Computer Fun: DLL Injector

http://computertricks168.blogspot.com.br/2014/04/dll-inj...
Computer Fun
Sunday, April 27, 2014

DLL Injector
This tool's source code is mainly copied from the book Windows via C/C++. It has some bugs,
especially the string memory allocation.
Here's the code:
#include <Windows.h>
#include <TlHelp32.h>
#include <iostream>
#include <string>
#include <cstring>

using namespace std;

// Forward declarations: both helpers are defined below main(), so without
// these the original did not compile.
// Build as an ANSI (non-UNICODE) project: the code uses char strings,
// LoadLibraryA and the char version of PROCESSENTRY32/lstrcmpi.
BOOL InjectLib(DWORD dwProcessId, const char* pszLibFile);
DWORD GetTargetProcessIdFromProcname(const char* procName);

int main()
{
    cout << "DLL Injector.....by Gnix\n\n";

    // std::string instead of fixed char[30]/char[100] buffers: the original
    // overflowed on long input (the "string memory allocation" bug).
    string program;
    cout << "Enter Process name:\n";
    getline(cin, program);

    DWORD pid = GetTargetProcessIdFromProcname(program.c_str());
    cout << "Pid:" << pid << "\n";
    if (pid == 0)
    {
        cout << "Process not found!\n";
        return 1;
    }

    string path;
    cout << "Enter a DLL path:\n";
    getline(cin, path);   // getline keeps paths that contain spaces

    BOOL ok = InjectLib(pid, path.c_str());
    if (ok)
        cout << "Injection success!\n";
    else
        cout << "Injection failed!\n";

    // wait for a keypress so the console window stays open
    int i;
    cin >> i;
    return 0;
}
///////////////////////////////////////////////////////
BOOL InjectLib(DWORD dwProcessId, const char* pszLibFile)
{
    BOOL bOK = FALSE;                          // assume that the function fails
    HANDLE hProcess = NULL, hThread = NULL;
    PSTR pszLibFileRemote = NULL;
    LPTHREAD_START_ROUTINE pfnThreadRtn = NULL;
    int cb = 0;

    // Adjust token privileges so that system processes can be opened
    HANDLE hToken;
    TOKEN_PRIVILEGES tkp;
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid);
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL);
        CloseHandle(hToken);
    }

    // Get a handle for the target process
    hProcess = OpenProcess(
        PROCESS_QUERY_INFORMATION |   // required by Alpha (kept from the book)
        PROCESS_CREATE_THREAD |       // for CreateRemoteThread
        PROCESS_VM_OPERATION |        // for VirtualAllocEx / VirtualFreeEx
        PROCESS_VM_WRITE,             // for WriteProcessMemory
        FALSE, dwProcessId);
    if (hProcess == NULL)
        goto cleanup;

    // Calculate the number of bytes needed for the DLL's pathname (with NUL)
    cb = (int)((1 + strlen(pszLibFile)) * sizeof(char));

    // Allocate space in the remote process for the pathname
    pszLibFileRemote = (PSTR)VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
    if (pszLibFileRemote == NULL)
        goto cleanup;

    // Copy the DLL's pathname into the remote process's address space
    if (!WriteProcessMemory(hProcess, pszLibFileRemote, (PVOID)pszLibFile, cb, NULL))
        goto cleanup;

    // Get the address of LoadLibraryA in kernel32.dll. It is resolved in this
    // process and reused in the target, which only works because kernel32.dll
    // is mapped at the same base address in every process of the same bitness.
    pfnThreadRtn = (LPTHREAD_START_ROUTINE)
        GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
    if (pfnThreadRtn == NULL)
        goto cleanup;

    // Create a remote thread that calls LoadLibraryA(DllPathname)
    hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, pszLibFileRemote, 0, NULL);
    if (hThread == NULL)
        goto cleanup;

    // Wait for the remote thread to terminate
    WaitForSingleObject(hThread, INFINITE);
    bOK = TRUE;   // everything executed successfully

cleanup:
    // Free the remote memory that held the DLL's pathname and close the handles.
    // The original returned early on each failure without this, leaking them.
    if (pszLibFileRemote != NULL)
        VirtualFreeEx(hProcess, pszLibFileRemote, 0, MEM_RELEASE);
    if (hThread != NULL)
        CloseHandle(hThread);
    if (hProcess != NULL)
        CloseHandle(hProcess);

    return bOK;
}
////////////////////////////////////////////////////////////
DWORD GetTargetProcessIdFromProcname(const char* procName)
{
    DWORD dwRet = 0;
    HANDLE hsnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hsnapshot == INVALID_HANDLE_VALUE)
        return dwRet;

    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(PROCESSENTRY32);
    if (Process32First(hsnapshot, &pe32))
    {
        do
        {
            // case-insensitive compare of the image name, e.g. "notepad.exe"
            if (lstrcmpi(pe32.szExeFile, procName) == 0)
            {
                dwRet = pe32.th32ProcessID;
                break;
            }
        } while (Process32Next(hsnapshot, &pe32));
    }
    CloseHandle(hsnapshot);
    return dwRet;
}
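As an added example (not code from the post or from the book), here is the OpenProcess access mask above seen from the defender's side: a small, portable C program that decodes the rights a process-access event reports and flags any event whose granted mask contains the three rights the injector needs (create thread, VM operation, VM write). The constants are the Windows SDK values; the event lines are constructed, with field names modelled on Sysmon Event ID 10 (ProcessAccess).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Process access rights, values as in the Windows SDK (winnt.h). */
#define PROCESS_CREATE_THREAD     0x0002u
#define PROCESS_VM_OPERATION      0x0008u
#define PROCESS_VM_WRITE          0x0020u
#define PROCESS_QUERY_INFORMATION 0x0400u
/* Exactly the mask the injector above passes to OpenProcess (0x042A). */
#define INJECTOR_MASK (PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD | \
                       PROCESS_VM_OPERATION | PROCESS_VM_WRITE)
/* Rights that together let a caller write into a process and start a thread
   there; any granted mask containing all three is injection-capable. */
#define INJECT_CAPABLE (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE)
int is_injection_capable(uint32_t granted)
{
    return (granted & INJECT_CAPABLE) == INJECT_CAPABLE;
}
/* Extracts "GrantedAccess: 0x..." from an event line; 0 if absent/malformed. */
uint32_t granted_access_of(const char *line)
{
    static const char key[] = "GrantedAccess: ";
    const char *p = strstr(line, key);
    if (p == NULL) return 0;
    p += strlen(key);
    char *end;
    unsigned long v = strtoul(p, &end, 16);   /* base 16 accepts a 0x prefix */
    return end == p ? 0 : (uint32_t)v;
}
/* Constructed sample events; field names modelled on Sysmon Event ID 10. */
static const char *const SAMPLE_EVENTS[] = {
    "SourceImage: C:\\Users\\u\\injector.exe TargetImage: C:\\Windows\\notepad.exe GrantedAccess: 0x42A",
    "SourceImage: C:\\Windows\\System32\\taskmgr.exe TargetImage: C:\\Windows\\notepad.exe GrantedAccess: 0x1410",
    "SourceImage: C:\\tools\\debugger.exe TargetImage: C:\\app\\svc.exe GrantedAccess: 0x1FFFFF",
};
#define SAMPLE_COUNT (sizeof SAMPLE_EVENTS / sizeof SAMPLE_EVENTS[0])
/* Prints an alert for every injection-capable event and returns the count. */
int scan_events(const char *const *events, size_t n)
{
    int flagged = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_injection_capable(granted_access_of(events[i]))) { flagged++; printf("ALERT: %s\n", events[i]); }
    }
    return flagged;
}
```

A full-access mask such as 0x1FFFFF (PROCESS_ALL_ACCESS, as a debugger requests) also matches, so in practice this rule is paired with an allow-list of known source images.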

Posted by Xing Hua Guan at 10:08 AM

Labels: C programming
