// Injector.cpp : Defines the entry point for the console application.
//
#include <windows.h>
#include <TlHelp32.h>
#include <stdio.h>
#include <string.h>
#include <tchar.h>
/*
 * Look up a running process by image file name.
 *
 * exeName is compared case-insensitively against PROCESSENTRY32::szExeFile,
 * i.e. the executable's file name only, so two different binaries with the
 * same name are indistinguishable here.
 *
 * Returns the pid of the single matching process, 0 when nothing matches
 * (or the snapshot cannot be taken), and 0xFFFFFFFF when more than one
 * process carries that name - the caller must treat that sentinel as
 * "ambiguous" rather than as a pid.
 */
DWORD GetProcessIdForProgram(PCHAR exeName)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE)
    {
        return 0;
    }

    DWORD matches = 0;
    DWORD lastMatch = 0;
    PROCESSENTRY32 entry = {0};
    entry.dwSize = sizeof(entry);

    for (BOOL more = Process32First(snap, &entry); more; more = Process32Next(snap, &entry))
    {
        if (_stricmp(entry.szExeFile, exeName) != 0)
        {
            continue;
        }
        matches++;
        lastMatch = entry.th32ProcessID;
    }
    CloseHandle(snap);

    /* More than one hit: hand back the ambiguity sentinel instead of guessing. */
    return (matches > 1) ? 0xFFFFFFFF : lastMatch;
}
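/*
 * Entry point.  Usage: Injector <program> <path to dll>
 *
 * Loads the given DLL into the single running process whose image name is
 * <program>: the DLL's absolute path is written into the target and a remote
 * thread is started at kernel32!LoadLibraryA with that path as its argument.
 * The caller needs the access rights named in the OpenProcess call on the
 * target, so this only works against processes the current token may already
 * control; use it only on processes you are authorised to modify.
 *
 * Returns 0 when LoadLibraryA reported a non-NULL module in the target and 1
 * on any failure (usage error, no or ambiguous target, bitness mismatch, API
 * failure, or LoadLibraryA returning NULL).
 */
int _tmain(int argc, char* argv[])
{
    /* Everything that needs releasing is declared up front so the cleanup
     * label can be reached from any point without bypassing an initialiser. */
    int rc = 1;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    PVOID mem = NULL;
    SIZE_T memSize = 0;
    DWORD dwProcessId = 0;
    DWORD pathLen = 0;
    BOOL selfWow64 = FALSE;
    BOOL targetWow64 = FALSE;
    FARPROC pLoadLibraryA = NULL;
    DWORD exitCode = 0;
    char dll[MAX_PATH];

    if (argc < 3)
    {
        printf("Usage: Injector <program> <path to dll>\n");
        return 1;
    }

    dwProcessId = GetProcessIdForProgram(argv[1]);
    if (dwProcessId == 0)
    {
        fprintf(stderr, "Could not find a pid for %s\n", argv[1]);
        return 1;
    }
    /* GetProcessIdForProgram returns 0xFFFFFFFF when several processes share
     * the name; the original only rejected 0 and passed that sentinel on to
     * OpenProcess.  Refuse rather than pick one at random. */
    if (dwProcessId == 0xFFFFFFFF)
    {
        fprintf(stderr, "More than one process is named %s; cannot choose a pid\n", argv[1]);
        return 1;
    }

    /* Resolve the DLL path in *this* process.  LoadLibraryA runs in the
     * target, so a relative name would be looked up against the target's
     * working directory and DLL search order, not ours - the absolute path is
     * what must be written into the target (the original computed it and then
     * wrote argv[2] anyway).  GetFullPathName returns 0 on failure and the
     * required size when the buffer is too small. */
    pathLen = GetFullPathName(argv[2], MAX_PATH, dll, NULL);
    if (pathLen == 0 || pathLen >= MAX_PATH)
    {
        fprintf(stderr, "Cannot resolve the full path of %s (GetLastError() = %lu)\n",
                argv[2], (unsigned long)GetLastError());
        return 1;
    }

    /* OpenProcess returns NULL on failure, not INVALID_HANDLE_VALUE. */
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ |
                           PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, dwProcessId);
    if (hProcess == NULL)
    {
        fprintf(stderr, "Cannot open that pid\n");
        return 1;
    }

    /* The LoadLibraryA address below is read from our own kernel32 and reused
     * inside the target, which is only valid when both processes map kernel32
     * at the same base.  In practice that holds for same-bitness processes
     * within one boot but not across a 32-bit/64-bit boundary, so bail out on
     * a mismatch instead of starting a thread at a bogus address in the target. */
    if (!IsWow64Process(GetCurrentProcess(), &selfWow64) || !IsWow64Process(hProcess, &targetWow64))
    {
        fprintf(stderr, "Cannot determine process bitness (GetLastError() = %lu)\n",
                (unsigned long)GetLastError());
        goto cleanup;
    }
    if (selfWow64 != targetWow64)
    {
        fprintf(stderr, "Target bitness differs from the injector's; rebuild the injector to match\n");
        goto cleanup;
    }

    pLoadLibraryA = GetProcAddress(GetModuleHandle("KERNEL32.DLL"), "LoadLibraryA");
    if (pLoadLibraryA == NULL)
    {
        fprintf(stderr, "Cannot locate LoadLibraryA\n");
        goto cleanup;
    }

    /* Room for the resolved path plus its terminator. */
    memSize = strlen(dll) + 1;
    mem = VirtualAllocEx(hProcess, NULL, memSize, MEM_COMMIT, PAGE_READWRITE);
    if (mem == NULL)
    {
        fprintf(stderr, "Can't alloc memory in that process\n");
        goto cleanup;
    }
    if (!WriteProcessMemory(hProcess, mem, dll, memSize, NULL))
    {
        fprintf(stderr, "Can't write to memory in that process\n");
        goto cleanup;
    }

    /* CreateRemoteThread also returns NULL, not INVALID_HANDLE_VALUE, on failure. */
    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pLoadLibraryA, mem, 0, NULL);
    if (hThread == NULL)
    {
        fprintf(stderr, "Can't create a thread inside the process\n");
        goto cleanup;
    }
    WaitForSingleObject(hThread, INFINITE);

    /* The thread's exit code is LoadLibraryA's return value, truncated to 32
     * bits on a 64-bit target, so it is only usable as a zero/non-zero signal. */
    if (!GetExitCodeThread(hThread, &exitCode))
    {
        fprintf(stderr, "Cannot get exit code for thread. GetLastError() = %lu.\n",
                (unsigned long)GetLastError());
        goto cleanup;
    }
    if (exitCode == 0)
    {
        /* The failure code cannot be recovered from here: GetLastError is
         * per-thread state and the thread that ran LoadLibraryA has exited.
         * The original's second remote thread calling GetLastError only ever
         * reported that new thread's own, unrelated value. */
        fprintf(stderr, "LoadLibraryA returned NULL in the target process; check that %s is loadable there\n", dll);
        goto cleanup;
    }
    rc = 0;

cleanup:
    if (hThread != NULL)
    {
        CloseHandle(hThread);
    }
    if (mem != NULL)
    {
        /* dwSize must be 0 with MEM_RELEASE; the original passed memSize,
         * which makes VirtualFreeEx fail and leaves the page mapped in the target. */
        VirtualFreeEx(hProcess, mem, 0, MEM_RELEASE);
    }
    CloseHandle(hProcess);
    return rc;
}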