STRLCPY/GhostInjector

■ ■ ■ ■ ■ ■

.gitignore

1	+
2	+	.vs/
3	+
4	+	x64/Debug/
5	+
6	+	TestApp/x64/
7	+
8	+	Injector/x64/
9	+
10	+	TestDll/x64/
11	+

■ ■ ■ ■ ■ ■

GhostInjector.sln

1	+
2	+	Microsoft Visual Studio Solution File, Format Version 12.00
3	+	# Visual Studio Version 17
4	+	VisualStudioVersion = 17.9.34714.143
5	+	MinimumVisualStudioVersion = 10.0.40219.1
6	+	Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TestApp", "TestApp\TestApp.vcxproj", "{9D76CC14-C3F5-4390-9834-32F3095AB804}"
7	+	EndProject
8	+	Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TestDll", "TestDll\TestDll.vcxproj", "{C7E93F00-CA10-460E-863F-D6FAFA1ABC4A}"
9	+	EndProject
10	+	Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Injector", "Injector\Injector.vcxproj", "{D38009C3-0E80-40FE-956C-5ADB84617E94}"
11	+	EndProject
12	+	Global
13	+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
14	+	Debug\|x64 = Debug\|x64
15	+	Debug\|x86 = Debug\|x86
16	+	Release\|x64 = Release\|x64
17	+	Release\|x86 = Release\|x86
18	+	EndGlobalSection
19	+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
20	+	{9D76CC14-C3F5-4390-9834-32F3095AB804}.Debug\|x64.ActiveCfg = Debug\|x64
21	+	{9D76CC14-C3F5-4390-9834-32F3095AB804}.Debug\|x64.Build.0 = Debug\|x64
22	+	{9D76CC14-C3F5-4390-9834-32F3095AB804}.Debug\|x86.ActiveCfg = Debug\|Win32
23	+	{9D76CC14-C3F5-4390-9834-32F3095AB804}.Debug\|x86.Build.0 = Debug\|Win32
24	+	{9D76CC14-C3F5-4390-9834-32F3095AB804}.Release\|x64.ActiveCfg = Release\|x64
25	+	{9D76CC14-C3F5-4390-9834-32F3095AB804}.Release\|x64.Build.0 = Release\|x64
26	+	{9D76CC14-C3F5-4390-9834-32F3095AB804}.Release\|x86.ActiveCfg = Release\|Win32
27	+	{9D76CC14-C3F5-4390-9834-32F3095AB804}.Release\|x86.Build.0 = Release\|Win32
28	+	{C7E93F00-CA10-460E-863F-D6FAFA1ABC4A}.Debug\|x64.ActiveCfg = Debug\|x64
29	+	{C7E93F00-CA10-460E-863F-D6FAFA1ABC4A}.Debug\|x64.Build.0 = Debug\|x64
30	+	{C7E93F00-CA10-460E-863F-D6FAFA1ABC4A}.Debug\|x86.ActiveCfg = Debug\|Win32
31	+	{C7E93F00-CA10-460E-863F-D6FAFA1ABC4A}.Debug\|x86.Build.0 = Debug\|Win32
32	+	{C7E93F00-CA10-460E-863F-D6FAFA1ABC4A}.Release\|x64.ActiveCfg = Release\|x64
33	+	{C7E93F00-CA10-460E-863F-D6FAFA1ABC4A}.Release\|x64.Build.0 = Release\|x64
34	+	{C7E93F00-CA10-460E-863F-D6FAFA1ABC4A}.Release\|x86.ActiveCfg = Release\|Win32
35	+	{C7E93F00-CA10-460E-863F-D6FAFA1ABC4A}.Release\|x86.Build.0 = Release\|Win32
36	+	{D38009C3-0E80-40FE-956C-5ADB84617E94}.Debug\|x64.ActiveCfg = Debug\|x64
37	+	{D38009C3-0E80-40FE-956C-5ADB84617E94}.Debug\|x64.Build.0 = Debug\|x64
38	+	{D38009C3-0E80-40FE-956C-5ADB84617E94}.Debug\|x86.ActiveCfg = Debug\|Win32
39	+	{D38009C3-0E80-40FE-956C-5ADB84617E94}.Debug\|x86.Build.0 = Debug\|Win32
40	+	{D38009C3-0E80-40FE-956C-5ADB84617E94}.Release\|x64.ActiveCfg = Release\|x64
41	+	{D38009C3-0E80-40FE-956C-5ADB84617E94}.Release\|x64.Build.0 = Release\|x64
42	+	{D38009C3-0E80-40FE-956C-5ADB84617E94}.Release\|x86.ActiveCfg = Release\|Win32
43	+	{D38009C3-0E80-40FE-956C-5ADB84617E94}.Release\|x86.Build.0 = Release\|Win32
44	+	EndGlobalSection
45	+	GlobalSection(SolutionProperties) = preSolution
46	+	HideSolutionNode = FALSE
47	+	EndGlobalSection
48	+	GlobalSection(ExtensibilityGlobals) = postSolution
49	+	SolutionGuid = {DE6027CE-5F36-43FA-B527-6F69F6A137C4}
50	+	EndGlobalSection
51	+	EndGlobal
52	+

