Nytro Posted May 17, 2013

Calling ShellExecute in codecave
zwclose7

This program injects a codecave that calls the ShellExecute function to run executable files or open websites into another process.

1) Parse the PID and file name from the command line.
2) Enable SeDebugPrivilege using the RtlAdjustPrivilege function.
3) Open the target process handle using the NtOpenProcess function.
4) Allocate memory in the target process using the VirtualAllocEx function.
5) Write the codecave into the target process using the NtWriteVirtualMemory function.
6) Create a remote thread in the target process to execute the codecave using the RtlCreateUserThread function.
7) Wait for the remote thread to terminate.
8) The codecave calls the LoadLibrary function to load shell32.dll, and then calls the GetProcAddress function to get the address of the ShellExecute function.
9) The codecave calls the ShellExecute function to run the executable file or open a new website.
10) After ShellExecute returns, the codecave calls the FreeLibrary function to unload shell32.dll.
11) After FreeLibrary returns, the thread terminates.
12) Close the thread handle using the NtClose function.
13) Free the allocated memory using the VirtualFreeEx function.
14) Close the process handle using the NtClose function.
15) Exit

Native API functions used:
1) RtlAdjustPrivilege
2) NtOpenProcess
3) NtWriteVirtualMemory
4) RtlCreateUserThread
5) NtWaitForSingleObject
6) NtClose

This video shows you how the injector works:
http://www.youtube.com/watch?v=vQ0FP2uyJHI&feature=player_embedded

Download src:
http://www.rohitab.com/discuss/index.php?app=core&module=attach&section=attach&attach_id=3887

Source: Calling ShellExecute in codecave - rohitab.com - Forums