-
Notifications
You must be signed in to change notification settings - Fork 35
/
NtUtils.Shellcode.Dll.pas
410 lines (341 loc) · 13.4 KB
/
NtUtils.Shellcode.Dll.pas
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
unit NtUtils.Shellcode.Dll;
{
This module provides support for improved DLL injection.
}
interface
uses
Ntapi.ntpsapi, NtUtils, NtUtils.Shellcode;
const
PROCESS_INJECT_DLL = NtUtils.Shellcode.PROCESS_REMOTE_EXECUTE;
type
TDllInjectionOptions = set of (
// Force using 64-bit mode injection in WoW64 processes
dioIgnoreWoW64,
// Automatically determine if the DLL requires a 32- or 64- bit injection
dioAutoIgnoreWoW64,
// Temporarily change the current directory to the file location
dioAdjustCurrentDirectory,
// Unload the DLL immediately after loading
dioUnloadImmediately
);
// Force another process into loading a DLL
function RtlxInjectDllProcess(
[Access(PROCESS_INJECT_DLL)] const hxProcess: IHandle;
const DllPath: String;
Options: TDllInjectionOptions = [dioAutoIgnoreWoW64];
ThreadFlags: TThreadCreateFlags = 0;
[opt] const Timeout: Int64 = DEFAULT_REMOTE_TIMEOUT;
[opt] CustomWait: TCustomWaitRoutine = nil;
[out, opt] DllBase: PPointer = nil
): TNtxStatus;
implementation
uses
Ntapi.WinNt, Ntapi.ntdef, Ntapi.ntldr, Ntapi.ntstatus, Ntapi.ntpebteb,
Ntapi.ntioapi, Ntapi.ntmmapi, Ntapi.ImageHlp, DelphiUtils.AutoObjects,
NtUtils.Processes.Info, NtUtils.Threads, NtUtils.Files.Open, NtUtils.Sections,
DelphiApi.Reflection;
{$BOOLEVAL OFF}
{$IFOPT R+}{$DEFINE R+}{$ENDIF}
{$IFOPT Q+}{$DEFINE Q+}{$ENDIF}
type
TDllLoaderContext = record
RtlSetThreadErrorMode: function (
NewMode: TRtlErrorMode;
[out, opt] OldMode: PRtlErrorMode
): NTSTATUS; stdcall;
{$IFDEF Win32}WoW64Padding0: Cardinal;{$ENDIF}
RtlGetCurrentDirectory_U: function (
BufferLength: Cardinal;
[out] Buffer: PWideChar
): Cardinal; stdcall;
{$IFDEF Win32}WoW64Padding1: Cardinal;{$ENDIF}
RtlSetCurrentDirectory_U: function (
const PathName: TNtUnicodeString
): NTSTATUS; stdcall;
{$IFDEF Win32}WoW64Padding2: Cardinal;{$ENDIF}
LdrLockLoaderLock: function(
Options: TLdrLockFlags;
var Disposition: TLdrLoaderLockDisposition;
out Cookie: NativeUInt
): NTSTATUS; stdcall;
{$IFDEF Win32}WoW64Padding3: Cardinal;{$ENDIF}
LdrUnlockLoaderLock: function (
Options: TLdrLockFlags;
Cookie: NativeUInt
): NTSTATUS; stdcall;
{$IFDEF Win32}WoW64Padding4: Cardinal;{$ENDIF}
LdrLoadDll: function (
[in, opt] DllPath: PWideChar;
[in, opt] DllCharacteristics: PCardinal;
const DllName: TNtUnicodeString;
out DllHandle: HMODULE
): NTSTATUS; stdcall;
{$IFDEF Win32}WoW64Padding5: Cardinal;{$ENDIF}
LdrUnloadDll: function (
DllHandle: HMODULE
): NTSTATUS; stdcall;
{$IFDEF Win32}WoW64Padding6: Cardinal;{$ENDIF}
[out] DllHandle: HMODULE;
{$IFDEF Win32}WoW64Padding7: Cardinal;{$ENDIF}
[out] Status: NTSTATUS;
[Bytes] DllNameLength: Word;
[Bytes] DllDirectoryLength: Word;
UnloadImmediately: LongBool;
AdjustCurrentDirectory: LongBool;
PreviousDirectory: array [MAX_LONG_PATH_ARRAY] of WideChar;
DllName: array [ANYSIZE_ARRAY] of WideChar;
end;
PDllLoaderContext = ^TDllLoaderContext;
// A function to execute in a context of another process.
