#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
#include "ReflectiveDLLInjection.h"
#include "ReflectiveTransformer.h"
#include "ReflectiveUnloader.h"
// https://support.microsoft.com/en-us/help/94248/how-to-use-the-c-run-time
// CRT initialisation routine; this file's DllMain calls it directly for every
// reason code except DLL_QUERY_HMODULE (see DllMain below).
BOOL WINAPI _CRT_INIT(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved);
// Prototype only: the loader is defined elsewhere in the project. DLLEXPORT is
// not defined in this file; it comes from one of the included headers.
DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader(VOID);
// Module handle recorded on the first DLL_PROCESS_ATTACH in DllMain and handed
// back through *lpReserved when DllMain is invoked with DLL_QUERY_HMODULE.
HMODULE g_hModule = NULL;
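/*
 * Write dwSize bytes starting at pBaseAddress to the file named by pFile.
 *
 * The file is opened with CREATE_ALWAYS, so an existing file at pFile is
 * truncated and replaced. Returns TRUE only when every byte was written and
 * the handle closed cleanly; FALSE when the size does not fit WriteFile's
 * DWORD length, the file could not be created, the write failed or was
 * short, or CloseHandle failed. Callers that ignore the return value keep
 * working exactly as before. No diagnostic is shown for an open failure.
 */
static BOOL DumpPEImage(LPTSTR pFile, PVOID pBaseAddress, SIZE_T dwSize) {
    HANDLE hFile;
    DWORD dwNumberOfBytesWritten = 0;
    BOOL bOk = FALSE;

#ifdef _WIN64
    // WriteFile takes a DWORD length; refuse rather than silently truncating
    // the image through the (DWORD) cast below.
    if (dwSize > MAXDWORD) {
        return FALSE;
    }
#endif
    hFile = CreateFile(pFile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        return FALSE;
    }
    // A short write leaves a partial image on disk, so it is treated as a
    // failure just like a failed call.
    if (WriteFile(hFile, pBaseAddress, (DWORD)dwSize, &dwNumberOfBytesWritten, NULL) &&
        dwNumberOfBytesWritten == (DWORD)dwSize) {
        bOk = TRUE;
    }
    // Never report success for a handle that did not close cleanly.
    if (!CloseHandle(hFile)) {
        bOk = FALSE;
    }
    return bOk;
}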
/*
 * Turn the unloaded image at pDosHeader into a DLL whose entry point is the
 * "DllMain" export and write the result to
 * %USERPROFILE%\Desktop\ReflectivePolymorphism.<x64|x86>.dll via DumpPEImage.
 *
 * Every failure (path expansion, missing export, transformer error) is shown
 * in a MessageBox and the function returns without writing anything.
 * NOTE(review): the transformer receives the same pointer that is dumped
 * afterwards, so it presumably rewrites the buffer in place — confirm in
 * ReflectiveTransformer. The output lands at a fixed, predictable path on
 * the user's Desktop.
 */
static VOID DumpDLLImage(PDOS_HEADER pDosHeader, SIZE_T dwSize) {
#if defined(_WIN64)
    LPCTSTR szPathTemplate = _T("%USERPROFILE%\\Desktop\\ReflectivePolymorphism.x64.dll");
#elif defined(_WIN32)
    LPCTSTR szPathTemplate = _T("%USERPROFILE%\\Desktop\\ReflectivePolymorphism.x86.dll");
#endif
    TCHAR ctDllPath[MAX_PATH + 1] = { 0 };
    DWORD dwChars = ExpandEnvironmentStrings(szPathTemplate, ctDllPath, MAX_PATH + 1);
    DWORD dwEntryRVA = 0;

    // 0 means the call failed; a count larger than the buffer means the
    // expanded path was truncated and would name the wrong file.
    if (dwChars == 0 || dwChars > MAX_PATH + 1) {
        MessageBox(NULL, _T("Could not get the file path for writing."), _T("Failed"), MB_OK);
        return;
    }

    dwEntryRVA = RVAFromExportName(pDosHeader, "DllMain");
    if (dwEntryRVA == 0) {
        MessageBox(NULL, _T("Failed to find the RVA of the DllMain export."), _T("Failed"), MB_OK);
        return;
    }

    if (!ReflectiveTransformerToDLL(pDosHeader, dwEntryRVA)) {
        MessageBox(NULL, _T("Failed to transform the file."), _T("Failed"), MB_OK);
        return;
    }

    DumpPEImage(ctDllPath, pDosHeader, dwSize);
}
/*
 * Turn the unloaded image at pDosHeader into an EXE whose entry point is the
 * "ExeMain" export and write the result to
 * %USERPROFILE%\Desktop\ReflectivePolymorphism.<x64|x86>.exe via DumpPEImage.
 *
 * Every failure (path expansion, missing export, transformer error) is shown
 * in a MessageBox and the function returns without writing anything.
 * NOTE(review): the transformer receives the same pointer that is dumped
 * afterwards, so it presumably rewrites the buffer in place — confirm in
 * ReflectiveTransformer. The output lands at a fixed, predictable path on
 * the user's Desktop.
 */
static VOID DumpEXEImage(PDOS_HEADER pDosHeader, SIZE_T dwSize) {
#if defined(_WIN64)
    LPCTSTR szPathTemplate = _T("%USERPROFILE%\\Desktop\\ReflectivePolymorphism.x64.exe");
#elif defined(_WIN32)
    LPCTSTR szPathTemplate = _T("%USERPROFILE%\\Desktop\\ReflectivePolymorphism.x86.exe");
#endif
    TCHAR ctExePath[MAX_PATH + 1] = { 0 };
    DWORD dwChars = ExpandEnvironmentStrings(szPathTemplate, ctExePath, MAX_PATH + 1);
    DWORD dwEntryRVA = 0;

    // 0 means the call failed; a count larger than the buffer means the
    // expanded path was truncated and would name the wrong file.
    if (dwChars == 0 || dwChars > MAX_PATH + 1) {
        MessageBox(NULL, _T("Could not get the file path for writing."), _T("Failed"), MB_OK);
        return;
    }

    dwEntryRVA = RVAFromExportName(pDosHeader, "ExeMain");
    if (dwEntryRVA == 0) {
        MessageBox(NULL, _T("Failed to find the RVA of the ExeMain export."), _T("Failed"), MB_OK);
        return;
    }

    if (!ReflectiveTransformerToEXE(pDosHeader, dwEntryRVA)) {
        MessageBox(NULL, _T("Failed to transform the file."), _T("Failed"), MB_OK);
        return;
    }

    DumpPEImage(ctExePath, pDosHeader, dwSize);
}
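/*
 * Demo driver: unload this module's image, dump it as a DLL and then as an
 * EXE (both against the same buffer, in that order), and release the copy.
 *
 * lpParam is the module's HINSTANCE (DllMain passes hInstDll, ExeMain passes
 * GetModuleHandle(NULL)). The signature now matches LPTHREAD_START_ROUTINE,
 * DWORD WINAPI (LPVOID): DllMain hands this function to CreateThread, and
 * the previous VOID(HINSTANCE) form cast to a thread-start routine is a
 * calling-convention mismatch on 32-bit builds, where WINAPI is __stdcall
 * and the callee is expected to clean the stack. Both existing call sites
 * keep working unchanged.
 * Returns 0 on success and 1 when the unload fails; when run via CreateThread
 * this becomes the thread's exit code.
 */
static DWORD WINAPI ProofOfConcept(LPVOID lpParam) {
    HINSTANCE hInstance = (HINSTANCE)lpParam;
    PDOS_HEADER pDosHeader = NULL;
    SIZE_T dwSize = 0;

    MessageBox(NULL, _T("Select OK to proceed."), _T("Waiting"), MB_OK);
    pDosHeader = ReflectiveUnloader(hInstance, &dwSize);
    if (!pDosHeader) {
        MessageBox(NULL, _T("Unload failed."), _T("Failed"), MB_OK);
        return 1;
    }
    DumpDLLImage(pDosHeader, dwSize);
    DumpEXEImage(pDosHeader, dwSize);
    ReflectiveUnloaderFree(pDosHeader, dwSize);
    return 0;
}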
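/*
 * DLL entry point with two roles:
 *  - DLL_QUERY_HMODULE (not one of the standard DLL_* reason codes; it is
 *    defined outside this file): hand back the module handle recorded at
 *    attach time through *lpReserved. _CRT_INIT is skipped on this path.
 *  - any other reason: run _CRT_INIT, and on the first DLL_PROCESS_ATTACH
 *    record hInstDll in g_hModule and run ProofOfConcept on a new thread so
 *    that DllMain itself returns promptly.
 * Returns FALSE only when _CRT_INIT fails.
 */
BOOL WINAPI DllMain(HINSTANCE hInstDll, DWORD dwReason, LPVOID lpReserved) {
#pragma comment(linker, "/EXPORT:"__FUNCTION__"="__FUNCDNAME__)
    if (dwReason == DLL_QUERY_HMODULE) {
        if (lpReserved) {
            *(HMODULE *)lpReserved = g_hModule;
        }
        return TRUE;
    }

    if (!_CRT_INIT(hInstDll, dwReason, lpReserved)) {
        return FALSE;
    }

    if ((dwReason == DLL_PROCESS_ATTACH) && (!g_hModule)) {
        HANDLE hThread;
        g_hModule = hInstDll;
        // start a new thread so DllMain returns
        hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ProofOfConcept, hInstDll, 0, NULL);
        // The thread is never waited on, so release our handle now; otherwise
        // the thread object outlives the thread for the rest of the process.
        if (hThread) {
            CloseHandle(hThread);
        }
    }
    return TRUE;
}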
/*
 * Entry point for the EXE form of the image: this is the "ExeMain" export
 * whose RVA DumpEXEImage hands to ReflectiveTransformerToEXE. argc and argv
 * are accepted but unused; the demo runs synchronously on the calling thread
 * against this module's own handle. Always returns 0.
 */
int WINAPI ExeMain(int argc, char **argv) {
#pragma comment(linker, "/EXPORT:"__FUNCTION__"="__FUNCDNAME__)
    HMODULE hSelf = GetModuleHandle(NULL);
    (void)argc;
    (void)argv;
    ProofOfConcept(hSelf);
    return 0;
}