C, C++ and VC++ Snippets

[warname]

thanks thanks thanks

[rjcmax]

my brain its starting to explode

[xXdeath]

me too
could some of these people here who understand these explain it in a simple and low way
step by step
pls

[4Rtic]

Obviously if you dont know any c/c++ you wont understand what is being posted here >.<

Snippet Name: from File -> Buffer
Description: Old Old pure C asignment from when i beggan coding xD it Copies a File into a Buffer.
Keywords: Buffer, Asignment, Crap
code:

Code:

void _Fill(char laiA[MAX][MAX])
{

FILE *infile;
char infile_name[15];
char *buffer;
int fchar, i=0, j=0, a=0;

    printf("Input File:    ");
    gets(infile_name);
    printf("Opening file %s ...\n", infile_name);

    if((infile = fopen(infile_name, "r"))== NULL)
        perror(infile);

    while(fchar!=EOF)
    {
        //read a character
        fchar = fgetc(infile);

        if(fchar == '\n' || fchar == EOF)
        {
            i++;
            j=0;
            continue;
        }
        else
        {
            laiA[i][j]=fchar;
            j++;
        }

    };
}

[xXdeath]

I know
this is why I´m asking for an explainiation
could somebody pls explain c++ to me

[4Rtic]

https://www.mpgh.net/forum/31-c-c-pro...resources.html

[megamandos]

Snippet Name: Injected Dll Unload Self and Exit
Keywords: inject, unload, self, asm, c
Description: Some ASM and C to have a DLL unload itself from memory and exit. Ever want to unload yourself without exiting the application? O and this is the 64 bit version. I still gotta write the 32-bit one. But you can find that inside injex.
Code:
C

Code:

extern "C" VOID __fastcall UnloadSelfAndExit(HMODULE hModule);

ASM (NASM syntax)

Code:

BITS 64
DEFAULT REL

%define MEM_COMMIT	 0x1000
%define MEM_RESERVE  0x2000
%define MEM_RESET	0x80000

%define MEM_LARGE_PAGES		0x20000000
%define MEM_PHYSICAL		  0x400000
%define MEM_TOP_DOWN		  0x100000
%define MEM_WRITE_WATCH		  0x200000

%define PAGE_NOACCESS			0x01
%define PAGE_READONLY			0x02
%define PAGE_READWRITE			0x04
%define PAGE_WRITECOPY			0x08
%define PAGE_EXECUTE			0x10
%define PAGE_EXECUTE_READ		0x20
%define	PAGE_EXECUTE_READWRITE	0x40
%define PAGE_EXECUTE_WRITECOPY	0x80

%define PAGE_GUARD				0x100
%define PAGE_NOCACHE			0x200
%define PAGE_WRITECOMBINE		0x400

global UnloadSelfAndExit
extern VirtualAlloc,GetProcAddress,GetModuleHandleA

section .text

;; extern "C" VOID __fastcall UnloadSelfAndExit(HMODULE hModule);
struc UnloadSelfAndExitShadowSpace
	.hModule	resq	1
endstruc

UnloadSelfAndExit:
	mov [rsp+UnloadSelfAndExitShadowSpace.hModule], rcx
	xor rcx, rcx
	mov rdx, unload_self_size+unload_self_config_size
	
	xor r8,r8
	or r8, MEM_COMMIT
	or r8, MEM_RESERVE

	xor r9,r9
	or r9, PAGE_EXECUTE_READWRITE

	sub rsp, 20h
	call VirtualAlloc
	add rsp, 20h

	mov rbx, rax

	mov rdi, rax
	lea rsi, [unload_self]
	mov rcx, unload_self_size
	rep movsb
	mov rbx, rdi

	lea rcx, [cKernel32]
	lea rdx, [cFreeLibrary]

	sub rsp, 20h
	call helperGetProcAddress
	add rsp, 20h

	mov [rbx + unload_self_config.fpFreeLibrary],rax

	lea rcx, [cKernel32]
	lea rdx, [cExitThread]

	sub rsp, 20h
	call helperGetProcAddress
	add rsp, 20h

	mov [rbx + unload_self_config.fpExitThread],rax

	mov rcx, [rsp+UnloadSelfAndExitShadowSpace.hModule]
	mov [rbx + unload_self_config.hModule], rcx

	lea rax, [rbx - unload_self_size]
	jmp rax

;; __fastcall helperGetProcAddress(char *moduleName, char *functionName)
helperGetProcAddress:
	;Stack alignment
	sub rsp, 8h

	mov [rsp], rdx
	sub rsp,20h
	call GetModuleHandleA
	add rsp, 20h

	mov rcx, rax
	mov rdx, [rsp]
	sub rsp, 20h
	call GetProcAddress
	add rsp, 20h

	;Stack alignment
	add rsp, 8h
	ret

cKernel32: db "Kernel32.dll",0
cFreeLibrary: db "FreeLibrary",0
cExitThread: db "ExitThread",0

