From f1f52985eef30dd06cf4328384e613b07a618eed Mon Sep 17 00:00:00 2001 From: kruz1337 Date: Tue, 15 Nov 2022 01:25:43 +0300 Subject: [PATCH] $fully_updated --- Kruzinjector/Execution.cpp | 158 ++++++++++++ Kruzinjector/Execution.h | 5 + Kruzinjector/Includes.h | 33 +++ Kruzinjector/Kruzinjector.vcxproj | 23 +- Kruzinjector/Kruzinjector.vcxproj.filters | 43 ++-- Kruzinjector/LoadLibrary.cpp | 39 +++ Kruzinjector/LoadLibrary.h | 4 + Kruzinjector/ManualMap.cpp | 52 ++-- Kruzinjector/ManualMap.h | 8 +- Kruzinjector/Utils.cpp | 88 +++++++ Kruzinjector/Utils.h | 10 + Kruzinjector/appmain.cpp | 286 +++++++--------------- settings.xml | 5 +- 13 files changed, 488 insertions(+), 266 deletions(-) create mode 100644 Kruzinjector/Execution.cpp create mode 100644 Kruzinjector/Execution.h create mode 100644 Kruzinjector/Includes.h create mode 100644 Kruzinjector/LoadLibrary.cpp create mode 100644 Kruzinjector/LoadLibrary.h create mode 100644 Kruzinjector/Utils.cpp create mode 100644 Kruzinjector/Utils.h diff --git a/Kruzinjector/Execution.cpp b/Kruzinjector/Execution.cpp new file mode 100644 index 0000000..7a3f957 --- /dev/null +++ b/Kruzinjector/Execution.cpp @@ -0,0 +1,158 @@ +#include "Execution.h" + +bool CreateThreadEx(HANDLE hProcess, void* shellCode, void* targetBase) +{ + HANDLE thread = CreateRemoteThread(hProcess, nullptr, 0, reinterpret_cast(shellCode), targetBase, 0, nullptr); + if (!thread) + { + printf("[-] Remote thread creation failed. (0x%X)\n", GetLastError()); + VirtualFreeEx(hProcess, targetBase, 0, MEM_RELEASE); + VirtualFreeEx(hProcess, shellCode, 0, MEM_RELEASE); + return false; + } + CloseHandle(thread); +} + +bool HijackThread(HANDLE hProcess, void* shellCode, void* targetBase) +{ + void* codeCave = VirtualAllocEx(hProcess, nullptr, 0x100, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + if (!codeCave) + { + printf("[-] Failed to open code cave. (0x%X)\n", GetLastError()); + VirtualFreeEx(hProcess, shellCode, 0, MEM_RELEASE); + VirtualFreeEx(hProcess, targetBase, 0, MEM_RELEASE); + return false; + } + + DWORD processId = GetProcessId(hProcess); + HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); + HANDLE hThread = NULL; + + THREADENTRY32 te32; + te32.dwSize = sizeof(te32); + + Thread32First(hSnapshot, &te32); + while (Thread32Next(hSnapshot, &te32)) + { + if (te32.th32OwnerProcessID == processId) + { + hThread = OpenThread(THREAD_SET_CONTEXT | THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME, FALSE, te32.th32ThreadID); + if (!hThread) + { + printf("[-] Failed to open hijack thread. (0x%X)\n", GetLastError()); + VirtualFreeEx(hProcess, targetBase, 0, MEM_RELEASE); + VirtualFreeEx(hProcess, shellCode, 0, MEM_RELEASE); + VirtualFreeEx(hProcess, codeCave, 0, MEM_RELEASE); + return false; + } + break; + } + } + CloseHandle(hSnapshot); + + if (SuspendThread(hThread) == (DWORD)-1) //https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/ + { + printf("[-] Suspend thread failed. (0x%X)\n", GetLastError()); + CloseHandle(hThread); + VirtualFreeEx(hProcess, targetBase, 0, MEM_RELEASE); + VirtualFreeEx(hProcess, shellCode, 0, MEM_RELEASE); + VirtualFreeEx(hProcess, codeCave, 0, MEM_RELEASE); + return false; + } + + CONTEXT ctx; + ctx.ContextFlags = CONTEXT_FULL; + + if (!GetThreadContext(hThread, &ctx)) + { + printf("[-] Retrieve thread context failed. (0x%X)\n", GetLastError()); + ResumeThread(hThread); + CloseHandle(hThread); + VirtualFreeEx(hProcess, targetBase, 0, MEM_RELEASE); + VirtualFreeEx(hProcess, shellCode, 0, MEM_RELEASE); + VirtualFreeEx(hProcess, codeCave, 0, MEM_RELEASE); + return false; + } + +#ifdef _WIN64 + BYTE code[] = + { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, + 0x83, 0xEC, 0x08, 0xC7, 0x04, 0x24, 0x00, 0x00, 0x00, + 0x00, 0xC7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, + 