From 87e72967541f3311e7e9fb80f90fda6f78f6524b Mon Sep 17 00:00:00 2001
From: Grzegorz Rychlik
Date: Tue, 7 Jan 2020 12:59:52 +0100
Subject: [PATCH] Change loader output to DLL
---
 Src/CebuLoader/AccessPayload.h | 11 +++++++---
 Src/CebuLoader/CebuLoader.vcxproj | 18 ++++++++++------
 Src/CebuLoader/CebuLoaderMain.cpp | 35 ++++++++++++++++---------------
 Src/CebuLoader/Stdafx.h | 2 ++
 4 files changed, 40 insertions(+), 26 deletions(-)
diff --git a/Src/CebuLoader/AccessPayload.h b/Src/CebuLoader/AccessPayload.h
index 78e701e..27f7cff 100644
--- a/Src/CebuLoader/AccessPayload.h
+++ b/Src/CebuLoader/AccessPayload.h
@@ -6,12 +6,17 @@
 // Payload form [16 byte guid][1 byte terminator 0xff][4 byte size][body]
-static char* FindStartOfResource(void* startofImage, size_t sizeOfImage)
+static char* FindStartOfResource(void* startofImage)
 {
- if (sizeOfImage >= 21)
- for (char* p = (char*) startofImage; p < (char*) startofImage + sizeOfImage - 21; ++p)
+ __try
+ {
+ for (char* p = (char*) startofImage;; ++p)
 if (!memcmp(p, EMBEDDED_DLL_PAYLOAD, 16) && p[16] == '\xff')
 return p;
+ }
+ __except (GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH)
+ {
+ }
 return NULL;
 }
diff --git a/Src/CebuLoader/CebuLoader.vcxproj b/Src/CebuLoader/CebuLoader.vcxproj
index 1405741..7db9686 100644
--- a/Src/CebuLoader/CebuLoader.vcxproj
+++ b/Src/CebuLoader/CebuLoader.vcxproj
@@ -35,40 +35,40 @@ - Application + DynamicLibrary true v141 Unicode - Application + DynamicLibrary false v141 true Unicode - Application + DynamicLibrary false v141 true Unicode - Application + DynamicLibrary true v141 Unicode - Application + DynamicLibrary false v141 true Unicode - Application + DynamicLibrary false v141 true
@@ -146,6 +146,7 @@ MultiThreadedDebug stdcpp17 false + false Console
@@ -172,6 +173,7 @@ stdcpp17 EditAndContinue false + false Console
@@ -204,6 +206,7 @@ false AnySuitable true + false Windows 
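Review bot: In the AccessPayload.h hunk the rewritten `FindStartOfResource` has no upper bound any more: the `for (char* p = (char*) startofImage;; ++p)` loop only stops when a read faults, so it walks past the end of the loader's own image into whatever happens to be mapped after it, and a stray 16-byte match there would be returned as the payload. The caller (`GetTargetDll` in CebuLoaderMain.cpp) already holds the module base and can derive `SizeOfImage` from the NT headers exactly as the removed code did, so the size parameter should stay and the loop be written as `for (char* p = (char*) startofImage; p + 21 <= (char*) startofImage + sizeOfImage; ++p)` (21 = marker + terminator + size field per the comment above), leaving the SEH block as a last resort rather than the loop's only exit. The filter also handles only `EXCEPTION_ACCESS_VIOLATION`; a read that touches a guard page raises `EXCEPTION_GUARD_PAGE` and would, I believe, propagate out of the function. If the open-ended scan is deliberate, a comment above the `__try` saying so and why would help the next reader.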
@@ -240,6 +243,7 @@ true false Disabled + false Console
@@ -276,6 +280,7 @@ false AnySuitable true + false Windows
@@ -310,6 +315,7 @@ true false AnySuitable + false Console
diff --git a/Src/CebuLoader/CebuLoaderMain.cpp b/Src/CebuLoader/CebuLoaderMain.cpp
index 354d0ff..14cbf44 100644
--- a/Src/CebuLoader/CebuLoaderMain.cpp
+++ b/Src/CebuLoader/CebuLoaderMain.cpp
@@ -1,6 +1,5 @@
 #include "StdAfx.h"
 #include "AccessPayload.h"
-#include "tlhelp32.h"
 #ifdef _WIN64
 #define HOST_MACHINE IMAGE_FILE_MACHINE_AMD64
@@ -62,31 +61,18 @@ LONG CALLBACK PatchCppException(PEXCEPTION_POINTERS exceptionInfo)
 /// Search for payload in own memory.
 /// @returns pointer to dll file stored as resource.
-char* GetTargetDll()
+char* GetTargetDll(void* baseAddress)
 {
- auto ME32 = MODULEENTRY32{ sizeof(MODULEENTRY32), };
- auto moduleHandle = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId());
-
- Module32First(moduleHandle, &ME32);
- CloseHandle(moduleHandle);
-
- auto baseAddress = ME32.modBaseAddr;
- auto dosHeader = Rva2Va(baseAddress, 0);
- auto ntHeaders = Rva2Va(baseAddress, dosHeader->e_lfanew);
-
- return GetPayload(FindStartOfResource(baseAddress, ntHeaders->OptionalHeader.SizeOfImage));
+ return GetPayload(FindStartOfResource(baseAddress));
 }
 /// Entry point of the application.
-/// @param argc number of program arguments.
-/// @param argv vector of program arguments.
-int main(int argc, char* argv[])
+int LoadPe(void* dllData)
 {
 // Loader code based on Shellcode Reflective DLL Injection by Nick Landers https://github.com/monoxgas/sRDI
 // which is derived from "Improved Reflective DLL Injection" from Dan Staples https://disman.tl/2015/01/30/an-improved-reflective-dll-injection-technique.html
 // which itself is derived from the original project by Stephen Fewer. https://github.com/stephenfewer/ReflectiveDLLInjection
- auto dllData = GetTargetDll();
 auto dosHeader = Rva2Va(dllData, 0);
 auto ntHeaders = Rva2Va(dllData, dosHeader->e_lfanew);
 auto sizeOfImage = ntHeaders->OptionalHeader.SizeOfImage;
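Review bot: The doc comment kept above the new `LoadPe` still reads `/// Entry point of the application.`, which described `main` and is now wrong, and neither the new `dllData` parameter nor `GetTargetDll`'s new `baseAddress` parameter is documented. Replace that line with `/// Maps the PE image held in dllData and runs it.`, `/// @param dllData pointer to the raw DLL file bytes, as returned by GetTargetDll.` and `/// @returns 0; the only return visible in this patch is the one appended at the end of the function, so the outcome of the load is not reported to the caller.`, and give `GetTargetDll` a `@param` line stating that `baseAddress` is the base of the module whose image is scanned for the embedded payload. `LoadPe` begins in this hunk and its body continues past it, so the `@returns` wording should be checked against any other return statements in the part not shown here.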
@@ -344,5 +330,20 @@ int main(int argc, char* argv[])
 RemoveVectoredExceptionHandler(veh);
 // TODO cleanup after RtlAddFunctionTable
 VirtualFree((void*)baseAddress, alignedImageSize, MEM_RELEASE);
+ return 0;
 }
+void ExecResource(void* baseAddress)
+{
+ if (auto resource = GetTargetDll(baseAddress))
+ LoadPe(resource);
+}
+
+BOOL WINAPI DllMain(HINSTANCE instance, DWORD reason, LPVOID)
+{
+ // Indicate successful load of the library.
+ if (reason == DLL_PROCESS_ATTACH)
+ ExecResource(instance);
+
+ return TRUE;
+}
diff --git a/Src/CebuLoader/Stdafx.h b/Src/CebuLoader/Stdafx.h
index 5a1f7fd..ada2398 100644
--- a/Src/CebuLoader/Stdafx.h
+++ b/Src/CebuLoader/Stdafx.h
@@ -1,5 +1,7 @@
 #pragma once
+#define _HAS_EXCEPTIONS 0
+
 // Standard library includes.
 #include //< For std::cout, std::cerr. Remove when common files will not nead it.
 #include
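Review bot: `DllMain` calls `ExecResource` straight from `DLL_PROCESS_ATTACH`, so all of `LoadPe` — which, per the context lines at the top of this hunk, tears down a vectored exception handler and frees a mapped image, and whose remaining body lies outside the hunk — runs while the process loader lock is held; the DllMain rules forbid loading libraries, creating or waiting on threads and most CRT work from there, so whether this is safe depends on what the rest of `LoadPe` does and deserves either a comment stating that it was checked or a restructuring. The conventional shape is to keep `DllMain` to the attach check and `return TRUE;` and defer the heavy work to an entry point the host invokes after the library has been mapped. Separately, `// Indicate successful load of the library.` is placed above the attach check but describes the `return TRUE;` three lines lower, so it should move onto that line. `ExecResource` also discards `LoadPe`'s return value, which is always the `return 0;` added in this hunk; either propagate a meaningful status or make `LoadPe` return `void` so the interface does not promise one.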
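Review bot: In the Stdafx.h hunk, `#define _HAS_EXCEPTIONS 0` is not an officially documented MSVC STL configuration and only takes effect when it is seen before the first STL header in every translation unit, which here depends on every .cpp including the precompiled header first; a TU that pulls in an STL header earlier, or is built without the PCH, sees a different `std` configuration and can fail to link or behave differently. Putting the define in the project's preprocessor definitions (next to whatever the `false` entries in the .vcxproj hunks correspond to, presumably exception handling being switched off) applies it uniformly. Whichever location is kept, add a why-comment such as `// Built without C++ exceptions; this makes the STL stop throwing. Must be defined before every STL include.` so the reason and the ordering constraint survive the next refactor.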