-
Notifications
You must be signed in to change notification settings - Fork 131
/
Copy pathinjdll.c
427 lines (381 loc) · 11.9 KB
/
injdll.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
/*
Inject the DLL into the target process by modifying its import descriptor
table. The target process must have been created suspended. However, for a
64-bit system with a .NET AnyCPU process, inject via LdrLoadDll in ntdll.dll
and CreateRemoteThread (since AnyCPU is stored as i386, but loads as AMD64,
preventing imports from working).
*/
#include "ansicon.h"
// Search for a suitable free area after the main image (32-bit code could
// really go anywhere, but let's keep it relatively local.)
static PVOID FindMem( HANDLE hProcess, PBYTE base, DWORD len )
{
MEMORY_BASIC_INFORMATION minfo;
PBYTE ptr;
PVOID mem;
for (ptr = base;
VirtualQueryEx( hProcess, ptr, &minfo, sizeof(minfo) );
ptr += minfo.RegionSize)
{
if ((minfo.State & MEM_FREE) && minfo.RegionSize >= len)
{
#ifdef _WIN64
if ((PBYTE)minfo.BaseAddress - base > 0xFFFFffff - len)
return NULL;
#endif
// Round up to the allocation granularity, presumed to be 64Ki.
mem = VirtualAllocEx( hProcess, (PVOID)
(((DWORD_PTR)minfo.BaseAddress + 0xFFFF) & ~0xFFFF),
len, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE );
if (mem != NULL)
return mem;
}
}
return NULL;
}
// Count the imports directly (including the terminator), since the size of the
// import directory is not necessarily correct (Windows doesn't use it at all).
static DWORD sizeof_imports( LPPROCESS_INFORMATION ppi,
PBYTE pBase, DWORD rImports )
{
IMAGE_IMPORT_DESCRIPTOR import;
PIMAGE_IMPORT_DESCRIPTOR pImports;
DWORD cnt;
if (rImports == 0)
return 0;
pImports = (PIMAGE_IMPORT_DESCRIPTOR)(pBase + rImports);
cnt = 0;
do
{
++cnt;
ReadProcVar( pImports++, &import );
} while (import.Name != 0);
return cnt * sizeof(import);
}
void InjectDLL( LPPROCESS_INFORMATION ppi, PBYTE pBase )
{
DWORD rva;
PVOID pMem;
DWORD len, import_size;
DWORD pr;
IMAGE_DOS_HEADER DosHeader;
IMAGE_NT_HEADERS NTHeader, *pNTHeader;
PIMAGE_IMPORT_DESCRIPTOR pImports;
IMAGE_COR20_HEADER ComHeader, *pComHeader;
union
{
PBYTE pB;
PLONG_PTR pL;
PIMAGE_IMPORT_DESCRIPTOR pI;
} ip;
ReadProcVar( pBase, &DosHeader );
pNTHeader = (PIMAGE_NT_HEADERS)(pBase + DosHeader.e_lfanew);
ReadProcVar( pNTHeader, &NTHeader );
// Windows 8 and later require the IDT to be part of a section when there's
// no IAT. This means we can't move the imports, so remote load instead.
if (NTHeader.DATADIRS <= IMAGE_DIRECTORY_ENTRY_IAT &&
get_os_version() >= 0x602)
{
#ifdef _WIN64
RemoteLoad64( ppi );
#else
RemoteLoad32( ppi );
#endif
return;
}
import_size = sizeof_imports( ppi, pBase, NTHeader.IMPORTDIR.VirtualAddress );
len = 2 * PTRSZ + ansi_len + sizeof(*pImports) + import_size;
pImports = HeapAlloc( hHeap, 0, len );
if (pImports == NULL)
{
DEBUGSTR( 1, " Failed to allocate memory" );
return;
}
pMem = FindMem( ppi->hProcess, pBase, len );
if (pMem == NULL)
{
DEBUGSTR( 1, " Failed to allocate virtual memory (%u)", GetLastError() );
HeapFree( hHeap, 0, pImports );
return;
}
rva = (DWORD)((PBYTE)pMem - pBase);
ip.pL = (PLONG_PTR)pImports;
*ip.pL++ = IMAGE_ORDINAL_FLAG + 1;
*ip.pL++ = 0;
RtlMoveMemory( ip.pB, ansi_dll, ansi_len );
ip.pB += ansi_len;
ip.pI->OriginalFirstThunk = 0;
ip.pI->TimeDateStamp = 0;
ip.pI->ForwarderChain = 0;
ip.pI->Name = rva + 2 * PTRSZ;
ip.pI->FirstThunk = rva;
ReadProcMem( pBase+NTHeader.IMPORTDIR.VirtualAddress, ip.pI+1, import_size );
WriteProcMem( pMem, pImports, len );
HeapFree( hHeap, 0, pImports );
// If there's no IAT, copy the original IDT (to allow writable ".idata").