// Notes:
// - Only call routines referenced via the context parameter;
// - Keep in sync with raw assembly bytes below.
procedure Payload(
Context: PDllLoaderContext;
Unused1: Pointer;
Unused2: Pointer
); stdcall;
var
Disposition: TLdrLoaderLockDisposition;
Cookie: NativeUInt;
PreviousDirectoryLength: Cardinal;
Path: TNtUnicodeString;
begin
// Suppress error messages
Context.RtlSetThreadErrorMode(RTL_ERRORMODE_FAILCRITICALERRORS or
RTL_ERRORMODE_NOGPFAULTERRORBOX, nil);
// Try to acquire the loader lock to prevent possible deadlocks
Context.Status := Context.LdrLockLoaderLock(
LDR_LOCK_LOADER_LOCK_FLAG_TRY_ONLY, Disposition, Cookie);
if not NT_SUCCESS(Context.Status) then
Exit;
case Disposition of
// Undo acquiring if necessary
LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_ACQUIRED:
Context.LdrUnlockLoaderLock(0, Cookie);
// Can't load DLLs now, exit
LDR_LOCK_LOADER_LOCK_DISPOSITION_LOCK_NOT_ACQUIRED:
begin
Context.Status := STATUS_POSSIBLE_DEADLOCK;
Exit;
end;
end;
if Context.AdjustCurrentDirectory then
begin
// Backup the current directory
PreviousDirectoryLength := Context.RtlGetCurrentDirectory_U(
SizeOf(Context.PreviousDirectory), @Context.PreviousDirectory[0]);
// Make sure backing up was successful
Context.AdjustCurrentDirectory := (PreviousDirectoryLength > 0) and
(PreviousDirectoryLength <= High(Word));
// Adjust the current directory to the location of the DLL
Path.Buffer := @Context.DllName[0];
Path.Length := Context.DllDirectoryLength;
Path.MaximumLength := Context.DllDirectoryLength;
Context.RtlSetCurrentDirectory_U(Path);
end
else
PreviousDirectoryLength := 0;
// Load the DLL
Path.Buffer := @Context.DllName[0];
Path.Length := Context.DllNameLength;
Path.MaximumLength := Context.DllNameLength;
Context.Status := Context.LdrLoadDll(nil, nil, Path, Context.DllHandle);
// Unload if necessary
if Context.UnloadImmediately and NT_SUCCESS(Context.Status) then
Context.LdrUnloadDll(Context.DllHandle);
if Context.AdjustCurrentDirectory then
begin
// Restore the previous current directory
Path.Buffer := @Context.PreviousDirectory[0];
Path.Length := Word(PreviousDirectoryLength);
Path.MaximumLength := Word(PreviousDirectoryLength);
Context.RtlSetCurrentDirectory_U(Path);
end;
end;
const
{$IFDEF Win64}
// NOTE: Keep it in sync with the function code above
PayloadRaw64: array [0..273] of Byte = (
$55, $56, $53, $48, $83, $EC, $40, $48, $8B, $EC, $48, $89, $CB, $B9, $30,
$00, $00, $00, $33, $D2, $FF, $13, $B9, $02, $00, $00, $00, $48, $8D, $55,
$3C, $4C, $8D, $45, $30, $FF, $53, $18, $89, $43, $40, $85, $C0, $0F, $8C,
$D9, $00, $00, $00, $8B, $45, $3C, $83, $E8, $01, $85, $C0, $74, $09, $83,
$E8, $01, $85, $C0, $75, $19, $EB, $0B, $33, $C9, $48, $8B, $55, $30, $FF,
$53, $20, $EB, $0C, $C7, $43, $40, $94, $01, $00, $C0, $E9, $AF, $00, $00,
$00, $83, $7B, $4C, $00, $74, $4F, $B9, $FE, $FF, $00, $00, $48, $8D, $53,
$50, $FF, $53, $08, $89, $C6, $85, $F6, $76, $08, $81, $FE, $FF, $FF, $00,
$00, $76, $04, $33, $C0, $EB, $02, $B0, $01, $84, $C0, $0F, $95, $C0, $48,
$0F, $B6, $C0, $F7, $D8, $89, $43, $4C, $48, $8D, $83, $4E, $00, $01, $00,
$48, $89, $45, $28, $48, $0F, $B7, $43, $46, $66, $89, $45, $20, $66, $89,
$45, $22, $48, $8D, $4D, $20, $FF, $53, $10, $EB, $02, $33, $F6, $48, $8D,
