(C++) Manual DLL Injector

Unknown   August 04, 2017   Comment  

Source Code :  Click Disini

Jangan Lupa Komentar ya... 

1. #include <stdio.h>
2. #include <Windows.h>
3.  
4. typedef HMODULE (WINAPI *pLoadLibraryA)(LPCSTR);
5. typedef FARPROC (WINAPI *pGetProcAddress)(HMODULE,LPCSTR);
6.  
7. typedef BOOL (WINAPI *PDLL_MAIN)(HMODULE,DWORD,PVOID);
8.  
9. typedef struct _MANUAL_INJECT
10. {
11.     PVOID ImageBase;
12.     PIMAGE_NT_HEADERS NtHeaders;
13.     PIMAGE_BASE_RELOCATION BaseRelocation;
14.     PIMAGE_IMPORT_DESCRIPTOR ImportDirectory;
15.     pLoadLibraryA fnLoadLibraryA;
16.     pGetProcAddress fnGetProcAddress;
17. }MANUAL_INJECT,*PMANUAL_INJECT;
18.  
19. DWORD WINAPI LoadDll(PVOID p)
20. {
21.     PMANUAL_INJECT ManualInject;
22.  
23.     HMODULE hModule;
24.     DWORD i,Function,count,delta;
25.  
26.     PDWORD ptr;
27.     PWORD list;
28.  
29.     PIMAGE_BASE_RELOCATION pIBR;
30.     PIMAGE_IMPORT_DESCRIPTOR pIID;
31.     PIMAGE_IMPORT_BY_NAME pIBN;
32.     PIMAGE_THUNK_DATA FirstThunk,OrigFirstThunk;
33.  
34.     PDLL_MAIN EntryPoint;
35.  
36.     ManualInject=(PMANUAL_INJECT)p;
37.  
38.     pIBR=ManualInject->BaseRelocation;
39.     delta=(DWORD)((LPBYTE)ManualInject->ImageBase-ManualInject->NtHeaders->OptionalHeader.ImageBase); // Calculate the delta
40.  
41.     // Relocate the image
42.  
43.     while(pIBR->VirtualAddress)
44.     {
45.         if(pIBR->SizeOfBlock>=sizeof(IMAGE_BASE_RELOCATION))
46.         {
47.             count=(pIBR->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))/sizeof(WORD);
48.             list=(PWORD)(pIBR+1);
49.  
50.             for(i=0;i<count;i++)
51.             {
52.                 if(list[i])
53.                 {
54.                     ptr=(PDWORD)((LPBYTE)ManualInject->ImageBase+(pIBR->VirtualAddress+(list[i] & 0xFFF)));
55.                     *ptr+=delta;
56.                 }
57.             }
58.         }
59.  
60.         pIBR=(PIMAGE_BASE_RELOCATION)((LPBYTE)pIBR+pIBR->SizeOfBlock);
61.     }
62.  
63.     pIID=ManualInject->ImportDirectory;
64.  
65.     // Resolve DLL imports
66.  
67.     while(pIID->Characteristics)
68.     {
69.         OrigFirstThunk=(PIMAGE_THUNK_DATA)((LPBYTE)ManualInject->ImageBase+pIID->OriginalFirstThunk);
70.         FirstThunk=(PIMAGE_THUNK_DATA)((LPBYTE)ManualInject->ImageBase+pIID->FirstThunk);
71.  
72.         hModule=ManualInject->fnLoadLibraryA((LPCSTR)ManualInject->ImageBase+pIID->Name);
73.  
74.         if(!hModule)
75.         {
76.             return FALSE;
77.         }
78.  
79.         while(OrigFirstThunk->u1.AddressOfData)
80.         {
81.             if(OrigFirstThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG)
82.             {
83.                 // Import by ordinal
84.                  
85.                 Function=(DWORD)ManualInject->fnGetProcAddress(hModule,(LPCSTR)(OrigFirstThunk->u1.Ordinal & 0xFFFF));
86.  
87.                 if(!Function)
88.                 {
89.                     return FALSE;
90.                 }
91.  
92.                 FirstThunk->u1.Function=Function;
93.             }
94.  
95.             else
96.             {
97.                 // Import by name
98.  
99.                 pIBN=(PIMAGE_IMPORT_BY_NAME)((LPBYTE)ManualInject->ImageBase+OrigFirstThunk->u1.AddressOfData);
100.                 Function=(DWORD)ManualInject->fnGetProcAddress(hModule,(LPCSTR)pIBN->Name);
101.  
102.                 if(!Function)
103.                 {
104.                     return FALSE;
105.                 }
106.  
107.                 FirstThunk->u1.Function=Function;
108.             }
109.  
110.             OrigFirstThunk++;
111.             FirstThunk++;
112.         }
113.  
114.         pIID++;
115.     }
116.  