struc unload_self_config
	.hModule			resq	1
	.fpExitThread		resq	1
	.fpFreeLibrary	resq	1
endstruc

unload_self:
	jmp .a
.b:
	pop rbp
	
	;FreeLibrary(hModule)
	mov rcx, [rbp+unload_self_config.hModule]
	mov rax, [rbp+unload_self_config.fpFreeLibrary]

	sub rsp, 28h
	call rax
	add rsp, 28h

	;ExitThread(0)

	xor rcx,rcx
	mov rax, [rbp+unload_self_config.fpExitThread]
	
	sub rsp, 20h
	call rax ; Never actually returns.
	add rsp, 20h
	
	ret
.a:
	call .b

unload_self_size: equ $-unload_self
; We're pretending there is an unload_self_config struc here...

Basically just creates a code cave, configures some PIC, and performs the unload from there. Don't try and follow it in WinDbg or it'll blow up on you, idk about OllyDbg or w/e tho, proly will too. I went a bit overboard on the %defines at the top, really only used 3 of them lol. This'll be part of Injex. Oh and I know its pretty much all ASM, but the C forum seemed like the place to put this (even though it can't really be written in C/C++) since (for some unknown reason) you don't seem to have an ASM forum.

[Void]

Snippet Name: Injected Dll Unload Self and Exit
Keywords: inject, unload, self, asm, c
Description: Some ASM and C to have a DLL unload itself from memory and exit. Ever want to unload yourself without exiting the application? O and this is the 64 bit version. I still gotta write the 32-bit one. But you can find that inside injex.
Code:
C

Code:

extern "C" VOID __fastcall UnloadSelfAndExit(HMODULE hModule);

ASM (NASM syntax)

Code:

BITS 64
DEFAULT REL

%define MEM_COMMIT	 0x1000
%define MEM_RESERVE  0x2000
%define MEM_RESET	0x80000

%define MEM_LARGE_PAGES		0x20000000
%define MEM_PHYSICAL		  0x400000
%define MEM_TOP_DOWN		  0x100000
%define MEM_WRITE_WATCH		  0x200000

%define PAGE_NOACCESS			0x01
%define PAGE_READONLY			0x02
%define PAGE_READWRITE			0x04
%define PAGE_WRITECOPY			0x08
%define PAGE_EXECUTE			0x10
%define PAGE_EXECUTE_READ		0x20
%define	PAGE_EXECUTE_READWRITE	0x40
%define PAGE_EXECUTE_WRITECOPY	0x80

%define PAGE_GUARD				0x100
%define PAGE_NOCACHE			0x200
%define PAGE_WRITECOMBINE		0x400

global UnloadSelfAndExit
extern VirtualAlloc,GetProcAddress,GetModuleHandleA

section .text

;; extern "C" VOID __fastcall UnloadSelfAndExit(HMODULE hModule);
struc UnloadSelfAndExitShadowSpace
	.hModule	resq	1
endstruc

UnloadSelfAndExit:
	mov [rsp+UnloadSelfAndExitShadowSpace.hModule], rcx
	xor rcx, rcx
	mov rdx, unload_self_size+unload_self_config_size
	
	xor r8,r8
	or r8, MEM_COMMIT
	or r8, MEM_RESERVE

	xor r9,r9
	or r9, PAGE_EXECUTE_READWRITE

	sub rsp, 20h
	call VirtualAlloc
	add rsp, 20h

	mov rbx, rax

	mov rdi, rax
	lea rsi, [unload_self]
	mov rcx, unload_self_size
	rep movsb
	mov rbx, rdi

	lea rcx, [cKernel32]
	lea rdx, [cFreeLibrary]

	sub rsp, 20h
	call helperGetProcAddress
	add rsp, 20h

	mov [rbx + unload_self_config.fpFreeLibrary],rax

	lea rcx, [cKernel32]
	lea rdx, [cExitThread]

	sub rsp, 20h
	call helperGetProcAddress
	add rsp, 20h

	mov [rbx + unload_self_config.fpExitThread],rax

	mov rcx, [rsp+UnloadSelfAndExitShadowSpace.hModule]
	mov [rbx + unload_self_config.hModule], rcx

	lea rax, [rbx - unload_self_size]
	jmp rax

;; __fastcall helperGetProcAddress(char *moduleName, char *functionName)
helperGetProcAddress:
	;Stack alignment
	sub rsp, 8h

