Home

Awesome

Code Injection

Inject code with certain technique written in cpp.

DLL Injection

Inject dll with CreateRemoteThread and LoadLibrary.

VirtualAllocEx(pi.hProcess, NULL, dwLength, MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(pi.hProcess, lpLibName, DLL_NAME, dwLength, &written);

HANDLE hThread = CreateRemoteThread(pi.hProcess, NULL, NULL, pLoadLibraryW, lpLibName, NULL, NULL);
WaitForSingleObject(hThread, INFINITE);

Memory Scanning

Scan certain instructions and overwrite it.

ScanMemory inspects executable area, finds pattern and store the address to std::vector.

std::vector<LPVOID> list;
BYTE pattern[] = { 0x48, 0x63, 0x4D, 0xC8, 0x89, 0x08, 0x49, 0x63, 0x47, 0x50 }; //target opcode
ScanMemory(hProcess, pattern, sizeof(pattern), list);

BYTE code[] = { 0xC7, 0x00, 0x04, 0x00, 0x00, 0x00 }; // patch opcode
WriteProcessMemory(hProcess, list.back(), code, sizeof(code), NULL);

Queue User APC

QueueUserAPC adds user-mode Asynchronous Procedure Call (APC).

Many anti-debugging agents watch CreateRemoteThread. In order to bypass this scenario, we can use APC to inject dll.

for (auto dwTid : tids) {
	HANDLE hThread = OpenThread(THREAD_SET_CONTEXT, FALSE, dwTid);
	if (hThread) {
		QueueUserAPC(pLoadLibrary, hThread, (ULONG_PTR)lpAddress);
		CloseHandle(hThread);
	}
}