#include <windows.h>
#include <tlhelp32.h>
#include <cerrno>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <stdio.h>
// Looks up the load address of `moduleName` inside process `pid` via a
// Toolhelp module snapshot. The name comparison is case-insensitive and is
// made against the module file name (szModule), not the full path.
// Returns the module base, or 0 when the snapshot cannot be taken or no
// module matches. The snapshot handle is closed on every path.
uintptr_t GetRemoteModuleBase(DWORD pid, const char* moduleName) {
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid);
    if (snap == INVALID_HANDLE_VALUE) {
        return 0;
    }

    uintptr_t base = 0;
    MODULEENTRY32 entry;
    entry.dwSize = sizeof(entry);  // Toolhelp rejects the call if dwSize is not set

    for (BOOL ok = Module32First(snap, &entry); ok; ok = Module32Next(snap, &entry)) {
        if (_stricmp(entry.szModule, moduleName) == 0) {
            base = (uintptr_t)entry.modBaseAddr;
            break;
        }
    }

    CloseHandle(snap);
    return base;
}
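// Parses a decimal process id from `text` into `*out`.
// Returns 1 on success, 0 if the text is empty, has a sign or other
// non-digit characters, overflows unsigned long, or is zero. strtoul is used
// instead of atoi so that malformed input is reported rather than silently
// read as 0.
static int parse_pid(const char* text, DWORD* out) {
    // strtoul would happily accept "-5" (wrapping to a huge value) and leading
    // whitespace, so insist on a digit in the first position.
    if (text[0] < '0' || text[0] > '9') {
        return 0;
    }
    char* end = NULL;
    errno = 0;
    unsigned long value = strtoul(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE || value == 0) {
        return 0;
    }
    *out = (DWORD)value;
    return 1;
}

// Copies `dll_path` (including its NUL terminator) into the target process,
// runs LoadLibraryA on it from a remote thread, and reports the thread's exit
// code. `hProcess` is owned by the caller; every handle and remote allocation
// made here is released before returning. Returns 0 once the remote thread has
// finished, 1 if any step fails before that.
static int inject_dll(HANDLE hProcess, DWORD pid, const char* dll_path) {
    // Every local is declared and initialised before the first goto so that no
    // jump crosses an initialisation (ill-formed in C++).
    int rc = 1;
    LPVOID allocated_mem = NULL;
    HANDLE hThread = NULL;
    HMODULE hKernel32 = NULL;
    uintptr_t localFunc = 0;
    uintptr_t remoteBase = 0;
    LPVOID loadLibraryAddr = NULL;
    DWORD exitCode = 0;
    size_t path_len = strlen(dll_path) + 1;  // +1 keeps the terminator

    allocated_mem = VirtualAllocEx(hProcess, NULL, path_len,
                                   MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!allocated_mem) {
        printf("VirtualAllocEx failed: %lu\n", GetLastError());
        goto cleanup;
    }
    if (!WriteProcessMemory(hProcess, allocated_mem, dll_path, path_len, NULL)) {
        printf("WriteProcessMemory failed: %lu\n", GetLastError());
        goto cleanup;
    }

    // Resolve LoadLibraryA safely (ASLR): take the export's offset from the
    // local kernel32 and add it to the base kernel32 has in the target.
    hKernel32 = GetModuleHandleA("kernel32.dll");
    localFunc = hKernel32 ? (uintptr_t)GetProcAddress(hKernel32, "LoadLibraryA") : 0;
    if (!localFunc) {
        printf("Failed to resolve local LoadLibraryA: %lu\n", GetLastError());
        goto cleanup;
    }
    remoteBase = GetRemoteModuleBase(pid, "kernel32.dll");
    if (!remoteBase) {
        printf("Failed to find remote kernel32\n");
        goto cleanup;
    }
    loadLibraryAddr = (LPVOID)(remoteBase + (localFunc - (uintptr_t)hKernel32));

    hThread = CreateRemoteThread(hProcess, NULL, 0,
                                 (LPTHREAD_START_ROUTINE)loadLibraryAddr,
                                 allocated_mem, 0, NULL);
    if (!hThread) {
        printf("CreateRemoteThread failed: %lu\n", GetLastError());
        goto cleanup;
    }

    WaitForSingleObject(hThread, INFINITE);
    if (!GetExitCodeThread(hThread, &exitCode)) {
        printf("GetExitCodeThread failed: %lu\n", GetLastError());
        goto cleanup;
    }
    // The thread exit code is a DWORD, so on a 64-bit target this holds only
    // the low 32 bits of the HMODULE LoadLibraryA returned; 0 still means the
    // load failed.
    printf("LoadLibraryA returned: 0x%lx\n", exitCode);
    if (exitCode == 0) {
        printf("DLL failed to load.\n");
    } else {
        printf("DLL successfully loaded!\n");
    }
    rc = 0;

cleanup:
    if (hThread) {
        CloseHandle(hThread);
    }
    // The path buffer is only released here, after the remote thread has
    // either finished or never been created, so nothing can still read it.
    if (allocated_mem) {
        VirtualFreeEx(hProcess, allocated_mem, 0, MEM_RELEASE);
    }
    return rc;
}

// Entry point. Modes:
//   <prog> --help                    print usage, exit 0
//   <prog> gui                       launch the bundled GUI, exit 0
//   <prog> <full-path-to-dll> <PID>  load the DLL into process PID
// Exits 1 on missing/invalid arguments or when a step of the load fails.
int main(int argc, char** argv) {
    if (argc < 2) {
        printf("usage: %s <full-path-to-dll> <PID>\n", argv[0]);
        return 1;
    }
    if (strcmp(argv[1], "--help") == 0) {
        printf("USAGES:\n");
        printf("%s <full-path-to-dll> <PID>\n", argv[0]);
        printf("%s gui\n", argv[0]);
        return 0;
    }
    if (strcmp(argv[1], "gui") == 0) {
        // NOTE(review): system() hands this relative path to the command
        // interpreter, which resolves it against the current working
        // directory, so it only finds the GUI when run from the project root.
        system("GUI\\dist\\main.exe");
        return 0;
    }
    // The inject mode needs both arguments; argv[argc] is NULL, so reading
    // argv[2] with argc == 2 would dereference NULL in atoi/strtoul.
    if (argc < 3) {
        printf("usage: %s <full-path-to-dll> <PID>\n", argv[0]);
        return 1;
    }

    const char* dll_path = argv[1];
    DWORD PID = 0;
    if (!parse_pid(argv[2], &PID)) {
        printf("Invalid PID: %s\n", argv[2]);
        return 1;
    }

    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
    if (!hProcess) {
        printf("OpenProcess failed: %lu\n", GetLastError());
        return 1;
    }
    int rc = inject_dll(hProcess, PID, dll_path);
    CloseHandle(hProcess);  // closed on every path, including failures inside inject_dll
    return rc;
}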