0x50, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0x41, 0x52, + 0x41, 0x53, 0x9C, 0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x48, 0xB9, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xEC, 0x20, + 0xFF, 0xD0, 0x48, 0x83, 0xC4, 0x20, 0x48, 0x8D, 0x0D, + 0xB4, 0xFF, 0xFF, 0xFF, 0x48, 0x89, 0x01, 0x9D, 0x41, + 0x5B, 0x41, 0x5A, 0x41, 0x59, 0x41, 0x58, 0x5A, 0x59, + 0x58, 0xC6, 0x05, 0xA9, 0xFF, 0xFF, 0xFF, 0x00, 0xC3 + }; + + DWORD funcOffset = 0x08; + DWORD checkByteOffset = 0x03 + funcOffset; + + *reinterpret_cast(code + 0x07 + funcOffset) = (DWORD)(ctx.Rip & 0xFFFFFFFF); + *reinterpret_cast(code + 0x0F + funcOffset) = (DWORD)((ctx.Rip >> 0x20) & 0xFFFFFFFF); + *reinterpret_cast(code + 0x21 + funcOffset) = shellCode; + *reinterpret_cast(code + 0x2B + funcOffset) = targetBase; + + ctx.Rip = reinterpret_cast(codeCave) + funcOffset; +#else + BYTE code[] = + { + 0x00, 0x00, 0x00, 0x00, 0x83, 0xEC, 0x04, 0xC7, 0x04, + 0x24, 0x00, 0x00, 0x00, 0x00, 0x50, 0x51, 0x52, 0x9C, + 0xB9, 0x00, 0x00, 0x00, 0x00, 0xB8, 0x00, 0x00, 0x00, + 0x00, 0x51, 0xFF, 0xD0, 0xA3, 0x00, 0x00, 0x00, 0x00, + 0x9D, 0x5A, 0x59, 0x58, 0xC6, 0x05, 0x00, 0x00, 0x00, + 0x00, 0x00, 0xC3 + }; + + DWORD funcOffset = 0x04; + DWORD checkByteOffset = 0x02 + funcOffset; + + *reinterpret_cast(code + 0x06 + funcOffset) = ctx.Eip; + *reinterpret_cast(code + 0x0F + funcOffset) = targetBase; + *reinterpret_cast(code + 0x14 + funcOffset) = shellCode; + *reinterpret_cast(code + 0x1C + funcOffset) = codeCave; + *reinterpret_cast(code + 0x26 + funcOffset) = reinterpret_cast(codeCave) + checkByteOffset; + + ctx.Eip = reinterpret_cast(codeCave) + funcOffset; +#endif + + if (!WriteProcessMemory(hProcess, codeCave, code, sizeof(code), NULL)) + { + printf("[-] Shellcode injection failed. (0x%X)\n", GetLastError()); + ResumeThread(hThread); + CloseHandle(hThread); + VirtualFreeEx(hProcess, targetBase, 0, MEM_RELEASE); + VirtualFreeEx(hProcess, shellCode, 0, MEM_RELEASE); + VirtualFreeEx(hProcess, codeCave, 0, MEM_RELEASE); + return false; + } + + if (!SetThreadContext(hThread, &ctx)) + { + printf("[-] Hijacking failed. (0x%X)\n", GetLastError()); + ResumeThread(hThread); + CloseHandle(hThread); + VirtualFreeEx(hProcess, targetBase, 0, MEM_RELEASE); + VirtualFreeEx(hProcess, shellCode, 0, MEM_RELEASE); + VirtualFreeEx(hProcess, codeCave, 0, MEM_RELEASE); + return false; + } + + if (ResumeThread(hThread) == (DWORD)-1) + { + printf("[-] Resume thread failed. (0x%X)\n", GetLastError()); + CloseHandle(hThread); + VirtualFreeEx(hProcess, targetBase, 0, MEM_RELEASE); + VirtualFreeEx(hProcess, shellCode, 0, MEM_RELEASE); + VirtualFreeEx(hProcess, codeCave, 0, MEM_RELEASE); + return false; + } + + CloseHandle(hThread); +} \ No newline at end of file diff --git a/Kruzinjector/Execution.h b/Kruzinjector/Execution.h new file mode 100644 index 0000000..434fce2 --- /dev/null +++ b/Kruzinjector/Execution.h @@ -0,0 +1,5 @@ +#pragma once +#include "Includes.h" + +bool HijackThread(HANDLE hProcess, void* shellCode, void* targetBase); +bool CreateThreadEx(HANDLE hProcess, void* shellCode, void* targetBase); \ No newline at end of file diff --git a/Kruzinjector/Includes.h b/Kruzinjector/Includes.h new file mode 100644 index 0000000..d9f8318 --- /dev/null +++ b/Kruzinjector/Includes.h @@ -0,0 +1,33 @@ +#pragma once +#include +#include +#include +#include +#include +#include +#include + +#include "rapidxml/rapidxml.hpp" + +#define FLAG32(RelInfo) ((RelInfo >> 0x0C) == IMAGE_REL_BASED_HIGHLOW) +#define FLAG64(RelInfo) ((RelInfo >> 0x0C) == IMAGE_REL_BASED_DIR64) + +#ifdef _WIN64 +#define MACHINE_ARC IMAGE_FILE_MACHINE_AMD64 +#define RELOC_FLAG FLAG64 +#else +#define MACHINE_ARC IMAGE_FILE_MACHINE_I386 +#define RELOC_FLAG FLAG32 +#endif + +enum INJECTION_TYPE +{ + T_LoadLibrary, + T_ManualMap, +}; + +enum