├── .gitattributes
├── .gitignore
├── Img
├── findKeSuspendThread.PNG
└── pattern.PNG
├── README.MD
├── TestDLL
├── Dllmain.cpp
├── TestDLL.vcxproj
└── TestDLL.vcxproj.filters
├── TestDriver.sln
├── TestDriver
├── ApcInject.cpp
├── ApcInject.h
├── EipInject.cpp
├── EipInject.h
├── PeHelper.cpp
├── PeHelper.h
├── TestDriver.inf
├── TestDriver.vcxproj
├── TestDriver.vcxproj.filters
├── filehelp.cpp
├── filehelp.h
├── main.cpp
├── utils.cpp
└── utils.h
└── TestExE
├── TestExE.cpp
├── TestExE.vcxproj
└── TestExE.vcxproj.filters
/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
9 | # This is needed for earlier builds of msysgit that do not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Ww][Ii][Nn]32/
27 | [Aa][Rr][Mm]/
28 | [Aa][Rr][Mm]64/
29 | bld/
30 | [Bb]in/
31 | [Oo]bj/
32 | [Oo]ut/
33 | [Ll]og/
34 | [Ll]ogs/
35 |
36 | # Visual Studio 2015/2017 cache/options directory
37 | .vs/
38 | # Uncomment if you have tasks that create the project's static files in wwwroot
39 | #wwwroot/
40 |
41 | # Visual Studio 2017 auto generated files
42 | Generated\ Files/
43 |
44 | # MSTest test Results
45 | [Tt]est[Rr]esult*/
46 | [Bb]uild[Ll]og.*
47 |
48 | # NUnit
49 | *.VisualState.xml
50 | TestResult.xml
51 | nunit-*.xml
52 |
53 | # Build Results of an ATL Project
54 | [Dd]ebugPS/
55 | [Rr]eleasePS/
56 | dlldata.c
57 |
58 | # Benchmark Results
59 | BenchmarkDotNet.Artifacts/
60 |
61 | # .NET Core
62 | project.lock.json
63 | project.fragment.lock.json
64 | artifacts/
65 |
66 | # ASP.NET Scaffolding
67 | ScaffoldingReadMe.txt
68 |
69 | # StyleCop
70 | StyleCopReport.xml
71 |
72 | # Files built by Visual Studio
73 | *_i.c
74 | *_p.c
75 | *_h.h
76 | *.ilk
77 | *.meta
78 | *.obj
79 | *.iobj
80 | *.pch
81 | *.pdb
82 | *.ipdb
83 | *.pgc
84 | *.pgd
85 | *.rsp
86 | *.sbr
87 | *.tlb
88 | *.tli
89 | *.tlh
90 | *.tmp
91 | *.tmp_proj
92 | *_wpftmp.csproj
93 | *.log
94 | *.vspscc
95 | *.vssscc
96 | .builds
97 | *.pidb
98 | *.svclog
99 | *.scc
100 |
101 | # Chutzpah Test files
102 | _Chutzpah*
103 |
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 |
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 |
121 | # Visual Studio Trace Files
122 | *.e2e
123 |
124 | # TFS 2012 Local Workspace
125 | $tf/
126 |
127 | # Guidance Automation Toolkit
128 | *.gpState
129 |
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 |
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 |
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 |
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 |
145 | # Coverlet is a free, cross platform Code Coverage Tool
146 | coverage*.json
147 | coverage*.xml
148 | coverage*.info
149 |
150 | # Visual Studio code coverage results
151 | *.coverage
152 | *.coveragexml
153 |
154 | # NCrunch
155 | _NCrunch_*
156 | .*crunch*.local.xml
157 | nCrunchTemp_*
158 |
159 | # MightyMoose
160 | *.mm.*
161 | AutoTest.Net/
162 |
163 | # Web workbench (sass)
164 | .sass-cache/
165 |
166 | # Installshield output folder
167 | [Ee]xpress/
168 |
169 | # DocProject is a documentation generator add-in
170 | DocProject/buildhelp/
171 | DocProject/Help/*.HxT
172 | DocProject/Help/*.HxC
173 | DocProject/Help/*.hhc
174 | DocProject/Help/*.hhk
175 | DocProject/Help/*.hhp
176 | DocProject/Help/Html2
177 | DocProject/Help/html
178 |
179 | # Click-Once directory
180 | publish/
181 |
182 | # Publish Web Output
183 | *.[Pp]ublish.xml
184 | *.azurePubxml
185 | # Note: Comment the next line if you want to checkin your web deploy settings,
186 | # but database connection strings (with potential passwords) will be unencrypted
187 | *.pubxml
188 | *.publishproj
189 |
190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
191 | # checkin your Azure Web App publish settings, but sensitive information contained
192 | # in these scripts will be unencrypted
193 | PublishScripts/
194 |
195 | # NuGet Packages
196 | *.nupkg
197 | # NuGet Symbol Packages
198 | *.snupkg
199 | # The packages folder can be ignored because of Package Restore
200 | **/[Pp]ackages/*
201 | # except build/, which is used as an MSBuild target.
202 | !**/[Pp]ackages/build/
203 | # Uncomment if necessary; generally it will be regenerated when needed
204 | #!**/[Pp]ackages/repositories.config
205 | # NuGet v3's project.json files produce more ignorable files
206 | *.nuget.props
207 | *.nuget.targets
208 |
209 | # Microsoft Azure Build Output
210 | csx/
211 | *.build.csdef
212 |
213 | # Microsoft Azure Emulator
214 | ecf/
215 | rcf/
216 |
217 | # Windows Store app package directories and files
218 | AppPackages/
219 | BundleArtifacts/
220 | Package.StoreAssociation.xml
221 | _pkginfo.txt
222 | *.appx
223 | *.appxbundle
224 | *.appxupload
225 |
226 | # Visual Studio cache files
227 | # files ending in .cache can be ignored
228 | *.[Cc]ache
229 | # but keep track of directories ending in .cache
230 | !?*.[Cc]ache/
231 |
232 | # Others
233 | ClientBin/
234 | ~$*
235 | *~
236 | *.dbmdl
237 | *.dbproj.schemaview
238 | *.jfm
239 | *.pfx
240 | *.publishsettings
241 | orleans.codegen.cs
242 |
243 | # Including strong name files can present a security risk
244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
245 | #*.snk
246 |
247 | # Since there are multiple workflows, uncomment next line to ignore bower_components
248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
249 | #bower_components/
250 |
251 | # RIA/Silverlight projects
252 | Generated_Code/
253 |
254 | # Backup & report files from converting an old project file
255 | # to a newer Visual Studio version. Backup files are not needed,
256 | # because we have git ;-)
257 | _UpgradeReport_Files/
258 | Backup*/
259 | UpgradeLog*.XML
260 | UpgradeLog*.htm
261 | ServiceFabricBackup/
262 | *.rptproj.bak
263 |
264 | # SQL Server files
265 | *.mdf
266 | *.ldf
267 | *.ndf
268 |
269 | # Business Intelligence projects
270 | *.rdl.data
271 | *.bim.layout
272 | *.bim_*.settings
273 | *.rptproj.rsuser
274 | *- [Bb]ackup.rdl
275 | *- [Bb]ackup ([0-9]).rdl
276 | *- [Bb]ackup ([0-9][0-9]).rdl
277 |
278 | # Microsoft Fakes
279 | FakesAssemblies/
280 |
281 | # GhostDoc plugin setting file
282 | *.GhostDoc.xml
283 |
284 | # Node.js Tools for Visual Studio
285 | .ntvs_analysis.dat
286 | node_modules/
287 |
288 | # Visual Studio 6 build log
289 | *.plg
290 |
291 | # Visual Studio 6 workspace options file
292 | *.opt
293 |
294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
295 | *.vbw
296 |
297 | # Visual Studio LightSwitch build output
298 | **/*.HTMLClient/GeneratedArtifacts
299 | **/*.DesktopClient/GeneratedArtifacts
300 | **/*.DesktopClient/ModelManifest.xml
301 | **/*.Server/GeneratedArtifacts
302 | **/*.Server/ModelManifest.xml
303 | _Pvt_Extensions
304 |
305 | # Paket dependency manager
306 | .paket/paket.exe
307 | paket-files/
308 |
309 | # FAKE - F# Make
310 | .fake/
311 |
312 | # CodeRush personal settings
313 | .cr/personal
314 |
315 | # Python Tools for Visual Studio (PTVS)
316 | __pycache__/
317 | *.pyc
318 |
319 | # Cake - Uncomment if you are using it
320 | # tools/**
321 | # !tools/packages.config
322 |
323 | # Tabs Studio
324 | *.tss
325 |
326 | # Telerik's JustMock configuration file
327 | *.jmconfig
328 |
329 | # BizTalk build output
330 | *.btp.cs
331 | *.btm.cs
332 | *.odx.cs
333 | *.xsd.cs
334 |
335 | # OpenCover UI analysis results
336 | OpenCover/
337 |
338 | # Azure Stream Analytics local run output
339 | ASALocalRun/
340 |
341 | # MSBuild Binary and Structured Log
342 | *.binlog
343 |
344 | # NVidia Nsight GPU debugger configuration file
345 | *.nvuser
346 |
347 | # MFractors (Xamarin productivity tool) working folder
348 | .mfractor/
349 |
350 | # Local History for Visual Studio
351 | .localhistory/
352 |
353 | # BeatPulse healthcheck temp database
354 | healthchecksdb
355 |
356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
357 | MigrationBackup/
358 |
359 | # Ionide (cross platform F# VS Code tools) working folder
360 | .ionide/
361 |
362 | # Fody - auto-generated XML schema
363 | FodyWeavers.xsd
--------------------------------------------------------------------------------
/Img/findKeSuspendThread.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ccdescipline/CInject/3f12e270862e5ba23cf9ca2eed34a8b85faf0518/Img/findKeSuspendThread.PNG
--------------------------------------------------------------------------------
/Img/pattern.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ccdescipline/CInject/3f12e270862e5ba23cf9ca2eed34a8b85faf0518/Img/pattern.PNG
--------------------------------------------------------------------------------
/README.MD:
--------------------------------------------------------------------------------
1 | # Cinject
2 |
3 | Cinject is a project that performs DLL injection from the Windows kernel. Its distinguishing feature is that it leaves no module and no thread behind: it manually maps ("stretches") the PE into the remote process instead of loading a module, and instead of creating a thread it hijacks an existing one, either via APC or via SuspendThread plus replacing the RIP register. The runtime environment was tested on 1909. To run on other versions you need to find and update the byte-pattern signatures of `KeSuspendThread` and `KeResumeThread` and adjust the `OFFSET_KTRAP_FRAME` offset; I explain how to do both below. The injected DLL also has a requirement: build it with Properties → Code Generation → Runtime Library set to Multi-threaded (MT). In short, every other DLL in the injected DLL's import table must already exist in the target process!
4 |
5 |
6 |
7 | ## Objectives
8 |
9 | Tested so far: Apex Legends, protected by EAC, can be injected on 1909 (OS version 18363)
10 |
11 |
12 |
13 | ## How to find KeSuspendThread and KeResumeThread?
14 |
15 | Open `windbg` as an administrator on the target system, start `Kernel Debug`, and enter `u KeSuspendThread` to see the address and disassembly of KeSuspendThread; record its byte-pattern signature. Do the same for KeResumeThread (`u KeResumeThread`). Finally, update the signatures in the `FindKeSuspendThread` and `FindKeResumeThread` functions in `EipInject.cpp`.
16 |
17 |
18 |
19 | ## How to modify OFFSET_KTRAP_FRAME?
20 |
21 | It is in `EipInject.h`. As above, start windbg as an administrator with kernel debugging enabled, type `dt _KTHREAD`, read off the offset of the `_KTRAP_FRAME` member, and update the define accordingly.
22 |
23 |
24 |
25 | ## Switch APC and EIP modes
26 |
27 | In the `injectDll` function, you can use `APCExecuteFunction` or `EipExcuteFuntion` to switch between the different execution methods.
28 |
29 | # Cinject
30 | Cinject 是在windows内核执行dll注入的一个项目,特点是无模块和无线程,使用远程拉伸pe实现无模块,使用APC 或 SuspendThread 替换Rip寄存器劫持线程实现无线程,运行环境在1909得到测试,如想在其他版本运行,需要修改寻找 `KeSuspendThread` 和 `KeResumeThread` 函数特征码和 `OFFSET_KTRAP_FRAME` 的偏移,我会在下文告诉大家如何修改。注入的dll也有要求,属性->代码生成->运行库 多线程MT。简单来说就是该dll的导入表里的其他dll模块在目标进程里也必须存在!
31 |
32 | ## 目标
33 | 暂时测试可以注入受EAC 保护的 Apex legends 在 1909(Os version 18363)
34 |
35 | ## 怎样寻找 KeSuspendThread 和 KeResumeThread?
36 | 您需要在目标系统中以管理员方式打开 `windbg` 开启 `Kernel Debug` 输入 ` u KeSuspendThread `即可查看 KeSuspendThread 函数地址和反汇编,记录下特征码即可,KeResumeThread 也是如此 `u KeResumeThread ` ,最后在EipInject.cpp修改`FindKeSuspendThread` 和 `FindKeResumeThread`函数里的特征码即可。
37 |
38 | 根据找到的函数查看反汇编,更新特征码,如图
39 | 
40 |
41 |
42 | ## 怎样修改 OFFSET_KTRAP_FRAME?
43 | 它在` EipInject.h `中 同上,也需要windbg管理员启动并开启内核调试,键入 `dt _KTHREAD` 查看 `_KTRAP_FRAME`的偏移,修改即可
44 |
45 | ## 切换APC 和 EIP 方式
46 | 在` injectDll `函数中,你可以使用 `APCExecuteFunction` 或`EipExcuteFuntion` 切换不同的执行方式
47 |
--------------------------------------------------------------------------------
/TestDLL/Dllmain.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ccdescipline/CInject/3f12e270862e5ba23cf9ca2eed34a8b85faf0518/TestDLL/Dllmain.cpp
--------------------------------------------------------------------------------
/TestDLL/TestDLL.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {d7f5d8a7-b74d-414f-a592-c5bed839cc9d}
25 | TestDLL
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | DynamicLibrary
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | DynamicLibrary
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | false
78 |
79 |
80 | true
81 |
82 |
83 | false
84 |
85 |
86 |
87 | Level3
88 | true
89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
90 | true
91 |
92 |
93 | Console
94 | true
95 |
96 |
97 |
98 |
99 | Level3
100 | true
101 | true
102 | true
103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
104 | true
105 |
106 |
107 | Console
108 | true
109 | true
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
118 | true
119 |
120 |
121 | Console
122 | true
123 |
124 |
125 |
126 |
127 | Level3
128 | true
129 | true
130 | true
131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
132 | true
133 | MultiThreaded
134 |
135 |
136 | Console
137 | true
138 | true
139 | true
140 | false
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
--------------------------------------------------------------------------------
/TestDLL/TestDLL.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 资源文件
20 |
21 |
22 |
--------------------------------------------------------------------------------
/TestDriver.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.32802.440
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TestDriver", "TestDriver\TestDriver.vcxproj", "{8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}"
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TestExE", "TestExE\TestExE.vcxproj", "{3EAC6C78-CD95-4975-91AC-A11D9A1AF1F9}"
9 | EndProject
10 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TestDLL", "TestDLL\TestDLL.vcxproj", "{D7F5D8A7-B74D-414F-A592-C5BED839CC9D}"
11 | EndProject
12 | Global
13 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
14 | Debug|ARM = Debug|ARM
15 | Debug|ARM64 = Debug|ARM64
16 | Debug|x64 = Debug|x64
17 | Debug|x86 = Debug|x86
18 | Release|ARM = Release|ARM
19 | Release|ARM64 = Release|ARM64
20 | Release|x64 = Release|x64
21 | Release|x86 = Release|x86
22 | EndGlobalSection
23 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
24 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Debug|ARM.ActiveCfg = Debug|ARM
25 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Debug|ARM.Build.0 = Debug|ARM
26 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Debug|ARM.Deploy.0 = Debug|ARM
27 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Debug|ARM64.ActiveCfg = Debug|ARM64
28 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Debug|ARM64.Build.0 = Debug|ARM64
29 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Debug|ARM64.Deploy.0 = Debug|ARM64
30 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Debug|x64.ActiveCfg = Debug|x64
31 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Debug|x64.Build.0 = Debug|x64
32 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Debug|x64.Deploy.0 = Debug|x64
33 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Debug|x86.ActiveCfg = Debug|Win32
34 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Debug|x86.Build.0 = Debug|Win32
35 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Debug|x86.Deploy.0 = Debug|Win32
36 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Release|ARM.ActiveCfg = Release|ARM
37 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Release|ARM.Build.0 = Release|ARM
38 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Release|ARM.Deploy.0 = Release|ARM
39 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Release|ARM64.ActiveCfg = Release|ARM64
40 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Release|ARM64.Build.0 = Release|ARM64
41 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Release|ARM64.Deploy.0 = Release|ARM64
42 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Release|x64.ActiveCfg = Release|x64
43 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Release|x64.Build.0 = Release|x64
44 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Release|x64.Deploy.0 = Release|x64
45 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Release|x86.ActiveCfg = Release|Win32
46 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Release|x86.Build.0 = Release|Win32
47 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}.Release|x86.Deploy.0 = Release|Win32
48 | {3EAC6C78-CD95-4975-91AC-A11D9A1AF1F9}.Debug|ARM.ActiveCfg = Debug|Win32
49 | {3EAC6C78-CD95-4975-91AC-A11D9A1AF1F9}.Debug|ARM64.ActiveCfg = Debug|Win32
50 | {3EAC6C78-CD95-4975-91AC-A11D9A1AF1F9}.Debug|x64.ActiveCfg = Debug|x64
51 | {3EAC6C78-CD95-4975-91AC-A11D9A1AF1F9}.Debug|x64.Build.0 = Debug|x64
52 | {3EAC6C78-CD95-4975-91AC-A11D9A1AF1F9}.Debug|x86.ActiveCfg = Debug|Win32
53 | {3EAC6C78-CD95-4975-91AC-A11D9A1AF1F9}.Debug|x86.Build.0 = Debug|Win32
54 | {3EAC6C78-CD95-4975-91AC-A11D9A1AF1F9}.Release|ARM.ActiveCfg = Release|Win32
55 | {3EAC6C78-CD95-4975-91AC-A11D9A1AF1F9}.Release|ARM64.ActiveCfg = Release|Win32
56 | {3EAC6C78-CD95-4975-91AC-A11D9A1AF1F9}.Release|x64.ActiveCfg = Release|x64
57 | {3EAC6C78-CD95-4975-91AC-A11D9A1AF1F9}.Release|x64.Build.0 = Release|x64
58 | {3EAC6C78-CD95-4975-91AC-A11D9A1AF1F9}.Release|x86.ActiveCfg = Release|Win32
59 | {3EAC6C78-CD95-4975-91AC-A11D9A1AF1F9}.Release|x86.Build.0 = Release|Win32
60 | {D7F5D8A7-B74D-414F-A592-C5BED839CC9D}.Debug|ARM.ActiveCfg = Debug|Win32
61 | {D7F5D8A7-B74D-414F-A592-C5BED839CC9D}.Debug|ARM64.ActiveCfg = Debug|Win32
62 | {D7F5D8A7-B74D-414F-A592-C5BED839CC9D}.Debug|x64.ActiveCfg = Debug|x64
63 | {D7F5D8A7-B74D-414F-A592-C5BED839CC9D}.Debug|x64.Build.0 = Debug|x64
64 | {D7F5D8A7-B74D-414F-A592-C5BED839CC9D}.Debug|x86.ActiveCfg = Debug|Win32
65 | {D7F5D8A7-B74D-414F-A592-C5BED839CC9D}.Debug|x86.Build.0 = Debug|Win32
66 | {D7F5D8A7-B74D-414F-A592-C5BED839CC9D}.Release|ARM.ActiveCfg = Release|Win32
67 | {D7F5D8A7-B74D-414F-A592-C5BED839CC9D}.Release|ARM64.ActiveCfg = Release|Win32
68 | {D7F5D8A7-B74D-414F-A592-C5BED839CC9D}.Release|x64.ActiveCfg = Release|x64
69 | {D7F5D8A7-B74D-414F-A592-C5BED839CC9D}.Release|x64.Build.0 = Release|x64
70 | {D7F5D8A7-B74D-414F-A592-C5BED839CC9D}.Release|x86.ActiveCfg = Release|Win32
71 | {D7F5D8A7-B74D-414F-A592-C5BED839CC9D}.Release|x86.Build.0 = Release|Win32
72 | EndGlobalSection
73 | GlobalSection(SolutionProperties) = preSolution
74 | HideSolutionNode = FALSE
75 | EndGlobalSection
76 | GlobalSection(ExtensibilityGlobals) = postSolution
77 | SolutionGuid = {0CA1F6F3-18D6-4AD3-8984-3EDAF0650F55}
78 | EndGlobalSection
79 | EndGlobal
80 |
--------------------------------------------------------------------------------
/TestDriver/ApcInject.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ccdescipline/CInject/3f12e270862e5ba23cf9ca2eed34a8b85faf0518/TestDriver/ApcInject.cpp
--------------------------------------------------------------------------------
/TestDriver/ApcInject.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ccdescipline/CInject/3f12e270862e5ba23cf9ca2eed34a8b85faf0518/TestDriver/ApcInject.h
--------------------------------------------------------------------------------
/TestDriver/EipInject.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ccdescipline/CInject/3f12e270862e5ba23cf9ca2eed34a8b85faf0518/TestDriver/EipInject.cpp
--------------------------------------------------------------------------------
/TestDriver/EipInject.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "ntifs.h"
3 | #include "ntddk.h"
4 | #include "utils.h"
5 | #include "ApcInject.h"
6 |
7 |
8 |
9 | typedef ULONG(*FuncType)(PETHREAD Thread); // Shared prototype for the two thread suspend/resume routines below
10 |
// These are function-pointer variables, not imports: the routines are located at runtime by the
// byte-pattern signatures described in the README (FindKeSuspendThread / FindKeResumeThread in
// EipInject.cpp), presumably from initKethreadFunc(). NOTE(review): a failed scan would leave them
// NULL — callers must check before calling through them; confirm in EipInject.cpp.
11 | extern FuncType KeSuspendThread;
12 | extern FuncType KeResumeThread;
13 |
14 |
15 |
16 |
17 |
18 | // Offset of the _KTRAP_FRAME pointer inside _KTHREAD on build 1909 (+0x090). Build-specific:
// re-derive it with `dt _KTHREAD` in windbg for any other target build (see README).
// NOTE(review): nothing gates this constant on the running OS build; on a mismatch the context
// accessors below (which presumably use it) read/write the wrong _KTHREAD field. Consider
// checking RtlGetVersion() in initKethreadFunc() and refusing to run on an unknown build.
19 | #define OFFSET_KTRAP_FRAME 0x090
20 |
21 |
22 |
// Thread-hijack execution path (the "EIP" mode of the README): makes a thread of `process`
// execute `func`, an address inside the image mapped at `modulebase`. `cleartimeSecond`
// presumably controls when clean-up happens — confirm in EipInject.cpp.
23 | void EipExcuteFuntion(PEPROCESS process, PVOID func, ULONG64 modulebase, LONGLONG cleartimeSecond);
24 | PETHREAD GetFirstThread(PEPROCESS tempep); // First thread of `tempep`; presumably NULL when none — check at call sites. Whether the caller owns a reference on the result is not stated here.
25 | bool IsGuiThread(PETHREAD thread); // true if `thread` is a GUI thread (criterion not visible in this header)
26 | KTRAP_FRAME MyGetThreadContext(PETHREAD thread); // Copy of the thread's trap frame, returned by value; there is no error channel — TODO confirm how callers detect failure
27 | bool MySetThreadContext(PETHREAD thread, KTRAP_FRAME context); // Writes `context` back into the thread's trap frame; false on failure
28 | void initKethreadFunc(); // Resolves KeSuspendThread/KeResumeThread above (see README "How to find KeSuspendThread and KeResumeThread?")
--------------------------------------------------------------------------------
/TestDriver/PeHelper.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ccdescipline/CInject/3f12e270862e5ba23cf9ca2eed34a8b85faf0518/TestDriver/PeHelper.cpp
--------------------------------------------------------------------------------
/TestDriver/PeHelper.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #include "ntifs.h"
4 | #include "ntddk.h"
5 |
6 | typedef unsigned short WORD; // Local stand-ins for the user-mode SDK's WORD/DWORD/BYTE:
7 | typedef unsigned long DWORD; // this header only includes ntifs.h/ntddk.h, which do not define
8 | typedef unsigned char BYTE; // them. Widths match winnt.h on MSVC (16/32/8 bits).
9 |
10 | extern "C" {
11 |
12 |
13 | NTKERNELAPI PPEB NTAPI PsGetProcessPeb // ntoskrnl export that is not declared in the public WDK headers, hence the manual prototype.
14 | ( // Returns the user-mode PEB of `Process`. NOTE(review): may return NULL (e.g. for the
15 | IN PEPROCESS Process // System process) — callers must check before dereferencing; verify at call sites.
16 | );
17 | }
18 |
19 | #define IMAGE_SIZEOF_SHORT_NAME 8 // Length of IMAGE_SECTION_HEADER::Name (not NUL-terminated when all 8 bytes are used)
20 | #define IMAGE_REL_BASED_DIR64 10 // Relocation type: add the 64-bit image-base delta to a 64-bit field
21 | #define IMAGE_REL_BASED_HIGHLOW 3 // Relocation type: add the 32-bit delta to a 32-bit field
22 | #define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
23 | #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16 // Capacity of IMAGE_OPTIONAL_HEADER::DataDirectory; the populated count is NumberOfRvaAndSizes
24 | #define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
25 | #define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
26 | #define IMAGE_REL_BASED_ABSOLUTE 0 // Relocation type: no-op, used as padding at the end of a relocation block
27 |
28 | #define IMAGE_ORDINAL_FLAG64 0x8000000000000000 // Set in a 64-bit import thunk when the import is by ordinal (low 16 bits) rather than by name
29 |
30 | typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header — the first bytes of every PE file
31 | WORD e_magic; // Magic number: 'MZ' (0x5A4D); validate before reading further
32 | WORD e_cblp; // Bytes on last page of file
33 | WORD e_cp; // Pages in file
34 | WORD e_crlc; // Relocations
35 | WORD e_cparhdr; // Size of header in paragraphs
36 | WORD e_minalloc; // Minimum extra paragraphs needed
37 | WORD e_maxalloc; // Maximum extra paragraphs needed
38 | WORD e_ss; // Initial (relative) SS value
39 | WORD e_sp; // Initial SP value
40 | WORD e_csum; // Checksum
41 | WORD e_ip; // Initial IP value
42 | WORD e_cs; // Initial (relative) CS value
43 | WORD e_lfarlc; // File address of relocation table
44 | WORD e_ovno; // Overlay number
45 | WORD e_res[4]; // Reserved words
46 | WORD e_oemid; // OEM identifier (for e_oeminfo)
47 | WORD e_oeminfo; // OEM information; e_oemid specific
48 | WORD e_res2[10]; // Reserved words
49 | LONG e_lfanew; // File address of new exe header (IMAGE_NT_HEADERS). Signed and file-controlled: check 0 <= e_lfanew and e_lfanew + sizeof(IMAGE_NT_HEADERS) <= buffer size before following it
50 | } IMAGE_DOS_HEADER, * PIMAGE_DOS_HEADER;
51 |
52 | typedef struct _IMAGE_SECTION_HEADER { // One entry of the section table (see IMAGE_FIRST_SECTION); FileHeader.NumberOfSections entries follow each other
// NOTE(review): every field below comes from the file. When mapping, PointerToRawData + SizeOfRawData must be
// checked against the file size and VirtualAddress + Misc.VirtualSize against OptionalHeader.SizeOfImage.
53 | BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; // Section name, padded, NOT NUL-terminated when 8 bytes long
54 | union {
55 | DWORD PhysicalAddress;
56 | DWORD VirtualSize; // Size of the section once mapped (may be larger or smaller than SizeOfRawData)
57 | } Misc;
58 | DWORD VirtualAddress; // RVA at which the section is mapped
59 | DWORD SizeOfRawData; // Bytes of initialized data present in the file, rounded to FileAlignment
60 | DWORD PointerToRawData; // File offset of those bytes
61 | DWORD PointerToRelocations; // COFF object-file fields; zero for executable images
62 | DWORD PointerToLinenumbers;
63 | WORD NumberOfRelocations;
64 | WORD NumberOfLinenumbers;
65 | DWORD Characteristics; // IMAGE_SCN_* flags (section type and the memory protection it should receive)
66 | } IMAGE_SECTION_HEADER, * PIMAGE_SECTION_HEADER;
67 |
68 |
69 |
70 | typedef struct _IMAGE_DATA_DIRECTORY { // Locates one table (export, import, reloc, ...) inside the image
71 | DWORD VirtualAddress; // RVA of the table (0 when the image has none)
72 | DWORD Size; // Size of the table in bytes; walks over the table must stay within it
73 | } IMAGE_DATA_DIRECTORY, * PIMAGE_DATA_DIRECTORY;
74 |
75 | typedef struct _IMAGE_BASE_RELOCATION { // Header of one relocation block covering a 4 KiB page; blocks are chained back to back
76 | DWORD VirtualAddress; // RVA of the page the block's entries are relative to
77 | DWORD SizeOfBlock; // Total size of the block in bytes, header included; the next block starts SizeOfBlock bytes later
78 | // WORD TypeOffset[1]; // (SizeOfBlock - 8) / 2 WORD entries follow: high 4 bits = IMAGE_REL_BASED_* type, low 12 bits = offset within the page
// NOTE(review): when walking the chain, a SizeOfBlock of 0 or smaller than this header must end the
// walk (otherwise it never advances), and the walk must not leave the BASERELOC directory's Size.
79 | } IMAGE_BASE_RELOCATION;
80 | typedef IMAGE_BASE_RELOCATION UNALIGNED* PIMAGE_BASE_RELOCATION; // UNALIGNED: blocks are only 4-byte aligned, so never assume natural alignment when reading them
81 |
82 | typedef struct _IMAGE_FILE_HEADER { // COFF file header, directly after the "PE\0\0" signature
83 | WORD Machine; // Target architecture (IMAGE_FILE_MACHINE_*); check it matches the 64-bit layout assumed by this header
84 | WORD NumberOfSections; // Number of IMAGE_SECTION_HEADER entries following the optional header
85 | DWORD TimeDateStamp;
86 | DWORD PointerToSymbolTable; // COFF symbol table; 0 for images
87 | DWORD NumberOfSymbols;
88 | WORD SizeOfOptionalHeader; // Bytes of optional header; IMAGE_FIRST_SECTION adds this to locate the section table
89 | WORD Characteristics; // IMAGE_FILE_* flags (e.g. IMAGE_FILE_DLL)
90 | } IMAGE_FILE_HEADER, * PIMAGE_FILE_HEADER;
91 |
92 | typedef struct _IMAGE_OPTIONAL_HEADER64 { // PE32+ (64-bit) optional header — the only variant this project declares
93 | WORD Magic; // 0x20B for PE32+; reject anything else before interpreting the rest with this layout
94 | BYTE MajorLinkerVersion;
95 | BYTE MinorLinkerVersion;
96 | DWORD SizeOfCode;
97 | DWORD SizeOfInitializedData;
98 | DWORD SizeOfUninitializedData;
99 | DWORD AddressOfEntryPoint; // RVA of the image entry point (for a DLL, the CRT start-up that calls DllMain); 0 means none
100 | DWORD BaseOfCode;
101 | ULONGLONG ImageBase; // Preferred load address; base relocations must be applied if the image is mapped elsewhere
102 | DWORD SectionAlignment; // Alignment of sections in memory
103 | DWORD FileAlignment; // Alignment of section raw data in the file
104 | WORD MajorOperatingSystemVersion;
105 | WORD MinorOperatingSystemVersion;
106 | WORD MajorImageVersion;
107 | WORD MinorImageVersion;
108 | WORD MajorSubsystemVersion;
109 | WORD MinorSubsystemVersion;
110 | DWORD Win32VersionValue;
111 | DWORD SizeOfImage; // Total mapped size (headers + all sections), a multiple of SectionAlignment
112 | DWORD SizeOfHeaders; // Size of DOS stub + PE headers + section table, rounded to FileAlignment
113 | DWORD CheckSum;
114 | WORD Subsystem;
115 | WORD DllCharacteristics; // IMAGE_DLLCHARACTERISTICS_* flags
116 | ULONGLONG SizeOfStackReserve;
117 | ULONGLONG SizeOfStackCommit;
118 | ULONGLONG SizeOfHeapReserve;
119 | ULONGLONG SizeOfHeapCommit;
120 | DWORD LoaderFlags;
121 | DWORD NumberOfRvaAndSizes; // Number of valid DataDirectory entries. NOTE(review): may be smaller than 16 — check it before indexing a directory
122 | IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; // Indexed by IMAGE_DIRECTORY_ENTRY_*
123 | } IMAGE_OPTIONAL_HEADER64, * PIMAGE_OPTIONAL_HEADER64;
124 |
125 | typedef IMAGE_OPTIONAL_HEADER64 IMAGE_OPTIONAL_HEADER; // The unqualified names alias the PE32+ (64-bit) layout only;
126 | typedef PIMAGE_OPTIONAL_HEADER64 PIMAGE_OPTIONAL_HEADER; // a PE32 (32-bit) image has a different optional-header layout and would be misparsed through them
127 |
128 | typedef struct _IMAGE_NT_HEADERS64 { // Located at file offset IMAGE_DOS_HEADER::e_lfanew
129 | DWORD Signature; // "PE\0\0" (0x00004550); validate before touching the rest
130 | IMAGE_FILE_HEADER FileHeader;
131 | IMAGE_OPTIONAL_HEADER64 OptionalHeader; // Check FileHeader.SizeOfOptionalHeader covers this struct before reading it in full
132 | } IMAGE_NT_HEADERS64, * PIMAGE_NT_HEADERS64;
133 |
134 | typedef PIMAGE_NT_HEADERS64 PIMAGE_NT_HEADERS; // Unqualified aliases for the PE32+ (64-bit) headers;
135 | typedef IMAGE_NT_HEADERS64 IMAGE_NT_HEADERS; // a PE32 (32-bit) image does not match this layout
136 |
// Address of the first IMAGE_SECTION_HEADER: the section table begins right after the optional
// header, i.e. at the offset of OptionalHeader plus FileHeader.SizeOfOptionalHeader.
// NOTE(review): SizeOfOptionalHeader is read from the image itself; sanity-check it (and the
// resulting pointer plus NumberOfSections entries) against the buffer before dereferencing.
// No trailing comments inside the macro: a `//` before a line-continuation backslash would swallow the next line.
137 | #define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) \
138 | ((ULONG_PTR)(ntheader) + \
139 | FIELD_OFFSET( IMAGE_NT_HEADERS, OptionalHeader ) + \
140 | ((ntheader))->FileHeader.SizeOfOptionalHeader \
141 | ))
142 |
143 | typedef struct _IMAGE_EXPORT_DIRECTORY { // Export table (DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]); all "Address" fields are RVAs
// NOTE(review): the three table RVAs, every entry read from them and every index must be bounds-checked
// against the exporting module's SizeOfImage — they come from memory of another process.
144 | DWORD Characteristics;
145 | DWORD TimeDateStamp;
146 | WORD MajorVersion;
147 | WORD MinorVersion;
148 | DWORD Name; // RVA of the exporting module's name (ASCII)
149 | DWORD Base; // Ordinal of the first AddressOfFunctions entry (ordinal = index + Base)
150 | DWORD NumberOfFunctions; // Entries in the AddressOfFunctions table
151 | DWORD NumberOfNames; // Entries in AddressOfNames and AddressOfNameOrdinals
152 | DWORD AddressOfFunctions; // RVA from base of image: DWORD[NumberOfFunctions] export RVAs; one lying inside this directory is a forwarder string, not code
153 | DWORD AddressOfNames; // RVA from base of image: DWORD[NumberOfNames] RVAs of export names, sorted
154 | DWORD AddressOfNameOrdinals; // RVA from base of image: WORD[NumberOfNames] indices into AddressOfFunctions (unbiased; add Base for the ordinal)
155 | } IMAGE_EXPORT_DIRECTORY, * PIMAGE_EXPORT_DIRECTORY;
156 |
157 |
158 | typedef struct _PEB_LDR_DATA // Loader data of a user-mode process, truncated: only the leading members are declared
159 | {
160 | unsigned int Length;
161 | int Initialized;
162 | void* SSHandle;
163 | LIST_ENTRY InLoadOrderLinks; // List heads; each node is embedded in an LDR_DATA_TABLE_ENTRY at the member of the same name
164 | LIST_ENTRY InMemoryOrderLinks;
165 | LIST_ENTRY InInitializationOrderLinks;
166 | // ... remaining members omitted — never sizeof() or allocate this struct
167 | } PEB_LDR_DATA, * PPEB_LDR_DATA;
168 |
169 | typedef struct _PEB64 // Process Environment Block of a 64-bit process, truncated after Ldr (only the leading members are declared)
// NOTE(review): the PEB and everything reachable from Ldr live in the target's user address space;
// dereference them only while attached to that process and with the usual user-pointer guards —
// confirm PeHelper.cpp does this.
170 | {
171 | unsigned char InheritedAddressSpace; // 0x0000
172 | unsigned char ReadImageFileExecOptions; // 0x0001
173 | unsigned char BeingDebugged; // 0x0002
174 | unsigned char BitField; // 0x0003
175 | unsigned char pad_0x0004[0x4]; // 0x0004
176 | PVOID Mutant; // 0x0008
177 | PVOID ImageBaseAddress; // 0x0010 base of the process's main executable
178 | PPEB_LDR_DATA Ldr; // 0x0018 loader data (module lists); may still be NULL very early in process start-up
179 | // ... remaining members omitted — never sizeof() or allocate this struct
180 | } PEB64, * PPEB64;
181 |
182 | typedef struct _LDR_DATA_TABLE_ENTRY // One loaded module in the PEB loader lists, truncated after BaseDllName
183 | {
184 | LIST_ENTRY InLoadOrderLinks; // Linked into the PEB_LDR_DATA list head of the same name; CONTAINING_RECORD recovers the entry
185 | LIST_ENTRY InMemoryOrderLinks;
186 | LIST_ENTRY InInitializationOrderLinks;
187 | PVOID DllBase; // Load address of the module
188 | PVOID EntryPoint;
189 | ULONG SizeOfImage;
190 | UNICODE_STRING FullDllName; // Full path; Buffer points into user memory, Length is in bytes and the string is not necessarily NUL-terminated
191 | UNICODE_STRING BaseDllName; // File name only (presumably what GetModelBase compares against — confirm in PeHelper.cpp)
192 | // ... remaining members omitted — never sizeof() or allocate this struct
193 | } LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;
194 |
195 | typedef struct _IMAGE_IMPORT_DESCRIPTOR { // One entry per imported DLL; the array ends with an all-zero descriptor
196 | union {
197 | DWORD Characteristics; // 0 for terminating null import descriptor
198 | DWORD OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA): the names/ordinals to resolve (IMAGE_ORDINAL_FLAG64 marks by-ordinal)
199 | } DUMMYUNIONNAME;
200 | DWORD TimeDateStamp; // 0 if not bound,
201 | // -1 if bound, and real date\time stamp
202 | // in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
203 | // O.W. date/time stamp of DLL bound to (Old BIND)
204 |
205 | DWORD ForwarderChain; // -1 if no forwarders
206 | DWORD Name; // RVA of the DLL name (ASCII). NOTE(review): validate it lies inside the image and is NUL-terminated within it
207 | DWORD FirstThunk; // RVA to IAT (if bound this IAT has actual addresses); the table that gets overwritten with resolved addresses
208 | } IMAGE_IMPORT_DESCRIPTOR;
209 | typedef IMAGE_IMPORT_DESCRIPTOR UNALIGNED* PIMAGE_IMPORT_DESCRIPTOR; // UNALIGNED: the table is not guaranteed to be naturally aligned in the mapped image
210 |
211 |
212 |
213 |
// Resolves the base address of the module named `moudelName` inside process
// `pid` and stores it in *Dllbase. `pid` is HANDLE-typed in the style of
// PsLookupProcessByProcessId. Presumably implemented by walking that process's
// PEB loader lists (see the PEB64/PEB_LDR_DATA/LDR_DATA_TABLE_ENTRY
// declarations above) -- confirm against PeHelper.cpp, together with which
// NTSTATUS values are returned and whether the name match is case-insensitive.
NTSTATUS GetModelBase(HANDLE pid, LPCWSTR moudelName, PVOID* Dllbase);

// Returns the image size recorded in the PE headers at `fileBuffer`.
// NOTE(review): there is no buffer-length parameter, so the implementation
// cannot bounds-check e_lfanew or the optional header against the bytes it
// actually has. Callers must guarantee the buffer holds the complete headers,
// and the implementation should verify the MZ and PE signatures before
// trusting any offset; a truncated or crafted file otherwise over-reads.
DWORD GetImageSize(PUCHAR fileBuffer);

// Manually maps the PE held in `fileBuffer` for process `pid`. From the
// parameter list: `virtualBase` is the address the image is intended to occupy
// in the target, *PEBuffer and *size receive the mapped image and its length,
// and *entrypoint receives the resolved entry point; returns true on success.
// Ownership of *PEBuffer (who frees it, which pool) is defined by the
// implementation -- confirm before use. Relocation/import fix-up is implied by
// the IMAGE_IMPORT_DESCRIPTOR declaration above but is not visible here.
bool PELoaderDLL(PUCHAR fileBuffer, PUCHAR virtualBase, PVOID* PEBuffer, PULONG64 size, PVOID* entrypoint, HANDLE pid);
219 |
--------------------------------------------------------------------------------
/TestDriver/TestDriver.inf:
--------------------------------------------------------------------------------
;
; TestDriver.inf
;
; Installs TestDriver.sys as a KMDF kernel-mode driver behind a root-enumerated
; software device (hardware id Root\TestDriver below): the device node is
; created by whoever runs the install, not discovered by Plug and Play.
; This is still the unedited WDK template: Class/ClassGuid are the "Sample"
; placeholders and ManufacturerName is empty (see the TODO markers).
;

[Version]
Signature="$WINDOWS NT$"
Class=Sample ; TODO: edit Class
ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid
Provider=%ManufacturerName%
CatalogFile=TestDriver.cat
DriverVer= ; TODO: set DriverVer in stampinf property pages

[DestinationDirs]
; 12 = %SystemRoot%\System32\drivers, 11 = %SystemRoot%\System32
DefaultDestDir = 12
TestDriver_Device_CoInstaller_CopyFiles = 11

; ================= Class section =====================

[ClassInstall32]
Addreg=SampleClassReg

[SampleClassReg]
HKR,,,0,%ClassName%
HKR,,Icon,,-5

[SourceDisksNames]
1 = %DiskName%,,,""

[SourceDisksFiles]
TestDriver.sys = 1,,
WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames

;*****************************************
; Install Section
;*****************************************

[Manufacturer]
%ManufacturerName%=Standard,NT$ARCH$

[Standard.NT$ARCH$]
; Root\... hardware ids are root-enumerated: no physical device is involved.
%TestDriver.DeviceDesc%=TestDriver_Device, Root\TestDriver ; TODO: edit hw-id

[TestDriver_Device.NT]
CopyFiles=Drivers_Dir

[Drivers_Dir]
TestDriver.sys

;-------------- Service installation
[TestDriver_Device.NT.Services]
AddService = TestDriver,%SPSVCINST_ASSOCSERVICE%, TestDriver_Service_Inst

; -------------- TestDriver driver install sections
[TestDriver_Service_Inst]
DisplayName = %TestDriver.SVCDESC%
ServiceType = 1 ; SERVICE_KERNEL_DRIVER
; Demand start: the driver is loaded only when the device is started, not at boot.
StartType = 3 ; SERVICE_DEMAND_START
ErrorControl = 1 ; SERVICE_ERROR_NORMAL
ServiceBinary = %12%\TestDriver.sys

;
;--- TestDriver_Device Coinstaller installation ------
;

[TestDriver_Device.NT.CoInstallers]
AddReg=TestDriver_Device_CoInstaller_AddReg
CopyFiles=TestDriver_Device_CoInstaller_CopyFiles

[TestDriver_Device_CoInstaller_AddReg]
HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"

[TestDriver_Device_CoInstaller_CopyFiles]
WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll

[TestDriver_Device.NT.Wdf]
KmdfService = TestDriver, TestDriver_wdfsect
[TestDriver_wdfsect]
KmdfLibraryVersion = $KMDFVERSION$

[Strings]
SPSVCINST_ASSOCSERVICE= 0x00000002
; An empty provider string is accepted by the template but should be filled in
; before the package is catalog-signed.
ManufacturerName="" ;TODO: Replace with your manufacturer name
ClassName="Samples" ; TODO: edit ClassName
DiskName = "TestDriver Installation Disk"
TestDriver.DeviceDesc = "TestDriver Device"
TestDriver.SVCDESC = "TestDriver Service"
87 |
--------------------------------------------------------------------------------
/TestDriver/TestDriver.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 | Debug
22 | ARM
23 |
24 |
25 | Release
26 | ARM
27 |
28 |
29 | Debug
30 | ARM64
31 |
32 |
33 | Release
34 | ARM64
35 |
36 |
37 |
38 | {8FF6342E-F1FE-4BBE-89A4-B8710DEE567F}
39 | {1bc93793-694f-48fe-9372-81e2b05556fd}
40 | v4.5
41 | 12.0
42 | Debug
43 | Win32
44 | TestDriver
45 |
46 |
47 |
48 | Windows10
49 | true
50 | WindowsKernelModeDriver10.0
51 | Driver
52 | KMDF
53 | Universal
54 |
55 |
56 | Windows10
57 | false
58 | WindowsKernelModeDriver10.0
59 | Driver
60 | KMDF
61 | Universal
62 |
63 |
64 | Windows10
65 | true
66 | WindowsKernelModeDriver10.0
67 | Driver
68 | KMDF
69 | Universal
70 |
71 |
72 | Windows10
73 | false
74 | WindowsKernelModeDriver10.0
75 | Driver
76 | KMDF
77 | Universal
78 |
79 |
80 | Windows10
81 | true
82 | WindowsKernelModeDriver10.0
83 | Driver
84 | KMDF
85 | Universal
86 |
87 |
88 | Windows10
89 | false
90 | WindowsKernelModeDriver10.0
91 | Driver
92 | KMDF
93 | Universal
94 |
95 |
96 | Windows10
97 | true
98 | WindowsKernelModeDriver10.0
99 | Driver
100 | KMDF
101 | Universal
102 |
103 |
104 | Windows10
105 | false
106 | WindowsKernelModeDriver10.0
107 | Driver
108 | KMDF
109 | Universal
110 |
111 |
112 |
113 |
114 |
115 |
116 |
117 |
118 |
119 |
120 | DbgengKernelDebugger
121 |
122 |
123 | DbgengKernelDebugger
124 |
125 |
126 | DbgengKernelDebugger
127 | false
128 |
129 |
130 | DbgengKernelDebugger
131 | false
132 |
133 |
134 | DbgengKernelDebugger
135 |
136 |
137 | DbgengKernelDebugger
138 |
139 |
140 | DbgengKernelDebugger
141 |
142 |
143 | DbgengKernelDebugger
144 |
145 |
146 |
147 | TurnOffAllWarnings
148 |
149 |
150 |
151 |
152 | Level2
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
161 |
162 |
163 |
164 |
165 |
166 |
167 |
168 |
169 |
170 |
171 |
172 |
173 |
174 |
175 |
176 |
177 |
178 |
179 |
--------------------------------------------------------------------------------
/TestDriver/TestDriver.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 | {8E41214B-6785-4CFE-B992-037D68949A14}
18 | inf;inv;inx;mof;mc;
19 |
20 |
21 | {c30d913e-d1c9-4c05-9a7a-6a67fae81cb8}
22 |
23 |
24 | {96f85b06-3b80-48af-98d1-2b3ca73a7736}
25 |
26 |
27 | {d329df13-1090-4de1-aaac-73f1a59d98f2}
28 |
29 |
30 | {fb2cb5f5-e36d-44a1-9cb7-233ce4950d2a}
31 |
32 |
33 | {e975d4e8-4c96-488b-8c04-5bc022414665}
34 |
35 |
36 |
37 |
38 | Driver Files
39 |
40 |
41 |
42 |
43 | Source Files
44 |
45 |
46 | utils
47 |
48 |
49 | ApcInject
50 |
51 |
52 | utils\file
53 |
54 |
55 | PeHelper
56 |
57 |
58 | EipInject
59 |
60 |
61 |
62 |
63 | utils
64 |
65 |
66 | ApcInject
67 |
68 |
69 | utils\file
70 |
71 |
72 | PeHelper
73 |
74 |
75 | EipInject
76 |
77 |
78 |
--------------------------------------------------------------------------------
/TestDriver/filehelp.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ccdescipline/CInject/3f12e270862e5ba23cf9ca2eed34a8b85faf0518/TestDriver/filehelp.cpp
--------------------------------------------------------------------------------
/TestDriver/filehelp.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | #include "ntifs.h"
4 | #include "ntddk.h"
5 | #include "ntstrsafe.h"
6 |
// Reads the file at `path` into memory: on success *buffer presumably receives a
// newly allocated kernel buffer holding the whole file and *size its length in
// bytes. The path form (NT path such as \??\C:\... vs. DOS path), the pool
// type/tag of the allocation and who frees it are all decided in filehelp.cpp
// -- confirm there before relying on them. The name coincides with the Win32
// ReadFile; that is harmless in kernel mode (no windows.h), but misleading to
// readers with user-mode habits.
NTSTATUS ReadFile(const WCHAR* path, PVOID* buffer, PULONG64 size);
8 |
--------------------------------------------------------------------------------
/TestDriver/main.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ccdescipline/CInject/3f12e270862e5ba23cf9ca2eed34a8b85faf0518/TestDriver/main.cpp
--------------------------------------------------------------------------------
/TestDriver/utils.cpp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ccdescipline/CInject/3f12e270862e5ba23cf9ca2eed34a8b85faf0518/TestDriver/utils.cpp
--------------------------------------------------------------------------------
/TestDriver/utils.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ccdescipline/CInject/3f12e270862e5ba23cf9ca2eed34a8b85faf0518/TestDriver/utils.h
--------------------------------------------------------------------------------
/TestExE/TestExE.cpp:
--------------------------------------------------------------------------------
1 | // TestExE.cpp : This file contains the "main" function. Program execution begins and ends there.
2 | //
3 |
4 | #include
5 | #include "Windows.h"
6 | #include
7 | #include
8 |
9 | #define CRLF "\r\n"
10 |
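// Test payload: prints its three integer arguments and the id of the thread it
// runs on. Presumably the routine the driver injects a call to (see the
// injection code), so the printed thread id tells the tester which thread the
// call landed on -- confirm against the driver side.
void Function(ULONG64 a,ULONG64 b,ULONG64 c) {
	// ULONG64 arguments need %llu: "%d" pulls a 32-bit int off the vararg list,
	// which is undefined behaviour and garbles the output on x64.
	printf_s("%llu %llu %llu \r\n", a, b, c);
	// GetCurrentThreadId returns a DWORD (unsigned long).
	printf_s("%lu \r\n", GetCurrentThreadId());
}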
15 |
// Prints one "Process <pid> Thread <tid>" line for every thread owned by the
// current process, using a Toolhelp snapshot. Always returns 0, including when
// the snapshot cannot be created.
int DisplayAllThread()
{
	// Per the Toolhelp documentation TH32CS_SNAPTHREAD ignores the pid argument
	// and captures every thread on the system, so ownership is filtered below.
	const DWORD ownPid = GetCurrentProcessId();
	HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, ownPid);
	if (snap == INVALID_HANDLE_VALUE)
		return 0;

	THREADENTRY32 entry;
	entry.dwSize = sizeof(entry);
	for (BOOL more = Thread32First(snap, &entry); more; more = Thread32Next(snap, &entry)) {
		// Only trust th32OwnerProcessID when the record returned is large enough
		// to contain it (the documented Toolhelp idiom).
		const bool ownerValid =
			entry.dwSize >= FIELD_OFFSET(THREADENTRY32, th32OwnerProcessID) + sizeof(entry.th32OwnerProcessID);
		if (ownerValid && entry.th32OwnerProcessID == ownPid) {
			printf("Process %d Thread %d\n",
				entry.th32OwnerProcessID, entry.th32ThreadID);
		}
		// Thread32Next may shrink dwSize; reset it before the next call.
		entry.dwSize = sizeof(entry);
	}
	CloseHandle(snap);
	return 0;
}
39 |
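// Prints the address of Function and the process's thread list, then parks the
// calling thread in a message loop. No window is created, so the loop only
// ever sees thread messages; presumably the point is to keep a known thread
// alive as an injection target -- confirm against the driver side.
// The loop ends on WM_QUIT or when GetMessage reports an error.
void TestWindow() {
	// Streaming a function name to std::cout picks operator<<(bool) and prints
	// "1", not an address; cast to void* to print the actual pointer value.
	std::cout << "Function : " << reinterpret_cast<void*>(&Function) << std::endl;

	DisplayAllThread();
	MSG msg = { 0 };
	// GetMessage returns -1 on error; "while (GetMessage(...))" treats that as
	// true and would spin on a permanent error, so handle all three outcomes.
	for (;;)
	{
		const BOOL got = GetMessage(&msg, 0, 0, 0);
		if (got == 0)      // WM_QUIT
			break;
		if (got == -1)     // error
			break;
		TranslateMessage(&msg);
		DispatchMessage(&msg);
	}
}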
51 |
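// Returns the pid of the first process whose image file name equals `pName`
// (compared case-insensitively, since Windows file names are), or 0 when
// `pName` is null, the snapshot cannot be taken, or nothing matches.
// Several processes may share a name; the first one enumerated wins.
// NOTE(review): an image name is chosen by whoever launched the process and is
// trivially spoofable, so this is a convenience for a test harness, not an
// identity check.
DWORD GetProcessIdByName(const wchar_t* pName)
{
	if (pName == nullptr)
		return 0;
	HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (snap == INVALID_HANDLE_VALUE)
		return 0;
	DWORD found = 0;
	PROCESSENTRY32 pe = { sizeof(PROCESSENTRY32) };
	for (BOOL more = Process32First(snap, &pe); more; more = Process32Next(snap, &pe))
	{
		// _wcsicmp so "MSPaint.exe" and "mspaint.exe" both match.
		if (_wcsicmp(pe.szExeFile, pName) == 0)
		{
			found = pe.th32ProcessID;
			break;
		}
	}
	// Single exit keeps the snapshot handle from leaking on any path.
	CloseHandle(snap);
	return found;
}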
69 |
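// Locates the running MS Paint instance: looks its pid up by image name, finds
// its top-level window by class name, and reports the thread that owns that
// window (the GUI thread). Only prints; nothing is opened or modified.
// (Despite the name the target is mspaint.exe; see the commented alternatives.)
void findNotepadWindow() {
	// pid and window handle
	DWORD pid = GetProcessIdByName(L"mspaint.exe");//Calculator.exe notepad.exe
	HWND windowHWND = FindWindow(L"MSPaintApp", NULL);
	// HWND is pointer-sized: "%d" truncates it on x64, so print it with %p.
	printf("pid : %lu windowHWND : %p" CRLF, pid, (void*)windowHWND);
	if (windowHWND == NULL) {
		// GetWindowThreadProcessId on a null HWND just returns 0; say so instead.
		printf("window not found" CRLF);
		return;
	}

	// GUI thread. The owner pid is written to a separate variable rather than
	// overwriting `pid`, so a mismatch between the name lookup and the window's
	// actual owner (e.g. two Paint instances) is visible instead of silent.
	DWORD ownerPid = 0;
	DWORD guiThread = GetWindowThreadProcessId(windowHWND, &ownerPid);
	if (ownerPid != pid) {
		printf("note: window owner pid %lu differs from name-lookup pid %lu" CRLF, ownerPid, pid);
	}
	printf("GUI thread: guiThread : %lu" CRLF, guiThread);
}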
80 |
// Entry point: run the Paint window/thread discovery, then hold the console
// open until a key is pressed so the output can be read.
int main()
{
	findNotepadWindow();

	// NOTE(review): system("pause") spawns cmd.exe via the shell; fine for a
	// throwaway test harness, not for anything that runs with privileges.
	system("pause");
	return 0;
}
87 |
88 | // 运行程序: Ctrl + F5 或调试 >“开始执行(不调试)”菜单
89 | // 调试程序: F5 或调试 >“开始调试”菜单
90 |
91 | // 入门使用技巧:
92 | // 1. 使用解决方案资源管理器窗口添加/管理文件
93 | // 2. 使用团队资源管理器窗口连接到源代码管理
94 | // 3. 使用输出窗口查看生成输出和其他消息
95 | // 4. 使用错误列表窗口查看错误
96 | // 5. 转到“项目”>“添加新项”以创建新的代码文件,或转到“项目”>“添加现有项”以将现有代码文件添加到项目
97 | // 6. 将来,若要再次打开此项目,请转到“文件”>“打开”>“项目”并选择 .sln 文件
98 |
--------------------------------------------------------------------------------
/TestExE/TestExE.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | Win32Proj
24 | {3eac6c78-cd95-4975-91ac-a11d9a1af1f9}
25 | TestExE
26 | 10.0
27 |
28 |
29 |
30 | Application
31 | true
32 | v142
33 | Unicode
34 |
35 |
36 | Application
37 | false
38 | v142
39 | true
40 | Unicode
41 |
42 |
43 | Application
44 | true
45 | v142
46 | Unicode
47 |
48 |
49 | Application
50 | false
51 | v142
52 | true
53 | Unicode
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 | true
75 |
76 |
77 | false
78 |
79 |
80 | true
81 |
82 |
83 | false
84 |
85 |
86 |
87 | Level3
88 | true
89 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)
90 | true
91 |
92 |
93 | Console
94 | true
95 |
96 |
97 |
98 |
99 | Level3
100 | true
101 | true
102 | true
103 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
104 | true
105 |
106 |
107 | Console
108 | true
109 | true
110 | true
111 |
112 |
113 |
114 |
115 | Level3
116 | true
117 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions)
118 | true
119 |
120 |
121 | Console
122 | true
123 |
124 |
125 |
126 |
127 | Level3
128 | true
129 | true
130 | true
131 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions)
132 | true
133 | MultiThreaded
134 |
135 |
136 | Console
137 | true
138 | true
139 | true
140 | false
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
--------------------------------------------------------------------------------
/TestExE/TestExE.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | 源文件
20 |
21 |
22 |
--------------------------------------------------------------------------------