_xeroxz
/
nozzle
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added an injector example

Browse Source
master
xerox 4 years ago
parent 013810cd30
commit 60d7e92eec
6 changed files with 305 additions and 134 deletions
Show Stats Download Patch File Download Diff File

2
example/dllmain.cpp
Unescape View File

@ -3,5 +3,7 @@
void main(pimage_data this_image) void main(pimage_data this_image)
{ {
MessageBoxA(NULL, "Hello World!", "INFO", NULL); MessageBoxA(NULL, "Hello World!", "INFO", NULL);
// only use this inside of main...
ZERO_DLL(this_image->image_base, this_image->image_size); ZERO_DLL(this_image->image_base, this_image->image_size);
} }

151
injector/injector.vcxproj
Unescape View File

@ -0,0 +1,151 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<Keyword>Win32Proj</Keyword>
<ProjectGuid>{50e65491-59af-43f8-a045-e66ae0676298}</ProjectGuid>
<RootNamespace>injector</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<LanguageStandard>stdcpp17</LanguageStandard>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="main.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="nozzle.hpp" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

23
injector/injector.vcxproj.filters
Unescape View File

@ -0,0 +1,23 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<Filter Include="Source Files">
<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
<Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
</Filter>
<Filter Include="Header Files">
<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="main.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="nozzle.hpp">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
</Project>

4
injector/injector.vcxproj.user
Unescape View File

@ -0,0 +1,4 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>

12
injector/main.cpp
Unescape View File

@ -0,0 +1,12 @@
#include <stdio.h>
#include "nozzle.hpp"
int main()
{
nozzle::injector injector("example.dll", nozzle::util::get_pid(L"notepad.exe"));
const auto module_base = injector.inject();
const auto thread_handle = injector.call_entry();
std::printf("[+] module base => 0x%p, thread handle => 0x%x\n", module_base, thread_handle);
std::getchar();
}