■ ■ ■ ■ ■ ■

Injector/Injector.vcxproj

1	+	<?xml version="1.0" encoding="utf-8"?>
2	+	<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3	+	<ItemGroup Label="ProjectConfigurations">
4	+	<ProjectConfiguration Include="Debug\|Win32">
5	+	<Configuration>Debug</Configuration>
6	+	<Platform>Win32</Platform>
7	+	</ProjectConfiguration>
8	+	<ProjectConfiguration Include="Release\|Win32">
9	+	<Configuration>Release</Configuration>
10	+	<Platform>Win32</Platform>
11	+	</ProjectConfiguration>
12	+	<ProjectConfiguration Include="Debug\|x64">
13	+	<Configuration>Debug</Configuration>
14	+	<Platform>x64</Platform>
15	+	</ProjectConfiguration>
16	+	<ProjectConfiguration Include="Release\|x64">
17	+	<Configuration>Release</Configuration>
18	+	<Platform>x64</Platform>
19	+	</ProjectConfiguration>
20	+	</ItemGroup>
21	+	<PropertyGroup Label="Globals">
22	+	<VCProjectVersion>17.0</VCProjectVersion>
23	+	<Keyword>Win32Proj</Keyword>
24	+	<ProjectGuid>{d38009c3-0e80-40fe-956c-5adb84617e94}</ProjectGuid>
25	+	<RootNamespace>Injector</RootNamespace>
26	+	<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
27	+	</PropertyGroup>
28	+	<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
29	+	<PropertyGroup Condition="'$(Configuration)\|$(Platform)'=='Debug\|Win32'" Label="Configuration">
30	+	<ConfigurationType>Application</ConfigurationType>
31	+	<UseDebugLibraries>true</UseDebugLibraries>
32	+	<PlatformToolset>v143</PlatformToolset>
33	+	<CharacterSet>Unicode</CharacterSet>
34	+	</PropertyGroup>
35	+	<PropertyGroup Condition="'$(Configuration)\|$(Platform)'=='Release\|Win32'" Label="Configuration">
36	+	<ConfigurationType>Application</ConfigurationType>
37	+	<UseDebugLibraries>false</UseDebugLibraries>
38	+	<PlatformToolset>v143</PlatformToolset>
39	+	<WholeProgramOptimization>true</WholeProgramOptimization>
40	+	<CharacterSet>Unicode</CharacterSet>
41	+	</PropertyGroup>
42	+	<PropertyGroup Condition="'$(Configuration)\|$(Platform)'=='Debug\|x64'" Label="Configuration">
43	+	<ConfigurationType>Application</ConfigurationType>
44	+	<UseDebugLibraries>true</UseDebugLibraries>
45	+	<PlatformToolset>v143</PlatformToolset>
46	+	<CharacterSet>Unicode</CharacterSet>
47	+	</PropertyGroup>
48	+	<PropertyGroup Condition="'$(Configuration)\|$(Platform)'=='Release\|x64'" Label="Configuration">
49	+	<ConfigurationType>Application</ConfigurationType>
50	+	<UseDebugLibraries>false</UseDebugLibraries>
51	+	<PlatformToolset>v143</PlatformToolset>
52	+	<WholeProgramOptimization>true</WholeProgramOptimization>
53	+	<CharacterSet>Unicode</CharacterSet>
54	+	</PropertyGroup>
55	+	<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
56	+	<ImportGroup Label="ExtensionSettings">
57	+	</ImportGroup>
58	+	<ImportGroup Label="Shared">
59	+	</ImportGroup>
60	+	<ImportGroup Label="PropertySheets" Condition="'$(Configuration)\|$(Platform)'=='Debug\|Win32'">
61	+	<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
62	+	</ImportGroup>
63	+	<ImportGroup Label="PropertySheets" Condition="'$(Configuration)\|$(Platform)'=='Release\|Win32'">
64	+	<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
65	+	</ImportGroup>
66	+	<ImportGroup Label="PropertySheets" Condition="'$(Configuration)\|$(Platform)'=='Debug\|x64'">
67	+	<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
68	+	</ImportGroup>
69	+	<ImportGroup Label="PropertySheets" Condition="'$(Configuration)\|$(Platform)'=='Release\|x64'">
70	+	<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
71	+	</ImportGroup>
72	+	<PropertyGroup Label="UserMacros" />
73	+	<ItemDefinitionGroup Condition="'$(Configuration)\|$(Platform)'=='Debug\|Win32'">
74	+	<ClCompile>
75	+	<WarningLevel>Level3</WarningLevel>
76	+	<SDLCheck>true</SDLCheck>
77	+	<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
78	+	<ConformanceMode>true</ConformanceMode>
79	+	</ClCompile>
80	+	<Link>
81	+	<SubSystem>Console</SubSystem>
82	+	<GenerateDebugInformation>true</GenerateDebugInformation>
83	+	</Link>
84	+	</ItemDefinitionGroup>
85	+	<ItemDefinitionGroup Condition="'$(Configuration)\|$(Platform)'=='Release\|Win32'">
86	+	<ClCompile>
87	+	<WarningLevel>Level3</WarningLevel>
88	+	<FunctionLevelLinking>true</FunctionLevelLinking>
89	+	<IntrinsicFunctions>true</IntrinsicFunctions>
90	+	<SDLCheck>true</SDLCheck>
91	+	<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
92	+	<ConformanceMode>true</ConformanceMode>
93	+	</ClCompile>
94	+	<Link>
95	+	<SubSystem>Console</SubSystem>
96	+	<EnableCOMDATFolding>true</EnableCOMDATFolding>
97	+	<OptimizeReferences>true</OptimizeReferences>
98	+	<GenerateDebugInformation>true</GenerateDebugInformation>
99	+	</Link>
100	+	</ItemDefinitionGroup>
101	+	<ItemDefinitionGroup Condition="'$(Configuration)\|$(Platform)'=='Debug\|x64'">
102	+	<ClCompile>
103	+	<WarningLevel>Level3</WarningLevel>
104	+	<SDLCheck>true</SDLCheck>
105	+	<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
106	+	<ConformanceMode>true</ConformanceMode>
107	+	<AdditionalIncludeDirectories>
108	+	</AdditionalIncludeDirectories>
109	+	</ClCompile>
110	+	<Link>
111	+	<SubSystem>Console</SubSystem>
112	+	<GenerateDebugInformation>true</GenerateDebugInformation>
113	+	</Link>
114	+	</ItemDefinitionGroup>
115	+	<ItemDefinitionGroup Condition="'$(Configuration)\|$(Platform)'=='Release\|x64'">
116	+	<ClCompile>
117	+	<WarningLevel>Level3</WarningLevel>
118	+	<FunctionLevelLinking>true</FunctionLevelLinking>
119	+	<IntrinsicFunctions>true</IntrinsicFunctions>
120	+	<SDLCheck>true</SDLCheck>
121	+	<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
122	+	<ConformanceMode>true</ConformanceMode>
123	+	<AdditionalIncludeDirectories>
124	+	</AdditionalIncludeDirectories>
125	+	<LanguageStandard>stdcpp14</LanguageStandard>
126	+	<Optimization>MaxSpeed</Optimization>
127	+	</ClCompile>
128	+	<Link>
129	+	<SubSystem>Console</SubSystem>
130	+	<EnableCOMDATFolding>true</EnableCOMDATFolding>
131	+	<OptimizeReferences>true</OptimizeReferences>
132	+	<GenerateDebugInformation>true</GenerateDebugInformation>
133	+	</Link>
134	+	</ItemDefinitionGroup>
135	+	<ItemGroup>
136	+	<ClCompile Include="ghostwrite.cpp" />
137	+	<ClCompile Include="injection.cpp" />
138	+	<ClCompile Include="main.cpp" />
139	+	<ClCompile Include="utils.cpp" />
140	+	</ItemGroup>
141	+	<ItemGroup>
142	+	<ClInclude Include="injection.h" />
143	+	<ClInclude Include="ntapi.h" />
144	+	<ClInclude Include="utils.h" />
145	+	</ItemGroup>
146	+	<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
147	+	<ImportGroup Label="ExtensionTargets">
148	+	</ImportGroup>
149	+	</Project>

■ ■ ■ ■ ■ ■

Injector/Injector.vcxproj.filters

1	+	<?xml version="1.0" encoding="utf-8"?>
2	+	<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3	+	<ItemGroup>
4	+	<Filter Include="Source Files">
5	+	<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
6	+	<Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
7	+	</Filter>
8	+	<Filter Include="Header Files">
9	+	<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10	+	<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11	+	</Filter>
12	+	<Filter Include="Resource Files">
13	+	<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14	+	<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15	+	</Filter>
16	+	</ItemGroup>
17	+	<ItemGroup>
18	+	<ClCompile Include="main.cpp">
19	+	<Filter>Source Files</Filter>
20	+	</ClCompile>
21	+	<ClCompile Include="ghostwrite.cpp">
22	+	<Filter>Source Files</Filter>
23	+	</ClCompile>
24	+	<ClCompile Include="injection.cpp">
25	+	<Filter>Source Files</Filter>
26	+	</ClCompile>
27	+	<ClCompile Include="utils.cpp">
28	+	<Filter>Source Files</Filter>
29	+	</ClCompile>
30	+	</ItemGroup>
31	+	<ItemGroup>
32	+	<ClInclude Include="injection.h">
33	+	<Filter>Header Files</Filter>
34	+	</ClInclude>
35	+	<ClInclude Include="ntapi.h">
36	+	<Filter>Header Files</Filter>
37	+	</ClInclude>
38	+	<ClInclude Include="utils.h">
39	+	<Filter>Header Files</Filter>
40	+	</ClInclude>
41	+	</ItemGroup>
42	+	</Project>

■ ■ ■ ■ ■ ■

Injector/Injector.vcxproj.user

1	+	<?xml version="1.0" encoding="utf-8"?>
2	+	<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3	+	<PropertyGroup />
4	+	</Project>

