/*
 * $Id: //devel/tools/main/backstealth/injdata.h#1 $
 *
 * written by: Stephen J. Friedl
 *             Software Consultant
 *             Tustin, California USA
 *             steve@unixwiz.net
 *
 * INJECTION DATA STRUCTURE
 *
 * This is the header that we place at the start of the virtual
 * memory chunk allocated in the remote process, and it's used by
 * the trampoline function to do its thing. This can't contain any
 * real pointers (save for the function entry points to the DLL),
 * as the memory location of this data structure in *this* program
 * will be different than in the remote.
 *
 * Because of that constraint every string below is an inline,
 * fixed-size array rather than a pointer. Nothing in this header
 * enforces those sizes: the code that fills the struct (not shown
 * here) has to bound each copy and leave room for the terminating
 * NUL, and the trampoline has to be able to rely on that.
 *
 * NOTE(review): DWORD, HMODULE, FARPROC, TCHAR, WINAPI etc. are used
 * without any #include, so this header presumably expects
 * <windows.h> to have been included first -- confirm.
 *
 * NOTE(review): for anyone analysing a process this was used on,
 * the description above implies two artefacts: a memory region that
 * begins with this struct, and a load of the module named in
 * "dllpath" that the process did not request itself.
 */

struct injection_data {

	/*----------------------------------------------------------------
	 * The trampoline function has no real way to report errors, so
	 * we allocate this struct member to hold the line number of any
	 * error conditions on the hope that it makes debugging a bit
	 * easier.
	 */
	DWORD	dwErrLine;

	/*----------------------------------------------------------------
	 * Each of these function pointers references KERNEL32.DLL,
	 * and we blindly assume that the remote process has not only
	 * loaded this DLL (always true) but has done so at the same addr
	 * that we have. For KERNEL32 this is probably a safe choice.
	 *
	 * We decided to make each of these functions typed so that we
	 * got the benefit of prototype checking in the trampoline
	 * function. It's a little more work in the GetProcAddress()
	 * department but much easier later.
	 *
	 * NOTE(review): the same-address assumption is not verified by
	 * anything in this header; if it does not hold, the trampoline
	 * calls through an address that is meaningless in the remote
	 * process. Confirm whether the filling code checks it.
	 *
	 * NOTE(review): fpLoadLibrary takes LPCTSTR and "dllpath" is
	 * TCHAR, so the pointer stored here has to be the LoadLibraryA
	 * or LoadLibraryW export matching how this header is compiled --
	 * verify against the code that resolves it.
	 */
	HMODULE (WINAPI *fpLoadLibrary)(LPCTSTR);
	FARPROC (WINAPI *fpGetProcAddress)(HMODULE, LPCSTR);
	BOOL    (WINAPI *fpFreeLibrary)(HMODULE);

	/*----------------------------------------------------------------
	 * The "dllpath" is the full path of the "backdll.dll" that we
	 * wish to load into the remote address space. It has to be
	 * either the full path, or it must be in the same dir as the
	 * target process, and since we don't know the latter, we just
	 * use the full path. Why not?
	 *
	 * NOTE(review): 256 TCHARs is smaller than the Windows MAX_PATH
	 * of 260, so a maximum-length path does not fit. The filling
	 * code should reject an over-long path rather than truncate it,
	 * since a truncated path names a different file.
	 */
	TCHAR	dllpath[256];

	/*----------------------------------------------------------------
	 * The "entrypoint" is the name of the function that we're to use
	 * when we enter the DLL specified by "dllpath". This is a regular
	 * ASCII name, and we use GetProcAddress to find it.
	 *
	 * When this function is called, it's given the single "entryparam"
	 * argument that currently does nothing. But we have room to
	 * grow.
	 *
	 * NOTE: not unicode! (fpGetProcAddress above takes an LPCSTR.)
	 */
	char	entrypoint[256];

	/*----------------------------------------------------------------
	 * where to park the output file
	 */
	TCHAR	savefile[256];

	/*----------------------------------------------------------------
	 * remote site to contact. use an IP address if you like. And
	 * the URL too.
	 *
	 * NOTE: not unicode!
	 *
	 * Both buffers hold at most 63 characters plus the NUL.
	 */
	char	remote_host[64];
	char	remote_url[64];

	/* the single argument handed to "entrypoint" (see above) */
	DWORD	entryparam;

	/* NOTE(review): presumably a diagnostic verbosity setting; its
	 * meaning is not visible in this header -- confirm at the users.
	 */
	int	debuglevel;
};