Process injection, in short, means injecting code into the memory space of a running process. It is also basic knowledge that anyone doing Windows software development should master.
Windows gives every 32-bit process a 4 GB virtual address space (by default the lower 2 GB is user mode and the upper 2 GB is kernel; a 64-bit process gets a far larger space), and code placed in the user-mode part of that space can be executed by the process. "Patching" software is, in effect, process injection: to add a small feature to software that has already shipped, you do not need to redesign it; you only need to inject the code that implements the feature into the process.
Many attackers also use process injection to inject malicious code into a target process.
Commonly used process injection methods on Windows include CreateRemoteThread, APC injection (QueueUserAPC), suspended-thread injection, SetWindowsHookEx, and so on.
In addition I have learned a relatively distinctive method: reflective injection. It performs the injection by operating on the PE file itself, has a high success rate, and is the most worthwhile to study.
Remote thread injection: OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread. Get the address of LoadLibrary from kernel32 with GetProcAddress, start the remote thread at that address with the DLL path that was written into the target process as its parameter, WaitForSingleObject on the thread, then free the remote memory and close the handles.
APC injection: call CreateProcess with the sixth parameter (dwCreationFlags) set to CREATE_SUSPENDED, use QueueUserAPC to add LoadLibrary as an APC to the main thread's APC queue with the DLL path as the parameter, then resume the thread so the APC is delivered. Pay attention to freeing the handles and memory.
Reflective injection: the overall idea is to implement the job LoadLibrary does (loading a dynamic library) inside the DLL itself, so that the DLL loads itself into the target process.
The LoadLibrary-equivalent is implemented by operating on the PE file:
1. Write the DLL file into the user-mode address space of the target process.
2. Find, within the file, the offset of the DLL's own loader function (the export that loads the DLL itself), create a remote thread in the target, and pass in the address of that function (the remote base address plus the file offset) as the thread start. The self-loading function inside the DLL is itself quite ingeniously implemented.
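The part of step 2 that decides where the remote thread starts, as an added example that is not the repository's code: a portable C parser that walks the DLL file's section table to turn an export's RVA into a file offset. An injector needs the file offset rather than a loaded-image address because it writes the raw file (not a mapped image) into the target, then starts the remote thread at remote base plus that offset. The Windows API calls from the remote-thread steps above (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread) are deliberately left out so the block compiles on any platform. The export name ReflectiveLoader follows Stephen Fewer's reflective DLL injection convention; the function names (rva_to_offset, find_export_offset, build_sample_dll) and the minimal PE32+ skeleton constructed as sample input are assumptions of this example, not part of the project.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bounds-checked little-endian reads. The DLL on disk is input the injector
 * parses before it touches the target, so a truncated or crafted header must
 * fail cleanly instead of reading past the buffer. */
static int rd16(const uint8_t *b, size_t len, size_t off, uint16_t *v) {
    if (len < 2 || off > len - 2) return 0;
    *v = (uint16_t)(b[off] | (b[off + 1] << 8));
    return 1;
}
static int rd32(const uint8_t *b, size_t len, size_t off, uint32_t *v) {
    if (len < 4 || off > len - 4) return 0;
    *v = (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8) |
         ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
    return 1;
}

/* Offset of IMAGE_NT_HEADERS via e_lfanew (DOS header +0x3C). 0 on failure. */
static uint32_t nt_headers(const uint8_t *img, size_t len) {
    uint32_t pe;
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    if (!rd32(img, len, 0x3C, &pe) || pe < 0x40 || pe > len - 24) return 0;
    return memcmp(img + pe, "PE\0\0", 4) == 0 ? pe : 0;
}

/* Map an RVA to a file offset by walking IMAGE_SECTION_HEADERs. This is the
 * conversion a reflective injector needs: the raw file is what gets copied
 * into the target, so RVAs must be translated before the image is mapped.
 * Returns 0 if the RVA falls in no section's raw data. */
static uint32_t rva_to_offset(const uint8_t *img, size_t len, uint32_t rva) {
    uint32_t pe = nt_headers(img, len);
    uint16_t nsec, opt_size;
    if (!pe || !rd16(img, len, pe + 6, &nsec) || !rd16(img, len, pe + 20, &opt_size)) return 0;
    size_t sec = (size_t)pe + 24 + opt_size;          /* first section header */
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        uint32_t va, raw_size, raw_ptr;
        if (!rd32(img, len, sec + 12, &va) || !rd32(img, len, sec + 16, &raw_size) ||
            !rd32(img, len, sec + 20, &raw_ptr)) return 0;
        if (rva >= va && rva - va < raw_size) {
            uint32_t off = raw_ptr + (rva - va);
            return off < len ? off : 0;
        }
    }
    return 0;
}

/* File offset of a named export. For reflective injection the export is the
 * DLL's own loader (ReflectiveLoader); the remote thread starts at
 * remote_base + this offset. Returns 0 if the export is absent or the
 * headers are malformed. */
static uint32_t find_export_offset(const uint8_t *img, size_t len, const char *name) {
    uint32_t pe = nt_headers(img, len), exp_rva, exp, nnames, funcs, names, ords;
    uint16_t magic;
    size_t n = strlen(name) + 1;                          /* compare including the NUL */
    if (!pe || !rd16(img, len, pe + 24, &magic)) return 0;
    /* DataDirectory[0] (export table) is at optional header +96 (PE32) or +112 (PE32+) */
    if (!rd32(img, len, pe + 24 + (magic == 0x20B ? 112 : 96), &exp_rva)) return 0;
    exp = rva_to_offset(img, len, exp_rva);
    if (!exp || !rd32(img, len, exp + 24, &nnames) || !rd32(img, len, exp + 28, &funcs) ||
        !rd32(img, len, exp + 32, &names) || !rd32(img, len, exp + 36, &ords)) return 0;
    funcs = rva_to_offset(img, len, funcs);
    names = rva_to_offset(img, len, names);
    ords  = rva_to_offset(img, len, ords);
    if (!funcs || !names || !ords) return 0;
    for (uint32_t i = 0; i < nnames; i++) {
        uint32_t name_rva, name_off, fn_rva;
        uint16_t ord;
        if (!rd32(img, len, names + 4 * (size_t)i, &name_rva)) return 0;
        name_off = rva_to_offset(img, len, name_rva);
        if (!name_off || name_off + n > len || memcmp(img + name_off, name, n) != 0) continue;
        if (!rd16(img, len, ords + 2 * (size_t)i, &ord) ||
            !rd32(img, len, funcs + 4 * (size_t)ord, &fn_rva)) return 0;
        return rva_to_offset(img, len, fn_rva);           /* where the code sits in the file */
    }
    return 0;
}

/* Constructed sample input (not a real DLL): a minimal PE32+ skeleton with one
 * section at RVA 0x1000 / file 0x200 and two named exports, enough for the
 * parser above. ReflectiveLoader is at RVA 0x1200, i.e. file offset 0x400. */
static void put16(uint8_t *b, size_t off, uint16_t v) { b[off] = (uint8_t)v; b[off + 1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *b, size_t off, uint32_t v) { for (int i = 0; i < 4; i++) b[off + i] = (uint8_t)(v >> (8 * i)); }
#define SAMPLE_LEN 0x600
static void build_sample_dll(uint8_t *b) {
    memset(b, 0, SAMPLE_LEN);
    b[0] = 'M'; b[1] = 'Z'; put32(b, 0x3C, 0x40);                 /* e_lfanew */
    memcpy(b + 0x40, "PE\0\0", 4);
    put16(b, 0x40 + 4, 0x8664); put16(b, 0x40 + 6, 1);            /* Machine x64, NumberOfSections */
    put16(b, 0x40 + 20, 0xF0);                                    /* SizeOfOptionalHeader (PE32+) */
    put16(b, 0x58, 0x20B);                                        /* Magic PE32+ */
    put32(b, 0x58 + 112, 0x1000); put32(b, 0x58 + 116, 0x100);    /* export dir RVA, size */
    memcpy(b + 0x148, ".text", 5);                                /* IMAGE_SECTION_HEADER */
    put32(b, 0x148 + 8, 0x400); put32(b, 0x148 + 12, 0x1000);     /* VirtualSize, VirtualAddress */
    put32(b, 0x148 + 16, 0x400); put32(b, 0x148 + 20, 0x200);     /* SizeOfRawData, PointerToRawData */
    put32(b, 0x200 + 20, 2); put32(b, 0x200 + 24, 2);             /* NumberOfFunctions, NumberOfNames */
    put32(b, 0x200 + 28, 0x1040); put32(b, 0x200 + 32, 0x1050); put32(b, 0x200 + 36, 0x1060);
    put32(b, 0x240, 0x1100); put32(b, 0x244, 0x1200);             /* AddressOfFunctions */
    put32(b, 0x250, 0x1070); put32(b, 0x254, 0x1080);             /* AddressOfNames */
    put16(b, 0x260, 0); put16(b, 0x262, 1);                       /* AddressOfNameOrdinals */
    memcpy(b + 0x270, "Init", 5); memcpy(b + 0x280, "ReflectiveLoader", 17);
}
```

On Windows the flow is: read the DLL file into a buffer, compute off = find_export_offset(buf, len, "ReflectiveLoader"), VirtualAllocEx len bytes of executable memory in the target, WriteProcessMemory the whole buffer, then CreateRemoteThread at remote_base + off; the loader export then relocates and links the DLL by itself. The bounds checks are not decoration: an injector that parses a crafted or truncated DLL without them reads past its own buffer, whereas here every lookup on a truncated file simply returns 0.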
SetWindowsHookEx injection: implemented with the SetWindowsHookEx function.
Test environment: Windows operating system, VS2015.
All tests passed on both 32-bit and 64-bit Windows. Before testing, change the target process and the DLL path in the source code.
.
|-- APCInject(Ring0)      // APC injection from the driver layer (ring 0)
|-- APCInject             // APC injection from ring 3
|-- CreateSuspend         // suspended-thread injection
|-- InjectByRegister      // registry injection (untested)
|-- ReflectDll            // the DLL used for reflective injection
|-- ReflectiveInject      // reflective injection
|-- RemoteThread          // remote thread injection
|-- Src                   // source of the driver-layer APC injection
|-- Dll.dll               // 32-bit test DLL
|-- Dll64.dll             // 64-bit test DLL
|-- Process-Inject.sln    // solution file that opens the project
|-- README.md             // project description
Pull requests and issues are welcome.
When reusing this work, please give attribution and share it under the same terms.