■ ■ ■ ■ ■ ■

Injector/ghostwrite.cpp

1	+	#include "injection.h"
2	+
3	+
4	+	bool GhostWrite::Init(uint32_t pid) {
5	+	//
6	+	// open thread
7	+	//
8	+
9	+	std::vector<uint32_t> threadIds = ListProcessThreads(pid);
10	+
11	+	std::printf("Thread Ids:\n");
12	+	for (uint32_t tid : threadIds)
13	+	std::printf(" -> %d\n", tid);
14	+
15	+	if (threadIds.empty())
16	+	return false;
17	+
18	+	if (!(thread.handle = OpenThread(THREAD_ALL_ACCESS, FALSE, threadIds[0])))
19	+	return false;
20	+
21	+	std::printf("opened handle to thread, handle: 0x%p\n", thread.handle);
22	+
23	+	//
24	+	// retreive gadgets
25	+	//
26	+
27	+	uint8_t* ntdll = GetLoadedModule(L"ntdll.dll");
28	+	if (!(writeGadgetAddr = reinterpret_cast<uintptr_t>(PatternScanSect(ntdll, ".text", { 0x48, 0x89, 0x02, 0xC3 }, "xxxx"))))
29	+	return false;
30	+
31	+	if (!(readGadgetAddr = reinterpret_cast<uintptr_t>(PatternScanSect(ntdll, ".text", { 0x48, 0x8B, 0x00, 0xC3 }, "xxxx"))))
32	+	return false;
33	+
34	+	if (!(jmp0GadgetAddr = reinterpret_cast<uintptr_t>(PatternScanSect(ntdll, ".text", { 0xEB, 0xFE }, "xx"))))
35	+	return false;
36	+
37	+	std::printf("->write gadget: 0x%llx\n", writeGadgetAddr);
38	+	std::printf("->read gadget: 0x%llx\n", readGadgetAddr);
39	+	std::printf("->jmp 0 gadget: 0x%llx\n", jmp0GadgetAddr);
40	+
41	+	// save context
42	+	CONTEXT savedCtx = {};
43	+	thread.Suspend();
44	+	thread.GetContext(&savedCtx, CONTEXT_FULL);
45	+
46	+	CONTEXT ctx = {};
47	+	thread.GetContext(&ctx, CONTEXT_FULL);
48	+
49	+	ctx.Rip = jmp0GadgetAddr;
50	+	thread.SetContext(&ctx);
51	+	WaitForAutoLock(&ctx);
52	+
53	+	// set up return address gadget (jmp 0)
54	+	jmp0StackAddr = ctx.Rsp - 0x1500;
55	+	WriteQword(jmp0StackAddr, jmp0GadgetAddr);
56	+
57	+	std::printf("->jmp 0 stack address: 0x%llx\n", jmp0StackAddr);
58	+	}
59	+
60	+	uintptr_t GhostWrite::Allocate(uint64_t size) {
61	+	CONTEXT ctx = {};
62	+	thread.GetContext(&ctx, CONTEXT_FULL);
63	+
64	+	ctx.Rsp = jmp0StackAddr - 0x400;
65	+	uintptr_t remoteMem = Push(&ctx, 0);
66	+	uintptr_t memSize = Push(&ctx, size);
67	+
68	+	std::printf("triggering NtAllocateVirtualMemory\n");
69	+	if (NT_ERROR(TriggerFunction(NtAllocateVirtualMemory, { static_cast<uintptr_t>(-1), remoteMem, 0, memSize, MEM_COMMIT \| MEM_RESERVE, PAGE_EXECUTE_READWRITE })))
70	+	return false;
71	+
72	+	remoteMem = ReadQword(remoteMem);
73	+	std::printf("allocated memory at: 0x%llx\n", remoteMem);
74	+
75	+	return remoteMem;
76	+	}
77	+
78	+	void GhostWrite::LoadLib(std::string name) {
79	+	CONTEXT ctx = {};
80	+	thread.GetContext(&ctx, CONTEXT_FULL);
81	+
82	+	ctx.Rsp = jmp0StackAddr - 0x400;
83	+	ctx.Rsp -= name.size() + 8;
84	+	WriteMemory(ctx.Rsp, std::vector<uint8_t>(name.begin(), name.end()));
85	+
86	+	std::printf("triggering LoadLibrary\n");
87	+	TriggerFunction(LoadLibraryA, { ctx.Rsp });
88	+	}
89	+
90	+	void GhostWrite::WriteMemory(uintptr_t addr, std::vector<uint8_t> data) {
91	+	// add padding
92	+	if (data.size() % 8)
93	+	data.insert(data.end(), data.size() % 8, 0x00);
94	+
95	+	for (int i = 0; i < data.size(); i += 8) {
96	+	WriteQword(addr + i, reinterpret_cast<uint64_t>(data.data() + i));
97	+	std::printf("\rwriting memory (%d/%d)", i, static_cast<int>(data.size()));
98	+	}
99	+	std::fflush(stdout);
100	+	std::printf("\n");
101	+	}
102	+
103	+	uint64_t GhostWrite::TriggerFunction(void* func, std::vector<uint64_t> args) {
104	+	uint64_t result = 0;
105	+	CONTEXT ctx = {};
106	+	thread.GetContext(&ctx, CONTEXT_FULL);
107	+
108	+	// initialize stack
109	+	ctx.Rsp = jmp0StackAddr; // jmp 0 --> infinite loop
110	+
111	+	//
112	+	// initialize args
113	+	//
114	+
115	+	for (int i = 0; i < args.size(); i++) {
116	+	if (i == 0) { ctx.Rcx = args[i]; std::printf("\t->Rcx: 0x%llx\n", args[i]); }
117	+	if (i == 1) { ctx.Rdx = args[i]; std::printf("\t->Rdx: 0x%llx\n", args[i]); }
118	+	if (i == 2) { ctx.R8 = args[i]; std::printf("\t->R8: 0x%llx\n", args[i]); }
119	+	if (i == 3) { ctx.R9 = args[i]; std::printf("\t->R9: 0x%llx\n", args[i]); }
120	+
121	+	if (i > 3) {
122	+	int j = i - 3;
123	+	int offset = j * 8 + 0x20;
124	+	WriteQword(ctx.Rsp + offset, args[i]);
125	+	std::printf("\tpushed arg[%d]: 0x%llx --> rsp: 0x%llx\n", i, args[i], ctx.Rsp + offset);
126	+	}
127	+	}
128	+
129	+	//
130	+	// call function
131	+	//
132	+
133	+	ctx.Rip = reinterpret_cast<uintptr_t>(func);
134	+	thread.SetContext(&ctx);
135	+	WaitForAutoLock(&ctx);
136	+
137	+	std::printf("\ttriggered function\n");
138	+
139	+	//
140	+	// retrieve return value
141	+	//
142	+
143	+	if (thread.GetExitCode() == STILL_ACTIVE) {
144	+	thread.Suspend();
145	+	thread.GetContext(&ctx, CONTEXT_FULL);
146	+	result = ctx.Rax;
147	+	thread.Resume();
148	+	}
149	+
150	+	std::printf("\t->rax: 0x%llx\n", result);
151	+	return result;
152	+	}
153	+
154	+
155	+	void GhostWrite::WaitForAutoLock(CONTEXT* ctx) {
156	+	while (true) {
157	+	thread.Resume();
158	+	thread.Suspend();
159	+	thread.GetContext(ctx, CONTEXT_FULL);
160	+
161	+	if (ctx->Rip == jmp0GadgetAddr)
162	+	break;
163	+
164	+	Sleep(5);
165	+	}
166	+	}
167	+
168	+	void GhostWrite::WriteQword(uintptr_t addr, uint64_t value) {
169	+	CONTEXT ctx = {};
170	+	thread.GetContext(&ctx, CONTEXT_FULL);
171	+
172	+	// mov qword ptr [rdx], rax
173	+	// ret
174	+	ctx.Rdx = addr;
175	+	ctx.Rax = value;
176	+	ctx.Rip = writeGadgetAddr; // IF IT CRASHES, TRY PLACING A BREAKPOINT HERE, AND THEN REMOVE IT AND CONTINUE, IDK HOW TO FIX THIS ITS WEIRD
177	+	ctx.Rsp = jmp0StackAddr; // jmp 0 --> infinite loop
178	+
179	+	assert(ctx.Rax == value && ctx.Rdx == addr);
180	+
181	+	thread.SetContext(&ctx);
182	+	WaitForAutoLock(&ctx);
183	+	}
184	+
185	+	uintptr_t GhostWrite::ReadQword(uintptr_t addr) {
186	+	CONTEXT ctx = {};
187	+	thread.GetContext(&ctx, CONTEXT_FULL);
188	+
189	+	// mov rax, qword ptr [rax]
190	+	// ret
191	+	ctx.Rax = addr;
192	+	ctx.Rip = readGadgetAddr;
193	+	ctx.Rsp = jmp0StackAddr;
194	+
195	+	assert(ctx.Rax == addr);
196	+
197	+	thread.SetContext(&ctx);
198	+	WaitForAutoLock(&ctx);
199	+
200	+	return ctx.Rax;
201	+	}
202	+
203	+	uintptr_t GhostWrite::Push(CONTEXT* ctx, uint64_t value) {
204	+	ctx->Rsp -= 8;
205	+	WriteQword(ctx->Rsp, value);
206	+	return ctx->Rsp;
207	+	}
208	+
209	+	void GhostWrite::Pop(CONTEXT* ctx) {
210	+	WriteQword(ctx->Rsp, 0);
211	+	ctx->Rsp += 8;
212	+	}