if (NTHeader.DATADIRS > IMAGE_DIRECTORY_ENTRY_IAT &&
NTHeader.IATDIR.VirtualAddress == 0)
NTHeader.IATDIR = NTHeader.IMPORTDIR;
NTHeader.IMPORTDIR.VirtualAddress = rva + 2 * PTRSZ + ansi_len;
//NTHeader.IMPORTDIR.Size += sizeof(*pImports);
// Remove bound imports, so the updated import table is used.
if (NTHeader.DATADIRS > IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT)
{
NTHeader.BOUNDDIR.VirtualAddress = 0;
//NTHeader.BOUNDDIR.Size = 0;
}
VirtProtVar( pNTHeader, PAGE_READWRITE );
WriteProcVar( pNTHeader, &NTHeader );
VirtProtVar( pNTHeader, pr );
// Remove the IL-only flag on a managed process.
if (NTHeader.DATADIRS > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR &&
NTHeader.COMDIR.VirtualAddress != 0)
{
pComHeader = (PIMAGE_COR20_HEADER)(pBase + NTHeader.COMDIR.VirtualAddress);
ReadProcVar( pComHeader, &ComHeader );
if (ComHeader.Flags & COMIMAGE_FLAGS_ILONLY)
{
ComHeader.Flags &= ~COMIMAGE_FLAGS_ILONLY;
VirtProtVar( pComHeader, PAGE_READWRITE );
WriteProcVar( pComHeader, &ComHeader );
VirtProtVar( pComHeader, pr );
}
}
}
#ifdef _WIN64
void InjectDLL32( LPPROCESS_INFORMATION ppi, PBYTE pBase )
{
DWORD rva;
PVOID pMem;
DWORD len, import_size;
DWORD pr;
IMAGE_DOS_HEADER DosHeader;
IMAGE_NT_HEADERS32 NTHeader, *pNTHeader;
PIMAGE_IMPORT_DESCRIPTOR pImports;
IMAGE_COR20_HEADER ComHeader, *pComHeader;
union
{
PBYTE pB;
PLONG pL;
PIMAGE_IMPORT_DESCRIPTOR pI;
} ip;
ReadProcVar( pBase, &DosHeader );
pNTHeader = (PIMAGE_NT_HEADERS32)(pBase + DosHeader.e_lfanew);
ReadProcVar( pNTHeader, &NTHeader );
if (NTHeader.DATADIRS <= IMAGE_DIRECTORY_ENTRY_IAT &&
get_os_version() >= 0x602)
{
RemoteLoad32( ppi );
return;
}
import_size = sizeof_imports( ppi, pBase, NTHeader.IMPORTDIR.VirtualAddress );
len = 8 + ansi_len + sizeof(*pImports) + import_size;
pImports = HeapAlloc( hHeap, 0, len );
if (pImports == NULL)
{
DEBUGSTR( 1, " Failed to allocate memory" );
return;
}
pMem = FindMem( ppi->hProcess, pBase, len );
if (pMem == NULL)
{
DEBUGSTR( 1, " Failed to allocate virtual memory" );
HeapFree( hHeap, 0, pImports );
return;
}
rva = (DWORD)((PBYTE)pMem - pBase);
ip.pL = (PLONG)pImports;
*ip.pL++ = IMAGE_ORDINAL_FLAG32 + 1;
*ip.pL++ = 0;
RtlMoveMemory( ip.pB, ansi_dll, ansi_len );
ip.pB += ansi_len;
ip.pI->OriginalFirstThunk = 0;
ip.pI->TimeDateStamp = 0;
ip.pI->ForwarderChain = 0;
ip.pI->Name = rva + 8;
ip.pI->FirstThunk = rva;
ReadProcMem( pBase+NTHeader.IMPORTDIR.VirtualAddress, ip.pI+1, import_size );
WriteProcMem( pMem, pImports, len );
HeapFree( hHeap, 0, pImports );
if (NTHeader.DATADIRS > IMAGE_DIRECTORY_ENTRY_IAT &&
NTHeader.IATDIR.VirtualAddress == 0)
