// myinject.cpp : Console DLL injector. Resolves a target process by image name, then loads the given DLL into it by running LoadLibraryA on a remote thread (CreateRemoteThread).
//
#include <windows.h>
#include <tlhelp32.h>
#include <iostream.h>
#include <shlwapi.h>
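// Inject the DLL at path `dll` into process `PID` using the classic
// CreateRemoteThread + LoadLibraryA technique: the path string is copied into
// the target's address space and a remote thread is started with
// kernel32!LoadLibraryA as its start routine and that buffer as its argument.
//
// Returns TRUE only when the remote thread was created and finished with a
// non-zero exit code (LoadLibraryA returns the HMODULE, so 0 means the load
// failed inside the target). Every failure path releases the process handle,
// the thread handle and the remote buffer it acquired.
//
// Caveats a practitioner should know:
//  - LoadLibraryA's address is taken from *this* process and reused in the
//    target; that only works when kernel32 is mapped at the same base there
//    (same bitness). A 32/64-bit mismatch between injector and target fails.
//  - The target must be openable with the rights requested below; protected
//    processes or processes of another user normally make OpenProcess fail.
//  - On 64-bit targets the thread exit code is the low 32 bits of the HMODULE;
//    a zero low half would be misread as failure (unlikely, but possible).
BOOL CreateRemoteThreadInject(DWORD PID, const char * dll) {
// No PID, no path, or an empty path: nothing to inject.
if (!PID || !dll || !*dll) {
return FALSE;
}
// Request only the rights this function needs (thread creation, memory
// allocate/write, exit-code query) rather than PROCESS_ALL_ACCESS.
HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION,
FALSE, PID);
if (!hProcess) {
// The original code carried on with a NULL handle and reported success;
// an unopenable target is a hard failure.
return FALSE;
}
// All locals are declared (and initialised) before the first goto so the
// jumps to `cleanup` do not bypass any initialisation (ill-formed in C++).
BOOL ok = FALSE;
BOOL threadDone = FALSE;
HANDLE hThread = NULL;
LPVOID remoteBuf = NULL;
SIZE_T len = strlen(dll) + 1; // include the terminating NUL
SIZE_T written = 0;
DWORD exitCode = 0;
const DWORD waitMs = 10000; // upper bound on how long we let DllMain run
// Named differently from the Win32 `LoadLibrary` macro so the preprocessor
// cannot rewrite the identifier to LoadLibraryA/LoadLibraryW.
LPTHREAD_START_ROUTINE pLoadLibraryA =
(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
if (!pLoadLibraryA) {
goto cleanup;
}
// Allocate room for the path string in the target; PAGE_READWRITE is enough,
// the buffer is data, not code.
remoteBuf = VirtualAllocEx(hProcess, NULL, len, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
if (!remoteBuf) {
goto cleanup;
}
// A short write would hand LoadLibraryA an unterminated string.
if (!WriteProcessMemory(hProcess, remoteBuf, dll, len, &written) || written != len) {
goto cleanup;
}
hThread = CreateRemoteThread(hProcess, NULL, 0, pLoadLibraryA, remoteBuf, 0, NULL);
if (!hThread) {
goto cleanup;
}
// Wait for LoadLibraryA to finish before freeing the buffer it reads from.
// The original freed the memory immediately (and after closing the process
// handle, so the free could never succeed).
if (WaitForSingleObject(hThread, waitMs) == WAIT_OBJECT_0) {
threadDone = TRUE;
// Exit code is LoadLibraryA's return value: 0 == load failed in the target.
if (GetExitCodeThread(hThread, &exitCode) && exitCode != 0) {
ok = TRUE;
}
}
cleanup:
if (hThread) {
CloseHandle(hThread);
}
// Only release the remote string once no remote thread can still read it.
// If the wait timed out the thread may still be running; the buffer is then
// deliberately leaked in the target rather than pulled out from under it.
if (remoteBuf && (!hThread || threadDone)) {
VirtualFreeEx(hProcess, remoteBuf, 0, MEM_RELEASE);
}
CloseHandle(hProcess);
return ok;
}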
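// Resolve an executable image name (e.g. "notepad.exe", compared
// case-insensitively against PROCESSENTRY32::szExeFile) to a process ID
// using a Toolhelp process snapshot.
//
// Returns:
//   the PID     when exactly one running process has that image name;
//   0           when none matches, the name is NULL/empty, or the snapshot
//               could not be taken;
//   0xFFFFFFFF  when more than one process matches. Callers must treat this
//               as "ambiguous" and not pass it on as a PID.
//
// NOTE(review): kernel32 also exports GetProcessId(HANDLE); in C++ this
// definition is merely an overload on the parameter type, but a distinct
// name would avoid confusion.
DWORD GetProcessId(IN PCHAR szExeName)
{
// _stricmp on a NULL name would dereference it; refuse up front.
if (!szExeName || !*szExeName) {
return 0;
}
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE) {
return 0;
}
DWORD dwRet = 0;
DWORD dwCount = 0;
PROCESSENTRY32 pe = {0};
pe.dwSize = sizeof(pe); // Process32First rejects an unset dwSize
for (BOOL bMore = Process32First(hSnapshot, &pe); bMore; bMore = Process32Next(hSnapshot, &pe)) {
if (_stricmp(pe.szExeFile, szExeName) != 0) {
continue;
}
dwRet = pe.th32ProcessID;
if (++dwCount > 1) {
// Ambiguous target: report the sentinel and stop scanning, there is
// nothing further a later match could change.
dwRet = 0xFFFFFFFF;
break;
}
}
CloseHandle(hSnapshot);
return dwRet;
}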
//----------------------------
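// Entry point: myinject <PROCESS NAME> <DLL PATH>
// Exit status is 0 on a successful injection and 1 on any failure (the
// original exited with 1 on both paths, so scripts could not tell them apart).
int main(int argc, char* argv[])
{
// Absolute path of the DLL, as the target will see it.
char dll[MAX_PATH];
if (argc != 3) {
cout << "Usage :" << argv[0] << " <PROCESS NAME> <DLL FULL PATH>" << endl;
return 1;
}
// Resolve to an absolute path: LoadLibraryA runs in the target, whose
// working directory and search path differ from ours, so a relative name
// would be resolved there rather than here. GetFullPathName returns 0 on
// failure and the required size when the buffer is too small.
DWORD pathLen = GetFullPathName(argv[2], MAX_PATH, dll, NULL);
if (pathLen == 0 || pathLen >= MAX_PATH) {
cout << "Could not resolve the full path of " << argv[2] << endl;
return 1;
}
// Fail early if the file does not exist here; otherwise the failure would
// only surface as LoadLibraryA returning NULL inside the target.
if (GetFileAttributesA(dll) == INVALID_FILE_ATTRIBUTES) {
cout << "DLL not found: " << dll << endl;
return 1;
}
// Resolve the target by image name. 0 means no match; 0xFFFFFFFF means
// several processes share the name and GetProcessId refused to pick one.
DWORD ID = GetProcessId(argv[1]);
if (ID == 0) {
cout << "No running process named " << argv[1] << " was found!" << endl;
return 1;
}
if (ID == 0xFFFFFFFF) {
cout << "More than one process named " << argv[1] << " is running; refusing to guess." << endl;
return 1;
}
if (!CreateRemoteThreadInject(ID, dll)) {
cout << "Injection failed!" << endl;
return 1;
}
cout << "Injection of " << argv[2] << " into " << argv[1] << " is successful!" << endl;
return 0;
}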