ZxZ666

Remote WinExec call (cmd from another process)

Feb 21st, 2012
#include <pshpack1.h>
// One "opcode byte + 32-bit immediate" record of the stub that
// WinExecRemoteCall writes into the target process.
// pshpack1.h / poppack.h force 1-byte packing around the definition so the
// record is laid out exactly as it will be executed (no padding between Op
// and Arg). Assumes a 32-bit build: HANDLE must be 4 bytes for Arg to be an
// imm32, which makes the record 5 bytes.
// NOTE(review): identifiers starting with a double underscore are reserved
// for the implementation; the name is left unchanged here for the callers.
struct __AsmOp32
{
    BYTE Op;     // x86 opcode byte
    HANDLE Arg;  // 32-bit immediate: a plain value or a target-process address
};
#include <poppack.h>
// Pointer +/- byte offset, computed through a 32-bit DWORD and cast back to
// HANDLE. Only correct when pointers fit in a DWORD (32-bit build); on 64-bit
// the casts truncate.
// NOTE(review): the arguments are not parenthesized, so an expression passed
// as y is spliced in textually — `NOFFSET(a, b - c)` expands to
// `(DWORD)a - (DWORD)b - c`, not `(DWORD)a - (DWORD)(b - c)`. The caller in
// this file relies on exactly that expansion; parenthesizing these macros
// would change its result.
#define OFFSET(x,y) (HANDLE)((DWORD)x + (DWORD)y)
#define NOFFSET(x,y) (HANDLE)((DWORD)x - (DWORD)y)
// Runs WinExec(Cmd, nShow) inside hProcess by writing a small 32-bit x86 stub
// into that process and starting a remote thread on it.
//
// What the code does: allocates an executable region (mFunc) and a buffer for
// the command string (mArg1) in the target, copies Cmd there, writes three
// __AsmOp32 records — push imm32 (nShow), push imm32 (mArg1), call rel32
// (WinExec) — followed by a ret byte, runs the stub via CreateRemoteThread,
// waits for it to finish, then attempts to free both regions.
//
// NOTE(review): VirtualAllocEx(PAGE_EXECUTE_READWRITE) + WriteProcessMemory +
// CreateRemoteThread into a foreign process is the textbook cross-process
// injection sequence that endpoint monitoring alerts on (private RWX region,
// remote thread whose start address lies outside any loaded module). Because
// the VirtualFreeEx calls at the end do not succeed (see there), the stub and
// the command string also stay mapped in the target for its lifetime — a
// direct memory-forensics artifact.
//
// Parameters:
//   hProcess - target process handle; must already carry the access rights the
//              APIs below need (nothing here checks or reports failure).
//   Cmd      - command line handed to WinExec. TString is a project type;
//              assumed: Length() is the byte length and t_str() yields a
//              NUL-terminated narrow string (WinExec takes LPCSTR) — TODO confirm.
//   nShow    - nCmdShow value for WinExec (defaults to SW_SHOWNORMAL).
// Returns: nothing. No error is reported; every API result except the thread
// handle is ignored.
// Valid only for a 32-bit caller and a 32-bit target: Arg is an imm32 and all
// pointer arithmetic goes through DWORD.
void WinExecRemoteCall(HANDLE hProcess, TString Cmd, UINT nShow = SW_SHOWNORMAL)
{
    // Stub = 3 records + 1 ret byte (16 bytes with 1-byte packing on 32-bit);
    // the argument buffer holds Cmd plus its terminator.
    const unsigned nFuncSize = sizeof(__AsmOp32) * 3 + 1, nArg1Size = Cmd.Length() + 1;
    // Both allocations are unchecked: on failure mFunc/mArg1 are NULL and every
    // later WriteProcessMemory/CreateRemoteThread fails silently.
    HANDLE mFunc = VirtualAllocEx(hProcess, NULL, nFuncSize, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE),
    mArg1 = VirtualAllocEx(hProcess, NULL, nArg1Size, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
    // Copy the command string (including its NUL) into the target; result ignored.
    WriteProcessMemory(hProcess, mArg1, Cmd.t_str(), Cmd.Length() + 1, NULL);
    // Write the function:
    // Record 0 at offset 0: push nShow (WinExec's second argument goes first).
    __AsmOp32 Push;
    Push.Op = 0x68;
    Push.Arg = (HANDLE)nShow;
    WriteProcessMemory(hProcess, mFunc, &Push, sizeof(__AsmOp32), NULL);
    // Record 1 at offset 5: push the target-side address of the command string.
    Push.Arg = mArg1;
    WriteProcessMemory(hProcess, OFFSET(mFunc, sizeof(__AsmOp32)), &Push, sizeof(__AsmOp32), NULL);
    // Record 2 at offset 10: near call with a 32-bit relative displacement.
    __AsmOp32 Call;
    Call.Op = 0xE8;
    // Looked up in this process; unchecked (NULL if not found). Reusing it in
    // the target only works while kernel32.dll is mapped at the same base in
    // both processes — the code does not verify that.
    HANDLE WinExec = GetProcAddress(GetModuleHandle("kernel32.dll"), "WinExec");
    // Displacement relative to the byte after the call, i.e. WinExec - (mFunc + 15).
    // NOTE(review): this evaluates that way only because NOFFSET does not
    // parenthesize its arguments — the expansion is
    // (DWORD)WinExec - (DWORD)mFunc - 15. Parenthesizing the macro's y would
    // make this line subtract from a HANDLE (void*) and change its meaning, so
    // the macro and this line must be changed together, if at all.
    Call.Arg = NOFFSET(WinExec, mFunc - (sizeof(__AsmOp32)*3));
    BYTE RetnOp = 0xC3;  // ret, at offset 15: presumably hands control back to the thread's entry thunk
    WriteProcessMemory(hProcess, OFFSET(mFunc, (sizeof(__AsmOp32)*2)), &Call, sizeof(__AsmOp32), NULL);
    WriteProcessMemory(hProcess, OFFSET(mFunc, (sizeof(__AsmOp32)*3)), &RetnOp, 1, NULL);
    // Create the thread:
    // The start routine is the raw stub address; no parameter is passed.
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)mFunc, NULL, 0, NULL);
    // HANDLE_VALID is a project macro (presumably a NULL/INVALID_HANDLE_VALUE
    // test). If thread creation failed nothing is reported; the function just
    // falls through to the frees.
    if(HANDLE_VALID(hThread))
    {
        // Blocks the caller indefinitely: if WinExec never returns in the
        // target, neither does this function.
        WaitForSingleObject(hThread, INFINITE);
        CloseHandle(hThread);
    }
    // NOTE(review): VirtualFreeEx with MEM_RELEASE requires dwSize == 0; with a
    // non-zero size the call fails with ERROR_INVALID_PARAMETER. The results
    // are ignored, so both regions remain mapped in the target.
    VirtualFreeEx(hProcess, mArg1, nArg1Size, MEM_RELEASE);
    VirtualFreeEx(hProcess, mFunc, nFuncSize, MEM_RELEASE);
}