-
Notifications
You must be signed in to change notification settings - Fork 173
Expand file tree
/
Copy pathmmLoader-shellcode-generator.c
More file actions
312 lines (278 loc) · 9.97 KB
/
mmLoader-shellcode-generator.c
File metadata and controls
312 lines (278 loc) · 9.97 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
// mmLoader-shellcode-generator.cpp : Defines the entry point for the console
// application.
//
//
#include <stdio.h>
#include <tchar.h>
#include <windows.h>
#include <Strsafe.h>
#include <shlwapi.h>
#include <mmLoader.h>
#pragma comment(linker, "/NODEFAULTLIB")
#pragma comment(linker, "/ENTRY:CodeBag")
LPSTR head = "/************************************************************************/"
"\r\n"
"/* \r\n"
#ifdef _WIN64
" * This file is generated by mmLoaderShellCode Generator (x64)\r\n"
" * Target platform: 64 bit windows application\r\n"
#else
" * This file is generated by mmLoaderShellCode Generator (x86)\r\n"
" * Target platform: 32 bit windows application\r\n"
#endif
" *\r\n"
" * https://github.com/tishion \r\n"
" *\r\n"
"/************************************************************************/"
"\r\n"
"#ifndef __MMLOADERSHELLCODE_H_INCLUDED_\n"
"#define __MMLOADERSHELLCODE_H_INCLUDED_\n"
"#pragma once\n"
"#include <windows.h>\n"
"\n"
"#ifdef __cplusplus\n"
"extern \"C\" {\n"
"#endif\n"
"\n"
"/// <summary>\n"
"/// Error codes.\n"
"/// </summary>\n"
"#define MMEC_OK 0\n"
"#define MMEC_BAD_PE_FORMAT 1\n"
"#define MMEC_ALLOCATED_MEMORY_FAILED 2\n"
"#define MMEC_INVALID_RELOCATION_BASE 3\n"
"#define MMEC_IMPORT_MODULE_FAILED 4\n"
"#define MMEC_PROTECT_SECTION_FAILED 5\n"
"#define MMEC_INVALID_ENTRY_POINT 6\n"
"#define MMEC_INVALID_WIN32_ENV 0xff\n"
"\n"
"/// <summary>\n"
"/// Enums for MemModuleHelper.\n"
"/// </summary>\n"
"typedef enum _MMHELPER_METHOD {\n"
" MHM_BOOL_LOAD, // Call LoadMemModule\n"
" MHM_VOID_FREE, // Call FreeMemModule\n"
" MHM_FARPROC_GETPROC, // Call GetMemModuleProc\n"
"} MMHELPER_METHOD;\n"
"\n"
"typedef void **HMEMMODULE;\n"
"\n"
"/// <summary>\n"
"/// Helper function for using shell code.\n"
"/// </summary>\n"
"typedef LPVOID(*Type_MemModuleHelper)(MMHELPER_METHOD, LPVOID, LPVOID, LPVOID);\n"
"\n"
"/// <summary>\n"
"/// Helper function for using shell code.\n"
"/// </summary>\n"
"/// <remarks>\n"
"/// If the method == MHM_BOOL_LOAD, then the function performs the LoadMemModule function.\n"
"/// If the method == MHM_VOID_FREE, then the function performs the FreeMemModule function.\n"
"/// If the method == MHM_FARPROC_GETPROC, then the function performs the GetMemModuleProc function.\n"
"/// </remarks>\n"
"LPVOID\n"
"MemModuleHelper(_In_ MMHELPER_METHOD method, _In_ LPVOID lpArg1, _In_ LPVOID lpArg2, _In_ "
"LPVOID lpArg3);\n"
"\n"
"/// <summary>\n"
"/// Loads the memory module.\n"
"/// </summary>\n"