■ ■ ■ ■ ■ ■

Injector/injection.cpp

1	+	#include "injection.h"
2	+
3	+	bool InjectDll(std::vector<uint8_t> fileData, uint32_t pid) {
4	+	PeHeader peHdr(fileData.data());
5	+
6	+	uint64_t imgSize = peHdr.ntHdr->OptionalHeader.SizeOfImage;
7	+	uint64_t hdrSize = peHdr.ntHdr->OptionalHeader.SizeOfHeaders;
8	+
9	+	//
10	+	// allocate remote buffer
11	+	//
12	+
13	+	GhostWrite gw;
14	+	gw.Init(pid);
15	+	uintptr_t remoteMem = gw.Allocate(imgSize - hdrSize);
16	+
17	+
18	+	//
19	+	// fix base reloc
20	+	//
21	+
22	+	std::printf("resolving base relocs...\n");
23	+	auto baseReloc = peHdr.RVAToPtr<IMAGE_BASE_RELOCATION*>(peHdr.dataDir[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
24	+	uint64_t delta = (remoteMem - peHdr.ntHdr->OptionalHeader.ImageBase);
25	+
26	+	while (baseReloc->SizeOfBlock) {
27	+	if (baseReloc->SizeOfBlock >= sizeof(IMAGE_BASE_RELOCATION)) {
28	+	int count = (baseReloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) / sizeof(uint16_t));
29	+	BaseRelocEntry* entries = reinterpret_cast<BaseRelocEntry*>(baseReloc + 1);
30	+
31	+	for (int i = 0; i < count; i++) {
32	+	auto& entry = entries[i];
33	+	assert(entry.type == IMAGE_REL_BASED_DIR64);
34	+
35	+	uint64_t* ptr = peHdr.RVAToPtr<uint64_t*>(baseReloc->VirtualAddress + entry.offset);
36	+	*ptr += delta;
37	+	}
38	+	}
39	+	baseReloc = reinterpret_cast<IMAGE_BASE_RELOCATION>(reinterpret_cast<uint8_t>(baseReloc) + baseReloc->SizeOfBlock);
40	+	}
41	+	std::printf("base relocs resolved\n");
42	+
43	+	//
44	+	// fix imports
45	+	//
46	+
47	+	std::printf("resolving imports ..\n");
48	+
49	+	auto importDesc = peHdr.RVAToPtr<IMAGE_IMPORT_DESCRIPTOR*>(peHdr.dataDir[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
50	+	while (importDesc->Characteristics) {
51	+	std::string libName = std::string(peHdr.RVAToPtr<char*>(importDesc->Name));
52	+
53	+	HMODULE hModule = LoadLibraryA(libName.c_str());
54	+	if (!hModule) return false;
55	+
56	+	gw.LoadLib(libName); // load library in remote process
57	+
58	+	auto origFirstThunk = peHdr.RVAToPtr<IMAGE_THUNK_DATA*>(importDesc->OriginalFirstThunk);
59	+	auto firstThunk = peHdr.RVAToPtr<IMAGE_THUNK_DATA*>(importDesc->FirstThunk);
60	+
61	+	while (origFirstThunk->u1.AddressOfData) {
62	+	void* func = 0;
63	+	char* impName = nullptr;
64	+
65	+	if (origFirstThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG)
66	+	impName = reinterpret_cast<char*>(origFirstThunk->u1.Ordinal & 0xFFFF);
67	+	else
68	+	impName = (peHdr.RVAToPtr<IMAGE_IMPORT_BY_NAME*>(origFirstThunk->u1.AddressOfData))->Name;
69	+
70	+	if (!(func = GetProcAddress(hModule, impName)))
71	+	return false;
72	+
73	+	firstThunk->u1.Function = reinterpret_cast<uintptr_t>(func);
74	+
75	+	origFirstThunk++;
76	+	firstThunk++;
77	+	}
78	+	importDesc++;
79	+	}
80	+	std::printf("imports resolved\n");
81	+
82	+	//
83	+	// map into memory
84	+	//
85	+
86	+	for (auto sectHdr : peHdr.sectHdrs) {
87	+	uintptr_t writeAddr = remoteMem + sectHdr->VirtualAddress - hdrSize;
88	+	uint8_t* sectStart = fileData.data() + sectHdr->PointerToRawData;
89	+
90	+	std::printf("mapping section, name: %.8s, size: %d, ---> 0x%llx\n", sectHdr->Name, sectHdr->SizeOfRawData, writeAddr);
91	+	gw.WriteMemory(writeAddr, std::vector<uint8_t>(sectStart, sectStart + sectHdr->SizeOfRawData));
92	+	}
93	+
94	+	uintptr_t remoteEntry = remoteMem + peHdr.ntHdr->OptionalHeader.AddressOfEntryPoint - hdrSize;
95	+
96	+	//
97	+	// execute
98	+	//
99	+
100	+	std::printf("triggering dll entrypoint : 0x%llx\n", remoteEntry);
101	+	gw.TriggerFunction(reinterpret_cast<void*>(remoteEntry), { remoteMem, DLL_PROCESS_ATTACH, 0 });
102	+	}

