Basit DLL Injector (Kernel Altyapılı / Geliştirilebilir)

Herkese selamlar,

Bugün sizlerle kendi hazırladığım ve üzerinde çalıştığım basit bir DLL Injector projesini paylaşmak istedim.

"Basit" dediğime bakmayın; projenin asıl hali bir Kernel Injector'dür. Ancak konuyu çok fazla dağıtmamak ve temel mantığı göstermek adına burada sadece kodun Main (User Mode) kısmını paylaşıyorum. (Driver, mapper ve user mode-kernel iletişim modülleri konuya dahil edilmemiştir.)

Özellikler & Kullanım:

  • Mevcut Haliyle: Herhangi bir anti-cheat koruması bulunmayan oyunlarda/programlarda DLL'lerinizi başarıyla inject edebilirsiniz.
  • Geliştirilmiş Haliyle: Yukarıda bahsettiğim eksik modülleri (Driver & Mapper) projeye entegre ederseniz, güçlü anti-cheat (EAC/BE vb.) korumalı oyunlarda da rahatlıkla kullanabilirsiniz. Geliştirmeye son derece açık bir altyapısı vardır.
⚠️ ÖNEMLİ NOT: Eğer projeyi geliştirmeden, paylaştığım bu ham haliyle kullanacaksanız; kod içerisindeki driver/mapper fonksiyon çağrılarını tamamen temizleyin. Aksi takdirde derleme veya runtime hataları alırsınız.
Proje veya geliştirme aşamaları hakkında sorularınız olursa konu altından veya Discord üzerinden sorabilirsiniz. Geliştirmek isteyen arkadaşlara elimden geldiğince yardımcı olurum.

Discord: lyr1ca.x4n

Kodlar aşağıdadır:

C++:
#include <iostream>
#include <vector>
#include <fstream>
#include <windows.h>
#include <tlhelp32.h>
#include <random>
#include <string>

#include "xor.h"
#include "driver.hpp"
#include "sysraw.h"
#include "driverraw.h"

#define RELOC_FLAG32(RelInfo) ((RelInfo >> 12) == IMAGE_REL_BASED_HIGHLOW)

typedef HANDLE(WINAPI* CreateToolhelp32Snapshot_t)(DWORD, DWORD);
typedef BOOL(WINAPI* Process32First_t)(HANDLE, LPPROCESSENTRY32);
typedef BOOL(WINAPI* Process32Next_t)(HANDLE, LPPROCESSENTRY32);

// Returns a `length`-character wide string drawn uniformly from [a-zA-Z0-9].
// A fresh mt19937 is seeded from std::random_device on every call; that is
// enough for unpredictable temp-file names, but mt19937 is not a cryptographic
// generator, so do not reuse this for keys or tokens.
std::wstring GenerateRandomString(size_t length) {
    static constexpr wchar_t kAlphabet[] =
        L"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    // sizeof counts the terminating NUL; subtract it.
    constexpr int kAlphabetLen =
        static_cast<int>(sizeof(kAlphabet) / sizeof(kAlphabet[0])) - 1;

    std::random_device seed_source;
    std::mt19937 engine(seed_source());
    std::uniform_int_distribution<> pick(0, kAlphabetLen - 1);

    std::wstring out;
    out.reserve(length);
    while (out.size() < length) {
        out.push_back(kAlphabet[pick(engine)]);
    }
    return out;
}

void SecureDeleteFile(const std::wstring& filePath) {
    std::ifstream checkFile(filePath, std::ios::binary | std::ios::ate);
    if (checkFile.is_open()) {
        std::streamsize size = checkFile.tellg();
        checkFile.close();
        std::ofstream overwriteFile(filePath, std::ios::binary);
        if (overwriteFile.is_open()) {
            std::vector<char> zeroBuffer(static_cast<size_t>(size), 0);
            overwriteFile.write(zeroBuffer.data(), size);
            overwriteFile.close();
        }
    }
    DeleteFileW(filePath.c_str());
}

std::wstring DropPayload(const std::wstring& extension, unsigned char* bytes, unsigned int size) {
    PVOID wow64Value = NULL;
    Wow64DisableWow64FsRedirection(&wow64Value);
    wchar_t windows_path[MAX_PATH];
    if (!GetWindowsDirectoryW(windows_path, MAX_PATH)) {
        Wow64RevertWow64FsRedirection(wow64Value);
        return L"";
    }
    std::wstring random_folder = GenerateRandomString(7);
    std::wstring random_file = GenerateRandomString(9);