"/// <param name=\"lpPeModuleBuffer\">The buffer containing the raw data of the module.</param>\n"
"/// <param name=\"bCallEntry\">Call the module entry if true.</param>\n"
"/// <param name=\"pdwError\">The error code.</param>\n"
"/// <returns>The handle to the memory module instance or NULL.</returns>\n"
"HMEMMODULE\n"
"LoadMemModule(_In_ LPVOID lpPeModuleBuffer, _In_ BOOL bCallEntry, _Inout_ DWORD *pdwError);\n"
"\n"
"/// <summary>\n"
"/// Gets the process address of the specific function in the memory module.\n"
"/// </summary>\n"
"/// <param name=\"MemModuleHandle\">The handle to the memory module instance.</param>\n"
"/// <param name=\"lpName\">The function name.</param>\n"
"/// <returns>The address of the function or null.</returns>\n"
"FARPROC\n"
"GetMemModuleProc(_In_ HMEMMODULE MemModuleHandle, _In_ LPCSTR lpName);\n"
"\n"
"/// <summary>\n"
"/// Frees the memory module.HMEMMODULE\n"
"/// </summary>\n"
"/// <param name=\"MemModuleHandle\">The handle to the memory module instance.</param>\n"
"VOID FreeMemModule(_In_ HMEMMODULE MemModuleHandle);\n"
"\n"
"\r\n"
"/// <summary>\r\n"
"/// The byte array of the mmLoader shell code.\r\n"
"/// </summary>\r\n"
"unsigned char mmLoaderShellCode[] = {\r\n";
LPSTR tail = "\r\n};\r\n"
"\r\n"
"#ifdef __cplusplus\n"
"}\n"
"#endif\n"
"#endif // __MMLOADERSHELLCODE_H_INCLUDED_";
/// <summary>
///
/// </summary>
void
InitializeConsole() {
// Create a console
if (!AllocConsole())
MessageBox(NULL, _T("Failed to allocate console."), _T("Warning"), MB_OK);
}
/// <summary>
///
/// </summary>
/// <param name="message"></param>
void
ConsoleWrite(LPCSTR message) {
if (!message)
return;
DWORD bytesWritten = 0;
HANDLE h = GetStdHandle(STD_OUTPUT_HANDLE);
if (!h || !WriteConsoleA(h, message, lstrlenA(message), &bytesWritten, NULL))
MessageBoxA(NULL, message, "Warning", MB_OK);
}
///
/// </summary>
/// <param name="message"></param>
void
ConsoleWriteW(LPCWSTR message) {
if (!message)
return;
DWORD bytesWritten = 0;
HANDLE h = GetStdHandle(STD_OUTPUT_HANDLE);
if (!h || !WriteConsoleW(h, message, lstrlenW(message), &bytesWritten, NULL))
MessageBoxW(NULL, message, L"Warning", MB_OK);
}
#ifdef _WIN64
#ifdef _DEBUG
#define SHELLCODE_HEADER_FILE_NAME L"mmLoaderShellCode-x64-Debug.h"
#else
#define SHELLCODE_HEADER_FILE_NAME L"mmLoaderShellCode-x64-Release.h"
#endif
#else
#ifdef _DEBUG
#define SHELLCODE_HEADER_FILE_NAME L"mmLoaderShellCode-x86-Debug.h"
#else
#define SHELLCODE_HEADER_FILE_NAME L"mmLoaderShellCode-x86-Release.h"
#endif
#endif
/// <summary>
///
/// </summary>
#define mml_ZeroMemory(p, len) \
for (int i = 0; i < len; i++) \
*(unsigned char *)p = 0
/// <summary>
///
/// </summary>
#define mml_hextoascii(hex)
/// <summary>
/// Frees the memory module.
/// </summary>
extern void
mmLoaderCodeEnd();
/// <summary>
/// main function.
