#include <windows.h>
#include <stdio.h>

#define MakePtr(Type, Base, Offset) ((Type)(DWORD(Base) + (DWORD)(Offset)))

typedef HINSTANCE (WINAPI *mytype_LoadLibraryA)(LPCTSTR);
typedef BOOL (WINAPI *mytype_FreeLibrary)(HMODULE);
typedef FARPROC (WINAPI *mytype_GetProcAddress)(HMODULE, LPCSTR);
typedef LONG KPRIORITY;

typedef struct _CLIENT_ID {
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID;
typedef CLIENT_ID *PCLIENT_ID;

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
#ifdef MIDL_PASS
    [size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
#else // MIDL_PASS
    PWSTR  Buffer;
#endif // MIDL_PASS
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;

typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;
    ULONG NumberOfThreads;
    LARGE_INTEGER SpareLi1;
    LARGE_INTEGER SpareLi2;
    LARGE_INTEGER SpareLi3;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ImageName;
    KPRIORITY BasePriority;
    HANDLE UniqueProcessId;
    HANDLE InheritedFromUniqueProcessId;
    ULONG HandleCount;
    ULONG SpareUl2;
    ULONG SpareUl3;
    ULONG PeakVirtualSize;
    ULONG VirtualSize;
    ULONG PageFaultCount;
    ULONG PeakWorkingSetSize;
    ULONG WorkingSetSize;
    ULONG QuotaPeakPagedPoolUsage;
    ULONG QuotaPagedPoolUsage;
    ULONG QuotaPeakNonPagedPoolUsage;
    ULONG QuotaNonPagedPoolUsage;
    ULONG PagefileUsage;
    ULONG PeakPagefileUsage;
    ULONG PrivatePageCount;
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

typedef struct _SYSTEM_THREAD_INFORMATION {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientId;
    KPRIORITY Priority;
    LONG BasePriority;
    ULONG ContextSwitches;
    ULONG ThreadState;
    ULONG WaitReason;
} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;

extern "C"
{
NTSYSAPI
NTAPI
NtQuerySystemInformation (
	DWORD i,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
    );
} 


typedef struct _addr_data
{
	LPVOID load_library;
	LPVOID get_address;
	char  lib_name[256];
	char lib_function[256];
} addr_data, *paddr_data;

LPVOID data_pointer;
LPVOID data_pointer1;

mytype_LoadLibraryA my_LoadLibraryA;		//address for LoadLibraryA
mytype_GetProcAddress my_GetProcAddress;	//address for GetProcAddress


DWORD GetProcessIdByName(char * procname)
{
	DWORD id;
	BOOL bo;
	ULONG l,size,shift,interval,k;
	BYTE * buffer;
	SYSTEM_PROCESS_INFORMATION proc;
	char name[256];

	id=0;
	l=0;
	size=20000;
	while(size<=1000000)
	{
		buffer=(BYTE *)malloc(size);
		memset(buffer,0x00,size);
		bo=NtQuerySystemInformation(5,buffer,size,&l);
		if(bo==0) break;
		free(buffer);
		size=size+20000;
	}
	if(l==0)
	{
		printf("Can't get process information\n");
		return 0;
	}
	shift=0;
	interval=1;
	while(shift<l && interval!=0)
	{
		memset(&proc,0x00,sizeof(SYSTEM_PROCESS_INFORMATION));
		memmove(&proc,buffer+shift,sizeof(SYSTEM_PROCESS_INFORMATION));
		memset(name,0x00,256);
		k=WideCharToMultiByte(CP_ACP,0,proc.ImageName.Buffer,(-1),name,256,NULL,NULL);

		if(strcmp(_strupr(name),_strupr(procname))==0)
		{
			id=(DWORD)proc.UniqueProcessId;
			break;
		}

		interval=*(DWORD *)(buffer+shift);
		shift=interval+shift;
	}

	free(buffer);
	return id;
}

int GetProcessThreads(DWORD proc_id, DWORD * th, DWORD * number)
{
	DWORD id;
	BOOL bo;
	ULONG l,size,shift,interval,n;
	BYTE * buffer;
	SYSTEM_PROCESS_INFORMATION proc;
	SYSTEM_THREAD_INFORMATION thread;
	char * p;

