[Problem] Kill Process

[parad0x]

So I was learning to write a little bit windows shellcoding and this guy showed in his tut that we'll be writing a shellcode to kill any process. Everything was working fine, in his video,his code worked fine but when I did all, mine didn't work so I decided to use Olly and trace where the fuck in the problem. I ran the code in Olly and it worked FINE, I mean yes, it worked in the debugger but when I run this outside the debugger, it just doesn't work. I don't really see any problem, and maybe there isn't cause in the debugger, everything running fine but it isn't running out of the debugger.
Here's the code

Code: (C) [Select]

#include<Windows.h>
#include<stdio.h>


char shellcode[] = {"\x6A\x00\x6A\xFF\xE8\x01\x00\x00\x00\xC3\xB8\x01\x01\x00\x00\xE8\x00\x00\x00\x00\x89\xE2\x0F\x34"};

DWORD shellcode_size = 0x18;
DWORD shellcode_offset = 0x00;

/*
The shellcode is :
push 0
push -1
call TERM
ret
TERM:
mov eax, 101h
call sys
sys:
mov edx, esp
syscall
ret
*/

void kill_app(DWORD pid){

char code[0x18];

memcpy(code, shellcode, 0x18);

HMODULE h = GetModuleHandle("NTDLL.DLL");
FARPROC f = GetProcAddress(h, "ZwTerminateProcess");
memcpy((char *)(shellcode+0x0B), (char *)((char *)f+1), 4);

HANDLE hProc = 0;

hProc = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD, FALSE, pid);

LPVOID hRemoteMem = VirtualAllocEx(hProc, NULL, 0x18, MEM_COMMIT, PAGE_EXECUTE_READWRITE);


DWORD numberBytesWritten = 0;

WriteProcessMemory(hProc, hRemoteMem, shellcode, 0x18, &numberBytesWritten);

HANDLE HRemoteThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)hRemoteMem, 0, 0, NULL);


CloseHandle(hProc);
}

int main(int argc, CHAR* argv[])
{
if (argc != 2)
{
printf("Usage: %s <pid_of_program_to_close>\n\n", argv[0]);
return 1;
}

DWORD pid = atoi(argv[1]);

kill_app(pid);
return 0;
}


Explanation: I write the shellcode, then get the address of ZwTerminateProcess function from ntdll.dll, then I open the process into which I have to execute this, then I allocate the memory, write it into the process memory, create a thread, run the code and since the shellcode is of exiting the process, it should kill the process of the given pid.

[iTpHo3NiX]

Why not use the image name instead of PID since pid's change with each running instance. Also it may be a matter of privledge on the system. Are you trying to close a SYSTEM process? If so the code will need to be executed as an administrator. This seems like a permissions issue, however I'm not familiar with the code and whatnot if that's the issue

[parad0x]

Why not use the image name instead of PID since pid's change with each running instance.

Because the code I wrote kills the app given its pid, just to test if the exit shellcode I wrote works fine and exits a process. The thing is not to kill a process, I can do that from Task Manager also but I am testing my code.

Also it may be a matter of privledge on the system. Are you trying to close a SYSTEM process? If so the code will need to be executed as an administrator. This seems like a permissions issue, however I'm not familiar with the code and whatnot if that's the issue

I am the Administrator plus if you don't have permission to do something, you can't do that with a debugger. I have full permissions plus it's not the case with SYSTEM process, notepad isn't a system process, I tried it on the process that I ran, not on the processes running under SYSTEM priv.

[Trevor]

I am pretty sure that the problem is related to insufficient privileges.

When you run the code in a debugger, your app has SeDebugPrivilege, which means OpenProcess will always succeed irrespective of the privileges of the target process.

Can you add a check (sort of printf) after the OpenProcess call to see that if it really succeeds ?

EDIT:
Another thing that needs mentioning, is the shellcode will only work on non ASLR systems (like Win XP).

[iTpHo3NiX]

Parad0x,

Being an administrator on windows doesn't give you admin privs, right-click run as administrator will

[parad0x]

UPDATE : So I added some printfs after each call to every function  just to make sure everything is going ok and now am getting "IT HAS ENCOUNTERED SOME PROBLEM" after CreateThread ( CreateThread executes fine, the printf after it prints that it executed and just after that, it is encountering the fucking problem).

Parad0x,

Being an administrator on windows doesn't give you admin privs, right-click run as administrator will

I tried doing so, but getting what I just wrote above.

I am pretty sure that the problem is related to insufficient privileges.

When you run the code in a debugger, your app has SeDebugPrivilege, which means OpenProcess will always succeed irrespective of the privileges of the target process.

Can you add a check (sort of printf) after the OpenProcess call to see that if it really succeeds ?

EDIT:
Another thing that needs mentioning, is the shellcode will only work on non ASLR systems (like Win XP).

I am having Windows 7 Ultimate SP1
Here's the new code

Code: (C++) [Select]


#include<Windows.h>
#include<stdio.h>


char shellcode[] = {"\x6A\x00\x6A\xFF\xE8\x01\x00\x00\x00\xC3\xB8\x01\x01\x00\x00\xE8\x00\x00\x00\x00\x89\xE2\x0F\x34"};

DWORD shellcode_size = 0x18;
DWORD shellcode_offset = 0x00;

/*
The shellcode is :
push 0
push -1
call TERM
ret
TERM:
mov eax, 101h
call sys
sys:
mov edx, esp
syscall
ret
*/

void kill_app(DWORD pid){

char code[0x20];

memcpy(code, shellcode, 0x18);

HMODULE h = GetModuleHandle("NTDLL.DLL");
FARPROC f = GetProcAddress(h, "ZwTerminateProcess");
memcpy((char *)(shellcode+0x0B), (char *)((char *)f+1), 4);

