| #include<iostream> #include<windows.h> #include<tchar.h>
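// Starts a thread in hProcess through ntdll!NtCreateThreadEx (instead of the
// documented CreateRemoteThread) and blocks until that thread exits.
//
// Ownership: this function takes over hProcess and closes it on EVERY path,
// success or failure; the caller must not touch the handle afterwards.
//
// pThreadProc: start address that must be valid inside the TARGET process
//   (the caller passes a kernel32 export resolved in this process).
// pRemoteBuf:  thread argument, a pointer in the target's address space.
// Returns true only if the thread was created and has finished.
//
// NOTE(review): NtCreateThreadEx is undocumented; the prototype below is the
// commonly published one and is not guaranteed across Windows builds. The
// INFINITE wait never returns if the injected code blocks in its DllMain.
bool modifiedCreateRemoteThread(HANDLE hProcess, LPTHREAD_START_ROUTINE pThreadProc, LPVOID pRemoteBuf) {
    // NtCreateThreadEx returns an NTSTATUS: a signed 32-bit value where
    // negative means failure. The original typedef used DWORD, which made a
    // success check impossible and the return value was never looked at.
    using PFNTCREATETHREADEX = LONG(WINAPI*)(
        PHANDLE ThreadHandle,
        ACCESS_MASK DesiredAccess,
        LPVOID ObjectAttributes,
        HANDLE ProcessHandle,
        LPTHREAD_START_ROUTINE lpStartAddress,
        LPVOID lpParameter,
        ULONG CreateThreadFlags,
        SIZE_T ZeroBits,
        SIZE_T StackSize,
        SIZE_T MaximumStackSize,
        LPVOID pUnknown);

    FARPROC pNtCreateThreadEx = GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtCreateThreadEx");
    if (!pNtCreateThreadEx) {
        printf("NtCreateThreadEx not found");
        CloseHandle(hProcess);
        return false;
    }
    auto crt = reinterpret_cast<PFNTCREATETHREADEX>(pNtCreateThreadEx);

    // Must be initialised: a failed call may leave the out-parameter untouched,
    // and the original code tested an uninitialised handle here.
    HANDLE hThread = nullptr;
    // THREAD_ALL_ACCESS is more than needed; SYNCHRONIZE alone would satisfy
    // WaitForSingleObject below. Kept for compatibility with the original.
    const LONG status = crt(&hThread, THREAD_ALL_ACCESS, nullptr, hProcess, pThreadProc, pRemoteBuf,
                            0, 0, 0, 0, nullptr);
    if (status < 0 || hThread == nullptr) {  // NT_SUCCESS() without pulling in ntstatus.h
        printf("create thread failed");
        CloseHandle(hProcess);
        return false;
    }

    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
    return true;
}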
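// Loads the DLL at szDllPath into process dwPID: the path is copied into the
// target, then a remote thread is started at kernel32!LoadLibrary with the
// copied path as its argument.
//
// Returns TRUE only when the remote thread actually ran to completion; the
// original returned TRUE unconditionally, so callers reported "success" even
// when thread creation had failed.
//
// Opening another user's or an elevated process with PROCESS_ALL_ACCESS
// requires SeDebugPrivilege; OpenProcess fails otherwise.
int inject(DWORD dwPID, LPCTSTR szDllPath) {
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
    if (!hProcess) {
        _tprintf(_T("open %lu failed\n"), dwPID);  // DWORD is unsigned long
        return FALSE;
    }

    // Path plus NUL terminator, in bytes, at this build's character width.
    const DWORD dwBufSize = static_cast<DWORD>((_tcslen(szDllPath) + 1) * sizeof(TCHAR));
    LPVOID pBuf = VirtualAllocEx(hProcess, nullptr, dwBufSize, MEM_COMMIT, PAGE_READWRITE);
    if (pBuf == nullptr) {
        _tprintf(_T("memory alloc failed\n"));
        CloseHandle(hProcess);
        return FALSE;
    }

    // The original ignored this return value and would have started
    // LoadLibrary on an unwritten buffer.
    if (!WriteProcessMemory(hProcess, pBuf, szDllPath, dwBufSize, nullptr)) {
        _tprintf(_T("write memory failed\n"));
        VirtualFreeEx(hProcess, pBuf, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return FALSE;
    }

    HMODULE kernel = GetModuleHandleW(L"kernel32.dll");
    if (kernel == nullptr) {
        VirtualFreeEx(hProcess, pBuf, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return FALSE;
    }
    // The buffer holds TCHARs, so the loader export must match the character
    // width of this build (the original hard-coded LoadLibraryW, which only
    // works for UNICODE builds). The local export address is reused in the
    // target on the assumption that kernel32 shares a base across processes;
    // that assumption is inherited from the original design.
    const char* loaderName = (sizeof(TCHAR) == sizeof(wchar_t)) ? "LoadLibraryW" : "LoadLibraryA";
    auto pThreadProc = reinterpret_cast<LPTHREAD_START_ROUTINE>(GetProcAddress(kernel, loaderName));
    if (pThreadProc == nullptr) {
        _tprintf(_T("LoadLibrary not found\n"));
        VirtualFreeEx(hProcess, pBuf, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return FALSE;
    }

    // Ownership of hProcess passes to modifiedCreateRemoteThread, which closes
    // it; the remote buffer therefore cannot be released here and stays mapped
    // in the target (one small allocation).
    const bool status = modifiedCreateRemoteThread(hProcess, pThreadProc, pBuf);
    return status ? TRUE : FALSE;
}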
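// Command-line entry point: `<program> pid dll_path`.
// Exit status is 0 on successful injection, 1 on usage error, bad PID or
// injection failure (the original always exited 0, so scripts could not
// tell failure from success).
int _tmain(int argc, TCHAR* argv[]) {
    if (argc != 3) {
        _tprintf(_T("USAGE: %s pid dll_path\n"), argv[0]);
        return 1;
    }

    // Parse the PID strictly: _tstol returned 0 for non-numeric input, which
    // then silently became OpenProcess(0).
    TCHAR* end = nullptr;
    const unsigned long pid = _tcstoul(argv[1], &end, 10);
    if (end == argv[1] || *end != _T('\0') || pid == 0) {
        _tprintf(_T("invalid pid: %s\n"), argv[1]);
        return 1;
    }

    const bool ok = inject(static_cast<DWORD>(pid), argv[2]) != 0;
    if (ok)
        _tprintf(_T("inject %s success!\n"), argv[2]);
    else
        _tprintf(_T("inject %s failed! \n"), argv[2]);
    return ok ? 0 : 1;
}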