    std::wstring base_dir = std::wstring(windows_path) + L"\\Tasks\\";
    std::wstring target_dir = base_dir + random_folder + L"\\";
    CreateDirectoryW(target_dir.c_str(), NULL);
    std::wstring full_path = target_dir + random_file + extension;
    std::ofstream file(full_path, std::ios::binary);
    if (!file.is_open()) {
        base_dir = std::wstring(windows_path) + L"\\Tracing\\";
        target_dir = base_dir + random_folder + L"\\";
        CreateDirectoryW(target_dir.c_str(), NULL);
        full_path = target_dir + random_file + extension;
        file.open(full_path, std::ios::binary);
        if (!file.is_open()) {
            Wow64RevertWow64FsRedirection(wow64Value);
            return L"";
        }
    }
    file.write(reinterpret_cast<char*>(bytes), size);
    file.close();
    Wow64RevertWow64FsRedirection(wow64Value);
    return full_path;
}

bool LoadDriverViaMapper(const std::wstring& mapperPath, const std::wstring& driverPath) {
    std::wstring cmd_args = L"\"" + mapperPath + L"\" \"" + driverPath + L"\"";
    STARTUPINFOW si = { sizeof(si) };
    PROCESS_INFORMATION pi;
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_HIDE;
    if (CreateProcessW(NULL, &cmd_args[0], NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi)) {
        WaitForSingleObject(pi.hProcess, 15000);
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
        return true;
    }
    return false;
}


bool ExecuteUzayOtesiMap(DWORD pid, std::vector<uint8_t>& dllBytes) {
    if (dllBytes.empty()) return false;

    auto* dosHeader = reinterpret_cast<const IMAGE_DOS_HEADER*>(dllBytes.data());
    auto* ntHeaders = reinterpret_cast<const IMAGE_NT_HEADERS*>(dllBytes.data() + dosHeader->e_lfanew);
    size_t imageSize = ntHeaders->OptionalHeader.SizeOfImage;

   .

    std::cout << "[*] Alternatif Güvenli Bellek Modu Devreye Aliniyor..." << std::endl;

 
    uintptr_t targetBase = mem::allocate_memory(imageSize);

    if (!targetBase) {
        // EĞER SÜRÜCÜ SIFIR DÖNERSE:
        // Sürücü tamamen kilitlenmiş demektir. Bu durumda sürücünün IOCTL iletişim kodunun (driver.hpp)
        // işletim sistemi tarafından engellenip engellenmediğini doğrulamamız gerekir.
        std::cout << "[-] Sürücü IOCTL İletişim Hatasi. Sürücü komutlari işletilemiyor." << std::endl;
        return false;
    }

   
    mem::write_physical(taregtBase, const_cast<uint8_t*>(dllBytes.data()), ntHeaders->OptionalHeader.SizeOfHeaders);

    auto* sectionHeader = IMAGE_FIRST_SECTION(ntHeaders);
    for (WORD i = 0; i < ntHeaders->FileHeader.NumberOfSections; ++i) {
        if (sectionHeader[i].SizeOfRawData > 0) {
            mem::write_physical(targetBase + sectionHeader[i].VirtualAddress,
                dllBytes.data() + sectionHeader[i].PointerToRawData,
                sectionHeader[i].SizeOfRawData);
        }
    }

    // Relocation (Yeniden Konumlandırma) İşlemleri
    uintptr_t delta = targetBase - ntHeaders->OptionalHeader.ImageBase;
    if (delta != 0) {
        auto& relocDir = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
        if (relocDir.Size > 0) {
            auto* relocData = reinterpret_cast<const IMAGE_BASE_RELOCATION*>(dllBytes.data() + relocDir.VirtualAddress);
            while (relocData->VirtualAddress > 0) {
                DWORD totalEntries = (relocData->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
                const WORD* relativeInfo = reinterpret_cast<const WORD*>(relocData + 1);
                for (DWORD i = 0; i < totalEntries; ++i) {
                    if (RELOC_FLAG32(relativeInfo[i])) {
                        uintptr_t patchAddress = targetBase + relocData->VirtualAddress + (relativeInfo[i] & 0xFFF);
                        uint32_t originalAddress = 0;
                        mem::read_physical(patchAddress, &originalAddress, sizeof(uint32_t));
                        originalAddress += static_cast<uint32_t>(delta);
                        mem::write_physical(patchAddress, &originalAddress, sizeof(uint32_t));
                    }
                }
                relocData = reinterpret_cast<const IMAGE_BASE_RELOCATION*>(reinterpret_cast<const BYTE*>(relocData) + relocData->SizeOfBlock);
            }
        }
    }