$83, $4E, $00, $01, $00, $48, $89, $45, $28, $48, $0F, $B7, $43, $44, $66,
$89, $45, $20, $66, $89, $45, $22, $33, $C9, $33, $D2, $4C, $8D, $45, $20,
$4C, $8D, $4B, $38, $FF, $53, $28, $89, $43, $40, $83, $7B, $48, $00, $74,
$0B, $85, $C0, $7C, $07, $48, $8B, $4B, $38, $FF, $53, $30, $83, $7B, $4C,
$00, $74, $17, $48, $8D, $43, $50, $48, $89, $45, $28, $66, $89, $75, $20,
$66, $89, $75, $22, $48, $8D, $4D, $20, $FF, $53, $10, $48, $8D, $65, $40,
$5B, $5E, $5D, $C3
);
{$ENDIF}
// NOTE: Keep it in sync with the function code above
PayloadRaw32: array [0..254] of Byte = (
$55, $8B, $EC, $83, $C4, $F0, $53, $56, $57, $8B, $5D, $08, $6A, $00, $6A,
$30, $FF, $13, $8D, $45, $F8, $50, $8D, $45, $FC, $50, $6A, $02, $FF, $53,
$18, $8B, $F0, $89, $73, $40, $8B, $C6, $85, $C0, $0F, $8C, $C8, $00, $00,
$00, $8B, $45, $FC, $48, $74, $05, $48, $74, $0D, $EB, $17, $8B, $45, $F8,
$50, $6A, $00, $FF, $53, $20, $EB, $0C, $C7, $43, $40, $94, $01, $00, $C0,
$E9, $A6, $00, $00, $00, $83, $7B, $4C, $00, $74, $45, $8D, $43, $50, $50,
$68, $FE, $FF, $00, $00, $FF, $53, $08, $8B, $F0, $85, $F6, $76, $08, $81,
$FE, $FF, $FF, $00, $00, $76, $04, $33, $C0, $EB, $02, $B0, $01, $F6, $D8,
$1B, $C0, $89, $43, $4C, $8D, $83, $4E, $00, $01, $00, $89, $45, $F4, $0F,
$B7, $43, $46, $66, $89, $45, $F0, $66, $89, $45, $F2, $8D, $45, $F0, $50,
$FF, $53, $10, $EB, $02, $33, $F6, $8D, $83, $4E, $00, $01, $00, $89, $45,
$F4, $0F, $B7, $43, $44, $66, $89, $45, $F0, $66, $89, $45, $F2, $8D, $43,
$38, $50, $8D, $45, $F0, $50, $6A, $00, $6A, $00, $FF, $53, $28, $8B, $F8,
$89, $7B, $40, $83, $7B, $48, $00, $74, $0D, $8B, $C7, $85, $C0, $7C, $07,
$8B, $43, $38, $50, $FF, $53, $30, $83, $7B, $4C, $00, $74, $17, $8D, $43,
$50, $89, $45, $F4, $8B, $C6, $66, $89, $45, $F0, $66, $89, $45, $F2, $8D,
$45, $F0, $50, $FF, $53, $10, $5F, $5E, $5B, $8B, $E5, $5D, $C2, $0C, $00
);
function RtlxAutoSelectModeDll(
const DllPath: String;
var Options: TDllInjectionOptions
): TNtxStatus;
var
hxSection: IHandle;
Info: TSectionImageInformation;
begin
// Create a section from the DLL using the image layout
Result := RtlxCreateFileSection(hxSection, FileParameters
.UseFileName(DllPath, fnWin32).UseOptions(FILE_NON_DIRECTORY_FILE),
PAGE_READONLY, RtlxSecImageNoExecute);
if not Result.IsSuccess then
Exit;
// Query information from its headers
Result := NtxSection.Query(hxSection, SectionImageInformation, Info);
if not Result.IsSuccess then
Exit;
// The image does not require WoW64, select to ignore it
if Info.Machine = IMAGE_FILE_MACHINE_AMD64 then
Include(Options, dioIgnoreWoW64);
end;
function RtlxInjectDllProcess;
var
TargetIsWoW64: Boolean;
CodeRef: TMemory;
LocalContext: IMemory<PDllLoaderContext>;
LocalCode, RemoteCode, RemoteContext: IMemory;
ThreadMain: Pointer;
Dependencies: TArray<Pointer>;
hxThread: IHandle;
ApcOptions: TThreadApcOptions;
i: Integer;
begin
// Prevent WoW64 -> Native
Result := RtlxAssertWoW64Compatible(hxProcess, TargetIsWoW64);
if not Result.IsSuccess then
Exit;
if dioAutoIgnoreWoW64 in Options then
begin
// Lookup the bitness of the DLL to select the mode
Result := RtlxAutoSelectModeDll(DllPath, Options);
if not Result.IsSuccess then
Exit;
end;
// Choose a suitable shellcode
{$IFDEF Win64}
if (dioIgnoreWoW64 in Options) or not TargetIsWoW64 then
