// DLL Injection Method1.cpp : Definiert den Einstiegspunkt für die Konsolenanwendung.
//
#include "stdafx.h"
#include <Windows.h>
/*
 * Assemble a 22-byte x86 (32-bit) stub that calls LoadLibraryA on a string
 * already placed in the target process, then returns to the hijacked
 * thread's original instruction pointer.
 *
 *   ret           original EIP of the suspended thread (the stub ends with
 *                 "push ret; ...; ret", so execution resumes there)
 *   str           remote address of the DLL path string, passed as the
 *                 single argument to LoadLibraryA
 *   shellcode     out: heap buffer holding the stub (malloc'd here, never
 *                 freed by the caller in this file)
 *   shellcodeSize out: always 22
 *
 * Review notes (defensive reading):
 *  - Pointer-to-int casts (ret, str, api) assume a 32-bit build and a
 *    32-bit target; the byte layout below is 32-bit x86 only.
 *  - LoadLibraryA is resolved in the injecting process and its address is
 *    embedded verbatim; this relies on kernel32.dll being mapped at the same
 *    base in the target process.
 *  - malloc() result is unchecked before memcpy(); the literal 22 is
 *    duplicated instead of using sizeof sc.
 *  - From a detection standpoint this stub is the "thread-hijack" payload
 *    shape: pushfd/pushad, call into LoadLibrary, popad/popfd, ret — the
 *    memory it lands in is not backed by any image on disk.
 */
void createShellcode(int ret, int str, unsigned char** shellcode, int* shellcodeSize)
{
/* Byte views of the three immediates so they can be spliced little-endian
 * into the instruction stream below. */
unsigned char* retChar = (unsigned char*) &ret;
unsigned char* strChar = (unsigned char*) &str;
/* Resolved locally; see the kernel32 base-address assumption above. */
int api = (int) GetProcAddress(LoadLibraryA("kernel32.dll"), "LoadLibraryA");
unsigned char* apiChar = (unsigned char*) &api;
unsigned char sc[] = {
// Push ret  (0x68 imm32: return address consumed by the final ret)
0x68, retChar[0], retChar[1], retChar[2], retChar[3],
// Push all flags (pushfd)
0x9C,
// Push all register (pushad)
0x60,
// Push 0x66666666 (later we convert it to the string of "C:\DLLInjectionTest.dll")
// 0x68 imm32: the remote string address, i.e. LoadLibraryA's lpLibFileName
0x68, strChar[0], strChar[1], strChar[2], strChar[3],
// Mov eax, 0x66666666 (later we convert it to LoadLibrary adress)
0xB8, apiChar[0], apiChar[1], apiChar[2], apiChar[3],
// Call eax
0xFF, 0xD0,
// Pop all register (popad)
0x61,
// Pop all flags (popfd)
0x9D,
// Ret  (pops the original EIP pushed first)
0xC3
};
/* 5+1+1+5+5+2+1+1+1 = 22 bytes; kept in sync with sc[] by hand. */
*shellcodeSize = 22;
*shellcode = (unsigned char*) malloc(22);
memcpy(*shellcode, sc, 22);
}
/*
 * Entry point: start "game.exe" suspended, inject a DLL path and the stub
 * from createShellcode(), redirect the main thread's EIP to the stub, and
 * resume it.
 *
 * Observable API sequence (what host telemetry / EDR keys on for this
 * technique — "suspended process + thread context hijack"):
 *   CreateProcessA(CREATE_SUSPENDED) -> VirtualAllocEx(PAGE_READWRITE)
 *   -> GetThreadContext -> VirtualAllocEx(PAGE_EXECUTE_READWRITE)
 *   -> WriteProcessMemory x2 -> SetThreadContext(Eip = remote RWX region)
 *   -> ResumeThread. The new EIP points into memory not backed by any
 *   mapped image, and the RWX allocation is made in a foreign process.
 *
 * Review notes:
 *  - No return value is checked (CreateProcessA, VirtualAllocEx,
 *    Get/SetThreadContext, WriteProcessMemory); a failed call leaves the
 *    target in an undefined state with no diagnostic.