    // Giriş noktasını tetikleme
    uintptr_t entryPoint = targetBase + ntHeaders->OptionalHeader.AddressOfEntryPoint;
    std::cout << "[+] Bellek Hazir. Kesin tetikleme noktasi: 0x" << std::hex << entryPoint << std::dec << std::endl;

    return true;
}

int main() {
    Sleep(100);
    std::cout << "[*] Uygulama baslatildi." << std::endl;

    std::wstring randomTitle = GenerateRandomString(15);
    SetConsoleTitleW(randomTitle.c_str());

    if (!mem::find_driver()) {
        std::cout << "[*] Surucu yukleniyor..." << std::endl;
        std::wstring mapperPath = DropPayload(L".exe", kdmapper_bytes, kdmapper_size);
        std::wstring driverPath = DropPayload(L".sys", kancali_driver_bytes, kancali_driver_size);

        if (mapperPath.empty() || driverPath.empty()) {
            std::cout << "[-] Dosya olusturma hatasi." << std::endl;
            Sleep(3000);
            return 1;
        }

        bool loadStatus = LoadDriverViaMapper(mapperPath, driverPath);
        SecureDeleteFile(mapperPath);
        SecureDeleteFile(driverPath);

        if (!loadStatus || !mem::find_driver()) {
            std::cout << "[-] Surucu haritalama basarisiz." << std::endl;
            Sleep(3000);
            return 1;
        }
    }

    HMODULE hKernel32 = GetModuleHandleA(_X("kernel32.dll").c_str());
    if (!hKernel32) {
        std::cout << "[-] HMODULE bulunamadi." << std::endl;
        Sleep(3000);
        return 1;
    }

    auto pCreateToolhelp32Snapshot = (CreateToolhelp32Snapshot_t)GetProcAddress(hKernel32, _X("CreateToolhelp32Snapshot").c_str());
    auto pProcess32First = (Process32First_t)GetProcAddress(hKernel32, _X("Process32First").c_str());
    auto pProcess32Next = (Process32Next_t)GetProcAddress(hKernel32, _X("Process32Next").c_str());

 

    if (!pCreateToolhelp32Snapshot || !pProcess32First || !pProcess32Next) {
        std::cout << "[-] API fonksiyonlari cozumlenemedi." << std::endl;
        Sleep(3000);
        return 1;
    }


    std::string hedef_oyun;
    std::cout << "[*] Hedef surecin adini giriniz (Orn: hedef.exe): ";
    std::cin >> hedef_oyun;

    // Eğer kullanıcı uzantıyı yazmadıysa otomatik olarak .exe ekleme kontrolü
    if (hedef_oyun.find(".exe") == std::string::npos) {
        hedef_oyun += ".exe";
    }

    DWORD pid = 0;
    std::cout << "[*] '" << hedef_oyun << "' sureci bekleniyor..." << std::endl;

    while (pid == 0) {
        HANDLE hSnap = pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hSnap != INVALID_HANDLE_VALUE) {
            PROCESSENTRY32 pe;
            pe.dwSize = sizeof(PROCESSENTRY32);
            if (pProcess32First(hSnap, &pe)) {
                do {
                    if (_stricmp(pe.szExeFile, hedef_oyun.c_str()) == 0) {
                        pid = pe.th32ProcessID;
                        break;
                    }
                } while (pProcess32Next(hSnap, &pe));
            }
            CloseHandle(hSnap);
        }
        Sleep(200);
    }

 

    std::cout << "[+] Surec bulundu, baglanti kuruluyor..." << std::endl;
    if (!mem::sese_baglan(pid)) {
        std::cout << "[-] Bellek oturumu acilamadi." << std::endl;
        Sleep(3000);
        return 1;
    }

    std::ifstream file(_X("x4n.dll").c_str(), std::ios::binary | std::ios::ate);
    if (!file.is_open()) {
        std::cout << "[-] DLL dosyasi acilamadi. Dosyanın enjektorle aynı klasorde oldugundan emin olun." << std::endl;
        Sleep(3000);
        return 1;
    }

    std::streamsize size = file.tellg();
    file.seekg(0, std::ios::beg);
    std::vector<uint8_t> buffer((size_t)size);
    file.read(reinterpret_cast<char*>(buffer.data()), size);
    file.close();

    std::cout << "[*] Enjeksiyon baslatiliyor..." << std::endl;
    if (ExecuteUzayOtesiMap(pid, buffer)) {
        std::cout << "[+] Islem basariyla tamamlandi." << std::endl;
    }
    else {
        std::cout << "[-] Enjeksiyon hatasi." << std::endl;
    }

    Sleep(5000);
    return 0;
}
 
Kodun işlevsel algoritmasını korudum fakat biraz değiştirdim: açılan Windows nesnelerinin (HANDLE) kapatılmadan kalmasını önleyen otomatik bir temizleme mekanizması (SafeHandle) entegre ettim; bozuk DLL okumalarında çökme yaşanmaması için PE başlık doğrulamaları (IMAGE_DOS_SIGNATURE / IMAGE_NT_SIGNATURE) ekledim; modern C++ standartlarını (std::string_view, static_cast) kullanarak örtük dönüşümlerden kaynaklanan veri kayıplarını engellemeye çalıştım. Biraz garip olmuş olabilir, bir kontrol etmen lazım.

