#include<Windows.h>
#include<TlHelp32.h>
#include<iostream>
using namespace std;
typedef int (WINAPI* msgparam)(HWND,LPCSTR,LPCSTR,UINT);
typedef NTSTATUS (NTAPI* NTSUSPEND)(HANDLE hProcess);
typedef NTSTATUS (NTAPI* NTRESUME)(HANDLE hProcess);
struct _CODE{
DWORD MessageBoxAddr;
char Title[50];
char Text[60];
int Buttons;
};
DWORD getPid(string procName);
int privileges();
static DWORD Injection(_CODE* sp)
{
msgparam msgbox = (msgparam) sp->MessageBoxAddr;
msgbox(0,sp->Text,sp->Title,sp->Buttons);
return 0;
}
static DWORD stub();
int main()
{
char szFirefoxPath[MAX_PATH];
GetEnvironmentVariable("programfiles",szFirefoxPath,sizeof(szFirefoxPath));
strcat(szFirefoxPath,"\\Mozilla Firefox\\firefox.exe");
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si,sizeof(si));
ZeroMemory(&pi,sizeof(pi));
CreateProcess(0,szFirefoxPath,NULL,NULL,false,CREATE_SUSPENDED,NULL,NULL,&si,&pi);
HANDLE hOpenProcess =pi.hProcess;
if(hOpenProcess == 0) return 1;
_CODE CodeStruct = {0};
CodeStruct.MessageBoxAddr = (DWORD) GetProcAddress(GetModuleHandle("User32.dll"),"MessageBoxA");
CodeStruct.Buttons = MB_OK;
strcpy_s(CodeStruct.Text,"I AM INJECTED");
strcpy_s(CodeStruct.Title,"SUCCESS");
DWORD dwFunctionSize = (PBYTE) stub - (PBYTE) Injection;
LPVOID lpAllocFunc = VirtualAllocEx(pi.hProcess,0,dwFunctionSize,MEM_RESERVE|MEM_COMMIT,PAGE_EXECUTE_READWRITE);
WriteProcessMemory(pi.hProcess,lpAllocFunc,(void*)Injection,dwFunctionSize,0);
LPVOID lpParameterAlloc = VirtualAllocEx(pi.hProcess,0,sizeof(_CODE),MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);
WriteProcessMemory(pi.hProcess,lpParameterAlloc,&CodeStruct,sizeof(_CODE),0);
HANDLE hCreateRemoteThread = CreateRemoteThread(pi.hProcess,0,0,(LPTHREAD_START_ROUTINE)lpAllocFunc,lpParameterAlloc,0,0);
ResumeThread(pi.hThread);
if(hCreateRemoteThread != 0) MessageBox(0,"Injection into the process was successful","Success",MB_ICONINFORMATION);
}
DWORD getPid(string procName){
HANDLE hsnap;
PROCESSENTRY32 pt;
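hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(hsnap == INVALID_HANDLE_VALUE) return 0;
pt.dwSize = sizeof(PROCESSENTRY32);
// Process32First must fill pt before the first comparison; without it pt.szExeFile is uninitialized
if(!Process32First(hsnap, &pt)){
CloseHandle(hsnap);
return 0;
}
do{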
if(!strcmp(pt.szExeFile, procName.c_str())){
DWORD pid = pt.th32ProcessID;
CloseHandle(hsnap);
return pid;
}
} while(Process32Next(hsnap, &pt));
CloseHandle(hsnap);
return 0;
}
int privileges(){
HANDLE Token;
TOKEN_PRIVILEGES tp;
if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token))
{
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){
return 1; //FAIL
}else{
return 0; //SUCCESS
}
}
return 1;
}
static DWORD stub()
{
__asm nop;
}