// x64 stub that InjectDLL64 copies into the target process and runs by
// redirecting a hijacked thread's RIP at it.  Three fields are patched in
// place before the copy (see the memcpy calls in InjectDLL64):
//   offset  1 - the 4-byte immediate of the leading `push`, filled with the
//               hijacked thread's saved RIP as a DWORD;
//   offset 31 - the imm64 of `mov rcx`, the remote buffer holding the DLL path
//               (first argument to LoadLibraryW);
//   offset 41 - the imm64 of `mov rax`, the address of LoadLibraryW.
// The stub saves EFLAGS and every general-purpose register before the call
// and restores them afterwards, then `ret` pops the pushed address so the
// hijacked thread continues where it was interrupted.
// NOTE: this is a mutable global that InjectDLL64 patches in place, so two
// concurrent or interleaved injections would race on it.
// Defender's view: a fresh VirtualAllocEx region written with
// WriteProcessMemory and then targeted by SetThreadContext from another
// process is the observable signature of this technique.
unsigned char codeToInject[] =
{
    // Placeholder for the return address (patched at offset 1)
    0x68, 0xAA, 0xAA, 0xAA, 0xAA, // push 0AAAAAAAAh
    // Save the flags
    0x9c, // pushfq
    // Save the registers
    0x50, // push rax
    0x51, // push rcx
    0x52, // push rdx
    0x53, // push rbx
    0x55, // push rbp
    0x56, // push rsi
    0x57, // push rdi
    0x41, 0x50, // push r8
    0x41, 0x51, // push r9
    0x41, 0x52, // push r10
    0x41, 0x53, // push r11
    0x41, 0x54, // push r12
    0x41, 0x55, // push r13
    0x41, 0x56, // push r14
    0x41, 0x57, // push r15
    // Placeholder for the string address (patched at offset 31) and
    // LoadLibrary (patched at offset 41)
    0x48, 0xB9, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, // mov rcx, 0BBBBBBBBBBBBBBBBh
    0x48, 0xB8, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // mov rax, 0CCCCCCCCCCCCCCCCh
    // Call LoadLibrary with the string parameter (rcx = DLL path, x64 ABI)
    0xFF, 0xD0, // call rax
    // Restore the registers (reverse order of the pushes above)
    0x41, 0x5F, // pop r15
    0x41, 0x5E, // pop r14
    0x41, 0x5D, // pop r13
    0x41, 0x5C, // pop r12
    0x41, 0x5B, // pop r11
    0x41, 0x5A, // pop r10
    0x41, 0x59, // pop r9
    0x41, 0x58, // pop r8
    0x5F, // pop rdi
    0x5E, // pop rsi
    0x5D, // pop rbp
    0x5B, // pop rbx
    0x5A, // pop rdx
    0x59, // pop rcx
    0x58, // pop rax
    // Restore the flags
    0x9D, // popfq
    // Return to the address pushed at the top of the stub
    0xC3 // ret
};
// Loads the DLL at pwszDLLName into process dwProcessID by thread hijacking:
// the DLL path and the codeToInject stub are written into the target, one of
// its threads (chosen by GetTargetThreadID, which is defined elsewhere in this
// file) is suspended, its RIP is pointed at the stub, and it is resumed.
//
// Parameters:
//   dwProcessID  - PID of the target process.
//   pwszDLLName  - NUL-terminated wide path of the DLL to load in the target.
// Returns true once SetThreadContext has succeeded, false on any earlier
// failure (a message is printed to std::wcout).  Whether LoadLibraryW actually
// succeeded inside the target is never checked.
// Side effects: patches the global codeToInject in place; on success blocks
// for one second (Sleep) before releasing the remote buffers.
//
// Detection / mitigation notes: every step is cross-process activity that
// endpoint protection commonly records - OpenProcess with PROCESS_VM_WRITE,
// VirtualAllocEx + WriteProcessMemory, OpenThread with THREAD_SET_CONTEXT,
// SuspendThread / SetThreadContext / ResumeThread.  The stub region is
// allocated PAGE_READWRITE (not executable), so with DEP enforced in the target
// execution from it faults.
bool InjectDLL64(__in const DWORD& dwProcessID, __in const WCHAR* const pwszDLLName)
{
    HANDLE hProcess = NULL;
    LPVOID pRemoteMemDllName = NULL;     // remote buffer holding the DLL path
    LPVOID pRemoteMemFunction = NULL;    // remote buffer holding the stub
    SIZE_T nDllNameBuffSize = NULL;
    DWORD64 nFunctionBuffSize = sizeof(codeToInject);
    HANDLE hThread = NULL;
    DWORD dwThreadSuspendCount = -1;     // (DWORD)-1 == "never suspended"
    std::wstring strModuleFilePath = pwszDLLName;
    bool bRet = false;
    // Open the target with only the rights the calls below need: query for
    // GetExitCodeProcess, VM write + VM operation for VirtualAllocEx /
    // WriteProcessMemory / VirtualFreeEx.
    hProcess = ::OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, dwProcessID);
    if(!hProcess)
    {
        std::wcout << L"Error : Failed to open process" << std::endl;
        return false;
    }
    // Check if the process is running.  The return value is not checked; on
    // failure dwExitCode stays 0, which is != STILL_ACTIVE and so bails out.
