Hello all thought my second post would be a code release.
Basicly will this little bit of code will allow you to run an executable via Remote threads.
Code i believe MAY already be public, It was given to me as a portfolio by a certain friend who wished to work on a project i was working on.
Unknown to him, I came across this code somewhere else before hand, So he was -Demoted- by the boss's hand
First file is the memory.cpp second is the main.cpp - Enjoy
Rex
#include <windows.h>
#include <tchar.h>
#include <detours.h>
#include <stdio.h>
#include <tchar.h>
#define NTSIGNATURE(ptr) ((LPVOID)((BYTE *)(ptr) + ((PIMAGE_DOS_HEADER)(ptr))->e_lfanew))
#define SIZE_OF_NT_SIGNATURE (sizeof(DWORD))
#define PEFHDROFFSET(ptr) ((LPVOID)((BYTE *)(ptr)+((PIMAGE_DOS_HEADER)(ptr))->e_lfanew+SIZE_OF_NT_SIGNATURE))
#define OPTHDROFFSET(ptr) ((LPVOID)((BYTE *)(ptr)+((PIMAGE_DOS_HEADER)(ptr))->e_lfanew+SIZE_OF_NT_SIGNATURE+sizeof(IMAGE_FILE_HEADER)))
#define SECHDROFFSET(ptr) ((LPVOID)((BYTE *)(ptr)+((PIMAGE_DOS_HEADER)(ptr))->e_lfanew+SIZE_OF_NT_SIGNATURE+sizeof(IMAGE_FILE_HEADER)+sizeof(IMAGE_OPTIONAL_HEADER)))
#define RVATOVA(base,offset) ((LPVOID)((DWORD)(base)+(DWORD)(offset)))
#define VATORVA(base,offset) ((LPVOID)((DWORD)(offset)-(DWORD)(base)))
typedef enum _SECTION_INHERIT {
ViewShare = 1,
ViewUnmap = 2
} SECTION_INHERIT;
typedef DWORD (WINAPI *PFN_NtMapViewOfSection)( HANDLE SectionHandle,
HANDLE ProcessHandle,
PVOID *BaseAddress,
ULONG ZeroBits,
ULONG CommitSize,
PLARGE_INTEGER SectionOffset,
PULONG ViewSize,
SECTION_INHERIT InheritDisposition,
ULONG AllocationType,
ULONG Protect
);
CRITICAL_SECTION _cs;
UINT _nInitCount = 0;
BOOL _fModified;
WORD _OriginalCharacteristics;
BYTE _abTrampolineNtMapViewOfSection[DETOUR_TRAMPOLINE_SIZE];
BYTE _abTrampolineDllMain[DETOUR_TRAMPOLINE_SIZE];
static BOOL APIENTRY PseudoDllMain( HMODULE hModule, DWORD dwReason, LPVOID lpReserved ){
if( dwReason == DLL_PROCESS_ATTACH )
::DisableThreadLibraryCalls( hModule );
return TRUE;
}
static BOOL SetImageCharacteristics( PVOID hModule, WORD dwAdded, WORD dwRemoved, WORD* OldCharacteristics ){
PIMAGE_FILE_HEADER pfh;
PIMAGE_OPTIONAL_HEADER poh;
pfh = (PIMAGE_FILE_HEADER)PEFHDROFFSET(hModule);
poh=(PIMAGE_OPTIONAL_HEADER) OPTHDROFFSET(hModule);
WORD newCharacteristics = pfh->Characteristics;
if( OldCharacteristics != NULL )
*OldCharacteristics = newCharacteristics;
newCharacteristics |= dwAdded;
newCharacteristics &= ~dwRemoved;
DWORD newProtect, oldProtect;
newProtect = PAGE_EXECUTE_WRITECOPY;
VirtualProtect(hModule,poh->SizeOfHeaders,newProtect,&oldProtect);
pfh->Characteristics = newCharacteristics;
VirtualProtect(hModule,poh->SizeOfHeaders,oldProtect,&newProtect);
return TRUE;
}
static DWORD WINAPI Mine_NtMapViewOfSection(
HANDLE SectionHandle,
HANDLE ProcessHandle,
PVOID *BaseAddress,
