├── ModExMap.sln ├── ModExMap ├── ModExMap.cpp ├── ModExMap.h ├── ModExMap.vcxproj ├── ModExMap.vcxproj.filters ├── ModExMap.vcxproj.user ├── includes.h ├── main.cpp ├── pestruct.h └── shellcode.h └── README.md /ModExMap.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31205.134 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ModExMap", "ModExMap\ModExMap.vcxproj", "{21573076-ED53-402D-BD74-9C46507197F4}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {21573076-ED53-402D-BD74-9C46507197F4}.Debug|x64.ActiveCfg = Debug|x64 17 | {21573076-ED53-402D-BD74-9C46507197F4}.Debug|x64.Build.0 = Debug|x64 18 | {21573076-ED53-402D-BD74-9C46507197F4}.Debug|x86.ActiveCfg = Debug|Win32 19 | {21573076-ED53-402D-BD74-9C46507197F4}.Debug|x86.Build.0 = Debug|Win32 20 | {21573076-ED53-402D-BD74-9C46507197F4}.Release|x64.ActiveCfg = Release|x64 21 | {21573076-ED53-402D-BD74-9C46507197F4}.Release|x64.Build.0 = Release|x64 22 | {21573076-ED53-402D-BD74-9C46507197F4}.Release|x86.ActiveCfg = Release|Win32 23 | {21573076-ED53-402D-BD74-9C46507197F4}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {C903FFFC-05B5-4326-9DD5-9F7DEBF2B39B} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /ModExMap/ModExMap.cpp: -------------------------------------------------------------------------------- 1 | #include "includes.h" 2 | #include "shellcode.h" 3 | 4 | bool is_32_bit; 5 | int modcount; 6 | DWORD pid; 7 | uintptr_t base; 8 | HANDLE prochandle; 9 | 10 | template 11 | T read(uintptr_t addy) { 12 | T buffer; 13 | ReadProcessMemory(prochandle, (LPVOID)addy, &buffer, sizeof(T), 0); 14 | return buffer; 15 | } 16 | template 17 | void write(uintptr_t addy, T buffer) { 18 | WriteProcessMemory(prochandle, (LPVOID)addy, &buffer, sizeof(T), 0); 19 | } 20 | 21 | 22 | DWORD get_pid(const char* exename) { 23 | HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 24 | if (hSnap == INVALID_HANDLE_VALUE) { 25 | printf("Failed opening Snapshot! 0x%x", GetLastError()); 26 | return 0; 27 | } 28 | 29 | PROCESSENTRY32 pe32{ 0 }; 30 | pe32.dwSize = sizeof(pe32); 31 | 32 | BOOL status = Process32First(hSnap, &pe32); 33 | while (status) { 34 | if (!strcmp(pe32.szExeFile, exename)) { 35 | CloseHandle(hSnap); 36 | return pe32.th32ProcessID; 37 | } 38 | status = Process32Next(hSnap, &pe32); 39 | } 40 | CloseHandle(hSnap); 41 | return 0; 42 | } 43 | uintptr_t get_base(const char* modname, DWORD pid) { 44 | uintptr_t base_buffer = 0; 45 | HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid); 46 | if (hSnap == INVALID_HANDLE_VALUE) { 47 | printf("Failed opening Snapshot! 0x%x", GetLastError()); 48 | return 0; 49 | } 50 | 51 | MODULEENTRY32 me32{ 0 }; 52 | me32.dwSize = sizeof(me32); 53 | 54 | BOOL status = Module32First(hSnap, &me32); 55 | while (status) { 56 | if (!strcmp(me32.szModule, modname)) { 57 | base_buffer = (uintptr_t)me32.modBaseAddr; 58 | IsWow64Process(prochandle, (PBOOL)&is_32_bit); 59 | } 60 | status = Module32Next(hSnap, &me32); 61 | modcount++; 62 | } 63 | CloseHandle(hSnap); 64 | return base_buffer; 65 | } 66 | 67 | bool ModExMap::attach(const char* proc_name) { 68 | pid = get_pid(proc_name); 69 | if (!pid) { 70 | printf("Couldn't find process\n"); 71 | return false; 72 | } 73 | prochandle = OpenProcess(PROCESS_ALL_ACCESS, 0, pid); 74 | if (prochandle <= 0) { 75 | printf("Couldn't open handle with all access\n"); 76 | return false; 77 | } 78 | base = get_base(proc_name, pid); 79 | if (!base) { 80 | printf("Couldn't get base. Guess its protected\n"); 81 | return false; 82 | } 83 | 84 | if (is_32_bit) 85 | printf("Proc is 32bit\n"); 86 | return TRUE; 87 | 88 | 89 | } 90 | 91 | extern "C"{ 92 | __kernel_entry NTSTATUS 93 | NTAPI 94 | NtQueryInformationProcess( 95 | IN HANDLE ProcessHandle, 96 | IN PROCESSINFOCLASS ProcessInformationClass, 97 | OUT