Make Code Stable on various system

Author: UEFI-code

MonikaHijack/HijackMainThread_Returnable.cpp

@@ -2,7 +2,7 @@
 #include <tlhelp32.h>
 #include <cstdio>
 
-const BYTE shellcode[] = {
+BYTE MonikaPayload[] = {
     0x50,                          // push rax
     0x53,                          // push rbx
     0x51,                          // push rcx
@@ -19,7 +19,7 @@ const BYTE shellcode[] = {
     0x41, 0x57,                    // push r15
     0x55,                          // push rbp
     0x48, 0x8B, 0xEC,              // mov rbp, rsp
-    0x48, 0x83, 0xEC, 0x28,        // sub rsp, 0x28 (MessageBoxA Strick Call Convention)
+    0x48, 0x83, 0xEC, 0x28,        // sub rsp, 0x28 (MessageBoxA Strictly requires 32-byte aligned stack)
     0xE8, 0x00, 0x00, 0x00, 0x00,  // call $+5 (self-relative)
     0x5A,                          // pop rdx
     0x48, 0x83, 0xC2, 0x3C,        // add rdx, 0x3C (adjust rdx to point to "JUST Monika!")
@@ -52,16 +52,45 @@ const BYTE shellcode[] = {
     'A', 'L', 'E', 'R', 'T', 0x00,                                         // "ALERT"
 };
 
+BYTE Gidget_Shellcode[] = {
+    0x55,                          // push rbp
+    0x48, 0x8B, 0xEC,              // mov rbp, rsp
+    0x48, 0x83, 0xEC, 0x20,        // sub rsp, 32
+    0xE8, 0x00, 0x00, 0x00, 0x00,  // call $+5 (self-relative)
+    0x59,                          // pop rcx
+    0x48, 0x83, 0xC1, 0x3F,        // add rcx, 0x3F
+    0x48, 0xB8, 0xC0, 0x04, 0x10, 0x1B, 0xFC, 0x7F, 0x00, 0x00, // mov rax, 0x7FFC1B1004C0
+    0xFF, 0xD0,                    // call rax
+    0x48, 0x8B, 0xC8,              // mov rcx, rax
+    0xE8, 0x00, 0x00, 0x00, 0x00,  // call $+5 (self-relative)
+    0x5A,                          // pop rdx
+    0x48, 0x83, 0xC2, 0x31,        // add rdx, 0x31
+    0x48, 0xB8, 0x50, 0xAA, 0x0F, 0x1B, 0xFC, 0x7F, 0x00, 0x00, // mov rax, 0x7FFC1B0FAA50
+    0xFF, 0xD0,                    // call rax
+    0xE8, 0x00, 0x00, 0x00, 0x00,  // call $+5 (self-relative)
+    0x5B,                          // pop rbx
+    0x48, 0x83, 0xC3, 0x27,        // add rbx, 0x27
+    0x48, 0x89, 0x03,              // mov [rbx], rax
+    0x48, 0x83, 0xC4, 0x20,        // add rsp, 32
+    0x5D,                          // pop rbp
+    0xC3,                          // ret
+    0x90, 0x90,                    // nop, nop (padding)
+    0x75, 0x73, 0x65, 0x72, 0x33, 0x32, 0x2E, 0x64, 0x6C, 0x6C, 0x00, // "user32.dll"
+    0x4D, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x42, 0x6F, 0x78, 0x41, 0x00, // "MessageBoxA"
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 // reserved for result
+};
+
 typedef struct InjectInfo
 {
     DWORD processId;
     HANDLE hProcess;
     DWORD mainThreadId;
     HANDLE hThread;
-    LPVOID remoteMemory;
+    LPVOID remoteGadgetMemory;
+    LPVOID remotePayloadMemory;
 } InjectInfo;
 
-InjectInfo targetGalgame = { 0, 0, 0, 0, 0 };
+InjectInfo targetGalgame = { 0, 0, 0, 0, 0, 0 };
 
