Thread: Simulating keypress

Process.cpp

Code:

#include "Process.h"

LPCTSTR ProcessPrivileges::Tcb           = SE_TCB_NAME;
LPCTSTR ProcessPrivileges::Debug         = SE_DEBUG_NAME;
LPCTSTR ProcessPrivileges::Backup        = SE_BACKUP_NAME;
LPCTSTR ProcessPrivileges::IncreaseQuota = SE_INCREASE_QUOTA_NAME;

Process::Process(const HANDLE& processHandle)
{
	this->handle       = processHandle;
	this->handleOpened = true;
}

Process::Process(const PROCESSENTRY32& processEntry)
{
	this->processEntry = processEntry;
	this->handleOpened = false;
}

Process::Process()
{
}

Process::~Process()
{
	if (handleOpened) CloseHandle(handle);
}

HANDLE Process::getHandle()
{
	if (!handleOpened) 
	{
		handle       = OpenProcess(PROCESS_ALL_ACCESS, FALSE, getPid());
		handleOpened = true;
	}
	
	return handle;
}

DWORD Process::getPid()
{
	return processEntry.th32ProcessID;
}

DWORD Process::getParentPid()
{
	return processEntry.th32ParentProcessID;
}

DWORD Process::getThreadsCount()
{
	return processEntry.cntThreads;
}

DWORD Process::getModuleId()
{
	return processEntry.th32ModuleID;
}

char* Process::getExeFilename()
{
	return processEntry.szExeFile;
}

bool Process::setPrivilege(LPCTSTR privilege, bool enable)
{
	LUID luid;
	HANDLE token;
	TOKEN_PRIVILEGES tokenPrivileges;

	if (!OpenProcessToken(getHandle(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token)) return false;

	if (!LookupPrivilegeValue(NULL, privilege, &luid)) return false;

	tokenPrivileges.PrivilegeCount = 1;
	tokenPrivileges.Privileges[0].Luid = luid;

	if (enable) tokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	else        tokenPrivileges.Privileges[0].Attributes = 0;

	AdjustTokenPrivileges(token, FALSE, &tokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL);

	DWORD error;
	if ((error = GetLastError()) != ERROR_SUCCESS)
	{
		std::cout << error;
		return false;
	}

	return true;
}

HANDLE Process::getCurrentProcessHandle()
{
	return OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
}

DWORD Process::getCurrentProcessId()
{
	return GetCurrentProcessId();
}

Main.cpp:

Code:

#include <iostream>

#include "ProcessEnumerator.h"

int main()
{
	ProcessEnumerator enumerator;
	Process           actual;

	Process myProcess(Process::getCurrentProcessHandle());

	myProcess.setPrivilege(ProcessPrivileges::Debug, true);

	enumerator.getFirst(actual);

	do
	{
		std::cout << "Process Name: " << actual.getExeFilename() << '\n';
		std::cout << "Process ID  : " << actual.getPid()         << '\n';
	} while (enumerator.getNext(actual));

	std::cin.get();

	return 0;
}

Everything just fine, debug level has been seted, now whats the next step? (Do i have to close any handle that i havent or anything else in the actual code? )

Yes, debug privilege require admin. This can be set in the manifest to require your program to run as admin. If you have Visual Studio 2008, you should be able to set this setting via project properties I think.
The next step is a little hush-hush. The easiest way to inject code is via a dll (though your set-up routine needs to be an application). This is a little tricky. First you have to allocate a string in the target process's memory. There are several ways of doing it. I'm not an expert, but VirtualAllocEx might be able to do the trick.
Inside this memory, copy the complete filename to your dll.
Then use CreateRemoteThread to create a remote thread in the target process. As for the start routine, you should use LoadLibrary and the argument should be the remotely allocated memory that points to your dll.
The result is that the target process will load your dll into memory!
From there, you can use the dll's init code to start a chain reaction of executing code inside the target application!

More than this... I don't know. Actually, I haven't tested the above, but it should work, because there are tutorials out there that guides you through how to do it exactly like that.

Originally Posted by Scarvenger

1) Ok, once i have done this what should i do? I mean, i have my code running inside the process, why have i done that? If it is to overwrite somre memory i could have done this by simply using WriteProcessMemory couldn't i? (Correct me if i am wrong).

Because otherwise you need to inject code into the process which is way trickier than forcing it to load a dll from which inside you can execute your own code.
You're actually going to have to re-direct a certain DirectInput function call to return your own device. So you need to overwrite the function address for the function. But the process can only execute code within its own virtual memory space.
Injecting code a little about anywhere is extremely difficult and error prone. An easier way is just to redirect the call to a similar function within a dll within the project's virtual memory space.

2) How could i make the class Process more usefull as Elysia said?

For example, it could enumerate all processes, store them in a vector. It could expose member functions to return properties for a specific process (as opposed to creating a new class and passing arguments around).
Essentially, make a class that is the enumeration itself. It can store a class which is the Process object itself. The process object is the ones you can manipulate, etc. The enumerator allows you to search and find processes easy.

It's stored somewhere in the executable header. Technical details I don't remember 100%, but since Windows can randomly load dlls and such, for performance reasons, it stores all the real function addresses in a header and simply makes the code jump into that area when doing function calls.
So you would have to walk the PE header and find the function you wanted to hook, then overwrite it with your own function address inside the dll. I don't remember how. But there are guides over at codeproject on how to do this. But be careful, this isn't exactly playing nice. Microsoft doesn't like it at all and that's typically why they made the KernelGuard in the first place.
This is a common method to "take over" the system, like many security softwares does.