ULONG ZeroBits,
ULONG CommitSize,
PLARGE_INTEGER SectionOffset,
PULONG ViewSize,
SECTION_INHERIT InheritDisposition,
ULONG AllocationType,
ULONG Protect
)
{
PFN_NtMapViewOfSection fnNtMapViewOfSection =(PFN_NtMapViewOfSection)&_abTrampolineNtMapViewOfSection[0];
DWORD retval = fnNtMapViewOfSection( SectionHandle,
ProcessHandle,
BaseAddress,
ZeroBits,
CommitSize,
SectionOffset,
ViewSize,
InheritDisposition,
AllocationType,
Protect
);
if( _fModified )
return retval;
_fModified = TRUE;
PVOID hImage = *BaseAddress;
SetImageCharacteristics( hImage, IMAGE_FILE_DLL, IMAGE_FILE_EXECUTABLE_IMAGE, &_OriginalCharacteristics );
PIMAGE_OPTIONAL_HEADER poh;
poh=(PIMAGE_OPTIONAL_HEADER) OPTHDROFFSET(hImage);
DetourFunctionWithEmptyTrampoline( _abTrampolineDllMain,(PBYTE)((DWORD)hImage+poh->AddressOfEntryPoint),(PBYTE)PseudoDllMain);
return retval;
}
BOOL init(){
if( _nInitCount++ == 0 )
::InitializeCriticalSection( &_cs );
return TRUE;
}
BOOL Uninit(){
if( --_nInitCount == 0 )
::DeleteCriticalSection( &_cs );
return TRUE;
}
HMODULE WINAPI wLoadEW( LPCWSTR lpszExePath ){
::EnterCriticalSection( &_cs );
FARPROC NtMapViewOfSection = ::GetProcAddress( GetModuleHandleW( L"NTDLL.DLL" ), "NtMapViewOfSection" );
memset( _abTrampolineNtMapViewOfSection, 0x90, sizeof(_abTrampolineNtMapViewOfSection) );
memset( _abTrampolineDllMain, 0x90, sizeof(_abTrampolineDllMain) );
DetourFunctionWithEmptyTrampoline( _abTrampolineNtMapViewOfSection,(PBYTE)NtMapViewOfSection,(PBYTE)Mine_NtMapViewOfSection );
_fModified = FALSE;
HMODULE h = LoadLibraryW(lpszExePath);
_fModified = TRUE;
DetourRemove( _abTrampolineDllMain, (PBYTE)PseudoDllMain );
DetourRemove( _abTrampolineNtMapViewOfSection, (PBYTE)Mine_NtMapViewOfSection );
if( h != NULL )
SetImageCharacteristics( h, _OriginalCharacteristics, IMAGE_FILE_DLL, NULL );
::LeaveCriticalSection( &_cs );
return h;
}
HMODULE WINAPI wLoadEA( LPCSTR lpszExePath ){
WCHAR szPath[MAX_PATH];
::MultiByteToWideChar( CP_ACP, 0,
lpszExePath, -1,
szPath, sizeof(szPath) );
return wLoadEW(szPath);
}
BOOL WINAPI wFreebin( HMODULE hModule ){
::EnterCriticalSection( &_cs );
memset( _abTrampolineDllMain, 0x90, sizeof(_abTrampolineDllMain) );
PIMAGE_OPTIONAL_HEADER poh;
poh=(PIMAGE_OPTIONAL_HEADER) OPTHDROFFSET(hModule);
DetourFunctionWithEmptyTrampoline( _abTrampolineDllMain,(PBYTE)((DWORD)hModule+poh->AddressOfEntryPoint),(PBYTE)PseudoDllMain);
FreeLibrary( hModule );
::LeaveCriticalSection( &_cs );
return TRUE;
}
Main.cpp
#include <Windows.h>
// Non Member Functions
NtOpenSectionPtr NtOpenSection = NULL;
NtClosePtr NtClose = NULL;
NtMapViewOfSectionPtr NtMapViewOfSection = NULL;
NtUnmapViewOfSectionPtr NtUnmapViewOfSection = NULL;
RtlInitUnicodeStringPtr RtlInitUnicodeString = NULL;
ZwSystemDebugControlPtr ZwSystemDebugControl = NULL;
