#include <windows.h>
#include <tlhelp32.h>
#include <shlwapi.h>

/* Target selection is fixed at compile time. The process is matched by a
 * case-insensitive substring search on its image name (StrStrI, below), and
 * the DLL is a bare file name, so LoadLibraryA in the target resolves it via
 * the target's own DLL search order rather than from a fixed path. */
#define PROC_NAME "target.exe"
#define DLL_NAME "injected.dll"

/* Both helpers take a substring of the image name, not an exact name.
 * On failure they `return false`, i.e. 0, which is indistinguishable from a
 * real ID of 0 for the caller. Neither helper reports "not found". */
unsigned long GetTargetProcessIdFromProcname(char *procName);
unsigned long GetTargetThreadIdFromProcname(char *procName);
/* Stub that is copied into the target process and executed on the hijacked
 * thread. Each 0xDEADBEEF is a placeholder immediate that WinMain overwrites
 * in this function's own bytes (VirtualProtect + memcpy at offsets 1, 8 and
 * 13) before the stub is written to the target, so those offsets are tied to
 * the exact instruction encoding and order below. `__declspec(naked)` means
 * no prologue/epilogue is emitted; the missing return type is implicit int,
 * which MSVC accepts here. 32-bit x86 only (pushfd/pushad, 4-byte immediates). */
__declspec(naked) loadDll(void)
{
    _asm
    {
        // Placeholder for the return address: the thread's saved EIP,
        // patched at offset 1. It becomes the target of the final `ret`.
        push 0xDEADBEEF
        // Save the flags and registers of the hijacked thread on its own stack
        pushfd
        pushad
        // Placeholder for the string address (patched at offset 8) and for
        // the LoadLibraryA address (patched at offset 13)
        push 0xDEADBEEF
        mov eax, 0xDEADBEEF
        // Call LoadLibrary with the string parameter. LoadLibraryA is stdcall,
        // so the callee removes its own argument from the stack.
        call eax
        // Restore the registers and flags
        popad
        popfd
        // Return control to the hijacked thread at the saved EIP pushed above
        ret
    }
}
/* Empty marker function. WinMain computes the stub length as
 * loadDll_end - loadDll, which assumes the compiler and linker place this
 * function immediately after loadDll with nothing in between — TODO confirm
 * for the actual build (function ordering, padding and link-time
 * optimisation all affect it). */
__declspec(naked) loadDll_end(void)
{
}
/* Entry point. Injects DLL_NAME into the first process whose image name
 * contains PROC_NAME by hijacking one of its threads: suspend it, point EIP
 * at a copy of loadDll placed in the target, resume it. 32-bit x86 only
 * (CONTEXT.Eip, 4-byte pointer patches). No return value in this function is
 * checked: a NULL hProcess/hThread or a failed VirtualAllocEx flows straight
 * into the WriteProcessMemory/SetThreadContext calls.
 * For detection purposes the observable call sequence is
 * OpenProcess(VM_WRITE|VM_OPERATION) -> VirtualAllocEx(RWX) ->
 * WriteProcessMemory -> OpenThread(GET/SET_CONTEXT|SUSPEND_RESUME) ->
 * SuspendThread -> GetThreadContext -> SetThreadContext -> ResumeThread. */
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
    void *dllString;   /* remote buffer holding DLL_NAME */
    void *stub;        /* remote RWX buffer holding the patched loadDll bytes */
    unsigned long wowID, threadID, stubLen, oldIP, oldprot, loadLibAddy;
    HANDLE hProcess, hThread;
    CONTEXT ctx;
    /* Relies on loadDll_end being laid out directly after loadDll */
    stubLen = (unsigned long)loadDll_end - (unsigned long)loadDll;
    /* The local address of LoadLibraryA is reused as the remote address, which
     * assumes kernel32 is mapped at the same base in the target — TODO confirm
     * for the platform in use. */
    loadLibAddy = (unsigned long)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
    wowID = GetTargetProcessIdFromProcname(PROC_NAME);
    /* `false` here (and below) is not valid C without <stdbool.h>; the file is
     * presumably built as C++, which would also explain the _asm blocks — confirm. */
    hProcess = OpenProcess((PROCESS_VM_WRITE | PROCESS_VM_OPERATION), false, wowID);
    /* Allocated one byte larger than what is written below; MEM_COMMIT pages
     * start zeroed, which is what supplies the string's NUL terminator. */
    dllString = VirtualAllocEx(hProcess, NULL, (strlen(DLL_NAME) + 1), MEM_COMMIT, PAGE_READWRITE);
    /* Writable-and-executable remote region; that protection on its own is a
     * common detection criterion. */
    stub = VirtualAllocEx(hProcess, NULL, stubLen, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    /* Only strlen bytes are copied; the terminator is the zeroed tail. */
    WriteProcessMemory(hProcess, dllString, DLL_NAME, strlen(DLL_NAME), NULL);
    threadID = GetTargetThreadIdFromProcname(PROC_NAME);
    hThread = OpenThread((THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME), false, threadID);
