/*
 * Write the path held in HOOK_EXPLORER_DLL_PATHA (a macro defined elsewhere)
 * into hProcess and start LoadLibraryA on it through MyCreateRemoteThread()
 * (defined elsewhere; whether it waits for the remote thread is not visible
 * here).
 *
 * hProcess: handle to the target process; it must already carry the access
 *           rights VirtualAllocEx/WriteProcessMemory/thread creation need.
 * Returns true on success, false on any failure. Failures are reported via
 * LogMsg() (defined elsewhere) together with the GetLastError() code.
 *
 * Review notes:
 *  - The remote buffer is released only on the WriteProcessMemory failure
 *    path; on the GetProcAddress / thread-creation failure paths it stays
 *    committed in the target.
 *  - CloseHandle() is applied to the HMODULE returned by GetModuleHandle().
 *    An HMODULE is a module base address, not a kernel handle, so the call
 *    fails with ERROR_INVALID_HANDLE (and raises an exception under a
 *    debugger). Both calls should simply be dropped.
 *  - &dwRes is a DWORD* passed where WriteProcessMemory takes SIZE_T*; the
 *    two types differ on 64-bit builds (a C++ compile error, or a too-small
 *    out-parameter if the mismatch is cast away).
 *  - Detection note: the sequence VirtualAllocEx -> WriteProcessMemory ->
 *    remote thread on LoadLibraryA is the classic DLL-injection chain; the
 *    cross-process memory write followed by thread creation is what
 *    endpoint monitoring keys on.
 */
bool InjectThread(HANDLE hProcess)
{
    CHAR szDllName[MAX_PATH] = HOOK_EXPLORER_DLL_PATHA;
    // strlen()+1 reserves room for the terminator. VirtualAllocEx commits
    // zero-filled pages, so the NUL is present even though the write below
    // copies only strlen() bytes.
    LPVOID lpDllNameAddr = VirtualAllocEx(hProcess, NULL, strlen(szDllName)+1, MEM_COMMIT, PAGE_READWRITE);
    if(lpDllNameAddr == NULL)
    {
        LogMsg("VirtualAllocEx failed %d\n", GetLastError());
        return false;
    }
    DWORD dwRes = 0;   // NOTE(review): the API wants SIZE_T here (see header).
    bool bRet = WriteProcessMemory(hProcess, lpDllNameAddr, szDllName, strlen(szDllName), &dwRes);
    if(!bRet)
    {
        LogMsg("WriteProcessMemory failed %d\n", GetLastError());
        // MEM_DECOMMIT only decommits the pages; the reservation made above
        // remains. MEM_RELEASE with size 0 would return the whole region.
        VirtualFreeEx(hProcess, lpDllNameAddr, strlen(szDllName)+1, MEM_DECOMMIT);
        return false;
    }
    // hModule is not NULL-checked; GetProcAddress(NULL, ...) returns NULL,
    // so that case surfaces in the else-branch below with a misleading message.
    HMODULE hModule = GetModuleHandle(L"kernel32.dll");
    LPTHREAD_START_ROUTINE lpLoadLibraryAddr = (LPTHREAD_START_ROUTINE)GetProcAddress(hModule, "LoadLibraryA");
    if(lpLoadLibraryAddr != NULL)
    {
        // Earlier direct CreateRemoteThread variant, kept by the author:
        //HANDLE hRemote = CreateRemoteThread(hProcess, NULL, 0, lpLoadLibraryAddr, lpDllNameAddr, 0, NULL);
        //if(hRemote != NULL)
        //{//TODO: can not make sure WaitForSingleObject is necessary
        //    if (WAIT_OBJECT_0 != WaitForSingleObject(hRemote, 200))
        //    {
        //        LogMsg("Remote Thread Terminated Unnormal %d\n", GetLastError());
        //    }
        //    CloseHandle(hRemote);
        //}
        //else
        if( !MyCreateRemoteThread(hProcess, (LPTHREAD_START_ROUTINE)lpLoadLibraryAddr, lpDllNameAddr) )
        {
            LogMsg("Create Remote Thread Failed %d\n", GetLastError());
            // BUG: hModule is not a kernel handle; this call fails (see header).
            // The remote buffer is also not released on this path.
            CloseHandle(hModule);
            return false;
        }
    }
    else
    {
        LogMsg("GetProcAddress failed %d\n", GetLastError());
        // BUG: hModule is not a kernel handle; this call fails (see header).
