Creating a self-deleting Executable


} // delete process's executable file, Sleep A Bit and Retry if Required ...? While (! Rd-> deletefileptr (rd-> modulename)) RD-> SleEpptr (1000); // kill host also. Rd-> ExitProcessPtr (0); return 0;} int InjectCode () {int rc = -1; SIZE_T dummy = 0; LPVOID codeAddr = NULL; HANDLE hProcess = NULL, hThread = NULL; _RemoteData rd = {0}; CONTEXT cntxt = { 0}; startupinfo sui = {0}; process_information pi = {0}; sui.cb = sizeof (startupinfo); // Create a host process this will run out. If (! CreateProcess (null, "notepad.exe" , NULL, NULL, TRUE, NORMAL_PRIORITY_CLASS | CREATE_SUSPENDED, NULL, NULL, & sui, & pi)) {rc = 1; goto cleanup;} // luckily, PROCESS_INFORMATION returns to us precious handles ... hProcess = pi.hProcess; hThread = pi.hThread; // Allocate some memory for our thread function to be copied to the host process codeAddr = VirtualAllocEx (hProcess, NULL, MAX_CODE_SIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);. // XRW if (! codeAddr) {rc = 2; goto Cleanup;} // Get Pointers to Required Fun . Ctions rd.OpenProcessPtr = OpenProcess; rd.WaitForSingleObjectPtr = WaitForSingleObject; rd.CloseHandlePtr = CloseHandle; rd.DeleteFilePtr = DeleteFile; rd.SleepPtr = Sleep; rd.ExitProcessPtr = ExitProcess; // Pass our own process ID so the remote thread can wait for us to terminate rd.processID = GetCurrentProcessId ();. // Get our own executable path name so the remote thread can later delete us GetModuleFileName (NULL, rd.moduleName, MAX_PATH);. // Write the CODE into the process ! if (! WriteProcessMemory (HProcess, CodeAddr, (LPVOID) & INJECTEDTHREADPROC, MAX_CODE_SIZE, & DUMMY) {RC = 3; goto cleanup;

} If (! Dummy = MAX_CODE_SIZE) {rc = 4; goto cleanup;} // Get remote thread's context, so we can use it for our needs cntxt.ContextFlags = CONTEXT_FULL;. // We actually need ESP and EIP if (. ! GetThreadContext (hThread, & cntxt)) {rc = 5; goto cleanup;} // Change the EIP to point to the thread procedure we copied earlier // So when we assume running, our code will immediately start running cntxt.Eip.. = (DWORD) codeAddr; // Every thread function gets one argument, this will be a pointer to _RemoteData structure // Put the structure on the stack so the remote thread will be able to use it, make sure it's 4 bytes aligned.! cntxt.Esp - = sizeof (_RemoteData); // Make some room // Write it into the host process' stack space if (WriteProcessMemory (hProcess, (LPVOID) cntxt.Esp, (LPVOID) & rd, sizeof (_RemoteData..! ), & demmy)) {RC = 6; goto cleanup;} if (Dummy! = sizeof (_RemoteData)) {rc = 7; goto cleanup;} // Now push the ESP TO POINT TO The Structure We copied Above. // Just As Pushing a Point Er to rd So The Remote Thread Will Pop (or wherever usage of esp) This Pointer As ITS Argument and use it ... // cntxt.esp Points by Now To out 帖子 帖子 帖子 帖子 帖子 帖子 帖子 帖子The Stack and Writing It. if (! WriteProcessMemory (CNTXT.ESP - SIZEOF (DWORD)), (LPVOID) & CNTXT.ESP, SIZEOF (DWORD), & DUMMY)) {RC = 8; Goto Cleanup; } IF (Dummy! = SIZEOF (DWORD)) {rc = 9; goto cleanup;} // Remember That ESP is Always Advanced by One Dword After a Push, Something Like Atomic: MOV [ESP], DWVAL; SUB ESP, 4 . // advance it twice, because of the last writeprocessmemory. Cntxt.esp - = sizeof (dword) * 2; // after we '

