Enigma Group's Code Bank


Native Thread Injection into session manager subsystem

By: csrss  -  Date Submitted: 2009-09-09 08:37:07

/*
This is pure Native (NT) API code. It is meant to be run as a native
application during system boot (the link line at the end of the file
builds it for the native subsystem with no C runtime).
*/
  6. #include <ddk\ntddk.h>
  7. #include "nt.h"
/*
The "nt.h" header, which supplies the Native API declarations used below,
can be obtained here:
http://x1machine.com/db/ru/nt.rar
It is an unverified third-party archive: inspect its contents before
building against it.
*/
  12. // our remote functions prototypes
// Prototypes of the ntdll routines the injected thread calls through
// pointers handed to it in NtRemoteStructure. Only the raw bytes of
// ReThread are copied into the target, so it cannot rely on imports of
// its own; every call goes through these pointers.
typedef VOID (NTAPI *my_RtlInitUnicodeString)(PUNICODE_STRING ,PCWSTR);
typedef NTSTATUS (NTAPI *my_NtDisplayString)(PUNICODE_STRING);
typedef NTSTATUS (NTAPI *my_NtTerminateThread)( HANDLE , NTSTATUS );
typedef NTSTATUS (NTAPI *my_NtDelayExecution)(BOOLEAN, PLARGE_INTEGER);  // currently unused
 
// Parameter block written into the target process and passed to ReThread.
// The function pointers are resolved in this process (LdrGetProcedureAddress
// on ntdll.dll) and reused in the target, which relies on ntdll being mapped
// at the same base in both processes.
typedef struct _NtRemoteStructure {
PVOID pvRtlInitUnicodeString;   // ntdll!RtlInitUnicodeString
PVOID pvNtDisplayString;        // ntdll!NtDisplayString
PVOID pvNtTerminateThread;      // ntdll!NtTerminateThread
WCHAR dbgMessage[100];          // NUL-terminated text the remote thread displays
UNICODE_STRING output;          // built by the remote thread from dbgMessage
} NtRemoteStructure;
// Local copy of the block, and its address inside the target process once written.
NtRemoteStructure my_Structure,*pmy_Structure;
  26.  
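/*
 * Return the PID of the first running process whose image name exactly
 * equals pstrProcessName (case-sensitive), or NULL if there is none.
 *
 * The snapshot comes from NtQuerySystemInformation(SystemProcessInformation);
 * the buffer is doubled until the query stops reporting
 * STATUS_INFO_LENGTH_MISMATCH. The entry whose name buffer is NULL (the
 * idle process) is matched under the name "Idle", as before.
 *
 * Fixes over the previous version: the result is always initialised (an
 * unmatched name used to return an indeterminate value), the name is
 * compared by UNICODE_STRING length instead of assuming a NUL terminator,
 * NULL is returned when the allocation or the query fails, and the unused
 * locals (dbgMessage, heapParams, dwId) are gone.
 *
 * The returned value is the PID cast to HANDLE, as CLIENT_ID expects.
 */
HANDLE KeGetPID(WCHAR *pstrProcessName){
    NTSTATUS Status;
    ULONG cbBuffer = 0x8000;            /* initial snapshot size; grown on demand */
    PVOID pBuffer = NULL;
    HANDLE hResult = NULL;              /* stays NULL unless a match is found */
    PSYSTEM_PROCESSES pProcesses;
    UNICODE_STRING uniWanted, uniName;

    RtlInitUnicodeString(&uniWanted, pstrProcessName);

    do{
        pBuffer = RtlAllocateHeap(NtGetProcessHeap(), 0, cbBuffer);
        if (pBuffer == NULL){
            return NULL;
        }
        Status = NtQuerySystemInformation(SystemProcessInformation, pBuffer, cbBuffer, NULL);
        if (Status == STATUS_INFO_LENGTH_MISMATCH){
            /* Too small: release and retry with twice the size. */
            RtlFreeHeap(NtGetProcessHeap(), 0, pBuffer);
            cbBuffer *= 2;
        }else if (!NT_SUCCESS(Status)){
            RtlFreeHeap(NtGetProcessHeap(), 0, pBuffer);
            return NULL;
        }
    }
    while (Status == STATUS_INFO_LENGTH_MISMATCH);

    pProcesses = (PSYSTEM_PROCESSES)pBuffer;
    for (;;){
        /* The idle process carries no name buffer; present it as "Idle". */
        if (pProcesses->ProcessName.Buffer == NULL){
            RtlInitUnicodeString(&uniName, L"Idle");
        }else{
            uniName = pProcesses->ProcessName;
        }
        /* Length-bounded compare: ProcessName need not be NUL-terminated. */
        if (RtlEqualUnicodeString(&uniName, &uniWanted, FALSE)){
            hResult = (HANDLE)pProcesses->ProcessId;
            break;
        }
        /* A zero delta marks the last entry of the snapshot. */
        if (pProcesses->NextEntryDelta == 0){
            break;
        }
        pProcesses = (PSYSTEM_PROCESSES)(((BYTE *)pProcesses) + pProcesses->NextEntryDelta);
    }
    RtlFreeHeap(NtGetProcessHeap(), 0, pBuffer);
    return hResult;
}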
  64.  
/*
 * VirtualAllocEx-style wrapper over NtAllocateVirtualMemory.
 *
 * hProcess         target process handle
 * lpAddress        preferred base, or NULL to let the kernel choose
 * dwSize           bytes to allocate (rounded up by the kernel)
 * flAllocationType MEM_COMMIT / MEM_RESERVE flags
 * flProtect        PAGE_* protection for the region
 *
 * Returns the base address of the region, or NULL on failure.
 */
LPVOID NTAPI NtVirtualAllocEx(IN HANDLE hProcess,IN LPVOID lpAddress,IN SIZE_T dwSize,
IN DWORD flAllocationType, IN DWORD flProtect) {
    PVOID pvBase = lpAddress;       /* in/out: kernel writes the actual base here */
    SIZE_T cbRegion = dwSize;       /* in/out: kernel writes the rounded size here */
    NTSTATUS rc = NtAllocateVirtualMemory(hProcess, &pvBase, 0, &cbRegion, flAllocationType, flProtect);
    return NT_SUCCESS(rc) ? pvBase : NULL;
}
  72.  
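/*
 * Sleep the calling thread for dwSeconds seconds (non-alertable).
 *
 * NtDelayExecution takes a relative interval as a negative count of
 * 100 ns units, so one second is 10,000,000 units. The conversion is
 * done in signed 64-bit arithmetic rather than negating an unsigned
 * value and letting it wrap.
 *
 * Returns TRUE when NtDelayExecution reported success. The previous
 * version declared a BOOL return but never returned anything.
 */
BOOL NtDelayExecutionEx(DWORD dwSeconds){
    LARGE_INTEGER Interval;
    Interval.QuadPart = -((LONGLONG)dwSeconds * 10000000LL);
    return NT_SUCCESS(NtDelayExecution(FALSE, &Interval));
}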
  78.  
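/*
 * Body of the thread started inside smss.exe.
 *
 * NtProcessStartup copies the raw bytes beginning at &ReThread into the
 * target, so this function must stay self-contained: no string literals,
 * no globals, no direct calls into this image. Every external routine is
 * reached through the pointers in *Parameter, and NtCurrentThread() is a
 * constant pseudo-handle macro, so nothing here needs relocation.
 *
 * It builds Parameter->output from Parameter->dbgMessage, displays it,
 * and terminates itself. The trailing return is only reached if
 * NtTerminateThread fails; the previous version fell off the end of a
 * non-void function there.
 */
DWORD __stdcall ReThread(NtRemoteStructure *Parameter){
    my_RtlInitUnicodeString myRtlInitUnicodeString = (my_RtlInitUnicodeString)Parameter->pvRtlInitUnicodeString;
    my_NtDisplayString myNtDisplayString = (my_NtDisplayString)Parameter->pvNtDisplayString;
    my_NtTerminateThread myNtTerminateThread = (my_NtTerminateThread)Parameter->pvNtTerminateThread;

    /* Initialise the UNICODE_STRING inside the shared block, then show it. */
    myRtlInitUnicodeString( &(Parameter->output), Parameter->dbgMessage);
    myNtDisplayString(&Parameter->output);
    myNtTerminateThread(NtCurrentThread(), 0);

    return 0;   /* not reached when termination succeeds */
}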
  90.  
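/* Display msg through NtDisplayString. */
static void ShowMessage(const WCHAR *msg){
    UNICODE_STRING uni;
    RtlInitUnicodeString(&uni, msg);
    NtDisplayString(&uni);
}

/* Display msg, then end this native process with the given status. Does not return. */
static void FailAndExit(const WCHAR *msg, NTSTATUS status){
    ShowMessage(msg);
    NtTerminateProcess(NtCurrentProcess(), status);
}

/*
 * Native-subsystem entry point (see the link line at the end of the file).
 *
 * Steps: enable SeDebugPrivilege, find smss.exe, copy the bytes of ReThread
 * and a filled-in NtRemoteStructure into it, start a thread on the copy,
 * wait a few seconds so its output is visible, then exit.
 *
 * Changes from the previous version: every Nt*/Ldr* call is checked and a
 * failure ends the process with a message instead of continuing with an
 * invalid handle or a NULL remote address; the PID is passed to swprintf
 * as an integer (a whole CLIENT_ID struct was being passed to %d); the
 * typo "PAGE_READW RITE" is fixed; the remote thread handle is received and
 * closed; the unused dwSize is gone; the privilege out-parameter is a
 * BOOLEAN as RtlAdjustPrivilege expects.
 *
 * Argument: startup parameters from the loader; unused here.
 */
void NtProcessStartup( PSTARTUP_ARGUMENT Argument ){
    NTSTATUS Status;
    void *pThread;                          /* ReThread copy inside smss.exe */
    HANDLE hProcess = NULL;                 /* smss.exe */
    HANDLE hThread = NULL;                  /* the injected thread */
    UNICODE_STRING uniNameNtDLL;
    OBJECT_ATTRIBUTES ObjectAttributes;
    BOOLEAN bWasEnabled;                    /* previous state of the privilege */
    WCHAR storage[250];                     /* "smss pid: N" text */
    CLIENT_ID ClientId;                     /* smss.exe PID; thread id unused */
    SIZE_T stThreadSize = 2048;             /* bytes copied starting at &ReThread */
    HANDLE hNtDLL;                          /* base of ntdll.dll in this process */
    ANSI_STRING ansiRtlInitUnicodeString, ansiNtDisplayString, ansiNtTerminateThread;
    PVOID fRtlInitUnicodeString, fNtDisplayString, fNtTerminateThread;

    (void)Argument;
    ShowMessage(L"\nTrying to inject thread...\n");

    /* 20 == SE_DEBUG_PRIVILEGE, so that opening a system process with full
     * access succeeds. Not checked, as before: NtOpenProcess below fails if
     * the privilege could not be obtained and it mattered. */
    RtlAdjustPrivilege(20, TRUE, AdjustCurrentProcess, &bWasEnabled);

    ClientId.UniqueProcess = KeGetPID(L"smss.exe");
    ClientId.UniqueThread = 0;
    if (ClientId.UniqueProcess == NULL)
        FailAndExit(L"\nsmss.exe not found\n", STATUS_UNSUCCESSFUL);
    swprintf(storage, L"smss pid: %d", (int)(ULONG_PTR)ClientId.UniqueProcess);
    ShowMessage(storage);

    InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
    /* NOTE(review): PROCESS_ALL_ACCESS is more than the injection needs
     * (create-thread, query-information and VM operation/read/write); narrow
     * it once the headers in use are confirmed to define those masks. */
    Status = NtOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &ClientId);
    if (!NT_SUCCESS(Status))
        FailAndExit(L"\nNtOpenProcess failed\n", Status);

    /* Remote code page. NOTE(review): RWX is convenient but leaves a
     * writable+executable mapping in smss.exe; writing as PAGE_READWRITE and
     * changing the protection to execute-only afterwards would be tighter.
     * The copy is a fixed 2048 bytes from &ReThread, so it also carries
     * whatever the linker placed after ReThread; only ReThread itself runs. */
    pThread = NtVirtualAllocEx(hProcess, 0, stThreadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (pThread == NULL)
        FailAndExit(L"\nremote code allocation failed\n", STATUS_INSUFFICIENT_RESOURCES);
    Status = NtWriteVirtualMemory(hProcess, pThread, (PVOID)&ReThread, stThreadSize, NULL);
    if (!NT_SUCCESS(Status))
        FailAndExit(L"\nNtWriteVirtualMemory (code) failed\n", Status);

    /* Resolve the ntdll routines the remote thread needs. The addresses are
     * taken from this process and reused inside smss.exe, which relies on
     * ntdll being mapped at the same base in both processes. */
    RtlInitUnicodeString(&uniNameNtDLL, L"ntdll.dll");
    RtlInitAnsiString(&ansiRtlInitUnicodeString, "RtlInitUnicodeString");   /* Ldr wants ANSI names */
    RtlInitAnsiString(&ansiNtDisplayString, "NtDisplayString");
    RtlInitAnsiString(&ansiNtTerminateThread, "NtTerminateThread");
    Status = LdrLoadDll(NULL, 0, &uniNameNtDLL, &hNtDLL);
    if (!NT_SUCCESS(Status))
        FailAndExit(L"\nLdrLoadDll(ntdll.dll) failed\n", Status);
    if (!NT_SUCCESS(LdrGetProcedureAddress(hNtDLL, &ansiRtlInitUnicodeString, 0, &fRtlInitUnicodeString)) ||
        !NT_SUCCESS(LdrGetProcedureAddress(hNtDLL, &ansiNtDisplayString, 0, &fNtDisplayString)) ||
        !NT_SUCCESS(LdrGetProcedureAddress(hNtDLL, &ansiNtTerminateThread, 0, &fNtTerminateThread)))
        FailAndExit(L"\nLdrGetProcedureAddress failed\n", STATUS_UNSUCCESSFUL);

    /* Fill the parameter block and copy it into smss.exe. */
    RtlZeroMemory(&my_Structure, sizeof(NtRemoteStructure));
    my_Structure.pvRtlInitUnicodeString = fRtlInitUnicodeString;
    my_Structure.pvNtDisplayString = fNtDisplayString;
    my_Structure.pvNtTerminateThread = fNtTerminateThread;
    swprintf(my_Structure.dbgMessage, L"\nInjected!\n");

    pmy_Structure = (NtRemoteStructure *)NtVirtualAllocEx(hProcess, 0, sizeof(NtRemoteStructure), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pmy_Structure == NULL)
        FailAndExit(L"\nremote parameter allocation failed\n", STATUS_INSUFFICIENT_RESOURCES);
    Status = NtWriteVirtualMemory(hProcess, pmy_Structure, &my_Structure, sizeof(my_Structure), NULL);
    if (!NT_SUCCESS(Status))
        FailAndExit(L"\nNtWriteVirtualMemory (parameters) failed\n", Status);

    /* Start ReThread's copy with the remote parameter block as its argument. */
    Status = RtlCreateUserThread(hProcess, NULL, FALSE, 0, 0, 0, (PVOID)pThread, (PVOID)pmy_Structure, &hThread, NULL);
    if (!NT_SUCCESS(Status))
        FailAndExit(L"\nRtlCreateUserThread failed\n", Status);
    NtClose(hThread);       /* never waited on; the handle is ours to close */
    NtClose(hProcess);

    NtDelayExecutionEx(5);  /* leave time for the remote thread's message to appear */
    NtTerminateProcess( NtCurrentProcess(), 0 );
}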
  151.  
  152. /*
  153. compile with:
  154. MinGW/bin/gcc.exe nt.c -o native.exe -lntdll -nostdlib -Wl,--subsystem,native,-e,_NtProcessStartup
  155. */