├── API32DLL ├── API32DLL.cpp ├── stdafx.cpp ├── targetver.h ├── stdafx.h ├── dllmain.cpp ├── API32DLL.vcxproj.filters ├── ReadMe.txt └── API32DLL.vcxproj ├── AlternativeCreateRemoteThread ├── stdafx.cpp ├── targetver.h ├── stdafx.h ├── AlternativeCreateRemoteThread.vcxproj.filters ├── AlternativeCreateRemoteThread.vcxproj └── AlternativeCreateRemoteThread.cpp ├── README.md ├── .gitattributes ├── AlternativeCreateRemoteThread.sln └── .gitignore /API32DLL/API32DLL.cpp: -------------------------------------------------------------------------------- 1 | // API32DLL.cpp : Defines the exported functions for the DLL application. 2 | // 3 | 4 | #include "stdafx.h" 5 | 6 | 7 | -------------------------------------------------------------------------------- /API32DLL/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // API32DLL.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /API32DLL/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 
7 | 8 | #include 9 | -------------------------------------------------------------------------------- /AlternativeCreateRemoteThread/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // AlternativeCreateRemoteThread.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /AlternativeCreateRemoteThread/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 
7 | 8 | #include 9 | -------------------------------------------------------------------------------- /AlternativeCreateRemoteThread/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #include 11 | #include 12 | #include 13 | #include 14 | 15 | 16 | 17 | // TODO: reference additional headers your program requires here 18 | -------------------------------------------------------------------------------- /API32DLL/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 11 | // Windows Header Files: 12 | #include 13 | 14 | 15 | 16 | // TODO: reference additional headers your program requires here 17 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | What is Alternative Create Remote Thread? 2 | ============ 3 | This project is an example of creating a remote thread in a process without using WriteProcessMemory, unlike other techniques. We will drop a DLL named "API32.DLL" into "C:\WINDOWS\" and create a new thread in the process where we want to load the DLL. In the remote process we will execute LoadLibraryA, by using CreateRemoteThread, with a pointer to the string API32.DLL as the first parameter. 4 | 5 | If you want to know exactly how it works just check the code out. 
6 | 7 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | 4 | # Custom for Visual Studio 5 | *.cs diff=csharp 6 | *.sln merge=union 7 | *.csproj merge=union 8 | *.vbproj merge=union 9 | *.fsproj merge=union 10 | *.dbproj merge=union 11 | 12 | # Standard to msysgit 13 | *.doc diff=astextplain 14 | *.DOC diff=astextplain 15 | *.docx diff=astextplain 16 | *.DOCX diff=astextplain 17 | *.dot diff=astextplain 18 | *.DOT diff=astextplain 19 | *.pdf diff=astextplain 20 | *.PDF diff=astextplain 21 | *.rtf diff=astextplain 22 | *.RTF diff=astextplain 23 | -------------------------------------------------------------------------------- /API32DLL/dllmain.cpp: -------------------------------------------------------------------------------- 1 | // dllmain.cpp : Defines the entry point for the DLL application. 
#include "stdafx.h"

//
// DllMain - demo payload loaded into the target by the injector.
//
// On DLL_PROCESS_ATTACH / DLL_THREAD_ATTACH it shows a "Loaded" message box
// and calls FreeLibrary on GetModuleHandle( NULL ); on the detach reasons it
// shows "Unload". Always returns TRUE.
//
// NOTE(review): GetModuleHandle( NULL ) is the host executable's module
// handle, not this DLL's (that is hModule), so the FreeLibrary call does not
// release this library. Both MessageBoxW and FreeLibrary run while the
// loader lock is held, which the DllMain contract documents as unsafe (it
// can deadlock or crash the host process). DLL_THREAD_ATTACH is delivered for
// every new thread in the host, so the "Loaded" box repeats per thread.
//
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch ( ul_reason_for_call )
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
        MessageBoxW( 0, L"Loaded", L"Info", 0 );
        // wrong handle: this releases a reference on the host EXE, not on this DLL
        FreeLibrary( GetModuleHandle( NULL ) );
        break;
    case DLL_PROCESS_DETACH:
    case DLL_THREAD_DETACH:
        MessageBoxW( 0, L"Unload", L"Info", 0 );
        break;
    default:
        MessageBoxW( 0, L"unknown :D", L"Info", 0 );
    }

