BOOL CALLBACK EWP_DirectInject(HWND hwnd, LPARAM lParam) { CHAR name[500] = {0}; struct INJ_DATA injdata = *(struct INJ_DATA*)lParam; // injection via windowtitle if(injdata.mode == 1) { GetWindowTextA(hwnd, name, 500 * sizeof(CHAR)); if(strncmp((LPCSTR)injdata.name, name, strlen(name) + 1) == 0) { DWORD dwPid = 0; GetWindowThreadProcessId(hwnd, &dwPid); if(dwPid == 0) { PRINT_ERROR_MSGA("Could not get ProcessId from window handle (hwnd: 0x%p).", hwnd); } if(!CHECK_TARGET_PROC(dwPid)) { PRINT_TARGET_PROC_ERROR(dwPid); return TRUE; } if(injdata.inject) { if(injdata.mm) { if(!MapRemoteModuleA(dwPid, injdata.libpath)) { PRINT_ERROR_MSGA("Failed to map the PE file into the remote address space of a process (PID: %x)\n", dwPid); } } else { InjectLibraryA(dwPid, injdata.libpath); } } else { if(injdata.module_address) { EjectLibrary(dwPid, injdata.module_address); } else { EjectLibraryA(dwPid, injdata.libpath); } } } } // injection via windowclass if(injdata.mode == 2) { GetClassNameA(hwnd, name, 500 * sizeof(CHAR)); if(strncmp((LPCSTR)injdata.name, name, strlen(name) + 1) == 0) { DWORD dwPid = 0; GetWindowThreadProcessId(hwnd, &dwPid); if(dwPid == 0) { PRINT_ERROR_MSGA("Could not get ProcessId from window handle (hwnd: 0x%p).", hwnd); } if(!CHECK_TARGET_PROC(dwPid)) { PRINT_TARGET_PROC_ERROR(dwPid); return TRUE; } if(injdata.inject) { if(injdata.mm) { if(!MapRemoteModuleA(dwPid, injdata.libpath)) { PRINT_ERROR_MSGA("Failed to map the PE file into the remote address space of a process (PID: %x)\n", dwPid); } } else { InjectLibraryA(dwPid, injdata.libpath); } } else { if(injdata.module_address) { EjectLibrary(dwPid, injdata.module_address); } else { EjectLibraryA(dwPid, injdata.libpath); } } } } return TRUE; }
BOOL CDisplayAdapterHelper::InjectSpecificDllAndProcessByIdInner(DWORD dwProcessID, LPSTR lpDllName, BOOL bInjectSafeMode) { #if defined _M_X64 && _MSC_VER == 1800 //workaround AVX2 bug in VS2013, http://connect.microsoft.com/VisualStudio/feedback/details/811093 _set_FMA3_enable(0); #endif assert(dwProcessID != 0); if (ISZERO(dwProcessID)) { DOLOG("id of target process can't be zero !"); return FALSE; } assert(ISNOTNULL(lpDllName)); if(ISNULL(lpDllName)) { DOLOG("name of dll can't not be null !"); return FALSE; } CHAR cbDllPath[MAX_PATH] = { 0 }; //if (ISZERO(GetCurrentDirectoryA(dirLen, cbDllPath))) if(ISZERO(GetModuleFileNameA(GetModuleHandle(NULL), cbDllPath, MAX_PATH))) { DOLOG("GetCurrentDirectory Failed ! " + GetLastError()); return FALSE; } CHAR* lpFullPath = strrchr(cbDllPath, '\\'); lpFullPath[1] = '\0'; UINT dirLen = strlen(cbDllPath); const size_t fileNameLen = strlen(lpDllName); size_t len = dirLen + fileNameLen + 1; cbDllPath[dirLen - 1] = '\\'; strncpy_s(cbDllPath + dirLen, len - dirLen, lpDllName, fileNameLen); BOOL result = TRUE; LoadSeDebugPrivilege(); CNameEvent nameEvent; nameEvent.Init(EVENTNAME, TRUE); CNameShareMemory