updated readme/exmaple header

Author: Broihon

Injection.h

@@ -58,7 +58,8 @@ enum class LAUNCH_METHOD
 	LM_NtCreateThreadEx,
 	LM_HijackThread,
 	LM_SetWindowsHookEx,
-	LM_QueueUserAPC
+	LM_QueueUserAPC,
+	LM_KernelCallback
 };
 
 //ansi version of the info structure:
@@ -129,13 +130,15 @@ struct HookInfo
 //Manual mapping options:
 #define INJ_MM_CLEAN_DATA_DIR			0x00010000	//removes data from the dlls PE header, ignored if INJ_MM_SET_PAGE_PROTECTIONS is set
 #define INJ_MM_RESOLVE_IMPORTS			0x00020000	//resolves dll imports
-#define INJ_MM_RESOLVE_DELAY_IMPORTS	0x00040000	//resolves delayed imports
-#define INJ_MM_EXECUTE_TLS				0x00080000	//executes TLS callbacks and initializes static TLS data
+#define INJ_MM_RESOLVE_DELAY_IMPORTS		0x00040000	//resolves delayed imports
+#define INJ_MM_EXECUTE_TLS			0x00080000	//executes TLS callbacks and initializes static TLS data
 #define INJ_MM_ENABLE_EXCEPTIONS		0x00100000	//enables exception handling
 #define INJ_MM_SET_PAGE_PROTECTIONS		0x00200000	//sets page protections based on section characteristics, if set INJ_MM_CLEAN_DATA_DIR will be ignored
 #define INJ_MM_INIT_SECURITY_COOKIE		0x00400000	//initializes security cookie for buffer overrun protection
-#define INJ_MM_RUN_DLL_MAIN				0x00800000	//executes DllMain
-													//this option induces INJ_MM_RESOLVE_IMPORTS
+#define INJ_MM_RUN_DLL_MAIN			0x00800000	//executes DllMain
+								//this option induces INJ_MM_RESOLVE_IMPORTS
+#define INJ_MM_RUN_UNDER_LDR_LOCK		0x01000000	//runs the DllMain under the loader lock
+#define INJ_MM_SHIFT_MODULE_BASE		0x02000000	//shifts the module base by a random offset
 
 #define MM_DEFAULT (INJ_MM_RESOLVE_IMPORTS | INJ_MM_RESOLVE_DELAY_IMPORTS | INJ_MM_INIT_SECURITY_COOKIE | INJ_MM_EXECUTE_TLS | INJ_MM_ENABLE_EXCEPTIONS | INJ_MM_RUN_DLL_MAIN | INJ_MM_SET_PAGE_PROTECTIONS)
 
@@ -149,8 +152,11 @@ using f_GetVersionA = HRESULT(__stdcall *)(char		* out, size_t cb_size);
 using f_GetVersionW = HRESULT(__stdcall *)(wchar_t	* out, size_t cb_size);
 
 using f_GetSymbolState = DWORD(__stdcall *)();
+using f_GetImportState = DWORD(__stdcall *)();
 
 using f_GetDownloadProgress = float(__stdcall *)(bool bWoW64);
+using f_StartDownload = void(__stdcall *)();
+using f_InterruptDownload = void(__stdcall *)();
 
 using f_raw_print_callback = void(__stdcall *)(const char * szText);
 using f_SetRawPrintCallback = DWORD(__stdcall *)(f_raw_print_callback callback);

README.md

@@ -20,6 +20,7 @@ Session seperation can be bypassed with all methods.
 - Thread hijacking
 - SetWindowsHookEx
 - QueueUserAPC
+- KernelCallback
 
 ### Manual mapping features:
 
@@ -30,6 +31,9 @@ Session seperation can be bypassed with all methods.
 - SEH support
 - TLS initialization
 - Security cookie initalization
+- Loader Lock
+- Shift image
+- Clean datadirectories
 
 ### Additional features:
 
@@ -46,9 +50,9 @@ Session seperation can be bypassed with all methods.
 
 You can easily use mapper by including the compiled binaries in your project. Check the provided Injection.h header for more information.
 Make sure you have the compiled binaries in the working directory of your program.
-On first run the injection module will download pdb files for the native (and when run on x64 the wow64) version of the ntdll.dll to resolve symbol addresses.
-The injector can only function if that process is finished. The injection module exports GetSymbolState which will return INJ_ERROR_SUCCESS (0) if the pdb download and resolving of all required addresses is completed.
-Additionally GetDownloadProgress can be used to determine the progress of the download as percentage.
+On first run the injection module has to download PDB files for the native (and when run on x64 the wow64) version of the ntdll.dll to resolve symbol addresses. Use the exported StartDownload function to begin the download.
+The injector can only function if the downloads are finished. The injection module exports GetSymbolState and GetImportState which will return INJ_ERROR_SUCCESS (0) if the PDB download and resolving of all required addresses is completed.
+Additionally GetDownloadProgress can be used to determine the progress of the download as percentage. If the injection module is to be unloaded during the download process call InterruptDownload or there's a chance that the dll will deadlock your process.
 
 ```cpp
 
@@ -58,12 +62,21 @@ HINSTANCE hInjectionMod = LoadLibrary(GH_INJ_MOD_NAME);
 
 auto InjectA = (f_InjectA)GetProcAddress(hInjectionMod, "InjectA");
 auto GetSymbolState = (f_GetSymbolState)GetProcAddress(hInjectionMod, "GetSymbolState");
+auto GetImportState = (f_GetSymbolState)GetProcAddress(hInjectionMod, "GetImportState");
+auto StartDownload = (f_StartDownload)GetProcAddress(hInjectionMod, "StartDownload");
+
+StartDownload();
 
 while (GetSymbolState() != 0)
 {
 	Sleep(10);
 }
 
+while (GetImportState() != 0)
+{
+	Sleep(10);
+}
+
 DWORD TargetProcessId;
 
 INJECTIONDATAA data =