WARNING: This version can only work if there's enough empty space on idata section. Two more methods are being worked on to allow for cases where not enough space is available.
From old version:
This is a small tool that can generate a hooked PE file which will import your custom DLL into its process. With this you can inject a payload into a process using a DLL. I took inspiration to make this tool from Michael Chourdakis' article, but his implementation was not suited for my needs, so after some research and testing I created this tool. The first implementation I made used the same method described in the article to create a proxy DLL, this version however modifies a DLL/Exe imports table to force Windows to import your payload DLL into the process. If you're interested in this method you can learn more about PE Format and the Import Table (it's a lot of stuff tho, so get some coffee first). Also, consider checking my brief explanation on how this tool works here: Injecting payloads in DLLs.
Requirements:
- Enough padding space for import table size plus one entry;
- Import table size bigger or equal to payload data size.
standard idata section structure after relocation
────────┬──────────────────┬────── ────────┬──────────────────┬──────
.idata │ │ start .idata │ │ start
section │ address tables │ section │ address tables │
│ (thunk) │ │ (thunk) │
┌──┼ ◄─┐ ┌────► ┼─┐
│ ├──────────────────┤ │ │ ├──────────────────┤ │
│ │ ┼─┘ │ + + │
│ │ import table ┼──┐ │ + payload data + │
│ │ ┼─┐│ │┌───► + │
│ ├──────────────────┤ ││ ││ ├──────────────────┤ │
│ │ ◄─┘│ ││ │ │ │
│ │ lookup tables │ │ ││ │ lookup tables │ │
│ │ (32/64) │ │ ││┌──► (32/64) │ │
│┌─┼ │ │ │││┌─┼ │ │
││ ├──────────────────┤ │ ││││ ├──────────────────┤ │
│└─► ◄──┘ │││└─► ◄─┘
│ │names and ordinals│ │││ │names and ordinals│
└──► │ │││ │ ◄─┐
└──────────────────┘ │││ ├──────────────────┤ │
: : ││└──┼ ┼─┘
: padding : │└───┼ import table │
: : end └────┼ │ end
────────────────────────────────── ────────┴──────────────────┴──────
NOT IMPLEMENTED YET
Requirements:
- Enough padding space for one table entry plus data;
- All relative virtual addresses (RVAs) in
idatamust be re-calculated.
After import table expansion and re-building:
────────┬──────────────────┬──────
.idata │ address tables │ start
section │ (thunk) │
│- - - - - - - - - │
┌──┼ payload ◄─┐
│ ├──────────────────┤ │
│ │ import table ┼─┘
│ │- - - - - - - - - ┼──┐
│ │ payload ┼─┐│
│ ├──────────────────┤ ││
│ │ lookup tables ◄─┘│
│┌─┼ (32/64) │ │
││ │- - - - - - - - - │ │
││ │ payload │ │
││ ├──────────────────┤ │
│└─► ◄──┘
│ │names and ordinals│
│ │- - - - - - - - - │
│ │ payload │
└──► │
└──────────────────┘
: padding : end
──────────────────────────────────
NOT IMPLEMENTED YET
Requirements:
- Offset of new section entry must be less than section alignment;
- All RVAs must be incremented by virtual offset.
before append after append
┌──────────────────┐ ┌──────────────────┐
PE file │ headers │ PE file │ headers │
│ │ │ │
─────────┼──────────────────┼────── ─────────┼──────────────────┼──────
sections │ │ start sections │ │ start
│ .rsrc │ │ .rsrc │
├──────────────────┤ ├──────────────────┤
│ │ │ │
│ .data │ │ .data │
├──────────────────┤ ├──────────────────┤
│ │ │ │
│ .idata │ │ (empty) │
├──────────────────┤ ├──────────────────┤
: : : :
: ... : : ... :
: : : :
├──────────────────┤ ├──────────────────┤
│ │ │ │
│ │ │
5865
│
│ .text │ │ .text │
│ │ │ │
│ │ end │ │
────────┴──────────────────┴────── - - - - ┼──────────────────┼ - - -
│ │
│ .idata │ end
────────┴──────────────────┴──────