/*
AddProcessInitDLL.h - add user DLL as first static DLL to new & suspended NT process.
32bit version for 32bit modules.
Not optimized, not thread-safe, not leak-checked.
Not carefully tested.
*/
////////////////////////////////////////////////////////////////////////////////////////////////
/*
 Return the load address of the main executable image of hProcess (0 on failure).
 The target is assumed to be a 32-bit process: the fixed offsets below are those of the
 32-bit PEB and PE layouts. If pPEHeader is non-NULL it receives the remote address of
 the image's IMAGE_NT_HEADERS, or 0 when the base or e_lfanew could not be read.
*/
DWORD WINAPI GetMainModuleBase(HANDLE hProcess, PDWORD pPEHeader) {
    HINSTANCE hntdll;
    DWORD MainModuleBase = 0;
    if(pPEHeader)
        *pPEHeader = 0;
    // NtQueryInformationProcess is resolved from ntdll at first use and cached in a
    // function-local static. The cache is written without synchronization
    // (the file header already states the code is not thread-safe).
    typedef LONG (WINAPI *TNQIP)(HANDLE, DWORD, PVOID, DWORD, PDWORD);
    static TNQIP NQIP = NULL;
    if(NQIP == NULL)
        if(hntdll = GetModuleHandle(TEXT("ntdll.dll")))
            NQIP = (TNQIP)GetProcAddress(hntdll, "NtQueryInformationProcess");
    if(NQIP) {
        // Info class 0 is ProcessBasicInformation; six DWORDs match the 32-bit
        // PROCESS_BASIC_INFORMATION. pbi[1] is PebBaseAddress and ImageBaseAddress
        // sits at offset 8 of the 32-bit PEB.
        DWORD pbi[6];
        if(NQIP(hProcess, 0, &pbi, sizeof(pbi), NULL) >= 0)   // NTSTATUS >= 0 is success
            // The result of this read is not checked; on failure MainModuleBase stays 0.
            ReadProcessMemory(hProcess, (PVOID)(pbi[1] +8), &MainModuleBase, sizeof(MainModuleBase), NULL);
        if(pPEHeader) {
            if(MainModuleBase) {
                DWORD pPE;
                // IMAGE_DOS_HEADER.e_lfanew (offset 0x3C) is the RVA of the NT headers.
                if(ReadProcessMemory(hProcess, (PVOID)(MainModuleBase+0x3C), &pPE, sizeof(pPE), NULL))
                    *pPEHeader = MainModuleBase+pPE;
            }
        }
    }
    return(MainModuleBase);
}
////////////////////////////////////////////////////////////////////////////////////////////////
/*
 Read one IMAGE_DATA_DIRECTORY entry of the target's main image into *pIDD.
 pPE is the remote address of IMAGE_NT_HEADERS (as produced by GetMainModuleBase) and
 DirectoryEntry an IMAGE_DIRECTORY_ENTRY_* index. Returns FALSE when pPE is 0 or the
 remote read fails. 32-bit images only: the arithmetic assumes IMAGE_OPTIONAL_HEADER32.
 DirectoryEntry is not range-checked against IMAGE_NUMBEROF_DIRECTORY_ENTRIES.
*/
BOOL WINAPI GetMainModuleDirectoryEntry(HANDLE hProcess, DWORD pPE, DWORD DirectoryEntry, PIMAGE_DATA_DIRECTORY pIDD) {
    BOOL Result = FALSE;
    if(pPE)
        // Address of OptionalHeader.DataDirectory[DirectoryEntry]: skip the 4-byte PE
        // signature, the file header and the whole optional header (whose last member is
        // the 16-entry DataDirectory array), then step back (16 - DirectoryEntry) entries.
        Result = ReadProcessMemory(hProcess, (PVOID)(pPE +4 +IMAGE_SIZEOF_FILE_HEADER +IMAGE_SIZEOF_NT_OPTIONAL32_HEADER
            +(DirectoryEntry -IMAGE_NUMBEROF_DIRECTORY_ENTRIES)*
            sizeof(IMAGE_DATA_DIRECTORY)), pIDD, sizeof(*pIDD), NULL);
    return(Result);
}
////////////////////////////////////////////////////////////////////////////////////////////////
/*
 Overwrite one IMAGE_DATA_DIRECTORY entry in the target's in-memory PE header with *pIDD.
 Same addressing as GetMainModuleDirectoryEntry (32-bit optional header only).