247
nozzle.hpp → injector/nozzle.hpp
Unescape View File

@ -34,117 +34,109 @@
#include <cassert> #include <cassert>
#include <DbgHelp.h> #include <DbgHelp.h>
#include <functional> #include <functional>
#pragma comment(lib, "Dbghelp.lib") #pragma comment(lib, "Dbghelp.lib")
#define FIND_NT_HEADER(x) reinterpret_cast<PIMAGE_NT_HEADERS>( uint64_t(x) + reinterpret_cast<PIMAGE_DOS_HEADER>(x)->e_lfanew )
#define RET_CHK(x)\ namespace nozzle
if (!x)\
{\
LOG_LAST_ERROR();\
return false;\
}\
//
// coded by paracord.
// see: https://github.com/haram/splendid_implanter/blob/master/splendid_implanter/win_utils.hpp
//
namespace util
{ {
using uq_handle = std::unique_ptr<void, decltype(&CloseHandle)>; //
inline void open_binary_file(const std::string& file, std::vector<uint8_t>& data) // coded by paracord.
// see: https://github.com/haram/splendid_implanter/blob/master/splendid_implanter/win_utils.hpp
//
namespace util
{ {
std::ifstream fstr(file, std::ios::binary); using uq_handle = std::unique_ptr<void, decltype(&CloseHandle)>;
fstr.unsetf(std::ios::skipws); inline void open_binary_file(const std::string& file, std::vector<uint8_t>& data)
fstr.seekg(0, std::ios::end); {
std::ifstream fstr(file, std::ios::binary);
const auto file_size = fstr.tellg(); fstr.unsetf(std::ios::skipws);
fstr.seekg(0, std::ios::end);
fstr.seekg(NULL, std::ios::beg); const auto file_size = fstr.tellg();
data.reserve(static_cast<uint32_t>(file_size));
data.insert(data.begin(), std::istream_iterator<uint8_t>(fstr), std::istream_iterator<uint8_t>());
}
inline uint32_t get_process_id(const std::wstring_view process_name) fstr.seekg(NULL, std::ios::beg);
{ data.reserve(static_cast<uint32_t>(file_size));
// open a system snapshot of all loaded processes data.insert(data.begin(), std::istream_iterator<uint8_t>(fstr), std::istream_iterator<uint8_t>());
uq_handle snap_shot{ CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0), &CloseHandle }; }
if (snap_shot.get() == INVALID_HANDLE_VALUE)
return NULL;
PROCESSENTRY32W process_entry{ sizeof(PROCESSENTRY32W) }; inline uint32_t get_pid(const std::wstring_view process_name)
{
// open a system snapshot of all loaded processes
uq_handle snap_shot{ CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0), &CloseHandle };
// enumerate through processes if (snap_shot.get() == INVALID_HANDLE_VALUE)
for (Process32FirstW(snap_shot.get(), &process_entry); Process32NextW(snap_shot.get(), &process_entry); ) return NULL;
if (std::wcscmp(process_name.data(), process_entry.szExeFile) == NULL)
return process_entry.th32ProcessID;
return NULL; PROCESSENTRY32W process_entry{ sizeof(PROCESSENTRY32W) };
}
inline std::pair<void*, std::wstring> get_module_data(HANDLE process_handle, const std::wstring_view module_name) // enumerate through processes
{ for (Process32FirstW(snap_shot.get(), &process_entry); Process32NextW(snap_shot.get(), &process_entry); )
auto loaded_modules = std::make_unique<HMODULE[]>(64); if (std::wcscmp(process_name.data(), process_entry.szExeFile) == NULL)
DWORD loaded_module_sz = 0; return process_entry.th32ProcessID;
// enumerate all modules by handle, using size of 512 since the required size is in bytes, and an HMODULE is 8 bytes large. return NULL;
if (!EnumProcessModules(process_handle, loaded_modules.get(), 512, &loaded_module_sz)) }
return {};
for (auto i = 0u; i < loaded_module_sz / 8u; i++) inline std::pair<void*, std::wstring> get_module_data(HANDLE process_handle, const std::wstring_view module_name)
{ {
wchar_t file_name[MAX_PATH] = L""; auto loaded_modules = std::make_unique<HMODULE[]>(64);
DWORD loaded_module_sz = 0;
// get the full working path for the current module // enumerate all modules by handle, using size of 512 since the required size is in bytes, and an HMODULE is 8 bytes large.
if (!GetModuleFileNameExW(process_handle, loaded_modules.get()[i], file_name, _countof(file_name))) if (!EnumProcessModules(process_handle, loaded_modules.get(), 512, &loaded_module_sz))
continue; return {};
// module name returned will be a full path, check only for file name sub string. for (auto i = 0u; i < loaded_module_sz / 8u; i++)
if (std::wcsstr(file_name, module_name.data()) != nullptr) {
return { loaded_modules.get()[i], file_name }; wchar_t file_name[MAX_PATH] = L"";
}
return {}; // get the full working path for the current module
} if (!GetModuleFileNameExW(process_handle, loaded_modules.get()[i], file_name, _countof(file_name)))
continue;
inline std::vector<uint8_t> get_file_data(const HANDLE file_handle, const std::wstring_view file_path) // module name returned will be a full path, check only for file name sub string.
{ if (std::wcsstr(file_name, module_name.data()) != nullptr)
const auto file_size = std::filesystem::file_size(file_path); return { loaded_modules.get()[i], file_name };
std::vector<uint8_t> file_bytes{}; }
file_bytes.resize(file_size);
DWORD bytes_read = 0;
if (!ReadFile(file_handle, file_bytes.data(), static_cast<DWORD>(file_size), &bytes_read, nullptr))
return {}; return {};
}
return file_bytes; inline std::vector<uint8_t> get_file_data(const HANDLE file_handle, const std::wstring_view file_path)
} {
const auto file_size = std::filesystem::file_size(file_path);
std::vector<uint8_t> file_bytes{};
file_bytes.resize(file_size);
inline bool enable_privilege(const std::wstring_view privilege_name) DWORD bytes_read = 0;
{ if (!ReadFile(file_handle, file_bytes.data(), static_cast<DWORD>(file_size), &bytes_read, nullptr))
HANDLE token_handle = nullptr; return {};
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token_handle))
