Reflective DLL Injection Method 2

1. #include<stdio.h>
2. #include<windows.h>
3. #include<dbghelp.h>
4. #include<tlhelp32.h>
5. #include<string.h>
6. #pragma pack(1)
7.  
8. typedef struct _PE_INFO_
9. {
10.     BOOL Brloc;
11.     BOOL Cleanup;
12.     DWORD Cleanup_RVA;
13.     LPVOID (*Get_Proc)(LPVOID , LPSTR);
14.     LPVOID (*Load_Dll)(LPSTR);
15.     LPVOID base;
16. } PE_INFO , * LPE_INFO ;
17.  
18.  
19. LPVOID Memory_Map_File(const char * Filename)
20. {
21.     HANDLE f,mmap;
22.    
23.    
24.     if((f=CreateFileA(Filename,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL))==INVALID_HANDLE_VALUE)
25.     {
26.         printf("[-]Failed To Open File");
27.         return NULL;
28.     }
29.    
30.     if((mmap=CreateFileMappingA(f,NULL,PAGE_READONLY,0,0,NULL))==NULL)
31.     {
32.         printf("[-]CreateFileMappingA() Failed..");
33.         return NULL;
34.     }
35.    
36.     return MapViewOfFile(mmap,FILE_MAP_READ,0,0,0);
37. }
38.  
39.  
40. BOOL Find_Process(const char * Process_Name,PHANDLE p)
41. {
42.     PROCESSENTRY32 ps;
43.     HANDLE Snap;
44.     ps.dwSize=sizeof(ps);
45.     *p=NULL;
46.     if((Snap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0))==INVALID_HANDLE_VALUE)
47.     {
48.         printf("[-]Failed To Enumurate Process");
49.         return FALSE;
50.     }
51.    
52.     if(!Process32First(Snap,&ps))
53.     return FALSE;
54.    
55.     do
56.     {
57.         if(!strcmp(Process_Name,ps.szExeFile))
58.         {
59.             CloseHandle(Snap);
60.             *p=OpenProcess(PROCESS_ALL_ACCESS,0,ps.th32ProcessID);
61.             if(*p==NULL)
62.             return FALSE;
63.             else
64.             return TRUE;
65.         }
66.     }while(Process32Next(Snap,&ps));
67.    
68.     return FALSE;
69. }
70.  
71. BOOL Get_Rva(LPVOID base, PIMAGE_NT_HEADERS nt, char * name,PDWORD rva)
72. {
73.     PIMAGE_EXPORT_DIRECTORY exp=(PIMAGE_EXPORT_DIRECTORY)ImageRvaToVa(nt,base,nt->OptionalHeader.DataDirectory[0].VirtualAddress,NULL);
74.     PDWORD Name;
75.     PDWORD addr;
76.     PWORD ord;
77.     int i;
78.    
79.     ord=(PWORD)ImageRvaToVa(nt,base,exp->AddressOfNameOrdinals,NULL);
80.     Name=(PDWORD)ImageRvaToVa(nt,base,exp->AddressOfNames,NULL);
81.     addr=(PDWORD)ImageRvaToVa(nt,base,exp->AddressOfFunctions,NULL);
82.    
83.     for(i=0;i<exp->NumberOfNames;i++)
84.     {
85.         LPSTR Func=(LPSTR)ImageRvaToVa(nt,base,Name[i],NULL);
86.         if(!strcmp(Func,name))
87.         {
88.             *rva=addr[ord[i]];
89.             return 1;
90.         }
91.     }
92.  
93.     return 0;
94. }
95.  
96. void Adjust_PE(LPE_INFO pe)
97. {
98.     LPVOID base;
99.     PIMAGE_DOS_HEADER dos;
100.     PIMAGE_NT_HEADERS nt;
101.     PIMAGE_BASE_RELOCATION rloc;
102.     PIMAGE_TLS_DIRECTORY tls;
103.     PIMAGE_TLS_CALLBACK * Callback;
104.     PIMAGE_IMPORT_DESCRIPTOR imp;
105.     PIMAGE_THUNK_DATA Othunk,Fthunk;
106.     void (*Entry)(LPVOID , DWORD , LPVOID);
107.    
108.    