 The header bytes are made PAGE_EXECUTE_READWRITE for the write and the previous
 protection is restored afterwards; the restore's return value is not checked.
 Returns FALSE when pPE is 0, the protection change fails or the write fails.
 Forensics note: after a successful call the data directory in the target's mapped
 header no longer matches the image file on disk.
*/
BOOL WINAPI SetMainModuleDirectoryEntry(HANDLE hProcess, DWORD pPE, DWORD DirectoryEntry, PIMAGE_DATA_DIRECTORY pIDD) {
    BOOL Result = FALSE;
    if(pPE) {
        // Advance pPE to OptionalHeader.DataDirectory[DirectoryEntry] (see the Get variant).
        pPE += +4 +IMAGE_SIZEOF_FILE_HEADER +IMAGE_SIZEOF_NT_OPTIONAL32_HEADER +(DirectoryEntry -IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
            *sizeof(IMAGE_DATA_DIRECTORY);
        DWORD OldProt;
        if(VirtualProtectEx(hProcess, (PVOID)pPE, sizeof(*pIDD), PAGE_EXECUTE_READWRITE, &OldProt)) {
            Result = WriteProcessMemory(hProcess, (PVOID)pPE, pIDD, sizeof(*pIDD), NULL);
            VirtualProtectEx(hProcess, (PVOID)pPE, sizeof(*pIDD), OldProt, &OldProt);
        }
    }
    return(Result);
}
////////////////////////////////////////////////////////////////////////////////////////////////
// VirtualAllocEx/VirtualFreeEx are not linked statically; hAddProcessInitDLLA resolves
// them from KERNEL32 at first use and caches them here. The cache is filled without
// synchronization. Presumably this avoids a static import of the two APIs — confirm.
// NOTE(review): TAPIDVirtualFreeEx is declared to return LPVOID although VirtualFreeEx
// returns BOOL; the callers ignore that return value, so it has no practical effect.
typedef LPVOID (WINAPI *TAPIDVirtualAllocEx)(HANDLE, LPVOID, DWORD, DWORD, DWORD);
static TAPIDVirtualAllocEx APIDVirtualAllocEx = NULL;
typedef LPVOID (WINAPI *TAPIDVirtualFreeEx)(HANDLE, LPVOID, DWORD, DWORD);
static TAPIDVirtualFreeEx APIDVirtualFreeEx = NULL;
////////////////////////////////////////////////////////////////////////////////////////////////
/*
 Make DllName a static (load-time) dependency of the main image of hProcess, which per
 the file header is a newly created, still-suspended 32-bit process.
 Two mechanisms, chosen by what the target image already has:
   - If the image has a Bound Import directory, a new IMAGE_BOUND_IMPORT_DESCRIPTOR for
     DllName is prepended to a copy of that table and the directory entry is redirected
     to the copy.
   - Otherwise a new IMAGE_IMPORT_DESCRIPTOR for DllName is prepended to a copy of the
     Import directory and that directory entry is redirected.
 In both cases the copy lives in a fresh PAGE_EXECUTE_READWRITE allocation made with
 VirtualAllocEx outside the image mapping, and the target's in-memory PE header is
 modified (SetMainModuleDirectoryEntry). Those are the artifacts this leaves behind and
 what a memory scanner would key on: an RWX private region referenced from the header's
 data directory, and a header that no longer matches the file on disk.

 Parameters:
   hProcess           target process handle (needs VM read/write/operation and query rights).
   DllName            ANSI module name to add; copied verbatim into the new table.
   TimeDateStamp      used only on the bound-import path; 0 means "read it from the DLL's
                      own PE header", which maps the DLL into THIS process with
                      DONT_RESOLVE_DLL_REFERENCES to do so.
   lpHomeDirectory    optional directory made current before that local LoadLibraryExA.
   lpCurrentDirectory optional fallback directory tried if the first load fails.
                      The caller's current directory is restored afterwards.
 Returns TRUE on success, FALSE on every failure path.
 NOTE(review): an empty DllName returns TRUE (final else branch) although nothing was done.