shareMemInst; shareMemInst.Init(SHAREMEMNAME, MAX_PATH, TRUE); char* lpInfo = shareMemInst.GetBuffer(); ZeroMemory(lpInfo, MAX_PATH); if (!bInjectSafeMode) { OPPROC pOpenProcess; HANDLE hProcess; char pOPStr[12]; int i; memcpy(pOPStr, "NpflUvhel{x", 12); //OpenProcess obfuscated for (i = 0; i<11; i++) pOPStr[i] ^= i ^ 1; pOpenProcess = (OPPROC)GetProcAddress(GetModuleHandle(TEXT("KERNEL32")), pOPStr); if (ISNULL(pOpenProcess)) { DOLOG("GetProcAddress failed ! " + GetLastError()); return FALSE; } hProcess = (*pOpenProcess)(PROCESS_ALL_ACCESS, FALSE, dwProcessID); if (ISNULL(hProcess)) { DOLOG("OpenProcess Failed ! " + GetLastError()); return FALSE; } if (ISFALSE(AdjustDllforProcess(hProcess, cbDllPath))) { DOLOG("AdjustDllforProcess Failed ! " + GetLastError()); return FALSE; } if (ISNOTTRUE(InjectLibraryA(hProcess, cbDllPath, (DWORD)(len - 1)))) { result = FALSE; DOLOG("Inject Library failed ! " + GetLastError()); } CloseHandle(hProcess); } else { #ifdef _WIN64 CHAR cbTempDllPath[MAX_PATH] = { 0 }; if (ISTRUE(AdjustDllfor64bit(cbTempDllPath, MAX_PATH, cbDllPath))) { memcpy(cbDllPath, cbTempDllPath, strlen(cbTempDllPath) + 1); } #endif if (!InjectLibrarySafeA(dwProcessID, cbDllPath, (DWORD)(len - 1))) { DOLOG("InjectLibrarySafeA failed ! "+ GetLastError()); result = FALSE; } } if(ISTRUE(nameEvent.Wait())) { lpInfo = shareMemInst.GetBuffer(); if (ISNOTNULL(lpInfo)) { DOLOG(" 得到的信息是>>>>>>" + lpInfo); strcpy(m_cbVideoAdapterName, lpInfo); } } nameEvent.Close(); shareMemInst.Close(); return result ; }
BOOL InjectEjectToProcessNameA(LPCSTR lpProcName, LPCSTR lpLibPath, LPVOID lpModule, BOOL inject, BOOL mm) { PROCESSENTRY32 pe32 = { sizeof(PROCESSENTRY32) }; HANDLE hProcSnap = 0; BOOL bFound = FALSE; hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); if(hProcSnap == INVALID_HANDLE_VALUE) { PRINT_ERROR_MSGA("Could not get process snapshot."); return FALSE; } if(Process32First(hProcSnap, &pe32)) { do { if(!strncmp(lpProcName, pe32.szExeFile, strlen(lpProcName))) { if(!CHECK_TARGET_PROC(pe32.th32ProcessID)) { PRINT_TARGET_PROC_ERROR(pe32.th32ProcessID); continue; } bFound = TRUE; if(inject) { if(mm) { if(!MapRemoteModuleA(pe32.th32ProcessID, lpLibPath)) { PRINT_ERROR_MSGA("Failed to map the PE file into the remote address space of a process (PID: %x)\n", pe32.th32ProcessID); } } else { if(!InjectLibraryA(pe32.th32ProcessID, lpLibPath)) { PRINT_ERROR_MSGA("Injection failed. (PID: %x)", pe32.th32ProcessID); } } } else { if(lpModule) { if(!EjectLibrary(pe32.th32ProcessID, lpModule)) { PRINT_ERROR_MSGA("Ejection failed. (PID: %x)", pe32.th32ProcessID); } } else { if(!EjectLibraryA(pe32.th32ProcessID, lpLibPath)) { PRINT_ERROR_MSGA("Ejection failed. (PID: %x)", pe32.th32ProcessID); } } } } } while(Process32Next(hProcSnap, &pe32)); } CloseHandle(hProcSnap); if(!bFound) { PRINT_ERROR_MSGA("Could not find process (%s).", lpProcName); } return bFound; }