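#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <Tlhelp32.h>
#include <wchar.h>
#include <iostream>

// Minimal DLL injector: locates the target process by image name, copies the
// DLL path into its address space and runs LoadLibraryA on a remote thread.
//
// Operational caveats (not checked by the code): the injector must run at the
// target's integrity level or higher (Task Manager is normally elevated), and
// with the same bitness as the target, because the kernel32 address resolved
// below is only shared between same-bitness processes.

// Image name of the process to inject into, and the DLL loaded when no path
// is given on the command line. Both values were hard-coded in the original.
static const wchar_t *const kTargetImage = L"taskmgr.exe";
static const char *const kDefaultDll = "dllmain.dll";

void error(const char *err);

// Handle to the target process; opened in main(), released by error() on an
// early exit so the handle does not leak.
HANDLE myProc = NULL;

// Report a failure together with the Win32 error code, release the process
// handle and terminate. Exits with status 1 — the original exited with 0,
// which made a failed injection indistinguishable from success to any caller.
void error(const char *err)
{
    DWORD lastError = GetLastError(); // capture before CloseHandle can clobber it
    if (myProc != NULL) CloseHandle(myProc);
    printf("%s", err);
    printf("    GetLastError() = %lu\n", lastError);
    exit(1);
}

// Return the PID of the first running process whose image name equals
// `imageName` (case-insensitive, as Windows file names are; the snapshot
// reports the on-disk casing, e.g. "Taskmgr.exe"), or 0 if none is found.
// Uses the explicit W variants so the wide-string compare does not depend on
// the UNICODE build setting.
static DWORD findProcessId(const wchar_t *imageName)
{
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
        return 0;

    DWORD pid = 0;
    PROCESSENTRY32W entry;
    entry.dwSize = sizeof(entry);
    // Process32NextW returns FALSE after the last entry. The original loop
    // discarded that result and tested a constant, so it never terminated when
    // the target was not running.
    for (BOOL more = Process32FirstW(snapshot, &entry); more; more = Process32NextW(snapshot, &entry)) {
        if (_wcsicmp(entry.szExeFile, imageName) == 0) {
            pid = entry.th32ProcessID;
            break;
        }
    }
    CloseHandle(snapshot); // the original never closed the snapshot handle
    return pid;
}

// Usage: injector [dll-path]. Without an argument "dllmain.dll" is used, as in
// the original; the target process name stays fixed to kTargetImage.
int main(int argc, char *argv[])
{
    // Resolve the DLL to an absolute path *here*, in the injector. LoadLibraryA
    // executes inside the target and resolves a bare file name through the
    // target's own DLL search order (its executable's directory, System32,
    // PATH, ...) — not through our working directory. A relative "dllmain.dll"
    // can therefore silently load a different DLL that carries the same name.
    const char *dllArg = (argc > 1) ? argv[1] : kDefaultDll;
    char dllPath[MAX_PATH];
    DWORD pathLen = GetFullPathNameA(dllArg, MAX_PATH, dllPath, NULL);
    if (pathLen == 0 || pathLen >= MAX_PATH)
        error("[-] Error resolviendo la ruta de la DLL.\n");
    if (GetFileAttributesA(dllPath) == INVALID_FILE_ATTRIBUTES)
        error("[-] La DLL no existe en la ruta indicada.\n");
    printf("[+] DLL: %s\n", dllPath);

    DWORD myPid = findProcessId(kTargetImage);
    if (myPid == 0)
        error("[-] Proceso objetivo no encontrado.\n");
    printf("%lu\n", myPid); // the original echoed the pid on its own line

    // Open the process with exactly the rights that CreateRemoteThread,
    // VirtualAllocEx and WriteProcessMemory document, instead of PROCESS_ALL_ACCESS.
    printf("[+] Opening process %lu\n", myPid);
    const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                         PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    myProc = OpenProcess(access, FALSE, myPid);
    if (myProc == NULL)
        error("[-] Error abriendo proceso.\n");
    printf("[+] Proceso abierto.\n");

    // Reserve memory in the target for the argument (the DLL path). The size
    // includes the terminating NUL that LoadLibraryA stops at; the original
    // allocated and wrote strlen() bytes and only worked because a freshly
    // committed page happens to be zero-filled. A string buffer needs no
    // execute permission, so PAGE_READWRITE replaces PAGE_EXECUTE_READWRITE
    // (an RWX region is a needless foothold and a common detection heuristic).
    SIZE_T argSize = strlen(dllPath) + 1;
    LPVOID dirToArg = VirtualAllocEx(myProc, NULL, argSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (dirToArg == NULL)
        error("[-] Error reservando memoria para argumento.\n");
    printf("[+] Memoria reservada para argumento (%lu bytes).\n", (unsigned long)argSize);

    // Write the DLL path into the reserved memory and verify the full length landed.
    SIZE_T written = 0;
    if (WriteProcessMemory(myProc, dirToArg, dllPath, argSize, &written) == 0 || written != argSize)
        error("[-] Error escribiendo memoria.\n");
    printf("[+] Memoria escrita (arg %lu bytes).\n", (unsigned long)written);

    // kernel32 is mapped at the same base in every same-bitness process for a
    // given boot, so our LoadLibraryA address is valid in the target as well.
    // GetModuleHandleW replaces the original LoadLibrary(L"Kernel32.dll"):
    // kernel32 is always loaded already, and the original leaked a reference.
    HMODULE kernel32 = GetModuleHandleW(L"kernel32.dll");
    FARPROC loadLibraryA = (kernel32 != NULL) ? GetProcAddress(kernel32, "LoadLibraryA") : NULL;
    if (loadLibraryA == NULL)
        error("[-] Error localizando LoadLibraryA.\n");

    // Start a thread in the target that executes LoadLibraryA(dirToArg).
    HANDLE rThread = CreateRemoteThread(myProc, NULL, 0, (LPTHREAD_START_ROUTINE)loadLibraryA, dirToArg, 0, NULL);
    if (rThread == NULL)
        error("[-] Error creando el hilo.\n");
    printf("[+] Hilo creado.\n");

    // Wait for LoadLibraryA to return so the outcome can be reported and the
    // argument buffer released. The thread exit code is LoadLibraryA's return
    // value truncated to 32 bits: zero means the load failed in the target
    // (wrong bitness, missing dependency, DllMain returned FALSE). On x64 a
    // valid HMODULE with a zero low half is theoretically possible but unlikely.
    if (WaitForSingleObject(rThread, 10000) == WAIT_OBJECT_0) {
        DWORD exitCode = 0;
        if (!GetExitCodeThread(rThread, &exitCode))
            printf("[!] No se pudo leer el resultado del hilo remoto.\n");
        else if (exitCode == 0)
            printf("[-] LoadLibraryA devolvio 0 en el proceso remoto.\n");
        else
            printf("[+] DLL cargada.\n");
        VirtualFreeEx(myProc, dirToArg, 0, MEM_RELEASE);
    } else {
        printf("[!] El hilo remoto no termino a tiempo; el buffer del argumento no se libera.\n");
    }

    CloseHandle(rThread);
    CloseHandle(myProc); // the original left the process handle open on success
    myProc = NULL;
    return 0;
}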
Esta es la DLL:
// dllmain.cpp : Defines the entry point for the DLL application. #include "stdafx.h" #include "C:\Users\Androide\Desktop\minhook\Dynamic\MinHook_133_src\include\MinHook.h"//MHook header #include <iostream> #include <windows.h> #include <Commctrl.h> #include <conio.h> using namespace std; typedef void (*SENDMESSAGEW)();//Typedef for the hooked function static SENDMESSAGEW Basewritefoobar;//Backup of the originak fonction static const wchar_t *pwned=L"PWNED";//PWNED LRESULT WINAPI BSSSendMessageW(HWND hwnd, UINT msg, WPARAM wparam, LPARAM lparam) { if ( msg == LVM_INSERTITEMW || msg == LVM_SETITEMW)//Intercepts LVM_INSERTITEM and LVM_SETITEM messages { ((LVITEMW*)lparam)->pszText=pwned;//Replace the item text with our text. } return baseSendMessage(hwnd, msg, wparam, lparam);//Calls the real SendMessage function. } static bool Hook(); template <typename T> inline MH_STATUS MH_CreateHookEx(void* target, void* const base, T** original) { return MH_CreateHook(target, base, reinterpret_cast<void**>(original)); } extern "C" __declspec (dllexport) void __cdecl SendWrite() { } BOOL WINAPI DllMain(HINSTANCE hInst, ULONG ul_reason_for_call, LPVOID lpReserved) { //Different behaviors depending on the reason why DllMain is called switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: if (!Hook())//Hook "Writefoobar" { cout << "Hook failed" << endl; return 1; } break; case DLL_PROCESS_DETACH: break; case DLL_THREAD_ATTACH: break; case DLL_THREAD_DETACH: break; } return TRUE; } bool Hook() { if (MH_Initialize() != MH_OK) { return false; } if (MH_CreateHookEx((void*)&SendMessageW, (void*)&BSSSendMessageW, &Basewritefoobar) != MH_OK) { return FALSE; } return MH_EnableHook((void*)&SendMessageW) == MH_OK; }
Cuando lo ejecuto, me muestra un «hola mundo» que ni siquiera incluí en mi código:
Lo cual no debería ocurrir.