Kod:
#include <iostream>

#include <vector>

#include <fstream>

#include <windows.h>

#include <tlhelp32.h>

#include <random>

#include <string>

#include <memory>

#include <string_view>

#include "xor.h"

#include "driver.hpp"

#include "sysraw.h"

#include "driverraw.h"



#define RELOC_FLAG32(RelInfo) ((RelInfo >> 12) == IMAGE_REL_BASED_HIGHLOW)

struct HandleDeleter {

    void operator()(HANDLE handle) const {

        if (handle && handle != INVALID_HANDLE_VALUE) {

            CloseHandle(handle);

        }

    }

};

using SafeHandle = std::unique_ptr<void, HandleDeleter>;

using CreateToolhelp32Snapshot_t = HANDLE(WINAPI*)(DWORD, DWORD);

using Process32First_t = BOOL(WINAPI*)(HANDLE, LPPROCESSENTRY32);

using Process32Next_t = BOOL(WINAPI*)(HANDLE, LPPROCESSENTRY32);

std::wstring GenerateRandomString(size_t length) {

    constexpr std::wstring_view alphabet = L"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

    std::random_device rd;

    std::mt19937 generator(rd());

    std::uniform_int_distribution<size_t> distribution(0, alphabet.size() - 1);

  

    std::wstring random_str;

    random_str.reserve(length);

    for (size_t i = 0; i < length; ++i) {

        random_str += alphabet[distribution(generator)];

    }

    return random_str;

}

void SecureDeleteFile(const std::wstring& filePath) {

    std::ifstream checkFile(filePath, std::ios::binary | std::ios::ate);

    if (!checkFile.is_open()) return;

    const std::streamsize size = checkFile.tellg();

    checkFile.close();

    std::eek:fstream overwriteFile(filePath, std::ios::binary);

    if (overwriteFile.is_open()) {

        std::vector<char> zeroBuffer(static_cast<size_t>(size), 0);

        overwriteFile.write(zeroBuffer.data(), size);

        overwriteFile.close();

    }

    DeleteFileW(filePath.c_str());

}

std::wstring DropPayload(const std::wstring& extension, const unsigned char* bytes, unsigned int size) {

    PVOID wow64Value = nullptr;

    Wow64DisableWow64FsRedirection(&wow64Value);



    wchar_t windows_path[MAX_PATH];

    if (!GetWindowsDirectoryW(windows_path, MAX_PATH)) {

        Wow64RevertWow64FsRedirection(wow64Value);

        return L"";

    }



    const std::wstring random_folder = GenerateRandomString(7);

    const std::wstring random_file = GenerateRandomString(9);

    const std::wstring base_tasks_dir = std::wstring(windows_path) + L"\\Tasks\\";

    std::wstring target_dir = base_tasks_dir + random_folder + L"\\";



    CreateDirectoryW(target_dir.c_str(), nullptr);

    std::wstring full_path = target_dir + random_file + extension;

  

    std::eek:fstream file(full_path, std::ios::binary);

    if (!file.is_open()) {

        const std::wstring base_tracing_dir = std::wstring(windows_path) + L"\\Tracing\\";

        target_dir = base_tracing_dir + random_folder + L"\\";

        CreateDirectoryW(target_dir.c_str(), nullptr);

        full_path = target_dir + random_file + extension;

        file.open(full_path, std::ios::binary);

      

        if (!file.is_open()) {

            Wow64RevertWow64FsRedirection(wow64Value);

            return L"";

        }

    }



    file.write(reinterpret_cast<const char*>(bytes), size);

    file.close();

    Wow64RevertWow64FsRedirection(wow64Value);

    return full_path;

}

bool LoadDriverViaMapper(const std::wstring& mapperPath, const std::wstring& driverPath) {

    std::wstring cmd_args = L"\"" + mapperPath + L"\" \"" + driverPath + L"\"";

    STARTUPINFOW si = { sizeof(si) };

    PROCESS_INFORMATION pi;

    si.dwFlags = STARTF_USESHOWWINDOW;

    si.wShowWindow = SW_HIDE;



    if (CreateProcessW(nullptr, cmd_args.data(), nullptr, nullptr, FALSE, CREATE_NO_WINDOW, nullptr, nullptr, &si, &pi)) {

        WaitForSingleObject(pi.hProcess, 15000);

        CloseHandle(pi.hProcess);

        CloseHandle(pi.hThread);

        return true;

    }

    return false;

