Some notes on this code that people should keep in mind:
- On newer versions of Windows (Vista and up) you should avoid using *_ALL_ACCESS flags on any API call that allows it, as the size of the flag has changed and it requires more work to function properly. Instead, you should specify the flags you need for the handle.
- There is little cleanup in this code, so handles and such are being leaked. Once OpenProcess is successful, any return should clean up that handle. The same goes for cleaning up the remote allocated memory, the handle from CreateRemoteThread, etc.
- WriteProcessMemory returns a BOOL value, so comparing against NULL is not really correct.
- After CreateRemoteThread you should be using GetExitCodeThread to determine if the thread was successful in loading the DLL remotely. The exit code should be the base address of where the module was loaded. (It'll hold LoadLibrary's return value.) Alternatively, you can scan for the module in the remote process to determine if it is currently loaded after the thread was created. (However, this will require you to wait until the thread has completed its operation and returned to ensure you do not have a race condition. You can use WaitForSingleObject to wait for the thread handle to be finished.)
Afterward, you should clean up everything that was created successfully during your injection:
- Clean up the remote allocated block of memory.
- Clean up the thread handle.
- Clean up the process handle.
- Clean up anything else that was created, etc.