Three DLL injection (DLLI) implementations (and one that is not implemented yet)
#include <Windows.h>
/* Function-pointer types for two undocumented ntdll exports that are resolved
   at run time with GetProcAddress. Parameter names follow the commonly
   published prototypes; NOTE(review): the DWORD/LPDWORD types used below for
   RtlCreateUserThread (where published prototypes use BOOLEAN/ULONG/SIZE_T*)
   are the gist's own choice and are not verified against an SDK header. */
typedef NTSTATUS (NTAPI *NtCreateThreadExDef)(
    OUT LPHANDLE ThreadHandle,
    IN ACCESS_MASK DesiredAccess,
    IN PVOID ObjectAttributes,
    IN HANDLE ProcessHandle,
    IN PVOID StartRoutine,
    IN PVOID Argument,
    IN ULONG CreateFlags,
    IN SIZE_T ZeroBits,
    IN SIZE_T StackSize,
    IN SIZE_T MaximumStackSize,
    OUT PVOID AttributeList);

typedef NTSTATUS (NTAPI *RtlCreateUserThreadDef)(
    IN HANDLE ProcessHandle,
    IN LPVOID SecurityDescriptor,
    IN DWORD CreateSuspended,
    IN DWORD StackZeroBits,
    IN OUT LPDWORD StackReserved,
    IN OUT LPDWORD StackCommit,
    IN LPVOID StartAddress,
    IN LPVOID StartParameter,
    OUT LPHANDLE ThreadHandle,
    OUT LPDWORD ClientId);
/* Thread-creation primitive InjectDLLToProcess uses to run LoadLibraryA
   inside the target process. Values are explicit so callers that persist or
   log them get the same numbering the original implicit enum produced. */
typedef enum {
    DLLI_BASIC_CREATEREMOTETHREAD = 0, /* kernel32!CreateRemoteThread (documented API) */
    DLLI_NTCREATETHREADEX         = 1, /* ntdll!NtCreateThreadEx */
    DLLI_RTLCREATEUSERTHREAD      = 2, /* ntdll!RtlCreateUserThread */
    DLLI_SUSPENDINJECTRESUME      = 3  /* reserved; not implemented */
} DLLIMETHOD;
//Does not enable SeDebugPrivilege -- SeDebugPrivilege may be necessary to open and inject into some processes (e.g. those running as another user or as SYSTEM); enable it before OpenProcess
//You also need a process handle with at least the PROCESS_CREATE_THREAD, PROCESS_VM_WRITE and PROCESS_VM_OPERATION access rights (CreateRemoteThread's documentation additionally lists PROCESS_QUERY_INFORMATION and PROCESS_VM_READ)
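/*
 * Inject a DLL into another process by running kernel32!LoadLibraryA on a
 * new thread created inside that process with one of several primitives.
 *
 * hProcess   - handle to the target, opened by the caller with at least
 *              PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION and
 *              PROCESS_VM_WRITE (CreateRemoteThread's documentation also
 *              lists PROCESS_QUERY_INFORMATION and PROCESS_VM_READ).
 *              SeDebugPrivilege is NOT enabled here; the caller must enable
 *              it before OpenProcess when the target requires it.
 * lpDllPath  - NUL-terminated ANSI path of the DLL. It is resolved by the
 *              target's loader, using the target's working directory and
 *              search order, so pass an absolute path. Non-ANSI characters
 *              cannot be expressed through LoadLibraryA.
 * dlliMethod - thread-creation primitive to use (see DLLIMETHOD).
 *
 * Returns the remote thread's exit code, i.e. the HMODULE LoadLibraryA
 * returned inside the target (only its low 32 bits on a 64-bit target, so
 * treat the value as a non-zero/zero success flag there); 0 on any failure;
 * and (DWORD)-1 for DLLI_SUSPENDINJECTRESUME, which is not implemented.
 *
 * Assumes the target has the same bitness as this process, so the address
 * of LoadLibraryA resolved here is valid there (kernel32.dll is mapped at
 * one base per bitness until reboot). Cross-bitness injection
 * (WOW64 <-> native) is not supported.
 */
DWORD InjectDLLToProcess(HANDLE hProcess, LPCSTR lpDllPath, DLLIMETHOD dlliMethod) {
    HMODULE hKernel32, hNtdll;
    FARPROC lpLoadLib;
    HANDLE hThread = NULL;
    LPVOID lpRemotePath = NULL;
    SIZE_T cbPath;
    DWORD dwResult = 0;
    BOOL bRemoteIdle = TRUE; /* FALSE while a remote thread may still read lpRemotePath */
    NtCreateThreadExDef NtCreateThreadEx;
    RtlCreateUserThreadDef RtlCreateUserThread;

    /* Reject unsupported methods before touching the target at all; the
       earlier version allocated remote memory first and then leaked it. */
    if (dlliMethod == DLLI_SUSPENDINJECTRESUME) return (DWORD)-1; /* not implemented */
    if (dlliMethod != DLLI_BASIC_CREATEREMOTETHREAD &&
        dlliMethod != DLLI_NTCREATETHREADEX &&
        dlliMethod != DLLI_RTLCREATEUSERTHREAD) return 0;
    if (!hProcess || !lpDllPath || !*lpDllPath) return 0;

    hKernel32 = GetModuleHandleW(L"kernel32.dll");
    hNtdll = GetModuleHandleW(L"ntdll.dll");
    if (!hKernel32 || !hNtdll) return 0;
    lpLoadLib = GetProcAddress(hKernel32, "LoadLibraryA");
    if (!lpLoadLib) return 0;

    /* Copy the path INCLUDING its terminator: LoadLibraryA in the target
       reads a C string, so termination must come from us, not from the
       zero-fill of a freshly committed page. */
    cbPath = (SIZE_T)lstrlenA(lpDllPath) + 1;
    lpRemotePath = VirtualAllocEx(hProcess, NULL, cbPath, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!lpRemotePath) return 0;
    if (!WriteProcessMemory(hProcess, lpRemotePath, lpDllPath, cbPath, NULL)) goto cleanup;

    switch (dlliMethod) {
    case DLLI_BASIC_CREATEREMOTETHREAD:
        hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpLoadLib, lpRemotePath, 0, NULL);
        break;

    case DLLI_NTCREATETHREADEX:
        NtCreateThreadEx = (NtCreateThreadExDef)GetProcAddress(hNtdll, "NtCreateThreadEx");
        if (!NtCreateThreadEx) goto cleanup;
        /* SYNCHRONIZE is required for WaitForSingleObject on the handle and
           THREAD_QUERY_INFORMATION for GetExitCodeThread; the earlier mask
           lacked SYNCHRONIZE, so the wait failed. NTSTATUS >= 0 means
           success/informational (NT_SUCCESS, without pulling in winternl.h). */
        if (NtCreateThreadEx(&hThread,
                             SYNCHRONIZE | THREAD_QUERY_INFORMATION | THREAD_TERMINATE | THREAD_SUSPEND_RESUME,
                             NULL, hProcess, (PVOID)lpLoadLib, lpRemotePath,
                             0, 0, 0, 0, NULL) < 0)
            hThread = NULL;
        break;

    case DLLI_RTLCREATEUSERTHREAD:
        RtlCreateUserThread = (RtlCreateUserThreadDef)GetProcAddress(hNtdll, "RtlCreateUserThread");
        if (!RtlCreateUserThread) goto cleanup;
        if (RtlCreateUserThread(hProcess, NULL, 0, 0, NULL, NULL,
                                (LPVOID)lpLoadLib, lpRemotePath, &hThread, NULL) < 0)
            hThread = NULL;
        break;

    default:
        /* unreachable: filtered above */
        goto cleanup;
    }
    if (!hThread) goto cleanup;

    /* Block until LoadLibraryA returns in the target. The earlier version
       passed a 0 ms timeout, so GetExitCodeThread usually reported
       STILL_ACTIVE (259) instead of LoadLibraryA's result. NOTE: a DllMain
       that deadlocks (e.g. on the loader lock) hangs this call; callers that
       cannot tolerate that should use a bounded timeout instead. */
    bRemoteIdle = FALSE;
    if (WaitForSingleObject(hThread, INFINITE) == WAIT_OBJECT_0) {
        bRemoteIdle = TRUE;
        if (!GetExitCodeThread(hThread, &dwResult)) dwResult = 0;
    }
    CloseHandle(hThread);

cleanup:
    /* Release the path buffer only once no remote thread can still be
       reading it; leaking one page is safer than crashing the target. */
    if (bRemoteIdle) VirtualFreeEx(hProcess, lpRemotePath, 0, MEM_RELEASE);
    return dwResult;
}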