Make the proof of concept into an RDLL

Author: zeroSteiner

.gitignore

@@ -1,7 +1,8 @@
+*.dll
+*.exe
+*.vcxproj.user
 .vs/*
 Release/
 Debug/
 x64/
 ReflectiveUnloader.v12.suo
-*.dll
-*.exe

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "ReflectiveDLLInjection"]
+	path = ReflectiveDLLInjection
+	url = [email protected]:zeroSteiner/ReflectiveDLLInjection

ReflectiveDLLInjection

@@ -1,13 +1,18 @@
 #include <stdio.h>
+#include <tchar.h>
+#include <Windows.h>
+#include "ReflectiveDLLInjection.h"
 #include "ReflectiveUnloader.h"
 
-VOID DumpImage(LPCSTR pFile, PVOID pBaseAddress, SIZE_T dwSize) {
+HMODULE g_hModule = NULL;
+
+VOID DumpImage(LPTSTR pFile, PVOID pBaseAddress, SIZE_T dwSize) {
 	HANDLE hFile;
 	DWORD dwNumberOfBytesWritten;
 
 	hFile = CreateFile(pFile, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
 	if (hFile == INVALID_HANDLE_VALUE) {
-		printf("[-] Failed to open the file for writting.\n");
+		MessageBox(NULL, _T("Could not open the file for writing."), _T("Failed"), MB_OK);
 		return;
 	}
 	WriteFile(hFile, pBaseAddress, (DWORD)dwSize, &dwNumberOfBytesWritten, NULL);
@@ -17,18 +22,45 @@ VOID DumpImage(LPCSTR pFile, PVOID pBaseAddress, SIZE_T dwSize) {
 VOID ProofOfConcept(HINSTANCE hInstance) {
 	PVOID pBaseAddress = NULL;
 	SIZE_T dwSize;
+	TCHAR ctPath[MAX_PATH + 1];
+	DWORD dwChars;
+
+	MessageBox(NULL, _T("Select OK to proceed."), _T("Waiting"), MB_OK);
 
 	pBaseAddress = ReflectiveUnloader(hInstance, &dwSize);
 	if (!pBaseAddress) {
-		printf("[-] Unload failed.\n");
+		MessageBox(NULL, _T("Unload failed."), _T("Failed"), MB_OK);
 		return;
 	}
-	printf("[+] Unload succedded.\n");
-	DumpImage("unloaded.exe", pBaseAddress, dwSize);
+
+	dwChars = ExpandEnvironmentStrings(_T("%USERPROFILE%\\Desktop\\unloaded.dll"), ctPath, MAX_PATH + 1);
+	if ((dwChars == 0) || (dwChars > MAX_PATH + 1)) {
+		MessageBox(NULL, _T("Could not get the file path for writing."), _T("Failed"), MB_OK);
+		return;
+	}
+	DumpImage(ctPath, pBaseAddress, dwSize);
 	ReflectiveUnloaderFree(pBaseAddress, dwSize);
 }
 
-int main(int argc, char **argv) {
-	ProofOfConcept(GetModuleHandle(NULL));
-	return 0;
-}
+BOOL WINAPI DllMain(HINSTANCE hInstDll, DWORD dwReason, LPVOID lpReserved) {
+	switch (dwReason) {
+	case DLL_QUERY_HMODULE:
+		if (lpReserved) {
+			*(HMODULE *)lpReserved = g_hModule;
+		}
+		break;
+	case DLL_PROCESS_ATTACH:
+		if (!g_hModule) {
+			g_hModule = hInstDll;
+			/* start a new thread so DllMain returns */
+			CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ProofOfConcept, hInstDll, 0, 0);
+		}
+		break;
+	case DLL_PROCESS_DETACH:
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+	default:
+		break;
+	}
+	return TRUE;
+}

ReflectiveUnloader/Main.c

@@ -268,9 +268,9 @@ PVOID ReflectiveUnloader(HINSTANCE hInstance, PSIZE_T pdwSize) {
 	pImgSecHeader = (PIMAGE_SECTION_HEADER)((ULONG_PTR)pImgNtHeaders + sizeof(IMAGE_NT_HEADERS));
 
 	/*
-	* 0x00400000 for EXEs and 0x10000000 for DLLs
-	* see: https://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=vs.85).aspx
-	*/
+	 * 0x00400000 for EXEs and 0x10000000 for DLLs
+	 * see: https://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=vs.85).aspx
+	 */
 	if (pImgNtHeaders->FileHeader.Characteristics & IMAGE_FILE_DLL) {
 		pImgNtHeaders->OptionalHeader.ImageBase = IMAGE_BASE_DLL;
 	}

