-
Notifications
You must be signed in to change notification settings - Fork 47
Expand file tree
/
Copy pathmain.cpp
More file actions
66 lines (54 loc) · 1.94 KB
/
main.cpp
File metadata and controls
66 lines (54 loc) · 1.94 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
#include "pch.h"
#include <stdio.h>
#include <string>
#include <Shlwapi.h>
#include <vector>
#pragma comment(lib, "shlwapi.lib")
typedef WINBASEAPI BOOL(WINAPI* CreateProcessHid)(
_In_opt_ LPCWSTR lpApplicationName,
_Inout_opt_ LPWSTR lpCommandLine,
_In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,
_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_ BOOL bInheritHandles,
_In_ DWORD dwCreationFlags,
_In_opt_ LPVOID lpEnvironment,
_In_opt_ LPCWSTR lpCurrentDirectory,
_In_ LPSTARTUPINFOW lpStartupInfo,
_Out_ LPPROCESS_INFORMATION lpProcessInformation
);
void InjectDll(HANDLE hProcess, HANDLE hThread, const std::wstring& path)
{
size_t strSize = (path.size() + 1) * sizeof(WCHAR);
LPVOID pBuf = VirtualAllocEx(hProcess, 0, strSize, MEM_COMMIT, PAGE_READWRITE);
if (pBuf == NULL)
return;
SIZE_T written;
if (!WriteProcessMemory(hProcess, pBuf, path.c_str(), strSize, &written))
return;
LPVOID pLoadLibraryW = GetProcAddress(GetModuleHandle(L"kernel32"), "LoadLibraryW");
QueueUserAPC((PAPCFUNC)pLoadLibraryW, hThread, (ULONG_PTR)pBuf);
}
std::wstring GetExecutableDir()
{
WCHAR buf[MAX_PATH];
GetModuleFileName(nullptr, buf, MAX_PATH);
PathRemoveFileSpec(buf);
return buf;
}
typedef BOOL(WINAPI* SetWindowBand)(HWND hWnd, HWND hwndInsertAfter, DWORD dwBand);
int CALLBACK WinMain(_In_ HINSTANCE hInstance, _In_ HINSTANCE hPrevInstance, _In_ LPSTR lpCmdLine, _In_ int nCmdShow)
{
std::wstring path = GetExecutableDir();
path += L"\\MobileShellExtension.dll";
STARTUPINFO startInfo = { 0 };
PROCESS_INFORMATION procInfo = { 0 };
WCHAR cmdline[] = L"MiniBroker.exe";
startInfo.cb = sizeof(startInfo);
const auto createprocess = CreateProcessHid(GetProcAddressNew(L"kernel32.dll", L"CreateProcessW"));
if (createprocess(nullptr, cmdline, nullptr, nullptr, FALSE, CREATE_SUSPENDED, nullptr, nullptr, &startInfo, &procInfo))
{
InjectDll(procInfo.hProcess, procInfo.hThread, path);
ResumeThread(procInfo.hThread);
}
return 0;
}