From 9cf1d722f73ba7063f0f6e6dc88bad8654aa368d Mon Sep 17 00:00:00 2001
From: zeffy
Date: Sat, 1 Jul 2017 18:37:13 -0700
Subject: [PATCH] optimize dll injection and fix memory leaks

- use ZeroMemory where applicable
- fixed a couple memory leaks
- optimized dll injection (before it would allocate+write MAX_PATH*sizeof(TCHAR) bytes to svchost.exe, now it will only allocate+write what is needed to fit the dll path)
---
 wufuc/core.c | 1 +
 wufuc/patternfind.c | 12 +++++++-----
 wufuc/rundll32.c | 12 ++++++++----
 wufuc/util.c | 1 +
 4 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/wufuc/core.c b/wufuc/core.c
index c47e72e..e10b3bc 100644
--- a/wufuc/core.c
+++ b/wufuc/core.c
@@ -22,6 +22,7 @@ DWORD WINAPI NewThreadProc(LPVOID lpParam) {
     }
     SECURITY_ATTRIBUTES sa;
+    ZeroMemory(&sa, sizeof(SECURITY_ATTRIBUTES));
     sa.nLength = sizeof(SECURITY_ATTRIBUTES);
     ConvertStringSecurityDescriptorToSecurityDescriptor(_T("D:PAI(A;;FA;;;BA)"), SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL);
     sa.bInheritHandle = FALSE;
diff --git a/wufuc/patternfind.c b/wufuc/patternfind.c
index 3a4c103..8140378 100644
--- a/wufuc/patternfind.c
+++ b/wufuc/patternfind.c
@@ -63,6 +63,7 @@ SIZE_T patternfind(LPCBYTE data, SIZE_T datasize, SIZE_T startindex, LPCSTR patt
     SIZE_T result = -1;
     SIZE_T searchpatternsize = strlen(pattern);
     LPPATTERNBYTE searchpattern = calloc(searchpatternsize, sizeof(PATTERNBYTE));
+
     if (patterntransform(pattern, searchpattern, &searchpatternsize)) {
         for (SIZE_T i = startindex, j = 0; i < datasize; i++) //search for the pattern
         {
@@ -79,6 +80,7 @@ SIZE_T patternfind(LPCBYTE data, SIZE_T datasize, SIZE_T startindex, LPCSTR patt
             }
         }
     }
+    free(searchpattern);
     return result;
 }
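Review bot: The result of `ConvertStringSecurityDescriptorToSecurityDescriptor` on the line after the new `ZeroMemory` is still unchecked; now that `sa` is zeroed, a failed conversion deterministically leaves `sa.lpSecurityDescriptor == NULL`, and whatever object `sa` is later handed to would be created with a default DACL instead of the intended administrators-only `D:PAI(A;;FA;;;BA)`. Wrap the call: `if (!ConvertStringSecurityDescriptorToSecurityDescriptor(_T("D:PAI(A;;FA;;;BA)"), SDDL_REVISION_1, &sa.lpSecurityDescriptor, NULL)) { /* bail out like NewThreadProc's other early exits */ }`. The descriptor that call allocates also has to be released with `LocalFree(sa.lpSecurityDescriptor)` once the object exists; whether that happens is not visible, since NewThreadProc continues on both sides of the hunk.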
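Review bot: The new blank line sits exactly where a NULL check on `searchpattern` belongs: `calloc(searchpatternsize, sizeof(PATTERNBYTE))` is passed straight to `patterntransform`, and it may return NULL on allocation failure or when `strlen(pattern)` is 0 (a zero-size `calloc` is permitted to return NULL). Replace the blank line with `if (!searchpattern) { return result; }` — `result` is already `-1` here and nothing else has been acquired yet. The same unchecked `calloc` is in `patternwrite` (hunk @@ -100 of this file), which would need `if (!writepattern) { return; }` before its `patterntransform` call. Whether `patterntransform` itself tolerates a NULL buffer is not visible, and patternfind's search loop continues past this hunk.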
@@ -100,12 +102,12 @@ VOID patternwrite(LPBYTE data, SIZE_T datasize, LPCSTR pattern) {
         writepatternsize = datasize;
     }
     LPPATTERNBYTE writepattern = calloc(writepatternsize, sizeof(PATTERNBYTE));
-    if (!patterntransform(pattern, writepattern, &writepatternsize)) {
-        return;
-    }
-    for (size_t i = 0; i < writepatternsize; i++) {
-        patternwritebyte(&data[i], &writepattern[i]);
+    if (patterntransform(pattern, writepattern, &writepatternsize)) {
+        for (size_t i = 0; i < writepatternsize; i++) {
+            patternwritebyte(&data[i], &writepattern[i]);
+        }
     }
+    free(writepattern);
 }
 
 SIZE_T patternsnr(LPBYTE data, SIZE_T datasize, SIZE_T startindex, LPCSTR searchpattern, LPCSTR replacepattern) {
diff --git a/wufuc/rundll32.c b/wufuc/rundll32.c
index e0d5a5b..5659c05 100644
--- a/wufuc/rundll32.c
+++ b/wufuc/rundll32.c
@@ -50,15 +50,19 @@ void CALLBACK Rundll32Entry(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int n
     if (!result) {
         return;
     }
-    TCHAR lpLibFileName[MAX_PATH];
-    GetModuleFileName(HINST_THISCOMPONENT, lpLibFileName, _countof(lpLibFileName));
     HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
     if (!hProcess) {
         return;
     }
-    LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, sizeof(lpLibFileName), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
-    if (lpBaseAddress && WriteProcessMemory(hProcess, lpBaseAddress, lpLibFileName, sizeof(lpLibFileName), NULL)) {
+
+    TCHAR lpLibFileName[MAX_PATH];
+    GetModuleFileName(HINST_THISCOMPONENT, lpLibFileName, _countof(lpLibFileName));
+
+    SIZE_T size = (_tcslen(lpLibFileName) + 1) * sizeof(TCHAR);
+
+    LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, size, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
+    if (lpBaseAddress && WriteProcessMemory(hProcess, lpBaseAddress, lpLibFileName, size, NULL)) {
         HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"kernel32.dll"),
diff --git a/wufuc/util.c b/wufuc/util.c
index 121286e..505ce1f 100644
--- a/wufuc/util.c
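Review bot: The bound `writepatternsize` on the rewritten `for` line is read after `patterntransform` has had the chance to overwrite it through `&writepatternsize`, so the clamp `writepatternsize = datasize` performed above the call no longer necessarily limits what `patternwritebyte(&data[i], ...)` writes into `data`. If `patterntransform` can report a length larger than the value it was given (its contract is not visible here), the loop overruns `data`; a cheap guard that holds either way is `for (size_t i = 0; i < writepatternsize && i < datasize; i++) {`. Separately, the new loop keeps `size_t` for `i` while this function's other counters and the `patternfind` hunks use `SIZE_T`, which is worth aligning while the line is being touched.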
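Review bot: `GetModuleFileName` on the re-added line is still unchecked, and the new `size` is now computed from its output: when the path does not fit in `MAX_PATH` the call returns `_countof(lpLibFileName)` with a truncated string (NUL-terminated on Vista and later, but not guaranteed terminated on older systems, where `_tcslen` would then run past the end of the stack array), and that truncated path is what gets written into the target. Check it before computing `size`: `DWORD cch = GetModuleFileName(HINST_THISCOMPONENT, lpLibFileName, _countof(lpLibFileName)); if (cch == 0 || cch >= _countof(lpLibFileName)) { CloseHandle(hProcess); return; }` — the early exit has to release `hProcess`, which is opened just above. The hunk is cut off after the `GetProcAddress(GetModuleHandle(L"kernel32.dll"),` line, so whether `hProcess`, `lpBaseAddress` (`VirtualFreeEx`) and `hThread` are released on the failure paths is not visible; the `if (lpBaseAddress && WriteProcessMemory(...))` branch shows no else, so a failed allocation or write appears to fall through with `hProcess` still open.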
+++ b/wufuc/util.c
@@ -55,6 +55,7 @@ VOID DetourIAT(HMODULE hModule, LPSTR lpFuncName, LPVOID *lpOldAddress, LPVOID l
 VOID SuspendProcessThreads(DWORD dwProcessId, DWORD dwThreadId, HANDLE *lphThreads, SIZE_T dwSize, SIZE_T *lpcb) {
     HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
     THREADENTRY32 te;
+    ZeroMemory(&te, sizeof(THREADENTRY32));
     te.dwSize = sizeof(te);
     Thread32First(hSnap, &te);
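Review bot: `hSnap` from `CreateToolhelp32Snapshot` two lines above the new `ZeroMemory` is never checked, and `Thread32First(hSnap, &te)` is called with it regardless; on failure that call returns `INVALID_HANDLE_VALUE` (not NULL), and `Thread32First`'s BOOL result is dropped as well, so the walk proceeds on a `te` that contains only the zeroed fields. Add `if (hSnap == INVALID_HANDLE_VALUE) { return; }` right after the snapshot call and branch on `if (Thread32First(hSnap, &te)) {` instead of ignoring it. What `*lpcb` should hold on that early return, and whether `hSnap` is closed, depends on code past the hunk — SuspendProcessThreads continues beyond it — so set `*lpcb = 0` there if callers read it unconditionally.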