    DLL injection via QueueUserAPC

    Very old technique.
    It only works once the target thread enters an alertable state: user-mode APCs are delivered when a thread performs an alertable wait, and the example below relies on the primary thread of a CREATE_SUSPENDED process draining its APC queue as it starts up. The LoadLibraryA address is taken from the injecting process, so injector and target must be the same bitness and share kernel32's load address.

    Example:
    #define _WIN32_WINNT 0x0500
    #include <windows.h>
    #include <ntdef.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
     
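    /*
     * APCInject - start sProcName suspended and make its primary thread call
     * LoadLibraryA(sDllName) through a user-mode APC queued before the thread
     * has executed anything.
     *
     * sProcName: full path of the executable to launch (passed as
     *            lpApplicationName to CreateProcessA; no command-line tail).
     * sDllName:  NUL-terminated path of the DLL the target should load.
     *
     * Returns 0 on success, otherwise a small negative code stored in a DWORD
     * (callers compare against 0 and print it with a cast to int):
     *   -1  NtMapViewOfSection could not be resolved from ntdll
     *   -2  CreateFileMappingA failed (also returned for a NULL sDllName)
     *   -3  MapViewOfFile of the local view failed
     *   -4  CreateProcessA failed (also returned for a NULL sProcName)
     *   -5  NtMapViewOfSection into the target failed
     *   -6  LoadLibraryA could not be resolved or QueueUserAPC failed
     * On -5 and -6 the target has already been created and is resumed anyway,
     * so it keeps running without the DLL; terminate it yourself if that matters.
     *
     * NOTE(review) - assumptions this function cannot verify:
     *   - the LoadLibraryA address taken from this process is valid in the
     *     target, i.e. both are the same bitness and kernel32 sits at the same
     *     base in both (per-boot ASLR usually makes that so, but it is not a
     *     guarantee);
     *   - the APC is only run once the new thread reaches an alertable state;
     *     the technique relies on the primary thread doing so during start-up.
     */
    DWORD APCInject(PCHAR sProcName, PCHAR sDllName) {
        /* NtMapViewOfSection is exported by ntdll but not declared by the public
         * SDK, so it is resolved at run time. ZeroBits and ViewSize are
         * pointer-sized in the real prototype (ULONG_PTR / SIZE_T); declaring
         * them ULONG, as the original did, corrupts the stack on 64-bit builds. */
        typedef NTSTATUS (WINAPI *tNtMapViewOfSection)(HANDLE, HANDLE, PVOID *, ULONG_PTR,
                                                       SIZE_T, PLARGE_INTEGER, PSIZE_T,
                                                       SECTION_INHERIT, ULONG, ULONG);
        tNtMapViewOfSection pNtMapViewOfSection;
        HANDLE hSection;
        PCHAR localView;
        PROCESS_INFORMATION pi;
        STARTUPINFOA si;
        DWORD dRet = 0;

        if (sDllName == NULL) {
            return (DWORD)-2;   /* strlen(NULL) below would crash; report it as a mapping failure */
        }
        if (sProcName == NULL) {
            return (DWORD)-4;   /* CreateProcessA would reject it; fail before allocating anything */
        }

        pNtMapViewOfSection = (tNtMapViewOfSection)GetProcAddress(GetModuleHandleA("ntdll.dll"),
                                                                  "NtMapViewOfSection");
        if (pNtMapViewOfSection == NULL) {
            return (DWORD)-1;
        }

        /* Page-file-backed section holding the DLL path. It is written through a
         * local read/write view and read through a second, read-only view mapped
         * into the target, so nothing has to be written into the target directly. */
        hSection = CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0,
                                      (DWORD)(strlen(sDllName) + 1), NULL);
        if (hSection == NULL) {
            return (DWORD)-2;
        }
        localView = (PCHAR)MapViewOfFile(hSection, FILE_MAP_ALL_ACCESS, 0, 0, 0);
        if (localView == NULL) {
            CloseHandle(hSection);
            return (DWORD)-3;
        }
        /* The section was sized to exactly strlen+1 bytes, so this cannot overrun. */
        memcpy(localView, sDllName, strlen(sDllName) + 1);

        ZeroMemory(&pi, sizeof(pi));
        ZeroMemory(&si, sizeof(si));
        si.cb = sizeof(si);

        /* CREATE_SUSPENDED: the primary thread has not executed a single
         * user-mode instruction yet, so the APC queued below is pending when
         * it first starts running. Explicit -A variants keep this compiling in
         * UNICODE builds, where the original's char literals would not. */
        if (!CreateProcessA(sProcName, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED,
                            NULL, NULL, &si, &pi)) {
            dRet = (DWORD)-4;
        } else {
            PVOID remoteString = NULL;
            SIZE_T viewSize = 0;   /* SIZE_T, not ULONG: the kernel writes a pointer-sized value here */

            if (pNtMapViewOfSection(hSection, pi.hProcess, &remoteString, 0, 0, NULL,
                                    &viewSize, ViewShare, 0, PAGE_READONLY) != 0) {
                dRet = (DWORD)-5;
            } else {
                /* LoadLibraryA's address in *this* process is used as the APC
                 * routine in the target (see the kernel32 assumption above).
                 * PAPCFUNC takes one ULONG_PTR argument - the remote address of
                 * the path string - and LoadLibraryA's HMODULE return is ignored. */
                FARPROC pLoadLibraryA = GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
                if (pLoadLibraryA == NULL ||
                    !QueueUserAPC((PAPCFUNC)pLoadLibraryA, pi.hThread, (ULONG_PTR)remoteString)) {
                    dRet = (DWORD)-6;
                }
            }
            /* Resumed even on failure, as in the original contract: the caller
             * gets the error code and the target keeps running, uninjected. */
            ResumeThread(pi.hThread);
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
        }

        /* A mapped view keeps its section object alive, so releasing our handle
         * and local view does not pull the string out from under the target. */
        UnmapViewOfFile(localView);
        CloseHandle(hSection);
        return dRet;
    }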
     
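    /*
     * Entry point: inject a DLL into a freshly started process and report the
     * APCInject result code. With no arguments the original hard-coded example
     * paths are used; otherwise argv[1] is the executable and argv[2] the DLL.
     * Always exits 0, as before; the injection result is only printed.
     */
    int main(int argc, char **argv) {
        char *target = "C:\\Games\\Counter-Strike\\hl.exe";
        char *dll = "C:\\cheat.dll";
        DWORD dwRet;

        if (argc > 1) {
            target = argv[1];
        }
        if (argc > 2) {
            dll = argv[2];
        }

        dwRet = APCInject(target, dll);
        if (dwRet == 0) {
            puts("Injection Ok!");
        } else {
            /* APCInject stores small negative codes in a DWORD; cast back to int
             * so %d receives a matching type and still prints e.g. -4 as before. */
            printf("Injection fail -> %d!", (int)dwRet);
        }
        system("pause");   /* keep the console window open; Windows shell builtin */
        return 0;
    }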
