- #include <pshpack1.h>
// One x86 instruction with a 32-bit immediate operand: an opcode byte followed
// by four operand bytes (used below for `push imm32` and `call rel32`).
// The pshpack1/poppack pair around this struct removes the padding between
// the two fields, so sizeof(__AsmOp32) is 5 — the stub layout depends on that.
// NOTE(review): the leading "__" makes this a reserved identifier; kept as-is
// because WinExecRemoteCall uses the name.
struct __AsmOp32
{
BYTE Op;     // opcode byte (0x68 push imm32, 0xE8 call rel32)
HANDLE Arg;  // 32-bit immediate / displacement, stored as a pointer-sized value
};
- #include <poppack.h>
// Pointer +/- byte offset, computed in 32-bit DWORD arithmetic (x86 only: the
// (DWORD) casts truncate pointers on a 64-bit build).
// NOTE(review): neither argument is parenthesized, so `(DWORD)y` binds to the
// first token of `y` only.  WinExecRemoteCall relies on this quirk:
// NOFFSET(WinExec, mFunc - (sizeof(__AsmOp32)*3)) expands to
// `(DWORD)WinExec - (DWORD)mFunc - 15`, which is the correct call-rel32
// displacement (target minus end of the call instruction).  Parenthesizing `y`
// here would silently flip that sign, so change the caller before "fixing" the
// macro.
#define OFFSET(x,y) (HANDLE)((DWORD)x + (DWORD)y)
#define NOFFSET(x,y) (HANDLE)((DWORD)x - (DWORD)y)
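// Writes the 16-byte x86 stub  push nShow ; push mArg1 ; call WinExec ; ret
// to mFunc inside hProcess.  Returns FALSE if any WriteProcessMemory call fails.
// pWinExec is the address WinExec has in *this* process; it is reused unchanged
// in the target, so kernel32.dll must be mapped at the same base there.
static BOOL WriteWinExecStub(HANDLE hProcess, HANDLE mFunc, HANDLE mArg1,
                             UINT nShow, FARPROC pWinExec)
{
    const DWORD base = (DWORD)mFunc;   // 32-bit only; see WinExecRemoteCall
    __AsmOp32 op;

    // push imm32 nShow  (WinExec's second argument, pushed first: stdcall)
    op.Op = 0x68;
    op.Arg = (HANDLE)nShow;
    if (!WriteProcessMemory(hProcess, (LPVOID)base, &op, sizeof(op), NULL))
        return FALSE;

    // push imm32 mArg1  (address of the command line inside the target)
    op.Arg = mArg1;
    if (!WriteProcessMemory(hProcess, (LPVOID)(base + sizeof(__AsmOp32)), &op, sizeof(op), NULL))
        return FALSE;

    // call rel32: displacement is relative to the END of the call instruction,
    // i.e. base + 3 * sizeof(__AsmOp32).  Written out explicitly instead of
    // through NOFFSET, whose unparenthesized argument only happened to expand
    // to the right value.
    op.Op = 0xE8;
    op.Arg = (HANDLE)((DWORD)pWinExec - (base + 3 * sizeof(__AsmOp32)));
    if (!WriteProcessMemory(hProcess, (LPVOID)(base + 2 * sizeof(__AsmOp32)), &op, sizeof(op), NULL))
        return FALSE;

    // ret: WinExec (stdcall) has already popped its two arguments, so a plain
    // C3 returns to the thread start thunk with eax = WinExec's return value.
    BYTE retn = 0xC3;
    return WriteProcessMemory(hProcess, (LPVOID)(base + 3 * sizeof(__AsmOp32)), &retn, 1, NULL);
}

// Runs WinExec(Cmd, nShow) inside another process by injecting a small x86
// stub and executing it on a new remote thread.
//
// This is the textbook VirtualAllocEx / WriteProcessMemory / CreateRemoteThread
// injection primitive.  Practitioner caveats:
//   * It is loud: an RWX allocation in a foreign process followed by a remote
//     thread whose start address is outside any module is a standard EDR /
//     Sysmon (event 8) detection.
//   * hProcess needs at least PROCESS_VM_OPERATION | PROCESS_VM_WRITE |
//     PROCESS_CREATE_THREAD (older Windows also wants PROCESS_QUERY_INFORMATION
//     for CreateRemoteThread).
//   * 32-bit only: `push imm32` / `call rel32` and the (DWORD) pointer casts
//     assume a 32-bit injector and a 32-bit target.  A 64-bit build is refused;
//     a 32-bit injector aimed at a 64-bit target is NOT detected here (check
//     with IsWow64Process before calling if that can happen).
//   * WinExec's address is resolved in this process and reused in the target,
//     so kernel32.dll must be mapped at the same base in both.
//   * Cmd is copied as Cmd.Length()+1 bytes and handed to WinExec (LPCSTR), so
//     it must be a narrow string.  NOTE(review): if TString is a wide string on
//     this compiler the copy is half the needed size — confirm.
//
// Parameters:
//   hProcess - target process handle (rights above).
//   Cmd      - command line for WinExec, executed in the target.
//   nShow    - WinExec nCmdShow; defaults to SW_SHOWNORMAL.
// Returns TRUE when the stub ran and WinExec reported success (return > 31),
// FALSE on any API failure (GetLastError() is left as set by the failing
// call).  Remote memory is released on every path except when the remote
// thread could not be confirmed finished, where it is deliberately leaked
// rather than freed out from under running code.
BOOL WinExecRemoteCall(HANDLE hProcess, TString Cmd, UINT nShow = SW_SHOWNORMAL)
{
    // Three 5-byte instructions plus a 1-byte ret.
    const unsigned nFuncSize = sizeof(__AsmOp32) * 3 + 1;
    const unsigned nArg1Size = Cmd.Length() + 1;   // includes the terminator

    if (sizeof(void *) != 4)
        return FALSE;   // the stub and the DWORD casts are x86-only

    HMODULE hKernel32 = GetModuleHandle("kernel32.dll");
    FARPROC pWinExec = hKernel32 ? GetProcAddress(hKernel32, "WinExec") : NULL;
    if (pWinExec == NULL)
        return FALSE;

    // Code page must be executable; the argument page only needs RW.
    HANDLE mFunc = VirtualAllocEx(hProcess, NULL, nFuncSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    HANDLE mArg1 = VirtualAllocEx(hProcess, NULL, nArg1Size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    BOOL ok = FALSE;
    BOOL canRelease = TRUE;

    if (mFunc != NULL && mArg1 != NULL
        && WriteProcessMemory(hProcess, mArg1, Cmd.t_str(), nArg1Size, NULL)
        && WriteWinExecStub(hProcess, mFunc, mArg1, nShow, pWinExec))
    {
        // Start the stub on a new thread in the target.
        HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)mFunc, NULL, 0, NULL);
        if (HANDLE_VALID(hThread))
        {
            if (WaitForSingleObject(hThread, INFINITE) == WAIT_OBJECT_0)
            {
                // The stub returns straight out of WinExec, so the thread's
                // exit code is WinExec's return value (> 31 means success).
                DWORD exitCode = 0;
                ok = GetExitCodeThread(hThread, &exitCode) && exitCode > 31;
            }
            else
            {
                // Cannot tell whether the stub is still executing: leaking the
                // pages is safer than unmapping running code in the target.
                canRelease = FALSE;
            }
            CloseHandle(hThread);
        }
    }

    // MEM_RELEASE requires dwSize == 0; passing the allocation size (as the
    // original did) makes VirtualFreeEx fail with ERROR_INVALID_PARAMETER and
    // leaks both regions in the target.
    if (canRelease)
    {
        if (mArg1 != NULL)
            VirtualFreeEx(hProcess, mArg1, 0, MEM_RELEASE);
        if (mFunc != NULL)
            VirtualFreeEx(hProcess, mFunc, 0, MEM_RELEASE);
    }
    return ok;
}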