PVOID ProcessInformation, 98 | IN ULONG ProcessInformationLength, 99 | OUT PULONG ReturnLength OPTIONAL 100 | ); 101 | 102 | } 103 | uintptr_t find_avail_memory(size_t size) { 104 | uintptr_t allocation = 0x0; 105 | PROCESS_BASIC_INFORMATION64 pI; 106 | NtQueryInformationProcess(prochandle, (PROCESSINFOCLASS)0, &pI, sizeof(pI), 0); 107 | if (is_32_bit) { 108 | pI.PebBaseAddress += 0x1000; //32 bit processes have 2 PEBs. Since we are 64 we get the 64 addy. + 1 page = 32bit 109 | _PEB32 peb = read<_PEB32>(pI.PebBaseAddress); 110 | 111 | DWORD first_entry = read(peb.Ldr + 0xC); 112 | while (peb.Ldr + 0xC != first_entry) { //Iterate all modules 113 | START: 114 | DWORD modbase = read(first_entry + 0x18); 115 | DWORD modsize = read(first_entry + 0x20); 116 | 117 | IMAGE_DOS_HEADER dos = read(modbase); 118 | IMAGE_NT_HEADERS32 nt = read(modbase + dos.e_lfanew); 119 | 120 | DWORD end_of_curr_module = modbase + nt.OptionalHeader.SizeOfImage; 121 | DWORD to_allocate = end_of_curr_module; 122 | 123 | while (to_allocate % 0x10000 != 0) { 124 | to_allocate += 0x1; 125 | } 126 | DWORD skipped = to_allocate - end_of_curr_module; 127 | bool found = false; 128 | for (int i = 0; i <= (size / 0x1000); i++) { 129 | MEMORY_BASIC_INFORMATION mbi; 130 | VirtualQueryEx(prochandle, (LPCVOID)(to_allocate + i * 0x1000), &mbi, sizeof(MEMORY_BASIC_INFORMATION)); 131 | if (mbi.AllocationBase) { 132 | found = true; 133 | break; 134 | } 135 | } 136 | if (found) { 137 | first_entry = read(first_entry); 138 | goto START; 139 | } 140 | write(first_entry + 0x20, (DWORD)(size + modsize + skipped)); 141 | IMAGE_NT_HEADERS32 NTFAKE = nt; 142 | NTFAKE.OptionalHeader.SizeOfImage = nt.OptionalHeader.SizeOfImage + skipped + size; 143 | DWORD old; 144 | VirtualProtectEx(prochandle, (LPVOID)(modbase + dos.e_lfanew), sizeof(IMAGE_NT_HEADERS32), PAGE_READWRITE, &old); 145 | write(modbase + dos.e_lfanew, NTFAKE); 146 | VirtualProtectEx(prochandle, (LPVOID)(modbase + dos.e_lfanew), sizeof(IMAGE_NT_HEADERS32), old, &old); 147 | allocation = to_allocate; 148 | break; 149 | } 150 | 151 | 152 | } 153 | else 154 | { 155 | _PEB64 peb = read<_PEB64>(pI.PebBaseAddress); 156 | 157 | uintptr_t first_entry = read(peb.Ldr + 0x10); 158 | while (peb.Ldr + 0x10 != first_entry) { //Iterate all modules 159 | START2: 160 | uintptr_t modbase = read(first_entry + 0x30); 161 | uintptr_t modsize = read(first_entry + 0x40); 162 | 163 | IMAGE_DOS_HEADER dos = read(modbase); 164 | IMAGE_NT_HEADERS nt = read(modbase + dos.e_lfanew); 165 | 166 | uintptr_t end_of_curr_module = modbase + nt.OptionalHeader.SizeOfImage; 167 | uintptr_t to_allocate = end_of_curr_module; 168 | 169 | while (to_allocate % 0x10000 != 0) { 170 | to_allocate += 0x1; 171 | } 172 | uintptr_t skipped = to_allocate - end_of_curr_module; 173 | bool found = false; 174 | for (int i = 0; i <= (size / 0x1000); i++) { 175 | MEMORY_BASIC_INFORMATION mbi; 176 | VirtualQueryEx(prochandle, (LPCVOID)(to_allocate + i * 0x1000), &mbi, sizeof(MEMORY_BASIC_INFORMATION)); 177 | if (mbi.AllocationBase) { 178 | found = true; 179 | break; 180 | } 181 | } 182 | if (found) { 183 | first_entry = read(first_entry); 184 | goto START2; 185 | } 186 | write(first_entry + 0x40, (uintptr_t)(size + modsize + skipped)); 187 | IMAGE_NT_HEADERS NTFAKE = nt; 188 | NTFAKE.OptionalHeader.SizeOfImage = nt.OptionalHeader.SizeOfImage + skipped + size; 189 | DWORD old; 190 | VirtualProtectEx(prochandle, (LPVOID)(modbase + dos.e_lfanew), sizeof(IMAGE_NT_HEADERS), PAGE_READWRITE, &old); 191 | write(modbase + dos.e_lfanew, NTFAKE); 192 | VirtualProtectEx(prochandle, (LPVOID)(modbase + dos.e_lfanew), sizeof(IMAGE_NT_HEADERS), old, &old); 193 | allocation = to_allocate; 194 | break; 195 | } 196 | } 197 | 198 | 199 | return allocation; 200 | } 201 | 202 | DWORD get_export(const char* modname, const char* funcname) { 203 | uintptr_t base_buffer = 0; 204 | HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid); 205 | if (hSnap == INVALID_HANDLE_VALUE) { 206 | printf("Failed opening Snapshot! 