Code:
#include <windows.h>
#include <stdio.h>
#include <psapi.h>
#include <tchar.h>
#define WIN32_LEAN_MEAN
int Inject(DWORD, LPCSTR);
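/*
 * GetProcessByFileName - return the PID of the first process whose main
 * module base name equals `name` (case-insensitive), or 0 if none matched.
 *
 * name:    image file name to look for (e.g. "notepad.exe"), not a path.
 * returns: PID of the first match; 0 when nothing matched or when
 *          EnumProcesses() itself failed.
 *
 * Fixes relative to the original:
 *  - EnumProcesses() was told the buffer held 256 DWORDs although the array
 *    has 1024 elements, so only the first 256 PIDs were ever examined; the
 *    real size is passed now and the call's result is checked.
 *  - OpenProcess() asked for PROCESS_ALL_ACCESS with handle inheritance on;
 *    GetModuleBaseName() only needs PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,
 *    and the broader request just makes protected/elevated processes fail
 *    to open. Inheritance is off: nothing here spawns a child.
 *  - A NULL process handle was previously passed on to GetModuleBaseName()
 *    and CloseHandle(); it is skipped now.
 *  - Signed/unsigned loop comparison removed (DWORD index).
 */
DWORD GetProcessByFileName(char* name)
{
DWORD process_id_array[1024];
DWORD bytes_returned = 0;
DWORD num_processes;
DWORD i;
char image_name[256];

/* Pass the real byte size of the array. If bytes_returned comes back equal
   to it, the system may have more processes than fit; this helper does not
   retry with a larger buffer. */
if (!EnumProcesses(process_id_array, (DWORD)sizeof process_id_array, &bytes_returned)) {
return 0;
}
num_processes = bytes_returned / sizeof(DWORD);

for (i = 0; i < num_processes; i++) {
DWORD match = 0;
/* Least privilege: only what GetModuleBaseName() requires. */
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, process_id_array[i]);
if (hProcess == NULL) {
continue;   /* access denied, or the process has already exited */
}

/* hModule == NULL selects the process's main executable module. */
if (GetModuleBaseName(hProcess, NULL, image_name, (DWORD)sizeof image_name)
    && _stricmp(image_name, name) == 0) {
match = process_id_array[i];
}

/* Close on every path before deciding whether to return. */
CloseHandle(hProcess);
if (match != 0) {
return match;
}
}
return 0;
}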
/*
 * main - entry point.
 *
 * Looks up explorer.exe by image name. If it is not running, it is started
 * from a hard-coded path and the lookup is repeated after a fixed delay.
 * When a PID is available it is handed to Inject() with a hard-coded DLL path.
 *
 * NOTE(review): the function is declared `int` but ends in a bare `return;`,
 * which is a constraint violation in C and leaves the exit status
 * indeterminate. The CreateProcess() result is not checked, and the
 * pi.hProcess / pi.hThread handles it fills in are never closed.
 */
int main()
{
DWORD dwPID;
dwPID = GetProcessByFileName("explorer.exe");
if(dwPID == 0)
{
/* Only `cb` is set; all other STARTUPINFO fields are zero-initialised. */
STARTUPINFO si = {sizeof(STARTUPINFO)};
PROCESS_INFORMATION pi;
/* Absolute path, so no PATH search is involved; result unchecked. */
CreateProcess(NULL, "C:\\WINDOWS\\explorer.exe", NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
/* Fixed delay instead of waiting on the new process: a race, the second
   lookup may still return 0. */
Sleep(1500);
dwPID = GetProcessByFileName("explorer.exe");
}
if(dwPID != 0)
Inject(dwPID, "C:\\testdll.dll");
return;
}
/*
 * Inject - the classic CreateRemoteThread()/LoadLibraryA pattern: copy a DLL
 * path into the target's address space and start a remote thread whose start
 * routine is LoadLibraryA with that buffer as its argument.
 *
 * ProcID:    PID of the target process.
 * szDllPath: path of the DLL the target should load.
 * returns:   0 on the normal path; -1 if VirtualAllocEx() or
 *            CreateRemoteThread() fails. Every other failure is printed and
 *            execution continues.
 *
 * From a defender's point of view this is exactly the sequence endpoint
 * telemetry keys on: cross-process VirtualAllocEx (here even RWX) +
 * WriteProcessMemory, followed by a remote thread whose start address is
 * kernel32!LoadLibraryA.
 *
 * NOTE(review): several handle/format-string issues are marked inline; the
 * process handle is never closed on the normal path, and both early-return
 * paths leak what was acquired before them.
 */
int Inject(DWORD ProcID, LPCSTR szDllPath)
{
LPVOID lpRemoteMemory;
HANDLE hRemoteThread;
/* NOTE(review): stores an OpenProcess() result; the type should be HANDLE, not HWND. */
HWND hOpenProcess;
/* Only used for the "Size of DLL" printf below; it is the path length, not the DLL size. */
SIZE_T nSize = strlen(szDllPath);
unsigned long IDProcess = ProcID;
HMODULE hKernel;
// OpenProcess() - retrieve a HANDLE to the remote process
hOpenProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, IDProcess);
if(hOpenProcess == NULL)
{
/* NOTE(review): logs but does not return, so the NULL handle is passed to every call below. */
printf("OpenProcess is NULL");
printf("Error: %d\n", GetLastError());
}
/* %d with a handle is a format/argument mismatch (UB); %p is the matching specifier. */
printf("OpenProcess: %d\n", hOpenProcess);
// VirtualAllocEx() - allocate memory in the remote process's address space.
// Size is strlen() only, i.e. no room for a terminating NUL, and the page is
// requested PAGE_EXECUTE_READWRITE although it only ever holds a string.
lpRemoteMemory = VirtualAllocEx(hOpenProcess, 0, strlen(szDllPath), MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if(!lpRemoteMemory)
{
printf("VirtualAlloc() Error: %d\n", GetLastError());
/* hOpenProcess is not closed on this path. */
return -1;
}
/* %x with a pointer truncates on 64-bit and is a format mismatch; use %p. */
printf("VirtualAlloc(): 0x%x\n", lpRemoteMemory);
// WriteProcessMemory() - copy the DLL path into the remote buffer (again strlen() bytes, no terminator).
if(!WriteProcessMemory(hOpenProcess, lpRemoteMemory, (LPVOID)szDllPath, strlen(szDllPath), NULL))
{
/* Printed, but the function carries on as if the write had succeeded. */
printf("WriteProcessMemory() error: %d\n", GetLastError());
}
/* Printed unconditionally, even after the failure branch above. */
printf("WriteProcessMemory() Succeeded :)\n\n");
/* SIZE_T printed with %d: mismatch; %zu (or %Iu on older MSVC) would match. */
printf("Size of DLL: %d\n", nSize);
// GetModuleHandle() - handle of kernel32 as mapped in *this* process.
hKernel = GetModuleHandle("KERNEL32.DLL");
if(!hKernel)
{
/* Logged but not fatal; GetProcAddress() below then receives NULL. */
printf("KernelModule Error: %d\n", GetLastError());
}
/* Misleading message: GetModuleHandle() does not load anything. */
printf("KernelModule loaded KERNEL32.DLL!\n");
// CreateRemoteThread() - start the remote thread.
// NOTE(review): the first call passes LoadLibrary(szDllPath) -- which loads the
// DLL into the injector's own process -- cast to a thread start routine, and
// passes &IDProcess (the PID variable) as the lpThreadId out-parameter, so the
// PID is overwritten with a thread id. Its thread handle is then overwritten
// by the second call without being closed (handle leak). The second call uses
// a local GetProcAddress() result as the remote start address.
hRemoteThread = CreateRemoteThread(hOpenProcess, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibrary(szDllPath), lpRemoteMemory, 0, &IDProcess);
hRemoteThread = CreateRemoteThread(hOpenProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel, "LoadLibraryA"), lpRemoteMemory, 0, NULL);
if(!hRemoteThread)
{
printf("CreateRemoteThread Error: %d\n", GetLastError());
/* lpRemoteMemory and hOpenProcess are leaked on this path. */
return -1;
}
/* Handle printed with %d: format mismatch; use %p. */
printf("CreateRemoteThread(): %d\n", hRemoteThread);
// Clean-up.
// 1. Close handles.
// NOTE(review): because of `&&` with short-circuit evaluation, CloseHandle(hOpenProcess)
// runs only when CloseHandle(hRemoteThread) fails, and the error is printed only when
// both fail. On the normal path the thread handle is closed here and then used again
// by WaitForSingleObject() in step 2, while the process handle stays open for good.
if(!CloseHandle(hRemoteThread) && !CloseHandle(hOpenProcess))
{
printf("Handle NOT closed!\n");
printf("Error Closeing: %d\n", GetLastError());
}
printf("CloseHandle() finished\n");
// 2. Wait for the thread to complete.
// NOTE(review): WaitForSingleObject() returns WAIT_OBJECT_0, which is 0, on success,
// so `!WaitForSingleObject(...)` reports success as a failure and WAIT_FAILED /
// WAIT_TIMEOUT as "Complete". The handle was also closed in step 1 above.
if(!WaitForSingleObject(hRemoteThread, INFINITE))
{
printf("WaitThreadObject Failed!\n");
printf("Error Code: %d\n", GetLastError());
}
printf("WaitThreadObject Complete!\n");
// 3. Free the buffer in the remote process (dwSize must be 0 with MEM_RELEASE, as here).
if(!VirtualFreeEx(hOpenProcess, lpRemoteMemory, 0, MEM_RELEASE))
{
printf("VirtualFreeMemory Failed!");
printf("Error Code: %d\n", GetLastError());
}
printf("VirtualFreeMemory Complete!\n");
return 0;
}
And here's my DLL: