- HMODULE hLib = LoadLibraryW(L"test.dll");
- cout << "Lib load address: " << (int)hLib << endl;
- PR *procAddr = (PR *)GetProcAddress(hLib, "_testFunc@4");
- cout << "Proc address: " << (int)procAddr << endl;
- DWORD delta = (DWORD)procAddr - (DWORD)hLib;
- WCHAR libNameBuff[MAX_PATH];
- int len = GetModuleFileName(hLib, libNameBuff, MAX_PATH);
- libNameBuff[len] = 0;
- HANDLE hTarget = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, false, 15404);
- if (hTarget == nullptr) {
- cout << "OpenProcess fail" << endl;
- }
- LPVOID expLibName = VirtualAllocEx(hTarget, NULL, (len + 1) * sizeof(WCHAR), MEM_COMMIT, PAGE_READWRITE);
- WriteProcessMemory(hTarget, expLibName, libNameBuff, (len + 1) * sizeof(WCHAR), NULL);
- HMODULE hKernel32 = GetModuleHandle(L"kernel32.dll");
- LPTHREAD_START_ROUTINE expLoadLibraryW = (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryW");
- HANDLE remoteThread = CreateRemoteThread(hTarget, NULL, 0, expLoadLibraryW, expLibName, 0, NULL);
- if (remoteThread == NULL) {
- cout << "CreateRemoteThread1 fail" << endl;
- }
- DWORD injAddr = 0;
- WaitForSingleObject(remoteThread, INFINITE);
- GetExitCodeThread(remoteThread, &injAddr);
- CloseHandle(remoteThread);
- cout << injAddr << endl;
- WCHAR str1[15] = { L"Hello, world!" };
- WCHAR str2[15] = { L"Hello, inject" };
- LPVOID expStr1 = VirtualAllocEx(hTarget, NULL, (15) * sizeof(WCHAR), MEM_COMMIT, PAGE_READWRITE);
- LPVOID expStr2 = VirtualAllocEx(hTarget, NULL, (15) * sizeof(WCHAR), MEM_COMMIT, PAGE_READWRITE);
- WriteProcessMemory(hTarget, expStr1, str1, (15) * sizeof(WCHAR), NULL);
- WriteProcessMemory(hTarget, expStr2, str2, (15) * sizeof(WCHAR), NULL);
- PTRS ptrs = { expStr1, expStr2 };
- LPVOID expPtrs = VirtualAllocEx(hTarget, NULL, sizeof(PTRS), MEM_COMMIT, PAGE_READWRITE);
- WriteProcessMemory(hTarget, expPtrs, &ptrs, sizeof(PTRS), NULL);
- DWORD expTestFunc = injAddr + delta;
- remoteThread = CreateRemoteThread(hTarget, NULL, 0, (LPTHREAD_START_ROUTINE)expTestFunc, (LPVOID)expPtrs, 0, NULL);
- if (remoteThread == NULL) {
- cout << "CreateRemoteThread2 fail" << endl;
- }
- DWORD ret = 0;
- WaitForSingleObject(remoteThread, INFINITE);
- GetExitCodeThread(remoteThread, &ret);
- CloseHandle(remoteThread);
- cout << ret << endl;
- FreeLibrary(hLib);
- }