
PureInjector x86

Dec 20th, 2011
; PureInjector x86
; xorc1zt
; 2011
;
; GUI tool that lists the running processes and the modules loaded in the
; selected one, and can load a DLL into that process or unload one of its
; modules (see DLL()). Every cross-process step it takes is a plain,
; observable Win32 call (OpenProcess / WriteProcessMemory / CreateRemoteThread).

#VERSION = "1.0"

; Values accepted by the Mode parameter of DLL(). An Enumeration starts at 0,
; so #INJECTION = 0 (the default Mode) and #UNLOAD = 1.
Enumeration
  #INJECTION
  #UNLOAD
EndEnumeration

; One row of the process list, filled from PROCESSENTRY32 in GetProcesslist().
Structure ProcessListStr
  ProcessName.s   ; szExeFile
  ProcessID.l     ; th32ProcessID
EndStructure

; One row of the module list, filled from MODULEENTRY32 in GetModuleList().
Structure ModuleListStr
  ModuleName.s      ; szModule
  ModuleAddress.l   ; modBaseAddr kept as a 32-bit long: x86 targets only
  ModulePath.s      ; szExePath; handed to DLL() as the module to unload
EndStructure

Global NewList ProcessList.ProcessListStr()   ; mirrors the rows of gadget 0, same order
Global NewList ModuleList.ModuleListStr()     ; mirrors the rows of gadget 1, same order
Global SelectedProcess.l   ; process id of the row clicked in gadget 0 (0 until a click)
Global SelectedModule.s    ; full path of the row clicked in gadget 1
Global ConsoleBuff.s       ; text shown in the console gadget (2), pushed by UpdateConsole()
Global DLLToInject.s       ; path typed in gadget 3 or picked with the "..." button (4)
  29.  
  30. ; Refresh the console buff and go to the last line
  31. Procedure UpdateConsole()
  32.   SetGadgetText(2, ConsoleBuff)
  33.   lines=SendMessage_(GadgetID(2),#EM_GETLINECOUNT,0,0)
  34.     SendMessage_(GadgetID(2), #EM_LINESCROLL, 0, lines)
  35. EndProcedure
  36.  
  37. ; Parse each procress name and each process id to the linked list ProcessList()
  38. Procedure.b GetProcesslist()
  39.   ;clear process list and gadget
  40.   ClearList(ProcessList())
  41.   ClearGadgetItems(0)
  42.  
  43.   hProcessSnap.i = CreateToolhelp32Snapshot_(#TH32CS_SNAPPROCESS, NULL)
  44.   If( hProcessSnap = #INVALID_HANDLE_VALUE ) : ProcedureReturn #False : EndIf
  45.  
  46.   ;initialize process structure
  47.   ProcessInfos.PROCESSENTRY32
  48.   ProcessInfos\dwSize = SizeOf(PROCESSENTRY32)
  49.  
  50.   ;parse first process on the list
  51.   Process32First_(hProcessSnap, @ProcessInfos)
  52.   AddElement(ProcessList())
  53.   ProcessList()\ProcessName = PeekS(@ProcessInfos\szExeFile)
  54.   ProcessList()\ProcessID = ProcessInfos\th32ProcessID
  55.   AddGadgetItem(0, -1, Str(ProcessList()\ProcessID)+Chr(10)+ProcessList()\ProcessName)
  56.   ;parse next process on the list
  57.   While Process32Next_(hProcessSnap, @ProcessInfos) > 0
  58.     AddElement(ProcessList())
  59.     ProcessList()\ProcessName = PeekS(@ProcessInfos\szExeFile)
  60.     ProcessList()\ProcessID = ProcessInfos\th32ProcessID
  61.     AddGadgetItem(0, -1, Str(ProcessList()\ProcessID)+Chr(10)+ProcessList()\ProcessName)
  62.   Wend
  63.   ConsoleBuff+Str(ListSize(ProcessList()))+" Processus found"+#CRLF$
  64.   UpdateConsole()
  65.   ProcedureReturn #True