 // Function to get the PID of the target process by name
 void GetProcessIdByName(const char* processName)
@@ -131,33 +160,30 @@ void GetMainThreadId()
     return;
 }
 
-// Function to inject shellcode into the target process and return the address of the remote memory
+// Function to inject MonikaPayload into the target process and return the address of the remote memory
 void InjectShellcode()
 {
-    targetGalgame.remoteMemory = NULL;
-    targetGalgame.hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetGalgame.processId);
+    targetGalgame.remotePayloadMemory = NULL;
     if (!targetGalgame.hProcess)
     {
-        printf("Failed to open process with PID %lu\n", targetGalgame.processId);
+        printf("Invalid process handle\n");
         return;
     }
     // Allocate memory in the target process
-    targetGalgame.remoteMemory = VirtualAllocEx(targetGalgame.hProcess, NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
-    if (!targetGalgame.remoteMemory)
+    targetGalgame.remotePayloadMemory = VirtualAllocEx(targetGalgame.hProcess, NULL, sizeof(MonikaPayload), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+    if (!targetGalgame.remotePayloadMemory)
     {
         printf("Failed to allocate memory in the target process\n");
-        CloseHandle(targetGalgame.hProcess);
-        targetGalgame.hProcess = NULL;
         return;
     }
-    printf("Allocated RWX memory at address: 0x%p\n", targetGalgame.remoteMemory);
-    // Write the shellcode to the allocated memory
-    WriteProcessMemory(targetGalgame.hProcess, targetGalgame.remoteMemory, shellcode, sizeof(shellcode), NULL);
+    printf("Allocated RWX memory at address: 0x%p\n", targetGalgame.remotePayloadMemory);
+    // Write the MonikaPayload to the allocated memory
+    WriteProcessMemory(targetGalgame.hProcess, targetGalgame.remotePayloadMemory, MonikaPayload, sizeof(MonikaPayload), NULL);
     printf("Shellcode written to remote memory successfully\n");
     return;
 }
 
-// Function to hijack the main thread and set its RIP to the injected shellcode
+// Function to hijack the main thread and set its RIP to the injected MonikaPayload
 void HijackMainThread()
 {
     targetGalgame.hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, targetGalgame.mainThreadId);
@@ -182,9 +208,9 @@ void HijackMainThread()
         WriteProcessMemory(targetGalgame.hProcess, (LPVOID)ctx.Rsp, &ctx.Rip, sizeof(LPVOID), NULL);
         printf("Original RIP Pushed to Stack: 0x%p\n", (LPVOID)ctx.Rsp);
 
-        // Set RIP to the shellcode address
-        ctx.Rip = (DWORD64)targetGalgame.remoteMemory;
-        printf("Hijacking RIP to address: 0x%p\n", targetGalgame.remoteMemory);
+        // Set RIP to the MonikaPayload address
+        ctx.Rip = (DWORD64)targetGalgame.remotePayloadMemory;
+        printf("Hijacking RIP to address: 0x%p\n", targetGalgame.remotePayloadMemory);
 
         // Update the thread context
         SetThreadContext(targetGalgame.hThread, &ctx);
@@ -205,18 +231,56 @@ void HijackMainThread()
     return;
 }
 
