Untitled

#include <SDKDDKVer.h>
#include <cstdio>
#include <windows.h>
#include <cstddef>
#include <Psapi.h>
#include <winternl.h>
#pragma comment(lib, "ntdll.lib")

#define TEMPLATE

typedef
HMODULE
(WINAPI *PFN_LOAD_LIBRARY_A)(
    _In_ LPCSTR lpLibFileName
    );

typedef
DWORD
(WINAPI *PFN_GET_LAST_ERROR)(
    VOID
    );

PFN_LOAD_LIBRARY_A g_LoadLibrary = NULL; //LoadLibraryA
PFN_GET_LAST_ERROR g_GetLastError = NULL; //GetLastError

void Init1()
{
    HMODULE hLibrary = LoadLibraryA("kernel32.dll");
    g_LoadLibrary = (PFN_LOAD_LIBRARY_A)GetProcAddress(hLibrary, "LoadLibraryA");
    g_GetLastError = (PFN_GET_LAST_ERROR)GetProcAddress(hLibrary, "GetLastError");
}

typedef struct _MY_SHELLCODE {
    PFN_LOAD_LIBRARY_A pfn_LoadLibrary;
    PFN_GET_LAST_ERROR pfn_GetLastError;
    CHAR libraryName[MAX_PATH];
    UCHAR shellCode[100]; //100 bytes should be enough
} MY_SHELLCODE, *PMY_SHELLCODE;

const UCHAR myShellcode32[] = {
    0x55,           //push ebp
    0x8b, 0xec,     //mov ebp, esp
    0x56, 0x8b, 0x75, 0x08, 0x8d, 0x46, 0x08,
    0x50, 0x8b, 0x06, 0xff, 0xd0, 0x85, 0xc0, 0x75, 0x0a, 0x8b,
    0x46, 0x04, 0xff, 0xd0, 0x5e, 0x5d, 0xc2, 0x04, 0x00, 0x33,
    0xc0, 0x5e, 0x5d, 0xc2, 0x04, 0x00
};

const UCHAR myShellcode64[] = {
    0x40, 0x53, 0x48, 0x83, 0xec, 0x20, 0x48,
    0x8b, 0xd9, 0x48, 0x83, 0xc1, 0x10, 0xff,
    0x13, 0x48, 0x85, 0xc0, 0x75, 0x0c, 0x48,
    0x8b, 0x43, 0x08, 0x48, 0x83, 0xc4, 0x20,
    0x5b, 0x48, 0xff, 0xe0, 0x33, 0xc0, 0x48,
    0x83, 0xc4, 0x20, 0x5b, 0xc3
    //40 53 48 83 ec 20 48 8b d9 48 83 c1 10 ff 13 48 85 c0 75 0c 48 8b 43 08 48 83 c4 20 5b 48 ff e0 33 c0 48 83 c4 20 5b c3
};

DWORD WINAPI MyThreadProc(PMY_SHELLCODE shellCode)
{
    const auto hLibrary = shellCode->pfn_LoadLibrary(shellCode->libraryName);
    if (nullptr == hLibrary)
    {
#ifndef TEMPLATE
        printf("Failed to load DLL, error %lu \n", GetLastError());
#endif
        return shellCode->pfn_GetLastError();
    }
#ifndef TEMPLATE
    else
    {
        printf("DLL was loaded at %p \n", hLibrary);
    }
#endif
    return 0;
}

void Test1()
{
    DWORD ThreadId;
    const auto LibraryName = "MyDll.dll";
    const auto size = strlen(LibraryName) + 1;

    MY_SHELLCODE shellcode;
    shellcode.pfn_LoadLibrary = g_LoadLibrary;
    shellcode.pfn_GetLastError = g_GetLastError;
    memcpy(shellcode.libraryName, LibraryName, size);

    const auto hThread = CreateThread(
        nullptr,
        0,
        reinterpret_cast<LPTHREAD_START_ROUTINE>(MyThreadProc),
        &shellcode,
        0,
        &ThreadId);
    if (nullptr == hThread)
    {
        printf("CreateThread failed with error %lu \n", GetLastError());
        return;
    }
    WaitForSingleObject(hThread, INFINITE);