    return TRUE;
}

-------------------------------------------------------------------------------- /AlternativeCreateRemoteThread/AlternativeCreateRemoteThread.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | Source 
Files 37 | 38 | 39 | -------------------------------------------------------------------------------- /AlternativeCreateRemoteThread.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "AlternativeCreateRemoteThread", "AlternativeCreateRemoteThread\AlternativeCreateRemoteThread.vcxproj", "{68CA9141-30D9-4D3A-8247-90CAC2E82E87}" 5 | EndProject 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "API32DLL", "API32DLL\API32DLL.vcxproj", "{6C82082B-5A65-40BF-84FB-00FC6F38ACF4}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Win32 = Debug|Win32 11 | Debug|x64 = Debug|x64 12 | Release|Win32 = Release|Win32 13 | Release|x64 = Release|x64 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {68CA9141-30D9-4D3A-8247-90CAC2E82E87}.Debug|Win32.ActiveCfg = Debug|Win32 17 | {68CA9141-30D9-4D3A-8247-90CAC2E82E87}.Debug|Win32.Build.0 = Debug|Win32 18 | {68CA9141-30D9-4D3A-8247-90CAC2E82E87}.Debug|x64.ActiveCfg = Debug|x64 19 | {68CA9141-30D9-4D3A-8247-90CAC2E82E87}.Debug|x64.Build.0 = Debug|x64 20 | {68CA9141-30D9-4D3A-8247-90CAC2E82E87}.Release|Win32.ActiveCfg = Release|Win32 21 | {68CA9141-30D9-4D3A-8247-90CAC2E82E87}.Release|Win32.Build.0 = Release|Win32 22 | {68CA9141-30D9-4D3A-8247-90CAC2E82E87}.Release|x64.ActiveCfg = Release|x64 23 | {68CA9141-30D9-4D3A-8247-90CAC2E82E87}.Release|x64.Build.0 = Release|x64 24 | {6C82082B-5A65-40BF-84FB-00FC6F38ACF4}.Debug|Win32.ActiveCfg = Debug|Win32 25 | {6C82082B-5A65-40BF-84FB-00FC6F38ACF4}.Debug|Win32.Build.0 = Debug|Win32 26 | {6C82082B-5A65-40BF-84FB-00FC6F38ACF4}.Debug|x64.ActiveCfg = Debug|x64 27 | {6C82082B-5A65-40BF-84FB-00FC6F38ACF4}.Debug|x64.Build.0 = Debug|x64 28 | {6C82082B-5A65-40BF-84FB-00FC6F38ACF4}.Release|Win32.ActiveCfg = Release|Win32 29 | 
{6C82082B-5A65-40BF-84FB-00FC6F38ACF4}.Release|Win32.Build.0 = Release|Win32 30 | {6C82082B-5A65-40BF-84FB-00FC6F38ACF4}.Release|x64.ActiveCfg = Release|x64 31 | {6C82082B-5A65-40BF-84FB-00FC6F38ACF4}.Release|x64.Build.0 = Release|x64 32 | EndGlobalSection 33 | GlobalSection(SolutionProperties) = preSolution 34 | HideSolutionNode = FALSE 35 | EndGlobalSection 36 | EndGlobal 37 | -------------------------------------------------------------------------------- /API32DLL/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | DYNAMIC LINK LIBRARY : API32DLL Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this API32DLL DLL for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your API32DLL application. 9 | 10 | 11 | API32DLL.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | API32DLL.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | API32DLL.cpp 25 | This is the main DLL source file. 26 | 27 | When created, this DLL does not export any symbols. As a result, it 28 | will not produce a .lib file when it is built. 
If you wish this project 29 | to be a project dependency of some other project, you will either need to 30 | add code to export some symbols from the DLL so that an export library 31 | will be produced, or you can set the Ignore Input Library property to Yes 32 | on the General propert page of the Linker folder in the project's Property 33 | Pages dialog box. 34 | 35 | ///////////////////////////////////////////////////////////////////////////// 36 | Other standard files: 37 | 38 | StdAfx.h, StdAfx.cpp 39 | These files are used to build a precompiled header (PCH) file 40 | named API32DLL.pch and a precompiled types file named StdAfx.obj. 41 | 42 | ///////////////////////////////////////////////////////////////////////////// 43 | Other notes: 44 | 45 | AppWizard uses "TODO:" comments to indicate parts of the source code you 46 | should add to or customize. 