  66. EndProcedure
  67.  
  68. ; Parse each module from process id to the linked list ModuleList()
  69. Procedure.b GetModuleList(ProcessID.l)
  70.   ;clear module list and gadget
  71.   ClearList(ModuleList())
  72.   ClearGadgetItems(1)
  73.  
  74.   hProcessSnap.i = CreateToolhelp32Snapshot_(#TH32CS_SNAPMODULE, ProcessID)
  75.  
  76.   If( hProcessSnap = #INVALID_HANDLE_VALUE )
  77.     ErrorCode.l = GetLastError_()
  78.     Select ErrorCode
  79.       Case 5 ; acces denied
  80.         ConsoleBuff+ProcessList()\ProcessName+": Access denied"+#CRLF$
  81.       Case 299 ; 32 bits processus can't read 64 bits processus
  82.         ConsoleBuff+ProcessList()\ProcessName+" is a 64 bits processus"+#CRLF$
  83.     EndSelect
  84.     UpdateConsole()
  85.     ProcedureReturn #False
  86.   EndIf
  87.  
  88.   ModuleInfos.MODULEENTRY32
  89.   ModuleInfos\dwSize = SizeOf(MODULEENTRY32)
  90.   Module32First_(hProcessSnap, @ModuleInfos)
  91. ; first module is alway the target process
  92. ;   AddElement(ModuleList())
  93. ;   ModuleList()\ModuleName = PeekS(@ModuleInfos\szModule)
  94. ;   ModuleList()\ModuleAddress = ModuleInfos\modBaseAddr
  95. ;   ModuleList()\ModulePath = PeekS(@ModuleInfos\szExePath)
  96. ;   AddGadgetItem(1, -1, Str(ModuleList()\ModuleAddress)+Chr(10)+ModuleList()\ModuleName)
  97.  
  98.   While Module32Next_(hProcessSnap, @ModuleInfos) > 0
  99.     AddElement(ModuleList())
  100.     ModuleList()\ModuleName = PeekS(@ModuleInfos\szModule)
  101.     ModuleList()\ModuleAddress = ModuleInfos\modBaseAddr
  102.     ModuleList()\ModulePath = PeekS(@ModuleInfos\szExePath)
  103.     AddGadgetItem(1, -1, Hex(ModuleList()\ModuleAddress)+Chr(10)+ModuleList()\ModuleName)
  104.   Wend
  105.   ConsoleBuff+ProcessList()\ProcessName+": "+Str(ListSize(ModuleList()))+" Modules found"+#CRLF$
  106.   UpdateConsole()
  107. EndProcedure
  108.  
; Load a DLL into, or unload a module from, the process dwProcessId.
; The library path is written into the target's memory and a thread is
; started there on LoadLibraryA (Mode = #INJECTION) or on GetModuleHandleA
; followed by FreeLibrary (Mode = #UNLOAD). This is the classic
; CreateRemoteThread / LoadLibrary sequence; each step is a cross-process
; Win32 call that endpoint monitoring can observe.
;   dwProcessId : target process id
;   pszLibFile$ : DLL path (on unload, the full module path from SelectedModule)
;   Mode        : 0 = load (default), non-zero = unload
; Returns #True on success and #False after any failure (ErrHandle); in both
; cases a "<mode> Success"/"<mode> Failed" line is appended to the console.
; PureBasic identifiers are case-insensitive, so `mode` below is the Mode parameter.
Procedure.b DLL(dwProcessId.l, pszLibFile$, Mode.b = 0)
  hProcess.i
  hThread.i
  lzLibFileRemote.i
  lSize.i
  endSize.i
  lsThreadRtn.i
  ; access rights needed to allocate and write memory and to start a thread in the target
  hProcess = OpenProcess_(#PROCESS_QUERY_INFORMATION | #PROCESS_CREATE_THREAD | #PROCESS_VM_OPERATION | #PROCESS_VM_WRITE, 0, dwProcessId)
  If hProcess = 0 : Goto ErrHandle : EndIf
  ; size of the path plus its terminating character
  lSize = 1 + Len(pszLibFile$)
  endSize = lSize