NTHeader.IATDIR = NTHeader.IMPORTDIR;
NTHeader.IMPORTDIR.VirtualAddress = rva + 8 + ansi_len;
//NTHeader.IMPORTDIR.Size += sizeof(*pImports);
if (NTHeader.DATADIRS > IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT)
{
NTHeader.BOUNDDIR.VirtualAddress = 0;
//NTHeader.BOUNDDIR.Size = 0;
}
VirtProtVar( pNTHeader, PAGE_READWRITE );
WriteProcVar( pNTHeader, &NTHeader );
VirtProtVar( pNTHeader, pr );
if (NTHeader.DATADIRS > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR &&
NTHeader.COMDIR.VirtualAddress != 0)
{
pComHeader = (PIMAGE_COR20_HEADER)(pBase + NTHeader.COMDIR.VirtualAddress);
ReadProcVar( pComHeader, &ComHeader );
if (ComHeader.Flags & COMIMAGE_FLAGS_ILONLY)
{
ComHeader.Flags &= ~COMIMAGE_FLAGS_ILONLY;
VirtProtVar( pComHeader, PAGE_READWRITE );
WriteProcVar( pComHeader, &ComHeader );
VirtProtVar( pComHeader, pr );
}
}
}
#endif
/*
Locate the base address of ntdll.dll. This is supposedly really at the same
address for every process, but let's find it anyway. A newly-created
suspended process has two images in memory: the process itself and ntdll.dll.
Thus the one that is a DLL must be ntdll.dll. However, a WOW64 process also
has the 64-bit version, so test the machine.
*/
#ifdef _WIN64
static PBYTE get_ntdll( LPPROCESS_INFORMATION ppi, WORD machine )
#else
static PBYTE get_ntdll( LPPROCESS_INFORMATION ppi )
#endif
{
PBYTE ptr;
MEMORY_BASIC_INFORMATION minfo;
IMAGE_DOS_HEADER dos_header;
IMAGE_NT_HEADERS nt_header;
for (ptr = NULL;
VirtualQueryEx( ppi->hProcess, ptr, &minfo, sizeof(minfo) );
ptr += minfo.RegionSize)
{
if (minfo.BaseAddress == minfo.AllocationBase
&& ReadProcVar( minfo.BaseAddress, &dos_header )
&& dos_header.e_magic == IMAGE_DOS_SIGNATURE
&& ReadProcVar( (PBYTE)minfo.BaseAddress + dos_header.e_lfanew,
&nt_header )
&& nt_header.Signature == IMAGE_NT_SIGNATURE
&& (nt_header.FileHeader.Characteristics & IMAGE_FILE_DLL)
#ifdef _WIN64
&& nt_header.FileHeader.Machine == machine
#endif
)
{
return minfo.BaseAddress;
}
}
DEBUGSTR( 1, " Failed to find ntdll.dll!" );
return NULL;
}
#ifdef _WIN64
void RemoteLoad64( LPPROCESS_INFORMATION ppi )
{
PBYTE ntdll;
DWORD rLdrLoadDll;
PBYTE pMem;
DWORD len;
HANDLE thread;
BYTE code[64];
union
{
PBYTE pB;
PUSHORT pS;
PDWORD pD;
PBYTE* pL;
} ip;
ntdll = get_ntdll( ppi, IMAGE_FILE_MACHINE_AMD64 );
if (ntdll == NULL)
return;
rLdrLoadDll = GetProcRVA( L"ntdll.dll", "LdrLoadDll", 64 );
if (rLdrLoadDll == 0)
return;
pMem = VirtualAllocEx( ppi->hProcess, NULL, 4096, MEM_COMMIT,
PAGE_EXECUTE_READ );
if (pMem == NULL)
{
DEBUGSTR(1, " Failed to allocate virtual memory (%u)", GetLastError());
return;
}
