- #include <windows.h>
- #include <tlhelp32.h>
- #include <shlwapi.h>
- #include <conio.h>
- #include <stdio.h>
- #define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)
- BOOL Inject(DWORD pID, wchar_t * DLL_NAME);
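DWORD GetTargetThreadIDFromProcName(wchar_t * ProcName)
{
    /*
     * Return the process ID of the first running process whose image name
     * contains ProcName (case-insensitive substring match through StrStrI).
     *
     * Note the misnomer: despite "ThreadID" in the name, the value returned
     * is pe.th32ProcessID, i.e. a process ID.
     *
     * Returns 0 when no process matches or the snapshot cannot be created
     * (a diagnostic is printed in the latter case). The toolhelp snapshot
     * handle is closed on every path; the original leaked it on both the
     * match and the no-match return.
     *
     * NOTE(review): pe.szExeFile is a TCHAR array, so passing a wchar_t*
     * to StrStrI only type-checks in a UNICODE build — confirm build flags.
     */
    HANDLE thSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (thSnapShot == INVALID_HANDLE_VALUE)
    {
        printf("Error: Unable to create toolhelp snapshot!");
        return 0;
    }

    DWORD pid = 0;
    PROCESSENTRY32 pe = {0};
    pe.dwSize = sizeof(pe); /* Process32First rejects an entry without dwSize set */

    for (BOOL more = Process32First(thSnapShot, &pe); more; more = Process32Next(thSnapShot, &pe))
    {
        /* Substring match: "notepad" also matches "notepad++.exe"; callers
         * should pass the full image name to avoid picking the wrong process. */
        if (StrStrI(pe.szExeFile, ProcName))
        {
            pid = pe.th32ProcessID;
            break;
        }
    }

    CloseHandle(thSnapShot);
    return pid;
}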
/*
 * Enable SeDebugPrivilege on the current process token.
 *
 * Every Win32 call below is unchecked, so the function silently does nothing
 * on failure. Defects to be aware of when reading the rest of the file:
 *  - tokenHandle is never initialised; if OpenProcessToken fails, the
 *    CloseHandle at the end is called on an indeterminate value.
 *  - AdjustTokenPrivileges returns non-zero even when the privilege was not
 *    assigned; success can only be confirmed by checking GetLastError() for
 *    ERROR_NOT_ALL_ASSIGNED, which this code never does.
 *  - The privilege is only available to tokens that already hold it
 *    (typically elevated administrators); a standard user gets no effect.
 * Token privilege adjustments are an auditable event on Windows, so this
 * call is visible to monitoring regardless of outcome.
 */
void SetDebugPrivileges()
{
void* tokenHandle;
/* Unchecked: on failure tokenHandle stays uninitialised (see header). */
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &tokenHandle);
TOKEN_PRIVILEGES privilegeToken;
/* NULL system name == the local machine; return value unchecked. */
LookupPrivilegeValue(0, SE_DEBUG_NAME, &privilegeToken.Privileges[0].Luid);
privilegeToken.PrivilegeCount = 1;
privilegeToken.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
/* No previous-state buffer is requested; result and GetLastError() unchecked. */
AdjustTokenPrivileges(tokenHandle, 0, &privilegeToken, sizeof(TOKEN_PRIVILEGES), 0, 0);
CloseHandle(tokenHandle);
}
/*
 * Entry point: enable SeDebugPrivilege, locate a process by hard-coded
 * image name, and hand its PID plus a hard-coded DLL path to Inject().
 *
 * argc/argv are ignored; both the target name and the DLL path are
 * compile-time literals (the DLL path is a developer build-tree path).
 * A PID of 0 (no match) is not reported here — Inject() returns false on
 * pID == 0, so the user just sees "DLL Not Loaded!" with no reason.
 *
 * Note that the file is C++ (see `new BOOL()` in Inject), and binding a
 * wide string literal to a non-const wchar_t* is deprecated in C++11.
 */
int main(int argc, char * argv[])
{
SetDebugPrivileges();
wchar_t* procname = L"notepad.exe";
/* Returns a process ID despite the function's name; 0 when not found. */
DWORD pID = GetTargetThreadIDFromProcName(procname);
wchar_t* dllpath = L"C:\\code\\inject\\Minesweeper\\Debug\\Injection.dll";
// Inject our main dll
if(!Inject(pID, dllpath))
{
printf("DLL Not Loaded!");
}else{
/* pID is a DWORD (unsigned); %u would be the matching specifier. */
printf("DLL Loaded into pid %i!\n", pID);
}
/* Block until a key is pressed so the console output stays visible. */
_getch();
return 0;
}
/*
 * Textbook remote-thread DLL load: OpenProcess, VirtualAllocEx,
 * WriteProcessMemory (the DLL path), CreateRemoteThread on LoadLibraryW.
 * This exact API sequence is the well-known pattern that endpoint
 * monitoring products and ETW-based detections key on; nothing here is
 * stealthy, which is useful context when reading it as a sample.
 *
 * Returns TRUE once the remote thread has been *created* — it never waits
 * on the thread, so TRUE does not mean LoadLibraryW actually succeeded.
 *
 * Resource and correctness defects a reviewer would flag (none fixed here):
 *  - buf is declared and never used.
 *  - proc is leaked on the three failure returns after OpenProcess;
 *    hThread is never closed; remoteString is never freed with VirtualFreeEx.
 *  - is64 is heap-allocated with new and never deleted. IsWow64Process sets
 *    TRUE when the *target* runs under WOW64 (a 32-bit process on 64-bit
 *    Windows), so the "64-bit?" label prints the inverse; pre-setting it to
 *    true also hides a failed call. The result is not used for anything.
 *  - bytes hard-codes sizeof(wchar_t) as 2; sizeof *dllpath would be clearer.
 *  - loadLibraryAddress is not checked for NULL before use.
 *  - printf specifiers do not match their arguments: %i with SIZE_T and
 *    %x with pointers/handles truncate on x64 and are undefined behaviour.
 *  - The error switch compares GetLastError() against a bare 5, which is
 *    ERROR_ACCESS_DENIED; every other error code prints an empty message.
 * NOTE(review): GetModuleHandle(L"kernel32.dll") only compiles under UNICODE,
 * consistent with the StrStrI call in GetTargetThreadIDFromProcName.
 */
BOOL Inject(DWORD pID, wchar_t * dllpath)
{
HANDLE proc;
wchar_t buf[50] = {0}; /* unused */
LPVOID remoteString, loadLibraryAddress;
/* 0 is the "not found" value returned by the PID lookup. */
if(!pID)
return false;
proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, pID);
if(proc) {
printf("Opened process %i\n", pID);
}
else {
/* GetLastError() returns DWORD; %i is a mismatched specifier. */
printf("OpenProcess failed: %i\n", GetLastError());
return false;
}
/* Heap-allocated BOOL, never deleted; see header for the inverted meaning. */
PBOOL is64 = new BOOL();
*is64 = true;
IsWow64Process(proc, is64);
printf("64-bit? %i\n", *is64);
/* Byte length of the path including the terminator; assumes 2-byte wchar_t. */
SIZE_T bytes = (wcslen(dllpath) + 1) * 2, bytesWritten;
printf("dll path size is %i\n", bytes);
/* Relies on kernel32 mapping at the same base in both processes; unchecked for NULL. */
loadLibraryAddress = GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryW");
// Allocate space in the process for our DLL
remoteString = VirtualAllocEx(proc, NULL, bytes, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
if(remoteString)
printf("%i bytes allocated at %x\n", bytes, remoteString);
else return false; /* leaks proc */
// Write the string name of our DLL in the memory allocated
if(WriteProcessMemory(proc, remoteString, dllpath, bytes, &bytesWritten))
printf("%i bytes written at %x\n", bytesWritten, remoteString);
else return false; /* leaks proc and the remote allocation */
// Load our DLL
/* Thread handle is never closed or waited on. */
HANDLE hThread = CreateRemoteThread(proc, NULL, NULL, (LPTHREAD_START_ROUTINE)loadLibraryAddress, remoteString, NULL, NULL);
if(hThread) {
printf("Remote thread created at %x\n", hThread);
}
else {
printf("Error creating remote thread: ");
switch(GetLastError()) {
case 5: /* ERROR_ACCESS_DENIED */
printf("access denied");
break;
}
printf("\n");
return false; /* leaks proc */
}
CloseHandle(proc);
return true;
}