  ; The routine address is resolved in this process and used in the target;
  ; this relies on kernel32 having the same base in both (same bitness, hence
  ; the x86-only name of the tool).
  OpenLibrary(0, "Kernel32.dll")
  If mode
    modestr.s = "Unload"
    lsThreadRtn = GetFunction(0, "GetModuleHandleA")
  Else
    modestr.s = "Injection"
    lsThreadRtn = GetFunction(0, "LoadLibraryA")
    ; the unload branch keeps the library open for the FreeLibrary lookup further down
    CloseLibrary(0)
  EndIf

  ; remote buffer that receives the path; a PureBasic string passed to an API call is handed over by address
  lzLibFileRemote = VirtualAllocEx_(hProcess, #Null, endSize, #MEM_COMMIT | #MEM_RESERVE, #PAGE_READWRITE)
  If lzLibFileRemote = 0 : Goto ErrHandle : EndIf
  If Not WriteProcessMemory_(hProcess, lzLibFileRemote, pszLibFile$, endSize, #Null) : Goto ErrHandle : EndIf

  If lsThreadRtn = 0 : Goto ErrHandle : EndIf
  ; thread entry point = resolved routine, thread argument = remote buffer address.
  ; NOTE(review): #THREAD_QUERY_INFORMATION sits in the creation-flags position;
  ; it is not a documented creation flag, looks unintended — confirm.
  hThread = CreateRemoteThread_(hProcess, #Null, #Null, lsThreadRtn, lzLibFileRemote, #THREAD_QUERY_INFORMATION, #Null)
  If (hThread = 0) : Goto ErrHandle : EndIf

  ; block until the remote routine has returned
  WaitForSingleObject_(hThread, #INFINITE)

  ; release the remote buffer; the Else branch cannot be reached because a
  ; zero pointer already jumped to ErrHandle above
  If lzLibFileRemote<>0
    VirtualFreeEx_(hProcess, lzLibFileRemote, 0, #MEM_RELEASE)
  Else
    Goto ErrHandle
  EndIf

  ; Unload: the first thread's exit code is GetModuleHandleA's result. The
  ; process is re-opened, that value is written to a 4-byte remote buffer and
  ; FreeLibrary is run on a second thread with the buffer address as argument.
  ; The second OpenProcess/VirtualAllocEx results are not checked and the
  ; second buffer is not released on the success path.
  If mode
    hModule.i = 0
    GetExitCodeThread_(hThread, @hModule)
    CloseHandle_(hThread)
    CloseHandle_(hProcess)
    hProcess = OpenProcess_(#PROCESS_QUERY_INFORMATION | #PROCESS_CREATE_THREAD | #PROCESS_VM_OPERATION | #PROCESS_VM_WRITE, 0, dwProcessId)
    lzLibFileRemote = VirtualAllocEx_(hProcess, #Null, 4, #MEM_COMMIT | #MEM_RESERVE, #PAGE_READWRITE)
    ; NOTE(review): hModule is passed by value where WriteProcessMemory expects a source buffer address — confirm intent
    If Not WriteProcessMemory_(hProcess, lzLibFileRemote, hModule, 4, #Null) : Goto ErrHandle : EndIf
    lsThreadRtn = GetFunction(0, "FreeLibrary")
    hThread = CreateRemoteThread_(hProcess, #Null, #Null, lsThreadRtn, lzLibFileRemote, #THREAD_QUERY_INFORMATION, #Null)
    WaitForSingleObject_(hThread, #INFINITE)
    ; FreeLibrary's result is read into hModule but not used afterwards
    GetExitCodeThread_(hThread, @hModule)
    CloseLibrary(0)
    CloseHandle_(hThread)
  EndIf

  CloseHandle_(hProcess)
  ConsoleBuff+modestr+" Success"+#CRLF$
  UpdateConsole()
  ProcedureReturn #True

  ; shared failure exit: the Win32 error goes to the debug output, then the
  ; remote buffer and both handles are released unconditionally (the calls are
  ; made even when a value is still 0) and the failure is reported on the console
  ErrHandle:
      Debug GetLastError_()
      VirtualFreeEx_(hProcess, lzLibFileRemote, 0, #MEM_RELEASE)
      CloseHandle_(hThread)
      CloseHandle_(hProcess)
      ConsoleBuff+modestr+" Failed"+#CRLF$
      UpdateConsole()
      ProcedureReturn #False
EndProcedure
  177.    
#WindowWidth  = 546
#WindowHeight = 565

