Exemple #1
0
BOOL __declspec(dllexport) RemoteFreeLibraryNT(DWORD dwTargetProcessID, HMODULE hModule)
{
	if (!IsWindowsNT())
	{
		::SetLastError(ERROR_CALL_NOT_IMPLEMENTED);
		return FALSE;
	}

	LPTHREAD_START_ROUTINE lpfn = (LPTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandleA("kernel32.dll"), "FreeLibrary");
	if (lpfn == NULL)
		return FALSE;
	
	HANDLE hRemoteProc = OpenProcessForRemoteExecute(dwTargetProcessID);
	if (hRemoteProc == NULL)
		return FALSE;

	DWORD dwExitCode = 0;
	DWORD dwErrorCode = ERROR_SUCCESS;
	BOOL bOK = RemoteExecute(hRemoteProc, lpfn, (LPVOID)hModule, dwExitCode, dwErrorCode);
	::CloseHandle(hRemoteProc);
	if (!bOK)
	{
		::SetLastError(dwErrorCode);
		return FALSE;
	}

	if (dwExitCode == 0)
	{
		::SetLastError(ERROR_MOD_NOT_FOUND);
		return FALSE;
	}

	return TRUE;
}
Exemple #2
0
HMODULE __declspec(dllexport) RemoteLoadLibraryNTA(DWORD dwTargetProcessID, LPCSTR lpszDllPath)
{	
	if (lpszDllPath == NULL || lpszDllPath[0] == 0)
	{
		::SetLastError(ERROR_MOD_NOT_FOUND);
		return NULL;
	}

	if (!IsWindowsNT())
	{
		::SetLastError(ERROR_CALL_NOT_IMPLEMENTED);
		return NULL;
	}

	LPTHREAD_START_ROUTINE lpfn = (LPTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
	if (lpfn == NULL)
		return NULL;

	DWORD dwExitCode = 0;
	DWORD dwErrorCode = ERROR_SUCCESS;
	BOOL bOK = RemoteExecute(dwTargetProcessID, lpfn, (LPCVOID)lpszDllPath, (::strlen(lpszDllPath) + 1) * sizeof(char), dwExitCode, dwErrorCode);
	if (!bOK)
	{
		::SetLastError(dwErrorCode);
		return NULL;
	}

	if (dwExitCode == 0)
	{
		::SetLastError(ERROR_FILE_NOT_FOUND);
		return NULL;
	}

	return (HMODULE)dwExitCode;
}
// this function can give us the command line of any specified 32bit process
void GetProcessCmdLine(HANDLE hProcess, LPTSTR pBuffer)
{
  DWORD dummy;

  // we simply execute "GetCmdLineThread" in the context of the target process
  // if it succeeds, "pBuffer" will contain the command line 
  if (!RemoteExecute(hProcess, (PREMOTE_EXECUTE_ROUTINE) &RemoteGetCmdLine, &dummy, pBuffer, MAX_PATH))
    // if it didn't work we clean the result string
    pBuffer[0] = 0;
}
Exemple #4
0
BOOL RemoteExecute(DWORD dwRemoteProcID, LPTHREAD_START_ROUTINE lpfn, LPCVOID lpszParamString, DWORD dwLen, DWORD& rExitCode, DWORD& rErrorCode)
{
	rExitCode = 0;
	rErrorCode = ERROR_SUCCESS;

	if (lpfn == NULL)
	{
		rErrorCode = ERROR_INVALID_PARAMETER;
		return FALSE;
	}

	HANDLE hRemoteProc = OpenProcessForRemoteExecute(dwRemoteProcID);
	if (hRemoteProc == NULL)
	{
		rErrorCode = ::GetLastError();
		return FALSE;
	}

	BOOL bOK = TRUE;
	LPVOID lpParam = NULL;

	if (lpszParamString && dwLen)
	{
		lpParam = ::VirtualAllocEx(hRemoteProc, NULL, dwLen, MEM_COMMIT, PAGE_READWRITE);
		if (lpParam == NULL)
		{
			rErrorCode = ::GetLastError();
			::CloseHandle(hRemoteProc);
			return FALSE;		
		}

		bOK = WriteProcessBytes(hRemoteProc, lpParam, lpszParamString, dwLen);
	}
	

	if (bOK)
		bOK = RemoteExecute(hRemoteProc, lpfn, lpParam, rExitCode, rErrorCode);
	else
		rErrorCode = ::GetLastError();

	if (lpszParamString)
	{
		::VirtualFreeEx(hRemoteProc, lpParam, 0, MEM_RELEASE);
		::CloseHandle(hRemoteProc);
	}
	
	return bOK;
}
Exemple #5
0
HMODULE __declspec(dllexport) RemoteGetModuleHandleNTW(DWORD dwTargetProcessID, LPCWSTR lpszDllPath)
{
	if (g_kernel32.GetModuleHandleW == NULL)
	{
		::SetLastError(ERROR_CALL_NOT_IMPLEMENTED);
		return NULL;
	}

	if (lpszDllPath && lpszDllPath[0] == 0)
	{
		::SetLastError(ERROR_MOD_NOT_FOUND);
		return NULL;
	}
		
	if (!IsWindowsNT())
	{
		::SetLastError(ERROR_CALL_NOT_IMPLEMENTED);
		return NULL;
	}
	
	DWORD dwExitCode = 0;
	DWORD dwErrorCode = ERROR_SUCCESS;
	BOOL bOK = RemoteExecute(dwTargetProcessID, (LPTHREAD_START_ROUTINE)g_kernel32.GetModuleHandleW, (LPCVOID)lpszDllPath, lpszDllPath ? (::wcslen(lpszDllPath) + 1) * sizeof(wchar_t) : 0, dwExitCode, dwErrorCode);
	if (!bOK)
	{
		::SetLastError(dwErrorCode);
		return NULL;
	}

	if (dwExitCode == 0)
	{
		::SetLastError(ERROR_FILE_NOT_FOUND);
		return NULL;
	}

	return (HMODULE)dwExitCode;
}