EXECUTION_METHOD +{ + M_NtCreateThreadEx, + M_ThreadHijacking +}; \ No newline at end of file diff --git a/Kruzinjector/Kruzinjector.vcxproj b/Kruzinjector/Kruzinjector.vcxproj index 9f49860..3d95b79 100644 --- a/Kruzinjector/Kruzinjector.vcxproj +++ b/Kruzinjector/Kruzinjector.vcxproj @@ -29,26 +29,26 @@ Application true - v143 + v142 MultiByte Application false - v143 + v142 true MultiByte Application true - v143 + v142 MultiByte Application false - v143 + v142 true MultiByte @@ -110,7 +110,7 @@ - Level3 + TurnOffAllWarnings true true @@ -123,6 +123,7 @@ true true true + RequireAdministrator @@ -157,19 +158,23 @@ true true true + RequireAdministrator - + - + + - + + - + + diff --git a/Kruzinjector/Kruzinjector.vcxproj.filters b/Kruzinjector/Kruzinjector.vcxproj.filters index 11edc17..4377d3c 100644 --- a/Kruzinjector/Kruzinjector.vcxproj.filters +++ b/Kruzinjector/Kruzinjector.vcxproj.filters @@ -13,41 +13,44 @@ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms - - {4b850bcc-2e2b-4d6e-b97c-53d6a9fb635c} - - - {407d2a6f-e975-4293-9950-6047ad4ceba3} - - - {df90de97-9ca6-4a81-b15d-34d52741e5f9} + + {1f2e0c8a-ee0e-4a5c-b3e4-2c09ffbf73a6} Source Files - - Header Files\Standart - - - Header Files\Bypass + + Header Files - Header Files\ManualMap + Header Files + + + Header Files + + + Header Files + + Header Files + - Header Files\ManualMap + Header Files + + + Header Files\Resources - - Header Files\Standart + + Header Files - - Header Files\Bypass + + Header Files - + Header Files diff --git a/Kruzinjector/LoadLibrary.cpp b/Kruzinjector/LoadLibrary.cpp new file mode 100644 index 0000000..38622d6 --- /dev/null +++ b/Kruzinjector/LoadLibrary.cpp @@ -0,0 +1,39 @@ +#include "LoadLibrary.h" +#include "Execution.h" + +bool ILoadLibrary(HANDLE hProcess, const char* dllFile, EXECUTION_METHOD execution) +{ + DWORD exitCode; + if (!GetExitCodeProcess(hProcess, &exitCode)) + { + printf("[-] Process is not valid. (0x%X)\n", GetLastError()); + CloseHandle(hProcess); + return false; + } + + void* memory = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); + if (!memory) + { + printf("[-] Memory failed to allocate. (0x%X)\n", GetLastError()); + CloseHandle(hProcess); + return false; + } + + if (!WriteProcessMemory(hProcess, memory, dllFile, strlen(dllFile) + 1, 0)) + { + printf("[-] Write process memory failed. (0x%X)\n", GetLastError()); + CloseHandle(hProcess); + return false; + } + + if (execution == M_NtCreateThreadEx) + { + CreateThreadEx(hProcess, LoadLibraryA, memory); + } + else if (execution == M_ThreadHijacking) + { + HijackThread(hProcess, LoadLibraryA, memory); + } + + return true; +} \ No newline at end of file diff --git a/Kruzinjector/LoadLibrary.h b/Kruzinjector/LoadLibrary.h new file mode 100644 index 0000000..f1faa7e --- /dev/null +++ b/Kruzinjector/LoadLibrary.h @@ -0,0 +1,4 @@ +#pragma once +#include "Includes.h" + +bool ILoadLibrary(HANDLE hProcess, const char* dllFile, EXECUTION_METHOD execution); \ No newline at end of file diff --git a/Kruzinjector/ManualMap.cpp b/Kruzinjector/ManualMap.cpp index 07b7136..9b319c7 100644 --- a/Kruzinjector/ManualMap.cpp +++ b/Kruzinjector/ManualMap.cpp @@ -1,19 +1,7 @@ #include "ManualMap.h" +#include "Execution.h" -/* ---------------------------- */ -#define FLAG32(RelInfo) ((RelInfo >> 0x0C) == IMAGE_REL_BASED_HIGHLOW) -#define FLAG64(RelInfo) ((RelInfo >> 0x0C) == IMAGE_REL_BASED_DIR64) - -#ifdef _WIN64 -#define RELOC_FLAG FLAG64 -#define MACHINE_ARC IMAGE_FILE_MACHINE_AMD64 -#else -#define RELOC_FLAG FLAG32 -#define MACHINE_ARC IMAGE_FILE_MACHINE_I386 -#endif -/* ---------------------------- */ - -bool ManualMap(HANDLE hProcess, BYTE* sourceData, SIZE_T dllSize) +bool IManualMap(HANDLE hProcess, BYTE* sourceData, SIZE_T dllSize, EXECUTION_METHOD execution) { BYTE* targetBase = nullptr; IMAGE_NT_HEADERS* ntHeaders = nullptr; @@ -24,13 +12,13 @@ bool ManualMap(HANDLE hProcess, BYTE* sourceData, SIZE_T dllSize) optHeader = &ntHeaders->OptionalHeader; fileHeader = &ntHeaders->FileHeader; targetBase = reinterpret_cast(VirtualAllocEx(hProcess, reinterpret_cast(optHeader->ImageBase), optHeader->SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)); - + if (!targetBase) { targetBase = reinterpret_cast(VirtualAllocEx(hProcess, nullptr, optHeader->SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)); if (!targetBase) { - printf("[!] Memory failed to AllocateEx. (0x%X)\n", GetLastError()); + printf("[-] Memory failed to AllocateEx. (0x%X)\n", GetLastError()); return false; } } @@ -39,9 +27,9 @@ bool ManualMap(HANDLE hProcess, BYTE* sourceData, SIZE_T dllSize) data.pLoadLibraryA = LoadLibraryA; data.pGetProcAddress = reinterpret_cast<_GetProcAddress>(GetProcAddress); - if (!WriteProcessMemory(hProcess, targetBase, sourceData, 0x1000, nullptr)) + if (!WriteProcessMemory(hProcess, targetBase, sourceData, 0x1000, nullptr)) { - printf("[!] Can't write file header 0x%X\n", GetLastError()); + printf("[-] Can't write file header 0x%X\n", GetLastError()); VirtualFreeEx(hProcess, targetBase, 0, MEM_RELEASE); return false; } @@ -53,46 +41,45 @@ bool ManualMap(HANDLE hProcess, BYTE* sourceData, SIZE_T dllSize) { if (!WriteProcessMemory(hProcess, targetBase + sectionheader->VirtualAddress, sourceData + sectionheader->PointerToRawData, sectionheader->SizeOfRawData, nullptr)) { - printf("[!] Can't map sections. (0x%X)\n", GetLastError()); + printf("[-] Can't map sections. (0x%X)\n", GetLastError()); VirtualFreeEx(hProcess, targetBase, 0, MEM_RELEASE); return false; } } } - memcpy(sourceData, &data, sizeof(data)); if (!WriteProcessMemory(hProcess, targetBase, sourceData, 0x1000, nullptr)) { - printf("[!] Failed to write process memory. (0x%X)\n", GetLastError()); + printf("[-] Failed to write process memory. (0x%X)\n", GetLastError()); VirtualFreeEx(hProcess, targetBase, 0, MEM_RELEASE); return false; } + WriteProcessMemory(hProcess, targetBase, &data, sizeof(data), nullptr); void* shellCode = VirtualAllocEx(hProcess, nullptr, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (!shellCode) { - printf("[!] Memory failed to AllocateEx. (0x%X)\n", GetLastError()); + printf("[-] Shellcode allocation failed. (0x%X)\n", GetLastError()); VirtualFreeEx(hProcess, targetBase, 0, MEM_RELEASE); return false; } - if (!WriteProcessMemory(hProcess, shellCode, ShellCode, 0x1000, nullptr)) + if (!WriteProcessMemory(hProcess, shellCode, ShellCode, 0x1000, nullptr)) { - printf("[!] Failed to write shellcode 0x%X\n", GetLastError()); + printf("[-] Failed to write shellcode (0x%X)\n", GetLastError()); VirtualFreeEx(hProcess, targetBase, 0, MEM_RELEASE); VirtualFreeEx(hProcess, shellCode, 0, MEM_RELEASE); return false; } - HANDLE thread = CreateRemoteThread(hProcess, nullptr, 0, reinterpret_cast(shellCode), targetBase, 0, nullptr); - if (!thread) + if (execution == M_NtCreateThreadEx) { - printf("[!] Failed to create thread. (0x%X)\n", GetLastError()); - VirtualFreeEx(hProcess, targetBase, 0, MEM_RELEASE); - VirtualFreeEx(hProcess, shellCode, 0, MEM_RELEASE); - return false; + CreateThreadEx(hProcess, shellCode, targetBase); + } + else if (execution == M_ThreadHijacking) + { + HijackThread(hProcess, shellCode, targetBase); } - CloseHandle(thread); HINSTANCE hCheck = NULL; while (!hCheck) @@ -102,7 +89,7 @@ bool ManualMap(HANDLE hProcess, BYTE* sourceData, SIZE_T dllSize) if (exitcode != STILL_ACTIVE) { - printf("[!] Process crashed. (ExitCode: %d)\n", exitcode); + printf("[-] Process crashed. (ExitCode: %d)\n", exitcode); return false; } @@ -113,7 +100,6 @@ bool ManualMap(HANDLE hProcess, BYTE* sourceData, SIZE_T dllSize) } VirtualFreeEx(hProcess, shellCode, 