Panoptes 1.0.0
Endpoint Detection and Response
Loading...
Searching...
No Matches
Classes | Macros | Typedefs | Enumerations | Functions | Variables
inject.h File Reference

Go to the source code of this file.

Classes

struct  LDR_DATA_TABLE_ENTRY
 
struct  _PEB_LDR_DATA
 
struct  _PEB
 
struct  _IMAGE_DOS_HEADER
 
struct  _IMAGE_FILE_HEADER
 
struct  _IMAGE_DATA_DIRECTORY
 
struct  _IMAGE_OPTIONAL_HEADER64
 
struct  _IMAGE_NT_HEADERS64
 
struct  _IMAGE_EXPORT_DIRECTORY
 
struct  _APC_DATA
 

Macros

#define TAG   'inje'
 
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES   16
 
#define IMAGE_DIRECTORY_ENTRY_EXPORT   0
 

Typedefs

typedef unsigned long DWORD
 
typedef int BOOL
 
typedef unsigned char BYTE
 
typedef unsigned short WORD
 
typedef struct _PEB_LDR_DATA PEB_LDR_DATA
 
typedef struct _PEB_LDR_DATAPPEB_LDR_DATA
 
typedef struct _PEB PEB
 
typedef struct _PEBPPEB
 
typedef struct _IMAGE_DOS_HEADER IMAGE_DOS_HEADER
 
typedef struct _IMAGE_DOS_HEADERPIMAGE_DOS_HEADER
 
typedef struct _IMAGE_FILE_HEADER IMAGE_FILE_HEADER
 
typedef struct _IMAGE_FILE_HEADERPIMAGE_FILE_HEADER
 
typedef struct _IMAGE_DATA_DIRECTORY IMAGE_DATA_DIRECTORY
 
typedef struct _IMAGE_DATA_DIRECTORYPIMAGE_DATA_DIRECTORY
 
typedef struct _IMAGE_OPTIONAL_HEADER64 IMAGE_OPTIONAL_HEADER64
 
typedef struct _IMAGE_OPTIONAL_HEADER64PIMAGE_OPTIONAL_HEADER64
 
typedef struct _IMAGE_NT_HEADERS64 IMAGE_NT_HEADERS64
 
typedef struct _IMAGE_NT_HEADERS64PIMAGE_NT_HEADERS64
 
typedef struct _IMAGE_EXPORT_DIRECTORY IMAGE_EXPORT_DIRECTORY
 
typedef struct _IMAGE_EXPORT_DIRECTORYPIMAGE_EXPORT_DIRECTORY
 
typedef enum _KAPC_ENVIRONMENT KAPC_ENVIRONMENT
 
typedef enum _KAPC_ENVIRONMENTPKAPC_ENVIRONMENT
 
typedef VOID(NTAPI * PKNORMAL_ROUTINE) (_In_ PVOID NormalContext, _In_ PVOID SystemArgument1, _In_ PVOID SystemArgument2)
 
typedef VOID KKERNEL_ROUTINE(_In_ PRKAPC Apc, _Inout_opt_ PKNORMAL_ROUTINE *NormalRoutine, _Inout_opt_ PVOID *NormalContext, _Inout_ PVOID *SystemArgument1, _Inout_ PVOID *SystemArgument2)
 
typedef struct _APC_DATA APC_DATA
 
typedef struct _APC_DATAPAPC_DATA
 
typedef VOID(NTAPI * PKRUNDOWN_ROUTINE) (_In_ PRKAPC Apc)
 

Enumerations

enum  _KAPC_ENVIRONMENT { OriginalApcEnvironment , AttachedApcEnvironment , CurrentApcEnvironment , InsertApcEnvironment }
 

Functions

typedef KKERNEL_ROUTINE (NTAPI *PKKERNEL_ROUTINE)
 
VOID NTAPI KeInitializeApc (_Out_ PRKAPC Apc, _In_ PRKTHREAD Thread, _In_ KAPC_ENVIRONMENT Environment, _In_ PKKERNEL_ROUTINE KernelRoutine, _In_opt_ PKRUNDOWN_ROUTINE RundownRoutine, _In_opt_ PKNORMAL_ROUTINE NormalRoutine, _In_opt_ KPROCESSOR_MODE ProcessorMode, _In_opt_ PVOID NormalContext)
 
BOOLEAN NTAPI KeInsertQueueApc (_Inout_ PRKAPC Apc, _In_opt_ PVOID SystemArgument1, _In_opt_ PVOID SystemArgument2, _In_ KPRIORITY Increment)
 
bool InjectDLL (HANDLE ProcessId, PVOID processInfo)
 
NTSTATUS AllocateMemoryInUserProcess (PEPROCESS Process, SIZE_T Size, PVOID *AllocatedAddress)
 
NTSTATUS WriteToTargetProcessMemory (PEPROCESS Process, PVOID TargetAddress, SIZE_T Size, PVOID DataToWrite)
 

Variables

EX_RUNDOWN_REF PendingOperations
 

Macro Definition Documentation

◆ IMAGE_DIRECTORY_ENTRY_EXPORT

#define IMAGE_DIRECTORY_ENTRY_EXPORT   0

Definition at line 9 of file inject.h.