return false;
LUID luid{}; return file_bytes;
if (!LookupPrivilegeValueW(nullptr, privilege_name.data(), &luid)) }
return false;
inline bool enable_privilege(const std::wstring_view privilege_name)
{
HANDLE token_handle = nullptr;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token_handle))
return false;
TOKEN_PRIVILEGES token_state{}; LUID luid{};
token_state.PrivilegeCount = 1; if (!LookupPrivilegeValueW(nullptr, privilege_name.data(), &luid))
token_state.Privileges[0].Luid = luid; return false;
token_state.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(token_handle, FALSE, &token_state, sizeof(TOKEN_PRIVILEGES), nullptr, nullptr)) TOKEN_PRIVILEGES token_state{};
return false; token_state.PrivilegeCount = 1;
token_state.Privileges[0].Luid = luid;
token_state.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
CloseHandle(token_handle); if (!AdjustTokenPrivileges(token_handle, FALSE, &token_state, sizeof(TOKEN_PRIVILEGES), nullptr, nullptr))
return true; return false;
CloseHandle(token_handle);
return true;
}
} }
}
namespace nozzle
{
// //
// class programmed by wlan // class programmed by wlan
// link: https://github.com/not-wlan/drvmap/blob/master/drvmap/drv_image.hpp // link: https://github.com/not-wlan/drvmap/blob/master/drvmap/drv_image.hpp
@ -223,47 +215,43 @@ namespace nozzle
bool pe_image::process_relocation(uintptr_t image_base_delta, uint16_t data, uint8_t* relocation_base) bool pe_image::process_relocation(uintptr_t image_base_delta, uint16_t data, uint8_t* relocation_base)
{ {
#define IMR_RELOFFSET(x) (x & 0xFFF) #define IMR_RELOFFSET(x) (x & 0xFFF)
switch (data >> 12 & 0xF) switch (data >> 12 & 0xF)
{ {
case IMAGE_REL_BASED_HIGH: case IMAGE_REL_BASED_HIGH:
{ {
const auto raw_address = reinterpret_cast<int16_t*>(relocation_base + IMR_RELOFFSET(data)); const auto raw_address = reinterpret_cast<int16_t*>(relocation_base + IMR_RELOFFSET(data));
*raw_address += static_cast<unsigned long>(HIWORD(image_base_delta)); *raw_address += static_cast<unsigned long>(HIWORD(image_base_delta));
break; break;
} }
case IMAGE_REL_BASED_LOW: case IMAGE_REL_BASED_LOW:
{ {
const auto raw_address = reinterpret_cast<int16_t*>(relocation_base + IMR_RELOFFSET(data)); const auto raw_address = reinterpret_cast<int16_t*>(relocation_base + IMR_RELOFFSET(data));
*raw_address += static_cast<unsigned long>(LOWORD(image_base_delta)); *raw_address += static_cast<unsigned long>(LOWORD(image_base_delta));
break; break;
} }
case IMAGE_REL_BASED_HIGHLOW: case IMAGE_REL_BASED_HIGHLOW:
{ {
const auto raw_address = reinterpret_cast<size_t*>(relocation_base + IMR_RELOFFSET(data)); const auto raw_address = reinterpret_cast<size_t*>(relocation_base + IMR_RELOFFSET(data));
*raw_address += static_cast<size_t>(image_base_delta); *raw_address += static_cast<size_t>(image_base_delta);
break; break;
} }
case IMAGE_REL_BASED_DIR64: case IMAGE_REL_BASED_DIR64:
{ {
auto UNALIGNED raw_address = reinterpret_cast<DWORD_PTR UNALIGNED*>(relocation_base + IMR_RELOFFSET(data)); auto UNALIGNED raw_address = reinterpret_cast<DWORD_PTR UNALIGNED*>(relocation_base + IMR_RELOFFSET(data));
*raw_address += image_base_delta; *raw_address += image_base_delta;
break; break;
} }
case IMAGE_REL_BASED_ABSOLUTE: // No action required case IMAGE_REL_BASED_ABSOLUTE: // No action required
case IMAGE_REL_BASED_HIGHADJ: // no action required case IMAGE_REL_BASED_HIGHADJ: // no action required
{ {
break; break;
} }
default: default:
{ {
throw std::runtime_error("gay relocation!"); return false;
return false; }
}
} }
#undef IMR_RELOFFSET #undef IMR_RELOFFSET
return true; return true;
} }
@ -345,11 +333,9 @@ namespace nozzle
class injector class injector
{ {
public: public:
injector()
{};
injector(void* pe_image, std::size_t size, unsigned pid); injector(void* pe_image, std::size_t size, unsigned pid);
injector(std::vector<std::uint8_t> image_buffer, unsigned pid); injector(std::vector<std::uint8_t> image_buffer, unsigned pid);
injector(char* path, unsigned pid); injector(const char* path, unsigned pid);
void* inject(); void* inject();
HANDLE call_entry(); HANDLE call_entry();
@ -394,7 +380,7 @@ namespace nozzle
target_handle(::OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid)) target_handle(::OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid))
{} {}
injector::injector(char* path, unsigned pid) injector::injector(const char* path, unsigned pid)
: :
target_pid(pid), target_pid(pid),
target_handle(::OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid)) target_handle(::OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid))
@ -420,13 +406,6 @@ namespace nozzle
// //
static const auto _get_module = [](std::string_view module_name) -> std::uintptr_t static const auto _get_module = [](std::string_view module_name) -> std::uintptr_t
{ {
assert(
!stricmp(module_name, "kernel32.dll") ||
!stricmp(module_name, "user32.dll") ||
!stricmp(module_name, "ntdll.dll"),
"import from dll %s is invalid, only globally mapped dlls can be resolved!",
module_name
);
return reinterpret_cast<std::uintptr_t>(LoadLibraryA(module_name.data())); return reinterpret_cast<std::uintptr_t>(LoadLibraryA(module_name.data()));
}; };
@ -504,7 +483,7 @@ namespace nozzle
void injector::set_target(std::wstring proc_name) void injector::set_target(std::wstring proc_name)
{ {
target_pid = util::get_process_id(proc_name); target_pid = util::get_pid(proc_name);
} }
void* injector::get_pe_image() const void* injector::get_pe_image() const
Write Preview
Loading…
Cancel
Save