■ ■ ■ ■ ■ ■

Injector/injection.h

1	+	#include <iostream>
2	+	#include <windows.h>
3	+	#include <string>
4	+
5	+	#pragma once
6	+
7	+	#include "utils.h"
8	+
9	+	#pragma comment(lib, "ntdll.lib")
10	+
11	+
12	+	bool InjectDll(std::vector<uint8_t> fileData, uint32_t pid);
13	+
14	+
15	+	class Thread {
16	+	public:
17	+	HANDLE handle = 0;
18	+	bool suspended = false;
19	+
20	+	void Suspend() {
21	+	if (!suspended)
22	+	if (SuspendThread(handle) == ERROR_SUCCESS)
23	+	suspended = true;
24	+	}
25	+
26	+	void Resume() {
27	+	if (suspended)
28	+	if (ResumeThread(handle) == ERROR_SUCCESS)
29	+	suspended = false;
30	+	}
31	+
32	+	void SuspendResume(std::function<void()> func) {
33	+	this->Suspend();
34	+	func();
35	+	this->Resume();
36	+	}
37	+
38	+	void GetContext(CONTEXT* ctx, uint32_t flags) {
39	+	ctx->ContextFlags = flags;
40	+	GetThreadContext(handle, ctx);
41	+	}
42	+
43	+	void SetContext(CONTEXT* ctx) {
44	+	SetThreadContext(handle, ctx);
45	+	}
46	+
47	+	uint32_t GetExitCode() {
48	+	DWORD exitCode = 0;
49	+	GetExitCodeThread(handle, &exitCode);
50	+	return exitCode;
51	+	}
52	+	};
53	+
54	+
55	+	class GhostWrite {
56	+	public:
57	+	CONTEXT savedCtx = {};
58	+	bool Init(uint32_t pid);
59	+
60	+	uintptr_t Allocate(uint64_t size);
61	+	void LoadLib(std::string name);
62	+	void WriteMemory(uintptr_t addr, std::vector<uint8_t> data);
63	+
64	+	uint64_t TriggerFunction(void* func, std::vector<uint64_t> args);
65	+
66	+	private:
67	+	void WaitForAutoLock(CONTEXT* ctx);
68	+	void WriteQword(uintptr_t addr, uint64_t value);
69	+	uintptr_t ReadQword(uintptr_t addr);
70	+
71	+	uintptr_t Push(CONTEXT* ctx, uint64_t value);
72	+	void Pop(CONTEXT* ctx);
73	+
74	+	Thread thread = {};
75	+	uintptr_t writeGadgetAddr = 0;
76	+	uintptr_t readGadgetAddr = 0;
77	+	uintptr_t jmp0GadgetAddr = 0;
78	+	uintptr_t jmp0StackAddr = 0;
79	+	};
80	+

■ ■ ■ ■ ■ ■

Injector/main.cpp

1	+	#include <iostream>
2	+	#include "injection.h"
3	+
4	+	int main() {
5	+	uint32_t pid = FindPidByName(L"TestApp.exe");
6	+	std::printf("TestApp.exe process ID: %d\n", pid);
7	+
8	+	std::printf("enter dll path: ");
9	+	std::string dllPath = "";
10	+	std::cin >> dllPath;
11	+
12	+	InjectDll(FileToBytes(dllPath), pid);
13	+	}
14	+

Injector/ntapi.h

Diff is too large to be displayed.

■ ■ ■ ■ ■ ■

Injector/utils.cpp

1	+	#include "utils.h"
2	+	#include <fstream>
3	+
4	+
5	+	std::vector<uint8_t> FileToBytes(std::string path) {
6	+	std::ifstream file(path, std::ios::binary);
7	+
8	+	if (!file.is_open())
9	+	return {};
10	+
11	+	return std::vector<uint8_t>(std::istreambuf_iterator<char>(file), std::istreambuf_iterator<char>());
12	+	}
13	+
14	+	uint32_t FindPidByName(std::wstring name) {
15	+	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
16	+
17	+	if (hSnapshot == INVALID_HANDLE_VALUE)
18	+	return 0;
19	+
20	+	PROCESSENTRY32 procEntry;
21	+	procEntry.dwSize = sizeof(PROCESSENTRY32);
22	+
23	+	uint32_t pid = 0;
24	+
25	+	if (Process32First(hSnapshot, &procEntry)) {
26	+	do {
27	+	if (std::wstring(procEntry.szExeFile) == name) {
28	+	pid = procEntry.th32ProcessID;
29	+	CloseHandle(hSnapshot);
30	+	break;
31	+	}
32	+	} while (Process32Next(hSnapshot, &procEntry));
33	+	}
34	+
35	+	return pid;
36	+	}
37	+
38	+
39	+	std::vector<uint32_t> ListProcessThreads(uint32_t pid) {
40	+	std::vector<uint32_t> tids = {};
41	+
42	+	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
43	+
44	+	if (hSnapshot == INVALID_HANDLE_VALUE)
45	+	return {};
46	+
47	+	THREADENTRY32 threadEntry;
48	+	threadEntry.dwSize = sizeof(THREADENTRY32);
49	+
50	+	if (Thread32First(hSnapshot, &threadEntry)) {
51	+	do {
52	+	if (threadEntry.th32OwnerProcessID == pid) {
53	+	tids.push_back(threadEntry.th32ThreadID);
54	+	}
55	+	} while (Thread32Next(hSnapshot, &threadEntry));
56	+	}
57	+
58	+	CloseHandle(hSnapshot);
59	+	return tids;
60	+	}
61	+
62	+
63	+	PEB* GetPeb() {
64	+	return reinterpret_cast<PEB*>(__readgsqword(0x60));
65	+	}
66	+
67	+
68	+	uint8_t* GetLoadedModule(std::wstring name) {
69	+	PEB* peb = GetPeb();
70	+
71	+	LIST_ENTRY* head = peb->Ldr->InMemoryOrderModuleList.Flink;
72	+	LIST_ENTRY* curr = head;
73	+
74	+	for (int count = 0;; count++) {
75	+	if (count && curr == head)
76	+	break;
77	+
78	+	auto entry = reinterpret_cast<LDR_DATA_TABLE_ENTRY>(reinterpret_cast<uint8_t>(curr) - sizeof(LIST_ENTRY));
79	+
80	+	if (entry->BaseDllName.Buffer) {
81	+	if (std::wstring(entry->BaseDllName.Buffer) == name)
82	+	return reinterpret_cast<uint8_t*>(entry->DllBase);
83	+	}
84	+	curr = curr->Flink;
85	+	}
86	+	return nullptr;
87	+	}
88	+
89	+
90	+
91	+	uint32_t PeHeader::RVAToFileOffset(uint32_t rva) {
92	+	for (auto sectHdr : sectHdrs) {
93	+	uint32_t sectSize = sectHdr->Misc.VirtualSize ? sectHdr->Misc.VirtualSize : sectHdr->SizeOfRawData;
94	+
95	+	if (rva >= sectHdr->VirtualAddress && rva <= sectHdr->VirtualAddress + sectSize)
96	+	return rva - sectHdr->VirtualAddress + sectHdr->PointerToRawData;
97	+	}
98	+	return 0;
99	+	}
100	+
101	+	void FindSection(uint8_t* image, std::string sectName, uint32_t requiredFlags, uint8_t out_start, uint8_t out_end) {
102	+	PeHeader peHeader(image);
103	+	for (auto sectHdr : peHeader.sectHdrs) {
104	+	uint8_t* start = image + sectHdr->VirtualAddress;
105	+	uint8_t* end = start + sectHdr->Misc.VirtualSize;
106	+
107	+	if ((requiredFlags == NULL \|\| sectHdr->Characteristics & requiredFlags)
108	+	&& (sectName.empty() \|\| !memcmp(sectHdr->Name, sectName.c_str(), sizeof(sectHdr->Name)))) {
109	+	*out_start = start;
110	+	*out_end = end;
111	+	return;
112	+	}
113	+	}
114	+	}
115	+
116	+
117	+	uint8_t* PatternScan(uint8_t* startAddr, uint8_t* endAddr, std::vector<uint8_t> pattern, std::string mask) {
118	+	for (uint8_t* addr = startAddr; addr < (endAddr - mask.size()); addr++) {
119	+	bool found = true;
120	+	for (int i = 0; i < mask.size(); i++) {
121	+	if (mask[i] != '?' && addr[i] != pattern[i]) {
122	+	found = false;
123	+	break;
124	+	}
125	+	}
126	+	if (found) return addr;
127	+	}
128	+
129	+	return nullptr;
130	+	}
131	+
132	+	uint8_t* PatternScanSect(uint8_t* image, std::string sectName, std::vector<uint8_t> pattern, std::string mask) {
133	+	uint8_t* start = 0;
134	+	uint8_t* end = 0;
135	+
136	+	FindSection(image, sectName, NULL, &start, &end);
137	+
138	+	if (!start \|\| !end)
139	+	return nullptr;
140	+
141	+	return PatternScan(start, end, pattern, mask);
142	+	}
143	+
144	+