47 | 48 | ///////////////////////////////////////////////////////////////////////////// 49 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ################# 2 | ## Eclipse 3 | ################# 4 | 5 | *.pydevproject 6 | .project 7 | .metadata 8 | bin/ 9 | tmp/ 10 | *.tmp 11 | *.bak 12 | *.swp 13 | *~.nib 14 | local.properties 15 | .classpath 16 | .settings/ 17 | .loadpath 18 | 19 | # External tool builders 20 | .externalToolBuilders/ 21 | 22 | # Locally stored "Eclipse launch configurations" 23 | *.launch 24 | 25 | # CDT-specific 26 | .cproject 27 | 28 | # PDT-specific 29 | .buildpath 30 | 31 | 32 | ################# 33 | ## Visual Studio 34 | ################# 35 | 36 | ## Ignore Visual Studio temporary files, build results, and 37 | ## files generated by popular Visual Studio add-ons. 
38 | 39 | # User-specific files 40 | *.suo 41 | *.user 42 | *.sln.docstates 43 | 44 | # Build results 45 | 46 | [Dd]ebug/ 47 | [Rr]elease/ 48 | x64/ 49 | build/ 50 | [Bb]in/ 51 | [Oo]bj/ 52 | 53 | # MSTest test Results 54 | [Tt]est[Rr]esult*/ 55 | [Bb]uild[Ll]og.* 56 | 57 | *_i.c 58 | *_p.c 59 | *.ilk 60 | *.meta 61 | *.obj 62 | *.pch 63 | *.pdb 64 | *.pgc 65 | *.pgd 66 | *.rsp 67 | *.sbr 68 | *.tlb 69 | *.tli 70 | *.tlh 71 | *.tmp 72 | *.tmp_proj 73 | *.log 74 | *.vspscc 75 | *.vssscc 76 | .builds 77 | *.pidb 78 | *.log 79 | *.scc 80 | 81 | # Visual C++ cache files 82 | ipch/ 83 | *.aps 84 | *.ncb 85 | *.opensdf 86 | *.sdf 87 | *.cachefile 88 | 89 | # Visual Studio profiler 90 | *.psess 91 | *.vsp 92 | *.vspx 93 | 94 | # Guidance Automation Toolkit 95 | *.gpState 96 | 97 | # ReSharper is a .NET coding add-in 98 | _ReSharper*/ 99 | *.[Rr]e[Ss]harper 100 | 101 | # TeamCity is a build add-in 102 | _TeamCity* 103 | 104 | # DotCover is a Code Coverage Tool 105 | *.dotCover 106 | 107 | # NCrunch 108 | *.ncrunch* 109 | .*crunch*.local.xml 110 | 111 | # Installshield output folder 112 | [Ee]xpress/ 113 | 114 | # DocProject is a documentation generator add-in 115 | DocProject/buildhelp/ 116 | DocProject/Help/*.HxT 117 | DocProject/Help/*.HxC 118 | DocProject/Help/*.hhc 119 | DocProject/Help/*.hhk 120 | DocProject/Help/*.hhp 121 | DocProject/Help/Html2 122 | DocProject/Help/html 123 | 124 | # Click-Once directory 125 | publish/ 126 | 127 | # Publish Web Output 128 | *.Publish.xml 129 | *.pubxml 130 | 131 | # NuGet Packages Directory 132 | ## TODO: If you have NuGet Package Restore enabled, uncomment the next line 133 | #packages/ 134 | 135 | # Windows Azure Build Output 136 | csx 137 | *.build.csdef 138 | 139 | # Windows Store app package directory 140 | AppPackages/ 141 | 142 | # Others 143 | sql/ 144 | *.Cache 145 | ClientBin/ 146 | [Ss]tyle[Cc]op.* 147 | ~$* 148 | *~ 149 | *.dbmdl 150 | *.[Pp]ublish.xml 151 | *.pfx 152 | *.publishsettings 153 | 154 | # RIA/Silverlight 
projects 155 | Generated_Code/ 156 | 157 | # Backup & report files from converting an old project file to a newer 158 | # Visual Studio version. Backup files are not needed, because we have git ;-) 159 | _UpgradeReport_Files/ 160 | Backup*/ 161 | UpgradeLog*.XML 162 | UpgradeLog*.htm 163 | 164 | # SQL Server files 165 | App_Data/*.mdf 166 | App_Data/*.ldf 167 | 168 | ############# 169 | ## Windows detritus 170 | ############# 171 | 172 | # Windows image file caches 173 | Thumbs.db 174 | ehthumbs.db 175 | 176 | # Folder config file 177 | Desktop.ini 178 | 179 | # Recycle Bin used on file shares 180 | $RECYCLE.BIN/ 181 | 182 | # Mac crap 183 | .DS_Store 184 | 185 | 186 | ############# 187 | ## Python 188 | ############# 189 | 190 | *.py[co] 191 | 192 | # Packages 193 | *.egg 194 | *.egg-info 195 | dist/ 196 | build/ 197 | eggs/ 198 | parts/ 199 | var/ 200 | sdist/ 201 | develop-eggs/ 202 | .installed.cfg 203 | 204 | # Installer logs 205 | pip-log.txt 206 | 207 | # Unit test / coverage reports 208 | .coverage 209 | .tox 210 | 211 | #Translations 212 | *.mo 213 | 214 | #Mr Developer 215 | .mr.developer.cfg 216 | -------------------------------------------------------------------------------- /AlternativeCreateRemoteThread/AlternativeCreateRemoteThread.