fix(injection): review changes
dledda-r7 committed Oct 4, 2024
1 parent b3099d8 commit afb11ee
Showing 1 changed file with 78 additions and 71 deletions.
149 changes: 78 additions & 71 deletions c/meterpreter/source/metsrv/pool_party.c
Expand Up @@ -8,59 +8,68 @@ POOLPARTY_INJECTOR* poolLifeguard = NULL;
NtDll* GetOrInitNtDll() {
BOOL bError = FALSE;
HANDLE hHeap = GetProcessHeap();
bError = (hHeap == NULL);

if (pNtDll != NULL) {
return pNtDll;
}
do {
if (pNtDll != NULL || hHeap == NULL) {
break;
}

if (!bError) {
pNtDll = (NtDll*)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(pNtDll));
bError = pNtDll == NULL;
if (!bError) {
HMODULE hNtDll = NULL;
hNtDll = GetModuleHandleA("ntdll.dll");
if(hNtDll == NULL || hNtDll == INVALID_HANDLE_VALUE){
hNtDll = LoadLibraryA("ntdll.dll");
}
pNtDll->pNtQueryInformationProcess = (NTSTATUS(NTAPI*)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG))GetProcAddress(hNtDll, "NtQueryInformationProcess");
pNtDll->pNtQueryObject = (NTSTATUS(NTAPI*)(HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG, PULONG))GetProcAddress(hNtDll, "NtQueryObject");
if(!pNtDll) {
break;
}

if(pNtDll->pNtQueryInformationProcess == NULL || pNtDll->pNtQueryObject == NULL) {
HeapFree(hHeap, 0, pNtDll);
pNtDll = NULL;
return pNtDll;
HMODULE hNtDll = NULL;
hNtDll = GetModuleHandleA("ntdll.dll");
if(!hNtDll) {
hNtDll = LoadLibraryA("ntdll.dll");
bError = hNtDll == NULL;
if(bError) {
break;
}
dprintf("[INJECT][inject_via_poolparty][ntdll_init] NtQueryInformationProcess: %p NtQueryObject: %p", ntdll->pNtQueryInformationProcess, ntdll->pNtQueryObject);

pNtDll->pZwSetIoCompletion = (NTSTATUS(NTAPI*)(HANDLE, PVOID, PVOID, NTSTATUS, ULONG_PTR))GetProcAddress(hNtDll, "ZwSetIoCompletion");
if (pNtDll->pZwSetIoCompletion != NULL) {
if (poolLifeguard != NULL) {
poolLifeguard->variants[POOLPARTY_TECHNIQUE_TP_DIRECT_INSERTION].isSystemSupported = TRUE;
}
}

pNtDll->pNtQueryInformationProcess = (NTSTATUS(NTAPI*)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG))GetProcAddress(hNtDll, "NtQueryInformationProcess");
pNtDll->pNtQueryObject = (NTSTATUS(NTAPI*)(HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG, PULONG))GetProcAddress(hNtDll, "NtQueryObject");

if(pNtDll->pNtQueryInformationProcess == NULL || pNtDll->pNtQueryObject == NULL) {
bError = TRUE;
break;
}
dprintf("[INJECT][inject_via_poolparty][ntdll_init] NtQueryInformationProcess: %p NtQueryObject: %p", ntdll->pNtQueryInformationProcess, ntdll->pNtQueryObject);

pNtDll->pZwSetIoCompletion = (NTSTATUS(NTAPI*)(HANDLE, PVOID, PVOID, NTSTATUS, ULONG_PTR))GetProcAddress(hNtDll, "ZwSetIoCompletion");
if (pNtDll->pZwSetIoCompletion != NULL) {
if (poolLifeguard != NULL) {
poolLifeguard->variants[POOLPARTY_TECHNIQUE_TP_DIRECT_INSERTION].isSystemSupported = TRUE;
}
dprintf("[INJECT][inject_via_poolparty][ntdll_init] ZwSetIoCompletion: %p", ntdll->pZwSetIoCompletion);
}
dprintf("[INJECT][inject_via_poolparty][ntdll_init] ZwSetIoCompletion: %p", ntdll->pZwSetIoCompletion);

//ntdll->pZwAssociateWaitCompletionPacket = (NTSTATUS(NTAPI*)(HANDLE, HANDLE, HANDLE, PVOID, PVOID, NTSTATUS, ULONG_PTR, PBOOLEAN))GetProcAddress(hNtDll, "ZwAssociateWaitCompletionPacket");
//if (ntdll->pZwAssociateWaitCompletionPacket != NULL) {
// if (poolLifeguard != NULL) {
// poolLifeguard->variants[POOLPARTY_TECHNIQUE_TP_WAIT_INSERTION].isSystemSupported = TRUE;
// }
//}
//dprintf("[INJECT][inject_via_poolparty][ntdll_init] ZwAssociateWaitCompletionPacket: %p", ntdll->pZwAssociateWaitCompletionPacket);
//ntdll->pZwAssociateWaitCompletionPacket = (NTSTATUS(NTAPI*)(HANDLE, HANDLE, HANDLE, PVOID, PVOID, NTSTATUS, ULONG_PTR, PBOOLEAN))GetProcAddress(hNtDll, "ZwAssociateWaitCompletionPacket");
//if (ntdll->pZwAssociateWaitCompletionPacket != NULL) {
// if (poolLifeguard != NULL) {
// poolLifeguard->variants[POOLPARTY_TECHNIQUE_TP_WAIT_INSERTION].isSystemSupported = TRUE;
// }
//}
//dprintf("[INJECT][inject_via_poolparty][ntdll_init] ZwAssociateWaitCompletionPacket: %p", ntdll->pZwAssociateWaitCompletionPacket);

//ntdll->pNtQueryInformationWorkerFactory = (NTSTATUS(NTAPI*)(HANDLE, _WORKERFACTORYINFOCLASS, PVOID, ULONG, PULONG))GetProcAddress(hNtDll, "NtQueryInformationWorkerFactory"); // WIN 7
//dprintf("[INJECT][inject_via_poolparty][ntdll_init] NtQueryInformationWorkerFactory: %p", ntdll->pNtQueryInformationWorkerFactory);
//ntdll->pNtQueryInformationWorkerFactory = (NTSTATUS(NTAPI*)(HANDLE, _WORKERFACTORYINFOCLASS, PVOID, ULONG, PULONG))GetProcAddress(hNtDll, "NtQueryInformationWorkerFactory"); // WIN 7
//dprintf("[INJECT][inject_via_poolparty][ntdll_init] NtQueryInformationWorkerFactory: %p", ntdll->pNtQueryInformationWorkerFactory);

//ntdll->pNtSetInformationWorkerFactory = (NTSTATUS(NTAPI*)(HANDLE, _WORKERFACTORYINFOCLASS, PVOID, ULONG))GetProcAddress(hNtDll, "NtSetInformationWorkerFactory"); // WIN7
//dprintf("[INJECT][inject_via_poolparty][ntdll_init] NtSetInformationWorkerFactory: %p", ntdll->pNtSetInformationWorkerFactory);
//ntdll->pNtSetInformationWorkerFactory = (NTSTATUS(NTAPI*)(HANDLE, _WORKERFACTORYINFOCLASS, PVOID, ULONG))GetProcAddress(hNtDll, "NtSetInformationWorkerFactory"); // WIN7
//dprintf("[INJECT][inject_via_poolparty][ntdll_init] NtSetInformationWorkerFactory: %p", ntdll->pNtSetInformationWorkerFactory);

//if (ntdll->pNtQueryInformationWorkerFactory != NULL && ntdll->pNtSetInformationWorkerFactory != NULL) {
// if (poolLifeguard != NULL) {
// poolLifeguard->variants[POOLPARTY_TECHNIQUE_WORKER_FACTORY_OVERWRITE].isSystemSupported = TRUE;
// }
//}
}
//if (ntdll->pNtQueryInformationWorkerFactory != NULL && ntdll->pNtSetInformationWorkerFactory != NULL) {
// if (poolLifeguard != NULL) {
// poolLifeguard->variants[POOLPARTY_TECHNIQUE_WORKER_FACTORY_OVERWRITE].isSystemSupported = TRUE;
// }
//}
}while(0);

if (bError) {
HeapFree(hHeap, 0, pNtDll);
pNtDll = NULL;
}
return pNtDll;
}
Expand All @@ -69,49 +78,47 @@ POOLPARTY_INJECTOR* GetOrInitPoolParty(DWORD dwSourceArch, DWORD dwDestinationAr
BOOL bError = FALSE;
HANDLE hHeap = GetProcessHeap();
bError = (hHeap == NULL);
BOOL isWow64;
IsWow64Process(GetCurrentProcess(), &isWow64);
do {

if (poolLifeguard != NULL) {
return poolLifeguard;
}
if (poolLifeguard != NULL) {
break;
}

if (!bError) {
poolLifeguard = (POOLPARTY_INJECTOR*)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(POOLPARTY_INJECTOR));
bError = poolLifeguard == NULL;

if(!bError) {
poolLifeguard->init = FALSE;
if (pNtDll == NULL) {
bError = GetOrInitNtDll() == NULL;
}
if(!poolLifeguard) {
break;
}

if (!bError) {
if (dwSourceArch == PROCESS_ARCH_X64) {
if (dwDestinationArch == PROCESS_ARCH_X64) {
// poolLifeguard->variants[POOLPARTY_TECHNIQUE_TP_WAIT_INSERTION].isInjectionSupported = poolLifeguard->variants[POOLPARTY_TECHNIQUE_TP_WAIT_INSERTION].isSystemSupported;

poolLifeguard->init = FALSE;
if (pNtDll == NULL) {
if(!GetOrInitNtDll()) {
// We weren't able to initialize NtDll
// Set the bError to true so we can Free the heap allocation.
bError = TRUE;
break;
}
poolLifeguard->variants[POOLPARTY_TECHNIQUE_TP_DIRECT_INSERTION].isInjectionSupported = poolLifeguard->variants[POOLPARTY_TECHNIQUE_TP_DIRECT_INSERTION].isSystemSupported;
}
if (dwSourceArch == PROCESS_ARCH_X64) {
if (dwDestinationArch == PROCESS_ARCH_X64) {
// poolLifeguard->variants[POOLPARTY_TECHNIQUE_TP_WAIT_INSERTION].isInjectionSupported = poolLifeguard->variants[POOLPARTY_TECHNIQUE_TP_WAIT_INSERTION].isSystemSupported;
}
poolLifeguard->variants[POOLPARTY_TECHNIQUE_TP_DIRECT_INSERTION].isInjectionSupported = poolLifeguard->variants[POOLPARTY_TECHNIQUE_TP_DIRECT_INSERTION].isSystemSupported;
}
poolLifeguard->variants[POOLPARTY_TECHNIQUE_TP_DIRECT_INSERTION].handler = remote_tp_direct_insertion;
// poolLifeguard->variants[POOLPARTY_TECHNIQUE_TP_WAIT_INSERTION].handler = remote_tp_wait_insertion;
// poolLifeguard->variants[POOLPARTY_TECHNIQUE_WORKER_FACTORY_OVERWRITE].handler = worker_factory_start_routine_overwrite;
poolLifeguard->init = TRUE;

if (!bError) {
poolLifeguard->variants[POOLPARTY_TECHNIQUE_TP_DIRECT_INSERTION].handler = remote_tp_direct_insertion;
// poolLifeguard->variants[POOLPARTY_TECHNIQUE_TP_WAIT_INSERTION].handler = remote_tp_wait_insertion;
// poolLifeguard->variants[POOLPARTY_TECHNIQUE_WORKER_FACTORY_OVERWRITE].handler = worker_factory_start_routine_overwrite;
poolLifeguard->init = TRUE;
}
}
}while(0);

if (bError && poolLifeguard != NULL) {
HeapFree(hHeap, 0, poolLifeguard);
poolLifeguard = NULL;
}
return poolLifeguard;
};
}

// For now we support only Windows >= 10 and x64 -> x64
// For now we support only Windows >= 10 and x64 | wow64 -> x64
BOOL supports_poolparty_injection(DWORD dwSourceArch, DWORD dwDestinationArch) {
OSVERSIONINFO os = { 0 };
os.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
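Review bot: In the GetOrInitNtDll hunk the allocation `pNtDll = (NtDll*)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(pNtDll));` sizes the block by the pointer rather than the struct, so the stores to pNtQueryObject and pZwSetIoCompletion that follow it land past the end of an allocation that is only 8 bytes on x64; it should read `pNtDll = (NtDll*)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(NtDll));` (or `sizeof(*pNtDll)`). That line appears to be context rather than part of this change, but the restructured do/while body still writes at least three function pointers through it, and HEAP_ZERO_MEMORY only zeroes the bytes actually requested. Separately, the dprintf calls in the same hunk dereference `ntdll->` while the local is named `pNtDll`, which looks like it can only compile where dprintf discards its arguments — worth confirming against a debug build. In the GetOrInitPoolParty hunk the new `IsWow64Process(GetCurrentProcess(), &isWow64);` result is never read within the visible function and its return value is unchecked, so `isWow64` is either dead here or consumed by code outside this view and should at least be initialised before the call.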