	mov [rsp], rdx
	sub rsp,20h
	call GetModuleHandleA
	add rsp, 20h

	mov rcx, rax
	mov rdx, [rsp]
	sub rsp, 20h
	call GetProcAddress
	add rsp, 20h

	;Stack alignment
	add rsp, 8h
	ret

cKernel32: db "Kernel32.dll",0
cFreeLibrary: db "FreeLibrary",0
cExitThread: db "ExitThread",0

struc unload_self_config
	.hModule			resq	1
	.fpExitThread		resq	1
	.fpFreeLibrary	resq	1
endstruc

unload_self:
	jmp .a
.b:
	pop rbp
	
	;FreeLibrary(hModule)
	mov rcx, [rbp+unload_self_config.hModule]
	mov rax, [rbp+unload_self_config.fpFreeLibrary]

	sub rsp, 28h
	call rax
	add rsp, 28h

	;ExitThread(0)

	xor rcx,rcx
	mov rax, [rbp+unload_self_config.fpExitThread]
	
	sub rsp, 20h
	call rax ; Never actually returns.
	add rsp, 20h
	
	ret
.a:
	call .b

unload_self_size: equ $-unload_self
; We're pretending there is an unload_self_config struc here...

Basically just creates a code cave, configures some PIC, and performs the unload from there. Don't try and follow it in WinDbg or it'll blow up on you, idk about OllyDbg or w/e tho, proly will too. I went a bit overboard on the %defines at the top, really only used 3 of them lol. This'll be part of Injex. Oh and I know its pretty much all ASM, but the C forum seemed like the place to put this (even though it can't really be written in C/C++) since (for some unknown reason) you don't seem to have an ASM forum.

Why can't this be written in C/C++?

[megamandos]

The code cave can't be written in C++... its PIC. Unless there is something I am missing and people write Position Independent Code in c++ instead of ASM... But ofc the part where it just does VirtualAlloc, memcopy, and GetProcAddress can be written in C++, just not the PIC part at the bottom.

---------- Post added at 09:13 PM ---------- Previous post was at 09:06 PM ----------

Or by "this" do you mean a function that a DLL can call within itself to unload itself? Because I don't know of a way that a DLL can call FreeLibrary on itself and not cause an access violation when it returns to a point in the DLL it just freed.

I mean sure, you can set up the stack in 32 bit to basically call the functions while unwinding the stack (so the EIP doesn't return to a point in the DLL you just unloaded). But x64 uses all fast-call, so you can't* just put the variables on the stack and call it good, they have to be in there registers...

Oh an btw, i love your avatar lol.

[_Coder.]

Hey guys these are the some diffrent types and the size in bytes that they hold.

Code:

long - 4bytes

unsigned long - 4bytes 
long long - 8bytes
unsigned long long - 4bytes
float - 4bytes 
double - 8bytes
long double - 8bytes.

I know its quite simple, but in case people are interested to know and are using some of them.

[megamandos]

Snippet Name: Dll Unload Self and Exit
Keywords: unload, self, asm, c, dll, x86
Description: 32-bit ASM w/ PIC for DLL Self Unloading.
Code:
C

Code:

extern "C" VOID __stdcall UnloadSelfAndExit(HMODULE hModule);

ASM - Assemble with YASM/NASM

Code:

BITS 32

%define MEM_COMMIT	 0x1000
%define MEM_RESERVE  0x2000
%define MEM_RESET	0x80000

%define MEM_LARGE_PAGES		0x20000000
%define MEM_PHYSICAL		  0x400000
%define MEM_TOP_DOWN		  0x100000
%define MEM_WRITE_WATCH		  0x200000

%define PAGE_NOACCESS			0x01
%define PAGE_READONLY			0x02
%define PAGE_READWRITE			0x04
%define PAGE_WRITECOPY			0x08
%define PAGE_EXECUTE			0x10
%define PAGE_EXECUTE_READ		0x20
%define	PAGE_EXECUTE_READWRITE	0x40
%define PAGE_EXECUTE_WRITECOPY	0x80

%define PAGE_GUARD				0x100
%define PAGE_NOCACHE			0x200
%define PAGE_WRITECOMBINE		0x400

global _UnloadSelfAndExit@4
extern _VirtualAlloc@16,_GetProcAddress@8,_GetModuleHandleA@4

section .text

struc UnloadSelfAndExitArgs
	.SavedEBP		resd	1
	.returnPointer	resd	1
	.hModule		resd	1
endstruc