HANDLE hProc = 0;

hProc = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD, FALSE, pid);

printf("OpenProcess Succeeded\n");
getchar();

LPVOID hRemoteMem = VirtualAllocEx(hProc, NULL, 0x18, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
printf("Memory allocation Successfull...\n");
getchar();

DWORD numberBytesWritten = 0;

WriteProcessMemory(hProc, hRemoteMem, shellcode, 0x18, &numberBytesWritten);
printf("Writing Done...\n");
getchar();

HANDLE HRemoteThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)hRemoteMem, 0, 0, NULL);
printf("Thread Created..\n");
getchar();
CloseHandle(hProc);
}

int main(int argc, CHAR* argv[])
{
printf("Enter the pid of the program.. : ");

DWORD pid;

scanf_s("%d", &pid);

printf("PID you entered is : %d\n", pid);

kill_app(pid);

printf("Done\n");
getchar();
getchar();
getchar();
return 0;
}


Don't mind the  last 3 getchar(), the first is to take the last newline left in the input queue, second to take another input, just to hold the screen so I can see the above printf and the last one, just to make sure that I have seen everything before I exit, tbh I don't really need that but still.

[Trevor]

Err, No. 
I did not mean to add printf statements literally. You need to do error checking, something like this.

Code: (C) [Select]

hProc = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD, FALSE, pid);

if (hProc != NULL) printf("[*] OpenProcess succeeded\n");
else
{
   printf("[!] OpenProcess failed\n");
   return;
}

Similarly, do this for the other functions. All the functions are documented on MSDN.
You can find what does a specific function return in case of an error. Use that in the if statement.

EDIT:

I am having Windows 7 Ultimate SP1

That means, the shellcode will not work because of ASLR if you try to inject it into Notepad. It may work sometimes but there is no guarantee. This is because, the address of ZwTerminateProcess will differ between your app and notepad.

If you have some Win XP VM lying around, it is best to try it there. Win XP is best for such stuffz

[parad0x]

I knew all about that but not really working out, my final test code

Code: (C) [Select]

#include<Windows.h>
#include<stdio.h>


char shellcode[] = {"\x6A\x00\x6A\xFF\xE8\x01\x00\x00\x00\xC3\xB8\x01\x01\x00\x00\xE8\x00\x00\x00\x00\x89\xE2\x0F\x34"};

DWORD shellcode_size = 0x18;
DWORD shellcode_offset = 0x00;

/*
The shellcode is :
push 0
push -1
call TERM
ret
TERM:
mov eax, 101h
call sys
sys:
mov edx, esp
syscall
ret
*/

void kill_app(DWORD pid){

char code[0x18];

memcpy(code, shellcode, 0x18);

HMODULE h = GetModuleHandle("NTDLL.DLL");
if(h == NULL){
printf("%x\n", GetLastError());
exit(1);
}

FARPROC f = GetProcAddress(h, "ZwTerminateProcess");
if (f == NULL)
{
printf("%x\n", GetLastError());
exit(1);
}

memcpy((char *)(shellcode+0x0B), (char *)((char *)f+1), 4);

HANDLE hProc = 0;

hProc = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD, FALSE, pid);
if (hProc == NULL)
{
printf("%x\n", GetLastError());
exit(1);
}

printf("OpenProcess Succeeded\n");
getchar();

LPVOID hRemoteMem = VirtualAllocEx(hProc, NULL, 0x18, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (hRemoteMem == NULL)
{
printf("%x\n", GetLastError());
exit(1);
}

printf("Memory allocation Successfull...\n");
getchar();

DWORD numberBytesWritten = 0;
int y=0;
y = WriteProcessMemory(hProc, hRemoteMem, shellcode, 0x18, &numberBytesWritten);


if ( y== 0)
{
printf("%x\n", GetLastError());
exit(1);
}

printf("Writing Done...\n");
getchar();
HANDLE HRemoteThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)hRemoteMem, 0, 0, NULL);
if (HRemoteThread == NULL)
{
printf("%x\n", GetLastError());
exit(1);
}

printf("Thread Created..\n");

CloseHandle(hProc);
getchar();
}

int main(int argc, CHAR* argv[])
{
printf("Enter the pid of the program.. : ");

DWORD pid;

scanf_s("%d", &pid);

printf("PID you entered is : %d\n", pid);

kill_app(pid);

printf("Done\n");
getchar();
getchar();
getchar();
return 0;
}
As for ASLR, it calculates the address on the fly, not a problem, still not working.

[Trevor]

Just replace this line

Code: (C) [Select]

HANDLE HRemoteThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)hRemoteMem, 0, 0, NULL);
with this

Code: (C) [Select]

HANDLE HRemoteThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)hRemoteMem, 0, 0, NULL);
You must have found out the error by now.

[parad0x]

Just replace this line

Code: (C) [Select]

HANDLE HRemoteThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)hRemoteMem, 0, 0, NULL);
with this

Code: (C) [Select]

HANDLE HRemoteThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)hRemoteMem, 0, 0, NULL);
You must have found out the error by now.

My bad, I used CreateThread instead of CreateRemoteThread. :p Too silly mistake to do. How the fuck I can do that mistake.

[Trevor]

My bad, I used CreateThread instead of CreateRemoteThread. :p Too silly mistake to do. How the fuck I can do that mistake.

Never mind, that happens even to the best. Apparently, it is those silly mistakes that sometimes render big codebases insecure. For instance see the heartbleed bug in OpenSSL.

BTW, I tried compiling your code only today,  and the mistake was evident in OllyDbg.