/// </summary>
/// <returns></returns>
int
CodeBag() {
// Initialize the console
InitializeConsole();
LPCWSTR pFolderPath = SHELLCODE_HEADER_FILE_NAME;
WCHAR pathBuffer[MAX_PATH];
for (int i = 0; i < MAX_PATH; i++)
pathBuffer[i] = 0;
// Get command line
LPCWSTR pCmd = GetCommandLineW();
// Parse command line
int nCount = 0;
LPWSTR *pArgs = NULL;
if (pCmd)
pArgs = CommandLineToArgvW(pCmd, &nCount);
if (nCount >= 2) {
if (GetFullPathNameW(pArgs[1], MAX_PATH, pathBuffer, NULL) <= 0) {
ConsoleWrite("Failed to get the full path of the folder: ");
ConsoleWriteW(pArgs[2]);
ConsoleWrite("\r\n");
return -1;
}
if (!PathFileExistsW(pathBuffer)) {
ConsoleWrite("Path does not exist: ");
ConsoleWriteW(pathBuffer);
ConsoleWrite("\r\n");
return -1;
}
if (PathCombineW(pathBuffer, pathBuffer, SHELLCODE_HEADER_FILE_NAME) <= 0) {
ConsoleWrite("Failed to build file path.\r\n");
return -1;
}
pFolderPath = pathBuffer;
}
// Get code start and end address
unsigned char *pStart = (unsigned char *)&MemModuleHelper;
unsigned char *pEnd = (unsigned char *)&mmLoaderCodeEnd;
// Get code length
ULONGLONG codeLength = (pEnd - pStart);
// Get the buffer length
size_t textLength = 512 * 1024;
// Allocate the heap buffer for the file content
ConsoleWrite("Allocating buffer..\r\n");
LPSTR pBuffer = (LPSTR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, textLength);
if (!pBuffer) {
ConsoleWrite("Failed to allocate memory buffer.\r\n");
return -1;
}
// Start to build the file content
ConsoleWrite("Building the file content..\r\n");
StringCchCatA(pBuffer, textLength, head);
unsigned char charTable[] = {"0123456789ABCDEF"};
unsigned char buf[3] = {0, 0, 0};
int n = 0;
for (unsigned char *p = pStart; p < pEnd; p++) {
// Start one row
if (0 == n++)
StringCchCatA(pBuffer, textLength, "\t");
{
// Hex to string
StringCchCatA(pBuffer, textLength, "0x");
buf[0] = charTable[*p >> 4];
buf[1] = charTable[*p & 0x0f];
StringCchCatA(pBuffer, textLength, (char *)buf);
StringCchCatA(pBuffer, textLength, ", ");
}
// End one row
if (n == 16) {
StringCchCatA(pBuffer, textLength, "\r\n");
n = 0;
}
}
StringCchCatA(pBuffer, textLength, tail);
ConsoleWrite("File content build done:\r\n\r\n");
ConsoleWrite(pBuffer);
// Get the valid string length
StringCchLengthA(pBuffer, textLength, &textLength);
ConsoleWrite("Create file mmLoaderShellCode.h\r\n");
// Create file to save the content
HANDLE h = CreateFileW(pFolderPath, FILE_WRITE_ACCESS, FILE_SHARE_READ, NULL, CREATE_ALWAYS, 0, NULL);
DWORD dwBytesWritten = 0;
if (INVALID_HANDLE_VALUE == h || NULL == h) {
ConsoleWrite("Failed to create file \"mmLoaderShellCode\".\r\n");
return -1;
} else {
// Write the string content to the disk file
if (!WriteFile(h, pBuffer, (DWORD)textLength, &dwBytesWritten, NULL)) {
ConsoleWrite("Failed to write content to file \"mmLoaderShellCode\".\r\n");
return -1;
}
FlushFileBuffers(h);
CloseHandle(h);
}
// Free the content buffer
HeapFree(GetProcessHeap(), 0, pBuffer);
// Wait for the return key
ConsoleWrite("\r\nShell code generated done.\r\n");
//::WaitForSingleObject(::GetCurrentProcess(), INFINITE);
ExitProcess(0);
}