/**
 * Feed a datagram into the mock socket as if it arrived from `source`.
 * The host and port are taken from the address and handed to the
 * (host, port) overload; ownership of `data` is not transferred, the
 * caller keeps the buffer.
 */
void MockUDPSocket::InjectData(const uint8_t *data, unsigned int size,
                               const IPV4SocketAddress &source) {
  // Single delivery path: both overloads end up in the host/port variant.
  this->InjectData(data, size, source.Host(), source.Port());
}
// Loads a DLL into another process by path (the remote stub calls
// ntdll.LdrLoadDll with a UNICODE_STRING prepared here).
//
// Parameters:
//   dwPid       - id of the target process
//   DllPathName - ANSI path of the DLL; converted to UTF-16 (CP_ACP) below
//
// Returns the value the remote stub left in RemoteProcessData.ModuleHandle
// after it ran, or 0 if any step failed.
//
// NOTE(review): this is a remote-thread injection sequence
// (OpenProcess(PROCESS_ALL_ACCESS) -> remote allocations/writes ->
// CreateRemoteThread); from a defensive standpoint it is exactly the call
// chain that endpoint monitoring and thread-creation telemetry key on.
//
// NOTE(review): hThread, lpParameters, lpThread and rpd.ModuleFileName are
// not initialised before the first `goto cleanup`, so the null checks in
// cleanup read indeterminate values on every early-exit path (undefined
// behaviour). hModule is declared but never used.
DWORD LoadDllInProcessEx(DWORD dwPid,char* DllPathName) {
  HANDLE hProcess,hThread;
  RemoteProcessData rpd;
  PWSTR pwModuleFileName;
  HANDLE hModule=NULL;
  UNICODE_STRING usModule;
  LPVOID lpParameters,lpThread;
  SECURITY_ATTRIBUTES saSecAttr;
  DWORD dwActual,dwResult=0,rc;
  hProcess=OpenProcess(PROCESS_ALL_ACCESS,0,dwPid);
  if (hProcess==NULL) goto cleanup;
  // Resolve LdrLoadDll locally; the pointer travels to the remote stub
  // inside rpd, which is copied into the target further down.
  rpd.pLdrLoadDll=(LDRLOADDLL)GetProcAddress(GetModuleHandle("ntdll"),"LdrLoadDll");
  if (!rpd.pLdrLoadDll) goto cleanup;
  rpd.Flags=0;
  rpd.PathToFile=NULL;
  rpd.ModuleHandle=NULL;
  // Convert the path to UTF-16 in a local scratch buffer, then copy that
  // buffer into the target. MultiByteToWideChar's return value is not checked.
  pwModuleFileName=(PWSTR)malloc((strlen(DllPathName)*2)+1);
  if (!pwModuleFileName) goto cleanup;
  MultiByteToWideChar(CP_ACP,0,DllPathName,strlen(DllPathName),pwModuleFileName,(strlen(DllPathName)*2)+1);
  // InjectData here is this file's remote-copy helper (declared outside this
  // excerpt); it appears to return the remote address or NULL on failure.
  usModule.Buffer=(PWSTR)InjectData(hProcess,pwModuleFileName,(strlen(DllPathName)*2)+1);
  free(pwModuleFileName);
  if (!usModule.Buffer) goto cleanup;
  // NOTE(review): UNICODE_STRING lengths are byte counts; strlen*2+1 is an
  // odd value, which looks unintentional - confirm against the stub.
  usModule.Length=(strlen(DllPathName)*2)+1;
  usModule.MaximumLength=(strlen(DllPathName)*2)+1;
  memcpy(&rpd.ModuleFileName,&usModule,sizeof(UNICODE_STRING));
  // Copy the parameter block and the stub code (RemoteThread..EndRemoteThread)
  // into the target; the extra 4096 bytes of slack are not explained here.
  lpParameters=InjectData(hProcess,&rpd,sizeof(RemoteProcessData)+4096);
  if (!lpParameters) goto cleanup;
  lpThread=InjectData(hProcess,&RemoteThread,(PBYTE)EndRemoteThread-(PBYTE)RemoteThread+4096);
  if (!lpThread) goto cleanup;
  // Set security attributes (default descriptor, inheritable handle).
  saSecAttr.nLength=sizeof(SECURITY_ATTRIBUTES);
  saSecAttr.lpSecurityDescriptor = NULL;
  saSecAttr.bInheritHandle = TRUE;
  hThread=CreateRemoteThread(hProcess,&saSecAttr,0,(LPTHREAD_START_ROUTINE)lpThread,lpParameters,0,&dwActual);
  if (hThread==NULL) goto cleanup;
  // Block until the remote stub exits; only WAIT_OBJECT_0 yields a result,
  // the other cases fall through to cleanup with dwResult still 0.
  rc=WaitForSingleObject(hThread, INFINITE);
  switch (rc) {
    case WAIT_TIMEOUT: break;
    case WAIT_FAILED: break;
    case WAIT_OBJECT_0:
      // Read the parameter block back; the stub is expected to have written
      // ModuleHandle into it.
      if (ReadProcessMemory(hProcess,lpParameters,&rpd,sizeof(RemoteProcessData),&dwActual)) dwResult=(DWORD)rpd.ModuleHandle;
      break;
    default: break;
  }
cleanup:
  // Release every remote allocation and handle obtained above (see the
  // uninitialised-locals note in the header for the early-exit hazard).
  if (rpd.ModuleFileName.Buffer!=NULL) VirtualFreeEx(hProcess,rpd.ModuleFileName.Buffer,0,MEM_RELEASE);
  if (lpParameters!=NULL) VirtualFreeEx(hProcess,lpParameters,0,MEM_RELEASE);
  if (lpThread!=NULL) VirtualFreeEx(hProcess,lpThread,0,MEM_RELEASE);
  if (hThread) CloseHandle(hThread);
  if (hProcess) CloseHandle(hProcess);
  return dwResult;
}