*/
BOOL WINAPI hAddProcessInitDLLA(HANDLE hProcess, LPCSTR DllName, DWORD TimeDateStamp,
                                LPCSTR lpHomeDirectory, LPCSTR lpCurrentDirectory) {
    BOOL Result = FALSE;
    // C++ declaration-in-condition: l is the name length; 0 falls to the final else.
    if(DWORD l = lstrlenA(DllName)) {
        // Lazily resolve VirtualAllocEx/VirtualFreeEx into the file-scope statics.
        if(APIDVirtualAllocEx == NULL) {
            HINSTANCE hK32 = GetModuleHandle(TEXT("KERNEL32.dll"));
            if(hK32) {
                APIDVirtualAllocEx = (TAPIDVirtualAllocEx)GetProcAddress(hK32, "VirtualAllocEx");
                APIDVirtualFreeEx = (TAPIDVirtualFreeEx)GetProcAddress(hK32, "VirtualFreeEx");
            }
        }
        if(!APIDVirtualAllocEx || !APIDVirtualFreeEx)
            return(FALSE);
        // MMB = main module base; pPE = remote address of its IMAGE_NT_HEADERS (0 on failure,
        // which makes the directory helpers fail and the function return FALSE).
        DWORD pPE;
        DWORD MMB = GetMainModuleBase(hProcess, &pPE);
        IMAGE_DATA_DIRECTORY IDEBI;
        if(GetMainModuleDirectoryEntry(hProcess, pPE, IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT, &IDEBI)
           && (IDEBI.VirtualAddress) && (IDEBI.Size)) {
            /* ---- Bound Import path ---- */
            if(TimeDateStamp == 0) {
                // Obtain the DLL's link-time stamp by mapping it locally without running
                // DllMain or resolving its imports. lpHomeDirectory is tried as current
                // directory first, lpCurrentDirectory second; the original current
                // directory is restored in either case.
                BOOL cdset = FALSE;
                CHAR cd[MAX_PATH];
                if(GetCurrentDirectoryA(MAX_PATH, cd))
                    cdset = TRUE;
                if(cdset && lpHomeDirectory)
                    SetCurrentDirectoryA(lpHomeDirectory);
                HINSTANCE hDll = LoadLibraryExA(DllName, NULL, DONT_RESOLVE_DLL_REFERENCES);
                if((hDll == NULL) && cdset && lpCurrentDirectory) {
                    SetCurrentDirectoryA(lpCurrentDirectory);
                    hDll = LoadLibraryExA(DllName, NULL, DONT_RESOLVE_DLL_REFERENCES);
                }
                if(cdset)
                    SetCurrentDirectoryA(cd);
                if(hDll == NULL)
                    return(FALSE);
                // e_lfanew (+0x3C) locates IMAGE_NT_HEADERS; FileHeader.TimeDateStamp is 8 bytes in.
                TimeDateStamp = *(PDWORD)(*(PDWORD)((DWORD)hDll+0x3C) +(DWORD)hDll +8);
                FreeLibrary(hDll);
                if(TimeDateStamp == 0)
                    return(FALSE);
            }
            // Room for one extra descriptor plus the NUL-terminated name, rounded up to 4 bytes.
            DWORD SizePlus = ((l+1 +sizeof(IMAGE_BOUND_IMPORT_DESCRIPTOR))+3)&~3;
            // The new table is an RWX allocation in the target, outside the image mapping.
            if(DWORD NewMMBI = (DWORD)APIDVirtualAllocEx(hProcess, NULL, IDEBI.Size +SizePlus, MEM_COMMIT, PAGE_EXECUTE_READWRITE)) {
                PVOID OriginalMMBI;
                PVOID LocalNewMMBI;
                // Build the table locally: the existing table is copied in after a
                // one-descriptor gap at the front.
                if(LocalNewMMBI = LocalAlloc(LPTR, IDEBI.Size +SizePlus)) {
                    if(!ReadProcessMemory(hProcess, OriginalMMBI = (PVOID)(IDEBI.VirtualAddress+MMB), (PVOID)((DWORD)LocalNewMMBI +sizeof(IMAGE_BOUND_IMPORT_DESCRIPTOR)), IDEBI.Size, NULL)) {
                        LocalFree(LocalNewMMBI);
                        APIDVirtualFreeEx(hProcess, (PVOID)NewMMBI, NULL, MEM_RELEASE);
                        return(FALSE);
                    }
                }
                // NOTE(review): if LocalAlloc failed, LocalNewMMBI is NULL and OriginalMMBI is
                // uninitialized, yet execution continues to the dereference below (the import
                // path below nests the rest inside its LocalAlloc check instead).