0, MEM_RELEASE); - return true; } diff --git a/Kruzinjector/ManualMap.h b/Kruzinjector/ManualMap.h index 4cbc2e4..753e4c1 100644 --- a/Kruzinjector/ManualMap.h +++ b/Kruzinjector/ManualMap.h @@ -1,9 +1,5 @@ #pragma once - -#include -#include -#include -#include +#include "Includes.h" using _LoadLibraryA = HINSTANCE(WINAPI*)(const char* libFileName); using _GetProcAddress = UINT_PTR(WINAPI*)(HMODULE hModule, const char* processName); @@ -16,5 +12,5 @@ struct MANUAL_MAPPING_STRUCT HINSTANCE hMain; }; -bool ManualMap(HANDLE hProcess, BYTE* sourceData, SIZE_T dllSize); +bool IManualMap(HANDLE hProcess, BYTE* sourceData, SIZE_T dllSize, EXECUTION_METHOD execution); void __stdcall ShellCode(MANUAL_MAPPING_STRUCT* data); \ No newline at end of file diff --git a/Kruzinjector/Utils.cpp b/Kruzinjector/Utils.cpp new file mode 100644 index 0000000..9fd78cf --- /dev/null +++ b/Kruzinjector/Utils.cpp @@ -0,0 +1,88 @@ +#include "Utils.h" + +/* Gets process id from process name */ +DWORD GetProcessIdByName(const char* ProcessName) +{ + PROCESSENTRY32 procEntry; + HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); + procEntry.dwSize = sizeof(PROCESSENTRY32); + if (Process32First(hSnap, &procEntry)) + { + while (Process32Next(hSnap, &procEntry)) + { + if (!_strcmpi(procEntry.szExeFile, ProcessName)) + { + CloseHandle(hSnap); + return procEntry.th32ProcessID; + } + } + } + + CloseHandle(hSnap); + return 0; +} + +/* Returns true if the process is an 64-bit process */ +BOOL IsWow64bit(HANDLE hProcess) +{ + BOOL is64bit = FALSE; + + typedef BOOL(WINAPI* LPFN_ISWOW64PROCESS) (HANDLE, PBOOL); + LPFN_ISWOW64PROCESS is64bitProcess; + is64bitProcess = (LPFN_ISWOW64PROCESS)GetProcAddress(GetModuleHandle(TEXT("kernel32")), "IsWow64Process"); + + if (is64bitProcess != NULL && !is64bitProcess(hProcess, &is64bit)) + { + printf("Handle Error..\n"); + return false; + } + return is64bit; +} + +/* Checks if the process is a 32-bit process running on 64-bit */ +bool IsX86Process(HANDLE hProcess) +{ + SYSTEM_INFO systemInfo = { 0 }; + GetNativeSystemInfo(&systemInfo); + + if (systemInfo.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_INTEL) + { + return true; + } + + return IsWow64bit(hProcess); +} + +std::string ToLower(std::string string) +{ + for (int i = 0; i < string.length(); i++) + { + string[i] = tolower(string[i]); + } + + return string; +} + +const char* GetSetting(const char* item, rapidxml::xml_document<>& doc) +{ + rapidxml::xml_node<>* root_node = NULL; + root_node = doc.first_node("Settings"); + + return root_node->last_node(item)->value(); +} + +const char* GetSubSetting(const char* item, rapidxml::xml_document<>& doc) +{ + rapidxml::xml_node<>* root_node = NULL; + root_node = doc.first_node("Settings"); + + return root_node->last_node("AutoInject")->last_node(item)->value(); +} + +const char* GetAttrSetting(const char* item, const char* attr, rapidxml::xml_document<> &doc) +{ + rapidxml::xml_node<>* root_node = NULL; + root_node = doc.first_node("Settings"); + + return root_node->last_node(item)->first_attribute(attr)->value(); +} \ No newline at end of file diff --git a/Kruzinjector/Utils.h b/Kruzinjector/Utils.h new file mode 100644 index 0000000..babe688 --- /dev/null +++ b/Kruzinjector/Utils.h @@ -0,0 +1,10 @@ +#pragma once +#include "Includes.h" + +const char* GetSetting(const char* item, rapidxml::xml_document<>& doc); +const char* GetSubSetting(const char* item, rapidxml::xml_document<>& doc); +const char* GetAttrSetting(const char* item, const char* attr, rapidxml::xml_document<>& doc); +std::string ToLower(std::string string); +DWORD GetProcessIdByName(const char* ProcessName); +BOOL IsWow64bit(HANDLE hProcess); +bool IsX86Process(HANDLE hProcess); \ No newline at end of file diff --git a/Kruzinjector/appmain.cpp b/Kruzinjector/appmain.cpp