- A simple program that injects itself into other PE+ files (executables) that are in the same directory.
- Requirements: gcc version 9.2.0 (x86_64-w64-mingw32)
- Run `others/payload.cmd` to compile and run the example.
- Toggle `#define DO_TASK1 0` to determine whether task1 is performed or not.
Behavior of injected PE+ files when executed:
- Execute exactly the same function as payload.exe
- Do its original job
- Currently it works well with my executables that are generated by gcc from .c files, but for "normal" .exe files, such as the launcher of a game, the target .exe file seems to be corrupted after being injected, and Windows no longer recognizes it as a valid executable.
- However, for "side" executables like KillPot64.exe of PotPlayer and UnityCrashHandler64.exe of many Unity games, it works well.
- payload.exe is self-contained, i.e., it reads all contents of its `.virus` (macro `V_SECT_NAME`) section (only `main()` is not in this section), then writes it into other .exe files (with some minor modifications).
- The only thing that `main()` does is call `payload()`: `int main() { payload(); exit(0); }`
- After entering `payload()`, it first gets the address of kernel32.dll (in memory) and retrieves function addresses from there.
- Load msvcrt.dll.
- Print a test message `"_|Hallo|_"`.
- Do `task1()`.
- Do `infect()`.
- Jmp to the original entry point of the infected program.

`task1()`:
- Search for .txt files under the current directory and randomly select one.
- Create a folder and copy the selected .txt file into it (the name of the new file is macro `NAME_OF_NEW_FILE`).

`infect()`:
- Do `get_payload()`: read from the .exe file itself, store the payload and return it with its size.
- Calculate the in-file offset of the final jmp instruction.
- Search for .exe files under the current directory and do `inject()` to inject the payload into each file.
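As an added defender-side example (not part of this project's code), a small Python check that parses the PE/PE+ section table and flags the two traces the README describes: a section named `.virus` (the `V_SECT_NAME` macro) and an entry point that lands in an appended last section instead of the first code section. The heuristics, the `scan()` output strings and the header-only images built by `build_pe()` are assumptions constructed for illustration.

```python
import struct

SUSPICIOUS_SECTION = b".virus"   # V_SECT_NAME from the README
IMAGE_SCN_CNT_CODE = 0x00000020

def pe_sections(data):
    """Parse a PE/PE+ header; return (entry_rva, [(name, va, size, characteristics)])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)  # NumberOfSections, SizeOfOptionalHeader
    opt = pe + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint, same offset in PE32/PE32+
    secs = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                     # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rsize, chars = struct.unpack_from("<8sIII16xI", data, off)
        secs.append((name.rstrip(b"\0"), va, vsize or rsize, chars))
    return entry, secs

def scan(data):
    """Return human-readable findings for one image; an empty list means nothing was flagged."""
    entry, secs = pe_sections(data)
    findings = []
    for i, (name, va, size, chars) in enumerate(secs):
        if name == SUSPICIOUS_SECTION:
            findings.append("section .virus present")
        if va <= entry < va + size:                       # the section that owns the entry point
            if not chars & IMAGE_SCN_CNT_CODE:
                findings.append(f"entry point in non-code section {name.decode()}")
            elif len(secs) > 1 and i == len(secs) - 1:    # assumed heuristic: appended section
                findings.append(f"entry point in last section {name.decode()}")
    return findings

def build_pe(entry, sections):
    """Constructed header-only PE+ test input (not a runnable executable)."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIII", 0x20B, 0, 0, 0, 0, 0, entry).ljust(240, b"\0")
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, size, va, size, 0, 0, 0, 0, 0, ch)
                    for n, va, size, ch in sections)
    return dos + coff + opt + hdrs

CODE, DATA = 0x60000020, 0xC0000040
CLEAN = build_pe(0x1000, [(b".text", 0x1000, 0x1000, CODE), (b".data", 0x2000, 0x1000, DATA)])
INFECTED = build_pe(0x3000, [(b".text", 0x1000, 0x1000, CODE), (b".data", 0x2000, 0x1000, DATA),
                             (b".virus", 0x3000, 0x800, CODE)])
```

`scan(CLEAN)` returns an empty list, while `scan(INFECTED)` reports both the `.virus` section and the relocated entry point; pointing `scan()` at real files on disk only needs `open(path, "rb").read()`.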