                PIMAGE_BOUND_IMPORT_DESCRIPTOR pibid = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)LocalNewMMBI;
                // First (new) descriptor: requested stamp, name placed after the copied table.
                pibid->TimeDateStamp = TimeDateStamp;
                pibid->OffsetModuleName = IDEBI.Size +sizeof(IMAGE_BOUND_IMPORT_DESCRIPTOR);
                // OffsetModuleName is relative to the table start, so every copied descriptor
                // shifts by the size of the inserted one. The loop ends at the all-zero
                // terminator (LPTR zero-fills the buffer).
                while((++pibid)->OffsetModuleName)
                    pibid->OffsetModuleName +=sizeof(IMAGE_BOUND_IMPORT_DESCRIPTOR);
                lstrcpyA((PSTR)LocalNewMMBI +IDEBI.Size +sizeof(IMAGE_BOUND_IMPORT_DESCRIPTOR), DllName);
                IDEBI.Size +=SizePlus;
                if(WriteProcessMemory(hProcess, (PVOID)NewMMBI, LocalNewMMBI, IDEBI.Size, NULL)) {
                    // Redirect the directory entry to the new table (RVA relative to the image base).
                    IDEBI.VirtualAddress = NewMMBI -MMB;
                    if(SetMainModuleDirectoryEntry(hProcess, pPE, IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT, &IDEBI)) {
                        Result = TRUE;
                        // The old table lies inside the mapped image, so MEM_RELEASE on it is
                        // unlikely to do what is intended; the author flagged it as well.
                        APIDVirtualFreeEx(hProcess, OriginalMMBI, NULL, MEM_RELEASE); //disputable
                    }
                }
                // NOTE(review): NewMMBI is not freed in the target when the write or the header
                // update fails; the import path below has the same gap.
                LocalFree(LocalNewMMBI);
            }
        }
        else {
            /* ---- Import directory path (image has no bound imports) ---- */
            if(GetMainModuleDirectoryEntry(hProcess, pPE, IMAGE_DIRECTORY_ENTRY_IMPORT, &IDEBI)
               && (IDEBI.VirtualAddress) && (IDEBI.Size)) {
                DWORD SizePlus = ((l+1 +sizeof(IMAGE_IMPORT_DESCRIPTOR))+3)&~3;
                if(DWORD NewMMI = (DWORD)APIDVirtualAllocEx(hProcess, NULL, IDEBI.Size +SizePlus, MEM_COMMIT, PAGE_EXECUTE_READWRITE)) {
                    PVOID OriginalMMI;
                    if(PVOID LocalNewMMI = LocalAlloc(LPTR, IDEBI.Size +SizePlus)) {
                        if(!ReadProcessMemory(hProcess, OriginalMMI = (PVOID)(IDEBI.VirtualAddress+MMB), (PVOID)((DWORD)LocalNewMMI +sizeof(IMAGE_IMPORT_DESCRIPTOR)), IDEBI.Size, NULL)) {
                            LocalFree(LocalNewMMI);
                            APIDVirtualFreeEx(hProcess, (PVOID)NewMMI, NULL, MEM_RELEASE);
                            return(FALSE);
                        }
                        PIMAGE_IMPORT_DESCRIPTOR piid = (PIMAGE_IMPORT_DESCRIPTOR)LocalNewMMI;
                        // 0x80000001 serves as a marker for descriptors created by this code
                        // (matched in the relocation loop below). FirstThunk is pointed at this
                        // very field, so the descriptor is its own thunk array; presumably the
                        // zeroed ForwarderChain that follows acts as the list terminator — confirm.
                        // Forensics: a descriptor whose FirstThunk falls inside the descriptor
                        // table itself is not something a linker emits.
                        piid->TimeDateStamp = 0x80000001;
                        piid->Name = NewMMI +IDEBI.Size +sizeof(IMAGE_IMPORT_DESCRIPTOR) -MMB;
                        piid->FirstThunk = NewMMI +((DWORD)&piid->TimeDateStamp -(DWORD)piid) -MMB;
                        IMAGE_DATA_DIRECTORY IDIAT;
                        if(GetMainModuleDirectoryEntry(hProcess, pPE, IMAGE_DIRECTORY_ENTRY_IAT, &IDIAT)) {
                            if(IDIAT.Size == 0) {
                                //just an approach - the whole image should be unprotected
                                // NOTE(review): IDEBI here still describes the ORIGINAL import
                                // table, not the new table at NewMMI that holds the thunk — confirm.
