 Injector (cmd line/unicode/xp/vista/w7)

Shagrath




PostSubject: Injector (cmd line/unicode/xp/vista/w7)   Sun Oct 18, 2009 6:06 am

Needed an injector that worked for Vista and Windows 7. You literally just need to paste this into an empty Win32 Unicode project. The code will create an ini file if one doesn't exist. You can also easily add an old-style injection method for Windows 2000 and below, since I didn't bother. Like the OGC injector, it will inject a DLL with the same name as the injector exe:
Code:
PathRemoveBlanks(szTargetFile);

        GetPrivateProfileString(L"Target Injection", L"CommandLine", NULL, szTargetCmdLine, sizeof(szTargetCmdLine), szInjectCfg);
    }

    // Prompt for target path if its invalid
    if(PathFileExists(szTargetFile) == false)
    {
        if(PromptForFile(szTargetFile, L"Executables\0*.exe\0\0",  L"Browse to the target executable") == false)
        {
            MessageBox(GetForegroundWindow(), L"You didn't select a target executable!", L"Error", MB_ICONERROR|MB_TOPMOST);
            return 0;
        }
    }

    // Write path to cfg
    WritePrivateProfileString(L"Target Injection", L"Path", szTargetFile, szInjectCfg);

    // Check if dll exists
    if(PathFileExists(szInjectDll) == false)
    {
        wchar_t wcMsg[128];
        wsprintf(wcMsg, L"Could not find %s.dll to inject!\0", szInjectName);
        MessageBox(GetForegroundWindow(), wcMsg, L"Error", MB_ICONERROR|MB_TOPMOST);
        return 0;
    }

    // Create target process
    ZeroMemory(&si, sizeof(si));
    ZeroMemory(&pi, sizeof(pi));
    si.cb = sizeof(si);

    wcscpy_s(wcsTargetPathOnly, szTargetFile);
    RemoveFilenameFromPath(wcsTargetPathOnly, wcslen(wcsTargetPathOnly));

    if(CreateProcess(szTargetFile, szTargetCmdLine, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, wcsTargetPathOnly, &si, &pi) == false)
    {
        MessageBox(GetForegroundWindow(), L"Failed to create the target process!", L"Error", MB_ICONERROR|MB_TOPMOST);
        return 0;
    }

    // Inject the dll
    if(InjectDll(szInjectDll, wcslen(szInjectDll), &pi) != 0)
    {
        MessageBox(GetForegroundWindow(), L"Failed to inject the dll!", L"Error", MB_ICONERROR|MB_TOPMOST);
        TerminateProcess(pi.hProcess, -1);
        return 0;
    }

    // Allow the target to run
    ResumeThread(pi.hThread);

    // Cleanup
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);

    return 0;
}

// Cuts a path down to its directory part, in place.
//
// Scans backwards from index `len` for the last backslash and writes a
// terminator right after it, so "C:\dir\file.exe" becomes "C:\dir\".
// The string is left untouched when no backslash is found at an index
// greater than zero (index 0 is never examined).
//
// pcwsPath: writable, NUL-terminated wide string.
// len:      index to start scanning from; the visible caller passes
//           wcslen(pcwsPath), so the scan starts on the terminator.
void RemoveFilenameFromPath(wchar_t *pcwsPath, size_t len)
{
    size_t idx = len;

    for(; idx != 0; --idx)
    {
        if(pcwsPath[idx] == '\\')
            break;
    }

    // idx == 0 means the scan ran out without a hit; nothing to cut.
    if(idx == 0)
        return;

    pcwsPath[idx + 1] = '\0';
}

// Shows the standard "Open" dialog and stores the chosen path in
// pszSelectedFile.
//
// pszSelectedFile: receives the selection. nMaxFile is fixed at MAX_PATH,
//                  so the buffer must hold at least MAX_PATH wide chars.
//                  NOTE(review): the dialog API also reads this buffer to
//                  pre-fill the file name box, so it should presumably hold
//                  a valid string (or be empty) on entry - confirm at the
//                  call site.
// pszFilter:       double-NUL-terminated filter list (lpstrFilter).
// pszTitle:        dialog caption.
//
// Returns true when GetOpenFileName reports a selection, false when it
// returns 0 (cancelled or failed).
bool PromptForFile(wchar_t *pszSelectedFile, wchar_t *pszFilter, wchar_t *pszTitle)
{
    OPENFILENAMEW dlg;
    memset(&dlg, 0, sizeof(dlg));

    dlg.lStructSize  = sizeof(dlg);
    dlg.hInstance    = g_hInstance;

    // Output buffer and its capacity in characters.
    dlg.lpstrFile    = pszSelectedFile;
    dlg.nMaxFile     = MAX_PATH;

    // What the dialog shows.
    dlg.lpstrTitle   = pszTitle;
    dlg.lpstrFilter  = pszFilter;
    dlg.nFilterIndex = 1;

    // Only accept names of files that exist.
    dlg.Flags        = OFN_FILEMUSTEXIST;

    if(GetOpenFileName(&dlg) == 0)
        return false;

    return true;
}

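// Makes the process in ppi load the DLL at pszDllPath: the path is copied
// into memory allocated inside that process, then a thread is started there
// at LoadLibraryW with the copied path as its argument.
//
// pszDllPath: wide-character path of the DLL.
// len:        length of pszDllPath in characters, without the terminator.
// ppi:        process information; only ppi->hProcess is used here.
//
// Returns 0 once the remote thread has finished within 5 seconds, otherwise
// the step that failed: 1 allocation, 2 LoadLibraryW lookup, 3 write,
// 4 thread creation, 5 wait.
// NOTE(review): 0 only means the remote thread ended; the thread's exit
// code is never read, so a DLL that failed to load is still reported as 0.
//
// The cross-process allocate / write / remote-thread sequence used here is
// what endpoint monitoring typically records for this technique (for
// example Sysmon's CreateRemoteThread event, ID 8).
int InjectDll(wchar_t *pszDllPath, size_t len, PROCESS_INFORMATION *ppi)
{
    HANDLE hRemoteThread;
    FARPROC lpLocLoadLibraryW;
    LPVOID lpRemoteMem;
    // WriteProcessMemory reports its count through a SIZE_T*, not a DWORD*.
    SIZE_T nBytesWritten = 0;

    // Bytes to copy: the path plus its terminating NUL.
    size_t nWriteSize = (len + 1) * sizeof(wchar_t);

    // Alloc remote mem
    if((lpRemoteMem = VirtualAllocEx(ppi->hProcess, NULL, nWriteSize, MEM_COMMIT, PAGE_READWRITE)) == NULL)
    {
        return 1;
    }

    // Get needed API addresses. The address is looked up in this process
    // and then used in the target.
    if((lpLocLoadLibraryW = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "LoadLibraryW")) == NULL)
    {
        // MEM_RELEASE requires a size of 0; with any other size the call
        // fails and the region is never released.
        VirtualFreeEx(ppi->hProcess, lpRemoteMem, 0, MEM_RELEASE);
        return 2;
    }

    // Write path to remote mem; a short write is treated as a failure.
    if(WriteProcessMemory(ppi->hProcess, lpRemoteMem, pszDllPath, nWriteSize, &nBytesWritten) == false
        || nBytesWritten != nWriteSize)
    {
        VirtualFreeEx(ppi->hProcess, lpRemoteMem, 0, MEM_RELEASE);
        return 3;
    }

    // Start the remote thread
    if((hRemoteThread = MyCreateRemoteThread(ppi->hProcess, lpLocLoadLibraryW, lpRemoteMem)) == NULL)
    {
        VirtualFreeEx(ppi->hProcess, lpRemoteMem, 0, MEM_RELEASE);
        return 4;
    }

    // Wait for the remote thread to finish
    if(WaitForSingleObject(hRemoteThread, 5000) != WAIT_OBJECT_0)
    {
        // The thread may still be reading the path, so the region is left
        // alone here; only the local thread handle is closed.
        CloseHandle(hRemoteThread);
        return 5;
    }

    // The thread handle was previously leaked on every path.
    CloseHandle(hRemoteThread);
    VirtualFreeEx(ppi->hProcess, lpRemoteMem, 0, MEM_RELEASE);
    return 0;
}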

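// Enables SeDebugPrivilege (SE_DEBUG_NAME) on the current process token.
//
// Returns 0 when AdjustTokenPrivileges reports success, otherwise the
// GetLastError() value of the call that failed.
//
// NOTE(review): AdjustTokenPrivileges can return success without enabling
// the privilege; GetLastError() is then ERROR_NOT_ALL_ASSIGNED. That case
// still returns 0 here, as it always did - callers that need the privilege
// should not treat 0 as proof that it is held.
// NOTE(review): a process handle returned by CreateProcess presumably
// already carries the access the visible injection path uses, so this
// privilege looks unnecessary for a self-created target - confirm against
// the caller before enabling it.
int SetDebugPrivileges()
{
    DWORD err = 0;
    TOKEN_PRIVILEGES Debug_Privileges;
    if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &Debug_Privileges.Privileges[0].Luid)) return GetLastError();

    Debug_Privileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    Debug_Privileges.PrivilegeCount = 1;

    HANDLE hToken = NULL;
    if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        // No token was opened, so there is nothing to close.
        return GetLastError();
    }

    if(!AdjustTokenPrivileges(hToken, false, &Debug_Privileges, 0, NULL, NULL))
    {
        err = GetLastError();
    }

    // Close the token on every path; it used to leak when the call succeeded.
    CloseHandle(hToken);

    return err;
}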

// Starts a thread in hProcess by calling the ntdll export
// "NtCreateThreadEx", which is resolved at run time with GetProcAddress.
//
// hProcess:            handle of the process that gets the new thread.
// lpRemoteThreadStart: start address, passed on as the thread routine.
// lpRemoteCallback:    value passed on as the thread parameter.
//
// Returns the new thread handle, or NULL when the export is missing or the
// call reports failure.
//
// NOTE(review): this wrapper has the same name as the export it resolves;
// the export is only ever reached through the looked-up pointer.
HANDLE NtCreateThreadEx(HANDLE hProcess, LPVOID lpRemoteThreadStart, LPVOID lpRemoteCallback)
{
        // Extra argument block passed as the last parameter. Nothing on
        // this page says what the fields mean; the values below are used
        // as given.
        // NOTE(review): every scalar field is a ULONG, so this layout
        // presumably matches a 32-bit build only - confirm before x64 use.
        typedef struct
        {
            ULONG Length;
            ULONG Unknown1;
            ULONG Unknown2;
            PULONG Unknown3;
            ULONG Unknown4;
            ULONG Unknown5;
            ULONG Unknown6;
            PULONG Unknown7;
            ULONG Unknown8;

        } UNKNOWN;

        // Hand-written prototype for the export.
        // NOTE(review): the return type is declared as DWORD and the result
        // is tested with SUCCEEDED() below - verify against the real
        // signature.
        typedef DWORD WINAPI NtCreateThreadEx_PROC(
            PHANDLE ThreadHandle,
            ACCESS_MASK DesiredAccess,
            LPVOID ObjectAttributes,
            HANDLE ProcessHandle,
            LPTHREAD_START_ROUTINE lpStartAddress,
            LPVOID lpParameter,
            BOOL CreateSuspended,
            DWORD dwStackSize,
            DWORD Unknown1,
            DWORD Unknown2,
            LPVOID Unknown3
        );

        UNKNOWN Buffer;
        // Locals that Unknown3 and Unknown7 point at.
        DWORD dw0 = 0;
        DWORD dw1 = 0;
        memset(&Buffer, 0, sizeof(UNKNOWN));

        // Unknown8 is not assigned and stays 0 from the memset above.
        Buffer.Length = sizeof (UNKNOWN);
        Buffer.Unknown1 = 0x10003;
        Buffer.Unknown2 = 0x8;
        Buffer.Unknown3 = &dw1;
        Buffer.Unknown4 = 0;
        Buffer.Unknown5 = 0x10004;
        Buffer.Unknown6 = 4;
        Buffer.Unknown7 = &dw0;

        NtCreateThreadEx_PROC* VistaCreateThread = (NtCreateThreadEx_PROC*) GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtCreateThreadEx");

        // Export not present in this ntdll: report failure to the caller.
        if(VistaCreateThread == NULL)
            return NULL;

        HANDLE hRemoteThread = NULL;
        HRESULT hRes = 0;

        // CreateSuspended is FALSE; the stack size and the two DWORD
        // "unknown" arguments are passed as NULL, i.e. 0.
        if(!SUCCEEDED(hRes = VistaCreateThread(
                &hRemoteThread,
                0x1FFFFF, // all access
                NULL,
                hProcess,
                (LPTHREAD_START_ROUTINE)lpRemoteThreadStart,
                lpRemoteCallback,
                FALSE,
                NULL,
                NULL,
                NULL,
                &Buffer
                )))
        {
            return NULL;
        }

        // Closing this handle is left to the caller.
        return hRemoteThread;
}

// Starts a thread in hProcess at lpRemoteThreadStart with lpRemoteCallback
// as its parameter.
//
// Uses the file's NtCreateThreadEx wrapper when ntdll.dll exports a
// function of that name, and the documented CreateRemoteThread otherwise.
// Returns the thread handle, or NULL on failure.
HANDLE MyCreateRemoteThread(HANDLE hProcess, LPVOID lpRemoteThreadStart, LPVOID lpRemoteCallback)
{
    HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
    FARPROC pfnNative = GetProcAddress(hNtdll, "NtCreateThreadEx");

    // No native export available: fall back to the documented API.
    if(pfnNative == NULL)
    {
        return CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpRemoteThreadStart, lpRemoteCallback, 0, 0);
    }

    return NtCreateThreadEx(hProcess, lpRemoteThreadStart, lpRemoteCallback);
}
Thanks to Sinner
SUXXX
Admin
Admin



PostSubject: Re: Injector (cmd line/unicode/xp/vista/w7)   Mon Oct 19, 2009 9:43 am

thanks bro!
Shagrath




PostSubject: Re: Injector (cmd line/unicode/xp/vista/w7)   Thu Oct 22, 2009 6:02 am

you're welcome :)