index 38b81e5..1823e31 100644 --- a/Kruzinjector/appmain.cpp +++ b/Kruzinjector/appmain.cpp @@ -1,25 +1,12 @@ -#include - -#include "Standart.h" +#include "Utils.h" +#include "LoadLibrary.h" #include "ManualMap.h" -#include "Bypass.h" -#include -#include -#include "rapidxml/rapidxml.hpp" - -#ifdef _WIN64 -#define MACHINE_ARC IMAGE_FILE_MACHINE_AMD64 -#else -#define MACHINE_ARC IMAGE_FILE_MACHINE_I386 -#endif -rapidxml::xml_document<> doc; -bool isCorrupt = 0; +using namespace std; void createAscii() { SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), 4); - std::cout << R"( ____ __ _ __ ____ / __ \___ ____ ___ _____ _____/ /| |/ / / __ \___ _ __ @@ -30,137 +17,54 @@ void createAscii() SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), 94); } -void customCls() +void clearCMD() { SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), 1); system("CLS"); createAscii(); } -/* Gets process id from process name */ -DWORD GetProcessIdByName(const char* ProcessName) -{ - PROCESSENTRY32 procEntry; - HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); - procEntry.dwSize = sizeof(PROCESSENTRY32); - if (Process32First(hSnap, &procEntry)) - { - while (Process32Next(hSnap, &procEntry)) - { - if (!_strcmpi(procEntry.szExeFile, ProcessName)) - { - CloseHandle(hSnap); - return procEntry.th32ProcessID; - } - } - } - - CloseHandle(hSnap); - return 0; -} - -/* Returns true if the process is an 64-bit process */ -BOOL isWow64bit(HANDLE hProcess) -{ - BOOL is64bit = FALSE; - - typedef BOOL(WINAPI* LPFN_ISWOW64PROCESS) (HANDLE, PBOOL); - LPFN_ISWOW64PROCESS is64bitProcess; - is64bitProcess = (LPFN_ISWOW64PROCESS)GetProcAddress(GetModuleHandle(TEXT("kernel32")), "IsWow64Process"); - - if (is64bitProcess != NULL && !is64bitProcess(hProcess, &is64bit)) - { - printf("Handle Error..\n"); - return false; - } - return is64bit; -} - -/* Checks if the process is a 32-bit process running on 64-bit */ -bool isx86Process(HANDLE hProcess) -{ - SYSTEM_INFO systemInfo = { 0 }; - GetNativeSystemInfo(&systemInfo); - - if (systemInfo.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_INTEL) - { - return true; - } - - return isWow64bit(hProcess); -} - -/* Converts text lowercase */ -std::string toLower(std::string string) -{ - for (int i = 0; i < string.length(); i++) - { - string[i] = tolower(string[i]); - } - - return string; -} - -/* Xml config functions */ -std::string getSetting(const char* item) -{ - rapidxml::xml_node<>* root_node = NULL; - root_node = doc.first_node("Settings"); - - return root_node->last_node(item)->value(); -} - -std::string getSettingSub(const char* item) -{ - rapidxml::xml_node<>* root_node = NULL; - root_node = doc.first_node("Settings"); - - return root_node->last_node("AutoInject")->last_node(item)->value(); -} - -std::string getSettingAttr(const char* item, const char* attr) -{ - rapidxml::xml_node<>* root_node = NULL; - root_node = doc.first_node("Settings"); - - return root_node->last_node(item)->first_attribute(attr)->value(); -} +rapidxml::xml_document<> xmlConfig; +bool isBrokenConfig; /* Main inject part */ -bool StartInject(int injectType, const char* injectName, const char* dllFile) +bool StartInject(const char* injectName, const char* dllFile, INJECTION_TYPE type, EXECUTION_METHOD execution) { - DWORD PID; + DWORD processId; std::ifstream Dll(dllFile, std::ios::binary | std::ios::ate); - /* Process control part */ - if (!GetProcessIdByName(injectName)) + char releativePath[MAX_PATH]; + GetFullPathNameA(dllFile, MAX_PATH, releativePath, nullptr); + dllFile = releativePath; + + processId = GetProcessIdByName(injectName); + if (!processId) { - printf("[!] Process is not valid. (0x%X)\n", GetLastError()); + printf("[-] Process is not valid. (0x%X)\n", GetLastError()); return false; } - PID = GetProcessIdByName(injectName); if (!Dll) // Check Dll file is exits { - printf("[!] Dll file doesn't exist\n"); + printf("[-] Dll file doesn't exist\n"); return false; } if (Dll.fail()) // Check that there is an openable file { - printf("[!] Dll file open failed. (0x%X)\n", (DWORD)Dll.rdstate()); + printf("[-] Dll file open failed. (0x%X)\n", (DWORD)Dll.rdstate()); return false; } auto dllSize = Dll.tellg(); if (dllSize < 0x1000) // Check file is valid { - printf("[!] Invalid dll file size.