// InjectDLL.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include "general.h"
#include <Windows.h>
#include <psapi.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>
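// Prototypes for the two undocumented ntdll thread-creation routines used by
// options 2 and 3.  ntdll ships no import library for them, so they are
// resolved at run time (GetFunctionAddressFromDll, general.h).
//
// Both return an NTSTATUS (a LONG: success is >= 0, STATUS_SUCCESS is 0), not
// a Win32 BOOL -- callers must test the sign of the result, not "!= 0".
// Parameter widths follow the publicly documented (ReactOS / ntinternals)
// signatures.  In particular the size arguments are SIZE_T: the original
// DWORD declarations happened to work on x86, but on x64 a 32-bit value in a
// 64-bit argument slot leaves the upper half undefined.
typedef LONG (WINAPI *prototype_NtCreateThreadEx)(
	PHANDLE ThreadHandle,                  // out: handle to the new thread
	ACCESS_MASK DesiredAccess,             // e.g. GENERIC_ALL / THREAD_ALL_ACCESS
	LPVOID ObjectAttributes,               // POBJECT_ATTRIBUTES; NULL here
	HANDLE ProcessHandle,                  // target process
	LPTHREAD_START_ROUTINE lpStartAddress, // thread entry in the TARGET's address space
	LPVOID lpParameter,                    // argument passed to lpStartAddress
	ULONG CreateFlags,                     // 0 = run immediately (the call site passes FALSE, i.e. 0)
	SIZE_T ZeroBits,
	SIZE_T StackSize,
	SIZE_T MaximumStackSize,
	LPVOID AttributeList                   // PPS_ATTRIBUTE_LIST; NULL here
	);

typedef LONG (WINAPI *prototype_RtlCreateUserThread)(
	HANDLE ProcessHandle,                    // target process
	PSECURITY_DESCRIPTOR SecurityDescriptor, // NULL = default
	BOOLEAN CreateSuspended,
	ULONG StackZeroBits,
	SIZE_T StackReserved,                    // 0 = default reserve
	SIZE_T StackCommit,                      // 0 = default commit
	LPVOID StartAddress,                     // thread entry in the TARGET's address space
	LPVOID StartParameter,
	PHANDLE ThreadHandle,                    // out: the call site passes &hThread (was mis-declared HANDLE)
	LPVOID ClientID                          // PCLIENT_ID, may be NULL
	);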
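/*
 * Entry point.  Usage: injectdll.exe [process name] [dll path] [option number]
 *
 * Finds the target process by name, writes the DLL path into its address
 * space and starts a remote thread at kernel32!LoadLibraryW with that path as
 * the argument.  [option number] selects the thread-creation primitive:
 *   1 - CreateRemoteThread
 *   2 - NtCreateThreadEx    (ntdll, resolved at run time)
 *   3 - RtlCreateUserThread (ntdll, resolved at run time)
 *
 * Exit status: 0 when the remote thread ran and LoadLibraryW did not report
 * failure (or its result could not be observed); 1 when the remote
 * LoadLibraryW returned NULL; -1 for usage / lookup errors.  Win32 API
 * failures go through ErrorExit() (general.h), which does not return.
 *
 * Caveats:
 *  - The LoadLibraryW address is read from THIS process and reused in the
 *    target.  That only holds for a target of the same bitness (checked
 *    below) whose kernel32 is mapped at the same base -- true for processes
 *    of one boot session, but not verified here.
 *  - The path is resolved inside the TARGET by LoadLibraryW.  A relative
 *    path therefore follows the target's DLL search order, not ours; pass an
 *    absolute path.
 *  - Injecting into a process is a privileged operation against that
 *    process; run with matching or higher integrity and, for other users'
 *    processes, SeDebugPrivilege.
 */
int wmain(int argc, wchar_t **argv) // wide entry point: arguments arrive as UTF-16
{
	if (argc != 4)
	{
		printf("Usage: injectdll.exe [process name] [dll path] [option number]\noption 1 - CreateRemoteThread\noption 2 - NtCreateThreadEx\noption 3 - RtlCreateUserThread\n");
		return -1;
	}

	// wcstol instead of _wtoi so that trailing junk ("2x") or an empty string
	// is rejected instead of being silently read as a number.
	wchar_t *end = NULL;
	long option = wcstol(argv[3], &end, 10);
	if (end == argv[3] || *end != L'\0' || (option != 1 && option != 2 && option != 3))
	{
		printf("[-] Wrong option number\n");
		return -1; // was ExitProcess(-1); same exit code, consistent with the usage path
	}

	// Resolve the target PID.  FindPIDByName() is a general.h helper; this
	// assumes it reports "no such process" as 0 -- confirm against its definition.
	DWORD pid = FindPIDByName(argv[1]);
	if (pid == 0)
	{
		printf("[-] No process named '%ls' found\n", argv[1]);
		return -1;
	}
	printf("[+] PID is: %u,0x%x\n", (UINT)pid, (UINT)pid);

	// Least privilege: request only what the injection needs rather than
	// PROCESS_ALL_ACCESS.  These are the rights CreateRemoteThread documents;
	// the two ntdll paths create the same kernel objects and need no more.
	const DWORD desiredAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
	                            PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
	HANDLE hProcess = OpenProcess(desiredAccess, FALSE, pid);
	if (hProcess == NULL)
	{
		ErrorExit(TEXT("OpenProcess"));
	}
	printf("[+] Process handle: %p\n", hProcess); // %p: the old 0x%x/UINT cast truncated 64-bit handles

	// Refuse to inject across a bitness boundary.  The LoadLibraryW address
	// taken below is only meaningful in a process of the same bitness; a
	// mismatched start address would crash the target rather than load the DLL.
	BOOL selfWow64 = FALSE;
	BOOL targetWow64 = FALSE;
	if (!IsWow64Process(GetCurrentProcess(), &selfWow64) || !IsWow64Process(hProcess, &targetWow64))
	{
		ErrorExit(TEXT("IsWow64Process"));
	}
	if (selfWow64 != targetWow64)
	{
		printf("[-] Target bitness differs from this injector; use an injector of the target's bitness\n");
		CloseHandle(hProcess);
		return -1;
	}

	// kernel32 is loaded at the same base in every process of a session, so
	// our LoadLibraryW address is valid in the target (same bitness enforced above).
	HMODULE hKernel32 = GetModuleHandleW(L"kernel32.dll");
	if (hKernel32 == NULL)
	{
		ErrorExit(TEXT("GetModuleHandle"));
	}
	LPVOID llBaseAddress = (LPVOID)GetProcAddress(hKernel32, "LoadLibraryW");
	if (llBaseAddress == NULL)
	{
		ErrorExit(TEXT("GetProcAddress"));
	}
	printf("[+] LoadLibraryW address is: %p\n", llBaseAddress);

	// Copy the path INCLUDING its terminating NUL.  The original wrote
	// wcslen*2 bytes into a fixed 0x1000-byte block, relying on the fresh
	// pages being zero for termination and on the path fitting in one page.
	SIZE_T pathBytes = (wcslen(argv[2]) + 1) * sizeof(wchar_t);
	LPVOID lpBaseAddress = VirtualAllocEx(hProcess, NULL, pathBytes, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
	if (lpBaseAddress == NULL)
	{
		ErrorExit(TEXT("VirtualAllocEx"));
	}
	printf("[+] Allocated memory address in target process is: %p\n", lpBaseAddress);

	SIZE_T written = 0;
	if (!WriteProcessMemory(hProcess, lpBaseAddress, argv[2], pathBytes, &written))
	{
		ErrorExit(TEXT("WriteProcessMemory"));
	}
	if (written != pathBytes)
	{
		// Success return but a partial copy: the target would see a truncated path.
		printf("[-] Short write: %lu of %lu bytes\n", (unsigned long)written, (unsigned long)pathBytes);
		CloseHandle(hProcess);
		return -1;
	}
	printf("[+] DLL name is written to memory of target process\n");

	// Start LoadLibraryW(path) in the target.  LoadLibraryW is not an
	// LPTHREAD_START_ROUTINE, but it takes one pointer-sized argument and
	// returns in the same register on x86 (stdcall) and x64, so the thread's
	// exit code ends up being the low 32 bits of the returned HMODULE.
	HANDLE hThread = NULL;
	DWORD threadId = 0;
	switch (option)
	{
	case 1:
	{
		hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)llBaseAddress, lpBaseAddress, 0, &threadId);
		if (hThread == NULL)
		{
			ErrorExit(TEXT("CreateRemoteThread"));
		}
		break;
	}
	case 2:
	{
		prototype_NtCreateThreadEx pfnNtCreateThreadEx = NULL;
		GetFunctionAddressFromDll("ntdll.dll", "NtCreateThreadEx", (PVOID *)&pfnNtCreateThreadEx);
		if (pfnNtCreateThreadEx == NULL)
		{
			// The original called through this pointer unchecked (NULL call on lookup failure).
			printf("[-] Could not resolve ntdll!NtCreateThreadEx\n");
			CloseHandle(hProcess);
			return -1;
		}
		// NTSTATUS result: success is >= 0.  Checking only hThread hid failures
		// where the output parameter was left untouched.
		LONG status = (LONG)pfnNtCreateThreadEx(&hThread, GENERIC_ALL, NULL, hProcess,
			(LPTHREAD_START_ROUTINE)llBaseAddress, lpBaseAddress, FALSE, 0, 0, 0, NULL);
		if (status < 0 || hThread == NULL)
		{
			printf("[-] NtCreateThreadEx failed, NTSTATUS 0x%08lx\n", (unsigned long)status);
			CloseHandle(hProcess);
			return -1;
		}
		break;
	}
	case 3:
	{
		prototype_RtlCreateUserThread pfnRtlCreateUserThread = NULL;
		GetFunctionAddressFromDll("ntdll.dll", "RtlCreateUserThread", (PVOID *)&pfnRtlCreateUserThread);
		if (pfnRtlCreateUserThread == NULL)
		{
			printf("[-] Could not resolve ntdll!RtlCreateUserThread\n");
			CloseHandle(hProcess);
			return -1;
		}
		LONG status = (LONG)pfnRtlCreateUserThread(hProcess, NULL, FALSE, 0, 0, 0,
			llBaseAddress, lpBaseAddress, &hThread, NULL);
		if (status < 0 || hThread == NULL)
		{
			printf("[-] RtlCreateUserThread failed, NTSTATUS 0x%08lx\n", (unsigned long)status);
			CloseHandle(hProcess);
			return -1;
		}
		break;
	}
	default:
		// Unreachable: option was validated above.
		CloseHandle(hProcess);
		return -1;
	}

	// Only CreateRemoteThread hands back a thread id; the ntdll paths leave it 0.
	if (threadId != 0)
	{
		printf("[+] Injected thread id: %u for pid: %u\n", (UINT)threadId, (UINT)pid);
	}

	// Wait for LoadLibraryW to return so the outcome can be reported and the
	// path buffer released safely.  The original printed success as soon as
	// the thread existed, even when the DLL failed to load.  A zero exit code
	// means LoadLibraryW returned NULL (a real HMODULE has non-zero low bits;
	// a 4 GiB-aligned base on x64 would be indistinguishable, which is
	// practically never the case).
	int rc = 0;
	DWORD waitResult = WaitForSingleObject(hThread, 10000);
	if (waitResult == WAIT_OBJECT_0)
	{
		DWORD exitCode = 0;
		if (GetExitCodeThread(hThread, &exitCode) && exitCode == 0)
		{
			printf("[-] LoadLibraryW returned NULL in the target (bad path, missing dependency or bitness mismatch)\n");
			rc = 1;
		}
		else
		{
			printf("[+] Successfully started DLL in target process\n");
		}
		// LoadLibraryW has returned; the target no longer references the path.
		VirtualFreeEx(hProcess, lpBaseAddress, 0, MEM_RELEASE);
	}
	else
	{
		// Still running (DllMain blocking?) or the wait itself failed.  Leave the
		// buffer mapped: the target may still be reading it.
		printf("[!] Remote thread did not finish within 10s; DLL load result unknown\n");
	}

	CloseHandle(hThread);
	CloseHandle(hProcess);
	return rc;
}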