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {68CA9141-30D9-4D3A-8247-90CAC2E82E87} 23 | Win32Proj 24 | AlternativeCreateRemoteThread 25 | 26 | 27 | 28 | Application 29 | true 30 | Unicode 31 | 32 | 33 | Application 34 | true 35 | Unicode 36 | 37 | 38 | Application 39 | false 40 | true 41 | Unicode 42 | 43 | 44 | Application 45 | false 46 | true 47 | Unicode 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | true 67 | 68 | 69 | true 70 | 71 | 72 | false 73 | 74 | 75 | false 76 | 77 | 78 | 
79 | Use 80 | Level3 81 | Disabled 82 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 83 | MultiThreadedDebug 84 | 85 | 86 | Console 87 | true 88 | 89 | 90 | 91 | 92 | Use 93 | Level3 94 | Disabled 95 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 96 | MultiThreadedDebug 97 | 98 | 99 | Console 100 | true 101 | 102 | 103 | 104 | 105 | Level3 106 | Use 107 | MaxSpeed 108 | true 109 | true 110 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 111 | 112 | 113 | Console 114 | true 115 | true 116 | true 117 | 118 | 119 | 120 | 121 | Level3 122 | Use 123 | MaxSpeed 124 | true 125 | true 126 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 127 | 128 | 129 | Console 130 | true 131 | true 132 | true 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | Create 146 | Create 147 | Create 148 | Create 149 | 150 | 151 | 152 | 153 | 154 | -------------------------------------------------------------------------------- /API32DLL/API32DLL.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | Win32 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | {6C82082B-5A65-40BF-84FB-00FC6F38ACF4} 23 | Win32Proj 24 | API32DLL 25 | 26 | 27 | 28 | DynamicLibrary 29 | true 30 | Unicode 31 | 32 | 33 | DynamicLibrary 34 | true 35 | Unicode 36 | 37 | 38 | DynamicLibrary 39 | false 40 | true 41 | Unicode 42 | 43 | 44 | DynamicLibrary 45 | false 46 | true 47 | Unicode 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | true 67 | 68 | 69 | true 70 | 71 | 72 | false 73 | 74 | 75 | false 76 | 77 | 78 | 79 | Use 80 | Level3 81 | Disabled 82 | WIN32;_DEBUG;_WINDOWS;_USRDLL;API32DLL_EXPORTS;%(PreprocessorDefinitions) 83 | MultiThreadedDebug 84 | 85 | 86 | Windows 87 | true 88 | 89 | 90 | 91 | 92 | Use 93 | Level3 94 | Disabled 95 | WIN32;_DEBUG;_WINDOWS;_USRDLL;API32DLL_EXPORTS;%(PreprocessorDefinitions) 96 
| MultiThreadedDebug 97 | 98 | 99 | Windows 100 | true 101 | 102 | 103 | 104 | 105 | Level3 106 | Use 107 | MaxSpeed 108 | true 109 | true 110 | WIN32;NDEBUG;_WINDOWS;_USRDLL;API32DLL_EXPORTS;%(PreprocessorDefinitions) 111 | 112 | 113 | Windows 114 | true 115 | true 116 | true 117 | 118 | 119 | 120 | 121 | Level3 122 | Use 123 | MaxSpeed 124 | true 125 | true 126 | WIN32;NDEBUG;_WINDOWS;_USRDLL;API32DLL_EXPORTS;%(PreprocessorDefinitions) 127 | 128 | 129 | Windows 130 | true 131 | true 132 | true 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | false 146 | false 147 | 148 | 149 | 150 | 151 | false 152 | false 153 | 154 | 155 | 156 | 157 | 158 | 159 | Create 160 | Create 161 | Create 162 | Create 163 | 164 | 165 | 166 | 167 | 168 | -------------------------------------------------------------------------------- /AlternativeCreateRemoteThread/AlternativeCreateRemoteThread.cpp: -------------------------------------------------------------------------------- 1 | // AlternativeCreateRemoteThread.cpp : Defines the entry point for the console application. 
//

