Exetools


WorldCrackersUnited 07-30-2016 15:49

Usermode APC Injection
 
By: karman
Credits: The owner of the web "kkamagui.springnote.com"

Hi, this is a modification of a code (Code Injection) that uses QueueUserAPC to inject a dll (it also uses NtMapViewOfSection because some anticheats hook NtWriteVirtualMemory).

Code:

#define _WIN32_WINNT 0x0500
#include <windows.h>
#include <ntdef.h>   /* MinGW header: NTSTATUS, SECTION_INHERIT and ViewShare */
#include <stdio.h>   /* puts, printf */
#include <stdlib.h>  /* system */
#include <string.h>  /* strlen, strcpy */

int APCInject(PCHAR sProcName,PCHAR sDllName){
  int dRet=0;
  //define type and pointer to function (ZeroBits is ULONG_PTR and ViewSize is SIZE_T*, so the prototype also matches on x64)
  typedef NTSTATUS (WINAPI *tNtMapViewOfSection)(HANDLE,HANDLE,LPVOID*,ULONG_PTR,SIZE_T,LARGE_INTEGER*,SIZE_T*,SECTION_INHERIT,ULONG,ULONG);
  tNtMapViewOfSection NtMapViewOfSection=(tNtMapViewOfSection)GetProcAddress(GetModuleHandle("ntdll.dll"),"NtMapViewOfSection");
  if(!NtMapViewOfSection)return -1;
  //create a pagefile-backed section large enough for the dll path
  HANDLE hFile=CreateFileMapping(INVALID_HANDLE_VALUE,NULL,PAGE_READWRITE,0,(DWORD)(strlen(sDllName)+1),NULL);
  if(!hFile)return -2;
  PCHAR hView=(PCHAR)MapViewOfFile(hFile,FILE_MAP_ALL_ACCESS,0,0,0);
  if(!hView){
    CloseHandle(hFile);
    return -3;
  }else//set value to buffer through the local view
    strcpy(hView,sDllName);
  // Starting target process
  PROCESS_INFORMATION pi;STARTUPINFO st;
  ZeroMemory(&pi,sizeof(pi));
  ZeroMemory(&st,sizeof(st));
  st.cb=sizeof(STARTUPINFO);
  //create suspended process
  if(CreateProcess(sProcName,NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&st,&pi)){
    LPVOID RemoteString=NULL;SIZE_T ViewSize=0;
    //map the same section into the new process (read-only view), so no NtWriteVirtualMemory call is needed
    if(NtMapViewOfSection(hFile,pi.hProcess,&RemoteString,0,0,NULL,&ViewSize,ViewShare,0,PAGE_READONLY)==0){
      LPVOID nLoadLibrary=(LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
      //queue LoadLibraryA(RemoteString) as a user-mode APC on the suspended main thread
      if(!nLoadLibrary||!QueueUserAPC((PAPCFUNC)nLoadLibrary,pi.hThread,(ULONG_PTR)RemoteString))
        dRet=-6;
    }else
      dRet=-5;
    ResumeThread(pi.hThread);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
  }else
    dRet=-4;
  UnmapViewOfFile(hView);
  CloseHandle(hFile);
  return dRet;
}

int main(void){
  int dwRet=APCInject("C:\\Games\\Counter-Strike\\hl.exe","C:\\cheat.dll");
  if(!dwRet)
    puts("Injection Ok!");
  else
    printf("Injection fail -> %d!",dwRet);
  system("pause");
  return 0;
}

my site:
http://www.rompiendocodigo.net/

SLV 12-21-2016 10:54

Fails if process doesn't have alertable threads.

deroko 02-14-2017 21:08

Well, in this case the code always works, as prior to execution of NtContinue there is a call to NtTestAlert which will trigger APCs, and also NtContinue, as it is called by LdrInitializeThunk, always has Alertable set to 1, so APCs will always get executed in this example.

aliali 06-05-2017 06:46

InjectProc explains almost the same idea

https://github.com/secrary/InjectProc

Gladiyator 06-05-2017 15:42

Quote:

Originally Posted by aliali (Post 109455)
InjectProc explains almost the same idea

https://github.com/secrary/InjectProc

Thanks for the nice share.
I think it's not working on Windows 10 x64.
Any idea how to fix it?
