jmenashe

Injection Example

Dec 20th, 2012
  1. #include <windows.h>
  2. #include <tlhelp32.h>
  3. #include <shlwapi.h>
  4. #include <conio.h>
  5. #include <stdio.h>
  6.  
  7. #define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)
  8.  
  9. BOOL Inject(DWORD pID, wchar_t * DLL_NAME);
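// Return the process id of the first running process whose executable
// name contains ProcName (case-insensitive substring test via StrStrI),
// or 0 when nothing matches or the toolhelp snapshot cannot be taken.
// Despite the name, this yields a process id, not a thread id.
//
// Caveats a reader should know:
//  - substring matching means a short ProcName can hit an unintended
//    process; the first hit in snapshot order wins;
//  - the snapshot handle is now closed on every path (the original
//    leaked it on both the found and the not-found return).
DWORD GetTargetThreadIDFromProcName(wchar_t * ProcName)
{
   DWORD pid = 0;

   HANDLE thSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
   if(thSnapShot == INVALID_HANDLE_VALUE)
   {
      printf("Error: Unable to create toolhelp snapshot!");
      return 0;
   }

   PROCESSENTRY32 pe;
   pe.dwSize = sizeof(PROCESSENTRY32);   // Process32First rejects an unset dwSize

   // Walk the process list and stop at the first name match.
   for(BOOL more = Process32First(thSnapShot, &pe); more; more = Process32Next(thSnapShot, &pe))
   {
      if(StrStrI(pe.szExeFile, ProcName))
      {
         pid = pe.th32ProcessID;
         break;
      }
   }

   CloseHandle(thSnapShot);
   return pid;
}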
  36.  
// Ask Windows to enable SeDebugPrivilege on the current process token.
// Every call is unchecked, as in the original: if the account does not
// hold the privilege or any step fails, nothing is reported and the
// later OpenProcess on another user's process simply fails.  A process
// turning on SeDebugPrivilege is a well-known signal in endpoint
// telemetry, so expect this step to be visible to monitoring.
void SetDebugPrivileges()
{
    HANDLE token;
    TOKEN_PRIVILEGES tp;

    OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token);

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    LookupPrivilegeValue(0, SE_DEBUG_NAME, &tp.Privileges[0].Luid);

    AdjustTokenPrivileges(token, 0, &tp, sizeof(TOKEN_PRIVILEGES), 0, 0);
    CloseHandle(token);
}
  48.  
// Driver: enable SeDebugPrivilege, look up the pid of the hard-coded
// target (notepad.exe), hand the hard-coded DLL path to Inject() and
// report the result.  Waits for a keypress so the console stays open.
// argc/argv are unused; both the target name and the DLL path are
// compiled in rather than read from the command line.
int main(int argc, char * argv[])
{
    SetDebugPrivileges();

    wchar_t* procname = L"notepad.exe";
    wchar_t* dllpath = L"C:\\code\\inject\\Minesweeper\\Debug\\Injection.dll";
    DWORD pID = GetTargetThreadIDFromProcName(procname);

    // Inject our main dll
    if(Inject(pID, dllpath))
        printf("DLL Loaded into pid %i!\n", pID);
    else
        printf("DLL Not Loaded!");

    _getch();
    return 0;
}
  66.  
// Textbook CreateRemoteThread/LoadLibraryW injection: allocate a buffer in
// the target, copy the DLL path into it, then start a remote thread whose
// entry point is LoadLibraryW and whose argument is that buffer, so the
// target loads the DLL itself.  Returns TRUE once the remote thread has
// been created; it does not wait for the thread or check that the DLL
// actually loaded.
//
// Each step is a distinct, observable event on the target: OpenProcess
// with PROCESS_VM_WRITE | PROCESS_CREATE_THREAD, VirtualAllocEx,
// WriteProcessMemory, and a thread created from outside the process with
// a start address inside kernel32.  Those four together are the standard
// detection signature for this technique.
//
// Known defects, left in place (this is a documentation pass only):
//  - buf is never used;
//  - is64 is heap-allocated with new and never freed;
//  - the "64-bit?" label is misleading: IsWow64Process reports TRUE for a
//    32-bit process running under WOW64, and the value is printed but never
//    acted on (a 32/64-bit mismatch between injector and target makes the
//    reused LoadLibraryW address meaningless);
//  - bytes is computed as (len + 1) * 2 rather than * sizeof(wchar_t);
//  - every early "return false" after OpenProcess leaks proc, and hThread
//    is never closed on the success path;
//  - %i / %x are used for SIZE_T, DWORD and pointer values (format/type
//    mismatch, undefined behavior, wrong output on 64-bit builds);
//  - GetProcAddress/GetModuleHandle results are not checked; a NULL here
//    becomes a NULL start address for the remote thread.
BOOL Inject(DWORD pID, wchar_t * dllpath)
{
   HANDLE proc;
   wchar_t buf[50] = {0};
   LPVOID remoteString, loadLibraryAddress;

   // 0 is what the lookup returns when no process matched.
   if(!pID)
      return false;

   // CREATE_THREAD_ACCESS bundles the rights needed for the steps below.
   proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, pID);
   if(proc) {
       printf("Opened process %i\n", pID);
   }
   else {
      printf("OpenProcess failed: %i\n", GetLastError());
      return false;
   }
    // Result is only printed; see the defect list above for what it means.
    PBOOL is64 = new BOOL();
    *is64 = true;
    IsWow64Process(proc, is64);
    printf("64-bit? %i\n", *is64);

    // Byte length of the path including the terminating NUL, assuming
    // 2-byte wchar_t (true on Windows).
    SIZE_T bytes = (wcslen(dllpath) + 1) * 2, bytesWritten;

    printf("dll path size is %i\n", bytes);
   
    // Address of LoadLibraryW in *this* process; it is reused in the
    // target, which relies on kernel32 being mapped at the same base in
    // both processes.  NOTE(review): not checked for NULL.
    loadLibraryAddress = GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryW");

    // Allocate space in the process for our DLL
    remoteString = VirtualAllocEx(proc, NULL, bytes, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if(remoteString)
        printf("%i bytes allocated at %x\n", bytes, remoteString);
    else return false;   // proc leaks here

    // Write the string name of our DLL in the memory allocated
    if(WriteProcessMemory(proc, remoteString, dllpath, bytes, &bytesWritten))
        printf("%i bytes written at %x\n", bytesWritten, remoteString);
    else return false;   // proc and the remote allocation leak here

    // Load our DLL
    // The thread starts directly in LoadLibraryW with remoteString as its
    // single argument; hThread is never waited on or closed.
    HANDLE hThread = CreateRemoteThread(proc, NULL, NULL, (LPTHREAD_START_ROUTINE)loadLibraryAddress, remoteString, NULL, NULL);
    if(hThread) {
        printf("Remote thread created at %x\n", hThread);
    }
    else {
        printf("Error creating remote thread: ");
        // Only ERROR_ACCESS_DENIED (5) is decoded; any other code prints
        // an empty reason.
        switch(GetLastError()) {
        case 5:
            printf("access denied");
            break;
        }
        printf("\n");
        return false;   // proc leaks here as well
    }
    CloseHandle(proc);
    return true;
}