Small Manual Mapping improvement, updated shells, added function to dump shells into txt file (define DUMP_SHELLCODE in Error.h (bottom)), deleted a dumb line by mambda in the symbol parser

Broihon · Broihon · commit 06be54dae51d · 2020-11-26T03:58:01.000+01:00
diff --git a/GH Injector Library/Error.h b/GH Injector Library/Error.h
@@ -301,4 +301,6 @@ memcpy(data.szFunctionName, __FUNCTIONW__, ((size_t)lstrlenW(__FUNCTIONW__)) * 2
 #define LOG printf
 #else
 #define LOG
-#endif
+#endif
+
+//#define DUMP_SHELLCODE
diff --git a/GH Injector Library/Injection Generic.cpp b/GH Injector Library/Injection Generic.cpp
@@ -12,6 +12,11 @@ DWORD InjectionShell_End();
 
 DWORD InjectDLL(const wchar_t * szDllFile, HANDLE hTargetProc, INJECTION_MODE Mode, LAUNCH_METHOD Method, DWORD Flags, HINSTANCE & hOut, DWORD Timeout, ERROR_DATA & error_data)
 {
+#if !defined(_WIN64) && defined (DUMP_SHELLCODE)
+	auto length = ReCa<BYTE*>(InjectionShell_End) - ReCa<BYTE*>(InjectionShell);
+	DumpShellcode(ReCa<BYTE*>(InjectionShell), length, L"InjectionShell_WOW64");
+#endif
+
 	LOG("InjectDll called\n");
 
 	if (Mode == INJECTION_MODE::IM_ManualMap)
diff --git a/GH Injector Library/Manual Mapping.cpp b/GH Injector Library/Manual Mapping.cpp
@@ -12,6 +12,11 @@ DWORD ManualMapping_Shell_End();
 
 DWORD MMAP_NATIVE::ManualMap(const wchar_t * szDllFile, HANDLE hTargetProc, LAUNCH_METHOD Method, DWORD Flags, HINSTANCE & hOut, DWORD Timeout, ERROR_DATA & error_data)
 {
+#if !defined(_WIN64) && defined (DUMP_SHELLCODE)
+	auto length = ReCa<BYTE*>(ManualMapping_Shell_End) - ReCa<BYTE*>(ManualMapping_Shell);
+	DumpShellcode(ReCa<BYTE*>(ManualMapping_Shell), length, L"ManualMapping_Shell_WOW64");
+#endif
+
 	LOG("Begin ManualMap\n");
 		
 	MANUAL_MAPPING_DATA data{ 0 };
diff --git a/GH Injector Library/Symbol Parser.cpp b/GH Injector Library/Symbol Parser.cpp
@@ -112,8 +112,7 @@ bool SYMBOL_PARSER::VerifyExistingPdb(const GUID & guid)
 		streams.insert({ i, numbers });
 	}
 
-	auto pdb_info_stream = streams.at(1);
-	auto pdb_info_page_index = pdb_info_stream.at(0);
+	auto pdb_info_page_index = streams.at(1).at(0);
 
 	auto * stream_data = ReCa<GUID_StreamData*>(pdb_raw + (size_t)(pdb_info_page_index) * pPDBHeader->page_size);
 
diff --git a/GH Injector Library/Tools.cpp b/GH Injector Library/Tools.cpp
@@ -242,4 +242,63 @@ std::wstring LaunchMethodToString(LAUNCH_METHOD method)
 	}
 
