3 DLLI implementations (and one that's not implemented yet)
#include <Windows.h> | |
/* ntdll!NtCreateThreadEx, resolved at run time with GetProcAddress (it has no
 * public import library). Parameter names are local to this typedef; only the
 * order and types matter to callers. NOTE(review): NTSTATUS is not declared by
 * <Windows.h> alone -- this file presumably relies on <winternl.h> (or an
 * equivalent typedef) being in scope elsewhere; confirm. */
typedef NTSTATUS(NTAPI *NtCreateThreadExDef)(
    LPHANDLE    ThreadHandle,      /* receives the new thread handle */
    ACCESS_MASK DesiredAccess,     /* access mask for that handle */
    PVOID       ObjectAttributes,
    HANDLE      ProcessHandle,     /* target process */
    PVOID       StartRoutine,
    PVOID       Argument,
    ULONG       CreateFlags,
    SIZE_T      ZeroBits,
    SIZE_T      StackCommit,
    SIZE_T      StackReserve,
    PVOID       AttributeList);    /* NOTE(review): in the real export this is a
                                      PS_ATTRIBUTE_LIST pointer -- TODO confirm;
                                      this file only ever passes NULL here */

/* ntdll!RtlCreateUserThread, resolved at run time. Types are kept as the file
 * has always declared them; note that this prototype is the commonly copied
 * one, not the real export's. NOTE(review): the last argument of the real
 * export is a pointer to a CLIENT_ID structure (two pointer-sized fields), not
 * a DWORD, and the two stack-size arguments are presumably SIZE_T by value --
 * TODO confirm against the SDK/phnt. Passing NULL for all three, as this file
 * does, is safe either way; never hand the last one a DWORD*. */
typedef NTSTATUS(NTAPI *RtlCreateUserThreadDef)(
    HANDLE   ProcessHandle,        /* target process */
    LPVOID   SecurityDescriptor,
    DWORD    CreateSuspended,
    DWORD    ZeroBits,
    LPDWORD  StackReserve,
    LPDWORD  StackCommit,
    LPVOID   StartRoutine,
    LPVOID   Argument,
    LPHANDLE ThreadHandle,         /* receives the new thread handle */
    LPDWORD  ClientId);            /* see note above: pass NULL */
/* Selects which API creates the remote thread that runs LoadLibraryA inside the
 * target. Values are sequential from 0 and must keep this order: callers and
 * the switch in InjectDLLToProcess depend on them. */
typedef enum {
    DLLI_BASIC_CREATEREMOTETHREAD = 0, /* kernel32!CreateRemoteThread */
    DLLI_NTCREATETHREADEX         = 1, /* ntdll!NtCreateThreadEx, resolved at run time */
    DLLI_RTLCREATEUSERTHREAD      = 2, /* ntdll!RtlCreateUserThread, resolved at run time */
    DLLI_SUSPENDINJECTRESUME      = 3  /* placeholder: InjectDLLToProcess returns (DWORD)-1 for it */
} DLLIMETHOD;
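/* Create a thread in hProcess that starts at lpStart with argument lpParam,
 * using the API selected by dlliMethod.
 *
 * Returns a thread handle the caller must close, or NULL on failure, for an
 * unknown method, and for the not-yet-implemented DLLI_SUSPENDINJECTRESUME. */
static HANDLE DlliStartRemoteThread(HANDLE hProcess, FARPROC lpStart, LPVOID lpParam, DLLIMETHOD dlliMethod) {
    HANDLE   hThread = NULL;
    HMODULE  hNtdll;
    NTSTATUS status;

    switch (dlliMethod) {
    case DLLI_BASIC_CREATEREMOTETHREAD:
        return CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpStart, lpParam, 0, NULL);

    case DLLI_NTCREATETHREADEX: {
        hNtdll = GetModuleHandleW(L"ntdll.dll");
        if (!hNtdll) return NULL;
        NtCreateThreadExDef NtCreateThreadEx = (NtCreateThreadExDef)GetProcAddress(hNtdll, "NtCreateThreadEx");
        if (!NtCreateThreadEx) return NULL;
        /* Least privilege on the thread handle: SYNCHRONIZE is required for
         * WaitForSingleObject and THREAD_QUERY_INFORMATION for GetExitCodeThread;
         * nothing else is used. (Without SYNCHRONIZE the wait below cannot succeed.) */
        status = NtCreateThreadEx(&hThread, SYNCHRONIZE | THREAD_QUERY_INFORMATION, NULL, hProcess,
                                  (PVOID)lpStart, lpParam, 0, 0, 0, 0, NULL);
        /* NTSTATUS: negative values are failures (NT_SUCCESS without <ntdef.h>). */
        return status < 0 ? NULL : hThread;
    }

    case DLLI_RTLCREATEUSERTHREAD: {
        hNtdll = GetModuleHandleW(L"ntdll.dll");
        if (!hNtdll) return NULL;
        RtlCreateUserThreadDef RtlCreateUserThread = (RtlCreateUserThreadDef)GetProcAddress(hNtdll, "RtlCreateUserThread");
        if (!RtlCreateUserThread) return NULL;
        /* All optional arguments are left NULL/0; see the typedef for why the
         * last one must stay NULL. */
        status = RtlCreateUserThread(hProcess, NULL, 0, 0, NULL, NULL, (LPVOID)lpStart, lpParam, &hThread, NULL);
        return status < 0 ? NULL : hThread;
    }

    case DLLI_SUSPENDINJECTRESUME: /* not implemented yet */
    default:
        return NULL;
    }
}

/* Inject a DLL into another process by running kernel32!LoadLibraryA on a new
 * thread inside that process, with the DLL path as its argument.
 *
 * hProcess    handle to the target; needs PROCESS_CREATE_THREAD,
 *             PROCESS_VM_OPERATION and PROCESS_VM_WRITE. This function does NOT
 *             enable SeDebugPrivilege; the caller must do that if it is needed
 *             to open the target at all.
 * lpDllPath   NUL-terminated ANSI path of the DLL, as LoadLibraryA expects it.
 * dlliMethod  which thread-creation API to use (see DLLIMETHOD).
 *
 * Returns the exit code of the remote LoadLibraryA thread, 0 on any failure,
 * and (DWORD)-1 for DLLI_SUSPENDINJECTRESUME, which is not implemented.
 *
 * NOTE(review): the thread exit code is LoadLibraryA's return value truncated
 * to 32 bits, so on a 64-bit target it is not a usable HMODULE -- treat a
 * non-zero result as "loaded", nothing more.
 * NOTE(review): the LoadLibraryA address is resolved in *this* process and used
 * as the start address in the target; that only works when kernel32.dll is
 * mapped at the same base in both (same architecture, same boot session) --
 * TODO confirm for the intended targets.
 * NOTE(review): all three implemented methods end up creating a thread in the
 * target that starts at LoadLibraryA, so what a monitoring product observes
 * in the target is presumably the same for each; the choice only changes
 * which API the injector itself calls. */
DWORD InjectDLLToProcess(HANDLE hProcess, LPCSTR lpDllPath, DLLIMETHOD dlliMethod) {
    HMODULE hKernel32;
    FARPROC lpLoadLib;
    SIZE_T  cbPath;
    LPVOID  lpRemotePath;
    HANDLE  hThread = NULL;
    DWORD   dwExitCode = 0;
    BOOL    bThreadFinished = FALSE;

    if (dlliMethod == DLLI_SUSPENDINJECTRESUME) return (DWORD)-1; /* not implemented yet */
    if (!hProcess || !lpDllPath || !*lpDllPath) return 0;

    hKernel32 = GetModuleHandleW(L"kernel32.dll");
    if (!hKernel32) return 0;
    lpLoadLib = GetProcAddress(hKernel32, "LoadLibraryA");
    if (!lpLoadLib) return 0;

    /* Copy the path INCLUDING its terminating NUL: LoadLibraryA in the target
     * scans for the terminator. (VirtualAllocEx zero-fills whole pages, which
     * is why omitting the byte usually goes unnoticed -- until the path length
     * is a multiple of the page size.) */
    cbPath = (SIZE_T)lstrlenA(lpDllPath) + 1;
    lpRemotePath = VirtualAllocEx(hProcess, NULL, cbPath, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!lpRemotePath) return 0;
    if (!WriteProcessMemory(hProcess, lpRemotePath, lpDllPath, cbPath, NULL)) goto cleanup;

    hThread = DlliStartRemoteThread(hProcess, lpLoadLib, lpRemotePath, dlliMethod);
    if (!hThread) goto cleanup;

    /* Wait for LoadLibraryA to return; with a zero timeout GetExitCodeThread
     * would report STILL_ACTIVE (259) rather than the real result. INFINITE
     * does mean a DllMain that never returns hangs the caller as well. */
    if (WaitForSingleObject(hThread, INFINITE) == WAIT_OBJECT_0) {
        bThreadFinished = TRUE;
        if (!GetExitCodeThread(hThread, &dwExitCode)) dwExitCode = 0;
    }

cleanup:
    if (hThread) CloseHandle(hThread);
    /* Release the remote path buffer only when no remote thread can still be
     * reading it; if the wait itself failed, leaking it is the safer choice. */
    if (!hThread || bThreadFinished) VirtualFreeEx(hProcess, lpRemotePath, 0, MEM_RELEASE);
    return dwExitCode;
}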