#include <windows.h>#include <TlHelp32.h>#include <Psapi.h>#include <iostr

1. #include <windows.h>
2. #include <TlHelp32.h>
3. #include <Psapi.h>
4. #include <iostream>
5. #include <string>
6.  
7. using namespace std;
8.  
9. bool Inject(DWORD pid, LPTHREAD_START_ROUTINE callRoutine)
10. {
11. PIMAGE_DOS_HEADER pIDH;
12. PIMAGE_NT_HEADERS pINH;
13. PIMAGE_BASE_RELOCATION pIBR;
14.  
15. HANDLE hProcess, hThread;
16. PUSHORT TypeOffset;
17.  
18. PVOID ImageBase, Buffer, mem;
19. ULONG i, Count, Delta, *p;
20.  
21. bool result = true;
22.  
23. printf("\n# Opening target process");
24. hProcess = OpenProcess(
25. PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
26. FALSE,
27. pid);
28.  
29. if (!hProcess)
30. {
31. printf("\n# Error: Unable to open target process (%u)", GetLastError());
32.  
33. result = false;
34. }
35.  
36. ImageBase = GetModuleHandle(NULL);
37. printf("\n# Image base in current process: %#x", ImageBase);
38.  
39. pIDH = (PIMAGE_DOS_HEADER)ImageBase;
40. pINH = (PIMAGE_NT_HEADERS)((PUCHAR)ImageBase + pIDH->e_lfanew);
41.  
42. printf("\n# Allocating memory in target process");
43. mem = VirtualAllocEx(hProcess, NULL, pINH->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
44.  
45. if (!mem)
46. {
47. printf("\n# Error: Unable to allocate memory in target process (%u)", GetLastError());
48.  
49. CloseHandle(hProcess);
50.  
51. result = false;
52. }
53.  
54. printf("\n# Memory allocated at %#x", mem);
55.  
56. Buffer = VirtualAlloc(NULL, pINH->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
57. memcpy(Buffer, ImageBase, pINH->OptionalHeader.SizeOfImage);
58.  
59. printf("\n# Relocating image");
60.  
61. pIBR = (PIMAGE_BASE_RELOCATION)((PUCHAR)Buffer + pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
62. Delta = (ULONG)mem - (ULONG)ImageBase;
63.  
64. printf("\n# Delta: %#x", Delta);
65.  
66. while (pIBR->VirtualAddress)
67. {
68. if (pIBR->SizeOfBlock >= sizeof(IMAGE_BASE_RELOCATION))
69. {
70. Count = (pIBR->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(USHORT);
71. TypeOffset = (PUSHORT)(pIBR + 1);
72.  
73. for (i = 0; i<Count; i++)
74. {
75. if (TypeOffset[i])
76. {
77. p = (PULONG)((PUCHAR)Buffer + pIBR->VirtualAddress + (TypeOffset[i] & 0xFFF));
78. *p += Delta;
79. }
80. }
81. }
82.  
83. pIBR = (PIMAGE_BASE_RELOCATION)((PUCHAR)pIBR + pIBR->SizeOfBlock);
84. }
85.  
86. printf("\n# Writing relocated image into target process");
87.  
88. if (!WriteProcessMemory(hProcess, mem, Buffer, pINH->OptionalHeader.SizeOfImage, NULL))
89. {
90. printf("\n# Error: Unable to write process memory (%u)", GetLastError());
91.  
92. VirtualFreeEx(hProcess, mem, 0, MEM_RELEASE);
93. CloseHandle(hProcess);
94.  
95. result = false;
96. }
97.  
98. VirtualFree(Buffer, 0, MEM_RELEASE);
99.  
100. printf("\n# Creating thread in target process");
101. hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)((PUCHAR)callRoutine + Delta), NULL, 0, NULL);
102.  
103. if (!hThread)
104. {
105. printf("\n# Error: Unable to create thread in target process (%u)", GetLastError());
106.  
107. VirtualFreeEx(hProcess, mem, 0, MEM_RELEASE);
108. CloseHandle(hProcess);
109.  
110. result = false;
111. }
112.  
113. printf("\n# Waiting for the thread to terminate");
114. WaitForSingleObject(hThread, INFINITE);
115.  
116. printf("\n# Thread terminated\n# Freeing allocated memory");
117.  
118. VirtualFreeEx(hProcess, mem, 0, MEM_RELEASE);
119. CloseHandle(hProcess);
120.  
121. return result;
122. }
123.  
124. DWORD GetProcessesByName(const char *ProcName)
125. {
126. PROCESSENTRY32 pe32;
127. HANDLE hSnapshot = NULL;
128.  
129. pe32.dwSize = sizeof(PROCESSENTRY32);
130. hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
131.  
132. if (Process32First(hSnapshot, &pe32))
133. {
134. do{
135. if (strcmp(pe32.szExeFile, ProcName) == 0)
136. break;
137. } while (Process32Next(hSnapshot, &pe32));
138. }
139.  
140. if (hSnapshot != INVALID_HANDLE_VALUE)
141. CloseHandle(hSnapshot);
142.  
143. return pe32.th32ProcessID;
144. }
145.  
146. string GetProcessPath(DWORD ProcessId)
147. {
148. string path;
149. char buffer[MAX_PATH];
150.  
151. MessageBox(NULL, "ProcessPath() called", "Error", MB_ICONERROR);
152. HANDLE hProcess;
153.  
154. hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, ProcessId);
155.  
156. if (GetModuleFileNameEx(hProcess, NULL, buffer, sizeof(buffer) / sizeof(char)))
157. {
158. path = string(buffer);
159. }
160. else {
161. MessageBox(NULL, "Failed to get process path.", "Error", MB_ICONERROR);
162. }
163.  
164. return path;
165. }
166.  
167. DWORD WINAPI MainThread(PVOID p)
168. {
169. MessageBox(NULL, "Main thread called.", "Information", MB_ICONINFORMATION);
170.  
171. string path = GetProcessPath(GetProcessesByName("Spotify.exe"));
172. MessageBox(NULL, path.c_str(), "Information", MB_ICONINFORMATION);
173. // Calling GetProcessPath() here crashes the slave process cause of using string without runtime library
174.  
175. bool MAIN_THREAD = true;
176.  
177. while (MAIN_THREAD)
178. {
179.  
180. if (GetAsyncKeyState(VK_ESCAPE) & 0x8000)
181. {
182. MessageBox(NULL, "Main thread closed!", "Information", MB_ICONINFORMATION);
183. MAIN_THREAD = false;
184. }
185.  
186. Sleep(1);
187.  
188. }
189.  
190. return 0;
191. }
192.  
193. int main()
194. {
195. //string path = GetProcessPath(GetProcessesByName("Spotify.exe"));
196. //MessageBox(NULL, path.c_str(), "Information", MB_ICONINFORMATION);
197. // Calling GetProcessPath() here works fine, because of runtime library still valid
198. Inject(GetProcessesByName("Spotify.exe"), MainThread);
199.  
200. return EXIT_SUCCESS;
201. }