0x%x", GetLastError()); 207 | } 208 | 209 | MODULEENTRY32 me32{ 0 }; 210 | me32.dwSize = sizeof(me32); 211 | 212 | BOOL status = Module32First(hSnap, &me32); 213 | while (status) { 214 | if (!_stricmp(me32.szModule, modname)) { 215 | uintptr_t base = (uintptr_t)me32.modBaseAddr; 216 | IMAGE_DOS_HEADER dos_header = { 0 }; 217 | IMAGE_NT_HEADERS32 nt_headers = { 0 }; 218 | 219 | if (!ReadProcessMemory(prochandle, (LPVOID)base, &dos_header, sizeof(dos_header), 0) || dos_header.e_magic != IMAGE_DOS_SIGNATURE || 220 | !ReadProcessMemory(prochandle, (LPVOID)(base + dos_header.e_lfanew), &nt_headers, sizeof(nt_headers), 0) || nt_headers.Signature != IMAGE_NT_SIGNATURE) { 221 | printf("ERROR\n"); 222 | return 0; 223 | } 224 | 225 | 226 | 227 | const auto export_base = nt_headers.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; 228 | const auto export_base_size = nt_headers.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; 229 | 230 | if (!export_base || !export_base_size) { 231 | printf("ERROR\n"); 232 | return 0; 233 | } 234 | 235 | 236 | const auto export_data = reinterpret_cast(VirtualAlloc(nullptr, export_base_size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE)); 237 | 238 | if (!ReadProcessMemory(prochandle, (LPVOID)(base + export_base), export_data, export_base_size, 0)) 239 | { 240 | VirtualFree(export_data, 0, MEM_RELEASE); 241 | printf("ERROR\n"); 242 | return 0; 243 | } 244 | 245 | const auto delta = reinterpret_cast(export_data) - export_base; 246 | 247 | const auto name_table = reinterpret_cast(export_data->AddressOfNames + delta); 248 | const auto ordinal_table = reinterpret_cast(export_data->AddressOfNameOrdinals + delta); 249 | const auto function_table = reinterpret_cast(export_data->AddressOfFunctions + delta); 250 | 251 | for (auto i = 0u; i < export_data->NumberOfNames; ++i) { 252 | const std::string current_function_name = std::string(reinterpret_cast(name_table[i] + delta)); 253 | 254 | if (!_stricmp(current_function_name.c_str(), funcname)) { 255 | const auto function_ordinal = ordinal_table[i]; 256 | const auto function_address = base + function_table[function_ordinal]; 257 | 258 | if (function_address >= base + export_base && function_address <= base + export_base + export_base_size) { 259 | VirtualFree(export_data, 0, MEM_RELEASE); 260 | return 0; // No forwarded exports on 64bit? 261 | } 262 | 263 | VirtualFree(export_data, 0, MEM_RELEASE); 264 | return function_address; 265 | } 266 | } 267 | 268 | VirtualFree(export_data, 0, MEM_RELEASE); 269 | return 0; 270 | 271 | 272 | CloseHandle(hSnap); 273 | } 274 | status = Module32Next(hSnap, &me32); 275 | } 276 | CloseHandle(hSnap); 277 | return 0; 278 | } 279 | template 280 | void map_sections(uintptr_t remote_base, char* img, T nt) { 281 | PIMAGE_SECTION_HEADER cSectionHeader = IMAGE_FIRST_SECTION(nt); 282 | for (int i = 0; i < nt->FileHeader.NumberOfSections; ++i, ++cSectionHeader) { 283 | if (cSectionHeader->SizeOfRawData) { 284 | if (WriteProcessMemory(prochandle, (char*)remote_base + cSectionHeader->VirtualAddress, (BYTE*)img + cSectionHeader->PointerToRawData, cSectionHeader->SizeOfRawData, 0)) { 285 | printf("Wrote %i section to %p\n", i, remote_base + cSectionHeader->VirtualAddress); 286 | } 287 | else 288 | printf("Failed writing %i section to %p error %x\n", i, remote_base + cSectionHeader->VirtualAddress, GetLastError()); 289 | } 290 | } 291 | } 292 | template 293 | struct injectiondata { 294 | T loadlibrary; 295 | T getprocaddress; 296 | T dll; 297 | }; 298 | bool ModExMap::map_dll(char* img, size_t disksize,bool