■ ■ ■ ■ ■ ■

Injector/utils.h

1	+	#include <iostream>
2	+	#include <vector>
3	+	#include <Windows.h>
4	+	#include <TlHelp32.h>
5	+	#include <assert.h>
6	+	#include <functional>
7	+	#include "ntapi.h"
8	+
9	+	#pragma once
10	+
11	+	std::vector<uint8_t> FileToBytes(std::string path);
12	+
13	+	uint32_t FindPidByName(std::wstring name);
14	+	std::vector<uint32_t> ListProcessThreads(uint32_t pid);
15	+
16	+	PEB* GetPeb();
17	+	uint8_t* GetLoadedModule(std::wstring name);
18	+
19	+
20	+	struct PeHeader {
21	+	uint8_t* image;
22	+
23	+	IMAGE_DOS_HEADER* dosHdr;
24	+	IMAGE_NT_HEADERS* ntHdr;
25	+	std::vector<IMAGE_SECTION_HEADER*> sectHdrs;
26	+
27	+	IMAGE_DATA_DIRECTORY* dataDir;
28	+
29	+	PeHeader(uint8_t* _image) {
30	+	image = _image;
31	+	dosHdr = reinterpret_cast<IMAGE_DOS_HEADER*>(image);
32	+	ntHdr = reinterpret_cast<IMAGE_NT_HEADERS*>(image + dosHdr->e_lfanew);
33	+
34	+	IMAGE_SECTION_HEADER* curr = IMAGE_FIRST_SECTION(ntHdr);
35	+	for (int i = 0; i < ntHdr->FileHeader.NumberOfSections; i++) {
36	+	sectHdrs.push_back(curr);
37	+	curr++;
38	+	}
39	+
40	+	dataDir = ntHdr->OptionalHeader.DataDirectory;
41	+	}
42	+
43	+	uint32_t RVAToFileOffset(uint32_t rva);
44	+
45	+	template<typename T>
46	+	T RVAToPtr(uint32_t rva) {
47	+	return reinterpret_cast<T>(image + RVAToFileOffset(rva));
48	+	}
49	+	};
50	+
51	+	struct BaseRelocEntry {
52	+	uint16_t offset : 12;
53	+	uint16_t type : 4;
54	+	};
55	+
56	+	void FindSection(uint8_t* image, std::string sectName, uint32_t requiredFlags, uint8_t out_start, uint8_t out_end);
57	+
58	+	uint8_t* PatternScan(uint8_t* startAddr, uint8_t* endAddr, std::vector<uint8_t> pattern, std::string mask);
59	+	uint8_t* PatternScanSect(uint8_t* image, std::string sectName, std::vector<uint8_t> pattern, std::string mask);
60	+

■ ■ ■ ■ ■ ■

TestApp/TestApp.cpp

1	+	#include <iostream>
2	+	#include <Windows.h>
3	+
4	+	int main() {
5	+	while (true) {
6	+	Sleep(200);
7	+	}
8	+	}
9	+

■ ■ ■ ■ ■ ■

TestApp/TestApp.vcxproj

1	+	<?xml version="1.0" encoding="utf-8"?>
2	+	<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3	+	<ItemGroup Label="ProjectConfigurations">
4	+	<ProjectConfiguration Include="Debug\|Win32">
5	+	<Configuration>Debug</Configuration>
6	+	<Platform>Win32</Platform>
7	+	</ProjectConfiguration>
8	+	<ProjectConfiguration Include="Release\|Win32">
9	+	<Configuration>Release</Configuration>
10	+	<Platform>Win32</Platform>
11	+	</ProjectConfiguration>
12	+	<ProjectConfiguration Include="Debug\|x64">
13	+	<Configuration>Debug</Configuration>
14	+	<Platform>x64</Platform>
15	+	</ProjectConfiguration>
16	+	<ProjectConfiguration Include="Release\|x64">
17	+	<Configuration>Release</Configuration>
18	+	<Platform>x64</Platform>
19	+	</ProjectConfiguration>
20	+	</ItemGroup>
21	+	<PropertyGroup Label="Globals">
22	+	<VCProjectVersion>17.0</VCProjectVersion>
23	+	<Keyword>Win32Proj</Keyword>
24	+	<ProjectGuid>{9d76cc14-c3f5-4390-9834-32f3095ab804}</ProjectGuid>
25	+	<RootNamespace>TestApp</RootNamespace>
26	+	<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
27	+	</PropertyGroup>
28	+	<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
29	+	<PropertyGroup Condition="'$(Configuration)\|$(Platform)'=='Debug\|Win32'" Label="Configuration">
30	+	<ConfigurationType>Application</ConfigurationType>
31	+	<UseDebugLibraries>true</UseDebugLibraries>
32	+	<PlatformToolset>v143</PlatformToolset>
33	+	<CharacterSet>Unicode</CharacterSet>
34	+	</PropertyGroup>
35	+	<PropertyGroup Condition="'$(Configuration)\|$(Platform)'=='Release\|Win32'" Label="Configuration">
36	+	<ConfigurationType>Application</ConfigurationType>
37	+	<UseDebugLibraries>false</UseDebugLibraries>
38	+	<PlatformToolset>v143</PlatformToolset>
39	+	<WholeProgramOptimization>true</WholeProgramOptimization>
40	+	<CharacterSet>Unicode</CharacterSet>
41	+	</PropertyGroup>
42	+	<PropertyGroup Condition="'$(Configuration)\|$(Platform)'=='Debug\|x64'" Label="Configuration">
43	+	<ConfigurationType>Application</ConfigurationType>
44	+	<UseDebugLibraries>true</UseDebugLibraries>
45	+	<PlatformToolset>v143</PlatformToolset>
46	+	<CharacterSet>Unicode</CharacterSet>
47	+	</PropertyGroup>
48	+	<PropertyGroup Condition="'$(Configuration)\|$(Platform)'=='Release\|x64'" Label="Configuration">
49	+	<ConfigurationType>Application</ConfigurationType>
50	+	<UseDebugLibraries>false</UseDebugLibraries>
51	+	<PlatformToolset>v143</PlatformToolset>
52	+	<WholeProgramOptimization>true</WholeProgramOptimization>
53	+	<CharacterSet>Unicode</CharacterSet>
54	+	</PropertyGroup>
55	+	<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
56	+	<ImportGroup Label="ExtensionSettings">
57	+	</ImportGroup>
58	+	<ImportGroup Label="Shared">
59	+	</ImportGroup>
60	+	<ImportGroup Label="PropertySheets" Condition="'$(Configuration)\|$(Platform)'=='Debug\|Win32'">
61	+	<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
62	+	</ImportGroup>
63	+	<ImportGroup Label="PropertySheets" Condition="'$(Configuration)\|$(Platform)'=='Release\|Win32'">
64	+	<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
65	+	</ImportGroup>
66	+	<ImportGroup Label="PropertySheets" Condition="'$(Configuration)\|$(Platform)'=='Debug\|x64'">
67	+	<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
68	+	</ImportGroup>
69	+	<ImportGroup Label="PropertySheets" Condition="'$(Configuration)\|$(Platform)'=='Release\|x64'">
70	+	<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
71	+	</ImportGroup>
72	+	<PropertyGroup Label="UserMacros" />
73	+	<ItemDefinitionGroup Condition="'$(Configuration)\|$(Platform)'=='Debug\|Win32'">
74	+	<ClCompile>
75	+	<WarningLevel>Level3</WarningLevel>
76	+	<SDLCheck>true</SDLCheck>
77	+	<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
78	+	<ConformanceMode>true</ConformanceMode>
79	+	</ClCompile>
80	+	<Link>
81	+	<SubSystem>Console</SubSystem>
82	+	<GenerateDebugInformation>true</GenerateDebugInformation>
83	+	</Link>
84	+	</ItemDefinitionGroup>
85	+	<ItemDefinitionGroup Condition="'$(Configuration)\|$(Platform)'=='Release\|Win32'">
86	+	<ClCompile>
87	+	<WarningLevel>Level3</WarningLevel>
88	+	<FunctionLevelLinking>true</FunctionLevelLinking>
89	+	<IntrinsicFunctions>true</IntrinsicFunctions>
90	+	<SDLCheck>true</SDLCheck>
91	+	<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
92	+	<ConformanceMode>true</ConformanceMode>
93	+	</ClCompile>
94	+	<Link>
95	+	<SubSystem>Console</SubSystem>
96	+	<EnableCOMDATFolding>true</EnableCOMDATFolding>
97	+	<OptimizeReferences>true</OptimizeReferences>
98	+	<GenerateDebugInformation>true</GenerateDebugInformation>
99	+	</Link>
100	+	</ItemDefinitionGroup>
101	+	<ItemDefinitionGroup Condition="'$(Configuration)\|$(Platform)'=='Debug\|x64'">
102	+	<ClCompile>
103	+	<WarningLevel>Level3</WarningLevel>
104	+	<SDLCheck>true</SDLCheck>
105	+	<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
106	+	<ConformanceMode>true</ConformanceMode>
107	+	</ClCompile>
108	+	<Link>
109	+	<SubSystem>Console</SubSystem>
110	+	<GenerateDebugInformation>true</GenerateDebugInformation>
111	+	</Link>
112	+	</ItemDefinitionGroup>
113	+	<ItemDefinitionGroup Condition="'$(Configuration)\|$(Platform)'=='Release\|x64'">
114	+	<ClCompile>
115	+	<WarningLevel>Level3</WarningLevel>
116	+	<FunctionLevelLinking>true</FunctionLevelLinking>
117	+	<IntrinsicFunctions>true</IntrinsicFunctions>
118	+	<SDLCheck>true</SDLCheck>
119	+	<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
120	+	<ConformanceMode>true</ConformanceMode>
121	+	</ClCompile>
122	+	<Link>
123	+	<SubSystem>Console</SubSystem>
124	+	<EnableCOMDATFolding>true</EnableCOMDATFolding>
125	+	<OptimizeReferences>true</OptimizeReferences>
126	+	<GenerateDebugInformation>true</GenerateDebugInformation>
127	+	</Link>
128	+	</ItemDefinitionGroup>
129	+	<ItemGroup>
130	+	<ClCompile Include="TestApp.cpp" />
131	+	</ItemGroup>
132	+	<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
133	+	<ImportGroup Label="ExtensionTargets">
134	+	</ImportGroup>
135	+	</Project>

