/*
 * remote.h - declarations for the remote-process helper library:
 * dynamically resolved system entry points, the stub used for remote
 * execution, and remote window subclassing.
 */
#ifndef __REMOTE_H__
/* NOTE(review): identifiers that begin with a double underscore are reserved
 * for the implementation; a guard such as REMOTE_H would avoid the clash.
 * Left unchanged here in case other files test this macro. */
#define __REMOTE_H__
#if _MSC_VER > 1000
#pragma once
#endif
#include <windows.h>
#include <tlhelp32.h>
#include "struct.h"
/* DLL_IMP_EXP: dllexport while building the library (DLL_EXPORT defined),
 * dllimport for consumers of the header. */
#ifdef DLL_EXPORT
#define DLL_IMP_EXP __declspec(dllexport)
#else
#define DLL_IMP_EXP __declspec(dllimport)
#endif
#ifdef __cplusplus
extern "C" {
#endif
/* Export ordinals used to resolve unnamed Kernel32 entry points by ordinal.
 * NOTE(review): ordinals are specific to one Kernel32 build; these presumably
 * match the Windows 9x Kernel32 this code targets (see CREATE_SILENT below).
 * Resolving by ordinal on any other build yields an unrelated function, so
 * the loader should verify the OS version before using them. */
// Ordinal of Kernel32.IsThreadId()
#define ISTHREADID_ORDINAL 0x47 // 71
// Ordinal of Kernel32.GetpWin16Lock()
#define GETPWIN16LOCK_ORDINAL 0x5D // 93
// Ordinal of Kernel32.EnterSysLevel()
#define ENTERSYSLEVEL_ORDINAL 0x61 // 97
// Ordinal of Kernel32.LeaveSysLevel()
#define LEAVESYSLEVEL_ORDINAL 0x62 // 98
// System functions loaded dynamically
//
// Function-pointer types for entry points that are resolved at run time
// (GetProcAddress-style) rather than linked, so the library can run on
// systems where some of them are missing.
// NOTE(review): NTSTATUS, PROCESSINFOCLASS, THREADINFOCLASS,
// POBJECT_ATTRIBUTES and PCLIENT_ID are not declared by <windows.h>;
// presumably "struct.h" supplies them — confirm.
// NOTE(review): sizes are DWORD rather than SIZE_T throughout, so these
// signatures assume a 32-bit build (consistent with the x86 stub below).
typedef ULONG (WINAPI *RTLNTSTATUSTODOSERROR)(NTSTATUS);
typedef NTSTATUS (WINAPI *NTALLOCATEVIRTUALMEMORY)(HANDLE, PVOID*, ULONG, ULONG*, ULONG, ULONG);
typedef NTSTATUS (WINAPI *NTFREEVIRTUALMEMORY)(HANDLE, PVOID*, ULONG*, ULONG);
typedef NTSTATUS (WINAPI *NTOPENTHREAD)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PCLIENT_ID);
typedef NTSTATUS (WINAPI *NTQUERYINFORMATIONPROCESS)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
typedef NTSTATUS (WINAPI *NTQUERYINFORMATIONTHREAD)(HANDLE,THREADINFOCLASS,PVOID,ULONG,PULONG);
// NOTE(review): declared with NTAPI/LONG while its siblings use
// WINAPI/NTSTATUS; the two spellings are equivalent on 32-bit x86.
typedef LONG (NTAPI *NTQUERYSYSTEMINFORMATION)(UINT, PVOID, ULONG, PULONG);
typedef HANDLE (WINAPI *CREATETOOLHELP32SNAPSHOT)(DWORD, DWORD);
typedef BOOL (WINAPI *THREAD32FIRST)(HANDLE, LPTHREADENTRY32);
typedef BOOL (WINAPI *THREAD32NEXT)(HANDLE, LPTHREADENTRY32);
typedef HANDLE (WINAPI *OPENTHREAD)(DWORD, BOOL, DWORD);
typedef DWORD (WINAPI *GETPROCESSID)(HANDLE);
typedef DWORD (WINAPI *GETTHREADID)(HANDLE);
typedef LPVOID (WINAPI *VIRTUALALLOCEX)(HANDLE, LPVOID, DWORD, DWORD, DWORD);
typedef BOOL (WINAPI *VIRTUALFREEEX)(HANDLE, LPVOID, DWORD, DWORD);
typedef HANDLE (WINAPI *CREATEREMOTETHREAD)(HANDLE, LPSECURITY_ATTRIBUTES, DWORD, LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD);
// Entry points resolved by the *_ORDINAL values above (no exported name).
typedef BOOL (WINAPI *ISTHREADID)(DWORD);
typedef VOID (WINAPI *GETPWIN16LOCK)(DWORD *pWin16Lock);
typedef VOID (WINAPI *ENTERSYSLEVEL)(DWORD lock);
typedef VOID (WINAPI *LEAVESYSLEVEL)(DWORD lock);
// Internal Kernel32 functions
// NOTE(review): these take a raw PVOID where the public API takes a HANDLE;
// the exact meaning of that first argument is not documented here — confirm
// against the caller before changing it.
typedef PVOID (WINAPI *INTERNALCREATEREMOTETHREAD)(PVOID, DWORD, LPTHREAD_START_ROUTINE, LPVOID, DWORD);
typedef HANDLE (WINAPI *INTERNALOPENTHREAD)(DWORD, BOOL, DWORD);
// User32 entry points stored in RDATA for the remote window procedure.
typedef LONG (WINAPI *SETWINDOWLONG)(HWND, int, LONG);
typedef LRESULT (WINAPI *CALLWINDOWPROC)(WNDPROC, HWND, UINT, WPARAM, LPARAM);
// Pointer to internal data structures
// (must be casted depending on Windows version)
// These are deliberately opaque: the layouts of the thread information
// block, process database and thread database differ per OS version, so the
// caller casts to the matching version-specific structure.
typedef PVOID PTIB;
typedef PVOID PPDB;
typedef PVOID PTDB;
// Highest bit of dwCreationFlags; it does not overlap any documented
// CREATE_* flag value, which is why it can ride along in the same argument.
#define CREATE_SILENT 0x80000000 // dwCreationFlags bit for CreateRemoteThread()
// (Signals that Win9x process not initialized)
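// Stub code for ContextRemoteExecute()
//
// Raw x86 machine-code image that is written into the target process.  The
// field order and the 1-byte packing are part of the encoding and must not
// change (expected size: 12 bytes).
// NOTE(review): opcode 0xE8 takes a rel32 displacement measured from the end
// of the call instruction, not an absolute address, so CallAddr must be
// computed relative to where the stub is placed in the target — confirm the
// writer in ContextRemoteExecute() does so.
#pragma pack(push, 1) // push/pop restores the caller's packing instead of resetting it to the default
typedef struct {
    BYTE Push;      // 0x68 (push addr)
    DWORD PushAddr; // addr
    BYTE Call;      // 0xE8 (call addr)
    DWORD CallAddr; // addr
    BYTE Jump[2];   // 0xEB,0xFE (jmp $ = loop forever)
} STUBCODE;
#pragma pack(pop)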
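/*** Remote subclassing ***/
// Forward declaration so the user handler type can name the structure before
// its definition below (the original referenced PRDATA before it existed).
struct _RDATA;
// User window handler
typedef LRESULT (WINAPI *USERWNDPROC)(struct _RDATA *, HWND, UINT, WPARAM, LPARAM);
// Remote data structure
//
// NOTE(review): presumably copied into the target process with DUMMY_ADDR
// patched to its real address there, which would make every pfn* member a
// target-process address — confirm against StartRemoteSubclass().
typedef struct _RDATA {
    int Size;                         // Size of structure
    HANDLE hProcess;                  // Process handle
    HWND hWnd;                        // Window handle
    // Self pointer.  The tag is _RDATA; the original `struct RDATA *` named
    // an unrelated incomplete type (and clashes with the RDATA typedef in C++).
    struct _RDATA *pRDATA;            // Pointer to RDATA structure
    WNDPROC pfnNewWndProc;            // Address of new window handler
    WNDPROC pfnOldWndProc;            // Address of old window handler
    USERWNDPROC pfnUserWndProc;       // Address of user's new window procedure handler
    LRESULT Result;                   // Result from user's new window procedure handler
    SETWINDOWLONG pfnSetWindowLong;   // Address of SetWindowLong()
    CALLWINDOWPROC pfnCallWindowProc; // Address of CallWindowProc()
} RDATA, *PRDATA;
#define DUMMY_ADDR 0x12345678 // Dummy addr of RDATA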
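// Functions declaration
//
// Zero-parameter prototypes use (void): in C an empty parameter list means
// "unspecified arguments" and disables argument checking at call sites.
// NOTE(review): names of the form _Capital are reserved for the implementation;
// the _VirtualAllocEx-style names are kept because they are exported symbols.

/** Returns the thread information block of the calling thread; cast per OS version. */
PTIB DLL_IMP_EXP GetTIB(void);
/** Returns the thread database for thread TID; cast per OS version. */
PTDB DLL_IMP_EXP GetTDB(DWORD TID);
/** Returns the process database for process PID; cast per OS version. */
PPDB DLL_IMP_EXP GetPDB(DWORD PID);
/** NOTE(review): presumably the Win9x handle obfuscator value; the difference
 *  between the two variants is not documented here — confirm in remote.c. */
DWORD DLL_IMP_EXP GetObsfucator(void);
DWORD DLL_IMP_EXP GetObsfucator2(void);
/* Replacements with the same parameter meaning as the Win32 API of the same
 * name (minus the leading underscore); presumably used where the Kernel32
 * export is unavailable — confirm. */
LPVOID DLL_IMP_EXP _VirtualAllocEx(HANDLE hProcess, LPVOID lpAddress, DWORD dwSize, DWORD flAllocationType, DWORD flProtect);
BOOL DLL_IMP_EXP _VirtualFreeEx(HANDLE hProcess, LPVOID lpAddress, DWORD dwSize, DWORD dwFreeType);
HANDLE DLL_IMP_EXP _OpenThread(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwThreadId);
DWORD DLL_IMP_EXP _GetProcessId(HANDLE hProcess);
DWORD DLL_IMP_EXP _GetProcessId2(HANDLE hProcess);
DWORD DLL_IMP_EXP _GetThreadId(HANDLE hThread);
/** Same parameters as CreateRemoteThread(); dwCreationFlags may also carry
 *  CREATE_SILENT (see above). */
HANDLE DLL_IMP_EXP _CreateRemoteThread(HANDLE hProcess,
                                       LPSECURITY_ATTRIBUTES lpThreadAttributes,
                                       DWORD dwStackSize,
                                       LPTHREAD_START_ROUTINE lpStartAddress,
                                       LPVOID lpParameter,
                                       DWORD dwCreationFlags,
                                       LPDWORD lpThreadId);
/**
 * Run Function inside hProcess with the Size-byte parameter block at pParams.
 * The int result convention (0 on success?) is not documented in this header —
 * check the definition before testing the return value.
 */
int DLL_IMP_EXP RemoteExecute(HANDLE hProcess, LPTHREAD_START_ROUTINE Function, PVOID pParams, DWORD Size);
/** Variant of RemoteExecute() that uses the STUBCODE stub; same parameters and result convention. */
int DLL_IMP_EXP ContextRemoteExecute(HANDLE hProcess, LPTHREAD_START_ROUTINE Function, PVOID pParams, DWORD Size);
/** Install WndProc as the handler for rd->hWnd in rd->hProcess, using rd as the shared state. */
int DLL_IMP_EXP StartRemoteSubclass(PRDATA rd, USERWNDPROC WndProc);
/** Undo StartRemoteSubclass() for the same rd. */
int DLL_IMP_EXP StopRemoteSubclass(PRDATA rd);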
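/***************************
* Exported functions type *
***************************/
// Function-pointer types matching the exports declared above, for callers
// that resolve them at run time.  DLL_IMP_EXP was dropped from these
// typedefs: a dllimport/dllexport attribute has no meaning on a type and
// only produces compiler warnings.  Zero-parameter types use (void) for the
// same reason as the prototypes above.
// NOTE(review): GetObsfucator2(), _GetProcessId2() and ContextRemoteExecute()
// have no corresponding typedef here.
typedef PTIB (* GETTIB)(void);
typedef PTDB (* GETTDB)(DWORD);
typedef PPDB (* GETPDB)(DWORD);
typedef DWORD (* GETOBSFUCATOR)(void);
typedef LPVOID (* _VIRTUALALLOCEX)(HANDLE, LPVOID, DWORD, DWORD, DWORD);
typedef BOOL (* _VIRTUALFREEEX)(HANDLE, LPVOID, DWORD, DWORD);
typedef HANDLE (* _OPENTHREAD)(DWORD, BOOL, DWORD);
typedef DWORD (* _GETPROCESSID)(HANDLE);
typedef DWORD (* _GETTHREADID)(HANDLE);
typedef HANDLE (* _CREATEREMOTETHREAD)(HANDLE, LPSECURITY_ATTRIBUTES, DWORD, LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD);
typedef int (* REMOTEEXECUTE)(HANDLE, LPTHREAD_START_ROUTINE, PVOID, DWORD);
typedef int (* STARTREMOTESUBCLASS)(PRDATA, USERWNDPROC);
typedef int (* STOPREMOTESUBCLASS)(PRDATA);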
#ifdef __cplusplus
}
#endif
#endif