\n"); + printf("[-] Invalid dll file size.\n"); return false; } BYTE* sourceData = new BYTE[(UINT_PTR)dllSize]; if (!sourceData) { - printf("[!] Dll file can't allocate.\n"); + printf("[-] Dll file can't allocate.\n"); Dll.close(); return false; } @@ -169,9 +73,9 @@ bool StartInject(int injectType, const char* injectName, const char* dllFile) Dll.read(reinterpret_cast(sourceData), dllSize); Dll.close(); - if (reinterpret_cast(sourceData)->e_magic != 0x5A4D) /* Checks MZ */ + if (reinterpret_cast(sourceData)->e_magic != 0x5A4D) // Checks MZ { - printf("[!] Invalid dll file.\n"); + printf("[-] Invalid dll file.\n"); return false; } @@ -181,87 +85,60 @@ bool StartInject(int injectType, const char* injectName, const char* dllFile) if (fileHeader->Machine != MACHINE_ARC) // Check injector platform { #ifdef _WIN64 - printf("[!] Invalid platform, use x86 platform!\n"); + printf("[-] Invalid platform, use x86 platform!\n"); #else - printf("[!] Invalid platform, use x64 platform!\n"); + printf("[-] Invalid platform, use x64 platform!\n"); #endif - - return false; - } - - HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); - if (hSnap == INVALID_HANDLE_VALUE) - { - printf("[!] Failed to Create Snapshot. (0x%X)\n", GetLastError()); - return false; } // Checks if the file is injected into the correct process (64-32) - HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID); - if (fileHeader->Machine == IMAGE_FILE_MACHINE_AMD64 && isx86Process(hProcess)) + HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processId); + if (fileHeader->Machine == IMAGE_FILE_MACHINE_AMD64 && IsX86Process(hProcess)) { - printf("[!] You cannot inject 64-bit file into 32-bit application!\n"); - + printf("[-] You cannot inject 64-bit file into 32-bit application!\n"); return false; } - else if (fileHeader->Machine == IMAGE_FILE_MACHINE_I386 && !isx86Process(hProcess)) + else if (fileHeader->Machine == IMAGE_FILE_MACHINE_I386 && !IsX86Process(hProcess)) { - printf("[!] You cannot inject 32-bit file into 64-bit application!\n"); - + printf("[-] You cannot inject 32-bit file into 64-bit application!\n"); return false; } - printf("[*] Injection started..\n"); + printf("[*] Injection started..\n\n"); + Sleep(isBrokenConfig ? 500 : stoi(GetSetting("Delay", xmlConfig))); - if (!isCorrupt) - { - Sleep(stoi(getSetting("Delay"))); - } - else + if (type == T_LoadLibrary) { - Sleep(500); - } - - if (injectType == 0) - { - if (LoadLibraryInject(hProcess, dllFile)) + if (ILoadLibrary(hProcess, dllFile, execution)) { - printf("[+] Dll file is succesfully injected into game. (Type: 0, Process ID: %X)\n", PID); + printf("[+] Dll file is succesfully injected into game.\n"); } else { - printf("[!] Something went wrong...\n"); + printf("[-] Something went wrong...\n"); CloseHandle(hProcess); return false; } } - else if (injectType == 1) + else if (type == T_ManualMap) { - if (ManualMap(hProcess, sourceData, dllSize)) + if (IManualMap(hProcess, sourceData, dllSize, execution)) { - printf("[+] Dll file is succesfully injected into game. (Type: 1, Process ID: %X)\n", PID); + printf("[+] Dll file is succesfully injected into game.\n"); } else { - printf("[!] Something went wrong...\n"); - CloseHandle(hProcess); - return false; - } - } - else if (injectType == 2) - { - if (BypassInject(hProcess, dllFile)) - { - printf("[+] Dll file is succesfully injected into game. (Type: 2, Process ID: %X)\n", PID); - } - else - { - printf("[!] Something went wrong...