        // The remote buffer is also not released on this path.
        CloseHandle(hModule);
        return false;
    }
    return true;
}
/*
 * Unload szDllPath from process dwPID by running FreeLibrary on the module's
 * base address inside that process (via MyCreateRemoteThread(), defined
 * elsewhere).
 *
 * dwPID:     target process id.
 * szDllPath: module name or full path; compared case-insensitively against
 *            both MODULEENTRY32::szModule and ::szExePath.
 * Returns TRUE when the remote FreeLibrary thread was created, FALSE
 * otherwise. Errors are formatted into `buf` (a file-scope wide buffer not
 * visible here), shown via MessageBox, and a summary line goes to
 * OutputDebugStringW at the exit label.
 *
 * Review notes:
 *  - GetLastError() at EJECTDLL_EXIT is evaluated after GetProcName() and
 *    _tcscpy_s() have run, so the code reported in the summary may not be
 *    the one from the failing call; capture it at the point of failure.
 *  - The CreateToolhelp32Snapshot failure message is written into buf but
 *    never shown: unlike the other branches it skips MessageBox, and the
 *    exit path overwrites buf before OutputDebugStringW.
 *  - hThread is never assigned, so CloseHandle(hThread) at the end is dead.
 *  - FreeLibrary decrements the module's load count once; a DLL that is
 *    pinned or was loaded more than once stays mapped.
 */
BOOL EjectDll(DWORD dwPID, LPCTSTR szDllPath)
{
    BOOL bMore = FALSE, bFound = FALSE, bRet = FALSE;
    HANDLE hSnapshot = INVALID_HANDLE_VALUE;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    MODULEENTRY32 me = { sizeof(me), };   // dwSize must be set before Module32First
    LPTHREAD_START_ROUTINE pThreadProc = NULL;
    HMODULE hMod = NULL;
    DWORD dwDesiredAccess = 0;
    TCHAR szProcName[MAX_PATH] = { 0, };
    if (INVALID_HANDLE_VALUE == (hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID)))
    {
        // This message is never displayed (see header note).
        wsprintf(buf, L"EjectDll() : CreateToolhelp32Snapshot(%d) failed!!! [%d]\n", dwPID, GetLastError());
        goto EJECTDLL_EXIT;
    }
    // Walk the module list of dwPID looking for szDllPath by name or full path.
    bMore = Module32First(hSnapshot, &me);
    for (; bMore; bMore = Module32Next(hSnapshot, &me))
    {
        if (!_tcsicmp(me.szModule, szDllPath) || !_tcsicmp(me.szExePath, szDllPath))
        {
            bFound = TRUE;
            break;
        }
    }
    if (!bFound)
    {
        wsprintf(buf, L"EjectDll() : There is not %s module in process(%d) memory!!!\n", szDllPath, dwPID);
        MessageBox(NULL, buf, L"error", MB_OK);
        goto EJECTDLL_EXIT;
    }
    dwDesiredAccess = PROCESS_ALL_ACCESS;
    if (!(hProcess = OpenProcess(dwDesiredAccess, FALSE, dwPID)))
    {
        wsprintf(buf, L"EjectDll() : OpenProcess(%d) failed!!! [%d]\n", dwPID, GetLastError());
        MessageBox(NULL, buf, L"error", MB_OK);
        goto EJECTDLL_EXIT;
    }
    // kernel32 is mapped at the same address in every process of a session,
    // which is what makes the local FreeLibrary address usable remotely.
    hMod = GetModuleHandle(L"kernel32.dll");
    if (hMod == NULL)
    {
        wsprintf(buf, L"EjectDll() : GetModuleHandle(\"kernel32.dll\") failed!!! [%d]\n", GetLastError());
        MessageBox(NULL, buf, L"error", MB_OK);
        goto EJECTDLL_EXIT;
    }
    pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hMod, "FreeLibrary");
    if (pThreadProc == NULL)
    {
        wsprintf(buf, L"EjectDll() : GetProcAddress(\"FreeLibrary\") failed!!! [%d]\n", GetLastError());
        MessageBox(NULL, buf, L"error", MB_OK);
        goto EJECTDLL_EXIT;
    }
    // me.modBaseAddr is the module's load address, i.e. the HMODULE value
    // FreeLibrary expects as its single argument.
    if (!MyCreateRemoteThread(hProcess, pThreadProc, me.modBaseAddr))
    {
        wsprintf(buf, L"EjectDll() : MyCreateRemoteThread() failed!!!\n");
        MessageBox(NULL, buf, L"error", MB_OK);
        goto EJECTDLL_EXIT;
    }
    bRet = TRUE;
EJECTDLL_EXIT:
    // GetProcName() is defined elsewhere. The two-argument _tcscpy_s relies on
    // the C++ template overload that deduces the destination size.
