@kambala-decapitator
Created September 7, 2022 14:27
Inject DLL into Windows process
#include <Windows.h>
// State shared between DllMain and WindowProc for the single subclassed window.
struct Target {
HWND hwnd;        // window located by FindWindow in DllMain; NULL when none was found
WNDPROC wndProc;  // the window's original procedure, saved on attach and restored on detach
bool isUnicode;   // IsWindowUnicode() result; selects the A or W variant of each user32 call
};
Target target; // static storage, so zero-initialized; filled in by DllMain on DLL_PROCESS_ATTACH
#pragma comment(lib, "user32")
// Replacement window procedure that DllMain installs on target.hwnd.
// WM_GETMINMAXINFO is answered by the default window procedure rather than
// the original one (presumably to drop the window's own min/max size
// constraints — TODO confirm with the author); every other message is
// forwarded unchanged to the saved original procedure in target.wndProc.
// The A or W API variant is chosen from target.isUnicode so the message
// parameters are interpreted with the window's own character set.
LRESULT CALLBACK WindowProc(
    _In_ HWND hwnd,
    _In_ UINT uMsg,
    _In_ WPARAM wParam,
    _In_ LPARAM lParam
)
{
    const bool unicode = target.isUnicode;

    if (uMsg == WM_GETMINMAXINFO) {
        return unicode ? DefWindowProcW(hwnd, uMsg, wParam, lParam)
                       : DefWindowProcA(hwnd, uMsg, wParam, lParam);
    }

    return unicode ? CallWindowProcW(target.wndProc, hwnd, uMsg, wParam, lParam)
                   : CallWindowProcA(target.wndProc, hwnd, uMsg, wParam, lParam);
}
// DLL entry point. On DLL_PROCESS_ATTACH it looks up the target window and
// subclasses it: the current window procedure is saved in target.wndProc and
// replaced with WindowProc. On DLL_PROCESS_DETACH the saved procedure is put
// back. Always returns TRUE, including when no window was found.
//   hinstDLL    - module handle (unused)
//   fdwReason   - attach/detach reason
//   lpvReserved - unused
// NOTE(review): lpClassName / lpWindowName are not declared anywhere visible;
// presumably placeholders for the target window's class and title.
// NOTE(review): the GetWindowLong/SetWindowLong + (LONG) casts only hold a
// full pointer on a 32-bit build.
// NOTE(review): this calls into user32 from DllMain, i.e. under the loader
// lock, which Microsoft's DllMain best-practice guidance advises against.
BOOL WINAPI DllMain(
_In_ HINSTANCE hinstDLL,
_In_ DWORD fdwReason,
_In_ LPVOID lpvReserved
)
{
UNREFERENCED_PARAMETER(hinstDLL);
UNREFERENCED_PARAMETER(lpvReserved);
switch (fdwReason) {
case DLL_PROCESS_ATTACH:
target.hwnd = FindWindow(TEXT(lpClassName), TEXT(lpWindowName));
if (target.hwnd) {
// Pick the A or W API family that matches the window's character set.
target.isUnicode = IsWindowUnicode(target.hwnd) == TRUE;
if (target.isUnicode) {
// Save the original procedure first so WindowProc can forward to it.
target.wndProc = (WNDPROC)GetWindowLongW(target.hwnd, GWL_WNDPROC);
SetWindowLongW(target.hwnd, GWL_WNDPROC, (LONG)&WindowProc);
} else {
target.wndProc = (WNDPROC)GetWindowLongA(target.hwnd, GWL_WNDPROC);
SetWindowLongA(target.hwnd, GWL_WNDPROC, (LONG)&WindowProc);
}
}
break;
case DLL_PROCESS_DETACH:
// Undo the subclassing so the window keeps working after the DLL is gone.
if (target.hwnd) {
if (target.isUnicode)
SetWindowLongW(target.hwnd, GWL_WNDPROC, (LONG)target.wndProc);
else
SetWindowLongA(target.hwnd, GWL_WNDPROC, (LONG)target.wndProc);
}
break;
default:
break;
}
return TRUE;
}
TEMPLATE = lib
CONFIG -= qt
SOURCES += main.cpp
#include <iostream>
#include <Windows.h>
#pragma comment(lib, "user32")
#pragma comment(lib, "advapi32")
using namespace std;
// http://msdn.microsoft.com/en-us/library/windows/desktop/aa446619%28v=vs.85%29.aspx
// Enables or disables a single named privilege on an access token.
//   hToken           - token handle (needs TOKEN_ADJUST_PRIVILEGES)
//   lpszPrivilege    - privilege name to look up on the local system
//   bEnablePrivilege - TRUE to enable, FALSE to disable
// Returns FALSE when the name cannot be resolved, when AdjustTokenPrivileges
// fails, or when the token does not hold the privilege at all
// (ERROR_NOT_ALL_ASSIGNED after an otherwise successful call); TRUE otherwise.
BOOL SetPrivilege(
    HANDLE hToken,
    LPCTSTR lpszPrivilege,
    BOOL bEnablePrivilege
)
{
    LUID privilegeId;
    // NULL system name: resolve the privilege on the local machine.
    if (!LookupPrivilegeValue(NULL, lpszPrivilege, &privilegeId))
        return FALSE;