    DWORD ExitCode;
    if (GetExitCodeThread(hThread, &ExitCode))
    {
        printf("Thread exited with %d \n", ExitCode);
    }
    else
    {
        printf("GetExitCodeThread failed with error %lu \n", GetLastError());
    }

    CloseHandle(hThread);
}

void Test2()
{
    STARTUPINFO StartupInfo;
    memset(&StartupInfo, 0, sizeof(STARTUPINFO));
    StartupInfo.cb = sizeof(STARTUPINFO);
    PROCESS_INFORMATION ProcessInformation;
    auto Ret = CreateProcess(
        L"C:\\Windows\\system32\\notepad.exe",
        nullptr,
        nullptr,
        nullptr,
        false,
        CREATE_SUSPENDED,
        nullptr,
        nullptr,
        &StartupInfo,
        &ProcessInformation
    );
    if (FALSE == Ret)
    {
        printf("CreateProcess failed with error %lu \n", GetLastError());
        return;
    }
    // here we need to do an infinite loop in notepad's entry point  EB FE - jump to itself @ jmp @

    // process environment block - is undocumented and changing from version to version of Windows

    /*
    Module(0) has entrypoint
    hThread

    GetThreadContext -> context with rip
    NtQueryInformationThread -> ThreadQuerySetWin32Address
    undocumented.ntinternals.com


    a save two bytes
    b patch entrypoint (WriteProcessMemory)
    c resume thread
    d patch imports
    e unpatch entrypoint


    next :
    a catch direct x (sample direct x)
    b task manager (add a column, подменить оконную функцию)
    c explorer comctl32.dll - proxy image list 0 - 15
    */
    PVOID StartAddress;
    ULONG ReturnLength;
    const auto status = NtQueryInformationThread(
        ProcessInformation.hThread,
        (THREADINFOCLASS)9,
        &StartAddress,
        sizeof(StartAddress),
        &ReturnLength
    );
    printf("NtQueryInformationThread returns 0x%08x and %p \n", status, StartAddress);

    WORD ep_word;
    SIZE_T ep_bytes_read;
    auto ep_read_result = ReadProcessMemory(
        ProcessInformation.hProcess,
        StartAddress,
        &ep_word,
        sizeof(ep_word),
        &ep_bytes_read
    );

    if (!ep_read_result) {
        printf("ReadProcessMemory failed with error %lu \n", GetLastError());
        return;
    }
    if (ep_bytes_read != sizeof(ep_word)) {
        printf("Wrong amount of entrypoint bytes is read. Read %u bytes", ep_bytes_read);
        return;
    }

    WORD infinite_jump = 0xFEEB;
    SIZE_T ep_bytes_written;
    auto  ep_write_result = WriteProcessMemory(
        ProcessInformation.hProcess,
        StartAddress,
        &infinite_jump,
        sizeof(infinite_jump),
        &ep_bytes_written
    );
    if (!ep_write_result) {
        printf("WriteProcessMemory failed with error %lu \n", GetLastError());
        return;
    }
    if (ep_bytes_written != sizeof(infinite_jump)) {
        printf("Wrong amount of entrypoint bytes is written. Written %u bytes \n", ep_bytes_written);
        return;
    }

    //  CONTEXT Context;
    //  if (!GetThreadContext(
    //      ProcessInformation.hThread,
    //      &Context
    //  )) {
    //      printf("GetThreadContext failed %lu \n", GetLastError());
    //      return;
    //  }
    //
    //#ifdef _AMD64_
    //  printf("Address %p \n", Context.Rip);
    //#else
    //  printf("Address %p \n", Context.Eip);
    //
    //#endif

