Debuginject (DLL)

Source: Internet
Author: User

Principle:
Injection is implemented by attaching to the target process as its debugger: the tool creates the process under debug control, and reacts to the debug events it receives.

    bRet = CreateProcess(NULL,        m_strExePath.GetBuffer(0),        NULL,        NULL,        FALSE,        DEBUG_ONLY_THIS_PROCESS,        NULL,        NULL,        &si,        &pi);

DebugInject.h

#pragma once#include "afxwin.h"// DebugInject 对话框class DebugInject : public CDialogEx{    DECLARE_DYNAMIC(DebugInject)public:    DebugInject(CWnd* pParent = NULL);   // 标准构造函数    virtual ~DebugInject();// 对话框数据    enum { IDD = IDD_DIALOG4 };protected:    virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV 支持    DECLARE_MESSAGE_MAP()public:    CString m_strExePath;    CString m_strDllPath;    afx_msg void OnBnClickedInject();    afx_msg void OnBnClickedButton4();    afx_msg void OnBnClickedButton3();};

DebugInject.cpp

DebugInject.cpp: Implement file//#include "stdafx.h" #include "MyInjectTool.h" #include "DebugInject.h" #include "  Afxdialogex.h "//structure must be byte-aligned!          #pragma pack (1) typedef struct _inject_code{BYTE bymov_eax;    mov eax, addr szdllpath DWORD dwmov_eax_value;         BYTE Bypush_eax;          push eax BYTE bymov_ecx;    mov ecx, LoadLibrary DWORD dwmov_ecx_value;          WORD wcall_ecx;             Call ECX BYTE byINT3; int 3 CHAR Szdllpath[max_path];} Inject_code, *pinject_code; #pragma pack ()//Debuginject Dialog implement_dynamic (debuginject, CDialogEx) Debuginject::D Ebuginject (cwnd* pparent/*=null*/): CDialogEx (Debuginject::idd, pparent), M_strexepath (_T ("")), M_strDllPath ( _t ("")) {}debuginject::~debuginject () {}void debuginject::D odataexchange (cdataexchange* pDX) {cdialogex::D    Odataexchange (PDX);    DDX_Text (PDX, idc_edit1, M_strexepath); DDX_Text (PDX, Idc_edit2, M_strdllpath);} Begin_message_map (Debuginject, CDialogEx) on_bn_clicked (idc_injeCT, &debuginject::onbnclickedinject) on_bn_clicked (Idc_button4, &debuginject::onbnclickedbutton4) ON_BN_ CLICKED (Idc_button3, &debuginject::onbnclickedbutton3) End_message_map ()//Debuginject message handler void Debuginject:    : Onbnclickedinject () {//TODO: In this Add control notification handler code BOOL BRet;    DWORD dwprocessid = 0;    LPVOID lpbaseaddress = NULL;    HANDLE hthread = NULL;    HANDLE hprocess = NULL;    Debug_event dbgevent = {0};    CONTEXT ctxold = {Context_full};    CONTEXT ctxnew = {Context_full};    Inject_code IC = {0};    Startupinfo si = {sizeof (SI)};    process_information pi = {0};    hmodule hdll = NULL;    BOOL BISSYSTEMBP = TRUE;    DWORD Dwoldeip = 0; BRet = CreateProcess (null, M_strexepath.getbuffer (0), NULL, NULL, FALSE, Debug_only_thi    S_process, NULL, NULL, &SI, &PI);        if (!bret) {MessageBox ("CreateProcess failed");    Return }//prevents the debug process and debugger from shutting down BRet = DebugsetProcesskillonexit 
(FALSE); while (Waitfordebugevent (&dbgevent, INFINITE)) {switch (dbgevent.dwdebugeventcode) {case CRE            ate_process_debug_event:hprocess = dbgevent.u.createprocessinfo.hprocess;            Hthread = Dbgevent.u.createprocessinfo.hthread; Allocates memory, fills the injection instruction lpbaseaddress = VirtualAllocEx (hprocess, NULL, sizeof (Inject_code ), Mem_commit |            Mem_reserve, Page_execute_readwrite);                if (NULL = = lpbaseaddress) {MessageBox ("VirtualAllocEx failed");            Return            }//Assign value to Shellcode structure ic.bymov_eax = 0xb8;            Ic.dwmov_eax_value = (DWORD) lpbaseaddress + offsetof (Inject_code, Szdllpath);            Ic.bypush_eax = 0x50;            IC.BYMOV_ECX = 0xb9;            Ic.dwmov_ecx_value = (DWORD) &LoadLibrary;            IC.WCALL_ECX = 0xd1ff;            Ic.byint3 = 0xCC; memcpy(Ic.szdllpath, M_strdllpath.getbuffer (0), m_strdllpath.getlength ());            Write Shellcode BRet = WriteProcessMemory (hprocess, lpbaseaddress, &ic, sizeof (IC), NULL);                if (!bret) {MessageBox ("WriteProcessMemory failed");            Return            }//Gets the current thread context BRet = GetThreadContext (Hthread, &ctxold);                if (!bret) {MessageBox ("GetThreadContext failed");            Return            } ctxnew = Ctxold; #ifdef _win64 Ctxnew.rip = (DWORD) lpbaseaddress;            Dwoldeip = Ctxnew.rip; #else ctxnew.eip = (DWORD) lpbaseaddress;            Dwoldeip = Ctxnew.eip; #endif bRet = SetThreadContext (Hthread, &ctxnew);                if (!bret) {MessageBox ("SetThreadContext failed");            Return        } break; Case Exception_debug_event:if (Dbgevent.u.exception.exceptionrEcord.                
Exceptioncode = = Exception_breakpoint) {//Mask off System breakpoint if (BISSYSTEMBP)                    {BISSYSTEMBP = FALSE;                Break                    }//Free memory BRet = VirtualFreeEx (hprocess, Lpbaseaddress,                0, Mem_release);                    if (!bret) {MessageBox ("VirtualFreeEx failed");                Return                }//Revert to the EIP when the program was created BRet = SetThreadContext (Hthread, &ctxold);                    if (!bret) {MessageBox ("SetThreadContext failed");                Return                } BRet = Continuedebugevent (Dbgevent.dwprocessid, Dbgevent.dwthreadid, dbg_continue);                    if (!bret) {MessageBox ("Continuedebugevent failed!!");           Return     }//exit This process, let the debug program run up//exitprocess (0);            Return        } break;        } BRet = Continuedebugevent (Dbgevent.dwprocessid, Dbgevent.dwthreadid, dbg_exception_not_handled);            if (!bret) {MessageBox ("Continuedebugevent failed!!");        Return    }}}void Debuginject::onbnclickedbutton4 () {//TODO: In this Add control notification handler code char szfilter[] = "Dynamic link library |*.dll"; CFileDialog Filedlg (TRUE, "DLL", NULL, Ofn_hidereadonly |    Ofn_overwriteprompt, Szfilter);    UpdateData (TRUE);    if (filedlg.domodal () = = IDOK) {M_strdllpath = Filedlg.getpathname (); } updatedata (FALSE);}    void Debuginject::onbnclickedbutton3 () {//TODO: In this Add control notification handler code char szfilter[] = "executable program |*.exe"; CFileDialog Filedlg (TRUE, "EXE", NULL, Ofn_hidereadonly |    Ofn_overwriteprompt, Szfilter);    UpdateData (TRUE);    if (filedlg.domodal () = = IDOK) {M_strexepath = Filedlg.getpathname (); } updatedata (FALSE);} 