_UnloadSelfAndExit@4:
	push ebp
	mov ebp, esp

	mov eax, PAGE_EXECUTE_READWRITE
	push eax

	xor eax,eax
	or eax, MEM_COMMIT
	or eax, MEM_RESERVE
	push eax

	mov eax, unload_self_size + unload_self_config_size
	push eax

	push 0

	call _VirtualAlloc@16

	mov edi, eax
	lea esi, [unload_self]
	mov ecx, unload_self_size
	rep movsb
	
	mov ebx, edi ; We aren't coming back from this, so we might as well clobber ebx :)

	lea eax, [cFreeLibrary]
	push eax
	lea eax, [cKernel32]
	push eax
	call _HelpGetProcAddress@8

	mov [ebx+unload_self_config.fpFreeLibrary], eax

	lea eax, [cExitThread]
	push eax
	lea eax, [cKernel32]
	push eax
	call _HelpGetProcAddress@8

	mov [ebx+unload_self_config.fpExitThread], eax

	mov eax, [ebp + UnloadSelfAndExitArgs.hModule]
	mov [ebx + unload_self_config.hModule], eax

	lea eax, [ebx - unload_self_size]
	jmp eax

	pop ebp
	ret 4

struc HelpGetProcAddressArgs
	.SavedEBP		resd	1
	.returnPointer	resd	1
	.lpModuleName	resd	1
	.lpFunctionName	resd	1
endstruc

_HelpGetProcAddress@8:
	push ebp
	mov ebp, esp

	mov eax, [ebp + HelpGetProcAddressArgs.lpModuleName]
	push eax ; Module Name
	call _GetModuleHandleA@4

	mov ecx, [ebp + HelpGetProcAddressArgs.lpFunctionName]
	push ecx ; Function Name
	push eax ; The module base address.
	call _GetProcAddress@8

	pop ebp
	ret 8
	
cKernel32: db "Kernel32.dll",0
cFreeLibrary: db "FreeLibrary",0
cExitThread: db "ExitThread",0

struc unload_self_config
	.hModule			resd	1
	.fpExitThread		resd	1
	.fpFreeLibrary		resd	1
endstruc

unload_self:
	jmp .a
.b:
	pop ebp

	mov eax, [ebp + unload_self_config.hModule]
	push eax

	mov eax, [ebp + unload_self_config.fpFreeLibrary]
	call eax

	push 0
	mov eax, [ebp + unload_self_config.fpExitThread]
	call eax

.a:
	call .b

unload_self_size: equ $-unload_self
; We're pretending there is an unload_self_config struc here...

I just completed the 32-bit version of the function that allows a DLL to unload itself from memory. You can quite easily alter this to allow the DLL to reload itself, so you can reload your injected DLL without having to restart the target application between test runs.

[.::SCHiM::.]

Perhaps you should also mention that the code needs to be assembled with nasm?

[Jason]

Snippet Name: Dll Unload Self and Exit
Keywords: unload, self, asm, c, dll, x86
Description: 32-bit ASM w/ PIC for DLL Self Unloading.
Code:
C

Code:

extern "C" VOID __stdcall UnloadSelfAndExit(HMODULE hModule);

ASM

Code:

BITS 32

%define MEM_COMMIT	 0x1000
%define MEM_RESERVE  0x2000
%define MEM_RESET	0x80000

%define MEM_LARGE_PAGES		0x20000000
%define MEM_PHYSICAL		  0x400000
%define MEM_TOP_DOWN		  0x100000
%define MEM_WRITE_WATCH		  0x200000

%define PAGE_NOACCESS			0x01
%define PAGE_READONLY			0x02
%define PAGE_READWRITE			0x04
%define PAGE_WRITECOPY			0x08
%define PAGE_EXECUTE			0x10
%define PAGE_EXECUTE_READ		0x20
%define	PAGE_EXECUTE_READWRITE	0x40
%define PAGE_EXECUTE_WRITECOPY	0x80

%define PAGE_GUARD				0x100
%define PAGE_NOCACHE			0x200
%define PAGE_WRITECOMBINE		0x400

global _UnloadSelfAndExit@4
extern _VirtualAlloc@16,_GetProcAddress@8,_GetModuleHandleA@4

section .text

struc UnloadSelfAndExitArgs
	.SavedEBP		resd	1
	.returnPointer	resd	1
	.hModule		resd	1
endstruc

_UnloadSelfAndExit@4:
	push ebp
	mov ebp, esp

	mov eax, PAGE_EXECUTE_READWRITE
	push eax

	xor eax,eax
	or eax, MEM_COMMIT
	or eax, MEM_RESERVE
	push eax

	mov eax, unload_self_size + unload_self_config_size
	push eax

	push 0

	call _VirtualAlloc@16

	mov edi, eax
	lea esi, [unload_self]
	mov ecx, unload_self_size
	rep movsb
	
	mov ebx, edi ; We aren't coming back from this, so we might as well clobber ebx :)

	lea eax, [cFreeLibrary]
	push eax
	lea eax, [cKernel32]
	push eax
	call _HelpGetProcAddress@8

	mov [ebx+unload_self_config.fpFreeLibrary], eax

	lea eax, [cExitThread]
	push eax
	lea eax, [cKernel32]
	push eax
	call _HelpGetProcAddress@8

	mov [ebx+unload_self_config.fpExitThread], eax

	mov eax, [ebp + UnloadSelfAndExitArgs.hModule]
	mov [ebx + unload_self_config.hModule], eax

	lea eax, [ebx - unload_self_size]
	jmp eax

	pop ebp
	ret 4

struc HelpGetProcAddressArgs
	.SavedEBP		resd	1
	.returnPointer	resd	1
	.lpModuleName	resd	1
	.lpFunctionName	resd	1
endstruc