    _tcscpy_s(szProcName, GetProcName(dwPID));
    // NOTE(review): GetLastError() here may already have been overwritten by
    // the calls above (see header note).
    wsprintf(buf, L"%s(%d) %s!!! [%d]\n", szProcName, dwPID, bRet ? L"SUCCESS" : L"-->> FAILURE", GetLastError());
    OutputDebugStringW(buf);
    if (hThread) CloseHandle(hThread);   // dead: hThread is never assigned
    if (hProcess) CloseHandle(hProcess);
    if (hSnapshot != INVALID_HANDLE_VALUE) CloseHandle(hSnapshot);
    return bRet;
}
/*
 * Load szDllPath into process dwPID by writing the path into the target and
 * running LoadLibraryW on it (via MyCreateRemoteThread(), defined elsewhere).
 *
 * dwPID:     target process id.
 * szDllPath: NUL-terminated path; copied into the target including its
 *            terminator.
 * Returns TRUE when the remote thread was created, FALSE otherwise. Errors
 * are formatted into `buf` (a file-scope wide buffer not visible here), shown
 * via MessageBox, and a summary line goes to OutputDebugStringW at the exit
 * label.
 *
 * Review notes:
 *  - The wsprintf() at INJECTDLL_EXIT supplies two arguments for three
 *    conversions; the trailing %s reads whatever is on the stack as a string
 *    pointer — undefined behaviour and a likely crash on every call, success
 *    or failure. EjectDll() passes `bRet ? L"SUCCESS" : L"-->> FAILURE"` in
 *    that position; this function should do the same (it also never reports
 *    GetLastError() in the summary).
 *  - wsprintf(szProcName, ...) has no destination bound; it relies on
 *    GetProcName() returning fewer than MAX_PATH characters.
 *  - The exit path releases pRemoteBuf on success as well. Unless
 *    MyCreateRemoteThread() waits for the remote thread, LoadLibraryW may
 *    still be reading the path when it is freed — confirm its semantics.
 *  - hThread is never assigned, so its CloseHandle() is dead.
 *  - bRet only records that the thread was created, not that the DLL
 *    actually loaded; the author's CheckDllInProcess() call is commented out.
 */
BOOL InjectDll(DWORD dwPID, LPCTSTR szDllPath)
{
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    LPVOID pRemoteBuf = NULL;
    // Byte count of the path including the terminator, in this build's TCHAR width.
    DWORD dwBufSize = (DWORD)(_tcslen(szDllPath) + 1) * sizeof(TCHAR);
    LPTHREAD_START_ROUTINE pThreadProc = NULL;
    BOOL bRet = FALSE;
    HMODULE hMod = NULL;
    DWORD dwDesiredAccess = 0;
    TCHAR szProcName[MAX_PATH] = { 0, };
    dwDesiredAccess = PROCESS_ALL_ACCESS;
    //dwDesiredAccess = MAXIMUM_ALLOWED;
    if (!(hProcess = OpenProcess(dwDesiredAccess, FALSE, dwPID)))
    {
        wsprintf(buf, L"InjectDll() : OpenProcess(%d) failed!!! [%d]\n", dwPID, GetLastError());
        MessageBox(NULL, buf, L"error", MB_OK);
        goto INJECTDLL_EXIT;
    }
    pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE);
    if (pRemoteBuf == NULL)
    {
        wsprintf(buf, L"InjectDll() : VirtualAllocEx() failed!!! [%d]\n", GetLastError());
        MessageBox(NULL, buf, L"error", MB_OK);
        goto INJECTDLL_EXIT;
    }
    if (!WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllPath, dwBufSize, NULL))
    {
        wsprintf(buf, L"InjectDll() : WriteProcessMemory() failed!!! [%d]\n", GetLastError());
        MessageBox(NULL, buf, L"error", MB_OK);
        goto INJECTDLL_EXIT;
    }
    hMod = GetModuleHandle(L"kernel32.dll");
    if (hMod == NULL)
    {
        wsprintf(buf, L"InjectDll() : GetModuleHandle(\"kernel32.dll\") failed!!! [%d]\n", GetLastError());
        MessageBox(NULL, buf, L"error", MB_OK);
        goto INJECTDLL_EXIT;
    }
    // The wide variant matches the TCHAR path written above (UNICODE build).
    pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hMod, "LoadLibraryW");
    if (pThreadProc == NULL)
    {
        wsprintf(buf, L"InjectDll() : GetProcAddress(\"LoadLibraryW\") failed!!! [%d]\n", GetLastError());
        MessageBox(NULL, buf, L"error", MB_OK);
        goto INJECTDLL_EXIT;
    }
    if (!MyCreateRemoteThread(hProcess, pThreadProc, pRemoteBuf))
    {
        wsprintf(buf, L"InjectDll() : MyCreateRemoteThread() failed!!!\n");
        MessageBox(NULL, buf, L"error", MB_OK);
        goto INJECTDLL_EXIT;
    }
    bRet = TRUE;
    // bRet = CheckDllInProcess(dwPID, szDllPath);
INJECTDLL_EXIT:
    // GetProcName() is defined elsewhere; no length bound on this copy (see header).
    wsprintf(szProcName, L"%s", GetProcName(dwPID));
    if (szProcName[0] == '\0') _tcscpy_s(szProcName, L"(no_process)");
    // BUG: three conversions, two arguments — the third %s reads garbage (see header).
    wsprintf(buf, L"%s(%d) %s!!!\n", szProcName, dwPID);
    OutputDebugStringW(buf);
    // pRemoteBuf is only non-NULL once hProcess was opened, so hProcess is valid here.
    if (pRemoteBuf) VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);
    if (hThread) CloseHandle(hThread);   // dead: hThread is never assigned
    if (hProcess) CloseHandle(hProcess);
    return bRet;
}
/*
 * Narrow-string overload: inject szDllName into process dwPID through a
 * remote LoadLibraryA thread (MyCreateRemoteThread(), defined elsewhere).
 *
 * NOTE(review): the char* literals used with TCHAR APIs here (stricmp on
 * szExeFile, si.lpDesktop) only compile in a non-UNICODE build, whereas the
 * LPCTSTR overload above uses L"" strings with wsprintf — these look like
 * fragments from different translation units; confirm against the real build.
 *
 * dwPID:     target process id.
 * szDllName: NUL-terminated path; copied including its terminator.
 * Returns TRUE when the remote thread was created, FALSE otherwise.
 *
 * Review notes (each point is marked in the body):
 *  - Everything from the winlogon lookup through CreateEnvironmentBlock() is
 *    leftover from a "LaunchAppIntoDifferentSession" routine (see the debug
 *    string): si, pi, dwCreationFlags, pEnv and the duplicated token are never
 *    used afterwards — no CreateProcess* call follows. The sequence opens a
 *    winlogon handle and duplicates its token for nothing, ignores every
 *    error, and leaks hSnap, hModuleWTS and pEnv. It should be deleted rather
 *    than repaired.
 *  - hUserToken, hUserTokenDup, hPToken and hProcess are never initialised;
 *    when the lookups fail they hold garbage that reaches CloseHandle() at
 *    the end.
 *  - The injection proper opens dwPID as hProcess2 but allocates, writes and
 *    starts the thread through hProcess (the winlogon handle, NULL if
 *    winlogon was not found), then frees the buffer through hProcess2. The
 *    two handles refer to different processes.
 *  - GetModuleHandle("kernel32.dl") is misspelled and, like VirtualAllocEx,
 *    WriteProcessMemory and GetProcAddress here, its result is unchecked.
 *  - The printf messages are mis-encoded (GBK bytes shown as Latin-1) and end
 *    in "/n" rather than "\n"; left untouched because they are runtime
 *    strings.
 *  - Every early return leaks hSnap, and the later ones hProcess2 and the
 *    remote buffer as well.