wait_for_dllreturn, bool erasepeheader) { 299 | PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)img; 300 | DWORD shellcodesize = is_32_bit ? sizeof(shellcode32) : sizeof(shellcode64); 301 | PIMAGE_NT_HEADERS32 nt32 = (PIMAGE_NT_HEADERS32)(img + dos->e_lfanew); 302 | PIMAGE_NT_HEADERS nt64 = (PIMAGE_NT_HEADERS)(img + dos->e_lfanew); 303 | DWORD totalsize = (is_32_bit ? nt32->OptionalHeader.SizeOfImage : nt64->OptionalHeader.SizeOfImage) + shellcodesize + disksize; 304 | 305 | uintptr_t remote_base = find_avail_memory(totalsize); 306 | VirtualAllocEx(prochandle, (LPVOID)remote_base, totalsize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); 307 | printf("Allocated at %p\n", remote_base); 308 | WriteProcessMemory(prochandle, (LPVOID)remote_base, img, 0x1000, 0); 309 | if(is_32_bit) 310 | map_sections(remote_base, img, nt32); 311 | else 312 | map_sections(remote_base, img, nt64); 313 | 314 | 315 | if (is_32_bit) { 316 | injectiondata data; 317 | data.loadlibrary = get_export("KERNEL32.DLL", "LoadLibraryA"); 318 | data.getprocaddress = get_export("KERNELBASE.DLL", "GetProcAddress"); 319 | data.dll = 0; 320 | write>(remote_base, data); 321 | } 322 | else 323 | { 324 | injectiondata data; 325 | data.loadlibrary = (uintptr_t)LoadLibraryA; 326 | data.getprocaddress = (uintptr_t)GetProcAddress; 327 | data.dll = 0; 328 | write>(remote_base, data); 329 | } 330 | 331 | WriteProcessMemory(prochandle, (LPVOID)(remote_base + totalsize - 0x1000), (LPVOID)(is_32_bit ? shellcode32 : shellcode64), shellcodesize,0); 332 | HANDLE ThreadHandle = CreateRemoteThread(prochandle, 0, 0, (LPTHREAD_START_ROUTINE)(remote_base + totalsize - 0x1000), (LPVOID)remote_base, 0, 0); 333 | CloseHandle(ThreadHandle); 334 | 335 | if (wait_for_dllreturn) { 336 | DWORD offset = is_32_bit ? 0x8 : 0x10; 337 | while (!read(remote_base + offset)) { 338 | Sleep(1000); //Wait for hdll to be set 339 | } 340 | } 341 | else 342 | { 343 | Sleep(5000); 344 | } 345 | char buffer[0x1000]; 346 | memset(buffer, 0, 0x1000); 347 | if (erasepeheader) { 348 | WriteProcessMemory(prochandle, (LPVOID)remote_base, buffer, sizeof(buffer), 0); 349 | } 350 | 351 | WriteProcessMemory(prochandle, (LPVOID)(remote_base + totalsize - 0x1000), buffer, shellcodesize, 0); 352 | CloseHandle(prochandle); 353 | free(img); 354 | return true; 355 | } -------------------------------------------------------------------------------- /ModExMap/ModExMap.h: -------------------------------------------------------------------------------- 1 | namespace ModExMap { 2 | bool attach(const char* proc_name); 3 | bool map_dll(char* img, size_t disksize, bool wait_for_dllreturn, bool erasepeheader); 4 | } -------------------------------------------------------------------------------- /ModExMap/ModExMap.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {21573076-ed53-402d-bd74-9c46507197f4} 25 | ModExMap 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | MultiByte 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | false 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Level3 88 | true 89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 90 | true 91 | 92 | 93 | Console 94 | true 95 | 96 | 97 | 98 | 99 | Level3 100 | true 101 | true 102 | true 103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 104 | true 105 | 106 | 107 | Console 108 | true 109 | true 110 | true 111 | 112 | 113 | 114 | 115 | Level3 116 | true 117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 118 | true 119 | 120 | 121 | Console 122 | true 123 | 124 | 125 | 126 | 127 | Level3 128 | true 129 | true 130 | true 131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 132 | true 133 | 134 | 135 | Console 136 | true 137 | true 138 | true 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | -------------------------------------------------------------------------------- /ModExMap/ModExMap.