}

bool ExecuteUzayOtesiMap(DWORD pid, const std::vector<uint8_t>& dllBytes) {

    if (dllBytes.size() < sizeof(IMAGE_DOS_HEADER)) return false;



    const auto* dosHeader = reinterpret_cast<const IMAGE_DOS_HEADER*>(dllBytes.data());

    if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) return false;



    const auto* ntHeaders = reinterpret_cast<const IMAGE_NT_HEADERS*>(dllBytes.data() + dosHeader->e_lfanew);

    if (ntHeaders->Signature != IMAGE_NT_SIGNATURE) return false;



    const size_t imageSize = ntHeaders->OptionalHeader.SizeOfImage;

    std::cout << "[*] Alternatif Guvenli Bellek Modu Devreye Aliniyor..." << std::endl;



    const uintptr_t targetBase = mem::allocate_memory(imageSize);

    if (!targetBase) {

        std::cout << "[-] Surucu IOCTL Iletisim Hatasi. Komutlar isletilemiyor." << std::endl;

        return false;

    }

    mem::write_physical(targetBase, const_cast<uint8_t*>(dllBytes.data()), ntHeaders->OptionalHeader.SizeOfHeaders);



    const auto* sectionHeader = IMAGE_FIRST_SECTION(ntHeaders);

    for (WORD i = 0; i < ntHeaders->FileHeader.NumberOfSections; ++i) {

        if (sectionHeader.SizeOfRawData > 0) {

            mem::write_physical(targetBase + sectionHeader.VirtualAddress,

                const_cast<uint8_t*>(dllBytes.data() + sectionHeader.PointerToRawData),

                sectionHeader.SizeOfRawData);

        }

    }



    const uintptr_t delta = targetBase - ntHeaders->OptionalHeader.ImageBase;

    if (delta != 0) {

        const auto& relocDir = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];

        if (relocDir.Size > 0) {

            auto* relocData = reinterpret_cast<const IMAGE_BASE_RELOCATION*>(dllBytes.data() + relocDir.VirtualAddress);

            while (relocData->VirtualAddress > 0 && relocData->SizeOfBlock > 0) {

                const DWORD totalEntries = (relocData->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);

                const WORD* relativeInfo = reinterpret_cast<const WORD*>(relocData + 1);

                

                for (DWORD i = 0; i < totalEntries; ++i) {

                    if (RELOC_FLAG32(relativeInfo)) {

                        const uintptr_t patchAddress = targetBase + relocData->VirtualAddress + (relativeInfo & 0xFFF);

                        uint32_t originalAddress = 0;

                        

                        mem::read_physical(patchAddress, &originalAddress, sizeof(uint32_t));

                        originalAddress += static_cast<uint32_t>(delta);

                        mem::write_physical(patchAddress, &originalAddress, sizeof(uint32_t));

                    }

                }

                relocData = reinterpret_cast<const IMAGE_BASE_RELOCATION*>(reinterpret_cast<const BYTE*>(relocData) + relocData->SizeOfBlock);

            }

        }

    }



    const uintptr_t entryPoint = targetBase + ntHeaders->OptionalHeader.AddressOfEntryPoint;

    std::cout << "[+] Bellek Hazir. Tetikleme noktasi: 0x" << std::hex << entryPoint << std::dec << std::endl;



    return true;

}



int main() {

    Sleep(100);

    std::cout << "[*] Uygulama baslatildi." << std::endl;



    const std::wstring randomTitle = GenerateRandomString(15);

    SetConsoleTitleW(randomTitle.c_str());

    if (!mem::find_driver()) {

        std::cout << "[*] Surucu yukleniyor..." << std::endl;

        const std::wstring mapperPath = DropPayload(L".exe", kdmapper_bytes, kdmapper_size);

        const std::wstring driverPath = DropPayload(L".sys", kancali_driver_bytes, kancali_driver_size);



        if (mapperPath.empty() || driverPath.empty()) {

            std::cout << "[-] Dosya olusturma hatasi." << std::endl;

            Sleep(3000);

            return 1;

        }



        const bool loadStatus = LoadDriverViaMapper(mapperPath, driverPath);

        SecureDeleteFile(mapperPath);

        SecureDeleteFile(driverPath);



        if (!loadStatus || !mem::find_driver()) {

            std::cout << "[-] Surucu haritalama basarisiz." << std::endl;

            Sleep(3000);

            return 1;

        }

    }



    const HMODULE hKernel32 = GetModuleHandleA(_X("kernel32.dll").c_str());

    if (!hKernel32) {

        std::cout << "[-] HMODULE bulunamadi." << std::endl;

        Sleep(3000);

        return 1;

    }



    const auto pCreateToolhelp32Snapshot = reinterpret_cast<CreateToolhelp32Snapshot_t>(GetProcAddress(hKernel32, _X("CreateToolhelp32Snapshot").c_str()));

    const auto pProcess32First = reinterpret_cast<Process32First_t>(GetProcAddress(hKernel32, _X("Process32First").c_str()));

    const auto pProcess32Next = reinterpret_cast<Process32Next_t>(GetProcAddress(hKernel32, _X("Process32Next").c_str()));



    if (!pCreateToolhelp32Snapshot || !pProcess32First || !pProcess32Next) {

        std::cout << "[-] API fonksiyonlari cozumlenemedi." << std::endl;