+void GetTargetMsgBoxA_Routine()
+{
+    // Allocate RWX memory in the target process, size is gadget_shellcode size
+    targetGalgame.remoteGadgetMemory = VirtualAllocEx(targetGalgame.hProcess, NULL, sizeof(Gidget_Shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+    if (!targetGalgame.remoteGadgetMemory)
+    {
+        printf("Failed to allocate memory in the target process\n");
+        return;
+    }
+    printf("Allocated RWX memory for Gidget_Shellcode at address: 0x%p\n", targetGalgame.remoteGadgetMemory);
+    // Write the Gidget_Shellcode to the allocated memory
+    WriteProcessMemory(targetGalgame.hProcess, targetGalgame.remoteGadgetMemory, Gidget_Shellcode, sizeof(Gidget_Shellcode), NULL);
+    printf("Gidget_Shellcode written to remote memory successfully\n");
+    // Create Remote Thread to execute Gidget_Shellcode
+    HANDLE hRemoteThread = CreateRemoteThread(targetGalgame.hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)targetGalgame.remoteGadgetMemory, NULL, 0, NULL);
+    if (!hRemoteThread)
+    {
+        printf("Failed to create remote thread\n");
+        return;
+    }
+    WaitForSingleObject(hRemoteThread, INFINITE);
+    CloseHandle(hRemoteThread);
+    // Write Back last 8 bytes of Gidget_Shellcode to get MessageBoxA address
+    ReadProcessMemory(targetGalgame.hProcess, (LPVOID)((UINT64)targetGalgame.remoteGadgetMemory + sizeof(Gidget_Shellcode) - 8), (LPVOID)((UINT64)Gidget_Shellcode + sizeof(Gidget_Shellcode) - 8), 8, NULL);
+    printf("MessageBoxA Address in Target: 0x%p\n", *(UINT64 *)((UINT64)Gidget_Shellcode + sizeof(Gidget_Shellcode) - 8));
+}
+
 int main()
 {
+    *(UINT64 *)(Gidget_Shellcode + 20) = (UINT64)LoadLibraryA;
+    *(UINT64 *)(Gidget_Shellcode + 45) = (UINT64)GetProcAddress;
+
     const char* targetProcessName = "target.exe"; // Replace with your target process name
     GetProcessIdByName(targetProcessName);
 
     if (targetGalgame.processId)
     {
         printf("Target process \"%s\" found with PID %lu\n", targetProcessName, targetGalgame.processId);
-
-        // Inject shellcode and get the remote memory address
+        targetGalgame.hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetGalgame.processId);
+        if (!targetGalgame.hProcess)
+        {
+            printf("Failed to open process handle\n");
+            return 0;
+        }
+        GetTargetMsgBoxA_Routine();
+        // Update MonikaPayload with Target MessageBoxA address
+        *(UINT64 *)(MonikaPayload + 55) = *(UINT64 *)(Gidget_Shellcode + sizeof(Gidget_Shellcode) - 8);
+        // Inject MonikaPayload and get the remote memory address
         InjectShellcode();
-        if (targetGalgame.remoteMemory)
+        if (targetGalgame.remotePayloadMemory)
         {
             printf("Shellcode injected successfully.\n");
             // Get the main thread ID
@@ -237,14 +301,14 @@ int main()
                 printf("Failed to find main thread.\n");
             }
             // clean up, this might cause the target process glitch due to RWX memory being released
-            //VirtualFreeEx(targetGalgame.hProcess, targetGalgame.remoteMemory, 0, MEM_RELEASE);
-            //targetGalgame.remoteMemory = NULL;
+            //VirtualFreeEx(targetGalgame.hProcess, targetGalgame.remotePayloadMemory, 0, MEM_RELEASE);
+            //targetGalgame.remotePayloadMemory = NULL;
             CloseHandle(targetGalgame.hProcess);
             targetGalgame.hProcess = NULL;
         }
         else
         {
-            printf("Failed to inject shellcode.\n");
+            printf("Failed to inject MonikaPayload.\n");
         }
     }
     else

MonikaHijack/HijackMainThread_Returnable.exe

@@ -0,0 +1,22 @@
+55
+48 8B EC
+48 83 EC 20 
+E8 00 00 00 00 
+59 
+48 83 C1 3F 
+48 B8 C0 04 10 1B FC 7F 00 00 
+FF D0 
+48 8B C8 
+E8 00 00 00 00 
+5A 
+48 83 C2 31 
+48 B8 50 AA 0F 1B FC 7F 00 00 
+FF D0 
+E8 00 00 00 00 
+5B 
+48 83 C3 27 
+48 89 03 
+48 83 C4 20 
+5D 
+C3 
+90 90 75 73 65 72 33 32 2E 64 6C 6C 00 4D 65 73 73 61 67 65 42 6F 78 41 00 60 E0 94 1A FC 7F