_HelpGetProcAddress@8:
	push ebp
	mov ebp, esp

	mov eax, [ebp + HelpGetProcAddressArgs.lpModuleName]
	push eax ; Module Name
	call _GetModuleHandleA@4

	mov ecx, [ebp + HelpGetProcAddressArgs.lpFunctionName]
	push ecx ; Function Name
	push eax ; The module base address.
	call _GetProcAddress@8

	pop ebp
	ret 8
	
cKernel32: db "Kernel32.dll",0
cFreeLibrary: db "FreeLibrary",0
cExitThread: db "ExitThread",0

struc unload_self_config
	.hModule			resd	1
	.fpExitThread		resd	1
	.fpFreeLibrary		resd	1
endstruc

unload_self:
	jmp .a
.b:
	pop ebp

	mov eax, [ebp + unload_self_config.hModule]
	push eax

	mov eax, [ebp + unload_self_config.fpFreeLibrary]
	call eax

	push 0
	mov eax, [ebp + unload_self_config.fpExitThread]
	call eax

.a:
	call .b

unload_self_size: equ $-unload_self
; We're pretending there is an unload_self_config struc here...

I just completed the 32-bit version of the function that allows a DLL to unload itself from memory. You can quite easily alter this to allow the DLL to reload itself, so you can reload your injected DLL without having to restart the target application between test runs.

This is more of an ASM snippet than a C++ snippet. Perhaps if you condensed it into inline assembly in C++ you'd have better results

[megamandos]

This is more of an ASM snippet than a C++ snippet. Perhaps if you condensed it into inline assembly in C++ you'd have better results

I have no idea how you would get the size of a function with inline assembly so you could copy the PIC, and I am NOT going to hard-code something like that.

Perhaps you should also mention that the code needs to be assembled with nasm?

A valid point, thanks! Done.

[megamandos]

Snippet Name: Injex Dll Inject and Hide
Keywords: c, dll, injection, inject, hide
Description: Call this to inject a DLL into a process and remove it from the PEB LDR data, so it wont be located by other stuff looking for loaded DLLs. Attach windbg with symbols loaded and type "!peb" to see that it isn't in the PEB->LdrData lists at all.
Code:

Code:

typedef struct _RTL_USER_PROCESS_PARAMETERS {
	ULONG                   MaximumLength;
	ULONG                   Length;
	ULONG                   Flags;
	ULONG                   DebugFlags;
	PVOID                   ConsoleHandle;
	ULONG                   ConsoleFlags;
	HANDLE                  StdInputHandle;
	HANDLE                  StdOutputHandle;
	HANDLE                  StdErrorHandle;
	UNICODE_STRING          CurrentDirectoryPath;
	HANDLE                  CurrentDirectoryHandle;
	UNICODE_STRING          DllPath;
	UNICODE_STRING          ImagePathName;
	UNICODE_STRING          CommandLine;
	PVOID                   Environment;
	ULONG                   StartingPositionLeft;
	ULONG                   StartingPositionTop;
	ULONG                   Width;
	ULONG                   Height;
	ULONG                   CharWidth;
	ULONG                   CharHeight;
	ULONG                   ConsoleTextAttributes;
	ULONG                   WindowFlags;
	ULONG                   ShowWindowFlags;
	UNICODE_STRING          WindowTitle;
	UNICODE_STRING          DesktopName;
	UNICODE_STRING          ShellInfo;
	UNICODE_STRING          RuntimeData;
	RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

typedef struct _PEB_FREE_BLOCK {
     _PEB_FREE_BLOCK *Next;
     ULONG Size;
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;

typedef struct _PEB_LDR_DATA {
	ULONG                   Length;
	BOOLEAN                 Initialized;
	PVOID                   SsHandle;
	LIST_ENTRY              InLoadOrderModuleList;
	LIST_ENTRY              InMemoryOrderModuleList;
	LIST_ENTRY              InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef void (*PPEBLOCKROUTINE)(PVOID PebLock);
typedef PVOID *PPVOID;