 */
BOOL InjectDll(DWORD dwPID, char *szDllName)
{
    HANDLE hProcess2 = NULL;
    LPVOID pRemoteBuf = NULL;
    FARPROC pThreadProc = NULL;
    PROCESS_INFORMATION pi;   // never used
    STARTUPINFO si;           // filled in but never used
    BOOL bResult = FALSE;     // never used
    DWORD dwSessionId = -1;   // DWORD: wraps to 0xFFFFFFFF
    DWORD winlogonPid = -1;   // likewise; compared against -1 below
    HANDLE hUserToken,hUserTokenDup,hPToken,hProcess;   // uninitialised (see header)
    DWORD dwCreationFlags;
    TCHAR wcQMountPath[256];   // never used
    TCHAR wcQMountArgs[256];   // never used
    memset(wcQMountPath,0,sizeof(wcQMountPath));
    memset(wcQMountArgs,0,sizeof(wcQMountArgs));
    //dwSessionId = WTSGetActiveConsoleSessionId();
    // Resolve WTSGetActiveConsoleSessionId dynamically instead of the direct
    // call the author commented out above.
    HMODULE hModuleKern = LoadLibrary( TEXT("KERNEL32.dll") );
    if( hModuleKern != NULL )
    {
        DWORD (__stdcall *funcWTSGetActiveConsoleSessionId) (void);
        funcWTSGetActiveConsoleSessionId = (DWORD (__stdcall *)(void))GetProcAddress( hModuleKern, "WTSGetActiveConsoleSessionId" );
        if( funcWTSGetActiveConsoleSessionId != NULL )
        {
            dwSessionId = funcWTSGetActiveConsoleSessionId();
        }
    }
    if( hModuleKern != NULL )
    {
        // Release the loaded DLL.
        FreeLibrary( hModuleKern );
    }
    OutputDebugStringA("LaunchAppIntoDifferentSession is called.\n");
    //
    // Find the winlogon process
    //
    PROCESSENTRY32 procEntry;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE){
        return FALSE;
    }
    procEntry.dwSize = sizeof(PROCESSENTRY32);
    if (!Process32First(hSnap, &procEntry)){
        return FALSE;   // leaks hSnap
    }
    do
    {
        if (stricmp(procEntry.szExeFile, "winlogon.exe") == 0)
        {
            //
            // We found a winlogon process...make sure it's running in the console session
            //
            DWORD winlogonSessId = 0;
            if (ProcessIdToSessionId(procEntry.th32ProcessID, &winlogonSessId) && winlogonSessId == dwSessionId){
                winlogonPid = procEntry.th32ProcessID;
                break;
            }
        }
    } while (Process32Next(hSnap, &procEntry));
    // hSnap is never closed on any path from here on.
    if (-1 == winlogonPid)
    {
        // Empty: a missing winlogon is not handled. OpenProcess below then
        // receives pid 0xFFFFFFFF and hProcess ends up NULL.
    }
    //WTSQueryUserToken(dwSessionId,&hUserToken);
    BOOL (__stdcall *funcWTSQueryUserToken) (ULONG, PHANDLE);   // shadowed by the inner declaration; never used
    HMODULE hModuleWTS = LoadLibrary( TEXT("Wtsapi32.dll") );
    if( hModuleWTS != NULL )
    {
        BOOL (__stdcall *funcWTSQueryUserToken) (ULONG, PHANDLE);
        funcWTSQueryUserToken = (BOOL (__stdcall *)(ULONG, PHANDLE))GetProcAddress( hModuleWTS, "WTSQueryUserToken" );
        if( funcWTSQueryUserToken != NULL )
        {
            // Result unchecked; hUserToken stays uninitialised on failure.
            funcWTSQueryUserToken(dwSessionId,&hUserToken);
        }
    }
    if( hModuleWTS != NULL )
    {
        // Release the loaded DLL. BUG: this frees hModuleKern (already
        // released above) instead of hModuleWTS, which therefore leaks.
