int main() { uint32_t pid = pid_from_process_name("explorer.exe"); HANDLE process_handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); uint8_t *addr = (uint8_t *) VirtualAllocEx(process_handle, NULL, 0x1000, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE); uintptr_t messagebox_addr = (uintptr_t) GetProcAddress(LoadLibrary("user32.dll"), "MessageBoxA"); static uint8_t buf[0x1000]; SIZE_T bytes_written; memcpy(buf, shellcode, sizeof(shellcode)); #if __x86_64__ *(uintptr_t *) &buf[18] = messagebox_addr; #else *(uint32_t *) &buf[3] = (uint32_t) addr + 128; *(uint32_t *) &buf[8] = (uint32_t) addr + 256; *(uint32_t *) &buf[15] = messagebox_addr; #endif strcpy((char *) buf + 128, "World"); strcpy((char *) buf + 256, "Hello"); WriteProcessMemory(process_handle, addr, buf, sizeof(buf), &bytes_written); HANDLE thread_handle = CreateRemoteThread(process_handle, NULL, 0, (LPTHREAD_START_ROUTINE) addr, NULL, 0, NULL); CloseHandle(thread_handle); CloseHandle(process_handle); return 0; }
JNIEXPORT jint JNICALL Java_SignalSender_sendSignalByProcessName( JNIEnv *env, jobject jobj, jstring pname, jint signal) { const char *nativeString = (*env)->GetStringUTFChars(env, pname, 0); int pid = pid_from_process_name(nativeString); (*env)->ReleaseStringUTFChars(env, pname, nativeString); jint _pid = pid; return Java_SignalSender_sendSignalByPID(env, jobj, _pid, signal); }
int main() { LPWSTR *argv; int argc; argv = CommandLineToArgvW(GetCommandLineW(), &argc); if(argv == NULL) { error("Error parsing commandline options!\n"); } if(argc < 4) { error( "Usage: %S <options..>\n" "Options:\n" " --crt CreateRemoteThread injection\n" " --apc QueueUserAPC injection\n" " --free Do not inject our monitor\n" " --dll <dll> DLL to inject\n" " --app <app> Path to application to start\n" " --args <args> Command-line arguments\n" " Excluding the application path!\n" " --curdir <dirpath> Current working directory\n" " --maximize Maximize the newly created GUI\n" " --pid <pid> Process identifier to inject\n" " --process-name <name> Process name to inject\n" " --tid <tid> Thread identifier to inject\n" " --from <pid> Inject from another process\n" " --from-process <name> " "Inject from another process, resolves pid\n" " --only-start " "Start the application and print pid/tid\n" " --resume-thread " "Resume the thread of the pid/tid target\n" " --config <path> " "Configuration file for the monitor\n" " --dbg <path> " "Attach debugger to target process\n" " --dump <filepath> " "Dump process memory with --pid to filepath\n" " --verbose Verbose switch\n", argv[0] ); } const wchar_t *dll_path = NULL, *app_path = NULL, *arguments = L""; const wchar_t *config_file = NULL, *from_process = NULL, *dbg_path = NULL; const wchar_t *curdir = NULL, *process_name = NULL, *dump_path = NULL; uint32_t pid = 0, tid = 0, from = 0, inj_mode = INJECT_NONE; uint32_t show_window = SW_SHOWNORMAL, only_start = 0, resume_thread_ = 0; for (int idx = 1; idx < argc; idx++) { if(wcscmp(argv[idx], L"--crt") == 0) { inj_mode = INJECT_CRT; continue; } if(wcscmp(argv[idx], L"--apc") == 0) { inj_mode = INJECT_APC; continue; } if(wcscmp(argv[idx], L"--free") == 0) { inj_mode = INJECT_FREE; continue; } if(wcscmp(argv[idx], L"--dll") == 0) { dll_path = argv[++idx]; continue; } if(wcscmp(argv[idx], L"--app") == 0) { app_path = argv[++idx]; continue; } if(wcscmp(argv[idx], L"--args") == 0) { arguments = argv[++idx]; continue; } if(wcscmp(argv[idx], L"--curdir") == 0) { curdir = argv[++idx]; continue; } if(wcscmp(argv[idx], L"--maximize") == 0) { show_window = SW_MAXIMIZE; continue; } if(wcscmp(argv[idx], L"--pid") == 0) { pid = wcstol(argv[++idx], NULL, 10); continue; } if(wcscmp(argv[idx], L"--process-name") == 0) { process_name = argv[++idx]; continue; } if(wcscmp(argv[idx], L"--tid") == 0) { tid = wcstol(argv[++idx], NULL, 10); continue; } if(wcscmp(argv[idx], L"--from") == 0) { from = wcstol(argv[++idx], NULL, 10); continue; } if(wcscmp(argv[idx], L"--from-process") == 0) { from_process = argv[++idx]; continue; } if(wcscmp(argv[idx], L"--only-start") == 0) { only_start = 1; continue; } if(wcscmp(argv[idx], L"--resume-thread") == 0) { resume_thread_ = 1; continue; } if(wcscmp(argv[idx], L"--config") == 0) { config_file = argv[++idx]; continue; } if(wcscmp(argv[idx], L"--dbg") == 0) { dbg_path = argv[++idx]; continue; } if(wcscmp(argv[idx], L"--dump") == 0) { dump_path = argv[++idx]; continue; } if(wcscmp(argv[idx], L"--verbose") == 0) { verbose = 1; continue; } error("[-] Found unsupported argument: %S\n", argv[idx]); return 1; } // Dump memory of a process. if(dump_path != NULL && pid != 0) { dump(pid, dump_path); return 0; } if(inj_mode == INJECT_NONE) { error("[-] No injection method has been provided!