 *  - printf("%X", <pointer>) mismatches the format specifier and argument
 *    type; "%p" is the correct specifier.
 *  - The (DWORD) cast of remote_shellcodePtr and the int casts passed to
 *    createShellcode() make this 32-bit-only.
 *  - Timing is by fixed Sleep() calls (1 s before hijack, 80 s after
 *    resume) rather than by synchronisation with the target.
 *  - shellcode is malloc'd by createShellcode() and never freed here; the
 *    process and thread handles in pi are never closed.
 */
int _tmain(int argc, char* argv[])
{
// Path to the DLL, which you want to inject
char dllPath[] = "C:\\DLLInjectionTest.dll";
unsigned char* shellcode;
int shellcodeLen;
LPVOID remote_dllStringPtr;
LPVOID remote_shellcodePtr;
CONTEXT ctx;
// Create Process SUSPENDED
PROCESS_INFORMATION pi;
STARTUPINFOA Startup;
ZeroMemory(&Startup, sizeof(Startup));
ZeroMemory(&pi, sizeof(pi));
CreateProcessA("game.exe", NULL, NULL, NULL, NULL, CREATE_SUSPENDED, NULL, NULL, &Startup, &pi);
/* Let the target run briefly so its loader has initialised, then stop it
 * again; the 1 s delay is a guess, not a synchronisation point. */
ResumeThread(pi.hThread);
Sleep(1000);
SuspendThread(pi.hThread);
printf("Allocating Remote Memory For DLL Path\n");
remote_dllStringPtr = VirtualAllocEx(pi.hProcess, NULL, strlen(dllPath)+1, MEM_COMMIT, PAGE_READWRITE);
printf("DLL Adress: %X\n", remote_dllStringPtr);
printf("Get EIP\n");
/* Only the control registers (EIP/ESP/EBP/flags/segments) are fetched; the
 * stub saves and restores the rest itself via pushad/popad. */
ctx.ContextFlags = CONTEXT_CONTROL;
GetThreadContext(pi.hThread, &ctx);
printf("EIP: %X\n", ctx.Eip);
printf("Build Shellcode\n");
/* Current EIP becomes the stub's return address; the remote string address
 * becomes LoadLibraryA's argument. */
createShellcode(ctx.Eip, (int) remote_dllStringPtr, &shellcode, &shellcodeLen);
printf ("Created Shellcode: \n");
for(int i=0; i<shellcodeLen; i++)
printf ("%X ", shellcode[i]);
printf("\n");
printf("Allocating Remote Memory For Shellcode\n");
/* RWX allocation in a remote process: a strong telemetry signal on its own. */
remote_shellcodePtr = VirtualAllocEx(pi.hProcess, NULL, shellcodeLen, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
printf("Shellcode Adress: %X\n", remote_shellcodePtr);
printf("Write DLL Path To Remote Process\n");
WriteProcessMemory(pi.hProcess, remote_dllStringPtr, dllPath, strlen(dllPath)+1, NULL);
printf("Write Shellcode To Remote Process\n");
WriteProcessMemory(pi.hProcess, remote_shellcodePtr, shellcode, shellcodeLen, NULL);
printf("Set EIP\n");
/* Thread hijack: instruction pointer redirected to the freshly written
 * region; the original EIP is reached again only via the stub's final ret. */
ctx.Eip = (DWORD)remote_shellcodePtr;
ctx.ContextFlags = CONTEXT_CONTROL;
SetThreadContext(pi.hThread, &ctx);
printf("Run The Shellcode\n");
ResumeThread(pi.hThread);
printf("Wait Till Code Was Executed\n");
/* Fixed 80 s wait; nothing confirms the stub actually ran or returned. */
Sleep(80000);
printf("Free Remote Resources\n");
/* MEM_DECOMMIT leaves the regions reserved; they are not released. */
VirtualFreeEx(pi.hProcess, remote_dllStringPtr, strlen(dllPath)+1, MEM_DECOMMIT);
VirtualFreeEx(pi.hProcess, remote_shellcodePtr, shellcodeLen, MEM_DECOMMIT);
return 0;
}