    ResumeThread(ProcessInformation.hThread);
    HMODULE Modules[1000];
    DWORD cbneeded;
    DWORD cbneeded_before(0);
    while (true) {
        if (!EnumProcessModulesEx(
            ProcessInformation.hProcess,
            Modules,
            sizeof(Modules),
            &cbneeded,
            LIST_MODULES_ALL
        )) {
            auto err = GetLastError();
            if (ERROR_PARTIAL_COPY == err) {
                Sleep(100);
                continue;
            }
            printf("EnumProcessModules failed %lu\n", GetLastError());
            return;
        }
        if (cbneeded > cbneeded_before) {
            cbneeded_before = cbneeded;
            Sleep(100);
            continue;
        }
        break;
    }

    if (!(cbneeded / sizeof(HMODULE))) {
        printf("Zero modules returned \n");
    }

    // do it with PE parsing
    for (int i = 0; i < cbneeded / sizeof(HMODULE); ++i) {
        printf("%d = %p\n", i, Modules[i]);
        WCHAR filename[MAX_PATH];
        if (GetModuleFileNameEx(
            ProcessInformation.hProcess,
            Modules[i],
            filename,
            MAX_PATH
        )) {
            printf("\t%d = %S\n", i, filename);
        }
    }

    const auto LibraryName = "MyDll.dll";
    const auto size = strlen(LibraryName) + 1; //null=terminated character
                                               //(wcslen()+1)*sizeof(wchar_t)
    MY_SHELLCODE shellcode;
    shellcode.pfn_LoadLibrary = g_LoadLibrary;
    shellcode.pfn_GetLastError = g_GetLastError;
    memcpy(shellcode.libraryName, LibraryName, size);
#ifdef _AMD64_
    memcpy(shellcode.shellCode, myShellcode64, sizeof(myShellcode64));
#else
    memcpy(shellcode.shellCode, myShellcode32, sizeof(myShellcode32));
#endif

    const auto Size = sizeof(shellcode);

    const auto ShellcodeRemote = VirtualAllocEx(
        ProcessInformation.hProcess,
        nullptr,
        Size,
        MEM_COMMIT,
        PAGE_EXECUTE_READWRITE);
    if (nullptr == ShellcodeRemote)
    {
        printf("VirtualAllocEx failed with error %lu \n", GetLastError());
        return;
    }
    SIZE_T SizeWritten = 0;
    Ret = WriteProcessMemory(
        ProcessInformation.hProcess,
        ShellcodeRemote,
        &shellcode,
        Size,
        &SizeWritten
    );
    if (!Ret)
    {
        printf("WriteProcessMemory failed with error %lu \n", GetLastError());
        return;
    }
    else if (Size != SizeWritten)
    {
        printf("WriteProcessMemory %lu != %lu \n", Size, SizeWritten);
        return;
    }

    char* ShellcodeRemoteCode =
        ((char*)ShellcodeRemote) +
        offsetof(MY_SHELLCODE, shellCode);

    DWORD ThreadId;
    const auto hThread = CreateRemoteThread(
        ProcessInformation.hProcess,
        nullptr,
        0,
        reinterpret_cast<LPTHREAD_START_ROUTINE>(ShellcodeRemoteCode),
        ShellcodeRemote,
        0,
        &ThreadId);
    if (nullptr == hThread)
    {
        printf("CreateThread failed with error %lu \n", GetLastError());
        return;
    }
    WaitForSingleObject(hThread, INFINITE);

    DWORD ExitCode;
    if (GetExitCodeThread(hThread, &ExitCode))
    {
        printf("Thread exited with 0x%p \n", (void*)ExitCode);
    }
    else
    {
        printf("GetExitCodeThread failed with error %d \n", GetLastError());
    }

    CloseHandle(hThread);
    CloseHandle(ProcessInformation.hProcess);
    CloseHandle(ProcessInformation.hThread);
}

int main(int argc, char* argv[])
{
    Init1();
    //Test1();
    Test2();
    return 0;
}


// DLL


#include <Windows.h>

BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        MessageBox(
            NULL,
            L"Attached to process!",
            L"testDLL",
            MB_OK
        );
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        MessageBox(
            NULL,
            L"Detached from process!",
            L"testDLL",
            MB_OK
        );
        break;
    }
    return TRUE;
}