                                if(!SetMainModuleDirectoryEntry(hProcess, pPE, IMAGE_DIRECTORY_ENTRY_IAT, &IDEBI)) {
                                    LocalFree(LocalNewMMI);
                                    APIDVirtualFreeEx(hProcess, (PVOID)NewMMI, NULL, MEM_RELEASE);
                                    return(FALSE);
                                }
                            }
                        }
                        lstrcpyA((PSTR)LocalNewMMI +IDEBI.Size +sizeof(IMAGE_IMPORT_DESCRIPTOR), DllName);
                        IDEBI.Size +=SizePlus;
                        // Descriptors added by an earlier call carry Name/FirstThunk RVAs that point
                        // into the table itself; shift them by the table's relocation delta.
                        for(++piid; piid->Name; piid++)
                            if(piid->TimeDateStamp == 0x80000001) {
                                piid->Name += NewMMI -(DWORD)OriginalMMI +sizeof(IMAGE_IMPORT_DESCRIPTOR);
                                piid->FirstThunk += NewMMI -(DWORD)OriginalMMI +sizeof(IMAGE_IMPORT_DESCRIPTOR);
                            }
                        if(WriteProcessMemory(hProcess, (PVOID)NewMMI, LocalNewMMI, IDEBI.Size, NULL)) {
                            // Redirect the Import directory to the new table.
                            IDEBI.VirtualAddress = NewMMI -MMB;
                            if(SetMainModuleDirectoryEntry(hProcess, pPE, IMAGE_DIRECTORY_ENTRY_IMPORT, &IDEBI)) {
                                Result = TRUE;
                                // Same caveat as the bound-import path: the old table is part of
                                // the image mapping.
                                APIDVirtualFreeEx(hProcess, OriginalMMI, NULL, MEM_RELEASE); //disputable
                            }
                        }
                        LocalFree(LocalNewMMI);
                    }
                }
            }
        }
    }
    else {
        return(TRUE);
    }
    return(Result);
}
////////////////////////////////////////////////////////////////////////////////////////////////
/*
 Wide-character wrapper: converts DllName and the two optional directories to the ANSI
 code page (CP_ACP) into MAX_PATH buffers and forwards to hAddProcessInitDLLA.
 NULL directory arguments are passed through as NULL. Returns FALSE if any conversion
 fails (WideCharToMultiByte returns 0, which includes a result that does not fit in
 MAX_PATH bytes); otherwise the result of hAddProcessInitDLLA.
*/
BOOL WINAPI hAddProcessInitDLLW(HANDLE hProcess, LPCWSTR DllName, DWORD TimeDateStamp,
                                LPCWSTR lpHomeDirectory, LPCWSTR lpCurrentDirectory) {
    CHAR DllNameA[MAX_PATH];
    if(WideCharToMultiByte(CP_ACP, 0, DllName, -1, DllNameA, MAX_PATH, NULL, NULL) == 0)
        return(FALSE);
    CHAR HomeDirectoryA[MAX_PATH];
    // The cast only carries NULL/non-NULL; a non-NULL value is replaced by the local buffer.
    LPSTR lpHomeDirectoryA = (LPSTR)lpHomeDirectory;
    if(lpHomeDirectoryA) {
        lpHomeDirectoryA = HomeDirectoryA;
        if(WideCharToMultiByte(CP_ACP, 0, lpHomeDirectory, -1, lpHomeDirectoryA, MAX_PATH, NULL, NULL) == 0)
            return(FALSE);
    }
    CHAR CurrentDirectoryA[MAX_PATH];
    // Same NULL-pass-through pattern for the fallback directory.
    LPSTR lpCurrentDirectoryA = (LPSTR)lpCurrentDirectory;
    if(lpCurrentDirectoryA) {
        lpCurrentDirectoryA = CurrentDirectoryA;
        if(WideCharToMultiByte(CP_ACP, 0, lpCurrentDirectory, -1, lpCurrentDirectoryA, MAX_PATH, NULL, NULL) == 0)
            return(FALSE);
    }
    return(hAddProcessInitDLLA(hProcess, DllNameA, TimeDateStamp, lpHomeDirectoryA, lpCurrentDirectoryA));
}
////////////////////////////////////////////////////////////////////////////////////////////////
// TCHAR-style name selection, mirroring the Windows API convention: hAddProcessInitDLL
// resolves to the W variant when UNICODE is defined, otherwise to the A variant.
#ifdef UNICODE
#define hAddProcessInitDLL hAddProcessInitDLLW
#else
#define hAddProcessInitDLL hAddProcessInitDLLA
#endif
////////////////////////////////////////////////////////////////////////////////////////////////