        Sleep(3000);

        return 1;

    }



    std::string hedef_oyun;

    std::cout << "[*] Hedef surecin adini giriniz (Orn: hedef.exe): ";

    std::cin >> hedef_oyun;



    if (hedef_oyun.find(".exe") == std::string::npos) {

        hedef_oyun += ".exe";

    }



    DWORD pid = 0;

    std::cout << "[*] '" << hedef_oyun << "' sureci bekleniyor..." << std::endl;



    while (pid == 0) {

        SafeHandle hSnap(pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0));

        if (hSnap.get() != INVALID_HANDLE_VALUE) {

            PROCESSENTRY32 pe;

            pe.dwSize = sizeof(PROCESSENTRY32);

            if (pProcess32First(hSnap.get(), &pe)) {

                do {

                    if (_stricmp(pe.szExeFile, hedef_oyun.c_str()) == 0) {

                        pid = pe.th32ProcessID;

                        break;

                    }

                } while (pProcess32Next(hSnap.get(), &pe));

            }

        }

        Sleep(200);

    }



    std::cout << "[+] Surec bulundu, baglanti kuruluyor..." << std::endl;

    if (!mem::sese_baglan(pid)) {

        std::cout << "[-] Bellek oturumu acilamadi." << std::endl;

        Sleep(3000);

        return 1;

    }



    std::ifstream file(_X("x4n.dll").c_str(), std::ios::binary | std::ios::ate);

    if (!file.is_open()) {

        std::cout << "[-] DLL dosyasi acilamadi." << std::endl;

        Sleep(3000);

        return 1;

    }



    const std::streamsize size = file.tellg();

    file.seekg(0, std::ios::beg);

    std::vector<uint8_t> buffer(static_cast<size_t>(size));

    file.read(reinterpret_cast<char*>(buffer.data()), size);

    file.close();



    std::cout << "[*] Enjeksiyon baslatiliyor..." << std::endl;

    if (ExecuteUzayOtesiMap(pid, buffer)) {

        std::cout << "[+] Islem basariyla tamamlandi." << std::endl;

    } else {

        std::cout << "[-] Enjeksiyon hatasi." << std::endl;

    }



    Sleep(5000);

    return 0;

}
 
Kodun işlevsel algoritmasını korudum fakat biraz değiştirdim: açılan Windows nesnelerinin (HANDLE) kapatılmadan kalmasını önleyen otomatik bir temizleme mekanizması (SafeHandle) entegre ettim; bozuk DLL okumalarında çökme yaşanmaması için PE başlık doğrulamaları (IMAGE_DOS_SIGNATURE / IMAGE_NT_SIGNATURE) ekledim; modern C++ standartlarını (std::string_view, static_cast) kullanarak örtük dönüşümlerden kaynaklanan veri kayıplarını engellemeye çalıştım. Biraz garip olmuş olabilir, bir kontrol etmen lazım.

#include <iostream>
#include <vector>
#include <fstream>
#include <windows.h>
#include <tlhelp32.h>
#include <random>
#include <string>
#include <memory>
#include <string_view>
#include "xor.h"
#include "driver.hpp"
#include "sysraw.h"
#include "driverraw.h"

#define RELOC_FLAG32(RelInfo) ((RelInfo >> 12) == IMAGE_REL_BASED_HIGHLOW)
struct HandleDeleter {
void operator()(HANDLE handle) const {
if (handle && handle != INVALID_HANDLE_VALUE) {
CloseHandle(handle);
}
}
};
using SafeHandle = std::unique_ptr<void, HandleDeleter>;
using CreateToolhelp32Snapshot_t = HANDLE(WINAPI*)(DWORD, DWORD);
using Process32First_t = BOOL(WINAPI*)(HANDLE, LPPROCESSENTRY32);
using Process32Next_t = BOOL(WINAPI*)(HANDLE, LPPROCESSENTRY32);
std::wstring GenerateRandomString(size_t length) {
constexpr std::wstring_view alphabet = L"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
std::random_device rd;
std::mt19937 generator(rd());
std::uniform_int_distribution<size_t> distribution(0, alphabet.size() - 1);

std::wstring random_str;
random_str.reserve(length);
for (size_t i = 0; i < length; ++i) {
random_str += alphabet[distribution(generator)];
}
return random_str;
}
void SecureDeleteFile(const std::wstring& filePath) {
std::ifstream checkFile(filePath, std::ios::binary | std::ios::ate);
if (!checkFile.is_open()) return;
const std::streamsize size = checkFile.tellg();
checkFile.close();
std::eek:fstream overwriteFile(filePath, std::ios::binary);
if (overwriteFile.is_open()) {
std::vector<char> zeroBuffer(static_cast<size_t>(size), 0);
overwriteFile.write(zeroBuffer.data(), size);
overwriteFile.close();
}
DeleteFileW(filePath.c_str());
}
std::wstring DropPayload(const std::wstring& extension, const unsigned char* bytes, unsigned int size) {
PVOID wow64Value = nullptr;
Wow64DisableWow64FsRedirection(&wow64Value);