◆ IMAGE_NUMBEROF_DIRECTORY_ENTRIES

#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES   16

Definition at line 8 of file inject.h.

◆ TAG

#define TAG   'inje'

Definition at line 7 of file inject.h.

Typedef Documentation

◆ APC_DATA

typedef struct _APC_DATA APC_DATA

◆ BOOL

typedef int BOOL

Definition at line 3 of file inject.h.

◆ BYTE

typedef unsigned char BYTE

Definition at line 4 of file inject.h.

◆ DWORD

typedef unsigned long DWORD

Definition at line 2 of file inject.h.

◆ IMAGE_DATA_DIRECTORY

typedef struct _IMAGE_DATA_DIRECTORY IMAGE_DATA_DIRECTORY

◆ IMAGE_DOS_HEADER

typedef struct _IMAGE_DOS_HEADER IMAGE_DOS_HEADER

◆ IMAGE_EXPORT_DIRECTORY

typedef struct _IMAGE_EXPORT_DIRECTORY IMAGE_EXPORT_DIRECTORY

◆ IMAGE_FILE_HEADER

typedef struct _IMAGE_FILE_HEADER IMAGE_FILE_HEADER

◆ IMAGE_NT_HEADERS64

typedef struct _IMAGE_NT_HEADERS64 IMAGE_NT_HEADERS64

◆ IMAGE_OPTIONAL_HEADER64

typedef struct _IMAGE_OPTIONAL_HEADER64 IMAGE_OPTIONAL_HEADER64

◆ KAPC_ENVIRONMENT

typedef enum _KAPC_ENVIRONMENT KAPC_ENVIRONMENT

◆ KKERNEL_ROUTINE

typedef VOID KKERNEL_ROUTINE(_In_ PRKAPC Apc, _Inout_opt_ PKNORMAL_ROUTINE *NormalRoutine, _Inout_opt_ PVOID *NormalContext, _Inout_ PVOID *SystemArgument1, _Inout_ PVOID *SystemArgument2)

Definition at line 214 of file inject.h.

◆ PAPC_DATA

typedef struct _APC_DATA * PAPC_DATA

◆ PEB

typedef struct _PEB PEB

◆ PEB_LDR_DATA

typedef struct _PEB_LDR_DATA PEB_LDR_DATA

◆ PIMAGE_DATA_DIRECTORY

typedef struct _IMAGE_DATA_DIRECTORY * PIMAGE_DATA_DIRECTORY

◆ PIMAGE_DOS_HEADER

typedef struct _IMAGE_DOS_HEADER * PIMAGE_DOS_HEADER

◆ PIMAGE_EXPORT_DIRECTORY

typedef struct _IMAGE_EXPORT_DIRECTORY * PIMAGE_EXPORT_DIRECTORY

◆ PIMAGE_FILE_HEADER

typedef struct _IMAGE_FILE_HEADER * PIMAGE_FILE_HEADER

◆ PIMAGE_NT_HEADERS64

typedef struct _IMAGE_NT_HEADERS64 * PIMAGE_NT_HEADERS64

◆ PIMAGE_OPTIONAL_HEADER64

typedef struct _IMAGE_OPTIONAL_HEADER64 * PIMAGE_OPTIONAL_HEADER64

◆ PKAPC_ENVIRONMENT

typedef enum _KAPC_ENVIRONMENT * PKAPC_ENVIRONMENT

◆ PKNORMAL_ROUTINE

typedef VOID(NTAPI * PKNORMAL_ROUTINE) (_In_ PVOID NormalContext, _In_ PVOID SystemArgument1, _In_ PVOID SystemArgument2)

Definition at line 208 of file inject.h.

◆ PKRUNDOWN_ROUTINE

typedef VOID(NTAPI * PKRUNDOWN_ROUTINE) (_In_ PRKAPC Apc)

Definition at line 230 of file inject.h.

◆ PPEB

typedef struct _PEB * PPEB

◆ PPEB_LDR_DATA

typedef struct _PEB_LDR_DATA * PPEB_LDR_DATA

◆ WORD

typedef unsigned short WORD

Definition at line 5 of file inject.h.

Enumeration Type Documentation

◆ _KAPC_ENVIRONMENT

enum _KAPC_ENVIRONMENT
Enumerator
OriginalApcEnvironment 
AttachedApcEnvironment 
CurrentApcEnvironment 
InsertApcEnvironment 

Definition at line 201 of file inject.h.

201 {
202 OriginalApcEnvironment,
203 AttachedApcEnvironment,
204 CurrentApcEnvironment,
205 InsertApcEnvironment
206} KAPC_ENVIRONMENT, * PKAPC_ENVIRONMENT;
PKAPC_ENVIRONMENT
enum _KAPC_ENVIRONMENT * PKAPC_ENVIRONMENT
AttachedApcEnvironment
@ AttachedApcEnvironment
Definition inject.h:203
OriginalApcEnvironment
@ OriginalApcEnvironment
Definition inject.h:202
CurrentApcEnvironment
@ CurrentApcEnvironment
Definition inject.h:204
InsertApcEnvironment
@ InsertApcEnvironment
Definition inject.h:205
KAPC_ENVIRONMENT
enum _KAPC_ENVIRONMENT KAPC_ENVIRONMENT

Function Documentation

◆ AllocateMemoryInUserProcess()

NTSTATUS AllocateMemoryInUserProcess ( PEPROCESS  Process,
SIZE_T  Size,
PVOID *  AllocatedAddress 
)

Definition at line 69 of file inject.cpp.

