├── LICENSE ├── README.md ├── Remote.cpp ├── Remote.h └── example.cpp /LICENSE: -------------------------------------------------------------------------------- 1 | This is free and unencumbered software released into the public domain. 2 | 3 | Anyone is free to copy, modify, publish, use, compile, sell, or 4 | distribute this software, either in source code form or as a compiled 5 | binary, for any purpose, commercial or non-commercial, and by any 6 | means. 7 | 8 | In jurisdictions that recognize copyright laws, the author or authors 9 | of this software dedicate any and all copyright interest in the 10 | software to the public domain. We make this dedication for the benefit 11 | of the public at large and to the detriment of our heirs and 12 | successors. We intend this dedication to be an overt act of 13 | relinquishment in perpetuity of all present and future rights to this 14 | software under copyright law. 15 | 16 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 17 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 18 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 19 | IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR 20 | OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, 21 | ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR 22 | OTHER DEALINGS IN THE SOFTWARE. 23 | 24 | For more information, please refer to 25 | 26 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | RemoteFunctions 2 | =============== 3 | 4 | LoadLibrary, GetModuleHandle and GetProcAddress calls for remote processes 5 | -------------------------------------------------------------------------------- /Remote.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "Remote.h" 3 | 4 | namespace Remote 5 | { 6 | namespace Allocate 7 | { 8 | void* Alloc( HANDLE hProcess, size_t Size ) 9 | { 10 | return VirtualAllocEx( hProcess, NULL, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE ); 11 | } 12 | 13 | void* Commit( HANDLE hProcess, void* Data, size_t Size ) 14 | { 15 | void* AllocatedPointer = Alloc( hProcess, Size ); 16 | 17 | if( AllocatedPointer ) 18 | { 19 | if( WriteProcessMemory( hProcess, AllocatedPointer, Data, Size, NULL ) == TRUE ) 20 | { 21 | return AllocatedPointer; 22 | } 23 | 24 | Free( hProcess, AllocatedPointer, Size ); 25 | } 26 | 27 | return NULL; 28 | } 29 | 30 | void Free( HANDLE hProcess, void* Data, size_t Size ) 31 | { 32 | VirtualFreeEx( hProcess, Data, Size, MEM_RELEASE ); 33 | } 34 | }; 35 | 36 | HANDLE GetRemoteProcessHandleA( char *pszProcessName ) 37 | { 38 | HANDLE tlh = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, NULL ); 39 | 40 | PROCESSENTRY32 proEntry; 41 | 42 | proEntry.dwSize = sizeof( PROCESSENTRY32 ); 43 | 44 | Process32First( tlh, &proEntry ); 45 | do 46 | { 47 | if( _stricmp( pszProcessName, proEntry.szExeFile ) == 0 ) 48 | { 49 | CloseHandle( tlh ); 50 | 51 | return OpenProcess( PROCESS_ALL_ACCESS, FALSE, proEntry.th32ProcessID ); 52 | } 53 | } 54 | while( Process32Next( tlh, &proEntry ) ); 55 | 56 | CloseHandle( tlh ); 57 | 58 | return INVALID_HANDLE_VALUE; 59 | } 60 | 61 | HMODULE GetRemoteModuleHandleA( HANDLE hProcess, const char *szModule ) 62 | { 63 | HANDLE tlh = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, GetProcessId( hProcess ) ); 64 | 65 | MODULEENTRY32 modEntry; 66 | 67 | modEntry.dwSize = sizeof( MODULEENTRY32 ); 68 | 69 | Module32First( tlh, &modEntry ); 70 | do 71 | { 72 | if( _stricmp( szModule, modEntry.szModule ) == 0 ) 73 | { 74 | CloseHandle( tlh ); 75 | 76 | return modEntry.hModule; 77 | } 78 | } 79 | while( Module32Next( tlh, &modEntry ) ); 80 | 81 | CloseHandle( tlh ); 82 | 83 | return NULL; 84 | } 85 | 86 | HMODULE RemoteLoadLibraryA( HANDLE hProcess, char *pszLibraryPath ) 87 | { 88 | unsigned long ulReturnValue = NULL; 89 | 90 | if( pszLibraryPath ) 91 | { 92 | FARPROC fpLoadLibraryARemote = GetRemoteProcAddress( hProcess, "Kernel32.dll", "LoadLibraryA" ); 93 | 94 | if( fpLoadLibraryARemote ) 95 | { 96 | void* AllocatedResult = Allocate::Alloc( hProcess, sizeof( unsigned long ) ); 97 | void* CommitedLibName = Allocate::Commit( hProcess, pszLibraryPath, strlen( pszLibraryPath ) + 1 ); 98 | 99 | if( CommitedLibName ) 100 | { 101 | unsigned char LoadLibraryAThreadBuffer[ 22 ] = 102 | { 103 | 0x68, 0x00, 0x00, 0x00, 0x00, //push lib name 104 | 0xB8, 0x00, 0x00, 0x00, 0x00, //mov eax, LoadLibraryA 105 | 0xFF, 0xD0, //call eax 106 | 0xA3, 0x00, 0x00, 0x00, 0x00, //mov result, eax 107 | 0x33, 0xC0, //xor eax, eax (eax = 0) 108 | 0xC2, 0x04, 0x00 //retn 4 109 | }; 110 | 111 | *( unsigned long* )( LoadLibraryAThreadBuffer + 0x01 ) = ( unsigned long ) CommitedLibName; 112 | *( unsigned long* )( LoadLibraryAThreadBuffer + 0x06 ) = ( unsigned long ) fpLoadLibraryARemote; 113 | *( unsigned long* )( LoadLibraryAThreadBuffer + 0x0D ) = ( unsigned long ) AllocatedResult; 114 | 115 | void* RemoteBufferToWrite = Allocate::Commit( hProcess, LoadLibraryAThreadBuffer, sizeof( LoadLibraryAThreadBuffer ) ); 116 | 117 | if( RemoteBufferToWrite ) 118 | { 119 | HANDLE hSpawnedThread = CreateRemoteThread( hProcess, 0, 0, ( LPTHREAD_START_ROUTINE ) RemoteBufferToWrite, 0, 0, 0 ); 120 | 121 | WaitForSingleObject( hSpawnedThread, INFINITE ); // Async.. 122 | 123 | ReadProcessMemory( hProcess, AllocatedResult, &ulReturnValue, sizeof( unsigned long ), NULL ); 124 | 125 | Allocate::Free( hProcess, RemoteBufferToWrite, sizeof( LoadLibraryAThreadBuffer ) ); 126 | } 127 | 128 | Allocate::Free( hProcess, CommitedLibName, strlen( pszLibraryPath ) + 1 ); 129 | } 130 | } 131 | } 132 | 133 | return reinterpret_cast< HMODULE >( ulReturnValue ); 134 | } 135 | 136 | FARPROC GetRemoteProcAddress( HANDLE hProcess, char *pszModuleName, char *pszProcName ) 137 | { 138 | FARPROC fpReturnValue = NULL; 139 | 140 | HMODULE hLocalKernel = GetModuleHandleA( "Kernel32.dll" ); 141 | 142 | if( hLocalKernel ) 143 | { 144 | HMODULE hRemoteKernel = GetRemoteModuleHandleA( hProcess, "Kernel32.dll" ); 145 | 146 | if( hRemoteKernel ) 147 | { 148 | unsigned long RemoteGetProcAddress = 149 | ( unsigned long ) hRemoteKernel + ( unsigned long )( ( unsigned long ) GetProcAddress - ( unsigned long ) hLocalKernel ); 150 | 151 | void* ResultOfGetProcAddress = Allocate::Alloc( hProcess, sizeof( unsigned long ) ); 152 | 153 | void* CommitedProcName = Allocate::Commit( hProcess, pszProcName, strlen( pszProcName ) + 1 ); 154 | 155 | if( ResultOfGetProcAddress && CommitedProcName ) 156 | { 157 | unsigned char GetProcAddressThreadBuffer[ 27 ] = 158 | { 159 | 0x68, 0x00, 0x00, 0x00, 0x00, //push proc name 160 | 0x68, 0x00, 0x00, 0x00, 0x00, //push module address 161 | 0xB8, 0x00, 0x00, 0x00, 0x00, //mov eax, GetProcAddress 162 | 0xFF, 0xD0, //call eax 163 | 0xA3, 0x00, 0x00, 0x00, 0x00, //mov result, eax 164 | 0x33, 0xC0, //xor eax, eax (eax = 0) 165 | 0xC2, 0x04, 0x00 //retn 4 166 | }; 167 | 168 | *( unsigned long* )( GetProcAddressThreadBuffer + 0x01 ) = ( unsigned long ) CommitedProcName; 169 | *( unsigned long* )( GetProcAddressThreadBuffer + 0x06 ) = ( unsigned long ) hRemoteKernel; 170 | *( unsigned long* )( GetProcAddressThreadBuffer + 0x0B ) = ( unsigned long ) RemoteGetProcAddress; 171 | *( unsigned long* )( GetProcAddressThreadBuffer + 0x12 ) = ( unsigned long ) ResultOfGetProcAddress; 172 | 173 | void* RemoteBufferToWrite = Allocate::Commit( hProcess, GetProcAddressThreadBuffer, sizeof( GetProcAddressThreadBuffer ) ); 174 | 175 | if( RemoteBufferToWrite ) 176 | { 177 | HANDLE hSpawnedThread = CreateRemoteThread( hProcess, 0, 0, ( LPTHREAD_START_ROUTINE ) RemoteBufferToWrite, 0, 0, 0 ); 178 | 179 | WaitForSingleObject( hSpawnedThread, INFINITE ); // Async.. 180 | 181 | ReadProcessMemory( hProcess, ResultOfGetProcAddress, &fpReturnValue, sizeof( unsigned long ), NULL ); 182 | 183 | Allocate::Free( hProcess, RemoteBufferToWrite, sizeof( GetProcAddressThreadBuffer ) ); 184 | } 185 | } 186 | 187 | if( ResultOfGetProcAddress ) 188 | { 189 | Allocate::Free( hProcess, ResultOfGetProcAddress, sizeof( unsigned long ) ); 190 | } 191 | 192 | if( CommitedProcName ) 193 | { 194 | Allocate::Free( hProcess, CommitedProcName, strlen( pszProcName ) + 1 ); 195 | } 196 | 197 | } 198 | } 199 | 200 | return fpReturnValue; 201 | } 202 | }; 203 | -------------------------------------------------------------------------------- /Remote.h: -------------------------------------------------------------------------------- 1 | #ifndef __REMOTE_HEADER__ 2 | #define __REMOTE_HEADER__ 3 | 4 | namespace Remote 5 | { 6 | namespace Allocate 7 | { 8 | void* Alloc( HANDLE hProcess, size_t Size ); 9 | void* Commit( HANDLE hProcess, void* Data, size_t Size ); 10 | void Free( HANDLE hProcess, void* Data, size_t Size ); 11 | }; 12 | 13 | HANDLE GetRemoteProcessHandleA( char *pszProcessName ); 14 | HMODULE GetRemoteModuleHandleA( HANDLE hProcess, const char *szModule ); 15 | HMODULE RemoteLoadLibraryA( HANDLE hProcess, char *pszLibraryPath ); 16 | FARPROC GetRemoteProcAddress( HANDLE hProcess, char *pszModuleName, char *pszProcName ); 17 | }; 18 | 19 | 20 | #endif //__REMOTE_HEADER__ 21 | -------------------------------------------------------------------------------- /example.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "Remote.h" 3 | 4 | DWORD WINAPI lpThreadForSpaceBar( LPVOID lpParam ) 5 | { 6 | while( ( GetAsyncKeyState( VK_SPACE ) & 1 ) == 0 ) 7 | { 8 | Sleep( 100 ); 9 | } 10 | 11 | return 0; 12 | } 13 | 14 | int _tmain(int argc, _TCHAR* argv[]) 15 | { 16 | HANDLE hCalculator = Remote::GetRemoteProcessHandleA( "calc.exe" ); 17 | 18 | if( hCalculator != INVALID_HANDLE_VALUE ) 19 | { 20 | FARPROC RemoteLoadLibraryA = Remote::GetRemoteProcAddress( hCalculator, "Kernel32.dll", "LoadLibraryA" ); 21 | 22 | if( RemoteLoadLibraryA ) 23 | { 24 | printf( "LoadLibraryA Address is [0x%X]\n", RemoteLoadLibraryA ); 25 | } 26 | else 27 | { 28 | printf( "LoadLibraryA Address was not found..\n" ); 29 | } 30 | 31 | HMODULE hRemoteUser32 = Remote::RemoteLoadLibraryA( hCalculator, "User32.dll" ); 32 | 33 | if( hRemoteUser32 ) 34 | { 35 | printf( "USER32.DLL Address is [0x%X][0x%X]\n", hRemoteUser32, GetModuleHandleA( "User32.dll" ) ); 36 | } 37 | else 38 | { 39 | printf( "USER32.DLL was not found..\n" ); 40 | } 41 | 42 | CloseHandle( hCalculator ); // Remember to close the handle from OpenProcess 43 | } 44 | else 45 | { 46 | printf( "Error opening process: INVALID_HANDLE_VALUE\n" ); 47 | } 48 | 49 | printf( "Press the space bar to continue...\n" ); 50 | 51 | WaitForSingleObject( CreateThread( 0, 0, lpThreadForSpaceBar, 0, 0, 0 ), INFINITE ); 52 | 53 | return 0; 54 | } 55 | --------------------------------------------------------------------------------