	id=0;
	l=0;
	size=20000;
	while(size<=1000000)
	{
		buffer=(BYTE *)malloc(size);
		memset(buffer,0x00,size);
		bo=NtQuerySystemInformation(5,buffer,size,&l);
		if(bo==0) break;
		free(buffer);
		size=size+20000;
	}
	if(l==0)
	{
		printf("Can't get process information\n");
		return 0;
	}
	shift=0;
	interval=1;
	while(shift<l && interval!=0)
	{
		memset(&proc,0x00,sizeof(SYSTEM_PROCESS_INFORMATION));
		memmove(&proc,buffer+shift,sizeof(SYSTEM_PROCESS_INFORMATION));
		if((DWORD)proc.UniqueProcessId==proc_id)
		{
		if(*number<proc.NumberOfThreads)
		{
			return 0;
		} else
		{
		for(n=0;n<proc.NumberOfThreads;n++)
		{
			memset(&thread,0x00,sizeof(SYSTEM_THREAD_INFORMATION));
			p=(char *)(buffer+shift+sizeof(SYSTEM_PROCESS_INFORMATION)+n*sizeof(SYSTEM_THREAD_INFORMATION));
			memmove(&thread,p,sizeof(SYSTEM_THREAD_INFORMATION));
			*((DWORD *)th+n)=(DWORD)thread.ClientId.UniqueThread;
		}//for
		}//else
		}//if
		interval=*(DWORD *)(buffer+shift);
		shift=interval+shift;
	}
	*number=n;
	free(buffer);
	return 1;
}


static void WINAPI my_function(void * address)
{
HINSTANCE hmod;
FARPROC address1;
paddr_data my_addr_data;
mytype_LoadLibraryA my1_LoadLibraryA;
mytype_GetProcAddress my1_GetProcAddress;

my_addr_data=(paddr_data)address;

my1_LoadLibraryA=(mytype_LoadLibraryA)(my_addr_data->load_library);
hmod=my1_LoadLibraryA(my_addr_data->lib_name);
if(hmod!=0)
{
	my1_GetProcAddress=(mytype_GetProcAddress)my_addr_data->get_address;
	address1=my1_GetProcAddress(hmod,my_addr_data->lib_function);
	if(address1!=0)
	{
		address1();
	}
}
}

static void WINAPI my_function_end(void * address)
{
}

int main()
{
HANDLE hmod,handle;
HINSTANCE hint;
addr_data my_data;
ULONG l;
LPVOID pointer;
PVOID intruderaddress;
BOOL bo;
DWORD threadlength,id;

hint=LoadLibrary("kernel32.dll");
l=GetLastError();

memset(my_data.lib_name,0x00,256);
memset(my_data.lib_function,0x00,256);

my_data.load_library=GetProcAddress(hint,"LoadLibraryA");
my_data.get_address=GetProcAddress(hint,"GetProcAddress");

strncpy(my_data.lib_name,"zzz.dll",256);
strncpy(my_data.lib_function,"zzzInit",256);

id=GetProcessIdByName("explorer.exe");

handle=OpenProcess(PROCESS_ALL_ACCESS,FALSE,id);
if(handle==NULL)
{
	printf("Can't open process id=%d\n",id);
	return 1;
}

threadlength=(PBYTE)&my_function_end-(PBYTE)&my_function;
pointer=VirtualAllocEx(handle,0,threadlength,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
if(pointer==NULL)
{
	printf("Can't allocate memory for thread in process space\n");
	return 1;
}

data_pointer=VirtualAllocEx(handle,0,sizeof(addr_data),MEM_COMMIT,PAGE_EXECUTE_READWRITE);
if(pointer==NULL)
{
	printf("Can't allocate memory for thread data in process space\n");
	return 1;
}

intruderaddress=&my_function;
bo=WriteProcessMemory(handle, pointer,intruderaddress,threadlength,&l);
if(bo==NULL)
{
	printf("Can't write thread in process space\n");
	return 1;
}

bo=WriteProcessMemory(handle, data_pointer,&my_data,sizeof(addr_data),&l);
if(bo==NULL)
{
	printf("Can't write thread data in process space\n");
	return 1;
}

hmod=CreateRemoteThread(handle, NULL, threadlength, (unsigned long (__stdcall *)(void *))pointer, data_pointer, 0, &l);
l=GetLastError();

return 1;

}