Code:
#define _WIN32_WINNT 0x0500
#include <windows.h>
#include <ntdef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
DWORD APCInject(PCHAR sProcName,PCHAR sDllName){
DWORD dRet=0;
//define type and pointer to function
typedef NTSTATUS (WINAPI *tNtMapViewOfSection)(HANDLE,HANDLE,LPVOID,ULONG,SIZE_T,LARGE_INTEGER*,SIZE_T*,SECTION_INHERIT,ULONG,ULONG);
tNtMapViewOfSection NtMapViewOfSection=(tNtMapViewOfSection)GetProcAddress(GetModuleHandle("ntdll.dll"),"NtMapViewOfSection");
if(!NtMapViewOfSection)return -1;
//create buffer
HANDLE hFile=CreateFileMapping(INVALID_HANDLE_VALUE,NULL,PAGE_READWRITE,0,strlen(sDllName)+1,NULL);
if(!hFile)return -2;
PCHAR hView=MapViewOfFile(hFile,FILE_MAP_ALL_ACCESS,0,0,0);
if(!hView){
CloseHandle(hFile);
return -3;
}else//set value to buffer
strcpy(hView,sDllName);
// Starting target process
PROCESS_INFORMATION pi;STARTUPINFO st;
ZeroMemory(&pi,sizeof(pi));
ZeroMemory(&st,sizeof(st));
st.cb=sizeof(STARTUPINFO);
//create suspended process
if(CreateProcess(sProcName,NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&st,&pi)){
LPVOID RemoteString=NULL;ULONG ViewSize=0;
if(NtMapViewOfSection(hFile,pi.hProcess,&RemoteString,0,0,NULL,&ViewSize,ViewShare,0,PAGE_READONLY)==0){
LPVOID nLoadLibrary=(LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
if(!QueueUserAPC((PAPCFUNC)nLoadLibrary,pi.hThread,(ULONG_PTR)RemoteString))
dRet=-6;
}else
dRet=-5;
ResumeThread(pi.hThread);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}else
dRet=-4;
UnmapViewOfFile(hView);
CloseHandle(hFile);
return dRet;
}
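/*
 * Entry point: launch hl.exe and inject C:\cheat.dll into it via APCInject,
 * then report the result. APCInject's failure codes are small negative ints
 * carried in a DWORD, so the value is cast back to int to match "%d"
 * (passing the DWORD directly is a format/argument type mismatch).
 */
int main(void){
    DWORD dwRet=APCInject("C:\\Games\\Counter-Strike\\hl.exe","C:\\cheat.dll");
    if(!dwRet){
        puts("Injection Ok!");
    }else{
        printf("Injection fail -> %d!",(int)dwRet);
    }
    /* system("pause") starts %COMSPEC% (cmd.exe) just to wait for a key,
     * which is both an extra process and an environment-dependent lookup.
     * Kept because it is what the original does; a getchar() prompt would
     * avoid the shell. */
    system("pause");
    return 0;
}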