tishion / mmloader
A library for loading dll module bypassing windows PE loader from memory (x86/x64)
Home Page: http://tishion.github.io/mmLoader/
License: MIT License
modify the project demo-module
    std::string
    get_str() {
        return "hello string";
    }

    // This is an example of an exported function.
    __declspec(dllexport) BOOL _stdcall demoFunction(unsigned char *buffer, unsigned int size) {
        OutputDebugStringA("demoFunction1 in\n");
        printf("demoFunction1 in\n");
        static std::string the_string = get_str(); // crash on windows xp
        if (!the_string.empty()) {
            // Print through "%s" so the string is never treated as a format string
            printf("%s", the_string.c_str());
            OutputDebugStringA(the_string.c_str());
        } else {
            // bad behavior on windows 7 and later. string is always empty
            OutputDebugStringA("the the_string is empty().\n");
            printf("the the_string is empty().\n");
        }
        OutputDebugStringA("demoFunction2 after static std::string\n");
        printf("demoFunction2 after static std::string\n");
        if (!buffer)
            return FALSE;
        const char *p = "{f56fee02-16d1-44a3-b191-4d7535f92ca5}";
        memcpy_s(buffer, size, p, strlen(p));
        return TRUE;
    }
The line: static std::string the_string = get_str(); will crash on Windows XP,
and on Windows 7 and later, the string is always empty.
Any idea?
BTW: I tested it with project "demo-mmloader-shellcode" with x86.
The logic of SetMemProtectStatus is incorrect.
While loading the library and executing CallModuleEntry with DLL_PROCESS_ATTACH, the process exited with an exception in ntdll.dll. Optimization disabled.
Windows 7 x64
x86 version works fine!
Please help, any tips on how I can fix it?
mmLoader/src/mmLoader/mmLoader.cpp
Line 311 in 00648bb
You seem to check if the raw size is zero and if so, we allocate section alignment size. For BCC sections, the raw size is always zero, and virtual size could be much larger (even larger than section alignment). In such cases, we need to allocate the size specified in virtual size and initialize to zero.
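The sizing rule this report asks for, as an added example that is not mmLoader's code: a section with no raw data is mapped at its virtual size, rounded up to the section alignment, and zero-filled. `SectionInfo`, `section_mapped_size` and `map_section` are hypothetical names, and the sample section values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the IMAGE_SECTION_HEADER fields a loader reads. */
typedef struct {
    uint32_t VirtualSize;      /* size in memory */
    uint32_t VirtualAddress;   /* RVA inside the mapped image */
    uint32_t SizeOfRawData;    /* bytes present in the file; 0 for uninitialized data */
    uint32_t PointerToRawData; /* file offset of those bytes */
} SectionInfo;

/* Bytes the section occupies once mapped, rounded up to SectionAlignment
 * (assumed to be a power of two, as the PE format requires). */
uint64_t section_mapped_size(const SectionInfo *s, uint32_t align) {
    uint64_t size = s->VirtualSize ? s->VirtualSize : s->SizeOfRawData;
    return (size + align - 1) & ~((uint64_t)align - 1);
}

/* Zero the whole mapped range, then copy only the bytes the file holds.
 * Returns 0 on success, -1 if the section does not fit the image or file. */
int map_section(uint8_t *image, size_t image_size, const uint8_t *file,
                size_t file_size, const SectionInfo *s, uint32_t align) {
    uint64_t mapped = section_mapped_size(s, align);
    uint32_t copy = s->SizeOfRawData;
    if (s->VirtualSize && copy > s->VirtualSize)
        copy = s->VirtualSize;               /* raw data is padded in the file */
    if (mapped == 0 || (uint64_t)s->VirtualAddress + mapped > image_size)
        return -1;
    if ((uint64_t)s->PointerToRawData + copy > file_size)
        return -1;
    memset(image + s->VirtualAddress, 0, (size_t)mapped);
    memcpy(image + s->VirtualAddress, file + s->PointerToRawData, copy);
    return 0;
}

int main(void) {
    /* Constructed sample: no raw data, VirtualSize larger than one alignment unit. */
    SectionInfo bss = { 0x2400, 0x1000, 0, 0 };
    static uint8_t image[0x5000];
    uint8_t file[4] = { 1, 2, 3, 4 };
    memset(image, 0xCC, sizeof image);       /* stale bytes to show the zero fill */
    int rc = map_section(image, sizeof image, file, sizeof file, &bss, 0x1000);
    printf("rc=%d mapped=0x%llx first=0x%02x\n", rc,
           (unsigned long long)section_mapped_size(&bss, 0x1000), image[0x1000]);
    return 0;
}
```

Sizing such a section at a single alignment unit would leave 0x2000 bytes of this sample outside the mapped range.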
Is it possible to have an example of how to download a module data from remote without writing it to the disk and then load it?
Hi, Is it possible to load and run an exe?
If FreeMemModule is not called, LoadMemModule will crash on the second call.
In my opinion, this will cause a memory leak or resource leak, but it crashes. There must be something wrong.
Crash at line 947 of file mmLoader.c
    BOOL
    CallModuleEntry(PMEM_MODULE pMemModule, DWORD dwReason) {
        if (NULL == pMemModule || NULL == pMemModule->pImageDosHeader)
            return FALSE;

        PIMAGE_NT_HEADERS pImageNtHeader =
            MakePointer(PIMAGE_NT_HEADERS, pMemModule->pImageDosHeader, pMemModule->pImageDosHeader->e_lfanew);

        Type_DllMain pfnModuleEntry = NULL;

        // If there is no entry point return false
        if (0 == pImageNtHeader->OptionalHeader.AddressOfEntryPoint) {
            return FALSE;
        }

        pfnModuleEntry = MakePointer(Type_DllMain, pMemModule->lpBase, pImageNtHeader->OptionalHeader.AddressOfEntryPoint);

        if (NULL == pfnModuleEntry) {
            pMemModule->dwErrorCode = MMEC_INVALID_ENTRY_POINT;
            return FALSE;
        }

        // ⬇⬇⬇ THIS LINE WILL CRASH ⬇⬇⬇
        return pfnModuleEntry(pMemModule->hModule, dwReason, NULL);
    }
Thanks! Best regards.
Demo Code:
...
    while (true) {
        // Load the module from the buffer
        hMemModule = (HMEMMODULE)MemModuleHelper(MHM_BOOL_LOAD, moduleBuffer, (LPVOID)FALSE, &dwErrorCode);
        if (hMemModule) {
            _tprintf(_T("Module was loaded successfully. Module Base: 0x%p!\r\n"), (LPVOID)hMemModule);

            // will crash on the second call
            LPVOID lpAddr = (LPVOID)MemModuleHelper(MHM_FARPROC_GETPROC, hMemModule, "demoFunction", 0);
            if (lpAddr) {
                _tprintf(_T("Get address of demoFunction successfully. Address: 0x%p!\r\n"), lpAddr);

                // Function pointer type of demoFunction
                typedef BOOL(_stdcall * Type_TargetFunction)(unsigned char *, unsigned int);

                // Call the demoFunction
                Type_TargetFunction pfnFunction = (Type_TargetFunction)lpAddr;

                unsigned char buf[MAX_PATH] = {0};
                if (pfnFunction(buf, MAX_PATH)) {
                    printf("%s\n", buf);
                }

                // Do not free the module.
                // MemModuleHelper(MHM_VOID_FREE, hMemModule, 0, 0);
            } else
                _tprintf(_T("Failed to get address of demoFunction from memory module.\r\n"));
        } else
            _tprintf(_T("Failed to load the module!\r\n"));
    }
First of all, thanks for this amazing project,
I wanna use your shellcode manualmap injection project, I just couldn't find the place to define the target process in which we want to inject our DLL.
Any tips would be appreciated.
Thanks again.
DLL using OpenSSL library, there will be problems when loading
Hi friend, do you have a contact email so I can speak about an issue I face? Thanks.
Hi! I am trying to add mmloader into vcpkg recently: microsoft/vcpkg#9542, and encountered an incompatible CRT linkage issue: mmloader will always try to link to a dynamic version of the MSVC CRT. To make vcpkg happy, I have to patch the VS project file: https://github.com/microsoft/vcpkg/pull/9542/files#diff-3a9c7d34d8547c670266e53060650a3c
I am wondering if it is possible to fix this issue upstream, so that I don't need to patch the port I created.
Add support for X64
If you load the module, you have no choice but to call the module main function, and it will also be called when unloading. When a module with no main function is unloaded, it will crash directly.
You should also add the parameters of the main function of the module to be unloaded. It is best to judge whether there is a module main function.
Besides, when no entry point is present, OptionalHeader.AddressOfEntryPoint is zero.
In the CallModuleEntry function:

    pfnModuleEntry = MakePointer(
        Type_DllMain,
        pMemModule->lpBase,
        pImageNtHeader->OptionalHeader.AddressOfEntryPoint);

    if (NULL == pfnModuleEntry)
    {
        pMemModule->dwErrorCode = MMEC_INVALID_ENTRY_POINT;
        return FALSE;
    }
I don't get the export functions of my DLL after using GetMemModuleProc in mmLoader and GetProcAddress in the Win32 API lib.
When I used GetMemModuleProc, I found the NumberOfFunctions member of ExportDirectory is zero, but I exported two functions in my DLL.
Maybe the problem is in the ResolveImportTable function.
In the description of this repo, lirary -> library :)
Currently, the NuGet package includes both multithreaded and multithreadeddll versions. But the target file cannot work correctly. Need to split it into two packages.
If this code is in a DLL, it will crash.

    try { throw std::exception("d"); } catch (...) { printf("some exception.\r\n"); }

Any idea? Thx