int main()
{
uint32_t pid = pid_from_process_name("explorer.exe");
HANDLE process_handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
uint8_t *addr = (uint8_t *) VirtualAllocEx(process_handle, NULL, 0x1000,
MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
uintptr_t messagebox_addr = (uintptr_t)
GetProcAddress(LoadLibrary("user32.dll"), "MessageBoxA");
static uint8_t buf[0x1000]; SIZE_T bytes_written;
memcpy(buf, shellcode, sizeof(shellcode));
#if __x86_64__
*(uintptr_t *) &buf[18] = messagebox_addr;
#else
*(uint32_t *) &buf[3] = (uint32_t) addr + 128;
*(uint32_t *) &buf[8] = (uint32_t) addr + 256;
*(uint32_t *) &buf[15] = messagebox_addr;
#endif
strcpy((char *) buf + 128, "World");
strcpy((char *) buf + 256, "Hello");
WriteProcessMemory(process_handle, addr, buf, sizeof(buf),
&bytes_written);
HANDLE thread_handle = CreateRemoteThread(process_handle, NULL, 0,
(LPTHREAD_START_ROUTINE) addr, NULL, 0, NULL);
CloseHandle(thread_handle);
CloseHandle(process_handle);
return 0;
}
JNIEXPORT jint JNICALL
Java_SignalSender_sendSignalByProcessName(
JNIEnv *env,
jobject jobj,
jstring pname,
jint signal)
{
const char *nativeString = (*env)->GetStringUTFChars(env, pname, 0);
int pid = pid_from_process_name(nativeString);
(*env)->ReleaseStringUTFChars(env, pname, nativeString);
jint _pid = pid;
return Java_SignalSender_sendSignalByPID(env, jobj, _pid, signal);
}
int main()
{
LPWSTR *argv; int argc;
argv = CommandLineToArgvW(GetCommandLineW(), &argc);
if(argv == NULL) {
error("Error parsing commandline options!\n");
}
if(argc < 4) {
error(
"Usage: %S <options..>\n"
"Options:\n"
" --crt CreateRemoteThread injection\n"
" --apc QueueUserAPC injection\n"
" --free Do not inject our monitor\n"
" --dll <dll> DLL to inject\n"
" --app <app> Path to application to start\n"
" --args <args> Command-line arguments\n"
" Excluding the application path!\n"
" --curdir <dirpath> Current working directory\n"
" --maximize Maximize the newly created GUI\n"
" --pid <pid> Process identifier to inject\n"
" --process-name <name> Process name to inject\n"
" --tid <tid> Thread identifier to inject\n"
" --from <pid> Inject from another process\n"
" --from-process <name> "
"Inject from another process, resolves pid\n"
" --only-start "
"Start the application and print pid/tid\n"
" --resume-thread "
"Resume the thread of the pid/tid target\n"
" --config <path> "
"Configuration file for the monitor\n"
" --dbg <path> "
"Attach debugger to target process\n"
" --dump <filepath> "
"Dump process memory with --pid to filepath\n"
" --verbose Verbose switch\n",
argv[0]
);
}
const wchar_t *dll_path = NULL, *app_path = NULL, *arguments = L"";
const wchar_t *config_file = NULL, *from_process = NULL, *dbg_path = NULL;
const wchar_t *curdir = NULL, *process_name = NULL, *dump_path = NULL;
uint32_t pid = 0, tid = 0, from = 0, inj_mode = INJECT_NONE;
uint32_t show_window = SW_SHOWNORMAL, only_start = 0, resume_thread_ = 0;
for (int idx = 1; idx < argc; idx++) {
if(wcscmp(argv[idx], L"--crt") == 0) {
inj_mode = INJECT_CRT;
continue;
}
if(wcscmp(argv[idx], L"--apc") == 0) {
inj_mode = INJECT_APC;
continue;
}
if(wcscmp(argv[idx], L"--free") == 0) {
inj_mode = INJECT_FREE;
continue;
}
if(wcscmp(argv[idx], L"--dll") == 0) {
dll_path = argv[++idx];
continue;
}
if(wcscmp(argv[idx], L"--app") == 0) {
app_path = argv[++idx];
continue;
}
if(wcscmp(argv[idx], L"--args") == 0) {
arguments = argv[++idx];
continue;
}
if(wcscmp(argv[idx], L"--curdir") == 0) {
curdir = argv[++idx];
continue;
}
if(wcscmp(argv[idx], L"--maximize") == 0) {
show_window = SW_MAXIMIZE;
continue;
}
if(wcscmp(argv[idx], L"--pid") == 0) {
pid = wcstol(argv[++idx], NULL, 10);
continue;
}
if(wcscmp(argv[idx], L"--process-name") == 0) {
process_name = argv[++idx];
continue;
}
if(wcscmp(argv[idx], L"--tid") == 0) {
tid = wcstol(argv[++idx], NULL, 10);
continue;
}
if(wcscmp(argv[idx], L"--from") == 0) {
from = wcstol(argv[++idx], NULL, 10);
continue;
}
if(wcscmp(argv[idx], L"--from-process") == 0) {
from_process = argv[++idx];
continue;
}
if(wcscmp(argv[idx], L"--only-start") == 0) {
only_start = 1;
continue;
}
if(wcscmp(argv[idx], L"--resume-thread") == 0) {
resume_thread_ = 1;
continue;
}
if(wcscmp(argv[idx], L"--config") == 0) {
config_file = argv[++idx];
continue;
}
if(wcscmp(argv[idx], L"--dbg") == 0) {
dbg_path = argv[++idx];
continue;
}
if(wcscmp(argv[idx], L"--dump") == 0) {
dump_path = argv[++idx];
continue;
}
if(wcscmp(argv[idx], L"--verbose") == 0) {
verbose = 1;
continue;
}
error("[-] Found unsupported argument: %S\n", argv[idx]);
return 1;
}
// Dump memory of a process.