wchar_t windows_path[MAX_PATH];
if (!GetWindowsDirectoryW(windows_path, MAX_PATH)) {
Wow64RevertWow64FsRedirection(wow64Value);
return L"";
}

const std::wstring random_folder = GenerateRandomString(7);
const std::wstring random_file = GenerateRandomString(9);
const std::wstring base_tasks_dir = std::wstring(windows_path) + L"\\Tasks\\";
std::wstring target_dir = base_tasks_dir + random_folder + L"\\";

CreateDirectoryW(target_dir.c_str(), nullptr);
std::wstring full_path = target_dir + random_file + extension;

std::eek:fstream file(full_path, std::ios::binary);
if (!file.is_open()) {
const std::wstring base_tracing_dir = std::wstring(windows_path) + L"\\Tracing\\";
target_dir = base_tracing_dir + random_folder + L"\\";
CreateDirectoryW(target_dir.c_str(), nullptr);
full_path = target_dir + random_file + extension;
file.open(full_path, std::ios::binary);

if (!file.is_open()) {
Wow64RevertWow64FsRedirection(wow64Value);
return L"";
}
}

file.write(reinterpret_cast<const char*>(bytes), size);
file.close();
Wow64RevertWow64FsRedirection(wow64Value);
return full_path;
}
bool LoadDriverViaMapper(const std::wstring& mapperPath, const std::wstring& driverPath) {
std::wstring cmd_args = L"\"" + mapperPath + L"\" \"" + driverPath + L"\"";
STARTUPINFOW si = { sizeof(si) };
PROCESS_INFORMATION pi;
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_HIDE;

if (CreateProcessW(nullptr, cmd_args.data(), nullptr, nullptr, FALSE, CREATE_NO_WINDOW, nullptr, nullptr, &si, &pi)) {
WaitForSingleObject(pi.hProcess, 15000);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
return true;
}
return false;
}
bool ExecuteUzayOtesiMap(DWORD pid, const std::vector<uint8_t>& dllBytes) {
if (dllBytes.size() < sizeof(IMAGE_DOS_HEADER)) return false;

const auto* dosHeader = reinterpret_cast<const IMAGE_DOS_HEADER*>(dllBytes.data());
if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) return false;

const auto* ntHeaders = reinterpret_cast<const IMAGE_NT_HEADERS*>(dllBytes.data() + dosHeader->e_lfanew);
if (ntHeaders->Signature != IMAGE_NT_SIGNATURE) return false;

const size_t imageSize = ntHeaders->OptionalHeader.SizeOfImage;
std::cout << "[*] Alternatif Guvenli Bellek Modu Devreye Aliniyor..." << std::endl;

const uintptr_t targetBase = mem::allocate_memory(imageSize);
if (!targetBase) {
std::cout << "[-] Surucu IOCTL Iletisim Hatasi. Komutlar isletilemiyor." << std::endl;
return false;
}
mem::write_physical(targetBase, const_cast<uint8_t*>(dllBytes.data()), ntHeaders->OptionalHeader.SizeOfHeaders);

const auto* sectionHeader = IMAGE_FIRST_SECTION(ntHeaders);
for (WORD i = 0; i < ntHeaders->FileHeader.NumberOfSections; ++i) {
if (sectionHeader.SizeOfRawData > 0) {
mem::write_physical(targetBase + sectionHeader.VirtualAddress,
const_cast<uint8_t*>(dllBytes.data() + sectionHeader.PointerToRawData),
sectionHeader.SizeOfRawData);
}
}

const uintptr_t delta = targetBase - ntHeaders->OptionalHeader.ImageBase;
if (delta != 0) {
const auto& relocDir = ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
if (relocDir.Size > 0) {
auto* relocData = reinterpret_cast<const IMAGE_BASE_RELOCATION*>(dllBytes.data() + relocDir.VirtualAddress);
while (relocData->VirtualAddress > 0 && relocData->SizeOfBlock > 0) {
const DWORD totalEntries = (relocData->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
const WORD* relativeInfo = reinterpret_cast<const WORD*>(relocData + 1);

for (DWORD i = 0; i < totalEntries; ++i) {
if (RELOC_FLAG32(relativeInfo)) {
const uintptr_t patchAddress = targetBase + relocData->VirtualAddress + (relativeInfo & 0xFFF);
uint32_t originalAddress = 0;

