Code injection with several techniques, written in C++.
- DLL Injection : InjectDll.cpp
- Memory Scanning : MemoryScanInjector.cpp
- DLL Injection with User APC : QueueUserAPC.cpp
Inject a DLL with CreateRemoteThread and LoadLibrary:
```cpp
// Reserve a buffer in the target for the DLL path, copy the path in, then run LoadLibraryW on it
LPVOID lpLibName = VirtualAllocEx(pi.hProcess, NULL, dwLength, MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(pi.hProcess, lpLibName, DLL_NAME, dwLength, &written);
HANDLE hThread = CreateRemoteThread(pi.hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pLoadLibraryW, lpLibName, 0, NULL);
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
```
Scan for a specific instruction sequence and overwrite it. ScanMemory inspects the executable regions of the target process, finds the pattern and stores each matching address in a std::vector.
```cpp
std::vector<LPVOID> list;
BYTE pattern[] = { 0x48, 0x63, 0x4D, 0xC8, 0x89, 0x08, 0x49, 0x63, 0x47, 0x50 }; // target opcode
ScanMemory(hProcess, pattern, sizeof(pattern), list);                            // collect every match
BYTE code[] = { 0xC7, 0x00, 0x04, 0x00, 0x00, 0x00 }; // patch opcode
if (!list.empty())                                     // list.back() on an empty vector is undefined
    WriteProcessMemory(hProcess, list.back(), code, sizeof(code), NULL);
```
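The portable core of ScanMemory is a byte-pattern search over a region, and the same search is what an integrity monitor runs to notice that a known instruction sequence has been overwritten. The following is an added example, not code from this repository: `FindPattern`, `RegionIntact`, `MakeSampleRegion` and `PatchIsDetected` are names chosen here, the region is a constructed byte buffer rather than memory read from another process, and the opcode bytes are the ones shown above.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Return every offset in `region` where `pattern` occurs (overlapping matches included).
// A ScanMemory-style scanner would call this once per executable region it has read
// out of the target; here it only sees a local buffer.
std::vector<size_t> FindPattern(const uint8_t* region, size_t regionLen,
                                const uint8_t* pattern, size_t patternLen) {
    std::vector<size_t> hits;
    if (patternLen == 0 || patternLen > regionLen) return hits; // nothing sensible to match
    for (size_t off = 0; off + patternLen <= regionLen; ++off) {
        if (std::memcmp(region + off, pattern, patternLen) == 0) hits.push_back(off);
    }
    return hits;
}

// Integrity check: true if the bytes at `off` in `region` still equal `expected`.
// A monitor that knows where a sensitive instruction sequence lives can call this
// periodically to detect an in-place patch like the one shown on this page.
bool RegionIntact(const uint8_t* region, size_t regionLen, size_t off,
                  const uint8_t* expected, size_t expectedLen) {
    if (off > regionLen || expectedLen > regionLen - off) return false; // out of bounds
    return std::memcmp(region + off, expected, expectedLen) == 0;
}

// Opcode bytes taken from the page; the surrounding region is constructed, not a real dump.
static const uint8_t kTargetOpcode[] = { 0x48, 0x63, 0x4D, 0xC8, 0x89, 0x08, 0x49, 0x63, 0x47, 0x50 };
static const uint8_t kPatchOpcode[]  = { 0xC7, 0x00, 0x04, 0x00, 0x00, 0x00 };

// Constructed sample region: 7 NOPs, one copy of the target sequence at offset 7, 5 int3 bytes.
std::vector<uint8_t> MakeSampleRegion() {
    std::vector<uint8_t> region(7, 0x90);
    region.insert(region.end(), kTargetOpcode, kTargetOpcode + sizeof(kTargetOpcode));
    region.insert(region.end(), 5, 0xCC);
    return region;
}

// Simulate the patch on the local buffer and report whether the integrity check catches it.
bool PatchIsDetected() {
    std::vector<uint8_t> region = MakeSampleRegion();
    std::vector<size_t> hits = FindPattern(region.data(), region.size(),
                                           kTargetOpcode, sizeof(kTargetOpcode));
    if (hits.empty()) return false;
    size_t off = hits.back();
    bool before = RegionIntact(region.data(), region.size(), off,
                               kTargetOpcode, sizeof(kTargetOpcode));
    std::memcpy(region.data() + off, kPatchOpcode, sizeof(kPatchOpcode)); // apply the patch bytes
    bool after = RegionIntact(region.data(), region.size(), off,
                              kTargetOpcode, sizeof(kTargetOpcode));
    return before && !after; // intact before, detected as modified after
}
```

`FindPattern` returns an empty vector when the pattern is empty or longer than the region, which is the case the `list.back()` guard above protects against; `RegionIntact` refuses offsets that would read past the buffer instead of trusting the caller.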
QueueUserAPC queues a user-mode Asynchronous Procedure Call (APC) to a thread. Many anti-debugging agents watch CreateRemoteThread; to get around that, an APC can be used to load the DLL instead:
```cpp
for (auto dwTid : tids) {                                          // tids: thread ids of the target
    HANDLE hThread = OpenThread(THREAD_SET_CONTEXT, FALSE, dwTid); // access right QueueUserAPC needs
    if (hThread) {
        QueueUserAPC(pLoadLibrary, hThread, (ULONG_PTR)lpAddress); // lpAddress: DLL path in the target
        CloseHandle(hThread);
    }
}
```