if(dump_path != NULL && pid != 0) {
dump(pid, dump_path);
return 0;
}
if(inj_mode == INJECT_NONE) {
error("[-] No injection method has been provided!\n");
}
if(inj_mode == INJECT_CRT && pid == 0 && process_name == NULL &&
app_path == NULL) {
error("[-] No injection target has been provided!\n");
}
if(inj_mode == INJECT_APC && tid == 0 && process_name == NULL &&
app_path == NULL) {
error("[-] No injection target has been provided!\n");
}
if(inj_mode == INJECT_FREE && app_path == NULL) {
error("[-] An app path is required when not injecting!\n");
}
if(pid != 0 && process_name != NULL) {
error("[-] Both pid and process-name were set!\n");
}
static wchar_t dllpath[MAX_PATH_W];
if(inj_mode == INJECT_FREE) {
if(dll_path != NULL || tid != 0 || pid != 0) {
error("[-] Unused --tid/--pid/--dll provided in --free mode!\n");
}
}
if(inj_mode != INJECT_FREE) {
if(PathFileExistsW(dll_path) == FALSE) {
error("[-] Invalid DLL filepath has been provided\n");
}
if(GetFullPathNameW(dll_path, MAX_PATH_W, dllpath, NULL) == 0) {
error("[-] Invalid DLL filepath has been provided\n");
}
if(GetLongPathNameW(dllpath, dllpath, MAX_PATH_W) == 0) {
error("[-] Error obtaining the dll long path name\n");
}
}
if(from != 0 && from_process != NULL) {
error("[-] Both --from and --from-process are specified\n");
}
grant_debug_privileges(GetCurrentProcessId());
if(app_path != NULL) {
// If a process name has been provided as source process, then find
// its process identifier (or first, if multiple).
if(from_process != NULL) {
from = pid_from_process_name(from_process);
}
// If no source process has been specified, then we use our
// own process.
if(from == 0) {
from = GetCurrentProcessId();
}
if(PathFileExistsW(app_path) == FALSE) {
error("[-] Invalid app filepath has been provided\n");
}
static wchar_t dirpath[MAX_PATH_W], filepath[MAX_PATH_W];
// If a current working directory has been set then we use that
// current working directory. Otherwise default to $TEMP.
if(curdir != NULL) {
// Allow the current working directory to be
// specified as, e.g., %TEMP%.
if(ExpandEnvironmentStringsW(curdir, dirpath, MAX_PATH_W) == 0) {
error("[-] Error expanding environment variables\n");
}
curdir = dirpath;
}
else {
// We don't want to be expanding the environment variable buffer
// as that will probably corrupt the heap or so.
curdir = wcscpy(dirpath, _wgetenv(L"TEMP"));
}
if(GetLongPathNameW(dirpath, dirpath, MAX_PATH_W) == 0) {
error("[-] Error obtaining the curdir long path name\n");
}
if(GetFullPathNameW(app_path, MAX_PATH_W, filepath, NULL) == 0) {
error("[-] Invalid app filepath has been provided\n");
}
if(GetLongPathNameW(filepath, filepath, MAX_PATH_W) == 0) {
error("[-] Error obtaining the app long path name\n");
}
pid = start_app(from, filepath, arguments, curdir, &tid, show_window);
}
if(pid == 0 && process_name != NULL) {
pid = pid_from_process_name(process_name);
}
// Drop the configuration file if available.
if(config_file != NULL) {
static wchar_t filepath[MAX_PATH_W];
wsprintfW(filepath, L"C:\\cuckoo_%d.ini", pid);
if(MoveFileW(config_file, filepath) == FALSE) {
error("[-] Error dropping configuration file: %ld\n",
GetLastError());
}
}
// Do not do actual injection here, just have the application launched.
if(only_start != 0) {
printf("%d %d", pid, tid);
return 0;
}
switch (inj_mode) {
case INJECT_CRT:
load_dll_crt(pid, dllpath);
break;
case INJECT_APC:
load_dll_apc(pid, tid, dllpath);
break;
case INJECT_FREE:
break;
default:
error("[-] Unhandled injection mode: %d\n", inj_mode);
}
if(dbg_path != NULL) {
wchar_t buf[1024];
wsprintfW(buf, L"\"%s\" -p %d", dbg_path, pid);
start_app(GetCurrentProcessId(), dbg_path, buf,
NULL, NULL, SW_SHOWNORMAL);
Sleep(5000);
}
if((app_path != NULL || resume_thread_ != 0) && tid != 0) {
resume_thread(tid);
}
// Report the process identifier.
printf("%d", pid);
return 0;
}
