TheCruZ / Simple-Manual-Map-Injector

Simple C++ DLL Manual Map Injector For x86 and x64
MIT License
366 stars, 77 forks

A few questions for the author of this masterpiece #14

Closed nefarearworm closed 9 months ago

nefarearworm commented 10 months ago

Hi, I am from Belarus, that's why I don't write well in English. I am not good at programming, just learning how it works and trying to modify ur code. So, I have some questions related to the manual mapping topic. I will be grateful for any answers!

  1. I read somewhere that erasing the DLL entry point will make injection harder to detect. Do u think this may help? I tried to implement it. The code is below. Check it please. Am I doing it right? Unfortunately I don't know how to check it.

NtWriteVirtualMemory(ProcessHandle, (BYTE*)TargetBase + ImageOptionalHeader->AddressOfEntryPoint, ZeroBuffer, 32, &oldp);

Also I discovered that I can erase the PE header like this at the end of the Shellcode function:

MappingData->DllEntryFunction(MappingData->TargetBase, DLL_PROCESS_ATTACH, nullptr);
MappingData->ModuleHandle = reinterpret_cast<HINSTANCE>(MappingData->TargetBase);

int i = 1024;
unsigned char* ptr = (unsigned char*)MappingData->TargetBase;
while (i-- > 0)         // works
{
    *ptr++ = 0;
}

while (ImageOptionalHeader->SizeOfHeaders-- > 0)        // also works
{
    *ptr++ = 0;
}

unsigned char* ptr = (unsigned char*)MappingData->TargetBase;
int i = ImageOptionalHeader->SizeOfHeaders;
while (i-- > 0)                // doesn't work
{
    *ptr++ = 0;
}

It's just a memset implementation. By the brute-force method I found "1024", which erases the whole page and the target works correctly. But sadly I can't understand how it's working. When I pass "4096" or "SizeOfHeaders" my target crashes. The same situation with entry point erasing with the same memset method. Do u see the problem?

  2. What does "adjust sections protection" actually do? As far as I understand, when we write the sections they all get "RWX" permissions after using "NtWriteVirtualMemory", and this function restores the "needed" permissions to be a bit stealthier. Correct me if I am wrong please.

  3. Is it profitable to allocate "RW" each time I allocate memory, then change it via "NtProtectVirtualMemory" to what is needed ... do some work ... and set it to RW or R when the injection is finished? I tried to do this, but when I explore memory in ProcessHacker I see 2 "RWX" regions that were created after injection. They are the shellcode and my dll without headers, so it's easy to find by "RWX" cuz there is only RW, R and so on in my target process.

  4. Still can't write my custom GetProcAddress correctly into the remote process. It crashes. I replaced "strcmp"; it's working in the local process, but not in the remote one. Would you like to update your project and add this feature? :D

Thank u!
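Question 3 above notes that ProcessHacker shows two "RWX" regions after injection (the shellcode and the header-stripped DLL), which is exactly what a memory scan on the defender's side keys on. The following Python is an added example, not code from this thread or from the injector project: it classifies region records shaped like VirtualQueryEx output and flags executable private memory that is not a loader-mapped image, with RWX and a missing "MZ" header as the signals from the thread. The region data is constructed inline; collecting real records on Windows with ctypes is assumed and not shown.

```python
from dataclasses import dataclass

# Windows memory constants from winnt.h
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXEC_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY

@dataclass
class Region:
    """One MEMORY_BASIC_INFORMATION-style record plus the first bytes of the region."""
    base: int
    size: int
    state: int
    protect: int
    type: int
    head: bytes  # first bytes read from the region (empty if unreadable)

def classify(region: Region) -> list:
    """Reasons a region looks like manually mapped code; empty list means not flagged."""
    reasons = []
    if not region.state & MEM_COMMIT:
        return reasons                      # reserved/free: nothing to inspect
    if (region.protect & 0xFF) not in EXEC_PROTECTIONS:
        return reasons                      # low byte is the base protection; not executable
    if region.type == MEM_IMAGE:
        return reasons                      # file-backed image placed by the OS loader
    # Executable memory that is not an OS-loaded image is worth a look either way.
    if (region.protect & 0xFF) == PAGE_EXECUTE_READWRITE:
        reasons.append("private RWX region")
    if region.head[:2] == b"MZ":
        reasons.append("PE header in private memory (image not loaded by the loader)")
    else:
        reasons.append("executable private region without a PE header")
    return reasons

def scan(regions) -> dict:
    """Map base address -> reasons for every flagged region."""
    return {r.base: classify(r) for r in regions if classify(r)}

# Constructed sample regions mirroring the thread: a normal DLL, the injector's
# shellcode page (RWX), the mapped DLL with its headers wiped, and a heap block.
SAMPLE = [
    Region(0x7FF800000000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE, b"MZ\x90\x00"),
    Region(0x1F0000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, b"\x48\x89\x5c"),
    Region(0x200000, 0x20000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_PRIVATE, b"\x00" * 16),
    Region(0x300000, 0x10000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE, b"\x01\x02"),
]
```

JIT engines also produce private executable regions without an "MZ" header, so treat a hit as a triage lead and correlate it with the loaded-module list rather than as a verdict.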

nefarearworm commented 10 months ago

I figured out all the questions except the second one. I really want you to answer.