
Untitled

  1. HMODULE hLib = LoadLibraryW(L"test.dll");
  2.     cout << "Lib load address: " << (int)hLib << endl;
  3.  
  4.     PR *procAddr = (PR *)GetProcAddress(hLib, "_testFunc@4");
  5.     cout << "Proc address: " << (int)procAddr << endl;
  6.  
  7.     DWORD delta = (DWORD)procAddr - (DWORD)hLib;
  8.  
  9.     WCHAR libNameBuff[MAX_PATH];
  10.     int len = GetModuleFileName(hLib, libNameBuff, MAX_PATH);
  11.     libNameBuff[len] = 0;
  12.  
  13.     HANDLE hTarget = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, false, 15404);
  14.     if (hTarget == nullptr) {
  15.         cout << "OpenProcess fail" << endl;
  16.     }
  17.  
  18.     LPVOID expLibName = VirtualAllocEx(hTarget, NULL, (len + 1) * sizeof(WCHAR), MEM_COMMIT, PAGE_READWRITE);
  19.     WriteProcessMemory(hTarget, expLibName, libNameBuff, (len + 1) * sizeof(WCHAR), NULL);
  20.  
  21.     HMODULE hKernel32 = GetModuleHandle(L"kernel32.dll");
  22.     LPTHREAD_START_ROUTINE expLoadLibraryW = (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryW");
  23.  
  24.     HANDLE remoteThread = CreateRemoteThread(hTarget, NULL, 0, expLoadLibraryW, expLibName, 0, NULL);
  25.     if (remoteThread == NULL) {
  26.         cout << "CreateRemoteThread1 fail" << endl;
  27.     }
  28.  
  29.     DWORD injAddr = 0;
  30.     WaitForSingleObject(remoteThread, INFINITE);
  31.     GetExitCodeThread(remoteThread, &injAddr);
  32.     CloseHandle(remoteThread);
  33.  
  34.     cout << injAddr << endl;
  35.    
  36.     WCHAR str1[15] = { L"Hello, world!" };
  37.     WCHAR str2[15] = { L"Hello, inject" };
  38.     LPVOID expStr1 = VirtualAllocEx(hTarget, NULL, (15) * sizeof(WCHAR), MEM_COMMIT, PAGE_READWRITE);
  39.     LPVOID expStr2 = VirtualAllocEx(hTarget, NULL, (15) * sizeof(WCHAR), MEM_COMMIT, PAGE_READWRITE);
  40.     WriteProcessMemory(hTarget, expStr1, str1, (15) * sizeof(WCHAR), NULL);
  41.     WriteProcessMemory(hTarget, expStr2, str2, (15) * sizeof(WCHAR), NULL);
  42.  
  43.     PTRS ptrs = { expStr1, expStr2 };
  44.     LPVOID expPtrs = VirtualAllocEx(hTarget, NULL, sizeof(PTRS), MEM_COMMIT, PAGE_READWRITE);
  45.     WriteProcessMemory(hTarget, expPtrs, &ptrs, sizeof(PTRS), NULL);
  46.  
  47.     DWORD expTestFunc = injAddr + delta;
  48.  
  49.     remoteThread = CreateRemoteThread(hTarget, NULL, 0, (LPTHREAD_START_ROUTINE)expTestFunc, (LPVOID)expPtrs, 0, NULL);
  50.     if (remoteThread == NULL) {
  51.         cout << "CreateRemoteThread2 fail" << endl;
  52.     }
  53.  
  54.     DWORD ret = 0;
  55.     WaitForSingleObject(remoteThread, INFINITE);
  56.     GetExitCodeThread(remoteThread, &ret);
  57.     CloseHandle(remoteThread);
  58.  
  59.     cout << ret << endl;
  60.    
  61.     FreeLibrary(hLib);
  62. }