#include "stdafx.h"

//
// FindStringAndGetVA
//
// Reads the whole file lpszFileName into a heap buffer, scans it byte by byte
// for a position whose NUL-terminated contents compare equal (case-insensitive,
// _stricmp) to szASCIIString, and converts that file offset into the RVA the
// bytes will have once the image is mapped, using the section table
// (PointerToRawData / SizeOfRawData -> VirtualAddress).
//
// Returns the RVA, or 0 when the file cannot be opened or read, or the string
// is not found. If the offset lies before the first section, or the DOS/NT
// signatures do not validate, the raw file offset is returned unchanged.
//
// NOTE(review): the image is parsed as a 32-bit PE (PIMAGE_NT_HEADERS32) and
// pointers are narrowed with (DWORD) casts, so this is only meaningful in a
// 32-bit build. The section table is located with sizeof(IMAGE_NT_HEADERS32)
// rather than FileHeader.SizeOfOptionalHeader, which presumes a standard-size
// optional header.
// NOTE(review): _stricmp runs until it meets a NUL, so near the end of the
// buffer it can read past lpBuffer + dwSize; the new[] result is not guarded.
//
DWORD FindStringAndGetVA( LPWSTR lpszFileName, const char * szASCIIString )
{
    HANDLE hFile = NULL;
    DWORD dwSize = 0;
    DWORD dwNumberOfBytesRead = 0;
    LPBYTE lpBuffer = NULL;
    char *szString = NULL;
    DWORD dwStringOffset = 0;      // file offset of the match, 0 == not found
    DWORD dwStringOffsetVA = 0;    // return value: RVA of the match
    PIMAGE_DOS_HEADER pDosHeader = NULL;
    PIMAGE_NT_HEADERS32 pNtHeader = NULL;
    PIMAGE_SECTION_HEADER pSection = NULL;

