Wrappem

A small tool to patch PE files' import address table with an external payload DLL.

WrappEm

[!WARNING] Currently, only Method I and Method III are implemented.

From old version:

This is a small tool that can generate a hooked PE file which will import your custom DLL into its process. With this you can inject a payload into a process using a DLL. I took inspiration to make this tool from Michael Chourdakis' article, but his implementation was not suited for my needs, so after some research and testing I created this tool. The first implementation I made used the same method described in the article to create a proxy DLL; this version, however, modifies a DLL/EXE import table to force Windows to import your payload DLL into the process. If you're interested in this method you can learn more about PE Format and the Import Table (it's a lot of stuff tho, so get some coffee first).

Why "WrappEm"?

Because the first version of this tool would literally "wrap" its target to be used as a proxy DLL: the "wrap" served only to redirect its exported calls to the original DLL. This is no longer the method used by this tool.

Building

No dependencies, all PE Format structs are defined within PEFormat.h.

MinGW build:

g++ -g main.cpp -Og -o WrappEm.exe -std=c++17

LLVM-clang build:

clang++ -g main.cpp -Og -o WrappEm.exe -std=c++17

MSVC build:

cl main.cpp /std:c++17 /EHsc /Og /link /OUT:WrappEm.exe /DEBUG

Method I

Requirements:

  1. Enough padding space for import table size plus one entry;
  2. Import table size greater than or equal to payload data size.
<details> <summary>Method I: import table relocation</summary>
standard idata section structure               after relocation
────────┬──────────────────┬──────    ────────┬──────────────────┬──────
 .idata │                  │ start     .idata │                  │ start
section │  address tables  │          section │  address tables  │
        │     (thunk)      │                  │     (thunk)      │
     ┌──┼                  ◄─┐           ┌────►                  ┼─┐
     │  ├──────────────────┤ │           │    ├──────────────────┤ │
     │  │                  ┼─┘           │    +                  + │
     │  │   import table   ┼──┐          │    +   payload data   + │
     │  │                  ┼─┐│          │┌───►                  + │
     │  ├──────────────────┤ ││          ││   ├──────────────────┤ │
     │  │                  ◄─┘│          ││   │                  │ │
     │  │   lookup tables  │  │          ││   │   lookup tables  │ │
     │  │      (32/64)     │  │          ││┌──►      (32/64)     │ │
     │┌─┼                  │  │          │││┌─┼                  │ │
     ││ ├──────────────────┤  │          ││││ ├──────────────────┤ │
     │└─►                  ◄──┘          │││└─►                  ◄─┘
     │  │names and ordinals│             │││  │names and ordinals│
     └──►                  │             │││  │                  ◄─┐
        └──────────────────┘             │││  ├──────────────────┤ │
        :                  :             ││└──┼                  ┼─┘
        :     padding      :             │└───┼   import table   │
        :                  : end         └────┼                  │ end 
──────────────────────────────────    ────────┴──────────────────┴──────
</details>

Method II

[!CAUTION] NOT IMPLEMENTED YET

Requirements:

  1. Enough padding space for one table entry plus data;
  2. All relative virtual addresses (RVAs) in idata must be re-calculated.
<details> <summary>Method II: import section raw size expansion</summary>
────────┬──────────────────┬──────
 .idata │  address tables  │ start
section │     (thunk)      │
        │- - - - - - - - - │
     ┌──┼     payload      ◄─┐
     │  ├──────────────────┤ │
     │  │   import table   ┼─┘
     │  │- - - - - - - - - ┼──┐
     │  │     payload      ┼─┐│
     │  ├──────────────────┤ ││
     │  │   lookup tables  ◄─┘│
     │┌─┼      (32/64)     │  │
     ││ │- - - - - - - - - │  │
     ││ │     payload      │  │
     ││ ├──────────────────┤  │
     │└─►                  ◄──┘
     │  │names and ordinals│
     │  │- - - - - - - - - │
     │  │     payload      │
     └──►                  │
        └──────────────────┘
        :     padding      : end
──────────────────────────────────
</details>

Method III

Requirements:

  1. Offset of new section entry must be less than section alignment;
  2. All RVAs must be incremented by virtual offset.
<details> <summary>Method III: import data section relocation</summary>
            before append                           after append
         ┌──────────────────┐                   ┌──────────────────┐
 PE file │      headers     │           PE file │      headers     │
         │                  │                   │                  │
─────────┼──────────────────┼──────    ─────────┼──────────────────┼──────
sections │                  │ start    sections │                  │ start
         │      .rsrc       │                   │      .rsrc       │
         ├──────────────────┤                   ├──────────────────┤
         │                  │                   │                  │
         │      .data       │                   │      .data       │
         ├──────────────────┤                   ├──────────────────┤
         │                  │                   │                  │
         │      .idata      │                   │     (empty)      │
         ├──────────────────┤                   ├──────────────────┤
         :                  :                   :                  :
         :       ...        :                   :       ...        :
         :                  :                   :                  :
         ├──────────────────┤                   ├──────────────────┤
         │                  │                   │                  │
         │                  │                   │                  │
         │      .text       │                   │      .text       │
         │                  │                   │                  │
         │                  │ end               │                  │
 ────────┴──────────────────┴──────     - - - - ┼──────────────────┼ - - -
                                                │                  │
                                                │      .idata      │ end
                                        ────────┴──────────────────┴──────
</details>
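
For triage of a suspect binary, the layouts drawn for Method I and Method III can be checked from the PE headers alone. The following is an added example, not part of WrappEm or its README: `import_layout` and `sample` are hypothetical names, the sample image is constructed, and both flags are heuristics that legitimately linked binaries can also match, so the returned DLL list should still be compared against a known-good copy.

```python
import struct

def import_layout(pe: bytes) -> dict:
    """Report where the import directory sits (layout heuristics, not proof of tampering)."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                    # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)     # COFF header fields
    opt = nt + 24
    dirs = opt + (112 if struct.unpack_from("<H", pe, opt)[0] == 0x20B else 96)
    imp_rva = struct.unpack_from("<I", pe, dirs + 8)[0]           # data directory 1
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    secs = [struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i) for i in range(nsec)]

    def locate(rva):
        for i, (_, vsize, va, rsize, raw) in enumerate(secs):
            if va <= rva < va + max(vsize, rsize):
                return i, raw + rva - va
        raise ValueError(f"RVA {rva:#x} is outside every section")

    if imp_rva == 0:
        return {"dlls": [], "section": None, "in_last_section": False, "table_after_names": False}
    idx, off = locate(imp_rva)
    dlls, name_rvas = [], []
    while (name_rva := struct.unpack_from("<I", pe, off + 12)[0]) != 0:
        start = locate(name_rva)[1]
        dlls.append(pe[start:pe.index(b"\0", start)].decode("ascii", "replace"))
        name_rvas.append(name_rva)
        off += 20                                                 # next import descriptor
    return {"dlls": dlls,
            "section": secs[idx][0].rstrip(b"\0").decode("ascii", "replace"),
            "in_last_section": idx == nsec - 1,                   # Method III diagram
            "table_after_names": imp_rva > max(name_rvas, default=imp_rva)}  # Method I diagram

def sample(idata_last: bool, table_off: int, name_off: int) -> bytes:
    """Constructed two-section PE32 image for the checks above; not a real binary."""
    names = [b".text", b".idata"] if idata_last else [b".idata", b".text"]
    pos = names.index(b".idata") + 1
    img = bytearray(0x600)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)
    struct.pack_into("<HH12xH", img, 0x44, 0x14C, 2, 224)         # machine, nsec, opt size
    struct.pack_into("<H", img, 0x58, 0x10B)                      # PE32 magic
    struct.pack_into("<I", img, 0x58 + 96 + 8, 0x1000 * pos + table_off)
    for i, n in enumerate(names):
        struct.pack_into("<8sIIII", img, 0x138 + 40 * i, n, 0x200, 0x1000 * (i + 1), 0x200, 0x200 * (i + 1))
    struct.pack_into("13s", img, 0x200 * pos + name_off, b"KERNEL32.dll")
    struct.pack_into("<12xII", img, 0x200 * pos + table_off, 0x1000 * pos + name_off, 0x1000 * pos + 0x100)
    return bytes(img)
```

`sample(False, 0, 0x80)` mimics the standard layout, `sample(False, 0x180, 0x80)` the relocated table of Method I, and `sample(True, 0, 0x80)` the appended section of Method III.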