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Ressourcendateien 20 | 21 | 22 | Headerdateien 23 | 24 | 25 | 26 | 27 | Headerdateien 28 | 29 | 30 | Headerdateien 31 | 32 | 33 | Headerdateien 34 | 35 | 36 | Headerdateien 37 | 38 | 39 | -------------------------------------------------------------------------------- /ModExMap/ModExMap.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /ModExMap/includes.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #pragma comment(lib, "ntdll.lib") 8 | #include "pestruct.h" 9 | #include "ModExMap.h" 10 | -------------------------------------------------------------------------------- /ModExMap/main.cpp: -------------------------------------------------------------------------------- 1 | #include "includes.h" 2 | bool LoadDLL(const char* path, uintptr_t* copy, size_t* size) { 3 | if (!GetFileAttributesA(path)) 4 | printf("File doesn't exist\n"); 5 | 6 | std::ifstream sFile(path, std::ios::binary | std::ios::ate); 7 | 8 | if (sFile.fail()) 9 | printf("Couldn't open filestream\n"); 10 | 11 | *size = sFile.tellg(); 12 | 13 | if (!*size) 14 | printf("File too short"); 15 | 16 | *copy = (uintptr_t)malloc(*size); 17 | if (!*copy) 18 | printf("Error allocating memory in local process\n"); 19 | printf("Allocated memory for dll in local process at: 0x%p\n", *copy); 20 | 21 | sFile.seekg(0, std::ios::beg); 22 | sFile.read((char*)*copy, *size); 23 | sFile.close(); 24 | printf("Read file! Dump {%x, %x}\n", *(uint8_t*)*copy, *(uint8_t*)((uintptr_t)*copy + 1)); 25 | return true; 26 | } 27 | 28 | 29 | 30 | int main() { 31 | 32 | 33 | 34 | uintptr_t base; size_t size; 35 | if (!LoadDLL("C:\\Users\\weak\\Desktop\\old projects\\OldStuff\\Helloworld\\x64\\Release\\Helloworld.dll", &base, &size)) { 36 | printf("Couldn't load dll\n"); 37 | goto END; 38 | } 39 | if (!ModExMap::attach("PortalWars-Win64-Shipping.exe")) { 40 | printf("Couldn't attach to proc\n"); 41 | goto END; 42 | } 43 | 44 | if (!ModExMap::map_dll((char*)base, size, true, true)) 45 | { 46 | printf("Couldn't map dll\n"); 47 | goto END; 48 | } 49 | END: 50 | system("pause"); 51 | } -------------------------------------------------------------------------------- /ModExMap/pestruct.h: -------------------------------------------------------------------------------- 1 | template 2 | struct _UNICODE_STRING_T 3 | { 4 | WORD Length; 5 | WORD MaximumLength; 6 | T Buffer; 7 | }; 8 | 9 | template 10 | struct _LIST_ENTRY_T 11 | { 12 | T Flink; 13 | T Blink; 14 | }; 15 | 16 | template 17 | struct _PEB_T 18 | { 19 | typedef T type; 20 | 21 | union 22 | { 23 | struct 24 | { 25 | BYTE InheritedAddressSpace; 26 | BYTE ReadImageFileExecOptions; 27 | BYTE BeingDebugged; 28 | BYTE BitField; 29 | }; 30 | T dummy01; 31 | }; 32 | T Mutant; 33 | T ImageBaseAddress; 34 | T Ldr; 35 | T ProcessParameters; 36 | T SubSystemData; 37 | T ProcessHeap; 38 | T FastPebLock; 39 | T AtlThunkSListPtr; 40 | T IFEOKey; 41 | T CrossProcessFlags; 42 | T UserSharedInfoPtr; 43 | DWORD SystemReserved; 44 | DWORD AtlThunkSListPtr32; 45 | T ApiSetMap; 46 | T TlsExpansionCounter; 47 | T TlsBitmap; 48 | DWORD TlsBitmapBits[2]; 49 | T ReadOnlySharedMemoryBase; 50 | T HotpatchInformation; 51 | T ReadOnlyStaticServerData; 52 | T AnsiCodePageData; 53 | T OemCodePageData; 54 | T UnicodeCaseTableData; 55 | DWORD NumberOfProcessors; 56 | union 57 | { 58 | DWORD NtGlobalFlag; 59 | NGF dummy02; 60 | }; 61 | LARGE_INTEGER CriticalSectionTimeout; 62 | T HeapSegmentReserve; 63 | T HeapSegmentCommit; 64 | T HeapDeCommitTotalFreeThreshold; 65 | T HeapDeCommitFreeBlockThreshold; 66 | DWORD NumberOfHeaps; 67 | DWORD MaximumNumberOfHeaps; 68 | T ProcessHeaps; 69 | T GdiSharedHandleTable; 70 | T ProcessStarterHelper; 