#include "stdafx.h"
#include <windows.h>
#include <iostream>
#include <tlhelp32.h>
// Function-pointer types for the two kernel32 exports that threadstart calls
// through INJECTSTRUCT; main resolves them with GetProcAddress because the
// copied code runs in another process and cannot use this image's imports.
typedef HINSTANCE (__stdcall *fpLoadLibrary)(char*);
typedef LPVOID (__stdcall *fpGetProcAddress)(HINSTANCE, char*);
// Signature assumed for the export named in INJECTSTRUCT::func.
typedef void (*fpFunktion)(void);
// Parameter block that main writes verbatim into the target process with
// WriteProcessMemory and passes as the remote thread's argument. Its layout
// is therefore part of the data contract between the two sides: do not
// reorder or resize members.
struct INJECTSTRUCT
{
fpLoadLibrary LoadLibrary;       // resolved LoadLibraryA (filled in main)
fpGetProcAddress GetProcAddress; // resolved GetProcAddress (filled in main)
char path[255];                  // DLL path handed to LoadLibrary in threadstart
char func[255];                  // export name handed to GetProcAddress in threadstart
};
// Runs inside the target process. main copies this function's bytes (up to
// threadend) into memory allocated there and starts them with
// CreateRemoteThread, passing the remote INJECTSTRUCT copy as addr.
// It must stay self-contained: the only outside code it touches is the two
// kernel32 pointers carried in INJECTSTRUCT. Left byte-identical on purpose,
// since any restyle would change the machine code that gets copied.
// addr: pointer to the INJECTSTRUCT in the remote process. Always returns 0.
DWORD WINAPI threadstart(LPVOID addr)
{
HINSTANCE hDll;
fpFunktion funktion;
INJECTSTRUCT * is = (INJECTSTRUCT*)addr;
hDll = is->LoadLibrary(is->path);
// NOTE(review): neither hDll nor the looked-up pointer is checked before the call.
funktion = (fpFunktion)is->GetProcAddress(hDll, is->func);
funktion();
return 0;
}
// Empty marker whose address main subtracts from threadstart's to get the
// number of bytes to copy. This relies on the linker placing the two
// functions adjacently and in source order, which nothing guarantees.
void threadend()
{
}
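// Returns the process id of the first process whose image name equals
// processName (exact, case-sensitive comparison, as in the original), or 0
// when no such process exists or the snapshot cannot be taken.
// processName: image file name as stored in PROCESSENTRY32::szExeFile
//              (name only, no path).
DWORD FindProcessId(const std::wstring& processName)
{
    PROCESSENTRY32 processInfo{};
    processInfo.dwSize = sizeof(processInfo);

    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
        return 0;

    DWORD pid = 0;
    // Process32First must succeed before the entry is meaningful; the
    // original ignored its return value and compared an unfilled entry.
    for (BOOL ok = Process32First(snapshot, &processInfo); ok;
         ok = Process32Next(snapshot, &processInfo))
    {
        if (processName.compare(processInfo.szExeFile) == 0)
        {
            pid = processInfo.th32ProcessID;
            break;
        }
    }

    // Single exit so the snapshot handle is released on every path; the
    // original leaked it whenever no process matched.
    CloseHandle(snapshot);
    return pid;
}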
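// Attempts to enable SeDebugPrivilege in the current process token using the
// standard AdjustTokenPrivileges sequence. Silent on failure, like the
// original (void return), but no longer closes an uninitialised handle.
void EnableDebugPrivilege()
{
    HANDLE hToken = NULL;
    // The original called CloseHandle on hToken even when OpenProcessToken had
    // failed and left it uninitialised.
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return;

    TOKEN_PRIVILEGES tkp{};
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid))
    {
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // AdjustTokenPrivileges returns TRUE even when the token does not hold
        // the privilege (GetLastError() == ERROR_NOT_ALL_ASSIGNED); callers
        // that need certainty have to check that themselves.
        AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL);
    }
    CloseHandle(hToken);
}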
// Entry point: resolves the kernel32 exports, fills INJECTSTRUCT, looks up
// explorer.exe, allocates RWX memory there, copies the struct and the bytes
// of threadstart, and starts them with CreateRemoteThread.
// From a defender's view this is the textbook OpenProcess ->
// VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory ->
// CreateRemoteThread chain that endpoint monitoring alerts on.
int main()
{
HANDLE hProc;
LPVOID start, thread;
DWORD funcsize;
HINSTANCE hDll;
INJECTSTRUCT is;
DWORD id;
EnableDebugPrivilege();
hDll = LoadLibrary(L"KERNEL32.dll");
// NOTE(review): hDll and both GetProcAddress results are stored unchecked.
is.LoadLibrary = (fpLoadLibrary)GetProcAddress(hDll, "LoadLibraryA");
is.GetProcAddress = (fpGetProcAddress)GetProcAddress(hDll, "GetProcAddress");
strcpy_s(is.path, "DLL.dll");
strcpy_s(is.func, "Funktion");
// Number of bytes to copy, assuming threadend directly follows threadstart.
funcsize = (DWORD)threadend-(DWORD)threadstart;
id = FindProcessId(L"explorer.exe");
// NOTE(review): id == 0 (not found) and hProc == NULL are never checked; every
// later call then runs against an invalid handle.
hProc = OpenProcess( // Thanks to Cypher
PROCESS_QUERY_INFORMATION | // Required by Alpha
PROCESS_CREATE_THREAD | // For CreateRemoteThread
PROCESS_VM_OPERATION | // For VirtualAllocEx/VirtualFreeEx
PROCESS_VM_WRITE, // For WriteProcessMemory
FALSE, id);
// NOTE(review): %x with a HANDLE/LPVOID argument is undefined behaviour;
// %p is the matching conversion for the two pointer prints below.
printf("Prozess ID: %x\n", id);
printf("Prozess Handle: %x\n", hProc);
// One allocation holds the struct followed by the copied code.
start = VirtualAllocEx(hProc, 0, funcsize+sizeof(INJECTSTRUCT), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
printf("Memory: %x\n", start);
WriteProcessMemory(hProc, start, (LPVOID)&is, sizeof(INJECTSTRUCT), NULL);
thread = (LPVOID)((DWORD)start+sizeof(INJECTSTRUCT));
WriteProcessMemory(hProc, thread, (LPVOID)threadstart, funcsize, NULL);
CreateRemoteThread(hProc, 0, 0, (LPTHREAD_START_ROUTINE)thread, start, 0, 0); // returns 0 due to wrong handle
//retuns 5 due to wrong handle ?
// NOTE(review): printf(c) uses a variable as the format string;
// printf("%lu\n", GetLastError()) is the direct form and also removes the
// 10-byte buffer, which an 11-character %d rendering of a large DWORD overflows.
char c[10];
sprintf(c, "%d", GetLastError());
printf(c);
CloseHandle(hProc);
getchar();
return 0;
}