-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathDLLInjector.cpp
More file actions
178 lines (147 loc) · 5.64 KB
/
DLLInjector.cpp
File metadata and controls
178 lines (147 loc) · 5.64 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
#include <windows.h>
#include <Shlwapi.h>
#include <algorithm>
#include <iostream>
#include <iomanip>
#include <string>
#include <vector>
#pragma comment(lib, "user32.lib")
#pragma comment(lib, "Shlwapi.lib")
#pragma comment(lib, "kernel32.lib")
HANDLE h_process = nullptr;
HANDLE h_thread = nullptr;
struct AppInfo
{
HWND hwnd{};
DWORD pid{};
std::wstring title;
std::wstring exePath;
};
static std::wstring GetExeDirectory()
{
wchar_t path[MAX_PATH] = {};
DWORD n = GetModuleFileNameW(nullptr, path, MAX_PATH);
if (n == 0 || n >= MAX_PATH) return L"";
PathRemoveFileSpecW(path);
return path;
}
static bool FindFirstWildcardInAppDir(const std::wstring& wildcard, std::wstring& outPath) {
std::wstring base = GetExeDirectory();
if (base.empty()) return false;
wchar_t query[MAX_PATH] = {};
if (!PathCombineW(query, base.c_str(), wildcard.c_str())) return false;
WIN32_FIND_DATAW fd{};
HANDLE h = FindFirstFileW(query, &fd);
if (h == INVALID_HANDLE_VALUE) return false;
wchar_t full[MAX_PATH] = {};
bool ok = false;
if (PathCombineW(full, base.c_str(), fd.cFileName))
{
outPath.assign(full);
ok = true;
}
FindClose(h);
return ok;
}
static std::wstring GetWindowTitle(HWND h)
{
int len = GetWindowTextLengthW(h);
if (len <= 0) return L"";
std::vector<wchar_t> buf(static_cast<size_t>(len) + 1, L'\0');
GetWindowTextW(h, buf.data(), len + 1);
return std::wstring(buf.data());
}
static std::wstring QueryProcessImagePath(DWORD pid)
{
std::wstring result;
HANDLE ph = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
if (!ph) return result;
DWORD size = 32767;
std::vector<wchar_t> buf(size, L'\0');
if (QueryFullProcessImageNameW(ph, 0, buf.data(), &size)) result.assign(buf.data(), size);
CloseHandle(ph);
return result;
}
static BOOL CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam)
{
if (!IsWindowVisible(hwnd)) return TRUE;
if (GetWindow(hwnd, GW_OWNER)) return TRUE;
std::wstring title = GetWindowTitle(hwnd);
if (title.empty()) return TRUE;
DWORD pid = 0;
GetWindowThreadProcessId(hwnd, &pid);
auto list = reinterpret_cast<std::vector<AppInfo>*>(lParam);
AppInfo info;
info.hwnd = hwnd;
info.pid = pid;
info.title = std::move(title);
info.exePath = QueryProcessImagePath(pid);
list->push_back(std::move(info));
return TRUE;
}
void get_proc_id(const wchar_t* window_title, DWORD& process_id)
{
HWND h = FindWindowW(nullptr, window_title);
GetWindowThreadProcessId(h, &process_id);
}
[[noreturn]]
void error(const char* error_title, const char* error_message)
{
MessageBoxA(nullptr, error_message, error_title, MB_ICONERROR);
std::exit(EXIT_FAILURE);
}
int main()
{
char dll_path[MAX_PATH] = {};
std::wstring dllPathW;
if (!FindFirstWildcardInAppDir(L"*.dll", dllPathW)) error("FindExactInAppDir", "*.dll not found next to the EXE");
int ok = WideCharToMultiByte(CP_ACP, 0, dllPathW.c_str(), -1, dll_path, MAX_PATH, nullptr, nullptr);
if (!ok) error("WideCharToMultiByte", "Failed to convert DLL path");
std::wcout << L"\nEnumerating open application windows...\n\n";
std::vector<AppInfo> apps;
apps.reserve(256);
EnumWindows(EnumWindowsProc, reinterpret_cast<LPARAM>(&apps));
if (apps.empty())
{
std::wcerr << L"No visible top-level windows found.\n";
return 1;
}
std::stable_sort(apps.begin(), apps.end(),
[](const AppInfo& a, const AppInfo& b) { return a.title < b.title; });
size_t idx = 1;
for (const auto& a : apps)
{
LPCWSTR fname = a.exePath.empty() ? L"?" : PathFindFileNameW(a.exePath.c_str());
std::wcout << std::setw(3) << idx++ << L") "
<< L"[PID " << a.pid << L"] "
<< L"[HWND 0x" << std::hex << (UINT_PTR)a.hwnd << std::dec << L"] "
<< a.title
<< L" - " << (fname && *fname ? fname : L"?")
<< L"\n";
}
std::wcout << L"\nType the # of the target window and press Enter: ";
size_t choice = 0;
if (!(std::wcin >> choice) || choice == 0 || choice > apps.size())
{
std::wcerr << L"Invalid choice.\n";
return 1;
}
const AppInfo& sel = apps[choice - 1];
DWORD proc_id = sel.pid;
if (proc_id == NULL) error("get_proc_id", "Failed to get process ID");
HANDLE h_process = OpenProcess(PROCESS_ALL_ACCESS, NULL, proc_id);
void* allocated_memory = VirtualAllocEx(h_process, nullptr, MAX_PATH, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
HANDLE h_thread = CreateRemoteThread(h_process, nullptr, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, allocated_memory, 0, nullptr);
if (!h_process) error("OpenProcess", "Failed to open handle to process");
if (!allocated_memory) error("VirtualALlocEx", "Failed to allocate memory");
if (!WriteProcessMemory(h_process, allocated_memory, dll_path, MAX_PATH, nullptr)) error("WriteProcessMemory", "Failed to write process memory");
if (!h_thread) error("CreateRemoteThread", "Failed to create remote thread");
CloseHandle(h_thread);
CloseHandle(h_process); //This should be after VirtualFreeEx, although it's just a warning ;)
VirtualFreeEx(h_process, allocated_memory, NULL, MEM_RELEASE);
MessageBoxA(nullptr, "Successfully Injected!", "Success", 0);
std::wstring selected_title = sel.title;
std::wcout << L"\nSelected:\n Title: " << selected_title << L"\n PID: " << proc_id << L"\n";
return 0;
}