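/*
 * Classic CreateRemoteThread + LoadLibraryA DLL injector.
 *
 * Usage: injector <PID> <DLL path>
 *
 * Flow: open the target with the rights CreateRemoteThread documents, copy the
 * absolute DLL path (NUL included) into the target, then start a remote thread
 * at kernel32!LoadLibraryA with that buffer as its argument and wait for it.
 *
 * Assumptions worth knowing before relying on this:
 *  - Same bitness: a 64-bit injector cannot drive LoadLibraryA in a 32-bit
 *    target (and vice versa); the address we pass would be meaningless there.
 *  - kernel32 is mapped at the same base in every process of a boot session,
 *    which is what makes the locally resolved export address valid remotely.
 *  - The DLL is opened by the *target*, so it must be reachable from the
 *    target's security context (session, integrity level, ACLs), not just ours.
 */
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/stat.h>

/* Log helpers. `##__VA_ARGS__` (GNU/MSVC extension) drops the comma when no args are given. */
#define warn(msg, ...) printf("[!] - " msg "\n", ##__VA_ARGS__)
#define info(msg, ...) printf("[i] - " msg "\n", ##__VA_ARGS__)
#define done(msg, ...) printf("[+] - " msg "\n", ##__VA_ARGS__)

/*
 * TRUE if `filename` names an existing file-system object (directories included).
 * Purely a local pre-flight check to give a clear error early; the authoritative
 * open happens inside the target process via LoadLibraryA.
 */
static BOOL file_exists(const char *filename)
{
    struct stat st;
    return stat(filename, &st) == 0;
}

/*
 * Parse a decimal PID from the command line.
 * Returns 0 on malformed, negative, out-of-range or zero input; 0 is never a
 * valid injection target, so callers can use it as the error value.
 */
static DWORD parse_pid(const char *text)
{
    char *end = NULL;
    errno = 0;
    unsigned long value = strtoul(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE || value == 0 || value > MAXDWORD) {
        return 0;
    }
    return (DWORD)value;
}

int main(int argc, const char *argv[])
{
    int rc = EXIT_FAILURE;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    LPVOID remotePath = NULL;

    if (argc != 3) {
        warn("Usage: %s <PID> <DLL path>", argv[0]);
        return EXIT_FAILURE;
    }

    DWORD pid = parse_pid(argv[1]);
    if (pid == 0) {
        warn("Invalid PID '%s'. Exiting.", argv[1]);
        return EXIT_FAILURE;
    }

    const char *dllPath = argv[2];
    if (!file_exists(dllPath)) {
        warn("File %s does not exist. Exiting.", dllPath);
        return EXIT_FAILURE;
    }

    /* LoadLibraryA runs in the target, whose working directory is not ours:
     * a relative path would be resolved against the wrong directory (or hijacked
     * through the target's search order), so always hand it an absolute path. */
    char dllFullPath[MAX_PATH];
    DWORD pathLen = GetFullPathNameA(dllPath, MAX_PATH, dllFullPath, NULL);
    if (pathLen == 0 || pathLen >= MAX_PATH) {
        /* 0 = API failure; >= MAX_PATH = the buffer was too small and the result is truncated. */
        warn("Error while getting the full path of dll %s. Exiting.", dllPath);
        return EXIT_FAILURE;
    }
    /* Count the terminating NUL: the remote LoadLibraryA has no other way to know the length.
     * The original allocated/wrote strlen() bytes and only worked because VirtualAllocEx
     * zero-fills the rest of the page. */
    SIZE_T pathBytes = strlen(dllFullPath) + 1;

    /* --------------- GETTING THE HANDLE WITH RIGHT PERMS --------------- */
    info("Getting handle for PID : %lu...", (unsigned long)pid);
    /* The set CreateRemoteThread documents as required; it can fail on some
     * platforms with only CREATE_THREAD | VM_OPERATION | VM_WRITE. */
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                               PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                           FALSE, pid);
    if (hProcess == NULL) {
        /* OpenProcess reports failure with NULL, never INVALID_HANDLE_VALUE. */
        warn("Fatal error: Can't get handle of process %lu. (Is the PID valid ?).\nError code: %lu",
             (unsigned long)pid, (unsigned long)GetLastError());
        return EXIT_FAILURE;
    }
    done("Handle retrieved with correct permissions (CREATE_THREAD, QUERY_INFORMATION, VM_OPERATION, VM_WRITE, VM_READ)");

    /* --------------- ALLOCATING SPACE & WRITING OUR PATH -------------- */
    remotePath = VirtualAllocEx(hProcess, NULL, pathBytes, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (remotePath == NULL) {
        warn("Fatal error: Can't allocate memory in the target.\nError code: %lu",
             (unsigned long)GetLastError());
        goto cleanup;
    }

    SIZE_T bytesWritten = 0;
    if (!WriteProcessMemory(hProcess, remotePath, dllFullPath, pathBytes, &bytesWritten) ||
        bytesWritten != pathBytes) {
        warn("Fatal error: Can't write the DLL path into the target.\nError code: %lu",
             (unsigned long)GetLastError());
        goto cleanup;
    }
    done("Wrote %lu bytes @ 0x%p", (unsigned long)bytesWritten, remotePath);

    /* --------------- STARTING THE REMOTE THREAD WITH OUR DLL PATH --------------- */
    /* Resolve the export through GetProcAddress rather than taking &LoadLibraryA:
     * depending on how the image was linked, the latter can be an import thunk in
     * this executable, which does not exist in the target. */
    HMODULE kernel32 = GetModuleHandleA("kernel32");
    FARPROC loadLibrary = kernel32 ? GetProcAddress(kernel32, "LoadLibraryA") : NULL;
    if (loadLibrary == NULL) {
        warn("Fatal error: Can't resolve kernel32!LoadLibraryA.\nError code: %lu",
             (unsigned long)GetLastError());
        goto cleanup;
    }
    info("LoadLibraryA is @ 0x%p", (void *)loadLibrary);

    /* Deliberate pause so a debugger can be attached to the target before the thread starts. */
    MessageBoxA(NULL, "Ready to inject", "Ready", MB_OK);

    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)loadLibrary,
                                 remotePath, 0, NULL);
    if (hThread == NULL) {
        warn("Fatal error: Can't create remote thread.\nError code: %lu", (unsigned long)GetLastError());
        goto cleanup;
    }
    done("Remote thread started");

    info("Waiting for DLL to execute...");
    WaitForSingleObject(hThread, INFINITE);

    /* The thread's exit code is LoadLibraryA's return value (the HMODULE), truncated to
     * 32 bits on x64. Zero is therefore a reliable failure signal; nonzero is a strong
     * hint of success but not a proof (a base with zero low 32 bits would be misreported). */
    DWORD exitCode = 0;
    if (GetExitCodeThread(hThread, &exitCode) && exitCode != 0) {
        done("DLL injected successfully (LoadLibraryA returned nonzero)");
        rc = EXIT_SUCCESS;
    } else {
        warn("LoadLibraryA returned 0 in the target; check the DLL's architecture, dependencies "
             "and that the target can read %s.", dllFullPath);
    }

    /* --------------- CLEANUP --------------- */
cleanup:
    info("Cleaning up and exiting.");
    /* The path buffer is only needed until LoadLibraryA has consumed it; the
     * thread has finished (or was never created) by the time we get here. */
    if (remotePath != NULL) {
        VirtualFreeEx(hProcess, remotePath, 0, MEM_RELEASE);
    }
    if (hThread != NULL) {
        CloseHandle(hThread);
    }
    CloseHandle(hProcess);
    return rc;
}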