RoboDBG
Loading...
Searching...
No Matches
util.cpp
1#include "util.h"
2
3
4namespace RoboDBG::Util {
5 uintptr_t injectDLL(HANDLE hProcess, const char* dllPath) {
6 // Get handle to target process
7 //HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
8 if (hProcess == NULL) {
9 std::cerr << "OpenProcess failed: " << GetLastError() << std::endl;
10 return 0;
11 }
12
13 // Calculate required memory size
14 size_t pathLen = strlen(dllPath) + 1;
15
16 // Allocate memory in target process for DLL path
17 LPVOID pDllPath = VirtualAllocEx(hProcess, NULL, pathLen, MEM_COMMIT, PAGE_READWRITE);
18 if (pDllPath == NULL) {
19 std::cerr << "VirtualAllocEx failed: " << GetLastError() << std::endl;
20 CloseHandle(hProcess);
21 return 0;
22 }
23 std::cerr << "DLL Base: " << std::hex << pDllPath << std::endl;
24 // Write DLL path to target process memory
25 if (!WriteProcessMemory(hProcess, pDllPath, (LPVOID)dllPath, pathLen, NULL)) {
26 std::cerr << "WriteProcessMemory failed: " << GetLastError() << std::endl;
27 VirtualFreeEx(hProcess, pDllPath, 0, MEM_RELEASE);
28 CloseHandle(hProcess);
29 return 0;
30 }
31
32 // Get address of LoadLibraryA in kernel32.dll
33 LPVOID pLoadLibrary = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
34 if (pLoadLibrary == NULL) {
35 std::cerr << "GetProcAddress failed: " << GetLastError() << std::endl;
36 VirtualFreeEx(hProcess, pDllPath, 0, MEM_RELEASE);
37 CloseHandle(hProcess);
38 return 0;
39 }
40 std::cerr << "Loaded!" << std::endl;
41 // Create remote thread to load our DLL
42 HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
43 (LPTHREAD_START_ROUTINE)pLoadLibrary,
44 pDllPath, 0, NULL);
45 if (hThread == NULL) {
46 std::cerr << "CreateRemoteThread failed: " << GetLastError() << std::endl;
47 VirtualFreeEx(hProcess, pDllPath, 0, MEM_RELEASE);
48 CloseHandle(hProcess);
49 return 0;
50 }
51 std::cerr << "Thread created!" << std::endl;
52 return reinterpret_cast<uintptr_t>(pDllPath);
53 }
54
55 std::string getDllName(HANDLE hProcess, LPVOID lpImageName, BOOL isUnicode) {
56 if (!lpImageName) return "<unknown>";
57 LPVOID actualStringPtr = nullptr;
58 SIZE_T bytesRead;
59
60 if (!ReadProcessMemory(hProcess, lpImageName, &actualStringPtr, sizeof(LPVOID), &bytesRead)) {
61 return "<read error>";
62 }
63
64 if (!actualStringPtr) {
65 return "<null pointer>";
66 }
67
68 std::string name;
69
70 if (isUnicode) {
71 wchar_t wbuffer[MAX_PATH] = {};
72 if (ReadProcessMemory(hProcess, actualStringPtr, &wbuffer, sizeof(wbuffer), &bytesRead)) {
73 char buffer[MAX_PATH];
74 WideCharToMultiByte(CP_ACP, 0, wbuffer, -1, buffer, MAX_PATH, nullptr, nullptr);
75 name = buffer;
76 } else {
77 name = "<unicode read error>";
78 }
79 } else {
80 char buffer[MAX_PATH] = {};
81 if (ReadProcessMemory(hProcess, actualStringPtr, &buffer, sizeof(buffer), &bytesRead)) {
82 name = buffer;
83 } else {
84 name = "<ansi read error>";
85 }
86 }
87
88 return name;
89 }
90
91
92
93 bool executeRemote(HANDLE hProcessGlobal, const std::vector<BYTE>& shellcode) {
94 if (shellcode.empty()) return false;
95
96 SIZE_T codeSize = shellcode.size();
97
98 // 1. Allocate memory in remote process (RWX)
99 LPVOID remoteMem = VirtualAllocEx(hProcessGlobal, nullptr, codeSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
100 if (!remoteMem) return false;
101
102 // 2. Write shellcode
103 if (!WriteProcessMemory(hProcessGlobal, remoteMem, shellcode.data(), codeSize, nullptr)) {
104 VirtualFreeEx(hProcessGlobal, remoteMem, 0, MEM_RELEASE);
105 return false;
106 }
107
108 // 3. Create remote thread
109 HANDLE hThread = CreateRemoteThread(hProcessGlobal, nullptr, 0,
110 (LPTHREAD_START_ROUTINE)remoteMem,
111 nullptr, 0, nullptr);
112 if (!hThread) {
113 VirtualFreeEx(hProcessGlobal, remoteMem, 0, MEM_RELEASE);
114 return false;
115 }
116
117
118 return true;
119 }
120
121 // Helper function to find process ID by name
122 DWORD findProcessId(const std::string& processName) {
123 PROCESSENTRY32 processInfo;
124 processInfo.dwSize = sizeof(processInfo);
125 HANDLE processesSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
126 if (processesSnapshot == INVALID_HANDLE_VALUE) {
127 DWORD error = GetLastError();
128 std::cerr << "CreateToolhelp32Snapshot failed with error: " << error << std::endl;
129 return 0; //Why invalid handle?)
