From c0b55da0156b2e141030e684d48f995b0de5aff6 Mon Sep 17 00:00:00 2001 From: hugy <504650082@qq.com> Date: Wed, 26 Apr 2023 10:58:00 +0800 Subject: [PATCH] =?UTF-8?q?fix:=20=E6=B3=A8=E5=85=A5=E5=B7=A5=E5=85=B7?= =?UTF-8?q?=E7=AE=80=E5=8D=95=E6=94=AF=E6=8C=81pid=E6=B3=A8=E5=85=A5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- source/ConsoleApplication.cc | 198 ++++++++++++++++++++++++++++++++++- 1 file changed, 197 insertions(+), 1 deletion(-) diff --git a/source/ConsoleApplication.cc b/source/ConsoleApplication.cc index f746b94..c86dc6d 100644 --- a/source/ConsoleApplication.cc +++ b/source/ConsoleApplication.cc 
@@ -771,6 +771,128 @@ error: return result; } +int InjectDllAndStartHttpByPid(unsigned int pid, wchar_t* szDllPath, DWORD port) +{ + if(!EnableDebugPrivilege()){ + return 0; + } + int result = 0; + HANDLE hRemoteThread = NULL; + LPTHREAD_START_ROUTINE lpSysLibAddr = NULL; + HINSTANCE__* hKernelModule = NULL; + LPVOID lpRemoteDllBase = NULL; + HANDLE hProcess; + size_t ulDllLength; + wchar_t* dllName = (wchar_t*)L"wxhelper.dll"; + size_t dllNameLen = wcslen(dllName) * 2 + 2; + char* funcName = (char* )"http_start"; + size_t funcNameLen = strlen(funcName) + 1; + + HANDLE hStartHttp = NULL; + LPVOID portAddr = NULL; + HANDLE getProcThread = NULL; + + LPVOID paramsAddr = NULL; + LPVOID param1Addr = NULL; + LPVOID param2Addr = NULL; + LPVOID GetProcFuncAddr = NULL; + + DWORD params[2] = { 0 }; + + ulDllLength = (wcslen(szDllPath) + 1) * sizeof(wchar_t); + hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, pid); + if (!hProcess) { + goto error; + } + + lpRemoteDllBase = VirtualAllocEx(hProcess, NULL, ulDllLength, MEM_COMMIT, PAGE_READWRITE); + if (lpRemoteDllBase) + { + if (WriteProcessMemory(hProcess, lpRemoteDllBase, szDllPath, ulDllLength, NULL) + && (hKernelModule = GetModuleHandleW(L"kernel32.dll")) != 0 + && (lpSysLibAddr = (LPTHREAD_START_ROUTINE)GetProcAddress(hKernelModule, "LoadLibraryW")) != 0 + && (hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, lpSysLibAddr, lpRemoteDllBase, 0, NULL)) != 0) + { + WaitForSingleObject(hRemoteThread, INFINITE); + GetProcFuncAddr = FillAsmCode(hProcess); + param1Addr = VirtualAllocEx(hProcess, NULL, dllNameLen, MEM_COMMIT, PAGE_READWRITE); + if (param1Addr) { + SIZE_T dwWriteSize; + BOOL bRet = WriteProcessMemory(hProcess, (LPVOID)param1Addr, dllName, dllNameLen, &dwWriteSize); + if (!bRet) { + goto error; + } + } + param2Addr = VirtualAllocEx(hProcess, NULL, funcNameLen, MEM_COMMIT, PAGE_READWRITE); + if (param2Addr) { + SIZE_T dwWriteSize; + BOOL bRet = WriteProcessMemory(hProcess, (LPVOID)param2Addr, funcName, 
funcNameLen, &dwWriteSize); + if (!bRet) { + goto error; + } + } + + params[0] = (DWORD)param1Addr; + params[1] = (DWORD)param2Addr; + + paramsAddr = VirtualAllocEx(hProcess, NULL, sizeof(params), MEM_COMMIT, PAGE_READWRITE); + if (paramsAddr) { + SIZE_T dwWriteSize; + BOOL bRet = WriteProcessMemory(hProcess, (LPVOID)paramsAddr, ¶ms[0], sizeof(params), &dwWriteSize); + if (!bRet) { + goto error; + } + } + + DWORD dwRet = 0; + getProcThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcFuncAddr, paramsAddr, 0, NULL); + + if (getProcThread) + { + WaitForSingleObject(getProcThread, INFINITE); + GetExitCodeThread(getProcThread, &dwRet); + if (dwRet) { + hStartHttp = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)dwRet, (LPVOID)port, 0, NULL); + WaitForSingleObject(hStartHttp, INFINITE); + result = 1; + } + } + } + } +error: + if (hRemoteThread) { + CloseHandle(hRemoteThread); + } + if (getProcThread) { + CloseHandle(getProcThread); + } + if (hStartHttp) { + CloseHandle(hStartHttp); + } + + if (lpRemoteDllBase) { + VirtualFreeEx(hProcess, lpRemoteDllBase, ulDllLength, MEM_DECOMMIT | MEM_RELEASE); + } + if (param1Addr) { + VirtualFreeEx(hProcess, param1Addr, dllNameLen, MEM_DECOMMIT | MEM_RELEASE); + } + + if (param2Addr) { + VirtualFreeEx(hProcess, param1Addr, funcNameLen, MEM_DECOMMIT | MEM_RELEASE); + } + + if (paramsAddr) { + VirtualFreeEx(hProcess, param1Addr, sizeof(params), MEM_DECOMMIT | MEM_RELEASE); + } + + if (GetProcFuncAddr) { + VirtualFreeEx(hProcess, GetProcFuncAddr, sizeof(GetProcAddressAsmCode), MEM_DECOMMIT | MEM_RELEASE); + } + + CloseHandle(hProcess); + return result; +} + int InjectDll(wchar_t* szPName, wchar_t* szDllPath) { if(!EnableDebugPrivilege()){ 
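Review bot: The cleanup under `error:` frees the wrong remote addresses: the `if (param2Addr)` and `if (paramsAddr)` branches both pass `param1Addr` to `VirtualFreeEx`, so `param2Addr` and `paramsAddr` are never released while `param1Addr` is released repeatedly. Every `VirtualFreeEx` call here also combines `MEM_DECOMMIT | MEM_RELEASE` with a non-zero size, which the API rejects (`MEM_RELEASE` requires a size of 0 and is documented as not combinable with `MEM_DECOMMIT`), so even the correctly addressed frees fail and the allocations stay in the target process; each should read like `VirtualFreeEx(hProcess, param2Addr, 0, MEM_RELEASE);` with the matching pointer. The same flag combination appears in the `InjectDllByPid` hunk below. `hStartHttp` is handed to `WaitForSingleObject` and `result = 1` is set without checking that `CreateRemoteThread` succeeded, and `GetProcFuncAddr` is used as a start routine with no null check — `FillAsmCode` is outside this diff, so whether it signals failure by returning null is an assumption. A failed `VirtualAllocEx` for `param1Addr`, `param2Addr` or `paramsAddr` falls through silently instead of `goto error;`, so a thread can be started with null parameters.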
@@ -825,6 +947,58 @@ int InjectDll(wchar_t* szPName, wchar_t* szDllPath) return result; } +int InjectDllByPid(unsigned int pid, wchar_t* szDllPath) +{ + if(!EnableDebugPrivilege()){ + return 0; + } + int result = 0; + HANDLE hRemoteThread; + LPTHREAD_START_ROUTINE lpSysLibAddr; + HINSTANCE__* hKernelModule; + LPVOID lpRemoteDllBase; + HANDLE hProcess; + size_t ulDllLength; + + ulDllLength = (wcslen(szDllPath) + 1) * sizeof(wchar_t); + hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, pid); + if (!hProcess) { + return 0; + } + + lpRemoteDllBase = VirtualAllocEx(hProcess, NULL, ulDllLength, MEM_COMMIT, PAGE_READWRITE); + if (lpRemoteDllBase) + { + if (WriteProcessMemory(hProcess, lpRemoteDllBase, szDllPath, ulDllLength, NULL) + && (hKernelModule = GetModuleHandleW(L"kernel32.dll")) != 0 + && (lpSysLibAddr = (LPTHREAD_START_ROUTINE)GetProcAddress(hKernelModule, "LoadLibraryW")) != 0 + && (hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, lpSysLibAddr, lpRemoteDllBase, 0, NULL)) != 0) + { + WaitForSingleObject(hRemoteThread, INFINITE); + VirtualFreeEx(hProcess, lpRemoteDllBase, ulDllLength, MEM_DECOMMIT | MEM_RELEASE); + CloseHandle(hRemoteThread); + CloseHandle(hProcess); + OutputDebugStringA("[DBG] dll inject success"); + printf("dll inject success"); + printf("dll path : %s ", szDllPath); + printf("pid : %d ", pid); + result = 1; + } + else + { + VirtualFreeEx(hProcess, lpRemoteDllBase, ulDllLength, MEM_DECOMMIT | MEM_RELEASE); + CloseHandle(hProcess); + result = 0; + } + } + else + { + CloseHandle(hProcess); + result = 0; + } + return result; +} + int UnInjectDll(wchar_t* szPName, wchar_t* szDName) { HMODULE hDll; @@ -878,8 +1052,9 @@ int main(int argc, char** argv) int port = 0; ULONG pid = 0; + unsigned int injectPid =0; - while ((param = getopt(argc, argv, "i:p:u:d:m:P:h")) != -1) + while ((param = getopt(argc, argv, "i:p:u:d:m:P:I:h")) != -1) { switch (param) { 
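Review bot: `printf("dll path : %s ", szDllPath);` passes a `wchar_t*` to `%s`, which is undefined behaviour and in practice prints garbage or stops at the first zero byte; use `%ls`, and `%u` for the `unsigned int pid` on the next line. The success and failure branches repeat the `VirtualFreeEx`/`CloseHandle` cleanup with `MEM_DECOMMIT | MEM_RELEASE` and a non-zero size (see the note on the previous hunk for why that call fails); a single `VirtualFreeEx(hProcess, lpRemoteDllBase, 0, MEM_RELEASE);` after the inner `if`/`else`, followed by one `CloseHandle(hProcess);`, would replace both copies. Apart from taking `pid` directly, the body duplicates the opening section of `InjectDllAndStartHttpByPid` above; factoring that shared sequence into one static helper would keep the two from drifting. `hRemoteThread`, `lpSysLibAddr` and `hKernelModule` are declared without initializers; they are only read on the success path today, but brace-initializing them (`HANDLE hRemoteThread{};`) makes the next edit safe.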
@@ -916,6 +1091,9 @@ int main(int argc, char** argv) case 'P': port = std::atoi(optarg); break; + case 'I': + injectPid = std::atoi(optarg); + break; default: abort(); break; @@ -925,6 +1103,24 @@ int main(int argc, char** argv) if (pid) { FindHandles(pid, (LPSTR)"_WeChat_App_Instance_Identity_Mutex_Name", TRUE, TRUE); } + if (injectPid != 0 && cDllPath[0] != 0) + { + if(cDllPath[0] != '\0') + { + if (port == 0) { + std::wstring wsPath = Utf8ToUnicode(cDllPath); + int ret = InjectDllByPid(injectPid, (wchar_t*)wsPath.c_str()); + printf(" 注入结果:%i \n", ret); + } + else + { + std::wstring wsPath = Utf8ToUnicode(cDllPath); + int ret = InjectDllAndStartHttpByPid(injectPid, (wchar_t*)wsPath.c_str(), port); + printf(" 注入结果:%i \n", ret); + } + } + } + if (cInjectprogram[0] != 0 && cDllPath[0] != 0) {
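Review bot: `injectPid = std::atoi(optarg);` accepts any text and yields 0 for non-numeric or out-of-range input, and 0 is exactly the "not set" sentinel tested later (`injectPid != 0`), so a mistyped argument turns the option into a silent no-op; negative input is converted to a large unsigned value. Parse with `std::strtoul` and check the end pointer, e.g. `char* end = nullptr; injectPid = std::strtoul(optarg, &end, 10); if (*end != '\0') { fprintf(stderr, "invalid pid: %s\n", optarg); abort(); }`, matching the `default: abort();` style of the switch. The existing `-p` option stores into `ULONG pid` while this one uses `unsigned int`; using the same type for both would be more consistent, though the `-p` handler is outside this hunk. `main` starts and ends outside this hunk.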
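Review bot: The inner `if(cDllPath[0] != '\0')` repeats the `cDllPath[0] != 0` test of the enclosing condition and can be dropped, and both branches compute `Utf8ToUnicode(cDllPath)` and print the same result line, so the conversion and the `printf` can be hoisted with only the call differing: `int ret = port == 0 ? InjectDllByPid(injectPid, (wchar_t*)wsPath.c_str()) : InjectDllAndStartHttpByPid(injectPid, (wchar_t*)wsPath.c_str(), port);`. The `(wchar_t*)` casts discard the `const` of `c_str()`; both new functions only read `szDllPath` (`wcslen` and the `WriteProcessMemory` source argument), so declaring their parameter `const wchar_t* szDllPath` would let the casts go. `main` starts and ends outside this hunk.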