ReflectiveUnloader/ReflectiveUnloader.c

@@ -26,26 +26,24 @@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <PlatformToolset>v120_xp</PlatformToolset>
-    <CharacterSet>MultiByte</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <PlatformToolset>v120_xp</PlatformToolset>
     <WholeProgramOptimization>true</WholeProgramOptimization>
-    <CharacterSet>MultiByte</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
     <UseDebugLibraries>true</UseDebugLibraries>
     <PlatformToolset>v120_xp</PlatformToolset>
     <CharacterSet>MultiByte</CharacterSet>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
-    <ConfigurationType>Application</ConfigurationType>
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
     <UseDebugLibraries>false</UseDebugLibraries>
     <PlatformToolset>v120_xp</PlatformToolset>
     <WholeProgramOptimization>true</WholeProgramOptimization>
@@ -69,24 +67,53 @@
     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
   </ImportGroup>
   <PropertyGroup Label="UserMacros" />
-  <PropertyGroup />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <OutDir>$(SolutionDir)$(Configuration)\</OutDir>
+    <IntDir>$(Configuration)\</IntDir>
+    <TargetName>$(ProjectName).x64</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <OutDir>$(SolutionDir)$(Configuration)\</OutDir>
+    <IntDir>$(Configuration)\</IntDir>
+    <TargetName>$(ProjectName).x64</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <TargetName>$(ProjectName).x86</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <TargetName>$(ProjectName).x86</TargetName>
+  </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
     <ClCompile>
       <WarningLevel>Level3</WarningLevel>
       <Optimization>Disabled</Optimization>
       <SDLCheck>true</SDLCheck>
       <TreatWarningAsError>true</TreatWarningAsError>
-      <PreprocessorDefinitions>_MBCS;%(PreprocessorDefinitions);DEBUG</PreprocessorDefinitions>
+      <PreprocessorDefinitions>REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>$(SolutionDir)ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
     </ClCompile>
+    <PostBuildEvent>
+      <Command>python $(SolutionDir)pe_patch.py "$(TargetPath)" "$(TargetPath)"</Command>
+    </PostBuildEvent>
+    <PostBuildEvent>
+      <Message>Patch in the .restore section</Message>
+    </PostBuildEvent>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
     <ClCompile>
       <WarningLevel>Level3</WarningLevel>
       <Optimization>Disabled</Optimization>
       <SDLCheck>true</SDLCheck>
       <TreatWarningAsError>true</TreatWarningAsError>
-      <PreprocessorDefinitions>_MBCS;%(PreprocessorDefinitions);DEBUG</PreprocessorDefinitions>
+      <PreprocessorDefinitions>REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>$(SolutionDir)ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
     </ClCompile>
+    <PostBuildEvent>
+      <Command>python $(SolutionDir)pe_patch.py "$(TargetPath)" "$(TargetPath)"</Command>
+    </PostBuildEvent>
+    <PostBuildEvent>
+      <Message>Patch in the .restore section</Message>
+    </PostBuildEvent>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
     <ClCompile>
@@ -96,11 +123,19 @@
       <IntrinsicFunctions>true</IntrinsicFunctions>
       <SDLCheck>true</SDLCheck>
       <TreatWarningAsError>true</TreatWarningAsError>
+      <AdditionalIncludeDirectories>$(SolutionDir)ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PreprocessorDefinitions>REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
     </ClCompile>
     <Link>
       <EnableCOMDATFolding>true</EnableCOMDATFolding>
       <OptimizeReferences>true</OptimizeReferences>
     </Link>
+    <PostBuildEvent>
+      <Command>python $(SolutionDir)pe_patch.py "$(TargetPath)" "$(TargetPath)"</Command>
+    </PostBuildEvent>
+    <PostBuildEvent>
+      <Message>Patch in the .restore section</Message>
+    </PostBuildEvent>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
     <ClCompile>
@@ -110,17 +145,27 @@
       <IntrinsicFunctions>true</IntrinsicFunctions>
       <SDLCheck>true</SDLCheck>
       <TreatWarningAsError>true</TreatWarningAsError>
+      <AdditionalIncludeDirectories>$(SolutionDir)ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PreprocessorDefinitions>REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
     </ClCompile>
     <Link>
       <EnableCOMDATFolding>true</EnableCOMDATFolding>
       <OptimizeReferences>true</OptimizeReferences>
     </Link>
+    <PostBuildEvent>
+      <Command>python $(SolutionDir)pe_patch.py "$(TargetPath)" "$(TargetPath)"</Command>
+    </PostBuildEvent>
+    <PostBuildEvent>
+      <Message>Patch in the .restore section</Message>
+    </PostBuildEvent>
   </ItemDefinitionGroup>
   <ItemGroup>
+    <ClCompile Include="..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.c" />
     <ClCompile Include="Main.c" />
     <ClCompile Include="ReflectiveUnloader.c" />
   </ItemGroup>
   <ItemGroup>
+    <ClInclude Include="..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.h" />
     <ClInclude Include="ReflectiveUnloader.h" />
   </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />

ReflectiveUnloader/ReflectiveUnloader.vcxproj

@@ -21,10 +21,16 @@
     <ClCompile Include="Main.c">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="ReflectiveUnloader.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
 </Project>