CodeRef := TMemory.Reference(PayloadRaw64)
else
{$ENDIF}
CodeRef := TMemory.Reference(PayloadRaw32);
// Create a shared memory region for the payload code
Result := RtlxMapSharedMemory(hxProcess, CodeRef.Size, LocalCode,
RemoteCode, [mmAllowExecute]);
if not Result.IsSuccess then
Exit;
// Fill in the payload code
Move(CodeRef.Address^, LocalCode.Data^, CodeRef.Size);
// Create a shared memory region for the context
Result := RtlxMapSharedMemory(hxProcess, SizeOf(TDllLoaderContext) +
StringSizeNoZero(DllPath), IMemory(LocalContext),
RemoteContext, [mmAllowWrite]);
if not Result.IsSuccess then
Exit;
// Resolve dependencies for the payload
Result := RtlxFindKnownDllExports(
ntdll,
TargetIsWoW64 and not (dioIgnoreWoW64 in Options),
[
'RtlSetThreadErrorMode',
'RtlGetCurrentDirectory_U',
'RtlSetCurrentDirectory_U',
'LdrLockLoaderLock',
'LdrUnlockLoaderLock',
'LdrLoadDll',
'LdrUnloadDll'
],
Dependencies
);
if not Result.IsSuccess then
Exit;
// Fill in payload's context
LocalContext.Data.RtlSetThreadErrorMode := Dependencies[0];
LocalContext.Data.RtlGetCurrentDirectory_U := Dependencies[1];
LocalContext.Data.RtlSetCurrentDirectory_U := Dependencies[2];
LocalContext.Data.LdrLockLoaderLock := Dependencies[3];
LocalContext.Data.LdrUnlockLoaderLock := Dependencies[4];
LocalContext.Data.LdrLoadDll := Dependencies[5];
LocalContext.Data.LdrUnloadDll := Dependencies[6];
LocalContext.Data.Status := STATUS_UNSUCCESSFUL;
LocalContext.Data.UnloadImmediately := dioUnloadImmediately in Options;
LocalContext.Data.DllNameLength := StringSizeNoZero(DllPath);
MarshalString(DllPath, @LocalContext.Data.DllName[0]);
// Extract the path from the DLL name
if dioAdjustCurrentDirectory in Options then
for i := High(DllPath) downto Low(DllPath) do
if DllPath[i] = '\' then
begin
LocalContext.Data.AdjustCurrentDirectory := True;
LocalContext.Data.DllDirectoryLength := (i - Low(DllPath) + 1) *
SizeOf(WideChar);
Break;
end;
// Find a function to execute as the thread main
Result := RtlxFindKnownDllExport(ntdll, TargetIsWoW64, 'NtTestAlert',
ThreadMain);
if not Result.IsSuccess then
Exit;
// Create a suspended thread
Result := NtxCreateThreadEx(hxThread, hxProcess, ThreadMain,
Pointer(UIntPtr(STATUS_SUCCESS)), THREAD_CREATE_FLAGS_CREATE_SUSPENDED or
ThreadFlags);
if not Result.IsSuccess then
Exit;
ApcOptions := [];
// Choose execution mode for APC between 32- and 64- bits
if TargetIsWoW64 and not (dioIgnoreWoW64 in Options) then
Include(ApcOptions, apcWoW64);
// Queue the APC for executing the payload
Result := NtxQueueApcThreadEx(hxThread, RemoteCode.Data, RemoteContext.Data,
nil, nil, ApcOptions);
if not Result.IsSuccess then
Exit;
// Resume and execute the APC
Result := NtxResumeThread(hxThread);
if not Result.IsSuccess then
Exit;
// Wait for injection to complete; prolong remote memory lifetime on timeout
Result := RtlxSyncThread(hxProcess, hxThread, Timeout, [RemoteContext,
RemoteCode], CustomWait);
if not Result.IsSuccess then
Exit;
// Read the operation status from the shared memory
Result.Location := 'Remote::LdrLoadDll';
Result.Status := LocalContext.Data.Status;
// Copy the base address back if necessary
if Result.IsSuccess and Assigned(DllBase) then
HMODULE(DllBase^) := LocalContext.Data.DllHandle
end;
end.