    //
    // loads file into the memory and re-calculates the virtual offset for the string
    //
    hFile = CreateFileW( lpszFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL );
    if ( hFile != INVALID_HANDLE_VALUE )
    {
        //
        // load file
        //
        dwSize = GetFileSize( hFile, NULL );
        lpBuffer = new BYTE[ dwSize ];
        if ( ReadFile( hFile, lpBuffer, dwSize, &dwNumberOfBytesRead, NULL ) && dwNumberOfBytesRead == dwSize )
        {
            //
            // find string
            //
            for ( DWORD n = 0; n < dwSize; n++ )
            {
                //
                // search for this string ( yes I know, its not the best but whatever... )
                //
                // A match requires the bytes at n to form exactly szASCIIString
                // followed by a NUL, so the target also matches as the tail of a
                // longer NUL-terminated string in the file.
                //
                szString = (char*)(lpBuffer + n);
                if ( szString && _stricmp( szString, szASCIIString ) == 0 )
                {
                    dwStringOffset = (DWORD)szString - (DWORD)lpBuffer;
                    break;
                }
            }

            //
            // recalculate FileOffset to VA
            //
            if ( dwStringOffset )
            {
                dwStringOffsetVA = dwStringOffset;
                pDosHeader = (PIMAGE_DOS_HEADER)lpBuffer;
                if ( pDosHeader && pDosHeader->e_magic == IMAGE_DOS_SIGNATURE )
                {
                    pNtHeader = (PIMAGE_NT_HEADERS32) ((DWORD_PTR)lpBuffer + (DWORD_PTR)(pDosHeader->e_lfanew) );
                    if ( pNtHeader && pNtHeader->Signature == IMAGE_NT_SIGNATURE )
                    {
                        //
                        // scan sections
                        //
                        for ( WORD n = 0; n < pNtHeader->FileHeader.NumberOfSections; n++ )
                        {
                            pSection = (PIMAGE_SECTION_HEADER)( (DWORD_PTR)lpBuffer + pDosHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS32) + (n * sizeof(IMAGE_SECTION_HEADER) ) );
                            if ( pSection && dwStringOffset >= pSection->PointerToRawData && dwStringOffset < (pSection->PointerToRawData + pSection->SizeOfRawData) )
                            {
                                dwStringOffsetVA = dwStringOffset - pSection->PointerToRawData + pSection->VirtualAddress;
                                break;
                            }
                            else if ( n == 0 && dwStringOffset < pSection->PointerToRawData )
                            {
                                // stop if offset is < first section
                                // (the raw offset set above is then returned as-is)
                                break;
                            }
                        }
                    }
                }
            }
        }
        delete[] lpBuffer;
        CloseHandle( hFile );
    }
    return dwStringOffsetVA;
}

//
// RemoteLoadLibraryUserland
//
// Walks the process snapshot for an entry whose szExeFile matches
// szProcessName, takes the first module reported for that process
// (Module32First), locates szDLLName inside that module's on-disk image
// (FindStringAndGetVA) and rebases the RVA onto me.hModule. It then opens the
// process with PROCESS_ALL_ACCESS and starts a remote thread whose start
// address is the local address of kernel32!LoadLibraryA and whose argument is
// that pointer, and waits for the thread to finish. Nothing is written into
// the target: the DLL name must already exist, NUL-terminated, in the
// target's mapped image.
//
// Returns TRUE only when the remote thread was created and has completed;
// the thread's own exit code (LoadLibraryA's result) is not inspected.
//
// NOTE(review): the name match uses wcslen( pe.szExeFile ) as the comparison
// length, so any szProcessName that merely begins with the enumerated name
// also matches; the first such process wins.
// NOTE(review): the LoadLibraryA address resolved in this process is used
// unchanged in the target, and me.hModule is truncated to a DWORD, which
// presumes a 32-bit target with kernel32 at the same base - TODO confirm.
// Detection note: enabling SeDebugPrivilege, OpenProcess( PROCESS_ALL_ACCESS )
// and CreateRemoteThread with kernel32!LoadLibraryA as the start address is the
// classic remote-thread DLL-load pattern; remote-thread-creation telemetry
// (e.g. Sysmon event 8) and the subsequent image load of the named DLL in the
// target process are the observable artifacts.
//
BOOL RemoteLoadLibraryUserland( const WCHAR * szProcessName, const char * szDLLName )
{
    BOOL fResult = FALSE;
    HANDLE hSnapshot = NULL, hSnapshot2 = NULL;
    PROCESSENTRY32W pe = { 0 };
    MODULEENTRY32W me = { 0 };
    HANDLE hProcess = NULL, hThread = NULL;
    DWORD dwThreadId = 0;
    FARPROC fLoadLibrary = NULL;
    DWORD dwOffsetForMyDLLString = 0;  // RVA from FindStringAndGetVA, then absolute after += hModule