117.     if(ManualInject->NtHeaders->OptionalHeader.AddressOfEntryPoint)
118.     {
119.         EntryPoint=(PDLL_MAIN)((LPBYTE)ManualInject->ImageBase+ManualInject->NtHeaders->OptionalHeader.AddressOfEntryPoint);
120.         return EntryPoint((HMODULE)ManualInject->ImageBase,DLL_PROCESS_ATTACH,NULL); // Call the entry point
121.     }
122.  
123.     return TRUE;
124. }
125.  
126. DWORD WINAPI LoadDllEnd()
127. {
128.     return 0;
129. }
130.  
131. int wmain(int argc,wchar_t* argv[])
132. {
133.     PIMAGE_DOS_HEADER pIDH;
134.     PIMAGE_NT_HEADERS pINH;
135.     PIMAGE_SECTION_HEADER pISH;
136.      
137.     HANDLE hProcess,hThread,hFile,hToken;
138.     PVOID buffer,image,mem;
139.     DWORD i,FileSize,ProcessId,ExitCode,read;
140.  
141.     TOKEN_PRIVILEGES tp;
142.     MANUAL_INJECT ManualInject;
143.  
144.     if(argc<3)
145.     {
146.         printf("\nUsage: ManualInject [DLL name] [PID]\n");
147.         return -1;
148.     }
149.  
150.     if(OpenProcessToken((HANDLE)-1,TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
151.     {
152.         tp.PrivilegeCount=1;
153.         tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
154.  
155.         tp.Privileges[0].Luid.LowPart=20;
156.         tp.Privileges[0].Luid.HighPart=0;
157.  
158.         AdjustTokenPrivileges(hToken,FALSE,&tp,0,NULL,NULL);
159.         CloseHandle(hToken);
160.     }
161.  
162.     printf("\nOpening the DLL.\n");
163.     hFile=CreateFile(argv[1],GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,0,NULL); // Open the DLL
164.  
165.     if(hFile==INVALID_HANDLE_VALUE)
166.     {
167.         printf("\nError: Unable to open the DLL (%d)\n",GetLastError());
168.         return -1;
169.     }
170.  
171.     FileSize=GetFileSize(hFile,NULL);
172.     buffer=VirtualAlloc(NULL,FileSize,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE);
173.  
174.     if(!buffer)
175.     {
176.         printf("\nError: Unable to allocate memory for DLL data (%d)\n",GetLastError());
177.          
178.         CloseHandle(hFile);
179.         return -1;
180.     }
181.  
182.     // Read the DLL
183.  
184.     if(!ReadFile(hFile,buffer,FileSize,&read,NULL))
185.     {
186.         printf("\nError: Unable to read the DLL (%d)\n",GetLastError());
187.  
188.         VirtualFree(buffer,0,MEM_RELEASE);
189.         CloseHandle(hFile);
190.  
191.         return -1;
192.     }
193.  
194.     CloseHandle(hFile);
195.  
196.     pIDH=(PIMAGE_DOS_HEADER)buffer;
197.  
198.     if(pIDH->e_magic!=IMAGE_DOS_SIGNATURE)
199.     {
200.         printf("\nError: Invalid executable image.\n");
201.          
202.         VirtualFree(buffer,0,MEM_RELEASE);
203.         return -1;
204.     }
205.  
206.     pINH=(PIMAGE_NT_HEADERS)((LPBYTE)buffer+pIDH->e_lfanew);
207.  
208.     if(pINH->Signature!=IMAGE_NT_SIGNATURE)
209.     {
210.         printf("\nError: Invalid PE header.\n");
211.          
212.         VirtualFree(buffer,0,MEM_RELEASE);
213.         return -1;
214.     }
215.  
216.     if(!(pINH->FileHeader.Characteristics & IMAGE_FILE_DLL))
217.     {
218.         printf("\nError: The image is not DLL.\n");
219.          
220.         VirtualFree(buffer,0,MEM_RELEASE);
221.         return -1;
222.     }
223.  
224.     ProcessId=wcstoul(argv[2],NULL,0);
225.  
226.     printf("\nOpening target process.\n");
227.     hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,ProcessId);
228.  
229.     if(!hProcess)
230.     {
231.         printf("\nError: Unable to open target process (%d)\n",GetLastError());
232.          
233.         VirtualFree(buffer,0,MEM_RELEASE);
234.         CloseHandle(hProcess);
235.  
236.         return -1;
237.     }
238.  
239.     printf("\nAllocating memory for the DLL.\n");
240.     image=VirtualAllocEx(hProcess,NULL,pINH->OptionalHeader.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE); // Allocate memory for the DLL
241.  
242.     if(!image)
243.     {
244.         printf("\nError: Unable to allocate memory for the DLL (%d)\n",GetLastError());
245.          
246.         VirtualFree(buffer,0,MEM_RELEASE);
247.         CloseHandle(hProcess);
248.  