 	return std::wstring(L"bruh moment");
+}
+
+void DumpShellcode(BYTE * start, int length, const wchar_t * szShellname)
+{
+	wchar_t Shellcodename[] = L"Shellcodes.txt";
+
+	wchar_t FullPath[MAX_PATH]{ 0 };
+	StringCbCopyW(FullPath, sizeof(FullPath), g_RootPathW.c_str());
+	StringCbCatW(FullPath, sizeof(FullPath), Shellcodename);
+
+	std::wofstream shellcodes(FullPath, std::ios_base::out | std::ios_base::app);
+	if (!shellcodes.good())
+	{
+		LOG("Failed to open/create shellcodename.txt file:\n%ls\n", FullPath);
+
+		return;
+	}
+
+	shellcodes << L"inline unsigned char " << szShellname << L"[] =\n";
+	shellcodes << L"{";
+
+	int row_length = 500;
+	int char_count = 6 * length - 2 + (length / row_length + 1) * 2 + 1; 
+	wchar_t * array_out = new wchar_t[char_count]();
+
+	if (!array_out)
+	{
+		LOG("Failed to allocate buffer for shellcode data\n");
+	
+		shellcodes.close();
+	}
+
+	int idx = 0;
+
+	for (auto i = 0; i < length; ++i)
+	{
+		if (!(i % row_length))
+		{
+			array_out[idx++] = '\n';
+			array_out[idx++] = '\t';
+		}
+
+		swprintf_s(&array_out[idx], char_count - idx, L"0x%02X", start[i]);
+
+		idx += 4;
+
+		if (i == length - 1)
+		{
+			break;
+		}
+
+		array_out[idx++] = ',';
+		array_out[idx++] = ' ';
+	}
+
+	shellcodes << array_out;
+	shellcodes << L"\n};\n\n";
+
+	shellcodes.close();
 }
diff --git a/GH Injector Library/Tools.h b/GH Injector Library/Tools.h
@@ -134,4 +134,10 @@ void ErrorLog(ERROR_INFO * info);
 //		info (ERROR_INFO*):
 ///			A pointer to an ERROR_INFO structure which contains information about what went wrong.
 //
-//Returnvalue (void)
+//Returnvalue (void)
+
+#if !defined(_WIN64) && defined(DUMP_SHELLCODE)
+
+void DumpShellcode(BYTE * start, int length, const wchar_t * szShellname);
+
+#endif
diff --git a/GH Injector Library/WOW64 Shells.h b/GH Injector Library/WOW64 Shells.h
diff --git a/GH Injector Library/main.cpp b/GH Injector Library/main.cpp
@@ -2,13 +2,25 @@
 
 #include "Tools.h"
 
+#if !defined(_WIN64) && defined (DUMP_SHELLCODE)
+#include "Manual Mapping.h"
+#include "Injection Internal.h"
+#endif
+
 BOOL WINAPI DllMain(HINSTANCE hDll, DWORD dwReason, void * pReserved)
 {
 	UNREFERENCED_PARAMETER(pReserved);
 	
 	if (dwReason == DLL_PROCESS_ATTACH)
 	{
 
+#if !defined(_WIN64) && defined (DUMP_SHELLCODE)
+		HINSTANCE	dummy_instance{ 0 };
+		ERROR_DATA	dummy_data{ 0 };
+		InjectDLL(nullptr, nullptr, INJECTION_MODE::IM_LoadLibraryExW, LAUNCH_METHOD::LM_NtCreateThreadEx, NULL, dummy_instance, 0, dummy_data);
+		MMAP_NATIVE::ManualMap(nullptr, nullptr, LAUNCH_METHOD::LM_NtCreateThreadEx, NULL, dummy_instance, 0, dummy_data);
+#endif
+
 #ifdef DEBUG_INFO
 		AllocConsole();
 

Original file line number	Diff line number	Diff line change
`@@ -112,8 +112,7 @@ bool SYMBOL_PARSER::VerifyExistingPdb(const GUID & guid)`
`112`	`112`	`streams.insert({ i, numbers });`
`113`	`113`	`}`
`114`	`114`
`115`		`- auto pdb_info_stream = streams.at(1);`
`116`		`- auto pdb_info_page_index = pdb_info_stream.at(0);`
	`115`	`+ auto pdb_info_page_index = streams.at(1).at(0);`
`117`	`116`
`118`	`117`	`auto * stream_data = ReCa<GUID_StreamData>(pdb_raw + (size_t)(pdb_info_page_index) pPDBHeader->page_size);`
`119`	`118`