130 }
131
132 Process32First(processesSnapshot, &processInfo);
133 if (!processName.compare(processInfo.szExeFile)) {
134 CloseHandle(processesSnapshot);
135 return processInfo.th32ProcessID;
136 }
137
138 while (Process32Next(processesSnapshot, &processInfo)) {
139 if (!processName.compare(processInfo.szExeFile)) {
140 CloseHandle(processesSnapshot);
141 return processInfo.th32ProcessID;
142 }
143 }
144
145 CloseHandle(processesSnapshot);
146 return 0;
147 }
148
149 bool EnableDebugPrivilege() {
150 HANDLE hToken;
151 TOKEN_PRIVILEGES tp;
152 LUID luid;
153
154 // Step 1: Open the current process token
155 if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
156 std::cerr << "[-] OpenProcessToken failed: " << GetLastError() << "\n";
157 return false;
158 }
159
160 // Step 2: Get the LUID for SeDebugPrivilege
161 if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {
162 std::cerr << "[-] LookupPrivilegeValue failed: " << GetLastError() << "\n";
163 CloseHandle(hToken);
164 return false;
165 }
166
167 // Step 3: Set up the TOKEN_PRIVILEGES structure
168 tp.PrivilegeCount = 1;
169 tp.Privileges[0].Luid = luid;
170 tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
171
172 // Step 4: Adjust token privileges to enable SeDebugPrivilege
173 if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), nullptr, nullptr)) {
174 std::cerr << "[-] AdjustTokenPrivileges failed: " << GetLastError() << "\n";
175 CloseHandle(hToken);
176 return false;
177 }
178
179 if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
180 std::cerr << "[-] The token does not have the specified privilege.\n";
181 CloseHandle(hToken);
182 return false;
183 }
184
185 CloseHandle(hToken);
186 return true;
187 }
188
189 // Helper function to get entry point from PE headers
190 DWORD_PTR getEntryPoint(HANDLE hProcess, LPVOID baseAddress) {
191 IMAGE_DOS_HEADER dosHeader;
192 IMAGE_NT_HEADERS ntHeaders;
193
194 SIZE_T bytesRead;
195
196 // Read DOS header
197 if (!ReadProcessMemory(hProcess, baseAddress, &dosHeader, sizeof(dosHeader), &bytesRead) ||
198 bytesRead != sizeof(dosHeader) || dosHeader.e_magic != IMAGE_DOS_SIGNATURE) {
199 return 0;
200 }
201
202 // Read NT headers
203 LPVOID ntHeadersAddr = (LPBYTE)baseAddress + dosHeader.e_lfanew;
204 if (!ReadProcessMemory(hProcess, ntHeadersAddr, &ntHeaders, sizeof(ntHeaders), &bytesRead) ||
205 bytesRead != sizeof(ntHeaders) || ntHeaders.Signature != IMAGE_NT_SIGNATURE) {
206 return 0;
207 }
208
209 // Calculate entry point address
210 DWORD_PTR entryPoint = (DWORD_PTR)baseAddress + ntHeaders.OptionalHeader.AddressOfEntryPoint;
211 return entryPoint;
212 }
213}
RoboDBG::Util
Utility helper functions for more high-level stuff.
Definition util.cpp:4
RoboDBG::Util::getEntryPoint
DWORD_PTR getEntryPoint(HANDLE hProcess, LPVOID baseAddress)
Gets the entry point address of a loaded module in a remote process.
Definition util.cpp:190
RoboDBG::Util::EnableDebugPrivilege
bool EnableDebugPrivilege()
Enables the SeDebugPrivilege privilege for the current process.
Definition util.cpp:149
RoboDBG::Util::findProcessId
DWORD findProcessId(const std::string &processName)
Finds the process ID of a process by name.
Definition util.cpp:122
RoboDBG::Util::getDllName
std::string getDllName(HANDLE hProcess, LPVOID lpImageName, BOOL isUnicode)
Retrieves the name of a DLL from a remote process.
Definition util.cpp:55
RoboDBG::Util::executeRemote
bool executeRemote(HANDLE hProcessGlobal, const std::vector< BYTE > &shellcode)
Executes shellcode in a remote process.
Definition util.cpp:93
RoboDBG::Util::injectDLL
uintptr_t injectDLL(HANDLE hProcess, const char *dllPath)
Injects a DLL into the specified process.
Definition util.cpp:5
util.h
Various high-level Utility functions.