■ ■ ■ ■ ■ ■

TestApp/TestApp.vcxproj.filters

1	+	<?xml version="1.0" encoding="utf-8"?>
2	+	<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3	+	<ItemGroup>
4	+	<Filter Include="Source Files">
5	+	<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
6	+	<Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
7	+	</Filter>
8	+	<Filter Include="Header Files">
9	+	<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10	+	<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11	+	</Filter>
12	+	<Filter Include="Resource Files">
13	+	<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14	+	<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15	+	</Filter>
16	+	</ItemGroup>
17	+	<ItemGroup>
18	+	<ClCompile Include="TestApp.cpp">
19	+	<Filter>Source Files</Filter>
20	+	</ClCompile>
21	+	</ItemGroup>
22	+	</Project>

■ ■ ■ ■ ■ ■

TestApp/TestApp.vcxproj.user

1	+	<?xml version="1.0" encoding="utf-8"?>
2	+	<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3	+	<PropertyGroup />
4	+	</Project>

■ ■ ■ ■ ■ ■

TestDll/TestDll.vcxproj

1	+	<?xml version="1.0" encoding="utf-8"?>
2	+	<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3	+	<ItemGroup Label="ProjectConfigurations">
4	+	<ProjectConfiguration Include="Debug\|Win32">
5	+	<Configuration>Debug</Configuration>
6	+	<Platform>Win32</Platform>
7	+	</ProjectConfiguration>
8	+	<ProjectConfiguration Include="Release\|Win32">
9	+	<Configuration>Release</Configuration>
10	+	<Platform>Win32</Platform>
11	+	</ProjectConfiguration>
12	+	<ProjectConfiguration Include="Debug\|x64">
13	+	<Configuration>Debug</Configuration>
14	+	<Platform>x64</Platform>
15	+	</ProjectConfiguration>
16	+	<ProjectConfiguration Include="Release\|x64">
17	+	<Configuration>Release</Configuration>
18	+	<Platform>x64</Platform>
19	+	</ProjectConfiguration>
20	+	</ItemGroup>
21	+	<PropertyGroup Label="Globals">
22	+	<VCProjectVersion>17.0</VCProjectVersion>
23	+	<Keyword>Win32Proj</Keyword>
24	+	<ProjectGuid>{c7e93f00-ca10-460e-863f-d6fafa1abc4a}</ProjectGuid>
25	+	<RootNamespace>TestDll</RootNamespace>
26	+	<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
27	+	</PropertyGroup>
28	+	<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
29	+	<PropertyGroup Condition="'$(Configuration)\|$(Platform)'=='Debug\|Win32'" Label="Configuration">
30	+	<ConfigurationType>DynamicLibrary</ConfigurationType>
31	+	<UseDebugLibraries>true</UseDebugLibraries>
32	+	<PlatformToolset>v143</PlatformToolset>
33	+	<CharacterSet>Unicode</CharacterSet>
34	+	</PropertyGroup>
35	+	<PropertyGroup Condition="'$(Configuration)\|$(Platform)'=='Release\|Win32'" Label="Configuration">
36	+	<ConfigurationType>DynamicLibrary</ConfigurationType>
37	+	<UseDebugLibraries>false</UseDebugLibraries>
38	+	<PlatformToolset>v143</PlatformToolset>
39	+	<WholeProgramOptimization>true</WholeProgramOptimization>
40	+	<CharacterSet>Unicode</CharacterSet>
41	+	</PropertyGroup>
42	+	<PropertyGroup Condition="'$(Configuration)\|$(Platform)'=='Debug\|x64'" Label="Configuration">
43	+	<ConfigurationType>DynamicLibrary</ConfigurationType>
44	+	<UseDebugLibraries>true</UseDebugLibraries>
45	+	<PlatformToolset>v143</PlatformToolset>
46	+	<CharacterSet>Unicode</CharacterSet>
47	+	</PropertyGroup>
48	+	<PropertyGroup Condition="'$(Configuration)\|$(Platform)'=='Release\|x64'" Label="Configuration">
49	+	<ConfigurationType>DynamicLibrary</ConfigurationType>
50	+	<UseDebugLibraries>false</UseDebugLibraries>
51	+	<PlatformToolset>v143</PlatformToolset>
52	+	<WholeProgramOptimization>true</WholeProgramOptimization>
53	+	<CharacterSet>Unicode</CharacterSet>
54	+	</PropertyGroup>
55	+	<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
56	+	<ImportGroup Label="ExtensionSettings">
57	+	</ImportGroup>
58	+	<ImportGroup Label="Shared">
59	+	</ImportGroup>
60	+	<ImportGroup Label="PropertySheets" Condition="'$(Configuration)\|$(Platform)'=='Debug\|Win32'">
61	+	<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
62	+	</ImportGroup>
63	+	<ImportGroup Label="PropertySheets" Condition="'$(Configuration)\|$(Platform)'=='Release\|Win32'">
64	+	<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
65	+	</ImportGroup>
66	+	<ImportGroup Label="PropertySheets" Condition="'$(Configuration)\|$(Platform)'=='Debug\|x64'">
67	+	<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
68	+	</ImportGroup>
69	+	<ImportGroup Label="PropertySheets" Condition="'$(Configuration)\|$(Platform)'=='Release\|x64'">
70	+	<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
71	+	</ImportGroup>
72	+	<PropertyGroup Label="UserMacros" />
73	+	<ItemDefinitionGroup Condition="'$(Configuration)\|$(Platform)'=='Debug\|Win32'">
74	+	<ClCompile>
75	+	<WarningLevel>Level3</WarningLevel>
76	+	<SDLCheck>true</SDLCheck>
77	+	<PreprocessorDefinitions>WIN32;_DEBUG;TESTDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