    TOKEN_PRIVILEGES adjustment;
    adjustment.PrivilegeCount = 1;
    adjustment.Privileges[0].Luid = privilegeId;
    adjustment.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    // No previous-state buffer is requested, so the outcome is reported only
    // through the return value and GetLastError().
    if (!AdjustTokenPrivileges(hToken, FALSE, &adjustment, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
        return FALSE;

    // The call succeeds even when the token lacks the privilege; that case is
    // signalled via ERROR_NOT_ALL_ASSIGNED and treated as a failure here.
    return GetLastError() == ERROR_NOT_ALL_ASSIGNED ? FALSE : TRUE;
}
// Loads dllName into process ProcessId: the path is copied into the target's
// address space and a remote thread is started at kernel32!LoadLibraryA with
// that buffer as its argument.
//   ProcessId - target process id
//   dllName   - ANSI path handed to LoadLibraryA
// Returns TRUE only if the remote thread was created and finished; whether the
// library actually loaded is not checked (the thread's exit code is never read).
// NOTE(review): `tmp` is a DWORD but WriteProcessMemory wants a SIZE_T* for the
// bytes-written count, so this is written for a 32-bit build.
// NOTE(review): from a defender's view, OpenProcess(PROCESS_ALL_ACCESS) ->
// VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread(LoadLibraryA) is
// the textbook remote-thread load sequence that process-injection detections
// commonly key on.
BOOL injectDll(DWORD ProcessId, const char *dllName)
{
BOOL result = FALSE;
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
if (hProcess) {
// strlen + 1 bytes are committed but only strlen bytes are written; the
// terminator relies on the freshly committed page being zero-filled.
LPVOID hMem = VirtualAllocEx(hProcess, NULL, strlen(dllName) + 1, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (hMem) {
DWORD tmp;
if (WriteProcessMemory(hProcess, hMem, dllName, strlen(dllName), &tmp)) {
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), "LoadLibraryA"), hMem, 0, &tmp);
if (hThread) {
// Block until LoadLibraryA returns so the path buffer can be released below.
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
result = TRUE;
}
}
VirtualFreeEx(hProcess, hMem, 0, MEM_RELEASE);
}
CloseHandle(hProcess);
}
return result;
}
// Injector entry point: enables SeDebugPrivilege on the current process token
// (the SetPrivilege result is ignored), resolves the target window to a process
// id and calls injectDll with path_to_dll. Prints the BOOL returned by injectDll,
// or "error" if the token could not be opened or the window was not found.
// Always exits with status 0, so callers cannot distinguish success from failure
// by exit code.
// NOTE(review): lpClassName, lpWindowName and path_to_dll are not declared
// anywhere visible — presumably placeholders to be filled in before building.
int main()
{
HANDLE hToken;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
// Best effort: failure here is not reported, injectDll is attempted regardless.
SetPrivilege(hToken, TEXT("SeDebugPrivilege"), TRUE);
CloseHandle(hToken);
HWND hwnd = FindWindow(TEXT(lpClassName), TEXT(lpWindowName));
if (hwnd) {
DWORD pid;
GetWindowThreadProcessId(hwnd, &pid);
BOOL b = injectDll(pid, path_to_dll);
cout << "injectDll(): " << b << endl;
return 0;
}
}
cout << "error" << endl;
return 0;
}
TEMPLATE = app
CONFIG += console
CONFIG -= app_bundle
CONFIG -= qt
SOURCES += main.cpp