        FreeLibrary( hModuleKern );
    }
    // ---- dead "launch in another session" remnants: nothing below consumes
    // si, pi, dwCreationFlags, pEnv or hUserTokenDup (see header) ----
    dwCreationFlags = NORMAL_PRIORITY_CLASS|CREATE_NEW_CONSOLE;
    ZeroMemory(&si, sizeof(STARTUPINFO));
    si.cb= sizeof(STARTUPINFO);
    si.lpDesktop = "winsta0\\default";
    ZeroMemory(&pi, sizeof(pi));
    TOKEN_PRIVILEGES tp;
    LUID luid;
    // hProcess is NULL when winlogon was not found; every failure in this
    // stretch is silently ignored (the author's logging is commented out).
    hProcess = OpenProcess(MAXIMUM_ALLOWED,FALSE,winlogonPid);
    if( !::OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY|TOKEN_DUPLICATE| TOKEN_ASSIGN_PRIMARY|TOKEN_ADJUST_SESSIONID|TOKEN_READ|TOKEN_WRITE, &hPToken))
    {
        //OutputDebugPrintf("Failed[LaunchAppIntoDifferentSession]: OpenProcessToken(Error=%d)\n",GetLastError());
    }
    if (!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&luid))
    {
        //OutputDebugPrintf("Failed[LaunchAppIntoDifferentSession]:LookupPrivilegeValue.(Error=%d)\n",GetLastError());
    }
    tp.PrivilegeCount =1;
    tp.Privileges[0].Luid =luid;
    tp.Privileges[0].Attributes =SE_PRIVILEGE_ENABLED;
    DuplicateTokenEx(hPToken,MAXIMUM_ALLOWED,NULL,SecurityIdentification,TokenPrimary,&hUserTokenDup);
    int dup = GetLastError();   // never used
    //
    //Adjust Token privilege
    //
    SetTokenInformation(hUserTokenDup,TokenSessionId,(void*)dwSessionId,sizeof(DWORD));
    if (!AdjustTokenPrivileges(hUserTokenDup,FALSE,&tp,sizeof(TOKEN_PRIVILEGES),(PTOKEN_PRIVILEGES)NULL,NULL))
    {
        //OutputDebugPrintf("Failed[LaunchAppIntoDifferentSession]: AdjustTokenPrivileges.(Error=%d)\n",GetLastError());
    }
    if (GetLastError()== ERROR_NOT_ALL_ASSIGNED)
    {
        //OutputDebugPrintf("Failed[LaunchAppIntoDifferentSession]: Token does not have the provilege\n");
    }
    LPVOID pEnv =NULL;
    if(CreateEnvironmentBlock(&pEnv,hUserTokenDup,TRUE)){
        dwCreationFlags |= CREATE_UNICODE_ENVIRONMENT;
    }
    else
    {
        pEnv=NULL;
    }
    // pEnv is neither passed anywhere nor released with DestroyEnvironmentBlock.
    // ---- the injection proper ----
    DWORD dwBufSize = strlen(szDllName)+1;   // includes the terminator
    if ( !(hProcess2 = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)) )
    {
        // Mis-encoded message ("[Error] OpenProcess(%d) call failed! Error code: [%d]"); "/n" typo.
        printf("[´íÎó] OpenProcess(%d) µ÷ÓÃʧ°Ü£¡´íÎó´úÂë: [%d]/n", dwPID, GetLastError());
        return FALSE;   // leaks hSnap and the token handles above
    }
    // BUG: hProcess (the winlogon handle, possibly NULL) is used for the
    // allocation, the write and the thread, but hProcess2 (dwPID) for the
    // release below. None of the three results here is checked.
    pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllName, dwBufSize, NULL);
    // BUG: "kernel32.dl" is misspelled, so GetModuleHandle returns NULL and
    // pThreadProc is NULL; neither is checked before use.
    pThreadProc = GetProcAddress(GetModuleHandle("kernel32.dl"), "LoadLibraryA");
    if( !MyCreateRemoteThread(hProcess, (LPTHREAD_START_ROUTINE)pThreadProc, pRemoteBuf) )
    {
        // Mis-encoded message ("[Error] CreateRemoteThread() call failed! Error code: [%d]"); "/n" typo.
        printf("[´íÎó] CreateRemoteThread() µ÷ÓÃʧ°Ü£¡´íÎó´úÂë: [%d]/n", GetLastError());
        return FALSE;   // leaks pRemoteBuf, hProcess2, hSnap and the token handles
    }
    VirtualFreeEx(hProcess2, pRemoteBuf, 0, MEM_RELEASE);
    CloseHandle(hProcess2);
    CloseHandle(hProcess);
    CloseHandle(hUserToken);      // may be uninitialised (see header)
    CloseHandle(hUserTokenDup);   // may be uninitialised (see header)
    CloseHandle(hPToken);         // may be uninitialised (see header)
    return TRUE;
}