    DWORD dwExitCode = 0;
    GetExitCodeProcess(hProcess, &dwExitCode);
    if(dwExitCode != STILL_ACTIVE)
    {
        std::wcout << L"Error : The following process does not exist" << std::endl;
        goto cleanup;
    }
    // Allocate memory on the target process with current DLL path
    // (+1 for the terminating NUL, in WCHARs).
    nDllNameBuffSize = (strModuleFilePath.size()+1) * sizeof(WCHAR);
    pRemoteMemDllName = ::VirtualAllocEx(hProcess, NULL, nDllNameBuffSize, MEM_COMMIT, PAGE_READWRITE);
    if(!pRemoteMemDllName)
    {
        std::wcout << L"Error: Failed to allocate data on target process" << std::endl;
        goto cleanup;
    }
    SIZE_T nNumBytesWritten = 0;
    // Partial writes are treated as failure by comparing the byte count.
    ::WriteProcessMemory(hProcess, pRemoteMemDllName, (void*)strModuleFilePath.data(), nDllNameBuffSize, &nNumBytesWritten);
    if(nNumBytesWritten != nDllNameBuffSize)
    {
        std::wcout << L"Error: Failed to write data on target process" << std::endl;
        goto cleanup;
    }
    // Allocate memory for the stub.  The result is not checked here; a NULL
    // result would only surface when the WriteProcessMemory below fails.
    pRemoteMemFunction = ::VirtualAllocEx(hProcess, NULL, nFunctionBuffSize, MEM_COMMIT, PAGE_READWRITE);
    // Get proc address of LoadLibrary - resolved in *this* process.
    // NOTE(review): this relies on kernel32 being mapped at the same base in
    // the target; nothing here verifies that.
    HMODULE hKernel32 = ::GetModuleHandleW(L"Kernel32");
    if(!hKernel32)
    {
        std::wcout << L"Error : Failed to load kernel32" << std::endl;
        goto cleanup;
    }
    DWORD64 fnLocLoadLibrary = (DWORD64)::GetProcAddress(hKernel32, "LoadLibraryW");
    if(!fnLocLoadLibrary)
    {
        std::wcout << L"Error : Failed to get LoadLibraryW proc address" << std::endl;
        goto cleanup;
    }
    // Pick the thread to hijack (GetTargetThreadID is defined elsewhere; its
    // selection criteria are not visible here).
    DWORD dwThreadID = GetTargetThreadID(dwProcessID);
    hThread = OpenThread(THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME, false, dwThreadID);
    if(!hThread)
    {
        std::wcout << L"Error : Failed to open main thread ID" << std::endl;
        goto cleanup;
    }
    // Suspend the thread.  SuspendThread returns the previous suspend count,
    // or (DWORD)-1 on failure; the count doubles as the "resume needed" flag.
    dwThreadSuspendCount = SuspendThread(hThread);
    if(dwThreadSuspendCount == -1)
    {
        std::wcout << L"Error : Failed to suspend the main thread" << std::endl;
        goto cleanup;
    }
    // Set the instruction pointer to point to our function.
    // CONTEXT_CONTROL fetches only the control registers (Rip among them);
    // the rest of ctx is left uninitialized and is never written back.
    CONTEXT ctx;
    ctx.ContextFlags = CONTEXT_CONTROL;
    if(!GetThreadContext(hThread, &ctx))
    {
        std::wcout << L"Error : Failed to get the thread context" << std::endl;
        goto cleanup;
    }
    // The saved RIP is kept as a DWORD; it is copied into the 4-byte
    // immediate of the stub's leading push (offset 1).
    DWORD dwOldIP = (DWORD)ctx.Rip;
    ctx.Rip = (DWORD)pRemoteMemFunction;
    ctx.ContextFlags = CONTEXT_CONTROL;
    // Replace placeholders - offsets match the layout of codeToInject.
    // This mutates the global array, so the function is not reentrant.
    memcpy(codeToInject + 1, &dwOldIP, sizeof(dwOldIP));
    memcpy(codeToInject + 31, &pRemoteMemDllName, sizeof(pRemoteMemDllName));
    memcpy(codeToInject + 41, &fnLocLoadLibrary, sizeof(fnLocLoadLibrary));
    if(!WriteProcessMemory(hProcess, pRemoteMemFunction, codeToInject, nFunctionBuffSize, NULL))
    {
        std::wcout << L"Error: Failed to write the code cave" << std::endl;
        goto cleanup;
    }
    if(!SetThreadContext(hThread, &ctx))
    {
        std::wcout << L"Error: Failed to modify the thread context" << std::endl;
        goto cleanup;
    }
    // DLL Injection is successful (as far as the context switch goes)
    bRet = true;
    cleanup:
    // Cleanup allocated data - reached on every path after OpenProcess succeeded.
    if(dwThreadSuspendCount != -1)
        ResumeThread(hThread);
    // Sleep to allow the process loading the DLL.  This is a fixed wait, not a
    // synchronisation with the hijacked thread; the remote buffers are freed
    // afterwards regardless of whether the stub has run.
    if(bRet)
        Sleep(1000);
    if(pRemoteMemDllName)
        VirtualFreeEx(hProcess, pRemoteMemDllName, nDllNameBuffSize, MEM_RELEASE);
    if(pRemoteMemFunction)
        VirtualFreeEx(hProcess, pRemoteMemFunction, nFunctionBuffSize, MEM_RELEASE);
    ::CloseHandle(hProcess);
    // hThread may still be NULL here (early goto before OpenThread).
    ::CloseHandle(hThread);
    return bRet;
}