Projects STRLCPY GhostInjector Commits d752e96c
  • ■ ■ ■ ■ ■
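--- a/Injector/injection.cpp
+++ b/Injector/injection.cpp
@@ -1,10 +1,12 @@
 #include "injection.h"
 
 bool InjectDll(std::vector<uint8_t> fileData, uint32_t pid) {
- PeHeader peHdr(fileData.data());
 
- uint64_t imgSize = peHdr.ntHdr->OptionalHeader.SizeOfImage;
- uint64_t hdrSize = peHdr.ntHdr->OptionalHeader.SizeOfHeaders;
+ //
+ // initialize pe headers
+ //
+
+ PeHeader peHdr(fileData.data());
 
  //
  // allocate remote buffer
@@ -12,7 +14,7 @@
 
  GhostWrite gw;
  gw.Init(pid);
- uintptr_t remoteMem = gw.Allocate(imgSize - hdrSize);
+ uintptr_t remoteMem = gw.Allocate(peHdr.ntHdr->OptionalHeader.SizeOfImage);
 
 
  //
@@ -80,23 +82,70 @@
  std::printf("imports resolved\n");
 
  //
- // map into memory
+ // map into memory, (exclude pe headers)
  //
 
  for (auto sectHdr : peHdr.sectHdrs) {
- uintptr_t writeAddr = remoteMem + sectHdr->VirtualAddress - hdrSize;
- uint8_t* sectStart = fileData.data() + sectHdr->PointerToRawData;
+ uint8_t* sectStart = fileData.data() + sectHdr->PointerToRawData;
+ uintptr_t remoteSect = remoteMem + sectHdr->VirtualAddress;
 
- std::printf("mapping section, name: %.8s, size: %d, ---> 0x%llx\n", sectHdr->Name, sectHdr->SizeOfRawData, writeAddr);
- gw.WriteMemory(writeAddr, std::vector<uint8_t>(sectStart, sectStart + sectHdr->SizeOfRawData));
+ std::printf("mapping section, name: %.8s, size: %d, ---> 0x%llx\n", sectHdr->Name, sectHdr->SizeOfRawData, remoteSect);
+ gw.WriteMemory(remoteSect, std::vector<uint8_t>(sectStart, sectStart + sectHdr->SizeOfRawData));
  }
 
- uintptr_t remoteEntry = remoteMem + peHdr.ntHdr->OptionalHeader.AddressOfEntryPoint - hdrSize;
+ //
+ // set protections
+ //
+
+ for (auto sectHdr : peHdr.sectHdrs) {
+ uintptr_t remoteSect = remoteMem + sectHdr->VirtualAddress;
+
+ uint32_t characteristics = sectHdr->Characteristics;
+ uint32_t prot = 0;
+ std::string protStr = "";
+
+ if (characteristics & IMAGE_SCN_MEM_EXECUTE) {
+ prot = PAGE_EXECUTE;
+ protStr = "X";
+ if (characteristics & IMAGE_SCN_MEM_READ) {
+ prot = PAGE_EXECUTE_READ;
+ protStr = "RX";
+ }
+ if (characteristics & IMAGE_SCN_MEM_WRITE) {
+ prot = PAGE_EXECUTE_WRITECOPY;
+ protStr = "WCX";
+ }
+ if ((characteristics & IMAGE_SCN_MEM_READ) && (characteristics & IMAGE_SCN_MEM_WRITE)) {
+ prot = PAGE_EXECUTE_READWRITE;
+ protStr = "RWX";
+ }
+ }
+ else {
+ if (characteristics & IMAGE_SCN_MEM_READ) {
+ prot = PAGE_READONLY;
+ protStr = "RO";
+ }
+ if (characteristics & IMAGE_SCN_MEM_WRITE) {
+ prot = PAGE_WRITECOPY;
+ protStr = "WC";
+ }
+ if ((characteristics & IMAGE_SCN_MEM_READ) && (characteristics & IMAGE_SCN_MEM_WRITE)) {
+ prot = PAGE_READWRITE;
+ protStr = "RW";
+ }
+ }
+
+ std::printf("triggering NtProtectVirtualMemory (RW-->%s)\n", protStr.c_str());
+ gw.Protect(remoteSect, sectHdr->SizeOfRawData, prot);
+ }
 
  //
  // execute
  //
 
+ uint64_t remoteEntry = remoteMem + peHdr.ntHdr->OptionalHeader.AddressOfEntryPoint;
+
  std::printf("triggering dll entrypoint : 0x%llx\n", remoteEntry);
  gw.TriggerFunction(reinterpret_cast<void*>(remoteEntry), { remoteMem, DLL_PROCESS_ATTACH, 0 });
 }
+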
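Review bot: The rewritten mapping loop (new lines 89-93) builds a `std::vector` from `sectStart` to `sectStart + sectHdr->SizeOfRawData` without comparing `PointerToRawData` and `SizeOfRawData` against `fileData.size()`, so a truncated or malformed input file makes the tool read past its own buffer. A guard at the top of the loop body would reject such input: `if (sectHdr->PointerToRawData > fileData.size() || sectHdr->SizeOfRawData > fileData.size() - sectHdr->PointerToRawData) return false;`. Whether `PeHeader` already validates these fields is not visible here, and 61 lines of `InjectDll` are skipped on this page, so confirm no earlier check exists before adding this one. Separately, the visible end of the function (new lines 148-150) shows no `return` before the closing brace although `InjectDll` is declared `bool`.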