70{
71 HANDLE processHandle = NULL;
72 NTSTATUS status;
73 SIZE_T allocSize = Size;
74 PVOID baseAddress = NULL;
75
76 // Open a handle to the process
77 status = ObOpenObjectByPointer(targetProcess,
78 OBJ_KERNEL_HANDLE,
79 NULL,
80 PROCESS_ALL_ACCESS,
81 *PsProcessType,
82 KernelMode,
83 &processHandle);
84
85 if (NT_SUCCESS(status)) {
86 // Allocate memory in the target process
87 status = ZwAllocateVirtualMemory(processHandle,
88 &baseAddress,
89 0,
90 &allocSize,
91 MEM_COMMIT | MEM_RESERVE,
92 PAGE_READWRITE);
93
94 if (NT_SUCCESS(status)) {
95 //RtlZeroMemory(baseAddress, Size);
96 *AllocatedAddress = baseAddress;
97 }
98
99 // Close the process handle
100 ZwClose(processHandle);
101 }
102
103 // Dereference the process
104 ObDereferenceObject(targetProcess);
105
106 return status;
107}

◆ InjectDLL()

bool InjectDLL ( HANDLE  ProcessId,
PVOID  processInfo 
)

◆ KeInitializeApc()

VOID NTAPI KeInitializeApc ( _Out_ PRKAPC  Apc,
_In_ PRKTHREAD  Thread,
_In_ KAPC_ENVIRONMENT  Environment,
_In_ PKKERNEL_ROUTINE  KernelRoutine,
_In_opt_ PKRUNDOWN_ROUTINE  RundownRoutine,
_In_opt_ PKNORMAL_ROUTINE  NormalRoutine,
_In_opt_ KPROCESSOR_MODE  ProcessorMode,
_In_opt_ PVOID  NormalContext 
)

Referenced by InjectDllKernelApc(), and InstallKernelModeApcToInjectDll().

◆ KeInsertQueueApc()

BOOLEAN NTAPI KeInsertQueueApc ( _Inout_ PRKAPC  Apc,
_In_opt_ PVOID  SystemArgument1,
_In_opt_ PVOID  SystemArgument2,
_In_ KPRIORITY  Increment 
)

Referenced by InjectDllKernelApc(), and InstallKernelModeApcToInjectDll().

◆ KKERNEL_ROUTINE()

typedef KKERNEL_ROUTINE ( NTAPI *  PKKERNEL_ROUTINE)

◆ WriteToTargetProcessMemory()

NTSTATUS WriteToTargetProcessMemory ( PEPROCESS  Process,
PVOID  TargetAddress,
SIZE_T  Size,
PVOID  DataToWrite 
)

Definition at line 11 of file inject.cpp.

12{
13 KAPC_STATE apcState;
14 PMDL mdl = NULL;
15 PVOID kernelAddress = NULL;
16 NTSTATUS status = STATUS_SUCCESS;
17
18 // Attach to the target process
19 KeStackAttachProcess(targetProcess, &apcState);
20
21 __try {
22 // Create the MDL for the target process memory
23 mdl = IoAllocateMdl(TargetAddress, (ULONG)Size, FALSE, FALSE, NULL);
24 if (!mdl) {
25 status = STATUS_INSUFFICIENT_RESOURCES;
26 __leave;
27 }
28
29 __try {
30 // Probe and lock the pages
31 MmProbeAndLockPages(mdl, KernelMode, IoWriteAccess);
32
33 // Map the MDL to system address space
34 kernelAddress = MmGetSystemAddressForMdlSafe(mdl, NormalPagePriority);
35 if (!kernelAddress) {
36 status = STATUS_INSUFFICIENT_RESOURCES;
37 __leave;
38 }
39
40 // Write to the mapped address
41 RtlCopyMemory(kernelAddress, DataToWrite, Size);
42 }
43 __except (EXCEPTION_EXECUTE_HANDLER) {
44 status = GetExceptionCode();
45 }
46 }
47 __finally {
48 // Cleanup
49 if (kernelAddress) {
50 MmUnmapLockedPages(kernelAddress, mdl);
51 }
52 if (mdl) {
53 if (mdl->MdlFlags & MDL_PAGES_LOCKED) {
54 MmUnlockPages(mdl);
55 }
56 IoFreeMdl(mdl);
57 }
58
59 // Detach from the target process
60 KeUnstackDetachProcess(&apcState);
61
62 // Dereference the process
63 ObDereferenceObject(targetProcess);
64 }
65
66 return status;
67}

Variable Documentation

◆ PendingOperations

EX_RUNDOWN_REF PendingOperations
extern
Generated by doxygen 1.9.8