+ | Added Threat and Process classes with main functionality for thread hijacking

Author: kaveOO

Threat/Main.cpp

@@ -0,0 +1,8 @@
+#include "Threat.hpp"
+
+int main() {
+	Threat threat(L"Target.exe");
+	
+	threat.DebugPrint();
+	threat.Hijack();
+}

Threat/Process.cpp

@@ -7,7 +7,7 @@ Process::Process(const wchar_t *processName) {
 
 	hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
 	if (hSnapshot == INVALID_HANDLE_VALUE) {
-		std::cerr << "Failed to create snapshot of processes" << std::endl;
+		std::cerr << "Failed to snapshot processes: " << GetLastError() << std::endl;
 		return;
 	}
 
@@ -22,21 +22,19 @@ Process::Process(const wchar_t *processName) {
 		hResult = Process32Next(hSnapshot, &processEntry);
 	}
 
+	CloseHandle(hSnapshot);
+
 	if (processId == 0) {
-		std::wcerr << "Failed to find " << processName << std::endl;
+		std::cerr << "[ ERROR ] Failed to get processId: " << GetLastError() << std::endl;
+		return;
 	}
 
-	CloseHandle(hSnapshot);
+	hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, processId);
+	if (!hProcess) {
+		std::cerr << "[ ERROR ] OpenProcess: " << GetLastError() << std::endl;
+		return;
+	}
 }
 
 Process::~Process() {
-	CloseHandle(hProcess);
-}
-
-DWORD Process::GetProcessId() const {
-	return processId;
-}
-
-HANDLE Process::GetProcessHandle() const {
-	return hProcess;
 }

Threat/Process.hpp

@@ -5,14 +5,11 @@
 #include <TlHelp32.h>
 
 class Process {
-	private:
+	protected:
 		DWORD	processId = 0;
 		HANDLE	hProcess = NULL;
 	public:
 		Process() = delete;
 		Process(const wchar_t *processName);
 		~Process();
-
-		DWORD	GetProcessId()		const;
-		HANDLE	GetProcessHandle()	const;
 };

Threat/Threat.cpp

@@ -1,55 +1,118 @@
-#include <iostream>
-#include <Windows.h>
-#include <ios>
+#include "Threat.hpp"
 
-// Should hijack target thread right here :)
-
-CONTEXT GetAndPrintContext(HANDLE hThread) {
-	CONTEXT context = { };
+Threat::Threat(const wchar_t *processName) : Process(processName) {
 	context.ContextFlags = CONTEXT_FULL;
 
-	if (GetThreadContext(hThread, &context)) {
+	HANDLE			hSnapshot;
+	THREADENTRY32	threadEntry = {};
+	BOOL			hResult;
 
+	hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
+	if (hSnapshot == INVALID_HANDLE_VALUE) {
+		std::cerr << "Failed to snapshot threads: " << GetLastError() << std::endl;
+		return;
 	}
 
-	return context;
-}
+	threadEntry.dwSize = sizeof(THREADENTRY32);
+	hResult = Thread32First(hSnapshot, &threadEntry);
+
+	while (hResult) {
+		if (processId == threadEntry.th32OwnerProcessID) {
+			threadId = threadEntry.th32ThreadID;
+			break;
+		}
+		hResult = Thread32Next(hSnapshot, &threadEntry);
+	}
 
-int main() {
-	HANDLE hThread;
-	CONTEXT context;
+	CloseHandle(hSnapshot);
 
-	hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, 6248);
+	hThread = OpenThread(THREAD_ALL_ACCESS, 0, threadId);
 	if (!hThread) {
-		std::cout << "Failed to open thread handle : " << GetLastError() << std::endl;
-		return 1;
+		std::cerr << "[ ERROR ] OpenThread: " << GetLastError() << std::endl;
+		return;
 	}
+}
 
-	std::cout << "Successfully opened thread 0x" << hThread << std::endl;
+Threat::~Threat() {
+	CloseHandle(hThread);
+}
 
-	context = GetAndPrintContext(hThread);
+void Threat::DebugPrint() const {
+	std::cout << "-------------------------" << std::endl;
+	std::cout << " THIS IS A DEBUG PRINT ! " << std::endl;
+	std::cout << "-------------------------" << std::endl;
+	std::cout << "[ DEBUG ] processId: " << processId << std::endl;
+	std::cout << "[ DEBUG ] threadId: " << threadId << std::endl;
+	std::cout << "[ DEBUG ] context: 0x" << std::hex << &context << std::endl;
+	std::cout << "[ DEBUG ] hThread: 0x" << std::hex << hThread << std::endl;
+}
 
