
mmloader's Introduction

mmLoader

mmLoader is a library for loading DLL modules directly from memory. It bypasses the Windows PE loader while still processing the import and export tables correctly.

triplets status
x86-windows-static CMake
x64-windows-static CMake

DOC

vcpkg support

mmloader is now available on vcpkg. Install it with one of the following commands:

vcpkg install mmloader:x86-windows-static

vcpkg install mmloader:x64-windows-static

If you want to use mmloader in shellcode mode, install it with the shellcode feature:

vcpkg install mmloader[shellcode]:x86-windows-static

vcpkg install mmloader[shellcode]:x64-windows-static

build from source

The build system has been switched to CMake. You can generate and build the project with the following commands:

generate the project files

cmake -S . -B .build -G "Visual Studio 16 2019" -A Win32 -DBUILD_SHELLCODE_GEN=TRUE -DBUILD_MMLOADER_DEMO=TRUE

-S .: the source tree root folder
-B .build: the build folder .build
-G "Visual Studio xx xxxx": generate the solution file for VS
-A: target architecture; only Win32 and x64 are supported
-DBUILD_SHELLCODE_GEN=TRUE: enable shellcode generator
-DBUILD_MMLOADER_DEMO=TRUE: enable demo projects

build the projects

cmake --build .build

How to use

  1. Use mmLoader source code:

    • Just include the source files in your projects.

  2. Use mmLoader static library:

    • Build the projects and collect the static library file, then add a reference to it in your projects.

  3. Use mmLoader shellcode:

    • Build the project mmLoader-shellcode-generator and run it, then collect the generated header file.
    • Include the header file in your project.

FAQ

Q: Why no dynamic version?

A: Compiling mmLoader as a separate dynamic module is not recommended, for some obvious reasons.

Q: Can mmloader process DLLs with static TLS linked?

A: No. mmloader currently cannot load DLLs that are linked with static TLS; see the issue "Bad behavior on static std::string" (#15).

mmloader's People

Contributors

sidneyli, tekknolagi, tishion


mmloader's Issues

MHM_BOOL_LOAD exits with status 3 (ERROR_PATH_NOT_FOUND)

While loading the library and executing CallModuleEntry with DLL_PROCESS_ATTACH, the process exited with an exception in ntdll.dll. Optimization is disabled.

Windows 7 x64

x86 version works fine!

Please help, any tips on how I can fix it?

Bad behavior on static std::string

Modify the project demo-module:

std::string
get_str() {
  return "hello string";
}
// This is an example of an exported function.
__declspec(dllexport) BOOL _stdcall demoFunction(unsigned char *buffer, unsigned int size) {
  OutputDebugStringA("demoFunction1 in\n");
  printf("demoFunction1 in\n");
  static std::string the_string = get_str(); // crash on windows xp
  if (!the_string.empty()) {
    printf("%s", the_string.c_str());
    OutputDebugStringA(the_string.c_str());
  } else {
    // bad behavior on windows 7 and later: the string is always empty
    OutputDebugStringA("the the_string is empty().\n");
    printf("the the_string is empty().\n");
  }
  OutputDebugStringA("demoFunction2 after static std::string\n");
  printf("demoFunction2 after static std::string\n");

  if (!buffer)
    return FALSE;

  const char *p = "{f56fee02-16d1-44a3-b191-4d7535f92ca5}";
  memcpy_s(buffer, size, p, strlen(p));
  return TRUE;
}

The line: static std::string the_string = get_str(); will crash on Windows XP,
and on Windows 7 and later the string is always empty.
Any idea?

BTW: I tested it with the project "demo-mmloader-shellcode" with x86.

The unloading module has a bug.

If you load the module, you have no choice to call the module main function. But it will also call it when uninstalling. When no module main function is unloaded, it will crash directly.

You should also add the parameters of the main function of the module to be unloaded. It is best to judge whether there is a module main function.

Besides, when no entry point is present, OptionalHeader.AddressOfEntryPoint is zero.
In the CallModuleEntry function:

pfnModuleEntry = MakePointer(
    Type_DllMain,
    pMemModule->lpBase,
    pImageNtHeader->OptionalHeader.AddressOfEntryPoint);

if (NULL == pfnModuleEntry)
{
    pMemModule->dwErrorCode = MMEC_INVALID_ENTRY_POINT;
    return FALSE;
}
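
A pre-load check for the two conditions this page reports as unhandled: an image whose AddressOfEntryPoint is zero (the issue above, where base + 0 passes the NULL test) and a DLL linked with static TLS (the FAQ). This is an added example, not mmLoader code; pe_preload_check, make_sample and the PE_* flag names are hypothetical, and the sample image is a constructed header-only PE32 buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Flag names are this example's own, not mmLoader's. */
enum { PE_MALFORMED = 1, PE_NO_ENTRY = 2, PE_ENTRY_OUTSIDE = 4, PE_HAS_TLS = 8 };
/* Bounds-checked little-endian read; sets *bad if it would leave the buffer. */
static uint32_t rd32(const uint8_t *b, size_t n, size_t off, int *bad) {
  if (off > n || n - off < 4) { *bad = 1; return 0; }
  return b[off] | (uint32_t)b[off + 1] << 8 | (uint32_t)b[off + 2] << 16 | (uint32_t)b[off + 3] << 24;
}

/* Inspect a raw DLL image before handing it to an in-memory loader. */
int pe_preload_check(const uint8_t *buf, size_t len) {
  int bad = 0, flags = 0;
  if ((rd32(buf, len, 0, &bad) & 0xFFFF) != 0x5A4D) return PE_MALFORMED;  /* "MZ" */
  uint32_t lfanew = rd32(buf, len, 0x3C, &bad);                           /* e_lfanew */
  if (rd32(buf, len, lfanew, &bad) != 0x4550) return PE_MALFORMED;        /* "PE\0\0" */
  size_t opt = (size_t)lfanew + 24;  /* skip signature and IMAGE_FILE_HEADER */
  uint32_t magic = rd32(buf, len, opt, &bad) & 0xFFFF;
  if (magic != 0x10B && magic != 0x20B) return PE_MALFORMED;              /* PE32 or PE32+ */
  size_t dirs = opt + (magic == 0x10B ? 96 : 112);  /* DataDirectory[0] */
  uint32_t entry = rd32(buf, len, opt + 16, &bad);       /* AddressOfEntryPoint */
  uint32_t image_size = rd32(buf, len, opt + 56, &bad);  /* SizeOfImage */
  uint32_t ndirs = rd32(buf, len, dirs - 4, &bad);       /* NumberOfRvaAndSizes */
  /* Directory 9 is IMAGE_DIRECTORY_ENTRY_TLS: RVA at +72, size at +76. */
  uint32_t tls_rva = ndirs > 9 ? rd32(buf, len, dirs + 72, &bad) : 0;
  uint32_t tls_size = ndirs > 9 ? rd32(buf, len, dirs + 76, &bad) : 0;
  if (bad) return PE_MALFORMED;
  /* RVA 0 means no entry point; base + 0 is still a non-NULL pointer (the DOS header). */
  if (entry == 0) flags |= PE_NO_ENTRY;
  else if (entry >= image_size) flags |= PE_ENTRY_OUTSIDE;
  if (tls_rva && tls_size) flags |= PE_HAS_TLS;  /* static TLS present */
  return flags;
}

/* Constructed sample: header-only PE32 image with a chosen entry RVA and TLS directory RVA. */
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
const uint8_t *make_sample(uint8_t img[512], uint32_t entry, uint32_t tls_rva) {
  memset(img, 0, 512);
  img[0] = 'M'; img[1] = 'Z'; img[0x3C] = 0x80; img[0x80] = 'P'; img[0x81] = 'E';
  wr32(img + 0x98, 0x10B);                /* optional header begins at 0x80 + 24 */
  wr32(img + 0x98 + 16, entry);
  wr32(img + 0x98 + 56, 0x3000);          /* SizeOfImage */
  wr32(img + 0x98 + 92, 16);              /* NumberOfRvaAndSizes */
  wr32(img + 0x98 + 96 + 72, tls_rva);    /* TLS directory RVA, then size */
  wr32(img + 0x98 + 96 + 76, tls_rva ? 0x18 : 0);
  return img;
}
```

A caller would skip the entry-point call when PE_NO_ENTRY is set and reject or special-case the image when PE_HAS_TLS is set.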

Where do we define the target process?

First of all, thanks for this amazing project,

I wanna use your shellcode manualmap injection project, I just couldn't find the place to define the target process in which we want to inject our DLL.
Any tips would be appreciated.

Thanks again.

Unable to get export functions of DLL

I don't get the export functions of my DLL after using GetMemModuleProc in mmLoader and GetProcAddress in the Win32 API lib.
When I used GetMemModuleProc, I found that the NumberOfFunctions member of ExportDirectory is zero, but I exported two functions in my DLL.
Maybe the problem is in the ResolveImportTable function.

x64csrss issue

Hi friend, do you have a contact email? I can speak re the issue I face. Thanks.

Typo

In the description of this repo, lirary -> library :)

LoadMemModule will crash on the second call if the module returned by the first LoadMemModule call is not freed with FreeMemModule

If FreeMemModule is not called, LoadMemModule will crash on the second call.
In my opinion, this will cause a memory leak or resource leak, but it crashes. There must be something wrong.

CRASH IN LINE 947 of file mmLoader.c

BOOL
CallModuleEntry(PMEM_MODULE pMemModule, DWORD dwReason) {
  if (NULL == pMemModule || NULL == pMemModule->pImageDosHeader)
    return FALSE;

  PIMAGE_NT_HEADERS pImageNtHeader =
      MakePointer(PIMAGE_NT_HEADERS, pMemModule->pImageDosHeader, pMemModule->pImageDosHeader->e_lfanew);

  Type_DllMain pfnModuleEntry = NULL;

  // If there is no entry point return false
  if (0 == pImageNtHeader->OptionalHeader.AddressOfEntryPoint) {
    return FALSE;
  }

  pfnModuleEntry = MakePointer(Type_DllMain, pMemModule->lpBase, pImageNtHeader->OptionalHeader.AddressOfEntryPoint);

  if (NULL == pfnModuleEntry) {
    pMemModule->dwErrorCode = MMEC_INVALID_ENTRY_POINT;
    return FALSE;
  }

  // ⬇⬇⬇ THIS LINE WILL CRASH ⬇⬇⬇
  return pfnModuleEntry(pMemModule->hModule, dwReason, NULL);
}

Thanks! Best regards.

Demo Code:

...
while (true) {
    // Load the module from the buffer
    hMemModule = (HMEMMODULE)MemModuleHelper(MHM_BOOL_LOAD, moduleBuffer, (LPVOID)FALSE, &dwErrorCode);

    if (hMemModule) {
      _tprintf(_T("Module was loaded successfully. Module Base: 0x%p!\r\n"), (LPVOID)hMemModule);

      // will crash on the second call
      LPVOID lpAddr = (LPVOID)MemModuleHelper(MHM_FARPROC_GETPROC, hMemModule, "demoFunction", 0);
      if (lpAddr) {
        _tprintf(_T("Get address of demoFunction successfully. Address: 0x%p!\r\n"), lpAddr);

        // Function pointer type of demoFunction
        typedef BOOL(_stdcall * Type_TargetFunction)(unsigned char *, unsigned int);

        // Call the demoFunction
        Type_TargetFunction pfnFunction = (Type_TargetFunction)lpAddr;

        unsigned char buf[MAX_PATH] = {0};
        if (pfnFunction(buf, MAX_PATH)) {
          printf("%s\n", buf);
        } else
          _tprintf(_T("Failed to get address of demoFunction from memory module.\r\n"));

        // do not free the module.
        //MemModuleHelper(MHM_VOID_FREE, hMemModule, 0, 0);
      }
    } else
      _tprintf(_T("Failed to load the module!\r\n"));
  }
