View difference between Paste ID: <a href="/92Nzc6pG">92Nzc6pG</a> and <a href="/QVJCW9qv">QVJCW9qv</a>

#include <windows.h>
1		#include <windows.h>
2		#include <TlHelp32.h>
3		#include <Psapi.h>
4		#include <iostream>
5		#include <string>
6
7		using namespace std;
8
9		bool Inject(DWORD pid, LPTHREAD_START_ROUTINE callRoutine)
10		{
11		PIMAGE_DOS_HEADER pIDH;
12		PIMAGE_NT_HEADERS pINH;
13		PIMAGE_BASE_RELOCATION pIBR;
14
15		HANDLE hProcess, hThread;
16		PUSHORT TypeOffset;
17
18		PVOID ImageBase, Buffer, mem;
19		ULONG i, Count, Delta, *p;
20
21		bool result = true;
22
23		printf("\n# Opening target process");
24		hProcess = OpenProcess(
25		PROCESS_CREATE_THREAD \| PROCESS_QUERY_INFORMATION \| PROCESS_VM_OPERATION \| PROCESS_VM_READ \| PROCESS_VM_WRITE,
26		FALSE,
27		pid);
28
29		if (!hProcess)
30		{
31		printf("\n# Error: Unable to open target process (%u)", GetLastError());
32
33		result = false;
34		}
35
36		ImageBase = GetModuleHandle(NULL);
37		printf("\n# Image base in current process: %#x", ImageBase);
38
39		pIDH = (PIMAGE_DOS_HEADER)ImageBase;
40		pINH = (PIMAGE_NT_HEADERS)((PUCHAR)ImageBase + pIDH->e_lfanew);
41
42		printf("\n# Allocating memory in target process");
43		mem = VirtualAllocEx(hProcess, NULL, pINH->OptionalHeader.SizeOfImage, MEM_COMMIT \| MEM_RESERVE, PAGE_EXECUTE_READWRITE);
44
45		if (!mem)
46		{
47		printf("\n# Error: Unable to allocate memory in target process (%u)", GetLastError());
48
49		CloseHandle(hProcess);
50
51		result = false;
52		}
53
54		printf("\n# Memory allocated at %#x", mem);
55
56		Buffer = VirtualAlloc(NULL, pINH->OptionalHeader.SizeOfImage, MEM_COMMIT \| MEM_RESERVE, PAGE_READWRITE);
57		memcpy(Buffer, ImageBase, pINH->OptionalHeader.SizeOfImage);
58
59		printf("\n# Relocating image");
60
61		pIBR = (PIMAGE_BASE_RELOCATION)((PUCHAR)Buffer + pINH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
62		Delta = (ULONG)mem - (ULONG)ImageBase;
63
64		printf("\n# Delta: %#x", Delta);
65
66		while (pIBR->VirtualAddress)
67		{
68		if (pIBR->SizeOfBlock >= sizeof(IMAGE_BASE_RELOCATION))
69		{
70		Count = (pIBR->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(USHORT);
71		TypeOffset = (PUSHORT)(pIBR + 1);
72
73		for (i = 0; i<Count; i++)
74		{
75		if (TypeOffset[i])
76		{
77		p = (PULONG)((PUCHAR)Buffer + pIBR->VirtualAddress + (TypeOffset[i] & 0xFFF));
78		*p += Delta;
79		}
80		}
81		}
82
83		pIBR = (PIMAGE_BASE_RELOCATION)((PUCHAR)pIBR + pIBR->SizeOfBlock);
84		}
85
86		printf("\n# Writing relocated image into target process");
87
88		if (!WriteProcessMemory(hProcess, mem, Buffer, pINH->OptionalHeader.SizeOfImage, NULL))
89		{
90		printf("\n# Error: Unable to write process memory (%u)", GetLastError());
91
92		VirtualFreeEx(hProcess, mem, 0, MEM_RELEASE);
93		CloseHandle(hProcess);
94
95		result = false;
96		}
97
98		VirtualFree(Buffer, 0, MEM_RELEASE);
99
100		printf("\n# Creating thread in target process");
101		hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)((PUCHAR)callRoutine + Delta), NULL, 0, NULL);
102
103		if (!hThread)
104		{
105		printf("\n# Error: Unable to create thread in target process (%u)", GetLastError());
106
107		VirtualFreeEx(hProcess, mem, 0, MEM_RELEASE);
108		CloseHandle(hProcess);
109
110		result = false;
111		}
112
113		printf("\n# Waiting for the thread to terminate");
114		WaitForSingleObject(hThread, INFINITE);
115
116		printf("\n# Thread terminated\n# Freeing allocated memory");
117
118		VirtualFreeEx(hProcess, mem, 0, MEM_RELEASE);
119		CloseHandle(hProcess);
120
121		return result;
122		}
123
124		DWORD GetProcessesByName(const char *ProcName)
125		{
126		PROCESSENTRY32 pe32;
127		HANDLE hSnapshot = NULL;
128
129		pe32.dwSize = sizeof(PROCESSENTRY32);
130		hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
131
132		if (Process32First(hSnapshot, &pe32))
133		{
134		do{
135		if (strcmp(pe32.szExeFile, ProcName) == 0)
136		break;
137		} while (Process32Next(hSnapshot, &pe32));
138		}
139
140		if (hSnapshot != INVALID_HANDLE_VALUE)
141		CloseHandle(hSnapshot);
142
143		return pe32.th32ProcessID;
144		}
145
146		string GetProcessPath(DWORD ProcessId)
147		{
148		string path;
149		char buffer[MAX_PATH];
150
151		MessageBox(NULL, "ProcessPath() called", "Error", MB_ICONERROR);
152		HANDLE hProcess;
153
154		hProcess = OpenProcess(PROCESS_QUERY_INFORMATION \| PROCESS_VM_READ, FALSE, ProcessId);
155
156		if (GetModuleFileNameEx(hProcess, NULL, buffer, sizeof(buffer) / sizeof(char)))
157		{
158		path = string(buffer);
159		}
160		else {
161		MessageBox(NULL, "Failed to get process path.", "Error", MB_ICONERROR);
162		}
163
164		return path;
165		}
166
167		DWORD WINAPI MainThread(PVOID p)
168		{
169		MessageBox(NULL, "Main thread called.", "Information", MB_ICONINFORMATION);
170
171		string path = GetProcessPath(GetProcessesByName("Spotify.exe"));
172		MessageBox(NULL, path.c_str(), "Information", MB_ICONINFORMATION);
173		// Calling GetProcessPath() here crashes the slave process cause of using string without runtime library
174
175		bool MAIN_THREAD = true;
176
177		while (MAIN_THREAD)
178		{
179
180		if (GetAsyncKeyState(VK_ESCAPE) & 0x8000)
181		{
182		MessageBox(NULL, "Main thread closed!", "Information", MB_ICONINFORMATION);
183		MAIN_THREAD = false;
184		}
185
186		Sleep(1);
187
188		}
189
190		return 0;
191		}
192
193		int main()
194		{
195		//string path = GetProcessPath(GetProcessesByName("Spotify.exe"));
196		//MessageBox(NULL, path.c_str(), "Information", MB_ICONINFORMATION);
197		// Calling GetProcessPath() here works fine, because of runtime library still valid
198		Inject(GetProcessesByName("Spotify.exe"), MainThread);
199
200		return EXIT_SUCCESS;
201		}