diff --git a/dll/src/ReflectiveLoader.c b/dll/src/ReflectiveLoader.c index 4e5c95c..b5b5692 100755 --- a/dll/src/ReflectiveLoader.c +++ b/dll/src/ReflectiveLoader.c @@ -30,29 +30,25 @@ // Our loader will set this to a pseudo correct HINSTANCE/HMODULE value HINSTANCE hAppInstance = NULL; //===============================================================================================// -#ifndef __MINGW32__ +#ifdef __MINGW32__ +#define WIN_GET_CALLER() __builtin_extract_return_addr(__builtin_return_address(0)) +#else #pragma intrinsic(_ReturnAddress) +#define WIN_GET_CALLER() _ReturnAddress() #endif // This function can not be inlined by the compiler or we will not get the address we expect. Ideally // this code will be compiled with the /O2 and /Ob1 switches. Bonus points if we could take advantage of // RIP relative addressing in this instance but I dont believe we can do so with the compiler intrinsics // available (and no inline asm available under x64). -__declspec(noinline) ULONG_PTR caller( VOID ) { return (ULONG_PTR)_ReturnAddress(); } +__declspec(noinline) ULONG_PTR caller( VOID ) { return (ULONG_PTR)WIN_GET_CALLER(); } //===============================================================================================// -#ifdef ENABLE_OUTPUTDEBUGSTRING -#define OUTPUTDBG(str) pOutputDebug((LPCSTR)str) -#else /* ENABLE_OUTPUTDEBUGSTRING */ -#define OUTPUTDBG(str) do{}while(0) -#endif - // Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN, // otherwise the DllMain at the end of this file will be used. // Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR, // otherwise it is assumed you are calling the ReflectiveLoader via a stub. - #ifdef RDIDLL_NOEXPORT #define RDIDLLEXPORT #else @@ -74,9 +70,6 @@ RDIDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( VOID ) #ifdef ENABLE_STOPPAGING VIRTUALLOCK pVirtualLock = NULL; #endif -#ifdef ENABLE_OUTPUTDEBUGSTRING - OUTPUTDEBUG pOutputDebug = NULL; -#endif USHORT usCounter; @@ -133,7 +126,7 @@ RDIDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( VOID ) #else #ifdef WIN_ARM uiBaseAddress = *(DWORD *)( (BYTE *)_MoveFromCoprocessor( 15, 0, 13, 0, 2 ) + 0x30 ); -#else _WIN32 +#else // _WIN32 uiBaseAddress = __readfsdword( 0x30 ); #endif #endif @@ -191,9 +184,6 @@ RDIDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( VOID ) #ifdef ENABLE_STOPPAGING usCounter++; #endif -#ifdef ENABLE_OUTPUTDEBUGSTRING - usCounter++; -#endif // loop while we still have imports to find while( usCounter > 0 ) @@ -207,9 +197,6 @@ RDIDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( VOID ) || dwHashValue == VIRTUALALLOC_HASH #ifdef ENABLE_STOPPAGING || dwHashValue == VIRTUALLOCK_HASH -#endif -#ifdef ENABLE_OUTPUTDEBUGSTRING - || dwHashValue == OUTPUTDEBUG_HASH #endif ) { @@ -230,10 +217,6 @@ RDIDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( VOID ) else if( dwHashValue == VIRTUALLOCK_HASH ) pVirtualLock = (VIRTUALLOCK)( uiBaseAddress + DEREF_32( uiAddressArray ) ); #endif -#ifdef ENABLE_OUTPUTDEBUGSTRING - else if( dwHashValue == OUTPUTDEBUG_HASH ) - pOutputDebug = (OUTPUTDEBUG)( uiBaseAddress + DEREF_32( uiAddressArray ) ); -#endif // decrement our counter usCounter--; @@ -307,9 +290,6 @@ RDIDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( VOID ) && pVirtualLock #endif && pNtFlushInstructionCache -#ifdef ENABLE_OUTPUTDEBUGSTRING - && pOutputDebug -#endif ) break; @@ -357,6 +337,7 @@ RDIDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( VOID ) // copy the section over uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData; + while( uiValueD-- ) *(BYTE *)uiValueB++ = *(BYTE *)uiValueC++; @@ -376,17 +357,11 @@ RDIDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( VOID ) // iterate through all imports until a null RVA is found (Characteristics is mis-named) while( ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Characteristics ) { - OUTPUTDBG("Loading library: "); - OUTPUTDBG((LPCSTR)(uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name)); - OUTPUTDBG("\n"); - // use LoadLibraryA to load the imported module into memory uiLibraryAddress = (ULONG_PTR)pLoadLibraryA( (LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) ); if ( !uiLibraryAddress ) { - OUTPUTDBG("Loading library FAILED\n"); - uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR ); continue; } @@ -426,10 +401,6 @@ RDIDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( VOID ) // get the VA of this functions import by name struct uiValueB = ( uiBaseAddress + DEREF(uiValueA) ); - OUTPUTDBG("Resolving function: "); - OUTPUTDBG(((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name); - OUTPUTDBG("\n"); - // use GetProcAddress and patch in the address for this imported function DEREF(uiValueA) = (ULONG_PTR)pGetProcAddress( (HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name ); } @@ -534,7 +505,6 @@ RDIDLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( VOID ) // uiValueA = the VA of our newly loaded DLL/EXE's entry point uiValueA = ( uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint ); - OUTPUTDBG("Flushing the instruction cache"); // We must flush the instruction cache to avoid stale code being used which was updated by our relocation processing. pNtFlushInstructionCache( (HANDLE)-1, NULL, 0 ); diff --git a/dll/src/ReflectiveLoader.h b/dll/src/ReflectiveLoader.h index 3940518..c9b1943 100644 --- a/dll/src/ReflectiveLoader.h +++ b/dll/src/ReflectiveLoader.h @@ -35,37 +35,29 @@ #include "ReflectiveDLLInjection.h" -// Enable this define to turn on OutputDebugString support -//#define ENABLE_OUTPUTDEBUGSTRING 1 - // Enable this define to turn on locking of memory to prevent paging -#define ENABLE_STOPPAGING 1 +#define ENABLE_STOPPAGING #define EXITFUNC_SEH 0xEA320EFE #define EXITFUNC_THREAD 0x0A2A1DE0 #define EXITFUNC_PROCESS 0x56A2B5F0 -typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR ); -typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR ); -typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD ); -typedef DWORD (NTAPI * NTFLUSHINSTRUCTIONCACHE)( HANDLE, PVOID, ULONG ); +typedef HMODULE(WINAPI*LOADLIBRARYA)(LPCSTR); +typedef FARPROC(WINAPI*GETPROCADDRESS)(HMODULE,LPCSTR); +typedef LPVOID(WINAPI*VIRTUALALLOC)(LPVOID,SIZE_T,DWORD,DWORD); +typedef DWORD(NTAPI*NTFLUSHINSTRUCTIONCACHE)(HANDLE,PVOID,ULONG); -#define KERNEL32DLL_HASH 0x6A4ABC5B -#define NTDLLDLL_HASH 0x3CFA685D +#define KERNEL32DLL_HASH 0x6A4ABC5B +#define NTDLLDLL_HASH 0x3CFA685D -#define LOADLIBRARYA_HASH 0xEC0E4E8E -#define GETPROCADDRESS_HASH 0x7C0DFCAA -#define VIRTUALALLOC_HASH 0x91AFCA54 -#define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8 +#define LOADLIBRARYA_HASH 0xEC0E4E8E +#define GETPROCADDRESS_HASH 0x7C0DFCAA +#define VIRTUALALLOC_HASH 0x91AFCA54 +#define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8 #ifdef ENABLE_STOPPAGING -typedef LPVOID (WINAPI * VIRTUALLOCK)( LPVOID, SIZE_T ); -#define VIRTUALLOCK_HASH 0x0EF632F2 -#endif - -#ifdef ENABLE_OUTPUTDEBUGSTRING -typedef LPVOID (WINAPI * OUTPUTDEBUG)( LPCSTR ); -#define OUTPUTDEBUG_HASH 0x470D22BC +typedef LPVOID(WINAPI*VIRTUALLOCK)(LPVOID,SIZE_T); +#define VIRTUALLOCK_HASH 0x0EF632F2 #endif #define IMAGE_REL_BASED_ARM_MOV32A 5 diff --git a/inject/src/GetProcAddressR.c b/inject/src/GetProcAddressR.c index 8718caa..5074d7a 100644 --- a/inject/src/GetProcAddressR.c +++ b/inject/src/GetProcAddressR.c @@ -78,7 +78,7 @@ FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName ) // import by ordinal... // use the import ordinal (- export ordinal base) as an index into the array of addresses - uiAddressArray += ( ( IMAGE_ORDINAL( (DWORD)lpProcName ) - pExportDirectory->Base ) * sizeof(DWORD) ); + uiAddressArray += ( ( IMAGE_ORDINAL( (DWORD)(DWORD_PTR)lpProcName ) - pExportDirectory->Base ) * sizeof(DWORD) ); // resolve the address for this imported function fpResult = (FARPROC)( uiLibraryAddress + DEREF_32(uiAddressArray) ); diff --git a/inject/src/LoadLibraryR.c b/inject/src/LoadLibraryR.c index c2472ea..c7ef1da 100644 --- a/inject/src/LoadLibraryR.c +++ b/inject/src/LoadLibraryR.c @@ -92,7 +92,6 @@ DWORD GetReflectiveLoaderOffset(VOID* lpReflectiveDllBuffer, LPCSTR cpReflective is64 = FALSE; // uiNameArray = the address of the modules export directory entry uiNameArray = (UINT_PTR) & ((PIMAGE_NT_HEADERS32)uiExportDir)->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; - } else if (((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x020B) // PE64 { @@ -124,7 +123,7 @@ DWORD GetReflectiveLoaderOffset(VOID* lpReflectiveDllBuffer, LPCSTR cpReflective // import by ordinal... // use the import ordinal (- export ordinal base) as an index into the array of addresses - uiAddressArray += ((IMAGE_ORDINAL((DWORD)cpReflectiveLoaderName) - ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->Base) * sizeof(DWORD)); + uiAddressArray += ((IMAGE_ORDINAL((DWORD)(DWORD_PTR)cpReflectiveLoaderName) - ((PIMAGE_EXPORT_DIRECTORY)uiExportDir)->Base) * sizeof(DWORD)); // resolve the address for this imported function return Rva2Offset(DEREF_32(uiAddressArray), uiBaseAddress, is64); @@ -253,7 +252,7 @@ HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLeng lpReflectiveLoader = (LPTHREAD_START_ROUTINE)( (ULONG_PTR)lpRemoteLibraryBuffer + dwReflectiveLoaderOffset ); // create a remote thread in the host process to call the ReflectiveLoader! - hThread = CreateRemoteThread( hProcess, NULL, 1024*1024, lpReflectiveLoader, lpParameter, (DWORD)NULL, &dwThreadId ); + hThread = CreateRemoteThread( hProcess, NULL, 1024*1024, lpReflectiveLoader, lpParameter, (DWORD_PTR)NULL, &dwThreadId ); } while( 0 );