249.         return -1;
250.     }
251.  
252.     // Copy the header to target process
253.  
254.     printf("\nCopying headers into target process.\n");
255.  
256.     if(!WriteProcessMemory(hProcess,image,buffer,pINH->OptionalHeader.SizeOfHeaders,NULL))
257.     {
258.         printf("\nError: Unable to copy headers to target process (%d)\n",GetLastError());
259.          
260.         VirtualFreeEx(hProcess,image,0,MEM_RELEASE);
261.         CloseHandle(hProcess);
262.  
263.         VirtualFree(buffer,0,MEM_RELEASE);
264.         return -1;
265.     }
266.  
267.     pISH=(PIMAGE_SECTION_HEADER)(pINH+1);
268.  
269.     // Copy the DLL to target process
270.  
271.     printf("\nCopying sections to target process.\n");
272.  
273.     for(i=0;i<pINH->FileHeader.NumberOfSections;i++)
274.     {
275.         WriteProcessMemory(hProcess,(PVOID)((LPBYTE)image+pISH[i].VirtualAddress),(PVOID)((LPBYTE)buffer+pISH[i].PointerToRawData),pISH[i].SizeOfRawData,NULL);
276.     }
277.  
278.     printf("\nAllocating memory for the loader code.\n");
279.     mem=VirtualAllocEx(hProcess,NULL,4096,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE); // Allocate memory for the loader code
280.  
281.     if(!mem)
282.     {
283.         printf("\nError: Unable to allocate memory for the loader code (%d)\n",GetLastError());
284.  
285.         VirtualFreeEx(hProcess,image,0,MEM_RELEASE);
286.         CloseHandle(hProcess);
287.  
288.         VirtualFree(buffer,0,MEM_RELEASE);
289.         return -1;
290.     }
291.  
292.     printf("\nLoader code allocated at %#x\n",mem);
293.     memset(&ManualInject,0,sizeof(MANUAL_INJECT));
294.  
295.     ManualInject.ImageBase=image;
296.     ManualInject.NtHeaders=(PIMAGE_NT_HEADERS)((LPBYTE)image+pIDH->e_lfanew);
297.     ManualInject.BaseRelocation=(PIMAGE_BASE_RELOCATION)((LPBYTE)image+pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
298.     ManualInject.ImportDirectory=(PIMAGE_IMPORT_DESCRIPTOR)((LPBYTE)image+pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
299.     ManualInject.fnLoadLibraryA=LoadLibraryA;
300.     ManualInject.fnGetProcAddress=GetProcAddress;
301.  
302.     printf("\nWriting loader code to target process.\n");
303.  
304.     WriteProcessMemory(hProcess,mem,&ManualInject,sizeof(MANUAL_INJECT),NULL); // Write the loader information to target process
305.     WriteProcessMemory(hProcess,(PVOID)((PMANUAL_INJECT)mem+1),LoadDll,(DWORD)LoadDllEnd-(DWORD)LoadDll,NULL); // Write the loader code to target process
306.  
307.     printf("\nExecuting loader code.\n");
308.     hThread=CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)((PMANUAL_INJECT)mem+1),mem,0,NULL); // Create a remote thread to execute the loader code
309.  
310.     if(!hThread)
311.     {
312.         printf("\nError: Unable to execute loader code (%d)\n",GetLastError());
313.  
314.         VirtualFreeEx(hProcess,mem,0,MEM_RELEASE);
315.         VirtualFreeEx(hProcess,image,0,MEM_RELEASE);
316.  
317.         CloseHandle(hProcess);
318.  
319.         VirtualFree(buffer,0,MEM_RELEASE);
320.         return -1;
321.     }
322.  
323.     WaitForSingleObject(hThread,INFINITE);
324.     GetExitCodeThread(hThread,&ExitCode);
325.  
326.     if(!ExitCode)
327.     {
328.         VirtualFreeEx(hProcess,mem,0,MEM_RELEASE);
329.         VirtualFreeEx(hProcess,image,0,MEM_RELEASE);
330.  
331.         CloseHandle(hThread);
332.         CloseHandle(hProcess);
333.  
334.         VirtualFree(buffer,0,MEM_RELEASE);
335.         return -1;
336.     }
337.  
338.     CloseHandle(hThread);
339.     VirtualFreeEx(hProcess,mem,0,MEM_RELEASE);
340.  
341.     CloseHandle(hProcess);
342.  
343.     printf("\nDLL injected at %#x\n",image);
344.      
345.     if(pINH->OptionalHeader.AddressOfEntryPoint)
346.     {
347.         printf("\nDLL entry point: %#x\n",(PVOID)((LPBYTE)image+pINH->OptionalHeader.AddressOfEntryPoint));
348.     }
349.  
350.     VirtualFree(buffer,0,MEM_RELEASE);
351.     return 0;
352. }