BOOL WINAPI DllMain(HINSTANCE hi, DWORD reason, LPVOID reserved)
{
if (reason == DLL_PROCESS_ATTACH)
{
LogWrap = LogWrapper;
LogErrorWrap = LogWrapper;
GetModuleFileNameW(hi, NtApiIniPath, _countof(NtApiIniPath));
WCHAR *temp = wcsrchr(NtApiIniPath, L'\\');
if (temp)
{
temp++;
*temp = 0;
wcscpy(ScyllaHideDllPath, NtApiIniPath);
wcscat(ScyllaHideDllPath, ScyllaHideDllFilename);
wcscpy(ScyllaHideIniPath, NtApiIniPath);
wcscat(ScyllaHideIniPath, ScyllaHideIniFilename);
wcscat(NtApiIniPath, NtApiIniFilename);
ReadCurrentProfile();
ReadSettings();
SetDebugPrivileges(); //set debug privilege
}
}
return TRUE;
}
HANDLE attachToProcess(DWORD procID)
{
OSVERSIONINFO osver;
// SetDebugPrivileges SE_DEBUG_NAME
printf("[+] Setting Debug Privileges [%d]\n", SetDebugPrivileges());
osver.dwOSVersionInfoSize = sizeof(osver);
if(GetVersionEx(&osver)) {
if(osver.dwMajorVersion == 5) {
printf("\t[+] Detected Windows XP\n");
return OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD, 0, procID);
}
if(osver.dwMajorVersion == 6 && osver.dwMinorVersion == 0) {
printf("\t[+] Detected Windows Vista\n");
return NULL;
}
if(osver.dwMajorVersion == 6 && osver.dwMinorVersion == 1) {
printf("\t[+] Detected Windows 7\n");
printf("\t[+] Attaching to Process ID: %d\n", procID);
return OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, procID);
}
} else {
printf("\n[!] Could not detect OS version\n");
}
return NULL;
}
int main(int argc, char* argv[])
{
printf( "This method was first used by BlackLight and it turned out to be very effective yet simple."
"Here, it enumerates through process id from 0 to 0x41DC and then check if that process exist by calling OpenProcess function."
"Then this list of discovered processes are compared with normal process list got using standard enumeration functions (such as Process32First, EnumProcesses functions).\n");
SetDebugPrivileges();
BruteforceProcessIds();
return 0;
}
HANDLE DllInjector::attachToProcess(DWORD procID)
{
SetDebugPrivileges();
if (IsWindows7OrGreater()) {
return OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, procID);
}
else {
if (_logger) _logger->error("get version ex Failed (probably bad win version!)! [%d]", GetLastError());
}
/* if (osver.dwMajorVersion == 5) {
return OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD, 0, procID);
}*/
return NULL;
}
int main(int argc, char* argv[]) {
char dllToInject[512],iniFilePath[512];
char cmd[512];
DWORD pid=0;
opt options;
FILE *in;
SetDebugPrivileges();
//printf("%s\n",getfile_fullpath("\\\\.\\pipe\\mojo.6136.4468.15747523823731339023"));
//return 1;
char basePath[512];
_fullpath(basePath, argv[0], sizeof(basePath));
for(char *p=basePath+strlen(basePath);p>basePath;p--){
if(*p=='\\') {
*(p+1)=0;
break;
}
}
//build ini path
strcpy(iniFilePath,basePath);
strcat(iniFilePath,INIFILE);
options.dumpIAT = FALSE;
options.loadINI = TRUE;
options.hook = TRUE;
options.unhook = FALSE;
options.cmdline = NULL;
options.waitKeyPress = FALSE;
options.iniPath = iniFilePath;
options.suspended=FALSE;
iniFile *ini=parseIni(iniFilePath);
options.ini=ini;
//build dll path
strcpy(dllToInject,basePath);
strcat(dllToInject,ini->dll);
if(argc<2) usage(dllToInject,iniFilePath);
in=fopen(dllToInject,"r");
if(in==NULL){
sprintf(cmd,"Error: DLL to inject NOT FOUND: %s",dllToInject);
logger(ini,"injector",cmd,strlen(cmd));
printf("DLL to inject not found... Path:\n");
printf("%s\n",dllToInject);
return 0;
}
fclose(in);
if(argc>1 && argv[1][0]=='/'){
//list processes
if(argv[1][1]=='?' || argv[1][1]=='h') usage(dllToInject,iniFilePath);
if(argv[1][1]=='l'){
listProcesses();
exit(0);
}
//read command line
if(argv[1][1]=='x' || argv[1][1]=='X'){
options.cmdline=argv[2];
