This is going to be a fun one...trust me. It might take a little bit to get through everything but I promise it's pretty interesting once we get it going. Today we are going to be, in a very blunt explanation, injecting shellcode inside of a remote process. This is going to allow us to have FULL access to the victim's computer (an educational victim).

I know usually we write our programs in Python but today we are going to have a little fun with C!!! This is because we are going to be using the Windows API to do some fun stuff. Let's get started.

First thing we are going to have to do when opening a C file is just get our headers out of the way. We are going to add some standard headers like stdio.h, which is our regular input/output header, and let's not forget Windows.h, which is going to allow us to interact with the Windows API.

    #include <stdio.h>
    #include <Windows.h>

Alrighty we are done!...jk let's continue. After our headers we are going to need our main function and begin to add some variables to it. We define hProcess to have a type of HANDLE.

    #include <stdio.h>
    #include <Windows.h>

    int main()
    {
        HANDLE hProcess;   // will hold the handle to the remote process

        return 0;
    }

Keep in mind that a HANDLE is an opaque reference to a resource (a process, thread, file, and so on) that the operating system manages on the application's behalf; the program never touches the object's memory directly, only the handle. In our example we are going to use it to store the remote process's handle. I know it sounds a little confusing right now but let's move forward so it makes a bit more sense.

We need to set hProcess to the return value of Microsoft's OpenProcess function. Let's take a moment of silence for how beautiful Microsoft's documentation is because we can see exactly what parameters these functions take. For example OpenProcess takes the following:

    HANDLE OpenProcess(
      [in] DWORD dwDesiredAccess,
      [in] BOOL  bInheritHandle,
      [in] DWORD dwProcessId
    );

And yes, Visual Studio is going to show us the same thing, but the documentation lets us read in detail what each parameter is and what it is used for. You can check out the documentation here if you want to see what I am going to be referring to.

I'm not going to get into super heavy details on every function, please refer to the documentation if you have more questions. The first parameter we pass is PROCESS_ALL_ACCESS, the second is TRUE since it is a BOOL, and the third we are actually going to set to X for now as a filler; we will change that to the actual process ID later on. We are also going to set a variable "exec_mem" to the return value of the VirtualAllocEx() function, you can reference that here.
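Before moving on, it is worth seeing what that PROCESS_ALL_ACCESS choice looks like from the other side of the fence. Endpoint telemetry such as Sysmon Event ID 10 (ProcessAccess) records the access mask every cross-process handle was granted, and detection rules key on the bits in that mask. The following is an added example, not code from the original post: it decodes a mask the way an analyst would read a GrantedAccess field and flags masks that carry the rights a write-and-execute into another process needs. The PROCESS_* values are the documented constants from winnt.h, redefined here so the code compiles without Windows.h; the function names and the sample log value are my own constructions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Documented PROCESS_* access rights (winnt.h), redefined so this builds
 * on any platform without Windows.h. */
typedef uint32_t access_mask_t;

#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_CREATE_THREAD             0x0002u
#define PROCESS_SET_SESSIONID             0x0004u
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_READ                   0x0010u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_DUP_HANDLE                0x0040u
#define PROCESS_CREATE_PROCESS            0x0080u
#define PROCESS_SET_QUOTA                 0x0100u
#define PROCESS_SET_INFORMATION           0x0200u
#define PROCESS_QUERY_INFORMATION         0x0400u
#define PROCESS_SUSPEND_RESUME            0x0800u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u
#define STANDARD_RIGHTS_REQUIRED          0x000F0000u
#define SYNCHRONIZE                       0x00100000u
/* Windows Vista and later: every specific right plus the standard rights
 * and SYNCHRONIZE, i.e. 0x1FFFFF. This is what the tutorial requests. */
#define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFFu)

/* The subset detection rules usually watch for: the ability to allocate or
 * re-protect memory, write it, and start a thread in the target. Filtering
 * on this subset rather than on the full PROCESS_ALL_ACCESS value means a
 * request for fewer rights is still caught. */
#define INJECTION_RIGHTS (PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD)

static const struct { access_mask_t bit; const char *name; } flag_names[] = {
    { PROCESS_TERMINATE,                 "PROCESS_TERMINATE" },
    { PROCESS_CREATE_THREAD,             "PROCESS_CREATE_THREAD" },
    { PROCESS_SET_SESSIONID,             "PROCESS_SET_SESSIONID" },
    { PROCESS_VM_OPERATION,              "PROCESS_VM_OPERATION" },
    { PROCESS_VM_READ,                   "PROCESS_VM_READ" },
    { PROCESS_VM_WRITE,                  "PROCESS_VM_WRITE" },
    { PROCESS_DUP_HANDLE,                "PROCESS_DUP_HANDLE" },
    { PROCESS_CREATE_PROCESS,            "PROCESS_CREATE_PROCESS" },
    { PROCESS_SET_QUOTA,                 "PROCESS_SET_QUOTA" },
    { PROCESS_SET_INFORMATION,           "PROCESS_SET_INFORMATION" },
    { PROCESS_QUERY_INFORMATION,         "PROCESS_QUERY_INFORMATION" },
    { PROCESS_SUSPEND_RESUME,            "PROCESS_SUSPEND_RESUME" },
    { PROCESS_QUERY_LIMITED_INFORMATION, "PROCESS_QUERY_LIMITED_INFORMATION" },
    { SYNCHRONIZE,                       "SYNCHRONIZE" },
};

/* Sysmon logs GrantedAccess as a hex string such as "0x1FFFFF"; base 0
 * lets strtoul accept that form as well as a plain decimal number. */
access_mask_t parse_granted_access(const char *text)
{
    return (access_mask_t)strtoul(text, NULL, 0);
}

/* Writes the names of the set bits into buf, '|'-separated, and returns
 * how many named rights were present. */
int describe_access(access_mask_t mask, char *buf, size_t buflen)
{
    int count = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof flag_names / sizeof flag_names[0]; i++) {
        if ((mask & flag_names[i].bit) == flag_names[i].bit) {
            if (count)
                strncat(buf, "|", buflen - strlen(buf) - 1);
            strncat(buf, flag_names[i].name, buflen - strlen(buf) - 1);
            count++;
        }
    }
    return count;
}

/* 1 if the mask contains every right in INJECTION_RIGHTS, else 0. */
int grants_injection_rights(access_mask_t mask)
{
    return (mask & INJECTION_RIGHTS) == INJECTION_RIGHTS;
}

int main(void)
{
    /* Constructed sample: the GrantedAccess value an OpenProcess call
     * with PROCESS_ALL_ACCESS would produce in a ProcessAccess event. */
    const char *sample_log_value = "0x1FFFFF";
    char names[512];
    access_mask_t mask = parse_granted_access(sample_log_value);

    int n = describe_access(mask, names, sizeof names);
    printf("GrantedAccess %s decodes to %d rights: %s\n", sample_log_value, n, names);
    printf("injection-capable: %s\n", grants_injection_rights(mask) ? "yes" : "no");
    return 0;
}
```

Run against a typical read-only handle value (0x1410, which is QUERY_INFORMATION, QUERY_LIMITED_INFORMATION and VM_READ), `grants_injection_rights` returns 0; against the tutorial's 0x1FFFFF it returns 1. That is the contrast a detection engineer cares about: not whether a handle was opened, but which rights came with it.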