\n"); + printf("[-] Something went wrong...\n"); CloseHandle(hProcess); return false; } } + + printf("[*] Injection Type: %i\n", type); + printf("[*] Execution Method: %i\n", execution); + printf("[*] Process ID: %i\n", processId); + CloseHandle(hProcess); delete[] sourceData; @@ -273,72 +150,89 @@ int main() std::string injectName = ""; std::string dllFile = ""; std::string advancedOptions; - int injectType = 1; - - SetConsoleTitle("DLL INJECTOR | Kruzinjector v1.0"); + int injectType = 0; + int executionMethod = 0; + SetConsoleTitle("DLL INJECTOR | Kruzinjector v1.1"); createAscii(); + // Config Part std::ifstream xmlFile("settings.xml"); std::vector buffer((std::istreambuf_iterator(xmlFile)), std::istreambuf_iterator()); buffer.push_back('\0'); if (xmlFile.fail()) { - printf("[*] Config file can't opened!\n"); - isCorrupt = 1; + isBrokenConfig = true; } - xmlFile.close(); - - try - { - doc.parse<0>(&buffer[0]); - } - catch (...) + else { - printf("[*] Config file is corrupt!\n"); - isCorrupt = 1; + try + { + xmlConfig.parse<0>(&buffer[0]); + } + catch (...) + { + printf("[*] Config file is corrupt!\n"); + isBrokenConfig = true; + } } + xmlFile.close(); // If Auto Inject enabled, automatically start injection part - if (!isCorrupt) + if (!isBrokenConfig) { - if (getSettingAttr("AutoInject", "enabled") == "true") + int IType = stoi(GetSubSetting("InjectionType", xmlConfig)); + int IMethod = atoi(GetSubSetting("ExecutionMethod", xmlConfig)); + const char* PName = GetSubSetting("ProcessName", xmlConfig); + const char* IFile = GetSubSetting("InjectionFile", xmlConfig); + + if (strcmp(GetAttrSetting("AutoInject", "enabled", xmlConfig), "true") == 0) { - if (!(getSettingSub("IType") == "0" || getSettingSub("IType") == "1" || getSettingSub("IType") == "2")) + if (IType != 0 && IType != 1) { - customCls(); - printf("[*] CONFIG: Invalid Injection Type...\n"); + clearCMD(); + printf("[-] CONFIG: Invalid Injection Type...\n"); system("PAUSE"); return 0; } - StartInject(stoi(getSettingSub("IType")), getSettingSub("ProcessName").c_str(), getSettingSub("IFile").c_str()); + StartInject(PName, IFile, (INJECTION_TYPE)IType, (EXECUTION_METHOD)IMethod); system("PAUSE"); return 0; } } - printf("Process Name: "); + + printf("\n[*] Process Name: \n> "); std::cin >> injectName; - printf("\n- 0: Standart\n- 1: Manual Mapping\n- 2: Load Library Bypass\n"); - printf("Select Injection Type: "); + printf("\n[*] Choose injection type. (0: LoadLibrary, 1: ManualMap)\n> "); std::cin >> injectType; - if (!std::cin >> injectType || !(injectType == 0 || injectType == 1 || injectType == 2)) + printf("\n[*] Choose execution method. (0: CreateThreadEx, 1: ThreadHijacking)\n> "); + std::cin >> executionMethod; + + if (!std::cin >> injectType || !(injectType == 0 || injectType == 1)) { - customCls(); - printf("[*] Invalid Injection Type.\n"); + clearCMD(); + printf("[-] Invalid injection type.\n"); return 0; } - printf("\nSelect Dll File: "); + if (!std::cin >> executionMethod || !(executionMethod == 0 || executionMethod == 1)) + { + clearCMD(); + printf("[-] Invalid execution method.\n"); + return 0; + } + + printf("\n[*] DLL File Path: \n> "); std::cin >> dllFile; - customCls(); + clearCMD(); - StartInject(injectType, injectName.c_str(), dllFile.c_str()); + StartInject(injectName.c_str(), dllFile.c_str(), (INJECTION_TYPE)injectType, (EXECUTION_METHOD)executionMethod); system("PAUSE"); return 0; -} +} \ No newline at end of file diff --git a/settings.xml b/settings.xml index 39fd6af..8728560 100644 --- a/settings.xml +++ b/settings.xml @@ -1,9 +1,10 @@  - 1 cmd.exe - hello-world-x64.dll + hello-world-x64.dll + 0 + 0 500 \ No newline at end of file