options.waitKeyPress=argv[1][1]=='X'?TRUE:FALSE;
}
//read the pid
if(argv[1][1]=='p' || argv[1][1]=='P' || argv[1][1]=='i' || argv[1][1]=='u'){
pid=atoi(argv[2]);
if(argv[1][1]=='i') {
options.dumpIAT=TRUE;
options.hook=FALSE;
sprintf(cmd,"Dump IAT requested for Pid %d",pid);
logger(ini,"injector",cmd,strlen(cmd));
}
if(argv[1][1]=='u') {
options.dumpIAT=FALSE;
options.hook=FALSE;
options.loadINI=FALSE;
options.unhook=TRUE;
sprintf(cmd,"Unhook requested for PID %d",pid);
logger(ini,"injector",cmd,strlen(cmd));
}
if(argv[1][1]=='P') options.suspended=TRUE;
}
}
printf(TITLE"\n");
if(pid==0 && options.cmdline==NULL) return 1;
if(pid!=0){
HANDLE process = OpenProcess(MAXIMUM_ALLOWED, FALSE, pid);
if(process == NULL) {
printf("[Error] the specified process couldn't be found. Code: %d\n",GetLastError());
sprintf(cmd,"Error: Invalid Pid %d",pid);
logger(ini,"injector",cmd,strlen(cmd));
return 1;
}
}
if(ini->debuglevel>3){
sprintf(cmd,"sinjector.exe called...",pid);
logger(ini,"injector",cmd,strlen(cmd));
sprintf(cmd,"Ini: %s",iniFilePath);
logger(ini,"injector",cmd,strlen(cmd));
sprintf(cmd,"DLL: %s",dllToInject);
logger(ini,"injector",cmd,strlen(cmd));
}
//dump ini options
if(ini && ini->debuglevel>0){
printf("[ini] dll=%s\n",*ini->dll?ini->dll:"Error!!!");
if(ini->monitor) printf("[ini] monitor=%s\n",*ini->monitor?ini->monitor:"none (DISABLED)");
if(ini->logfile) printf("[ini] logfile=%s\n",*ini->logfile?ini->logfile:"none (DISABLED)");
if(ini->iatfile) printf("[ini] iatfile=%s\n",*ini->iatfile?ini->iatfile:"none (DISABLED)");
if(ini->backup) printf("[ini] backup=%s\n",*ini->backup?ini->backup:"none (DISABLED)");
printf("[ini] debuglevel=%d\n",ini->debuglevel);
printf("[ini] reinject=%d (%s)\n",ini->reinject,ini->reinject?"ENABLED":"DISABLED");
if(ini->reinject_blacklist) printf("[ini] reinject_blacklist=%s\n",*ini->reinject_blacklist?ini->reinject_blacklist:"none (DISABLED)");
}else{
options.loadINI=FALSE;
}
if(options.cmdline!=NULL){
spwanAndHook(dllToInject,&options);
}else{
injecta(pid,dllToInject,&options);
}
//printf("Press [intro] to exit...\n");
//getchar();
return 0;
/*
//Classic DLL Injection
//Get process handle passing in the process ID.
HANDLE process = OpenProcess(MAXIMUM_ALLOWED, FALSE, pid);
if(process == NULL) {
printf("Error: the specified process couldn't be found\n");
printf("PID: %d Last error: %d\n",pid,GetLastError());
return FALSE;
}
//Get address of the LoadLibrary function.
LPVOID addrLoadLib = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
if(addrLoadLib == NULL) {
printf("Error: the LoadLibraryA function was not found inside kernel32.dll library\n");
}
//Allocate new memory region inside the process's address space.
LPVOID arg = (LPVOID)VirtualAllocEx(process, NULL, strlen(buffer), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
if(arg == NULL) {
printf("Error: the memory could not be allocated inside the chosen process\n");
}
//Write the argument to LoadLibraryA to the process's newly allocated memory region.
int n = WriteProcessMemory(process, arg, buffer, strlen(buffer), NULL);
if(n == 0) {
printf("Error: there was no bytes written to the process's address space\n");
}
//Inject our DLL into the process's address space.
printf("Waiting for process (if it's suspended...)\n");
WaitForInputIdle(process,INFINITE);
HANDLE threadID = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)addrLoadLib, arg, 0, NULL);
if(threadID == NULL) {
printf("Error: the remote thread could not be created\n");
}
else {
printf("Success: the remote thread was successfully created\n");
}
//Close the handle to the process, becuase we've already injected the DLL.
CloseHandle(process);
*/
return 0;
}