EnumSystemFirmwareTablesPtr EnumSystemFirmwareTables = NULL;
GetSystemFirmwareTablePtr GetSystemFirmwareTable = NULL;
u8 * CBlockBuffer = NULL;
u8 * EBlockBuffer = NULL;
int wsFuncLoad(void){
HMODULE hNtdll;
HMODULE hKerneldll;
hNtdll = GetModuleHandle(L"ntdll.dll");
hKerneldll = GetModuleHandle( L"kernel32.dll" );
if (!(hNtdll && hKerneldll))
return FALSE;
NtOpenSection = (NtOpenSectionPtr) GetProcAddress(hNtdll, "NtOpenSection");
NtClose = (NtClosePtr) GetProcAddress(hNtdll, "NtClose");
NtMapViewOfSection = (NtMapViewOfSectionPtr) GetProcAddress(hNtdll, "NtMapViewOfSection");
NtUnmapViewOfSection = (NtUnmapViewOfSectionPtr) GetProcAddress(hNtdll, "NtUnmapViewOfSection");
RtlInitUnicodeString = (RtlInitUnicodeStringPtr) GetProcAddress(hNtdll, "RtlInitUnicodeString");
ZwSystemDebugControl = (ZwSystemDebugControlPtr) GetProcAddress(hNtdll, "ZwSystemDebugControl");
EnumSystemFirmwareTables = (EnumSystemFirmwareTablesPtr) GetProcAddress(hKerneldll, "EnumSystemFirmwareTables");
GetSystemFirmwareTable = (GetSystemFirmwareTablePtr) GetProcAddress(hKerneldll, "GetSystemFirmwareTable");
return TRUE;
}
HANDLE OpenMemAccess(void){
UNICODE_STRING usDevmem;
OBJECT_ATTRIBUTES oaAttrs;
NTSTATUS status;
HANDLE hPhysMem = NULL;
RtlInitUnicodeString(&usDevmem, L"\\device\\physicalmemory");
InitializeObjectAttributes(&oaAttrs, &usDevmem, OBJ_CASE_INSENSITIVE, NULL, NULL);
status = NtOpenSection(&hPhysMem, SECTION_MAP_READ, &oaAttrs);
if (!NT_SUCCESS(status)){
hPhysMem = NULL;
}
return hPhysMem;
}
int CloseMemAccess(HANDLE hPhysMem){
NTSTATUS status;
status = NtClose(hPhysMem);
if (!NT_SUCCESS(status)){
return FALSE;
}
return TRUE;
}
int MapMem(HANDLE hPhysMem, PVOID pBaseAddr, PDWORD pPhysAddr, PDWORD pSize){
NTSTATUS status;
PHYSICAL_ADDRESS paAddr;
* (DWORD *) pBaseAddr = (DWORD) NULL;
paAddr.HighPart = 0;
paAddr.LowPart = *pPhysAddr;
00119 status = NtMapViewOfSection(hPhysMem, NtCurrentProcess(), (PVOID *) pBaseAddr, 0L,
*pSize, &paAddr, pSize, ViewShare, 0, PAGE_READONLY);
if (!NT_SUCCESS(status))
{
hPhysMem = NULL;
return FALSE;
}
*pPhysAddr = paAddr.LowPart;
return TRUE;
}
int UnMapMem(PVOID pBaseAddr){
NTSTATUS status;
status = NtUnmapViewOfSection(NtCurrentProcess(), pBaseAddr);
if (!NT_SUCCESS(status)){
return FALSE;
}
return TRUE;
}
static BOOL setPrivilege(LPCTSTR privilegeName, BOOL enable){
HANDLE hToken;
HANDLE hCurrentProcess;
DWORD err;
TOKEN_PRIVILEGES tkprivs;
hCurrentProcess = GetCurrentProcess();
if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)){
LookupPrivilegeValue(NULL, privilegeName, &tkprivs.Privileges[0].Luid);
tkprivs.PrivilegeCount = 1; // one privilege to set
tkprivs.Privileges[0].Attributes = enable ? SE_PRIVILEGE_ENABLED : 0;
AdjustTokenPrivileges(hToken, FALSE, &tkprivs, 0, (PTOKEN_PRIVILEGES)NULL, NULL);
}
err = GetLastError();
return err == ERROR_SUCCESS;
}