    //
    // find process where we want to inject our DLL
    //

    hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    if ( hSnapshot != INVALID_HANDLE_VALUE )
    {
        pe.dwSize = sizeof(PROCESSENTRY32W);
        if ( Process32FirstW( hSnapshot, &pe ) )
        {
            do
            {
                //
                // find process
                //
                if ( _wcsnicmp( pe.szExeFile, szProcessName, wcslen(pe.szExeFile) ) == 0 )
                {
                    //
                    // search as next for one thread in this process and open it
                    //
                    hSnapshot2 = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, pe.th32ProcessID );
                    if ( hSnapshot2 != INVALID_HANDLE_VALUE )
                    {
                        me.dwSize = sizeof(MODULEENTRY32W);
                        // only the first module entry is examined
                        if ( Module32First( hSnapshot2, &me ) )
                        {
                            //
                            // search our DLL string in this module
                            //
                            dwOffsetForMyDLLString = FindStringAndGetVA( me.szExePath, szDLLName );

                            if ( dwOffsetForMyDLLString )
                            {
                                //
                                // add the handle of the module to the offset and open process
                                //
                                dwOffsetForMyDLLString += (DWORD)me.hModule;

                                hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, pe.th32ProcessID );
                                if ( hProcess )
                                {
                                    //
                                    // and now simply execute the thread
                                    //
                                    fLoadLibrary = GetProcAddress( LoadLibraryW( L"KERNEL32.DLL" ), "LoadLibraryA" );
                                    if ( fLoadLibrary )
                                    {
                                        hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)fLoadLibrary, (LPVOID)dwOffsetForMyDLLString, 0, &dwThreadId );
                                        if ( hThread )
                                        {
                                            WaitForSingleObject( hThread, INFINITE );
                                            fResult = TRUE;
                                            CloseHandle( hThread );
                                        }
                                    }
                                    CloseHandle( hProcess );
                                }
                            }
                        }
                        CloseHandle( hSnapshot2 );
                    }
                    break;
                }
            } while ( Process32NextW( hSnapshot, &pe ) );
        }
        CloseHandle( hSnapshot );
    }
    return fResult;
}

//
// RemoteFreeLibrary
//
// Finds szProcessName the same way RemoteLoadLibraryUserland does, then walks
// that process's module list (Module32First / Module32Next) for an entry whose
// szModule matches szModuleName (same prefix-length caveat), opens the process
// with PROCESS_ALL_ACCESS and runs kernel32!FreeLibrary in it via
// CreateRemoteThread, passing that module's hModule as the argument.
//
// Returns TRUE once the remote thread was created and has completed; the
// result of FreeLibrary itself is not inspected.
//
BOOL RemoteFreeLibrary( const WCHAR * szProcessName, const WCHAR * szModuleName )
{
    BOOL fResult = FALSE;
    HANDLE hSnapshot = NULL, hSnapshot2 = NULL;
    PROCESSENTRY32W pe = { 0 };
    MODULEENTRY32W me = { 0 };
    HANDLE hProcess = NULL, hThread = NULL;
    HMODULE hFreeModule = NULL;    // module handle as seen inside the target
    DWORD dwThreadId = 0;
    FARPROC fFreeLibrary = NULL;