71 | T GdiDCAttributeList; 72 | T LoaderLock; 73 | DWORD OSMajorVersion; 74 | DWORD OSMinorVersion; 75 | WORD OSBuildNumber; 76 | WORD OSCSDVersion; 77 | DWORD OSPlatformId; 78 | DWORD ImageSubsystem; 79 | DWORD ImageSubsystemMajorVersion; 80 | T ImageSubsystemMinorVersion; 81 | T ActiveProcessAffinityMask; 82 | T GdiHandleBuffer[A]; 83 | T PostProcessInitRoutine; 84 | T TlsExpansionBitmap; 85 | DWORD TlsExpansionBitmapBits[32]; 86 | T SessionId; 87 | ULARGE_INTEGER AppCompatFlags; 88 | ULARGE_INTEGER AppCompatFlagsUser; 89 | T pShimData; 90 | T AppCompatInfo; 91 | _UNICODE_STRING_T CSDVersion; 92 | T ActivationContextData; 93 | T ProcessAssemblyStorageMap; 94 | T SystemDefaultActivationContextData; 95 | T SystemAssemblyStorageMap; 96 | T MinimumStackCommit; 97 | T FlsCallback; 98 | _LIST_ENTRY_T FlsListHead; 99 | T FlsBitmap; 100 | DWORD FlsBitmapBits[4]; 101 | T FlsHighIndex; 102 | T WerRegistrationData; 103 | T WerShipAssertPtr; 104 | T pContextData; 105 | T pImageHeaderHash; 106 | T TracingFlags; 107 | T CsrServerReadOnlySharedMemoryBase; 108 | }; 109 | 110 | typedef _PEB_T _PEB32; 111 | typedef _PEB_T _PEB64; 112 | 113 | typedef struct _STRING_32 114 | { 115 | WORD Length; 116 | WORD MaximumLength; 117 | UINT32 Buffer; 118 | } STRING32, * PSTRING32; 119 | 120 | typedef struct _STRING_64 121 | { 122 | WORD Length; 123 | WORD MaximumLength; 124 | UINT64 Buffer; 125 | } STRING64, * PSTRING64; 126 | 127 | typedef struct _RTL_DRIVE_LETTER_CURDIR_32 128 | { 129 | WORD Flags; 130 | WORD Length; 131 | ULONG TimeStamp; 132 | STRING32 DosPath; 133 | } RTL_DRIVE_LETTER_CURDIR32, * PRTL_DRIVE_LETTER_CURDIR32; 134 | 135 | typedef struct _RTL_DRIVE_LETTER_CURDIR_64 136 | { 137 | WORD Flags; 138 | WORD Length; 139 | ULONG TimeStamp; 140 | STRING64 DosPath; 141 | } RTL_DRIVE_LETTER_CURDIR64, * PRTL_DRIVE_LETTER_CURDIR64; 142 | 143 | typedef struct _UNICODE_STRING_32 144 | { 145 | WORD Length; 146 | WORD MaximumLength; 147 | UINT32 Buffer; 148 | } UNICODE_STRING32, * PUNICODE_STRING32; 149 | 150 | typedef struct _UNICODE_STRING_64 151 | { 152 | WORD Length; 153 | WORD MaximumLength; 154 | UINT64 Buffer; 155 | } UNICODE_STRING64, * PUNICODE_STRING64; 156 | 157 | 158 | typedef struct _CURDIR_32 159 | { 160 | UNICODE_STRING32 DosPath; 161 | UINT32 Handle; 162 | } CURDIR32, * PCURDIR32; 163 | 164 | typedef struct _RTL_USER_PROCESS_PARAMETERS_32 165 | { 166 | ULONG MaximumLength; 167 | ULONG Length; 168 | ULONG Flags; 169 | ULONG DebugFlags; 170 | UINT32 ConsoleHandle; 171 | ULONG ConsoleFlags; 172 | UINT32 StandardInput; 173 | UINT32 StandardOutput; 174 | UINT32 StandardError; 175 | CURDIR32 CurrentDirectory; 176 | UNICODE_STRING32 DllPath; 177 | UNICODE_STRING32 ImagePathName; 178 | UNICODE_STRING32 CommandLine; 179 | UINT32 Environment; 180 | ULONG StartingX; 181 | ULONG StartingY; 182 | ULONG CountX; 183 | ULONG CountY; 184 | ULONG CountCharsX; 185 | ULONG CountCharsY; 186 | ULONG FillAttribute; 187 | ULONG WindowFlags; 188 | ULONG ShowWindowFlags; 189 | UNICODE_STRING32 WindowTitle; 190 | UNICODE_STRING32 DesktopInfo; 191 | UNICODE_STRING32 ShellInfo; 192 | UNICODE_STRING32 RuntimeData; 193 | RTL_DRIVE_LETTER_CURDIR32 CurrentDirectores[32]; 194 | ULONG EnvironmentSize; 195 | } RTL_USER_PROCESS_PARAMETERS32, * PRTL_USER_PROCESS_PARAMETERS32; 196 | 197 | 198 | typedef struct _CURDIR_64 199 | { 200 | UNICODE_STRING64 DosPath; 201 | UINT64 Handle; 202 | } CURDIR64, * PCURDIR64; 203 | 204 | typedef struct _RTL_USER_PROCESS_PARAMETERS_64 205 | { 206 | ULONG MaximumLength; 207 | ULONG Length; 208 | ULONG Flags; 209 | ULONG DebugFlags; 210 | UINT64 ConsoleHandle; 211 | ULONG ConsoleFlags; 212 | UINT64 StandardInput; 213 | UINT64 StandardOutput; 214 | UINT64 StandardError; 215 | CURDIR64 CurrentDirectory; 216 | UNICODE_STRING64 DllPath; 217 | UNICODE_STRING64 ImagePathName; 218 | UNICODE_STRING64 CommandLine; 219 | UINT64 Environment; 220 | ULONG StartingX; 221 | ULONG StartingY; 222 | ULONG CountX; 223 | ULONG CountY; 224 | ULONG CountCharsX; 225 | ULONG CountCharsY; 226 | ULONG FillAttribute; 227 | ULONG WindowFlags; 228 | ULONG ShowWindowFlags; 229 | UNICODE_STRING64 WindowTitle; 230 | UNICODE_STRING64 DesktopInfo; 231 | UNICODE_STRING64 ShellInfo; 232 | UNICODE_STRING64 RuntimeData; 233 | RTL_DRIVE_LETTER_CURDIR64 CurrentDirectores[32]; 234 | ULONG EnvironmentSize; 235 | } RTL_USER_PROCESS_PARAMETERS64, * PRTL_USER_PROCESS_PARAMETERS64; 236 | 237 | 238 | 239 | typedef struct _PROCESS_BASIC_INFORMATION64 { 240 | NTSTATUS ExitStatus; 241 | UINT32 Reserved0; 242 | UINT64 PebBaseAddress; 243 | UINT64 AffinityMask; 244 | UINT32 BasePriority; 245 | UINT32 Reserved1; 246 | UINT64 UniqueProcessId; 247 | UINT64 InheritedFromUniqueProcessId; 248 | } PROCESS_BASIC_INFORMATION64; 249 | 250 | typedef struct _PROCESS_BASIC_INFORMATION32 { 251 | NTSTATUS ExitStatus; 252 | UINT32 PebBaseAddress; 253 | UINT32 AffinityMask; 254 | UINT32 BasePriority; 255 | UINT32 UniqueProcessId; 256 | UINT32 InheritedFromUniqueProcessId; 257 | } PROCESS_BASIC_INFORMATION32; 258 | 259 | typedef enum _PROCESSINFOCLASS { 260 | ProcessBasicInformation = 0, 261 | ProcessDebugPort = 7, 262 | ProcessWow64Information = 26, 263 | ProcessImageFileName = 27, 264 | ProcessBreakOnTermination = 29 265 | } PROCESSINFOCLASS; -------------------------------------------------------------------------------- /ModExMap/shellcode.h: -------------------------------------------------------------------------------- 1 | unsigned char shellcode64[506] = { 2 | 0x48, 0x85, 0xC9, 0x0F, 0x84, 0xF0, 0x01, 0x00, 0x00, 0x56, 0x48, 0x83, 3 | 0xEC, 0x50, 0x48, 0x8B, 0x01, 0x4C, 0x8B, 0xD9, 0x48, 0x89, 0x5C, 0x24, 4 | 0x70, 0x48, 0x8B, 0xF1, 0x48, 0x89, 0x7C, 0x24, 0x40, 0x4C, 0x89, 0x64, 5 | 0x24, 0x38, 0x4C, 0x63, 0x61, 0x3C, 0x4C, 0x89, 0x6C, 0x24, 0x30, 0x4C, 6 | 0x03, 0xE1, 0x4C, 0x89, 0x7C, 0x24, 0x20, 0x4C, 0x8B, 0x79, 0x08, 0x48, 7 | 0x89, 0x44, 0x24, 0x60, 0x45, 0x8B, 0x6C, 0x24, 0x28, 0x4C, 0x03, 0xE9, 8 | 0x4C, 0x89, 0x6C, 0x24, 0x68, 0x4D, 0x2B, 0x5C, 0x24, 0x30, 0x0F, 0x84, 9 | 0x91, 0x00, 0x00, 0x00, 0x41, 0x83, 0xBC, 0x24, 0xB4, 0x00, 0x00, 0x00, 10 | 0x00, 0x0F, 0x84, 0x74, 0x01, 0x00, 0x00, 0x45, 0x8B, 0x8C, 0x24, 0xB0, 11 | 0x00, 0x00, 0x00, 0x4C, 0x03, 0xC9, 0x41, 0x83, 0x39, 0x00, 0x74, 0x71, 12 | 0xBB, 0x00, 0xF0, 0x00, 0x00, 0xBF, 0x00, 0xA0, 0x00, 0x00, 0x0F, 0x1F, 13 | 0x40, 0x00, 0x66, 0x66, 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 14 | 0x41, 0x8B, 0x49, 0x04, 0x4D, 0x8D, 0x41, 0x08, 0x48, 0x8D, 0x41, 0xF8, 15 | 0x48, 0xD1, 0xE8, 0x85, 0xC0, 0x74, 0x3B, 0x44, 0x8B, 0xD0, 0x66, 0x66, 16 | 0x0F, 0x1F, 0x84, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x0F, 0xB7, 0x10, 17 | 0x0F, 0xB7, 0xC2, 0x66, 0x23, 0xC3, 0x66, 0x3B, 0xC7, 0x75, 0x11, 0x41, 18 | 0x8B, 0x09, 0x81, 0xE2, 0xFF, 0x0F, 0x00, 0x00, 0x48, 0x8D, 0x04, 0x16, 19 | 0x4C, 0x01, 0x1C, 0x01, 0x49, 0x83, 0xC0, 0x02, 0x49, 0x83, 0xEA, 0x01, 20 | 0x75, 0xD6, 0x41, 0x8B, 0x49, 0x04, 0x8B, 0xC1, 0x4C, 0x03, 0xC8, 0x41, 21 | 0x83, 0x39, 0x00, 0x75, 0xA7, 0x41, 0x83, 0xBC, 0x24, 0x94, 0x00, 0x00, 22 | 0x00, 0x00, 0x0F, 0x84, 0x98, 0x00, 0x00, 0x00, 0x4C, 0x89, 0x74, 0x24, 23 | 0x28, 0x45, 0x8B, 0xB4, 0x24, 0x90, 0x00, 0x00, 0x00, 0x4C, 0x03, 0xF6, 24 | 0x41, 0x8B, 0x46, 0x0C, 0x85, 0xC0, 0x74, 0x7B, 0x4C, 0x8B, 0x6C, 0x24, 25 | 0x60, 0x48, 0x89, 0x6C, 0x24, 0x48, 0x66, 0x0F, 0x1F, 0x44, 0x00, 0x00, 26 | 0x8B, 0xC8, 0x48, 0x03, 0xCE, 0x41, 0xFF, 0xD5, 0x45, 0x8B, 0x06, 0x48, 27 | 0x8B, 0xE8, 0x41, 0x8B, 0x56, 0x10, 0x49, 0x8D, 0x0C, 0x30, 0x48, 0x85, 28 | 0xC9, 0x48, 0x8D, 0x3C, 0x32, 0x41, 0x0F, 0x45, 0xD0, 0x48, 0x8B, 0x0C, 29 | 0x32, 