109.     base=pe->base;
110.     dos=(PIMAGE_DOS_HEADER)base;
111.     nt=(PIMAGE_NT_HEADERS)(base+dos->e_lfanew);
112.    
113.     if(!pe->Brloc)
114.     goto Load_Import;
115.    
116.     Base_Reloc:
117.         if(!nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress)
118.         goto Load_Import;
119.        
120.         ULONG64 delta=(ULONG64)base-nt->OptionalHeader.ImageBase;
121.         rloc=(PIMAGE_BASE_RELOCATION)(base+nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
122.         while(rloc->VirtualAddress)
123.         {
124.             LPVOID Dest=base+rloc->VirtualAddress;
125.             int n=(rloc->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))/2;
126.             int i;
127.             PWORD data=(PWORD)((LPVOID)rloc+sizeof(IMAGE_BASE_RELOCATION));
128.             for(i=0;i<n;i++,data++)
129.             {
130.                 if(((*data)>>12)==10)
131.                 {
132.                     PULONG64 p=(PULONG64)(Dest+((*data)&0xfff));
133.                     *p+=delta;
134.                 }
135.             }
136.             rloc=(PIMAGE_BASE_RELOCATION)((LPVOID)rloc+rloc->SizeOfBlock);
137.         }
138.    
139.     Load_Import:
140.         if(!nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress)
141.         goto TLS;
142.        
143.         imp=(PIMAGE_IMPORT_DESCRIPTOR)(base+nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
144.         while(imp->Name)
145.         {
146.             LPVOID dll=pe->Load_Dll(base+imp->Name);
147.             Othunk=(PIMAGE_THUNK_DATA)(base+imp->OriginalFirstThunk);
148.             Fthunk=(PIMAGE_THUNK_DATA)(base+imp->FirstThunk);
149.            
150.             if(!imp->OriginalFirstThunk)
151.             Othunk=Fthunk;
152.            
153.             while(Othunk->u1.AddressOfData)
154.             {
155.                 if(Othunk->u1.Ordinal & IMAGE_ORDINAL_FLAG)
156.                 {
157.                     *(PULONG64)Fthunk=(ULONG64)pe->Get_Proc(dll,(LPSTR)IMAGE_ORDINAL(Othunk->u1.Ordinal));
158.                 }
159.                 else
160.                 {
161.                     PIMAGE_IMPORT_BY_NAME fn=(PIMAGE_IMPORT_BY_NAME)(base+Othunk->u1.AddressOfData);
162.                     *(PULONG64)Fthunk=(ULONG64)pe->Get_Proc(dll,fn->Name);
163.                 }
164.                 Othunk++;
165.                 Fthunk++;
166.             }
167.             imp++;
168.         }
169.     TLS:
170.         if(!nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress)
171.         goto Execute_Entry;
172.        
173.         tls=(PIMAGE_TLS_DIRECTORY)(base+nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
174.         if(!tls->AddressOfCallBacks)
175.         goto Execute_Entry;
176.        
177.         Callback=(PIMAGE_TLS_CALLBACK *)tls->AddressOfCallBacks;
178.         while(*Callback)
179.         {
180.             (*Callback)(base,1,NULL);
181.             Callback++;
182.         }
183.        
184.     Execute_Entry:
185.         if(pe->Cleanup)
186.         {
187.             Entry=(base+pe->Cleanup_RVA);
188.             (*Entry)(base,nt->OptionalHeader.AddressOfEntryPoint,pe);
189.         }
190.         else
191.         {
192.             Entry=(base+nt->OptionalHeader.AddressOfEntryPoint);
193.             (*Entry)(base,1,NULL);
194.         }
195.    
196. }
197.  
198.  
199. int main(int i,char *arg[])
200. {
201.     LPVOID base,Rbase;
202.     PIMAGE_DOS_HEADER dos;
203.     PIMAGE_NT_HEADERS nt;
204.     PIMAGE_SECTION_HEADER sec;
205.     HANDLE proc;PE_INFO pe;
206.    
207.     if(i!=3)
208.     {
209.         printf("[!]Usage %s <DLL> <Process Name>",arg[0]);
210.         return 1;
211.     }
212.    