    SuspendThread(hThread);
    /* CONTEXT_CONTROL restricts Get/SetThreadContext to the control registers
     * (EIP, ESP, EBP, EFLAGS, CS, SS). Nothing else is saved or restored here;
     * the stub's pushfd/pushad covers the rest on the thread's own stack. */
    ctx.ContextFlags = CONTEXT_CONTROL;
    GetThreadContext(hThread, &ctx);
    oldIP = ctx.Eip;
    ctx.Eip = (DWORD)stub;
    ctx.ContextFlags = CONTEXT_CONTROL;
    /* The injector patches its own code: make loadDll's page writable, then
     * overwrite the three 0xDEADBEEF immediates in place. Offsets 1, 8 and 13
     * are tied to the instruction encoding in loadDll. The patch is permanent
     * for the lifetime of this process. */
    VirtualProtect(loadDll, stubLen, PAGE_EXECUTE_READWRITE, &oldprot);
    memcpy((void *)((unsigned long)loadDll + 1), &oldIP, 4);
    memcpy((void *)((unsigned long)loadDll + 8), &dllString, 4);
    memcpy((void *)((unsigned long)loadDll + 13), &loadLibAddy, 4);
    WriteProcessMemory(hProcess, stub, loadDll, stubLen, NULL);
    SetThreadContext(hThread, &ctx);
    ResumeThread(hThread);
    /* Fixed delay instead of any synchronisation: if the hijacked thread has
     * not run the stub within 8 s (blocked, or the context swap failed), the
     * decommit below removes the code it is about to execute. */
    Sleep(8000);
    /* MEM_DECOMMIT with an explicit size; the reservations themselves are
     * not released. */
    VirtualFreeEx(hProcess, dllString, strlen(DLL_NAME), MEM_DECOMMIT);
    VirtualFreeEx(hProcess, stub, stubLen, MEM_DECOMMIT);
    CloseHandle(hProcess);
    CloseHandle(hThread);
    return 0;
}
/* Walk a Toolhelp process snapshot and return the PID of the first process
 * whose image name contains procName (case-insensitive, StrStrI).
 * ProcFound is set on a match but never read: when nothing matches, the loop
 * ends because Process32Next fails and the function returns th32ProcessID of
 * whatever `pe` last held rather than an error. If the snapshot cannot be
 * created it shows a message box and returns 0 (`false`). */
unsigned long GetTargetProcessIdFromProcname(char *procName)
{
    PROCESSENTRY32 pe;
    HANDLE thSnapshot;
    BOOL retval, ProcFound = false;
    thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if(thSnapshot == INVALID_HANDLE_VALUE)
    {
        /* Fourth argument is a UINT style; NULL here is MB_OK (0) */
        MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL);
        return false;
    }
    /* dwSize must be set before every Process32First/Process32Next call */
    pe.dwSize = sizeof(PROCESSENTRY32);
    retval = Process32First(thSnapshot, &pe);
    while(retval)
    {
        /* Substring match, so any longer image name containing procName also hits */
        if(StrStrI(pe.szExeFile, procName) )
        {
            ProcFound = true;
            break;
        }
        retval = Process32Next(thSnapshot,&pe);
        pe.dwSize = sizeof(PROCESSENTRY32);
    }
    CloseHandle(thSnapshot);
    return pe.th32ProcessID;
}
/* Locate the process exactly as GetTargetProcessIdFromProcname does (same
 * snapshot walk, same unused ProcFound), then read one thread ID out of its
 * memory. The address read is computed from the caller's own TEB: fs:[0x18]
 * is the TEB self pointer and +36 is presumably meant as the 32-bit
 * ClientId.UniqueThread field. The function therefore reads, in the target,
 * the address at which the *calling* thread's TEB lives in this process —
 * NOTE(review): whether a TEB sits at that address in the target depends on
 * the target's own address-space layout; confirm. ReadProcessMemory's result
 * is not checked, so if the read fails threadID is returned uninitialized.
 * Returns 0 (`false`) only when the snapshot cannot be created. */
unsigned long GetTargetThreadIdFromProcname(char *procName)
{
    PROCESSENTRY32 pe;
    HANDLE thSnapshot, hProcess;
    BOOL retval, ProcFound = false;
    unsigned long pTID, threadID;
    thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if(thSnapshot == INVALID_HANDLE_VALUE)
    {
        MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL);
        return false;
    }
    pe.dwSize = sizeof(PROCESSENTRY32);
    retval = Process32First(thSnapshot, &pe);
    while(retval)
    {
        if(StrStrI(pe.szExeFile, procName) )
        {
            ProcFound = true;
            break;
        }
        retval = Process32Next(thSnapshot,&pe);
        pe.dwSize = sizeof(PROCESSENTRY32);
    }
    CloseHandle(thSnapshot);
    /* 32-bit only: fs: addresses the current thread's TEB. pTID ends up
     * holding an address in this process, not in the target. */
    _asm {
        mov eax, fs:[0x18]
        add eax, 36
        mov [pTID], eax
    }
    /* pe.th32ProcessID is whatever the loop left in pe, match or not */
    hProcess = OpenProcess(PROCESS_VM_READ, false, pe.th32ProcessID);
    ReadProcessMemory(hProcess, (const void *)pTID, &threadID, 4, NULL);
    CloseHandle(hProcess);
    return threadID;
}