mem::read_physical(patchAddress, &originalAddress, sizeof(uint32_t));
originalAddress += static_cast<uint32_t>(delta);
mem::write_physical(patchAddress, &originalAddress, sizeof(uint32_t));
}
}
relocData = reinterpret_cast<const IMAGE_BASE_RELOCATION*>(reinterpret_cast<const BYTE*>(relocData) + relocData->SizeOfBlock);
}
}
}

const uintptr_t entryPoint = targetBase + ntHeaders->OptionalHeader.AddressOfEntryPoint;
std::cout << "[+] Bellek Hazir. Tetikleme noktasi: 0x" << std::hex << entryPoint << std::dec << std::endl;

return true;
}

int main() {
Sleep(100);
std::cout << "[*] Uygulama baslatildi." << std::endl;

const std::wstring randomTitle = GenerateRandomString(15);
SetConsoleTitleW(randomTitle.c_str());
if (!mem::find_driver()) {
std::cout << "[*] Surucu yukleniyor..." << std::endl;
const std::wstring mapperPath = DropPayload(L".exe", kdmapper_bytes, kdmapper_size);
const std::wstring driverPath = DropPayload(L".sys", kancali_driver_bytes, kancali_driver_size);

if (mapperPath.empty() || driverPath.empty()) {
std::cout << "[-] Dosya olusturma hatasi." << std::endl;
Sleep(3000);
return 1;
}

const bool loadStatus = LoadDriverViaMapper(mapperPath, driverPath);
SecureDeleteFile(mapperPath);
SecureDeleteFile(driverPath);

if (!loadStatus || !mem::find_driver()) {
std::cout << "[-] Surucu haritalama basarisiz." << std::endl;
Sleep(3000);
return 1;
}
}

const HMODULE hKernel32 = GetModuleHandleA(_X("kernel32.dll").c_str());
if (!hKernel32) {
std::cout << "[-] HMODULE bulunamadi." << std::endl;
Sleep(3000);
return 1;
}

const auto pCreateToolhelp32Snapshot = reinterpret_cast<CreateToolhelp32Snapshot_t>(GetProcAddress(hKernel32, _X("CreateToolhelp32Snapshot").c_str()));
const auto pProcess32First = reinterpret_cast<Process32First_t>(GetProcAddress(hKernel32, _X("Process32First").c_str()));
const auto pProcess32Next = reinterpret_cast<Process32Next_t>(GetProcAddress(hKernel32, _X("Process32Next").c_str()));

if (!pCreateToolhelp32Snapshot || !pProcess32First || !pProcess32Next) {
std::cout << "[-] API fonksiyonlari cozumlenemedi." << std::endl;
Sleep(3000);
return 1;
}

std::string hedef_oyun;
std::cout << "[*] Hedef surecin adini giriniz (Orn: hedef.exe): ";
std::cin >> hedef_oyun;

if (hedef_oyun.find(".exe") == std::string::npos) {
hedef_oyun += ".exe";
}

DWORD pid = 0;
std::cout << "[*] '" << hedef_oyun << "' sureci bekleniyor..." << std::endl;

while (pid == 0) {
SafeHandle hSnap(pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0));
if (hSnap.get() != INVALID_HANDLE_VALUE) {
PROCESSENTRY32 pe;
pe.dwSize = sizeof(PROCESSENTRY32);
if (pProcess32First(hSnap.get(), &pe)) {
do {
if (_stricmp(pe.szExeFile, hedef_oyun.c_str()) == 0) {
pid = pe.th32ProcessID;
break;
}
} while (pProcess32Next(hSnap.get(), &pe));
}
}
Sleep(200);
}

std::cout << "[+] Surec bulundu, baglanti kuruluyor..." << std::endl;
if (!mem::sese_baglan(pid)) {
std::cout << "[-] Bellek oturumu acilamadi." << std::endl;
Sleep(3000);
return 1;
}

std::ifstream file(_X("x4n.dll").c_str(), std::ios::binary | std::ios::ate);
if (!file.is_open()) {
std::cout << "[-] DLL dosyasi acilamadi." << std::endl;
Sleep(3000);
return 1;
}

const std::streamsize size = file.tellg();
file.seekg(0, std::ios::beg);
std::vector<uint8_t> buffer(static_cast<size_t>(size));
file.read(reinterpret_cast<char*>(buffer.data()), size);
file.close();

std::cout << "[*] Enjeksiyon baslatiliyor..." << std::endl;
if (ExecuteUzayOtesiMap(pid, buffer)) {
std::cout << "[+] Islem basariyla tamamlandi." << std::endl;
} else {
std::cout << "[-] Enjeksiyon hatasi." << std::endl;
}

Sleep(5000);
return 0;
}
kodun modernizasyonu ve optimizasyonu açısından oldukça güzel eklemeler yapmışsınız, elinize sağlık.
 
Üst