1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135
|
#include <windows.h>
#include <iostream>
#include <fstream>
#include <stdlib.h>
#include <tlhelp32.h>
typedef int (WINAPI* MsgBoxParam)(HWND, LPCSTR, LPCSTR, UINT);
using namespace std;
struct PARAMETERS{
DWORD MessageBoxInj;
char text[50];
char caption[25];
int buttons;
// HWND handle;
};
DWORD getPid(string procName);
int privileges();
DWORD myFunc(PARAMETERS * myparam); //(if you use Dev-C++ put static before DWORD)
DWORD Useless(); ////(if you use Dev-C++ put static before DWORD)
int main()
{
privileges();
DWORD pid = getPid("notepad.exe");
if (pid==0) return 1; //error
HANDLE p;
p = OpenProcess(PROCESS_ALL_ACCESS,false,pid);
if (p==NULL) return 1; //error
char * mytext = "Hello by CodeCave!";
char * mycaption = "Injection result";
PARAMETERS data; //let's fill in a PARAMETERS struct
HMODULE user32 = LoadLibrary("User32.dll");
data.MessageBoxInj = (DWORD)GetProcAddress(user32, "MessageBoxA");
strcpy(data.text, mytext);
strcpy(data.caption, mycaption);
data.buttons = MB_OKCANCEL | MB_ICONQUESTION;
DWORD size_myFunc = (PBYTE)Useless - (PBYTE)myFunc; //this gets myFunc's size
//--------now we are ready to inject
LPVOID MyFuncAddress = VirtualAllocEx(p, NULL, size_myFunc, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(p, MyFuncAddress, (void*)myFunc,size_myFunc, NULL);
LPVOID DataAddress = VirtualAllocEx(p,NULL,sizeof(PARAMETERS),MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);
WriteProcessMemory(p, DataAddress, &data, sizeof(PARAMETERS), NULL);
HANDLE thread = CreateRemoteThread(p, NULL, 0, (LPTHREAD_START_ROUTINE)MyFuncAddress, DataAddress, 0, NULL);
if (thread!=0){
//injection completed, not we can wait it to end and free the memory
WaitForSingleObject(thread, INFINITE); //this waits untill thread thread has finished
VirtualFree(MyFuncAddress, 0, MEM_RELEASE); //free myFunc memory
VirtualFree(DataAddress, 0, MEM_RELEASE); //free data memory
CloseHandle(thread);
CloseHandle(p); //don't wait for the thread to finish, just close the handle to the process
cout<<"Injection completed!"<<endl;
}else{
cout<<"Error!"<<endl;
}
system("PAUSE");
return EXIT_SUCCESS;
}
DWORD getPid(string procName){
HANDLE hsnap;
PROCESSENTRY32 pt;
hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
pt.dwSize = sizeof(PROCESSENTRY32);
do{
if(!strcmp(pt.szExeFile, procName.c_str())){
DWORD pid = pt.th32ProcessID;
CloseHandle(hsnap);
return pid;
}
} while(Process32Next(hsnap, &pt));
CloseHandle(hsnap);
return 0;
}
static DWORD myFunc(PARAMETERS * myparam){
MsgBoxParam MsgBox = (MsgBoxParam)myparam->MessageBoxInj;
int result = MsgBox(0, myparam->text, myparam->caption, myparam->buttons);
switch(result){
case IDOK:
//your code
break;
case IDCANCEL:
//your code
break;
}
return 0;
}
static DWORD Useless(){
return 0;
}
//this function is needed to get some extra privileges so your code will be able to work without conflicts with the system
int privileges(){
HANDLE Token;
TOKEN_PRIVILEGES tp;
if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token))
{
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){
return 1; //FAIL
}else{
return 0; //SUCCESS
}
}
return 1;
}
//Note the use of 'static': VisualC++ in debug mode put Useless() before of myFunc() because of
//name order from Z to A, so when we try to calculate the size of my func with
//DWORD size_myFunc = (PBYTE)Useless - (PBYTE) myFunc;
//the result is negative and so when we try the injection the target app crashes.
//So to avoid any problem remember to put 'static' to those functions (adpted to your compiler)
|