-	std::cout << "0x7ffad8f3cca4" << std::endl;
+bool Threat::Hijack() {
+	HMODULE hModules[1024];
+	DWORD modulesCount;
 
-	#ifdef _WIN64
-		std::cout << "RIP (Instruction Pointer): 0x" << std::hex << context.Rip << std::endl;
-		std::cout << "RSP (Stack Pointer): 0x" << std::hex << context.Rsp << std::endl;
-	#endif
+	if (!EnumProcessModules(hProcess, hModules, sizeof(hModules), &modulesCount)) {
+		std::cerr << "[ ERROR ] EnumProcessModules: " << GetLastError() << std::endl;
+		CloseHandle(hProcess);
+		return false;
+	}
 
+	HMODULE ntdll = nullptr;
 
-	if (SuspendThread(hThread) == -1) {
-		std::cout << "Failed to suspend thread : " << GetLastError() << std::endl;
-		return 1;
-	}
+	for (size_t i = 0; i < (modulesCount / sizeof(HMODULE)); i++) {
+		TCHAR path[MAX_PATH];
+
+		if (!GetModuleFileNameEx(hProcess, hModules[i], path, sizeof(path) / sizeof(TCHAR))) {
+			std::cerr << "[ ERROR ] GetModuleFileNameA: " << GetLastError() << std::endl;
+			return false;
+		}
 
-	std::cout << "Sucessfully suspended thread" << std::endl;
+		if (_tcsstr(path, L"ntdll.dll") == 0) {
+			std::cout << "[ DEBUG ] ntdll found!" << std::endl;
+			break;
+		}
 
-	//Sleep(3000);
+		MODULEINFO moduleInfos;
+		
+		if (!K32GetModuleInformation(hProcess, hModules[i], &moduleInfos, sizeof(moduleInfos))) {
+			std::cerr << "[ ERROR ] K32GetModuleInformation: " << GetLastError() << std::endl;
+			return false;
+		}
 
-	if (ResumeThread(hThread) == -1) {
-		std::cout << "Failed to resume thread : " << GetLastError() << std::endl;
-		return 1;
+		std::cout << moduleInfos.SizeOfImage << std::endl;
+		
+
+		std::wcout << path << std::endl;
 	}
+
+	while (1) {
+		if (SuspendThread(hThread) == (DWORD) -1) {
+			std::cerr << "[ ERROR ] SuspendThread: " << GetLastError() << std::endl;
+			return false;
+		}
+
+		std::cout << "[ DEBUG ] SuspendThread" << std::endl;
+
+		if (!GetThreadContext(hThread, &context)) {
+			std::cerr << "[ ERROR ] GetThreadContext: " << GetLastError() << std::endl; 
+			if (ResumeThread(hThread) == (DWORD) - 1) {
+				std::cerr << "[ ERROR ] ResumeThread: " << GetLastError() << std::endl;
+			}
+		}
 
-	std::cout << "Sucessfully resumed thread" << std::endl;
+		Sleep(1000);
+		std::cout << "Resume in 3..." << std::endl;
+		Sleep(1000);
+		std::cout << "Resume in 2..." << std::endl;
+		Sleep(1000);
+		std::cout << "Resume in 1..." << std::endl;
+
+		if (ResumeThread(hThread) == (DWORD) -1) {
+			std::cerr << "[ ERROR ] ResumeThread: " << GetLastError() << std::endl;
+			return false;
+		}
+		std::cout << "[ DEBUG ] ResumeThread" << std::endl;
+
+		Sleep(5000);
+	}
 }

Threat/Threat.hpp

@@ -0,0 +1,23 @@
+#pragma once
+
+#include <iostream>
+#include <Windows.h>
+#include <ios>
+#include <Psapi.h>
+#include <tchar.h>
+
+#include "Process.hpp"
+
+class Threat : protected Process {
+	private:
+		HANDLE	hThread = {};
+		CONTEXT	context = {};
+		DWORD	threadId = 0;
+	public:
+		Threat() = delete;
+		Threat(const wchar_t *processName);
+		~Threat();
+
+		void	DebugPrint() const;
+		bool	Hijack();
+};

Threat/Threat.vcxproj

@@ -123,8 +123,14 @@
     </Link>
   </ItemDefinitionGroup>
   <ItemGroup>
+    <ClCompile Include="Main.cpp" />
+    <ClCompile Include="Process.cpp" />
     <ClCompile Include="Threat.cpp" />
   </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="Process.hpp" />
+    <ClInclude Include="Threat.hpp" />
+  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
   </ImportGroup>

Threat/Threat.vcxproj.filters

@@ -18,5 +18,19 @@
     <ClCompile Include="Threat.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="Process.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="Main.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="Threat.hpp">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="Process.hpp">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
 </Project>