#include <Windows.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <tchar.h>
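/*
 * Everything the injected ThreadProc needs, shipped into the target process
 * as a single blob. The copied code cannot reach the injector's own string
 * literals or import table, so function addresses and strings travel here.
 *
 * pFunc[0]  address of LoadLibraryA, pFunc[1] address of GetProcAddress,
 *           both taken from the injector's kernel32. Relies on kernel32
 *           being mapped at the same base in the target (same bitness).
 * pStr[0]   module name to load (CodeInjection writes "user32.dll")
 * pStr[1]   export to resolve in it ("MessageBoxA")
 * pStr[2]   text passed to that export ("Code Injected!")
 * pStr[3]   spare row (e.g. a caption). Sized to four rows so that a caller
 *           writing pStr[3] stays inside the struct: with the previous
 *           [3][100] declaration such a write overflowed the stack object.
 *
 * Layout must match between injector and payload; both use this typedef.
 */
typedef struct _THREAD_PARAM {
    FARPROC pFunc[2];
    char pStr[4][100];
} THREAD_PARAM, *PTHREAD_PARAM;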
/* Call-through types for the raw FARPROC values carried in THREAD_PARAM;
   the byte-copied payload has no import table of its own. */
typedef HMODULE(WINAPI* PFLoadLibraryA)(LPCSTR lpLibFileName);
typedef FARPROC(WINAPI* PFGetProcAddress)(HMODULE hModule, LPCSTR lpProcName);
/* NOTE(review): this is WinExec's two-argument signature, but the export
   resolved at runtime is "MessageBoxA" (HWND, LPCSTR, LPCSTR, UINT).
   Calling MessageBoxA through this type passes the wrong arguments and, on
   x86 stdcall, unbalances the stack — confirm which callee is intended. */
typedef UINT(WINAPI* PFWinExec)(LPCSTR lpCmdLine, UINT uCmdShow);
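/*
 * Payload: copied byte-for-byte into the target process and started with
 * CreateRemoteThread. It must therefore be position independent — no string
 * literals, no globals, no CRT calls, nothing that the compiler would turn
 * into an absolute reference (/GS cookies, incremental-link thunks). All of
 * its inputs arrive through the THREAD_PARAM written by CodeInjection:
 * pFunc[0] = LoadLibraryA, pFunc[1] = GetProcAddress, pStr[0] = module name,
 * pStr[1] = export name, pStr[2] = message text.
 *
 * pParam:  remote address of the THREAD_PARAM.
 * Returns: 0 on success, 1 if the module did not load, 2 if the export was
 *          not found (observable via GetExitCodeThread).
 *
 * WINAPI makes the signature match LPTHREAD_START_ROUTINE (stdcall on x86);
 * the previous cdecl declaration was cast to it with a convention mismatch.
 */
DWORD WINAPI ThreadProc(LPVOID pParam) {
    /* Real signature of the export named in pStr[1]. The file-level
       PFWinExec type has two parameters; calling MessageBoxA through it left
       lpCaption/uType unset and, on x86 stdcall, unbalanced the stack. */
    typedef int (WINAPI *PFMessageBoxA)(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);

    PTHREAD_PARAM param = (PTHREAD_PARAM)pParam;

    HMODULE hMod = ((PFLoadLibraryA)param->pFunc[0])(param->pStr[0]);
    if (hMod == NULL) {
        return 1;
    }

    PFMessageBoxA pfnMessageBox =
        (PFMessageBoxA)((PFGetProcAddress)param->pFunc[1])(hMod, param->pStr[1]);
    if (pfnMessageBox == NULL) {
        return 2;
    }

    /* No owner window. A NULL caption makes MessageBoxA use its default
       title; a custom caption would need a fourth THREAD_PARAM string row. */
    pfnMessageBox(NULL, param->pStr[2], NULL, MB_OK);
    return 0;
}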
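/*
 * Copy ThreadProc and its THREAD_PARAM into process dwPID, run ThreadProc
 * on a new remote thread and block until that thread exits.
 *
 * dwPID:   target process id.
 * Returns: TRUE when the remote thread was created and has finished;
 *          FALSE on any failure (a diagnostic is printed). All handles and
 *          remote allocations are released on every path.
 *
 * The remote code is a raw byte copy of ThreadProc whose length is taken as
 * the distance to CodeInjection. That only holds when the toolchain lays
 * ThreadProc out directly before this function with no inlining/ICF, no
 * incremental-link thunks and no /GS instrumentation (Release build), and
 * when injector and target have the same bitness.
 *
 * Changes from the original: the out-of-bounds write to pStr[3] is gone,
 * OpenProcess/WriteProcessMemory results are checked, the code size is
 * computed without truncating pointers on x64, the process is opened with
 * only the rights needed, and the code page is W^X (written as RW, then
 * flipped to RX before execution).
 */
BOOL CodeInjection(DWORD dwPID) {
    BOOL bResult = FALSE;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    LPVOID pRemoteData = NULL;
    LPVOID pRemoteCode = NULL;
    THREAD_PARAM param = { 0, };
    SIZE_T cbWritten = 0;
    SIZE_T cbCode = 0;
    DWORD dwOldProtect = 0;
    ULONG_PTR codeBegin;
    ULONG_PTR codeEnd;

    HMODULE hKernel32 = GetModuleHandleA("kernel32.dll");
    if (hKernel32 == NULL) {
        printf("[-] GetModuleHandleA(kernel32.dll) Error!\n");
        return FALSE;
    }

    /* These addresses are only meaningful in the target if kernel32 is
       mapped at the same base there (same bitness, same boot). */
    param.pFunc[0] = GetProcAddress(hKernel32, "LoadLibraryA");
    param.pFunc[1] = GetProcAddress(hKernel32, "GetProcAddress");
    if (param.pFunc[0] == NULL || param.pFunc[1] == NULL) {
        printf("[-] GetProcAddress() Error!\n");
        return FALSE;
    }
    strcpy_s(param.pStr[0], sizeof(param.pStr[0]), "user32.dll");
    strcpy_s(param.pStr[1], sizeof(param.pStr[1]), "MessageBoxA");
    strcpy_s(param.pStr[2], sizeof(param.pStr[2]), "Code Injected!");
    /* The former strcpy_s into param.pStr[3] ("Alert") wrote past the end of
       a [3][100] array — a stack buffer overflow. ThreadProc never read it. */

    /* Length of ThreadProc = distance to the next function. Computed in
       ULONG_PTR so the 64-bit addresses are not truncated to DWORD first. */
    codeBegin = (ULONG_PTR)ThreadProc;
    codeEnd = (ULONG_PTR)CodeInjection;
    if (codeEnd <= codeBegin) {
        printf("[-] ThreadProc is not laid out before CodeInjection; cannot size the code!\n");
        return FALSE;
    }
    cbCode = (SIZE_T)(codeEnd - codeBegin);

    /* Least privilege: exactly the rights VirtualAllocEx/VirtualProtectEx,
       WriteProcessMemory and CreateRemoteThread require. */
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                           FALSE, dwPID);
    if (hProcess == NULL) {
        printf("[-] OpenProcess(%lu) Error! (%lu)\n", dwPID, GetLastError());
        return FALSE;
    }

    pRemoteData = VirtualAllocEx(hProcess, NULL, sizeof(param),
                                 MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pRemoteData == NULL) {
        printf("[-] Data Size Allocation Failed!\n");
        goto cleanup;
    }
    printf("[*] Data Size Allocated!\n");

    if (!WriteProcessMemory(hProcess, pRemoteData, &param, sizeof(param), &cbWritten) ||
        cbWritten != sizeof(param)) {
        printf("[-] Writing Data Failed!\n");
        goto cleanup;
    }
    printf("[*] Data was written in Memory!\n");

    /* Code lands in its own pages: data stays non-executable throughout. */
    pRemoteCode = VirtualAllocEx(hProcess, NULL, cbCode,
                                 MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pRemoteCode == NULL) {
        printf("[-] Code Size Allocation Failed!\n");
        goto cleanup;
    }
    printf("[*] Code Size Allocated!\n");

    if (!WriteProcessMemory(hProcess, pRemoteCode, (LPCVOID)ThreadProc, cbCode, &cbWritten) ||
        cbWritten != cbCode) {
        printf("[-] Writing Code Failed!\n");
        goto cleanup;
    }
    printf("[*] Code was written in Memory!\n");

    /* W^X: the page becomes executable only once nothing writes to it. */
    if (!VirtualProtectEx(hProcess, pRemoteCode, cbCode, PAGE_EXECUTE_READ, &dwOldProtect)) {
        printf("[-] VirtualProtectEx() Error! (%lu)\n", GetLastError());
        goto cleanup;
    }

    hThread = CreateRemoteThread(hProcess, NULL, 0,
                                 (LPTHREAD_START_ROUTINE)pRemoteCode, pRemoteData, 0, NULL);
    if (hThread == NULL) {
        printf("[-] CreateRemoteThread() Error! (%lu)\n", GetLastError());
        goto cleanup;
    }
    printf("[*] Injected!\n");

    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    bResult = TRUE;

cleanup:
    /* Releasing the remote pages is safe here: either the thread was never
       started or it has already exited (WaitForSingleObject above). */
    if (pRemoteCode != NULL) {
        VirtualFreeEx(hProcess, pRemoteCode, 0, MEM_RELEASE);
    }
    if (pRemoteData != NULL) {
        VirtualFreeEx(hProcess, pRemoteData, 0, MEM_RELEASE);
    }
    CloseHandle(hProcess);
    return bResult;
}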
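/*
 * Entry point: parse the target PID from argv[1] and run CodeInjection.
 *
 * Returns: 0 when the injection reported success, 1 when CodeInjection
 *          failed, -1 on bad usage or an unparsable PID.
 *
 * strtoul replaces atol so that trailing garbage, negative numbers and
 * out-of-range input are rejected instead of silently becoming some other
 * PID (atol("abc") is 0, which OpenProcess would then try to open).
 */
int main(int argc, char *argv[]) {
    char *end = NULL;
    unsigned long pid;

    if (argc != 2) {
        printf(" Usage : %s [ PID ]\n", argv[0]);
        return -1;
    }

    errno = 0;
    pid = strtoul(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE ||
        argv[1][0] == '-' || pid == 0 || pid > MAXDWORD) {
        printf("[-] Invalid PID: %s\n", argv[1]);
        return -1;
    }

    /* Surface the result as the process exit code instead of dropping it. */
    if (!CodeInjection((DWORD)pid)) {
        return 1;
    }
    return 0;
}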