typedef struct _PEB {
	BOOLEAN                 InheritedAddressSpace;
	BOOLEAN                 ReadImageFileExecOptions;
	BOOLEAN                 BeingDebugged;
	BOOLEAN                 Spare;
	HANDLE                  Mutant;
	PVOID                   ImageBaseAddress;
	PPEB_LDR_DATA           LoaderData;
	PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
	PVOID                   SubSystemData;
	PVOID                   ProcessHeap;
	PVOID                   FastPebLock;
	PPEBLOCKROUTINE         FastPebLockRoutine;
	PPEBLOCKROUTINE         FastPebUnlockRoutine;
	ULONG                   EnvironmentUpdateCount;
	PPVOID                  KernelCallbackTable;
	PVOID                   EventLogSection;
	PVOID                   EventLog;
	PPEB_FREE_BLOCK         FreeList;
	ULONG                   TlsExpansionCounter;
	PVOID                   TlsBitmap;
	ULONG                   TlsBitmapBits[0x2];
	PVOID                   ReadOnlySharedMemoryBase;
	PVOID                   ReadOnlySharedMemoryHeap;
	PPVOID                  ReadOnlyStaticServerData;
	PVOID                   AnsiCodePageData;
	PVOID                   OemCodePageData;
	PVOID                   UnicodeCaseTableData;
	ULONG                   NumberOfProcessors;
	ULONG                   NtGlobalFlag;
	BYTE                    Spare2[0x4];
	LARGE_INTEGER           CriticalSectionTimeout;
	ULONG                   HeapSegmentReserve;
	ULONG                   HeapSegmentCommit;
	ULONG                   HeapDeCommitTotalFreeThreshold;
	ULONG                   HeapDeCommitFreeBlockThreshold;
	ULONG                   NumberOfHeaps;
	ULONG                   MaximumNumberOfHeaps;
	PPVOID                  *ProcessHeaps;
	PVOID                   GdiSharedHandleTable;
	PVOID                   ProcessStarterHelper;
	PVOID                   GdiDCAttributeList;
	PVOID                   LoaderLock;
	ULONG                   OSMajorVersion;
	ULONG                   OSMinorVersion;
	ULONG                   OSBuildNumber;
	ULONG                   OSPlatformId;
	ULONG                   ImageSubSystem;
	ULONG                   ImageSubSystemMajorVersion;
	ULONG                   ImageSubSystemMinorVersion;
	ULONG                   GdiHandleBuffer[0x22];
	ULONG                   PostProcessInitRoutine;
	ULONG                   TlsExpansionBitmap;
	BYTE                    TlsExpansionBitmapBits[0x80];
	ULONG                   SessionId;
} PEB, *PPEB;

typedef struct _PROCESS_BASIC_INFORMATION {
    PVOID Reserved1;
    PPEB PebBaseAddress;
    PVOID Reserved2[2];
    ULONG_PTR UniqueProcessId;
    PVOID Reserved3;
} PROCESS_BASIC_INFORMATION;

typedef enum _PROCESSINFOCLASS {
    ProcessBasicInformation = 0,
    ProcessWow64Information = 26
} PROCESSINFOCLASS;

typedef struct _LDR_MODULE {
	LIST_ENTRY              InLoadOrderModuleList;
	LIST_ENTRY              InMemoryOrderModuleList;
	LIST_ENTRY              InInitializationOrderModuleList;
	PVOID                   BaseAddress;
	PVOID                   EntryPoint;
	ULONG                   SizeOfImage;
	UNICODE_STRING          FullDllName;
	UNICODE_STRING          BaseDllName;
	ULONG                   Flags;
	SHORT                   LoadCount;
	SHORT                   TlsIndex;
	LIST_ENTRY              HashTableEntry;
	ULONG                   TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE;

SIZE_T ReadProcessUnicodeString(HANDLE hProcess, UNICODE_STRING *inString, UNICODE_STRING *outString){
	SIZE_T dwRead;

	outString->Length = inString->Length;
	outString->MaximumLength = inString->MaximumLength;
	outString->Buffer = (PWSTR)malloc(inString->MaximumLength);

	ReadProcessMemory(hProcess, inString->Buffer, outString->Buffer, inString->MaximumLength, &dwRead);

	return dwRead;
}
DWORD LoadLibraryInjection(HANDLE proc, PCHAR dllName){
	LPVOID RemoteString, LoadLibAddy;
	LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");

	RemoteString = (LPVOID)VirtualAllocEx(proc, NULL, strlen(dllName), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
	if(RemoteString == NULL){
		CloseHandle(proc); // Close the process handle.
		ErrorExit(TEXT("VirtualAllocEx"), NULL);
	}

	if(WriteProcessMemory(proc, (LPVOID)RemoteString, dllName,strlen(dllName), NULL) == 0){
		VirtualFreeEx(proc, RemoteString, 0, MEM_RELEASE); // Free the memory we were going to use.
		CloseHandle(proc); // Close the process handle.
		ErrorExit(TEXT("WriteProcessMemory"), NULL);
	}
	