213.     if((base=Memory_Map_File(arg[1]))==NULL)
214.     {
215.         printf("[-]Failed To Memory Map File");
216.         return 1;
217.     }
218.    
219.     printf("[+]File is Memory Mapped Successfully\n");
220.    
221.     ZeroMemory(&pe,sizeof(pe));
222.    
223.     dos=(PIMAGE_DOS_HEADER)base;
224.    
225.     if(dos->e_magic!=23117)
226.     {
227.         printf("\n[-]Invalid PE");
228.         return 1;
229.     }
230.    
231.     nt=(PIMAGE_NT_HEADERS)(base+dos->e_lfanew);
232.    
233.     if(nt->OptionalHeader.Magic!=IMAGE_NT_OPTIONAL_HDR64_MAGIC)
234.     {
235.         printf("[-]Please use x64 PE");
236.         return 1;
237.     }
238.    
239.    
240.     if(!Find_Process(arg[2],&proc))
241.     {
242.         printf("\n[-]Failed To Open Process");
243.         return 1;
244.     }
245.     else
246.     printf("[+]\'%s\' is Openned\n",arg[2]);
247.      
248.     printf("[!]Allocating Memory Into \'%s\'\n",arg[2]);
249.      
250.      
251.      
252.     if((Rbase=VirtualAllocEx(proc,(LPVOID)nt->OptionalHeader.ImageBase,nt->OptionalHeader.SizeOfImage,MEM_COMMIT | MEM_RESERVE ,PAGE_EXECUTE_READWRITE))==NULL)
253.     {
254.         pe.Brloc=TRUE;
255.         if((Rbase=VirtualAllocEx(proc,NULL,nt->OptionalHeader.SizeOfImage,MEM_COMMIT | MEM_RESERVE ,PAGE_EXECUTE_READWRITE))==NULL)
256.         {
257.             printf("\n[-]Failed To Allocate Memory Into Remote Process");
258.             CloseHandle(proc);
259.             return 1;
260.         }
261.     }
262.    
263.     printf("\n[+]Copying File Content into Remote Process\n");
264.    
265.     WriteProcessMemory(proc,Rbase,base,nt->OptionalHeader.SizeOfHeaders,NULL);
266.    
267.     sec=(PIMAGE_SECTION_HEADER)((LPVOID)nt+sizeof(IMAGE_NT_HEADERS));
268.    
269.     for(i=0;i<nt->FileHeader.NumberOfSections;i++)
270.     {
271.         WriteProcessMemory(proc,Rbase+sec->VirtualAddress,base+sec->PointerToRawData,sec->SizeOfRawData,NULL);
272.         sec++;
273.     }  
274.        
275.     pe.base=Rbase;
276.     pe.Get_Proc=GetProcAddress;
277.     pe.Load_Dll=LoadLibraryA;
278.    
279.     if(Get_Rva(base,nt,"_PE_CLEANUP",&pe.Cleanup_RVA))
280.     {
281.         pe.Cleanup=TRUE;
282.     }
283.    
284.    
285.     DWORD len=(DWORD)((ULONG64)main-(ULONG64)Adjust_PE);
286.     LPVOID temp=VirtualAllocEx(proc,NULL,len+sizeof(pe),MEM_COMMIT | MEM_RESERVE , PAGE_EXECUTE_READWRITE);
287.     if(temp==NULL)
288.     {
289.         printf("\n[-]Insufficiant Memory For PE Configurator\n");
290.         VirtualFreeEx(proc,Rbase,0,MEM_RELEASE);
291.         return 1;
292.     }
293.    
294.    
295.     WriteProcessMemory(proc,temp,&pe,sizeof(pe),NULL);
296.     WriteProcessMemory(proc,temp+sizeof(pe),Adjust_PE,len,NULL);
297.    
298.     printf("\n[+]Configuring PE and Executing...");
299.     if(!CreateRemoteThread(proc,NULL,0,(LPTHREAD_START_ROUTINE)temp+sizeof(pe),temp,0,NULL))
300.     {
301.         printf("\n[-]Failed To Create Thread..");VirtualFreeEx(proc,Rbase,0,MEM_RELEASE);
302.         return 1;
303.     }
304.     CloseHandle(proc);
305.     return 0;
306. }