Thread: Dll injection - QueueUserAPC

Very OLD.
Only works when the thread is in alerted state

Example:

Code:

#define _WIN32_WINNT 0x0500
#include <windows.h>
#include <ntdef.h>
 
DWORD APCInject(PCHAR sProcName,PCHAR sDllName){
  DWORD dRet=0;
  //define type and pointer to function
  typedef NTSTATUS (WINAPI *tNtMapViewOfSection)(HANDLE,HANDLE,LPVOID,ULONG,SIZE_T,LARGE_INTEGER*,SIZE_T*,SECTION_INHERIT,ULONG,ULONG);
  tNtMapViewOfSection NtMapViewOfSection=(tNtMapViewOfSection)GetProcAddress(GetModuleHandle("ntdll.dll"),"NtMapViewOfSection");
  if(!NtMapViewOfSection)return -1;
  //create buffer
  HANDLE hFile=CreateFileMapping(INVALID_HANDLE_VALUE,NULL,PAGE_READWRITE,0,strlen(sDllName)+1,NULL);
  if(!hFile)return -2;
  PCHAR hView=MapViewOfFile(hFile,FILE_MAP_ALL_ACCESS,0,0,0);
  if(!hView){
        CloseHandle(hFile);
        return -3;
  }else//set value to buffer
        strcpy(hView,sDllName);
  // Starting target process
  PROCESS_INFORMATION pi;STARTUPINFO st;
  ZeroMemory(&pi,sizeof(pi));
  ZeroMemory(&st,sizeof(st));
  st.cb=sizeof(STARTUPINFO);
  //create suspended process
  if(CreateProcess(sProcName,NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&st,&pi)){
        LPVOID RemoteString=NULL;ULONG ViewSize=0;
        if(NtMapViewOfSection(hFile,pi.hProcess,&RemoteString,0,0,NULL,&ViewSize,ViewShare,0,PAGE_READONLY)==0){
          LPVOID nLoadLibrary=(LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
          if(!QueueUserAPC((PAPCFUNC)nLoadLibrary,pi.hThread,(ULONG_PTR)RemoteString))
                dRet=-6;
        }else
          dRet=-5;
        ResumeThread(pi.hThread);
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
  }else
        dRet=-4;
  UnmapViewOfFile(hView);
  CloseHandle(hFile);
  return dRet;
}
 
int main(void){
  DWORD dwRet=APCInject("C:\\Games\\Counter-Strike\\hl.exe","C:\\cheat.dll");
  if(!dwRet)
        puts("Injection Ok!");
  else
        printf("Injection fail -> %d!",dwRet);
  system("pause");
  return 0;
}