Windows-Rootkits/LoadImageCallBack/inject/Inject/Inject.cpp

// Inject.cpp : <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>̨Ӧ<CCA8>ó<EFBFBD><C3B3><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ڵ㡣
//

#include "stdafx.h"
#include "Inject.h"
#include <Windows.h>
#ifdef _DEBUG
#define new DEBUG_NEW
#endif


// Ψһ<CEA8><D2BB>Ӧ<EFBFBD>ó<EFBFBD><C3B3><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>

CWinApp theApp;

using namespace std;

BOOL EnableDebugPrivilege();

VOID InjectDll(ULONG_PTR ProcessID);
BOOL InjectDllByRemoteThread(const TCHAR* wzDllFile, ULONG_PTR ProcessId);
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
    int nRetCode = 0;
    ULONG_PTR ID = GetCurrentProcessId();
    cout<<"<EFBFBD><EFBFBD>ǰIDΪ:"<<ID<<endl;
    ULONG_PTR ProcessID = 0;

    EnableDebugPrivilege();

    printf("Input Inject ProcessID\r\n");

    cin>>ProcessID;

    InjectDll(ProcessID);

    getchar();
    getchar();

    return nRetCode;
}


VOID InjectDll(ULONG_PTR ProcessID)
{
    CString strPath;
#ifdef  _WIN64
    strPath =  L"Dll.dll";
#else
    strPath = L"Dll.dll";
#endif
    if (ProcessID == 0)
    {
        return;
    }
    if (PathFileExists(strPath))
    {
        WCHAR wzPath[MAX_PATH] = {0};
        GetCurrentDirectory(260,wzPath);
        wcsncat_s(wzPath, L"\\", 2);
        wcsncat_s(wzPath, strPath.GetBuffer(), strPath.GetLength());
        strPath.ReleaseBuffer();

        if (!InjectDllByRemoteThread(wzPath,ProcessID))    //Զ<><D4B6><EFBFBD>߳̽<DFB3><CCBD><EFBFBD>Inject
        {
            printf("Inject Fail\r\n");
        }
        else
        {
            printf("Inject Success\r\n");
        }
    }    
}


BOOL InjectDllByRemoteThread(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
{
    if (NULL == wzDllFile || 0 == ::_tcslen(wzDllFile) || ProcessId == 0 || -1 == _taccess(wzDllFile, 0))
    {
        return FALSE;
    }
    HANDLE                 hProcess = NULL;
    HANDLE                 hThread  = NULL;
    DWORD                  dwRetVal    = 0;
    LPTHREAD_START_ROUTINE FuncAddress = NULL;
    DWORD  dwSize = 0;
    TCHAR* VirtualAddress = NULL;

    //<2F><><EFBFBD><EFBFBD>Ŀ<EFBFBD><C4BF><EFBFBD><EFBFBD><EFBFBD>̾<EFBFBD><CCBE><EFBFBD>
    hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE, ProcessId);

    if (NULL == hProcess)
    {
        printf("Open Process Fail LastError [%d]\r\n", GetLastError());
        return FALSE;
    }

    // <20><>Ŀ<EFBFBD><C4BF><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>з<EFBFBD><D0B7><EFBFBD><EFBFBD>ڴ<EFBFBD><DAB4>ռ<EFBFBD>
    dwSize = (DWORD)::_tcslen(wzDllFile) + 1;
    VirtualAddress = (TCHAR*)::VirtualAllocEx(hProcess, NULL, dwSize * sizeof(TCHAR), 
        MEM_COMMIT,PAGE_READWRITE);
    if (NULL == VirtualAddress)
    {

        printf("Virtual Process Memory Fail LastError [%d]\r\n", GetLastError());
        CloseHandle(hProcess);
        return FALSE;
    }

    // <20><>Ŀ<EFBFBD><C4BF><EFBFBD><EFBFBD><EFBFBD>̵<EFBFBD><CCB5>ڴ<EFBFBD><DAB4>ռ<EFBFBD><D5BC><EFBFBD>д<EFBFBD><D0B4><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>(ģ<><C4A3><EFBFBD><EFBFBD>)
    if (FALSE == ::WriteProcessMemory(hProcess, VirtualAddress, (LPVOID)wzDllFile, dwSize * sizeof(TCHAR), NULL))
    {
        printf("Write Data Fail lastError [%d]\r\n", GetLastError());
        VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
        CloseHandle(hProcess);
        return FALSE;
    }

#ifdef _UNICODE
    FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
#else
    FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
#endif

    //<2F><>Ŀ<EFBFBD><C4BF><EFBFBD><EFBFBD><EFBFBD>̿<EFBFBD><CCBF><EFBFBD>һ<EFBFBD><D2BB><EFBFBD>߳<EFBFBD>  <20><> <20><><EFBFBD><EFBFBD>ִ<EFBFBD><D6B4>LoadLibrary(Address)   Address һ<><D2BB><EFBFBD>ǶԷ<C7B6><D4B7><EFBFBD><EFBFBD>ڴ<EFBFBD><DAB4><EFBFBD>ַ  
    hThread = ::CreateRemoteThread(hProcess, NULL, 0, FuncAddress, VirtualAddress, 0, NULL);

    //Loadlirbrar(LPPARAMDATA);
    if (NULL == hThread)
    {
        printf("CreateRemoteThread Fail LastError [%d]\r\n", GetLastError());

        VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
        CloseHandle(hProcess);
        return FALSE;
    }

    // <20>ȴ<EFBFBD>Զ<EFBFBD><D4B6><EFBFBD>߳̽<DFB3><CCBD><EFBFBD>
    WaitForSingleObject(hThread, INFINITE);
    // <20><><EFBFBD><EFBFBD>
    VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
    CloseHandle(hThread);
    CloseHandle(hProcess);

    return TRUE;
}




BOOL EnableDebugPrivilege()
{
    HANDLE hToken;   
    TOKEN_PRIVILEGES TokenPrivilege;
    LUID uID;

    if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
    {
        printf("OpenProcessToken is Error\n");

        return FALSE;
    }

    if (!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&uID))
    {
        printf("LookupPrivilegeValue is Error\n");

        return FALSE;
    }

    TokenPrivilege.PrivilegeCount = 1;
    TokenPrivilege.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    TokenPrivilege.Privileges[0].Luid = uID;

    //<2F><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ǽ<EFBFBD><C7BD>е<EFBFBD><D0B5><EFBFBD>Ȩ<EFBFBD><C8A8>
    if (!AdjustTokenPrivileges(hToken,false,&TokenPrivilege,sizeof(TOKEN_PRIVILEGES),NULL,NULL))
    {
        printf("AdjuestTokenPrivileges is Error\n");
        return  FALSE;
    }
    return TRUE;
}