- unsigned char codeToInject[] =
- {
- // Push a dummy value for the return address
- 0x50, // push rax
- // Save the flags
- 0x9c, // pushfq
- // Save the registers
- 0x50, // push rax
- // rax is saved, now overwrite the return address we pushed earlier
- 0x48, 0xB8, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // mov rax, 0CCCCCCCCCCCCCCCCh
- 0x48, 0x89, 0x84, 0x24, 0x10, 0x00, 0x00, 0x00, // mov qword ptr [rsp+16],rax
- 0x51, // push rcx
- 0x52, // push rdx
- 0x53, // push rbx
- 0x55, // push rbp
- 0x56, // push rsi
- 0x57, // push rdi
- 0x41, 0x50, // push r8
- 0x41, 0x51, // push r9
- 0x41, 0x52, // push r10
- 0x41, 0x53, // push r11
- 0x41, 0x54, // push r12
- 0x41, 0x55, // push r13
- 0x41, 0x56, // push r14
- 0x41, 0x57, // push r15
- // Placeholder for the string address and LoadLibrary
- 0x48, 0xB9, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // mov rcx, 0CCCCCCCCCCCCCCCCh
- 0x48, 0xB8, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // mov rax, 0CCCCCCCCCCCCCCCCh
- // Call LoadLibrary with the string parameter
- 0xFF, 0xD0, // call rax
- // Restore the registers
- 0x41, 0x5F, // pop r15
- 0x41, 0x5E, // pop r14
- 0x41, 0x5D, // pop r13
- 0x41, 0x5C, // pop r12
- 0x41, 0x5B, // pop r11
- 0x41, 0x5A, // pop r10
- 0x41, 0x59, // pop r9
- 0x41, 0x58, // pop r8
- 0x5F, // pop rdi
- 0x5E, // pop rsi
- 0x5D, // pop rbp
- 0x5B, // pop rbx
- 0x5A, // pop rdx
- 0x59, // pop rcx
- 0x58, // pop rax
- // Restore the flags
- 0x9D, // popfq
- 0xC3 // ret
- };
- bool InjectDLL64(__in const DWORD& dwProcessID, __in const WCHAR* const pwszDLLName)
- {
- HANDLE hProcess = NULL;
- LPVOID pRemoteMemDllName = NULL;
- LPVOID pRemoteMemFunction = NULL;
- SIZE_T nDllNameBuffSize = NULL;
- DWORD64 nFunctionBuffSize = sizeof(codeToInject2);
- HANDLE hThread = NULL;
- DWORD dwThreadSuspendCount = -1;
- std::wstring strModuleFilePath = pwszDLLName;
- bool bRet = false;
- hProcess = pi.hProcess;
- // Allocate memory on the target process with current DLL path
- nDllNameBuffSize = (strModuleFilePath.size()+1) * sizeof(WCHAR);
- pRemoteMemDllName = ::VirtualAllocEx(hProcess, NULL, nDllNameBuffSize, MEM_COMMIT,
- PAGE_READWRITE);
- if(!pRemoteMemDllName)
- {
- std::wcout << L"Error: Failed to allocate data on target process" << std::endl;
- goto cleanup;
- }
- SIZE_T nNumBytesWritten = 0;
- ::WriteProcessMemory(hProcess, pRemoteMemDllName, (void*)strModuleFilePath.data(),
- nDllNameBuffSize, &nNumBytesWritten);
- if(nNumBytesWritten != nDllNameBuffSize)
- {
- std::wcout << L"Error: Failed to write data on target process" << std::endl;
- goto cleanup;
- }
- // Allocate memory for the stub
- pRemoteMemFunction = ::VirtualAllocEx(hProcess, NULL, nFunctionBuffSize, MEM_COMMIT,
- PAGE_EXECUTE_READWRITE);
- // Get proc address of LoadLibrary
- HMODULE hKernel32 = ::GetModuleHandleW(L"Kernel32");
- if(!hKernel32)
- {
- std::wcout << L"Error : Failed to load kernel32" << std::endl;
- goto cleanup;
- }
- DWORD64 fnLocLoadLibrary = (DWORD64)::GetProcAddress(hKernel32, "LoadLibraryW");
- if(!fnLocLoadLibrary)
- {
- std::wcout << L"Error : Failed to get LoadLibraryW proc address" << std::endl;
- goto cleanup;
- }
- hThread = pi.hThread;
- // Set the instruction pointer to point to our function
- CONTEXT ctx;
- ctx.ContextFlags = CONTEXT_ALL;
- if(!GetThreadContext(hThread, &ctx))
- {
- std::wcout << L"Error : Failed to get the thread context" << std::endl;
- goto cleanup;
- }
- DWORD64 dwOldIP = ctx.Rip;
- // Jump ahead the stack a little bit so we don't accidentally overwrite something
- ctx.Rsp -= 128;
- // Make sure the stack will be aligned to 16 bytes right at the LoadLibrary call
- ctx.Rsp = ctx.Rsp & ~15;
- ctx.Rsp -= 8;
- ctx.Rip = (DWORD64) pRemoteMemFunction;
- ctx.ContextFlags = CONTEXT_ALL;
- // Replace placeholders
- memcpy(codeToInject + 5, &dwOldIP, sizeof(dwOldIP));
- memcpy(codeToInject + 45, &pRemoteMemDllName, sizeof(pRemoteMemDllName));
- memcpy(codeToInject + 55, &fnLocLoadLibrary, sizeof(fnLocLoadLibrary));
- if(!WriteProcessMemory(hProcess, pRemoteMemFunction, codeToInject, nFunctionBuffSize, NULL))
- {
- std::wcout << L"Error: Failed to write the code cave" << std::endl;
- goto cleanup;
- }
- HMODULE h = LoadLibraryW(INJECTED);
- if(!SetThreadContext(hThread, &ctx))
- {
- std::wcout << L"Error: Failed to modify the thread context" << std::endl;
- goto cleanup;
- }
- // DLL Injection is successful
- bRet = true;
- cleanup:
- // Cleanup allocated data
- //if(dwThreadSuspendCount != -1)
- ResumeThread(hThread);
- if(pRemoteMemDllName)
- VirtualFreeEx(hProcess, pRemoteMemDllName, nDllNameBuffSize, MEM_RELEASE);
- if(pRemoteMemFunction)
- VirtualFreeEx(hProcess, pRemoteMemFunction, nFunctionBuffSize, MEM_RELEASE);
- ::CloseHandle(hProcess);
- ::CloseHandle(hThread);
- return bRet;
- }