
نسخه‌ی کامل: [C] Process Injection (MessageBox Example)
/*
 * Parameter block copied verbatim into the target process and handed to the
 * injected stub as its thread parameter.  The stub addresses the fields by
 * hard-coded offsets, so the order and sizes below are part of the contract:
 *
 *   szCaption   offset 0x00  (32 bytes)   - MessageBoxA caption, NUL-terminated
 *   szMessage   offset 0x20  (128 bytes)  - MessageBoxA text, NUL-terminated
 *   fMessageBox offset 0xA0               - address of MessageBoxA in the target
 *   fExitThread offset 0xA4               - address of ExitThread in the target
 *
 * The pointer offsets assume a 4-byte FARPROC (32-bit build) and default
 * packing; the stub that consumes this block is x86-only as well.
 */
struct _INJECT
{
    char szCaption[32];
    char szMessage[128];

    FARPROC fMessageBox;
    FARPROC fExitThread;
};

typedef struct _INJECT INJECT;
typedef INJECT *PINJECT, *LPINJECT;

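/*
 * Inject a small x86 stub into the process identified by ulProcessId and run
 * it on a new remote thread.  The stub reads an INJECT block that was copied
 * into the target, calls MessageBoxA(NULL, szMessage, szCaption, 0) and then
 * ExitThread(0).
 *
 * The function returns void: every failure (no access to the target, missing
 * export, allocation/write failure, thread creation failure) is silent, and the
 * error path releases everything acquired up to that point, including the
 * remote allocations.  On success the remote allocations are intentionally left
 * in place: the function does not wait for the remote thread (the message box
 * blocks until dismissed), so freeing them here would race with the stub.
 *
 * Assumptions (not verified here): the target is a 32-bit process, and
 * user32.dll / kernel32.dll are mapped there at the same base as in this
 * process, because the stub calls the absolute addresses resolved below.  That
 * is typically the case for system DLLs within one boot session, but a target
 * that has not loaded user32.dll will crash when the stub runs.
 */
void InjectRemoteCode(unsigned long ulProcessId)
{
    /* By: og__ */

    /*
     * The stub is x86 machine code and hard-codes INJECT field offsets
     * (0x20, 0xA0, 0xA4).  On x64 FARPROC is 8 bytes and neither the offsets
     * nor the instructions match, so refuse to build rather than inject
     * garbage into a target.
     */
#if defined(_WIN64)
#error "InjectRemoteCode: the embedded stub and INJECT offsets are 32-bit only"
#endif

    /* Raw bytes, so sizeof is the exact code length (no trailing NUL to subtract). */
    static const unsigned char szShellcode[] = {
        0x56,                               /* PUSH ESI                                         */
        0x8B, 0x74, 0x24, 0x08,             /* MOV ESI, [ESP+8]   ; ESI = lpParameter (INJECT)  */
        0x6A, 0x00,                         /* PUSH 0             ; uType                       */
        0x8D, 0x46, 0x20,                   /* LEA EAX, [ESI+20h] ; EAX = &szMessage            */
        0x56,                               /* PUSH ESI           ; lpCaption = &szCaption      */
        0x50,                               /* PUSH EAX           ; lpText                      */
        0x6A, 0x00,                         /* PUSH 0             ; hWnd                        */
        0xFF, 0x96, 0xA0, 0x00, 0x00, 0x00, /* CALL [ESI+A0h]     ; fMessageBox                 */
        0x6A, 0x00,                         /* PUSH 0             ; dwExitCode                  */
        0xFF, 0x96, 0xA4, 0x00, 0x00, 0x00, /* CALL [ESI+A4h]     ; fExitThread (never returns) */
        0x5E                                /* POP ESI                                          */
    };

    /* Every resource starts out NULL so the cleanup path is valid from any goto. */
    INJECT inject = {0};
    HMODULE hUser32 = NULL, hKernel32 = NULL;
    HANDLE hProcess = NULL, hThread = NULL;
    void *lpRemoteInfo = NULL, *lpRemoteCode = NULL;
    DWORD dwOldProtect = 0;

    /* Fails (NULL) when the caller lacks these rights on the target. */
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |
                           PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION,
                           FALSE, ulProcessId);
    if (hProcess == NULL)
        goto cleanup;

    /*
     * Explicit ANSI entry points: the literals are narrow strings, so this also
     * builds with UNICODE defined.  LoadLibraryA rather than GetModuleHandleA
     * for user32 because an injector without a GUI may not have it mapped yet,
     * and a NULL module would silently yield NULL function pointers.
     */
    hUser32 = LoadLibraryA("user32.dll");
    hKernel32 = GetModuleHandleA("kernel32.dll");
    if (hUser32 == NULL || hKernel32 == NULL)
        goto cleanup;

    /* Bounded copies that always NUL-terminate; the literals fit either field. */
    lstrcpynA(inject.szCaption, "Message Box", sizeof inject.szCaption);
    lstrcpynA(inject.szMessage, "Hello World!", sizeof inject.szMessage);

    inject.fMessageBox = GetProcAddress(hUser32, "MessageBoxA");
    inject.fExitThread = GetProcAddress(hKernel32, "ExitThread");
    /* A NULL here would make the stub CALL address 0 inside the target and crash it. */
    if (inject.fMessageBox == NULL || inject.fExitThread == NULL)
        goto cleanup;

    /* Parameter block: plain data, read-write is all the stub needs. */
    lpRemoteInfo = VirtualAllocEx(hProcess, NULL, sizeof inject, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (lpRemoteInfo == NULL)
        goto cleanup;
    if (!WriteProcessMemory(hProcess, lpRemoteInfo, &inject, sizeof inject, NULL))
        goto cleanup;

    /*
     * Code: stage it as RW, then flip to RX once written, so no page in the
     * target is ever writable and executable at the same time.
     */
    lpRemoteCode = VirtualAllocEx(hProcess, NULL, sizeof szShellcode, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (lpRemoteCode == NULL)
        goto cleanup;
    if (!WriteProcessMemory(hProcess, lpRemoteCode, szShellcode, sizeof szShellcode, NULL))
        goto cleanup;
    if (!VirtualProtectEx(hProcess, lpRemoteCode, sizeof szShellcode, PAGE_EXECUTE_READ, &dwOldProtect))
        goto cleanup;
    (void)FlushInstructionCache(hProcess, lpRemoteCode, sizeof szShellcode);

    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpRemoteCode, lpRemoteInfo, 0, NULL);
    if (hThread != NULL)
    {
        /* Ownership of both remote regions passes to the running stub (see header). */
        lpRemoteInfo = NULL;
        lpRemoteCode = NULL;
    }

cleanup:
    if (hThread != NULL)
        CloseHandle(hThread);
    /* Non-NULL only on a failure path: nothing in the target references these yet. */
    if (lpRemoteCode != NULL)
        VirtualFreeEx(hProcess, lpRemoteCode, 0, MEM_RELEASE);
    if (lpRemoteInfo != NULL)
        VirtualFreeEx(hProcess, lpRemoteInfo, 0, MEM_RELEASE);
    if (hUser32 != NULL)
        FreeLibrary(hUser32);
    if (hProcess != NULL)
        CloseHandle(hProcess);
}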