len = (DWORD)TSIZE(lstrlen( DllName ) + 1);
ip.pB = code;
*ip.pL++ = ntdll + rLdrLoadDll; // address of LdrLoadDll
*ip.pD++ = 0x38ec8348; // sub rsp, 0x38
*ip.pD++ = 0x244c8d4c; // lea r9, [rsp+0x20]
*ip.pD++ = 0x058d4c20; // lea r8, L"path\to\ANSI64.dll"
*ip.pD++ = 16; // xor edx, edx
*ip.pD++ = 0xc933d233; // xor ecx, ecx
*ip.pS++ = 0x15ff; // call LdrLoadDll
*ip.pD++ = -34; // add rsp, 0x38
*ip.pD++ = 0x38c48348; // ret
*ip.pS++ = 0x00c3; // alignment for the name
*ip.pS++ = (USHORT)(len - TSIZE(1)); // UNICODE_STRING.Length
*ip.pS++ = (USHORT)len; // UNICODE_STRING.MaximumLength
*ip.pD++ = 0; // padding
*ip.pL++ = pMem + 56; // UNICODE_STRING.Buffer
WriteProcMem( pMem, code, ip.pB - code );
*(PDWORD)DllNameType = 0x340036/*L'46'*/;
WriteProcMem( pMem + (ip.pB - code), DllName, len );
thread = CreateRemoteThread( ppi->hProcess, NULL, 4096,
(LPTHREAD_START_ROUTINE)(pMem + 8), NULL, 0, NULL );
WaitForSingleObject( thread, INFINITE );
CloseHandle( thread );
VirtualFreeEx( ppi->hProcess, pMem, 0, MEM_RELEASE );
}
#endif
void RemoteLoad32( LPPROCESS_INFORMATION ppi )
{
PBYTE ntdll;
DWORD rLdrLoadDll;
PBYTE pMem;
DWORD bMem;
DWORD len;
HANDLE thread;
BYTE code[64];
union
{
PBYTE pB;
PUSHORT pS;
PDWORD pD;
} ip;
#ifdef _WIN64
ntdll = get_ntdll( ppi, IMAGE_FILE_MACHINE_I386 );
#else
ntdll = get_ntdll( ppi );
#endif
if (ntdll == NULL)
return;
#ifdef _WIN64
rLdrLoadDll = GetProcRVA( L"ntdll.dll", "LdrLoadDll", 32 );
#else
rLdrLoadDll = GetProcRVA( L"ntdll.dll", "LdrLoadDll" );
#endif
if (rLdrLoadDll == 0)
return;
pMem = VirtualAllocEx( ppi->hProcess, NULL, 4096, MEM_COMMIT,
PAGE_EXECUTE_READ );
if (pMem == NULL)
{
DEBUGSTR(1, " Failed to allocate virtual memory (%u)", GetLastError());
return;
}
bMem = PtrToUint( pMem );
len = (DWORD)TSIZE(lstrlen( DllName ) + 1);
ip.pB = code;
*ip.pS++ = 0x5451; // push ecx esp
*ip.pB++ = 0x68; // push
*ip.pD++ = bMem + 20; // L"path\to\ANSI32.dll"
*ip.pD++ = 0x006A006A; // push 0 0
*ip.pB++ = 0xe8; // call LdrLoadDll
*ip.pD++ = PtrToUint( ntdll ) + rLdrLoadDll - (bMem + 16);
*ip.pD++ = 0xc359; // pop ecx / ret and padding
*ip.pS++ = (USHORT)(len - TSIZE(1)); // UNICODE_STRING.Length
*ip.pS++ = (USHORT)len; // UNICODE_STRING.MaximumLength
*ip.pD++ = bMem + 28; // UNICODE_STRING.Buffer
WriteProcMem( pMem, code, ip.pB - code );
#ifdef _WIN64
*(PDWORD)DllNameType = 0x320033/*L'23'*/;
#endif
WriteProcMem( pMem + (ip.pB - code), DllName, len );
thread = CreateRemoteThread( ppi->hProcess, NULL, 4096,
(LPTHREAD_START_ROUTINE)pMem, NULL, 0, NULL );
WaitForSingleObject( thread, INFINITE );
CloseHandle( thread );
VirtualFreeEx( ppi->hProcess, pMem, 0, MEM_RELEASE );
}