// Injector.cpp : Defines the entry point for the console application.
//
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
#include <TlHelp32.h>
// Resolve an executable name (e.g. "notepad.exe") to a process ID by walking a
// Toolhelp process snapshot and comparing PROCESSENTRY32.szExeFile
// case-insensitively against exeName.
//
// Returns:
//   0           - no process matched, or the snapshot could not be created
//   0xFFFFFFFF  - more than one process matched (ambiguous name)
//   otherwise   - the PID of the single matching process
//
// szExeFile is a TCHAR buffer; it is compared with _stricmp as narrow chars,
// so this assumes a non-UNICODE build (the file uses char* argv throughout).
DWORD GetProcessIdForProgram(PCHAR exeName)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) {
        return 0;
    }

    DWORD matches = 0;
    DWORD pid = 0;
    PROCESSENTRY32 entry = {0};
    entry.dwSize = sizeof entry;  // Toolhelp requires dwSize to be set before the first call

    for (BOOL more = Process32First(snap, &entry); more; more = Process32Next(snap, &entry)) {
        if (_stricmp(entry.szExeFile, exeName) == 0) {
            matches++;
            pid = entry.th32ProcessID;  // keeps the last match seen
        }
    }
    CloseHandle(snap);

    // Refuse to guess between several same-named processes; signal ambiguity instead.
    return matches > 1 ? 0xFFFFFFFF : pid;
}
// Entry point. Usage: Injector <program> <path to dll>
//
// Resolves <program> to a PID, opens that process, copies the DLL path string
// into its address space and starts a remote thread at LoadLibraryA with that
// string as its argument, so the target loads the DLL. Returns 0 on success and
// 1 on every failure path.
//
// NOTE(review): this is the textbook OpenProcess / WriteProcessMemory /
// CreateRemoteThread(LoadLibrary) sequence; the handle rights requested below
// and the cross-process write + remote thread are exactly what endpoint
// monitoring commonly flags, so expect it to be blocked or logged on hardened hosts.
int _tmain(int argc, char* argv[])
{
    if (argc < 3)
    {
        printf("Usage: Injector <program> <path to dll>\n");
        return 1;
    }
    // Find the process ID for a program
    DWORD dwProcessId = GetProcessIdForProgram(argv[1]);
    // NOTE(review): GetProcessIdForProgram returns 0xFFFFFFFF when more than one
    // process has this name; only 0 is rejected here, so the ambiguous case falls
    // through to OpenProcess with that sentinel as the PID.
    if (!dwProcessId)
    {
        fprintf(stderr, "Could not find a pid for %s\n", argv[1]);
        return 1;
    }
    // Get the full path to the DLL
    // NOTE(review): the return value of GetFullPathName is not checked and `dll`
    // is never read afterwards -- the remote write below uses argv[2] as typed,
    // which is relative to *this* process's working directory, not the target's.
    char dll[MAX_PATH];
    GetFullPathName(argv[2], MAX_PATH, dll, NULL);
    // Create a handle to a local process object
    HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_QUERY_INFORMATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_VM_OPERATION, FALSE, dwProcessId);
    // NOTE(review): OpenProcess returns NULL on failure, not INVALID_HANDLE_VALUE,
    // so this check never fires; a failed open continues with a NULL handle.
    if (hProcess == INVALID_HANDLE_VALUE)
    {
        fprintf(stderr, "Cannot open that pid\n");
        return 1;
    }
    // Allocate memory inside the process
    // memSize covers the path plus its NUL terminator; the VirtualAllocEx call
    // recomputes the same length inline instead of reusing memSize.
    SIZE_T memSize = strlen(argv[2]) + 1;
    PVOID mem = VirtualAllocEx(hProcess, NULL, strlen(argv[2]) + 1, MEM_COMMIT, PAGE_READWRITE);
    if (mem == NULL)
    {
        fprintf(stderr, "Can't alloc memory in that process\n");
        CloseHandle(hProcess);
        return 1;
    }
    // Write the DLL path to memory
    if (WriteProcessMemory(hProcess, mem, (void*)argv[2], memSize, NULL) == 0)
    {
        fprintf(stderr, "Can't write to memory in that process\n");
        VirtualFreeEx(hProcess, mem, memSize, MEM_RELEASE);
        CloseHandle(hProcess);
        return 1;
    }
    // Create a remote thread inside the process
    // LoadLibraryA is resolved in this process and the same address is assumed to
    // be valid in the target; nothing here verifies that assumption.
    // NOTE(review): CreateRemoteThread also returns NULL on failure, so the
    // INVALID_HANDLE_VALUE comparison below (and at the second call further down)
    // does not catch a failed thread creation.
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) GetProcAddress(GetModuleHandle("KERNEL32.DLL"), "LoadLibraryA"), mem, 0, NULL);
    if (hThread == INVALID_HANDLE_VALUE)
    {
        fprintf(stderr, "Can't create a thread inside the process\n");
        VirtualFreeEx(hProcess, mem, memSize, MEM_RELEASE);
        CloseHandle(hProcess);
        return 1;
    }
    WaitForSingleObject(hThread, INFINITE);
    // The thread's exit code is LoadLibraryA's return value (the HMODULE). An
    // exit code is a DWORD, so on 64-bit builds only the low 32 bits land in
    // hLibrary; the remaining bytes stay at the NULL initialised here. Only the
    // NULL / non-NULL test below should be relied on, not the value itself.
    HANDLE hLibrary = NULL;
    if (!GetExitCodeThread(hThread, (LPDWORD)&hLibrary))
    {
        // %i with a DWORD: the specifier should be %lu (or %u) for an unsigned value.
        fprintf(stderr, "Cannot get exit code for thread. GetLastError() = %i.\n", GetLastError());
        CloseHandle(hThread);
        VirtualFreeEx(hProcess, mem, memSize, MEM_RELEASE);
        CloseHandle(hProcess);
        return 1;
    }
    CloseHandle(hThread);
    VirtualFreeEx(hProcess, mem, memSize, MEM_RELEASE);
    if (hLibrary == NULL)
    {
        // Diagnostic path: run GetLastError on a fresh remote thread to learn why
        // LoadLibraryA failed.
        // NOTE(review): the last-error value is per-thread, and the thread that
        // ran LoadLibraryA has already exited, so a new thread reports its own
        // (unrelated) last error; treat the number printed below as unreliable.
        hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) GetProcAddress(GetModuleHandle("KERNEL32.DLL"),"GetLastError"), 0, 0, NULL);
        if (hThread == INVALID_HANDLE_VALUE)
        {
            fprintf(stderr, "LoadLibraryA returned NULL and can't get last error.\n");
            CloseHandle(hProcess);
            return 1;
        }
        WaitForSingleObject(hThread, INFINITE);
        // `error` is left uninitialised and the GetExitCodeThread result is not
        // checked, so a failed call prints an indeterminate value.
        DWORD error;
        GetExitCodeThread(hThread, &error);
        CloseHandle(hThread);
        printf("LoadLibrary return NULL, GetLastError() is %i\n", error);
        CloseHandle(hProcess);
        return 1;
    }
    // hProcess is not closed on the success path; the OS reclaims it at exit.
    return 0;
}