\n"); } if(inj_mode == INJECT_CRT && pid == 0 && process_name == NULL && app_path == NULL) { error("[-] No injection target has been provided!\n"); } if(inj_mode == INJECT_APC && tid == 0 && process_name == NULL && app_path == NULL) { error("[-] No injection target has been provided!\n"); } if(inj_mode == INJECT_FREE && app_path == NULL) { error("[-] An app path is required when not injecting!\n"); } if(pid != 0 && process_name != NULL) { error("[-] Both pid and process-name were set!\n"); } static wchar_t dllpath[MAX_PATH_W]; if(inj_mode == INJECT_FREE) { if(dll_path != NULL || tid != 0 || pid != 0) { error("[-] Unused --tid/--pid/--dll provided in --free mode!\n"); } } if(inj_mode != INJECT_FREE) { if(PathFileExistsW(dll_path) == FALSE) { error("[-] Invalid DLL filepath has been provided\n"); } if(GetFullPathNameW(dll_path, MAX_PATH_W, dllpath, NULL) == 0) { error("[-] Invalid DLL filepath has been provided\n"); } if(GetLongPathNameW(dllpath, dllpath, MAX_PATH_W) == 0) { error("[-] Error obtaining the dll long path name\n"); } } if(from != 0 && from_process != NULL) { error("[-] Both --from and --from-process are specified\n"); } grant_debug_privileges(GetCurrentProcessId()); if(app_path != NULL) { // If a process name has been provided as source process, then find // its process identifier (or first, if multiple). if(from_process != NULL) { from = pid_from_process_name(from_process); } // If no source process has been specified, then we use our // own process. if(from == 0) { from = GetCurrentProcessId(); } if(PathFileExistsW(app_path) == FALSE) { error("[-] Invalid app filepath has been provided\n"); } static wchar_t dirpath[MAX_PATH_W], filepath[MAX_PATH_W]; // If a current working directory has been set then we use that // current working directory. Otherwise default to $TEMP. if(curdir != NULL) { // Allow the current working directory to be // specified as, e.g., %TEMP%. if(ExpandEnvironmentStringsW(curdir, dirpath, MAX_PATH_W) == 0) { error("[-] Error expanding environment variables\n"); } curdir = dirpath; } else { // We don't want to be expanding the environment variable buffer // as that will probably corrupt the heap or so. curdir = wcscpy(dirpath, _wgetenv(L"TEMP")); } if(GetLongPathNameW(dirpath, dirpath, MAX_PATH_W) == 0) { error("[-] Error obtaining the curdir long path name\n"); } if(GetFullPathNameW(app_path, MAX_PATH_W, filepath, NULL) == 0) { error("[-] Invalid app filepath has been provided\n"); } if(GetLongPathNameW(filepath, filepath, MAX_PATH_W) == 0) { error("[-] Error obtaining the app long path name\n"); } pid = start_app(from, filepath, arguments, curdir, &tid, show_window); } if(pid == 0 && process_name != NULL) { pid = pid_from_process_name(process_name); } // Drop the configuration file if available. if(config_file != NULL) { static wchar_t filepath[MAX_PATH_W]; wsprintfW(filepath, L"C:\\cuckoo_%d.ini", pid); if(MoveFileW(config_file, filepath) == FALSE) { error("[-] Error dropping configuration file: %ld\n", GetLastError()); } } // Do not do actual injection here, just have the application launched. if(only_start != 0) { printf("%d %d", pid, tid); return 0; } switch (inj_mode) { case INJECT_CRT: load_dll_crt(pid, dllpath); break; case INJECT_APC: load_dll_apc(pid, tid, dllpath); break; case INJECT_FREE: break; default: error("[-] Unhandled injection mode: %d\n", inj_mode); } if(dbg_path != NULL) { wchar_t buf[1024]; wsprintfW(buf, L"\"%s\" -p %d", dbg_path, pid); start_app(GetCurrentProcessId(), dbg_path, buf, NULL, NULL, SW_SHOWNORMAL); Sleep(5000); } if((app_path != NULL || resume_thread_ != 0) && tid != 0) { resume_thread(tid); } // Report the process identifier. printf("%d", pid); return 0; }