Inject code with certain technique written in cpp.
- DLL Injection : InjectDll.cpp
- Memory Scanning : MemoryScanInjector.cpp
- DLL Injection with User APC : QueueUserAPC.cpp
Inject dll with CreateRemoteThread and LoadLibrary.
VirtualAllocEx(pi.hProcess, NULL, dwLength, MEM_COMMIT, PAGE_READWRITE); WriteProcessMemory(pi.hProcess, lpLibName, DLL_NAME, dwLength, &written); HANDLE hThread = CreateRemoteThread(pi.hProcess, NULL, NULL, pLoadLibraryW, lpLibName, NULL, NULL); WaitForSingleObject(hThread, INFINITE);
Scan certain instructions and overwrite it.
ScanMemory inspects executable area, finds pattern and store the address to std::vector.
std::vector<LPVOID> list;
BYTE pattern[] = { 0x48, 0x63, 0x4D, 0xC8, 0x89, 0x08, 0x49, 0x63, 0x47, 0x50 }; //target opcode
ScanMemory(hProcess, pattern, sizeof(pattern), list);
BYTE code[] = { 0xC7, 0x00, 0x04, 0x00, 0x00, 0x00 }; // patch opcode
WriteProcessMemory(hProcess, list.back(), code, sizeof(code), NULL);QueueUserAPC adds user-mode Asynchronous Procedure Call (APC).
Many anti-debugging agents watch CreateRemoteThread. In order to bypass this scenario, we can use APC to inject dll.
for (auto dwTid : tids) { HANDLE hThread = OpenThread(THREAD_SET_CONTEXT, FALSE, dwTid); if (hThread) { QueueUserAPC(pLoadLibrary, hThread, (ULONG_PTR)lpAddress); CloseHandle(hThread); } }