#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>
#include <windows.h>
#include <shellapi.h>
#include <stdbool.h>
#include "../obfuscate.h"
#include "../inject-library.h"
9 
10 #if defined(_MSC_VER) && !defined(inline)
11 #define inline __inline
12 #endif
13 
/*
 * Best-effort attempt to enable SeDebugPrivilege on the current process
 * token.
 *
 * Nothing is reported to the caller: if the token cannot be opened the
 * function returns early, and the result of AdjustTokenPrivileges() is not
 * inspected. Note that AdjustTokenPrivileges() can return nonzero without
 * granting the privilege (GetLastError() == ERROR_NOT_ALL_ASSIGNED), so a
 * later failure to open a target process is the only visible symptom.
 *
 * Once enabled, the privilege stays enabled on the token; it is not
 * disabled again anywhere in this function.
 */
static void load_debug_privilege(void)
{
	HANDLE proc_token;
	LUID debug_luid;
	TOKEN_PRIVILEGES request;

	if (!OpenProcessToken(GetCurrentProcess(),
			      TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
			      &proc_token)) {
		return;
	}

	if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &debug_luid)) {
		/* single-entry privilege set: enable SeDebugPrivilege */
		request.PrivilegeCount = 1;
		request.Privileges[0].Luid = debug_luid;
		request.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

		AdjustTokenPrivileges(proc_token, false, &request,
				      sizeof(request), NULL, NULL);
	}

	/* the token handle is released whether or not the lookup succeeded */
	CloseHandle(proc_token);
}
36 
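/*
 * Open a handle to another process through a function pointer that is
 * resolved at run time from KERNEL32 via get_obfuscated_func().
 *
 * The export name is passed in encoded form together with a 64-bit key, so
 * the name does not appear as a plain string or as an import-table entry of
 * this binary. Static triage based on imports will therefore not show the
 * call; it is visible only in run-time telemetry.
 * NOTE(review): from the pointer signature and the wrapper's name the
 * resolved export is presumably OpenProcess -- confirm against obfuscate.h.
 *
 * @param desired_access  access mask forwarded to the resolved function
 * @param inherit_handle  whether child processes inherit the handle
 * @param process_id      id of the process to open
 * @return the process handle, or NULL if KERNEL32 or the export could not
 *         be resolved or the resolved function itself returned NULL
 */
static inline HANDLE open_process(DWORD desired_access, bool inherit_handle,
				  DWORD process_id)
{
	HANDLE(WINAPI * open_process_proc)(DWORD, BOOL, DWORD);
	HMODULE kernel32 = GetModuleHandleW(L"KERNEL32");

	if (!kernel32) {
		return NULL;
	}

	open_process_proc = get_obfuscated_func(kernel32, "HxjcQrmkb|~",
						0xc82efdf78201df87);

	/*
	 * Calling through an unresolved pointer would crash the helper;
	 * report the failure as "no handle", which callers already handle.
	 */
	if (!open_process_proc) {
		return NULL;
	}

	return open_process_proc(desired_access, inherit_handle, process_id);
}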
47 
/*
 * Forward to inject_library_obf() with the five encoded name / 64-bit key
 * pairs it expects.
 *
 * The strings are opaque at this level: which exports they decode to is
 * decided inside inject_library_obf() / obfuscate.h, not here.
 * NOTE(review): because the names are decoded at run time, none of the
 * functions used for the injection show up in this binary's import table.
 *
 * @param process  handle to the target process (opened by the caller)
 * @param dll      path of the library to load into that process
 * @return the status code produced by inject_library_obf()
 */
static inline int inject_library(HANDLE process, const wchar_t *dll)
{
	const int status = inject_library_obf(
		process, dll,
		"E}mo|d[cefubWk~bgk", 0x7c3371986918e8f6,
		"Rqbr`T{cnor{Bnlgwz", 0x81bf81adc9456b35,
		"]`~wrl`KeghiCt", 0xadc6a7b9acd73c9b,
		"Zh}{}agHzfd@{", 0x57135138eb08ff1c,
		"DnafGhj}l~sX", 0x350bfacdf81b2018);

	return status;
}
57 
/*
 * Forward to inject_library_safe_obf() with its single encoded name /
 * 64-bit key pair.
 *
 * Unlike inject_library_full(), this path is keyed by a thread id and does
 * not open a process handle in this file.
 *
 * @param thread_id  id of a thread in the target process
 * @param dll        path of the library to load
 * @return the status code produced by inject_library_safe_obf()
 */
static inline int inject_library_safe(DWORD thread_id, const wchar_t *dll)
{
	const int status = inject_library_safe_obf(thread_id, dll,
						   "[bs^fbkmwuKfmfOvI",
						   0xEAD293602FCF9778ULL);

	return status;
}
63 
/*
 * Open the target process by id, inject the library into it, and close the
 * handle again.
 *
 * NOTE(review): the handle is requested with PROCESS_ALL_ACCESS. Which
 * rights inject_library_obf() actually needs is not visible from this file;
 * confirm them and narrow the mask to that set.
 *
 * @param process_id  id of the target process
 * @param dll         path of the library to load into that process
 * @return INJECT_ERROR_OPEN_PROCESS_FAIL if no handle could be obtained,
 *         otherwise the status code from inject_library()
 */
static inline int inject_library_full(DWORD process_id, const wchar_t *dll)
{
	HANDLE target = open_process(PROCESS_ALL_ACCESS, false, process_id);
	int status;

	if (!target) {
		return INJECT_ERROR_OPEN_PROCESS_FAIL;
	}

	status = inject_library(target, dll);
	CloseHandle(target);

	return status;
}
78 
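/*
 * Parse one command-line argument as an unsigned 32-bit decimal number.
 *
 * The whole string must be digits: an empty string, a leading sign or
 * whitespace, trailing characters, and values that do not fit in 32 bits
 * are all rejected rather than silently converted.
 *
 * @param text  NUL-terminated argument text
 * @param out   receives the parsed value on success
 * @return true if text was a well-formed number, false otherwise
 */
static bool parse_dword_arg(const wchar_t *text, DWORD *out)
{
	wchar_t *end = NULL;
	unsigned long value;

	/* wcstoul() skips whitespace and accepts '+'/'-'; require a digit */
	if (!text || text[0] < L'0' || text[0] > L'9') {
		return false;
	}

	errno = 0;
	value = wcstoul(text, &end, 10);
	if (errno == ERANGE || end == text || *end != L'\0') {
		return false;
	}

	/* only relevant where unsigned long is wider than 32 bits */
	if (value > 0xFFFFFFFFUL) {
		return false;
	}

	*out = (DWORD)value;
	return true;
}

/*
 * Select and run the injection path described by the command line.
 *
 * argv[2] is the "use safe inject" flag (0 selects the full path, any other
 * number the safe path) and argv[3] is the target id: a thread id for the
 * safe path, a process id for the full path. The caller must have verified
 * that argv holds at least four entries.
 *
 * Both arguments are validated strictly. This process runs with the debug
 * privilege requested and may open the target with broad access, so a
 * mistyped or truncated id must be rejected instead of being converted to
 * some other number and acted on.
 *
 * @param argv  wide-character argument vector
 * @param dll   path of the library to load
 * @return INJECT_ERROR_INVALID_PARAMS if either argument is malformed or
 *         the id is 0, otherwise the status of the selected injection path
 */
static int inject_helper(wchar_t *argv[], const wchar_t *dll)
{
	DWORD id;
	DWORD use_safe_inject;

	if (!parse_dword_arg(argv[2], &use_safe_inject) ||
	    !parse_dword_arg(argv[3], &id) || id == 0) {
		return INJECT_ERROR_INVALID_PARAMS;
	}

	return use_safe_inject ? inject_library_safe(id, dll)
			       : inject_library_full(id, dll);
}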
94 
95 #define UNUSED_PARAMETER(x) ((void)(x))
96 
/*
 * Entry point: <exe> <dll path> <use safe inject> <id>
 *
 * The ANSI argv is ignored; arguments are re-read as wide strings from the
 * process command line. Exactly four arguments (including the program name)
 * are required, otherwise INJECT_ERROR_INVALID_PARAMS is returned.
 *
 * NOTE(review): the library path handed to inject_helper() is argv[1]
 * verbatim. dll_path is filled by GetModuleFileNameW() but never read, so
 * the call only acts as a gate. Nothing here restricts which DLL is
 * accepted; if the helper is meant to load only the library shipped next to
 * it, compare argv[1] against a path derived from dll_path before
 * proceeding.
 */
int main(int argc, char *argv_ansi[])
{
	wchar_t dll_path[MAX_PATH];
	int status = INJECT_ERROR_INVALID_PARAMS;
	LPWSTR *wide_args;

	UNUSED_PARAMETER(argv_ansi);

	/* suppress the system's critical-error dialogs for this process */
	SetErrorMode(SEM_FAILCRITICALERRORS);
	load_debug_privilege();

	/* argc is overwritten with the wide-argument count */
	wide_args = CommandLineToArgvW(GetCommandLineW(), &argc);

	if (wide_args != NULL && argc == 4 &&
	    GetModuleFileNameW(NULL, dll_path, MAX_PATH) != 0) {
		status = inject_helper(wide_args, wide_args[1]);
	}

	/* CommandLineToArgvW() allocations are released with LocalFree() */
	LocalFree(wide_args);

	return status;
}
120