//////////////////////////////////////////////////////////////////////////////// // Reads in the image to be injected //////////////////////////////////////////////////////////////////////////////// internal Boolean ReadSourceImageFile(String sourceImage) { String file = System.IO.Path.GetFullPath(sourceImage); if (!System.IO.File.Exists(file)) { Console.WriteLine("[-] File Not Found"); return(false); } image = System.IO.File.ReadAllBytes(file); pinnedArray = GCHandle.Alloc(image, GCHandleType.Pinned); imagePtr = pinnedArray.AddrOfPinnedObject(); imageDosHeader = (Winnt._IMAGE_DOS_HEADER)Marshal.PtrToStructure(imagePtr, typeof(Winnt._IMAGE_DOS_HEADER)); IntPtr ntHeaderPtr = new IntPtr(imagePtr.ToInt64() + imageDosHeader.e_lfanew); imageFileHeader = (Winnt._IMAGE_FILE_HEADER)Marshal.PtrToStructure(new IntPtr(ntHeaderPtr.ToInt64() + sizeof(UInt32)), typeof(Winnt._IMAGE_FILE_HEADER)); if (is32Bit) { imageNTHeader32 = (Winnt._IMAGE_NT_HEADERS)Marshal.PtrToStructure(ntHeaderPtr, typeof(Winnt._IMAGE_NT_HEADERS)); } else { imageNTHeader64 = (Winnt._IMAGE_NT_HEADERS64)Marshal.PtrToStructure(ntHeaderPtr, typeof(Winnt._IMAGE_NT_HEADERS64)); } return(true); }
//////////////////////////////////////////////////////////////////////////////// // Reads in the image to be injected //////////////////////////////////////////////////////////////////////////////// internal Boolean ReadSourceImageString(String sourceImage) { image = Convert.FromBase64String(sourceImage); pinnedArray = GCHandle.Alloc(image, GCHandleType.Pinned); imagePtr = pinnedArray.AddrOfPinnedObject(); imageDosHeader = (Winnt._IMAGE_DOS_HEADER)Marshal.PtrToStructure(imagePtr, typeof(Winnt._IMAGE_DOS_HEADER)); IntPtr ntHeaderPtr = new IntPtr(imagePtr.ToInt64() + imageDosHeader.e_lfanew); imageFileHeader = (Winnt._IMAGE_FILE_HEADER)Marshal.PtrToStructure(new IntPtr(ntHeaderPtr.ToInt64() + sizeof(UInt32)), typeof(Winnt._IMAGE_FILE_HEADER)); if (is32Bit) { imageNTHeader32 = (Winnt._IMAGE_NT_HEADERS)Marshal.PtrToStructure(ntHeaderPtr, typeof(Winnt._IMAGE_NT_HEADERS)); } else { imageNTHeader64 = (Winnt._IMAGE_NT_HEADERS64)Marshal.PtrToStructure(ntHeaderPtr, typeof(Winnt._IMAGE_NT_HEADERS64)); } return(true); }
//////////////////////////////////////////////////////////////////////////////// // //////////////////////////////////////////////////////////////////////////////// private Boolean ReadHeaders(ref BinaryReader binaryReader) { binaryReader.ReadUInt32(); imageFileHeader = FromBinaryReader <Winnt._IMAGE_FILE_HEADER>(binaryReader); if (Winnt.CHARACTERISTICS.IMAGE_FILE_DLL == (imageFileHeader.Characteristics & Winnt.CHARACTERISTICS.IMAGE_FILE_DLL)) { Console.WriteLine("[*] Injecting DLL"); isDll = true; } else if (Winnt.CHARACTERISTICS.IMAGE_FILE_EXECUTABLE_IMAGE == (imageFileHeader.Characteristics & Winnt.CHARACTERISTICS.IMAGE_FILE_EXECUTABLE_IMAGE)) { Console.WriteLine("[*] Injecting EXE"); isExe = true; } foreach (Winnt.CHARACTERISTICS c in (Winnt.CHARACTERISTICS[])Enum.GetValues(typeof(Winnt.CHARACTERISTICS))) { if ((UInt16)c == (UInt16)(c & imageFileHeader.Characteristics)) { Console.WriteLine("[*] PE Characteristic: {0}", (Winnt.CHARACTERISTICS)(c & imageFileHeader.Characteristics)); } } UInt16 subsystem = 0; switch (imageFileHeader.Machine) { case Winnt.IMAGE_FILE_MACHINE.IMAGE_FILE_MACHINE_I386: imageOptionalHeader32 = FromBinaryReader <Winnt._IMAGE_OPTIONAL_HEADER>(binaryReader); sizeOfImage = imageOptionalHeader32.SizeOfImage; baseRelocationTableAddress = imageOptionalHeader32.ImageDataDirectory[(Int32)IMAGE_DATA_DIRECTORY_OPTIONS.BaseRelocationTable].VirtualAddress; importTableAddress = imageOptionalHeader32.ImageDataDirectory[(Int32)IMAGE_DATA_DIRECTORY_OPTIONS.ImportTable].VirtualAddress; addressOfEntryPoint = imageOptionalHeader32.AddressOfEntryPoint; imageBase = imageOptionalHeader32.ImageBase; subsystem = (UInt16)imageOptionalHeader32.Subsystem; dllCharacteristics = (UInt16)imageOptionalHeader32.DllCharacteristics; is64Bit = false; break; case Winnt.IMAGE_FILE_MACHINE.IMAGE_FILE_MACHINE_AMD64: imageOptionalHeader64 = FromBinaryReader <Winnt._IMAGE_OPTIONAL_HEADER64>(binaryReader); sizeOfImage = imageOptionalHeader64.SizeOfImage; baseRelocationTableAddress = imageOptionalHeader64.ImageDataDirectory[(Int32)IMAGE_DATA_DIRECTORY_OPTIONS.BaseRelocationTable].VirtualAddress; importTableAddress = imageOptionalHeader64.ImageDataDirectory[(Int32)IMAGE_DATA_DIRECTORY_OPTIONS.ImportTable].VirtualAddress; addressOfEntryPoint = imageOptionalHeader64.AddressOfEntryPoint; imageBase = imageOptionalHeader64.ImageBase; subsystem = (UInt16)imageOptionalHeader64.Subsystem; dllCharacteristics = (UInt16)imageOptionalHeader64.DllCharacteristics; is64Bit = true; break; default: return(false); } ; Console.WriteLine("[+] ImageBase: 0x{0}", imageBase.ToString("X4")); Console.WriteLine("[+] EntryPoint: 0x{0}", addressOfEntryPoint.ToString("X4")); foreach (Winnt.SUBSYSTEM ss in (Winnt.SUBSYSTEM[])Enum.GetValues(typeof(Winnt.SUBSYSTEM))) { if ((UInt16)ss == ((UInt16)ss & subsystem)) { Console.WriteLine("[*] PE SubSystem: {0}", (Winnt.SUBSYSTEM)((UInt16)ss & subsystem)); } } foreach (Winnt.DLL_CHARACTERISTICS dll in (Winnt.DLL_CHARACTERISTICS[])Enum.GetValues(typeof(Winnt.DLL_CHARACTERISTICS))) { if ((UInt16)dll == ((UInt16)dll & dllCharacteristics)) { Console.WriteLine("[*] DLL Characteristics: {0}", (Winnt.DLL_CHARACTERISTICS)((UInt16)dll & dllCharacteristics)); } } imageSectionHeaders = new Winnt._IMAGE_SECTION_HEADER[(Int32)imageFileHeader.NumberOfSections]; for (int i = 0; i < (Int32)imageFileHeader.NumberOfSections; ++i) { imageSectionHeaders[i] = FromBinaryReader <Winnt._IMAGE_SECTION_HEADER>(binaryReader); } return(true); }