	HANDLE hThread;

	if((hThread = CreateRemoteThread(proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL)) == NULL){
		VirtualFreeEx(proc, RemoteString, 0, MEM_RELEASE); // Free the memory we were going to use.
		CloseHandle(proc); // Close the process handle.
		ErrorExit(TEXT("CreateRemoteThread"), NULL);
	}
	DWORD dwThreadExitCode=0;

	// Lets wait for the thread to finish 10 seconds is our limit.
	// During this wait, DllMain is running in the injected DLL, so
	// DllMain has 10 seconds to run.
	WaitForSingleObject(hThread, 10000);

	// Lets see what it says...
	GetExitCodeThread(hThread,  &dwThreadExitCode);

	// No need for this handle anymore, lets get rid of it.
	CloseHandle(hThread);

	// Lets clear up that memory we allocated earlier.
	VirtualFreeEx(proc, RemoteString, 0, MEM_RELEASE);

	// Alright lets remove this DLL from the loaded DLL list!

	WCHAR dllNameW[MAX_PATH];
	MultiByteToWideChar(CP_UTF8, 0, dllName, strlen(dllName)+1, dllNameW, MAX_PATH);

	typedef NTSTATUS (WINAPI *fpNtQueryInformationProcess)(
	  __in       HANDLE ProcessHandle,
	  __in       PROCESSINFOCLASS ProcessInformationClass,
	  __out      PVOID ProcessInformation,
	  __in       ULONG ProcessInformationLength,
	  __out_opt  PULONG ReturnLength
	);
	
	fpNtQueryInformationProcess NtQueryInformationProcess = (fpNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"),"NtQueryInformationProcess");

	PROCESS_BASIC_INFORMATION procinfo;
	NtQueryInformationProcess(proc, ProcessBasicInformation, &procinfo, sizeof(procinfo), NULL);

	PEB peb;
	PEB_LDR_DATA ldrData;

	SIZE_T dwRead;
	ReadProcessMemory(proc, procinfo.PebBaseAddress, &peb, sizeof(peb), &dwRead);
	ReadProcessMemory(proc, peb.LoaderData, &ldrData, sizeof(ldrData), &dwRead);

	LDR_MODULE ldrModuleA = {0};
	LDR_MODULE ldrModuleOfInterest = {0};
	
	
	LIST_ENTRY *Flink=ldrData.InInitializationOrderModuleList.Flink;
	LIST_ENTRY *Start=Flink;
	LIST_ENTRY *Blink = 0;

	do{
		// Lets find the entry in the InInitializationOrderModuleList first.
		ReadProcessMemory(proc, CONTAINING_RECORD(Flink, LDR_MODULE, InInitializationOrderModuleList), &ldrModuleA, sizeof(ldrModuleA), &dwRead);
		Blink = ldrModuleA.InInitializationOrderModuleList.Blink;
		Flink = ldrModuleA.InInitializationOrderModuleList.Flink;

		if(ldrModuleA.InInitializationOrderModuleList.Flink == Start)
			break;

		UNICODE_STRING FullDllName;
		ReadProcessUnicodeString(proc, &ldrModuleA.FullDllName, &FullDllName);
		if(wcscmp(FullDllName.Buffer, dllNameW)==0){
			// BINGO!
			printf("FullDllName: %wZ\n", FullDllName);
			
			// Lets remove this list entry.

			LDR_MODULE Previous;
			LDR_MODULE Next;

			// Overwriting the entry at Flink, so it points to the one behind us.
			ReadProcessMemory(proc, CONTAINING_RECORD(Flink, LDR_MODULE, InInitializationOrderModuleList), &Next, sizeof(Next), &dwRead);
			Next.InInitializationOrderModuleList.Blink = Blink;
			WriteProcessMemory(proc, CONTAINING_RECORD(Flink, LDR_MODULE, InInitializationOrderModuleList), &Next, sizeof(Next), NULL);

			// Overwriting the entry at Blink, so it points to the one in front of us.
			ReadProcessMemory(proc, CONTAINING_RECORD(Blink, LDR_MODULE, InInitializationOrderModuleList), &Previous, sizeof(Previous), &dwRead);
			Previous.InInitializationOrderModuleList.Flink = Flink;
			WriteProcessMemory(proc, CONTAINING_RECORD(Blink, LDR_MODULE, InInitializationOrderModuleList), &Previous, sizeof(Previous), NULL);

			// Break out, to continue on to the next list...
			break;
		}
		free(FullDllName.Buffer);