; Main window and event loop. Gadget numbers used throughout the file:
;   0 process list   1 module list    2 console (read-only, multi-line)
;   3 DLL path       4 "..." browse   5 inject   6 unload   7 refresh
If OpenWindow(0, 100, 200, #WindowWidth, #WindowHeight, "PureInjector x86 "+#VERSION+" - Xorc1zt", #PB_Window_SystemMenu | #PB_Window_MinimizeGadget)

  ;Process list
  ListIconGadget(0, 1, 1, 270, 200, "Process ID", 65, #PB_ListIcon_FullRowSelect)
  AddGadgetColumn(0, 1, "Name", 165)

  ;Module list
  ListIconGadget(1, 275, 1, 270, 500, "Base Address", 80, #PB_ListIcon_FullRowSelect)
  AddGadgetColumn(1, 1, "Name", 165)

  ; console: a read-only multi-line edit control; its "Hello" placeholder is
  ; replaced by ConsoleBuff at the first UpdateConsole() call
  StringGadget(2, 1, 221, 270, 280, "Hello", #PB_String_ReadOnly | #ES_MULTILINE | #WS_VSCROLL | #WS_HSCROLL)
  ConsoleBuff = "PureInjector ( V"+#VERSION+" "+FormatDate("%dd/%mm/%yyyy - %hh:%ii:%ss", #PB_Compiler_Date)+" )"+#CRLF$
  StringGadget(3, 1, 505, 525, 20, "dll to inject")
  ButtonGadget(4, 525, 505, 21, 20, "...")
  ButtonGadget(5, 0, 525, 545, 20, "Inject !")
  ButtonGadget(6, 0, 545, 545, 20, "Unload selected module")
  ButtonGadget(7, 0, 200, 270, 20, "Refresh list")
  ; initial fill; the refresh button (gadget 7) repeats the same call
  If Not GetProcesslist() : MessageRequester("Error", "GetProcesslist() Failed") : EndIf

  ; event loop, left only when the window is closed
  Repeat
    EventID = WaitWindowEvent()
   
    If EventID = #PB_Event_Gadget
      Select EventGadget()
        Case 0 ; process list
          ; GetGadgetState(0) is the clicked row; rows and ProcessList() elements share the same index
          If EventType() = #PB_EventType_LeftClick And GetGadgetState(0) > -1
            SelectElement(ProcessList(), GetGadgetState(0))
            SelectedProcess = ProcessList()\ProcessID
            ; GetModuleList() reads the ProcessList() element selected just above
            GetModuleList(SelectedProcess)
          EndIf
        Case 1 ; module list
          ; same index sharing between the gadget rows and ModuleList()
          If EventType() = #PB_EventType_LeftClick And GetGadgetState(1) > -1
            SelectElement(ModuleList(), GetGadgetState(1))
            SelectedModule = ModuleList()\ModulePath ; the full path, not ModuleList()\ModuleName
            ConsoleBuff+ModuleList()\ModuleName+" Path: "+ModuleList()\ModulePath+#CRLF$
            UpdateConsole()
          EndIf
        Case 3 ; DLL path typed by hand
          If EventType() = #PB_EventType_Change
            DLLToInject = GetGadgetText(3)
          EndIf  
        Case 4 ; browse button; a cancelled requester yields "" and that becomes the gadget text
          DLLToInject = OpenFileRequester("Please choose file to load", "", "DLL (*.dll)|*.dll", 0)
          SetGadgetText(3,DLLToInject)
        Case 5 ;inject dll
          ; SelectedProcess is still 0 when no row was clicked; DLL() then fails at OpenProcess and reports it
          DLL(SelectedProcess, DLLToInject)
        Case 6 ;unload selected module
          DLL(SelectedProcess, SelectedModule, #UNLOAD)
        Case 7 ; refresh list
          If Not GetProcesslist() : MessageRequester("Error", "GetProcesslist() Failed") : EndIf
      EndSelect    
    EndIf
       ;
  Until EventID = #PB_Event_CloseWindow
EndIf