here is the complete program b
Code:
#include <iostream>
#include <fstream>
#include <string>
#include <windows.h>
#include <Tlhelp32.h>
using namespace std;
#pragma comment(lib, "User32.lib")
#pragma comment(lib, "Advapi32.lib")
void EnableDebugPrivilege()
{
// Open the local process's privilege token
void* Token = nullptr;
TOKEN_PRIVILEGES Privileges;
if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, reinterpret_cast<void**>(&Token)) == 0)
{
throw exception("Unable to open the local process token.");
}
// Set the value of SeDebugPrivilege to enabled
Privileges.PrivilegeCount = 1;
LookupPrivilegeValue(nullptr, "SeDebugPrivilege", &Privileges.Privileges[0].Luid);
Privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if(AdjustTokenPrivileges(Token, 0, &Privileges, sizeof(Privileges), nullptr, nullptr) == 0)
{
CloseHandle(Token);
throw exception("Unable to enable the debug privilege.");
}
CloseHandle(Token);
}
DWORD GetPID(char* procName)
{
HANDLE hProcessSnap;
PROCESSENTRY32 pe32;
// Take a snapshot of all processes in the system.
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if( hProcessSnap == INVALID_HANDLE_VALUE )
return 0;
// Set the size of the structure before using it.
pe32.dwSize = sizeof(PROCESSENTRY32);
// Retrieve information about the first process,
if(!Process32First(hProcessSnap, &pe32))
return 0;
do
{
if(strcmp(pe32.szExeFile, procName) == 0)
{
DWORD pid = pe32.th32ProcessID;
CloseHandle(hProcessSnap);
return pid;
}
} while(Process32Next(hProcessSnap, &pe32));
CloseHandle(hProcessSnap);
return 0;
}
DWORD GetBaseAddress(DWORD pid)
{
HANDLE phandle = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
MODULEENTRY32 module;
module.dwSize = sizeof(MODULEENTRY32);
Module32First(phandle, &module);
CloseHandle(phandle);
return reinterpret_cast<unsigned int>(module.modBaseAddr);
}
void InjectModule()
{
try
{
unsigned int ProcessID = GetPID("a.exe");
// Get a handle to the process
void* ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, false, ProcessID);
if(ProcessHandle == nullptr)
{
throw exception("Module injection failed: Unable to open a handle to the target process.");
}
int parameter = 5;
void* AllocatedMemory = VirtualAllocEx(ProcessHandle, nullptr, sizeof(int), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if(AllocatedMemory == nullptr)
{
CloseHandle(ProcessHandle);
throw exception("Module injection failed: Unable to allocate memory in the target process.");
}
WriteProcessMemory(ProcessHandle, AllocatedMemory, ¶meter, sizeof(int), nullptr);
DWORD base = GetBaseAddress(ProcessID);
DWORD functionptr = base + 0x1000; // function offset may diff for diff compiler
void* ThreadHandle =
CreateRemoteThread(ProcessHandle, nullptr, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(functionptr), AllocatedMemory, 0, nullptr);
if(ThreadHandle == nullptr)
{
CloseHandle(ProcessHandle);
throw exception("Module injection failed: Unable to create thread in the target process.");
}
PostQuitMessage(0);
}
catch(exception Exception)
{
puts(Exception.what());
}
return;
}
int main ()
{
EnableDebugPrivilege();
InjectModule();
return 0;
}