	}while(TRUE);
	

	
	Flink=ldrData.InLoadOrderModuleList.Flink;
	Start=Flink;
	Blink = 0;

	do{
		// Lets find the entry in the InInitializationOrderModuleList first.
		ReadProcessMemory(proc, CONTAINING_RECORD(Flink, LDR_MODULE, InLoadOrderModuleList), &ldrModuleA, sizeof(ldrModuleA), &dwRead);
		Blink = ldrModuleA.InLoadOrderModuleList.Blink;
		Flink = ldrModuleA.InLoadOrderModuleList.Flink;

		if(ldrModuleA.InLoadOrderModuleList.Flink == Start)
			break;

		UNICODE_STRING FullDllName;
		ReadProcessUnicodeString(proc, &ldrModuleA.FullDllName, &FullDllName);
		if(wcscmp(FullDllName.Buffer, dllNameW)==0){
			// BINGO!
			printf("FullDllName: %wZ\n", FullDllName);
			
			// Lets remove this list entry.

			LDR_MODULE Previous;
			LDR_MODULE Next;

			// Overwriting the entry at Flink, so it points to the one behind us.
			ReadProcessMemory(proc, CONTAINING_RECORD(Flink, LDR_MODULE, InLoadOrderModuleList), &Next, sizeof(Next), &dwRead);
			Next.InLoadOrderModuleList.Blink = Blink;
			WriteProcessMemory(proc, CONTAINING_RECORD(Flink, LDR_MODULE, InLoadOrderModuleList), &Next, sizeof(Next), NULL);

			// Overwriting the entry at Blink, so it points to the one in front of us.
			ReadProcessMemory(proc, CONTAINING_RECORD(Blink, LDR_MODULE, InLoadOrderModuleList), &Previous, sizeof(Previous), &dwRead);
			Previous.InLoadOrderModuleList.Flink = Flink;
			WriteProcessMemory(proc, CONTAINING_RECORD(Blink, LDR_MODULE, InLoadOrderModuleList), &Previous, sizeof(Previous), NULL);

			// Break out, to continue on to the next list...
			break;
		}
		free(FullDllName.Buffer);

	}while(TRUE);
	
	
	Flink=ldrData.InMemoryOrderModuleList.Flink;
	Start=Flink;
	Blink = 0;

	do{
		// Lets find the entry in the InInitializationOrderModuleList first.
		ReadProcessMemory(proc, CONTAINING_RECORD(Flink, LDR_MODULE, InMemoryOrderModuleList), &ldrModuleA, sizeof(ldrModuleA), &dwRead);
		Blink = ldrModuleA.InMemoryOrderModuleList.Blink;
		Flink = ldrModuleA.InMemoryOrderModuleList.Flink;

		if(ldrModuleA.InMemoryOrderModuleList.Flink == Start)
			break;

		UNICODE_STRING FullDllName;
		ReadProcessUnicodeString(proc, &ldrModuleA.FullDllName, &FullDllName);
		if(wcscmp(FullDllName.Buffer, dllNameW)==0){
			// BINGO!
			printf("FullDllName: %wZ\n", FullDllName);
			
			// Lets remove this list entry.

			LDR_MODULE Previous;
			LDR_MODULE Next;

			// Overwriting the entry at Flink, so it points to the one behind us.
			ReadProcessMemory(proc, CONTAINING_RECORD(Flink, LDR_MODULE, InMemoryOrderModuleList), &Next, sizeof(Next), &dwRead);
			Next.InMemoryOrderModuleList.Blink = Blink;
			WriteProcessMemory(proc, CONTAINING_RECORD(Flink, LDR_MODULE, InMemoryOrderModuleList), &Next, sizeof(Next), NULL);

			// Overwriting the entry at Blink, so it points to the one in front of us.
			ReadProcessMemory(proc, CONTAINING_RECORD(Blink, LDR_MODULE, InMemoryOrderModuleList), &Previous, sizeof(Previous), &dwRead);
			Previous.InMemoryOrderModuleList.Flink = Flink;
			WriteProcessMemory(proc, CONTAINING_RECORD(Blink, LDR_MODULE, InMemoryOrderModuleList), &Previous, sizeof(Previous), NULL);

			// Break out, to continue on to the next list...
			break;
		}
		free(FullDllName.Buffer);

	}while(TRUE);

	return dwThreadExitCode;
}

Please note that when running on WoW64, there are actually TWO process environment blocks, this only clear out the 32 bit one, and on normal 64-bit it clears out the ONLY one (which is the 64-bit one). Sorry if that is confusing... (I'm proud of my code )

For the two PEBs look at the first user post here: https://msdn.microsof*****m/en-us/libr...(v=vs.85).aspx