0x48, 0x8D, 0x1C, 0x32, 0x48, 0x85, 0xC9, 0x74, 0x27, 0x79, 0x05, 30 | 0x0F, 0xB7, 0xD1, 0xEB, 0x07, 0x48, 0x8D, 0x56, 0x02, 0x48, 0x03, 0xD1, 31 | 0x48, 0x8B, 0xCD, 0x41, 0xFF, 0xD7, 0x48, 0x83, 0xC3, 0x08, 0x48, 0x89, 32 | 0x07, 0x48, 0x83, 0xC7, 0x08, 0x48, 0x8B, 0x0B, 0x48, 0x85, 0xC9, 0x75, 33 | 0xD9, 0x41, 0x8B, 0x46, 0x20, 0x49, 0x83, 0xC6, 0x14, 0x85, 0xC0, 0x75, 34 | 0x9F, 0x4C, 0x8B, 0x6C, 0x24, 0x68, 0x48, 0x8B, 0x6C, 0x24, 0x48, 0x4C, 35 | 0x8B, 0x74, 0x24, 0x28, 0x41, 0x83, 0xBC, 0x24, 0xD4, 0x00, 0x00, 0x00, 36 | 0x00, 0x74, 0x2F, 0x41, 0x8B, 0x84, 0x24, 0xD0, 0x00, 0x00, 0x00, 0x48, 37 | 0x8B, 0x5C, 0x30, 0x18, 0x48, 0x85, 0xDB, 0x74, 0x1D, 0x0F, 0x1F, 0x00, 38 | 0x48, 0x8B, 0x03, 0x48, 0x85, 0xC0, 0x74, 0x12, 0x45, 0x33, 0xC0, 0x48, 39 | 0x8B, 0xCE, 0x41, 0x8D, 0x50, 0x01, 0xFF, 0xD0, 0x48, 0x83, 0xC3, 0x08, 40 | 0x75, 0xE6, 0x45, 0x33, 0xC0, 0x48, 0x8B, 0xCE, 0x41, 0x8D, 0x50, 0x01, 41 | 0x41, 0xFF, 0xD5, 0x48, 0x89, 0x76, 0x10, 0x4C, 0x8B, 0x6C, 0x24, 0x30, 42 | 0x4C, 0x8B, 0x64, 0x24, 0x38, 0x48, 0x8B, 0x7C, 0x24, 0x40, 0x48, 0x8B, 43 | 0x5C, 0x24, 0x70, 0x4C, 0x8B, 0x7C, 0x24, 0x20, 0x48, 0x83, 0xC4, 0x50, 44 | 0x5E, 0xC3 45 | }; 46 | const static unsigned char shellcode32[328] = { 47 | 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x14, 0x57, 0x8B, 0x7D, 0x08, 0x85, 0xFF, 48 | 0x0F, 0x84, 0x2F, 0x01, 0x00, 0x00, 0x8B, 0x4F, 0x3C, 0x8B, 0x47, 0x04, 49 | 0x03, 0xCF, 0x8B, 0x17, 0x89, 0x45, 0xFC, 0x53, 0x8B, 0x41, 0x28, 0x03, 50 | 0xC7, 0x89, 0x4D, 0xF0, 0x89, 0x45, 0xEC, 0x8B, 0xC7, 0x2B, 0x41, 0x34, 51 | 0x56, 0x89, 0x55, 0xF4, 0x89, 0x45, 0x08, 0x74, 0x60, 0x83, 0xB9, 0xA4, 52 | 0x00, 0x00, 0x00, 0x00, 0x0F, 0x84, 0xF9, 0x00, 0x00, 0x00, 0x8B, 0xB1, 53 | 0xA0, 0x00, 0x00, 0x00, 0x03, 0xF7, 0x83, 0x3E, 0x00, 0x74, 0x46, 0x8B, 54 | 0x46, 0x04, 0x8D, 0x56, 0x08, 0x8D, 0x58, 0xF8, 0xD1, 0xEB, 0x74, 0x2C, 55 | 0x0F, 0xB7, 0x02, 0x8B, 0xC8, 0x81, 0xE1, 0x00, 0xF0, 0x00, 0x00, 0x81, 56 | 0xF9, 0x00, 0x30, 0x00, 0x00, 0x75, 0x0E, 0x8B, 0x4D, 0x08, 0x25, 0xFF, 57 | 0x0F, 0x00, 0x00, 0x03, 0xC7, 0x03, 0x06, 0x01, 0x08, 0x83, 0xC2, 0x02, 58 | 0x83, 0xEB, 0x01, 0x75, 0xD7, 0x8B, 0x46, 0x04, 0x03, 0xF0, 0x83, 0x3E, 59 | 0x00, 0x75, 0xC0, 0x8B, 0x4D, 0xF0, 0x8B, 0x55, 0xF4, 0x83, 0xB9, 0x84, 60 | 0x00, 0x00, 0x00, 0x00, 0x74, 0x69, 0x8B, 0x99, 0x80, 0x00, 0x00, 0x00, 61 | 0x03, 0xDF, 0x89, 0x5D, 0xF8, 0x8B, 0x43, 0x0C, 0x85, 0xC0, 0x74, 0x57, 62 | 0x03, 0xC7, 0x50, 0xFF, 0xD2, 0x8B, 0x13, 0x8B, 0x73, 0x10, 0x89, 0x45, 63 | 0x08, 0x8D, 0x0C, 0x3A, 0x85, 0xC9, 0x8D, 0x1C, 0x3E, 0x0F, 0x45, 0xF2, 64 | 0x03, 0xF7, 0x8B, 0x06, 0x85, 0xC0, 0x74, 0x21, 0x79, 0x05, 0x0F, 0xB7, 65 | 0xC0, 0xEB, 0x05, 0x83, 0xC0, 0x02, 0x03, 0xC7, 0x50, 0xFF, 0x75, 0x08, 66 | 0xFF, 0x55, 0xFC, 0x83, 0xC6, 0x04, 0x89, 0x03, 0x83, 0xC3, 0x04, 0x8B, 67 | 0x06, 0x85, 0xC0, 0x75, 0xDF, 0x8B, 0x5D, 0xF8, 0x8B, 0x55, 0xF4, 0x83, 68 | 0xC3, 0x14, 0x89, 0x5D, 0xF8, 0x8B, 0x43, 0x0C, 0x85, 0xC0, 0x75, 0xAC, 69 | 0x8B, 0x4D, 0xF0, 0x83, 0xB9, 0xC4, 0x00, 0x00, 0x00, 0x00, 0x74, 0x20, 70 | 0x8B, 0x81, 0xC0, 0x00, 0x00, 0x00, 0x8B, 0x74, 0x38, 0x0C, 0x85, 0xF6, 71 | 0x74, 0x12, 0x8B, 0x06, 0x85, 0xC0, 0x74, 0x0C, 0x6A, 0x00, 0x6A, 0x01, 72 | 0x57, 0xFF, 0xD0, 0x83, 0xC6, 0x04, 0x75, 0xEE, 0x6A, 0x00, 0x6A, 0x01, 73 | 0x57, 0xFF, 0x55, 0xEC, 0x89, 0x7F, 0x08, 0x5E, 0x5B, 0x5F, 0x8B, 0xE5, 74 | 0x5D, 0xC2, 0x04, 0x00 75 | }; 76 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ModExMap 2 | Project inspired by https://github.com/btbd/modmap 3 | 4 | x64 Dll manual mapper that can map 64 aswell as 32bit dlls into other processes. 5 | It iterates all modules and checks if your dll fits between them. If thats the case the module is modified and the dll mapped in between 6 | --------------------------------------------------------------------------------