78	+	<ConformanceMode>true</ConformanceMode>
79	+	<PrecompiledHeader>Use</PrecompiledHeader>
80	+	<PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
81	+	</ClCompile>
82	+	<Link>
83	+	<SubSystem>Windows</SubSystem>
84	+	<GenerateDebugInformation>true</GenerateDebugInformation>
85	+	<EnableUAC>false</EnableUAC>
86	+	</Link>
87	+	</ItemDefinitionGroup>
88	+	<ItemDefinitionGroup Condition="'$(Configuration)\|$(Platform)'=='Release\|Win32'">
89	+	<ClCompile>
90	+	<WarningLevel>Level3</WarningLevel>
91	+	<FunctionLevelLinking>true</FunctionLevelLinking>
92	+	<IntrinsicFunctions>true</IntrinsicFunctions>
93	+	<SDLCheck>true</SDLCheck>
94	+	<PreprocessorDefinitions>WIN32;NDEBUG;TESTDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
95	+	<ConformanceMode>true</ConformanceMode>
96	+	<PrecompiledHeader>Use</PrecompiledHeader>
97	+	<PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
98	+	</ClCompile>
99	+	<Link>
100	+	<SubSystem>Windows</SubSystem>
101	+	<EnableCOMDATFolding>true</EnableCOMDATFolding>
102	+	<OptimizeReferences>true</OptimizeReferences>
103	+	<GenerateDebugInformation>true</GenerateDebugInformation>
104	+	<EnableUAC>false</EnableUAC>
105	+	</Link>
106	+	</ItemDefinitionGroup>
107	+	<ItemDefinitionGroup Condition="'$(Configuration)\|$(Platform)'=='Debug\|x64'">
108	+	<ClCompile>
109	+	<WarningLevel>Level3</WarningLevel>
110	+	<SDLCheck>true</SDLCheck>
111	+	<PreprocessorDefinitions>_DEBUG;TESTDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
112	+	<ConformanceMode>true</ConformanceMode>
113	+	<PrecompiledHeader>NotUsing</PrecompiledHeader>
114	+	<PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
115	+	</ClCompile>
116	+	<Link>
117	+	<SubSystem>Windows</SubSystem>
118	+	<GenerateDebugInformation>true</GenerateDebugInformation>
119	+	<EnableUAC>false</EnableUAC>
120	+	</Link>
121	+	</ItemDefinitionGroup>
122	+	<ItemDefinitionGroup Condition="'$(Configuration)\|$(Platform)'=='Release\|x64'">
123	+	<ClCompile>
124	+	<WarningLevel>Level3</WarningLevel>
125	+	<FunctionLevelLinking>true</FunctionLevelLinking>
126	+	<IntrinsicFunctions>true</IntrinsicFunctions>
127	+	<SDLCheck>true</SDLCheck>
128	+	<PreprocessorDefinitions>NDEBUG;TESTDLL_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
129	+	<ConformanceMode>true</ConformanceMode>
130	+	<PrecompiledHeader>NotUsing</PrecompiledHeader>
131	+	<PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
132	+	</ClCompile>
133	+	<Link>
134	+	<SubSystem>Windows</SubSystem>
135	+	<EnableCOMDATFolding>true</EnableCOMDATFolding>
136	+	<OptimizeReferences>true</OptimizeReferences>
137	+	<GenerateDebugInformation>true</GenerateDebugInformation>
138	+	<EnableUAC>false</EnableUAC>
139	+	</Link>
140	+	</ItemDefinitionGroup>
141	+	<ItemGroup>
142	+	<ClCompile Include="dllmain.cpp" />
143	+	</ItemGroup>
144	+	<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
145	+	<ImportGroup Label="ExtensionTargets">
146	+	</ImportGroup>
147	+	</Project>

■ ■ ■ ■ ■ ■

TestDll/TestDll.vcxproj.filters

1	+	<?xml version="1.0" encoding="utf-8"?>
2	+	<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3	+	<ItemGroup>
4	+	<Filter Include="Source Files">
5	+	<UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
6	+	<Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
7	+	</Filter>
8	+	<Filter Include="Header Files">
9	+	<UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10	+	<Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11	+	</Filter>
12	+	<Filter Include="Resource Files">
13	+	<UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14	+	<Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15	+	</Filter>
16	+	</ItemGroup>
17	+	<ItemGroup>
18	+	<ClCompile Include="dllmain.cpp">
19	+	<Filter>Source Files</Filter>
20	+	</ClCompile>
21	+	</ItemGroup>
22	+	</Project>

■ ■ ■ ■ ■ ■

TestDll/TestDll.vcxproj.user

1	+	<?xml version="1.0" encoding="utf-8"?>
2	+	<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
3	+	<PropertyGroup />
4	+	</Project>

■ ■ ■ ■ ■ ■

TestDll/dllmain.cpp

1	+	#include <iostream>
2	+	#include <Windows.h>
3	+
4	+
5	+	void MainFunc() {
6	+	std::printf("Hello from DLL\n");
7	+	}
8	+
9	+
10	+	BOOL APIENTRY DllMain(HMODULE hModule,
11	+	DWORD ul_reason_for_call,
12	+	LPVOID lpReserved
13	+	) {
14	+	switch (ul_reason_for_call) {
15	+	case DLL_PROCESS_ATTACH:
16	+	CreateThread(0, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(MainFunc), 0, 0, 0);
17	+	case DLL_THREAD_ATTACH:
18	+	case DLL_THREAD_DETACH:
19	+	case DLL_PROCESS_DETACH:
20	+	break;
21	+	}
22	+	return TRUE;
23	+	}
24	+
25	+

x64/Release/Injector.exe

Binary file.

x64/Release/Injector.pdb

Binary file.

x64/Release/TestApp.exe

Binary file.

x64/Release/TestApp.pdb

Binary file.

x64/Release/TestDll.dll

Binary file.

x64/Release/TestDll.pdb

Binary file.

commit