    //
    // find process where we want to inject our DLL
    //

    hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    if ( hSnapshot != INVALID_HANDLE_VALUE )
    {
        pe.dwSize = sizeof(PROCESSENTRY32W);
        if ( Process32FirstW( hSnapshot, &pe ) )
        {
            do
            {
                //
                // find process
                //
                if ( _wcsnicmp( pe.szExeFile, szProcessName, wcslen(pe.szExeFile) ) == 0 )
                {
                    //
                    // search as next for one thread in this process and open it
                    //
                    hSnapshot2 = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, pe.th32ProcessID );
                    if ( hSnapshot2 != INVALID_HANDLE_VALUE )
                    {
                        me.dwSize = sizeof(MODULEENTRY32W);
                        if ( Module32First( hSnapshot2, &me ) )
                        {
                            do
                            {
                                if ( _wcsnicmp( me.szModule, szModuleName, wcslen(me.szModule) ) == 0 )
                                {
                                    //
                                    // open process
                                    //
                                    hFreeModule = me.hModule;
                                    hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, pe.th32ProcessID );
                                    if ( hProcess )
                                    {
                                        //
                                        // and now simply execute the thread
                                        //
                                        fFreeLibrary = GetProcAddress( LoadLibraryW( L"KERNEL32.DLL" ), "FreeLibrary" );
                                        if ( fFreeLibrary )
                                        {
                                            hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)fFreeLibrary, (LPVOID)hFreeModule, 0, &dwThreadId );
                                            if ( hThread )
                                            {
                                                WaitForSingleObject( hThread, INFINITE );
                                                fResult = TRUE;
                                                CloseHandle( hThread );
                                            }
                                        }
                                        CloseHandle( hProcess );
                                    }
                                    break;
                                }
                            } while ( Module32Next( hSnapshot2, &me ) );
                        }
                        CloseHandle( hSnapshot2 );
                    }
                    break;
                }
            } while ( Process32NextW( hSnapshot, &pe ) );
        }
        CloseHandle( hSnapshot );
    }
    return fResult;
}

//
// SetDebugPrivileges
//
// Enables SE_DEBUG_NAME on the current process token.
// Returns TRUE when AdjustTokenPrivileges succeeds.
//
// NOTE(review): AdjustTokenPrivileges returns TRUE even when the privilege
// was not actually granted (GetLastError() == ERROR_NOT_ALL_ASSIGNED), so a
// TRUE result does not prove the process holds SeDebugPrivilege; the later
// OpenProcess calls can still fail.
//
BOOL SetDebugPrivileges()
{
    HANDLE hToken;
    TOKEN_PRIVILEGES tpPriv;
    BOOL fResult = FALSE;

    if ( OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
    {
        if ( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &tpPriv.Privileges[0].Luid ) )
        {
            tpPriv.PrivilegeCount = 1;
            tpPriv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            if ( AdjustTokenPrivileges( hToken, FALSE, &tpPriv, sizeof(TOKEN_PRIVILEGES), NULL, NULL ) )
            {
                fResult = TRUE;
            }
        }
        CloseHandle( hToken );
    }
    return fResult;
}

//
// _tmain
//
// Entry point: enables the debug privilege, loads API32.DLL into explorer.exe
// through RemoteLoadLibraryUserland, waits two seconds, then unloads it with
// RemoteFreeLibrary. Outcomes are only printed; the exit status is always 0.
//
// NOTE(review): DropDLL() in the comment below is not defined anywhere in this
// project - the comment only documents that the DLL is expected to already be
// at C:\WINDOWS\API32.DLL. The target name and DLL name are hard-coded.
//
int _tmain(int argc, _TCHAR* argv[])
{
    //
    // API32.DLL is the DLL we will inject. Why API32.DLL? Because this string is already in EXPLORER.EXE ( Windows XP SP3 ): ADVAPI32.DLL
    //
    // first you must drop your DLL to the right directory, e.g:
    //
    // DropDLL( "C:\\WINDOWS\\API32.DLL" );
    //
    // and later you can run this Code:
    //
    if ( !SetDebugPrivileges() )
        printf( "Warning: NO DEBUG PRIVILEGES!\n" );

    printf( "Userland RemoteLoadLibrary: " );
    if ( RemoteLoadLibraryUserland( L"explorer.exe", "API32.DLL" ) )
    {
        printf( "INJECTED\n" );
        Sleep( 2 * 1000 );

        printf( "Unloading DLL: " );
        if ( RemoteFreeLibrary( L"explorer.exe", L"API32.DLL" ) )
        {
            Sleep( 2 * 1000 );
            printf( "DLL UNLOADED!\n" );
        }
        else
        {
            printf( "FAILED!\n" );
        }
    }
    else
    {
        printf( "FAILED\n" );
    }

    return 0;
}

--------------------------------------------------------------------------------