#define STRLEN 100
typedef struct _DATA {
DWORD dwLoadLibrary;
DWORD dwGetProcAddress;
DWORD dwGetModuleHandle;
DWORD dwGetModuleFileName;
char User32Dll[STRLEN];
char MessageBox1[STRLEN];
char Text[STRLEN];
char Caption[STRLEN];
}DATA, *PDATA;
DWORD WINAPI RemoteThreadProc(LPVOID lpParam);
void InjectCode1(DWORD dwPid) {
//利用PID值,獲取欲注入的行程句柄
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
if (hProcess == NULL) {
AfxMessageBox("行程打開失敗!"); return;
}
DATA Data = { 0 }; //獲取欲使用的API函式的句柄
Data.dwLoadLibrary = (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),
"LoadLibraryA");
Data.dwGetProcAddress = (DWORD)GetProcAddress(
GetModuleHandle("kernel32.dll"), "GetProcAddress");
Data.dwGetModuleHandle = (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),
"GetModuleHandleA"); Data.dwGetModuleFileName = (DWORD)GetProcAddress(
GetModuleHandleA("kernel32.dll"), "GetModuleFileNameA");
//對話框定義
lstrcpy(Data.User32Dll, "user32.dll");
lstrcpy(Data.MessageBox1, "MessageBoxA");
lstrcpy(Data.Text, "You have been hacked! (by J.Y.)");
lstrcpy(Data.Caption, "Warning"); //申請資料結構的記憶體空間
LPVOID lpData = VirtualAllocEx(hProcess, //process to allocate memory
NULL, //desired starting address
sizeof(DATA), //size of region to allocate
MEM_COMMIT | MEM_RESERVE, //type of allocation
PAGE_READWRITE); //type of access protection
if(lpData == NULL)
{ AfxMessageBox("申請資料區域失敗!");
CloseHandle(hProcess); return;
}
DWORD dwWriteNum = 0; if (!WriteProcessMemory(hProcess, lpData, &Data, sizeof(DATA), &dwWriteNum))
{
AfxMessageBox("資料結構寫入行程失敗!");
//失敗就釋放原先申請的記憶體區域,撤銷記憶體頁的提交狀態
VirtualFreeEx(hProcess, lpData, sizeof(DATA), MEM_DECOMMIT);
CloseHandle(hProcess); return;
}
//申請執行緒函式的記憶體空間
DWORD dwFunSize = 0x6000;
LPVOID lpCode = VirtualAllocEx(hProcess, NULL,
dwFunSize, MEM_COMMIT,
PAGE_EXECUTE_READWRITE); if (lpCode == NULL)
{
AfxMessageBox("申請函式區域失敗!");
//失敗就釋放原先申請的記憶體區域 撤銷記憶體頁的提交狀態
VirtualFreeEx(hProcess, lpCode, dwFunSize, MEM_DECOMMIT);
CloseHandle(hProcess); return;
} if (!WriteProcessMemory(hProcess, lpCode, RemoteThreadProc, dwFunSize, &dwWriteNum))
{
AfxMessageBox("執行緒函式寫入行程失敗!");
//失敗就釋放原先申請的記憶體區域,撤銷記憶體頁的提交狀態
VirtualFreeEx(hProcess, lpData, sizeof(DATA), MEM_DECOMMIT);
VirtualFreeEx(hProcess, lpCode, dwFunSize, MEM_DECOMMIT); CloseHandle(hProcess);
return;
}
HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL,
0, (LPTHREAD_START_ROUTINE)lpCode,
lpData, 0,
NULL); if (hRemoteThread == NULL)
{
AfxMessageBox("創建遠程執行緒失敗!");
//釋放原先申請的記憶體區域,撤銷記憶體頁的提交狀態
VirtualFreeEx(hProcess, lpData, sizeof(DATA), MEM_DECOMMIT);
VirtualFreeEx(hProcess, lpCode, dwFunSize, MEM_DECOMMIT); CloseHandle(hProcess);
return;
}
AfxMessageBox("成功注入!");
//等待執行緒退出
WaitForSingleObject(hRemoteThread, INFINITE);
//釋放原先申請的記憶體區域,撤銷記憶體頁的提交狀態
VirtualFreeEx(hProcess, lpData, sizeof(DATA), MEM_DECOMMIT);
VirtualFreeEx(hProcess, lpCode, dwFunSize, MEM_DECOMMIT);
CloseHandle(hRemoteThread); CloseHandle(hProcess);
}
DWORD WINAPI RemoteThreadProc(LPVOID lpParam) {
PDATA pData = (PDATA)lpParam;
// 定義API函式原型
HMODULE (__stdcall *MyLoadLibrary)(LPCTSTR);
FARPROC(__stdcall *MyGetProcAddress)(HMODULE, LPCSTR);
HMODULE(__stdcall *MyGetModuleHandle)(LPCTSTR);
int(__stdcall *MyMessageBox)(HWND, LPCTSTR, LPCTSTR, UINT);
DWORD(__stdcall *MyGetModuleFileName)(HMODULE, LPTSTR, DWORD);
MyLoadLibrary = (HMODULE(__stdcall *)(LPCTSTR))pData->dwLoadLibrary;
MyGetProcAddress = (FARPROC(__stdcall *)(HMODULE, LPCSTR))pData->dwGetProcAddress;
MyGetModuleHandle = (HMODULE(__stdcall *)(LPCSTR))pData->dwGetModuleHandle;
MyGetModuleFileName = (DWORD(__stdcall *)(HMODULE, LPTSTR, DWORD nSize))pData->dwGetModuleFileName;
HMODULE hModule = MyLoadLibrary(pData->User32Dll);
MyMessageBox = (int(__stdcall *)(HWND, LPCTSTR, LPCTSTR, UINT))MyGetProcAddress(hModule, pData->MessageBox1);
char szModuleName[MAX_PATH] = { 0 };
MyGetModuleFileName(NULL, szModuleName, MAX_PATH);
MyMessageBox(0, pData->Text, pData->Caption, 0);
return 0;
}
最后呼叫InjectCode1(dwPid);
遠程程式崩潰了。
uj5u.com熱心網友回復:
把程式去掉AfxMessageBox在VC6.0下能成功 在vs2015下就失敗了 這跟編譯器有關么?// aasd.cpp : Defines the entry point for the console application.
//
// DllTest1.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include"windows.h"
#include<stdio.h>
//extern "C" void MsgBox(char *szMsg);
//#pragma comment (lib,"FirstDll")
#define STRLEN 100
typedef struct _DATA {
DWORD dwLoadLibrary;
DWORD dwGetProcAddress;
DWORD dwGetModuleHandle;
DWORD dwGetModuleFileName;
char User32Dll[STRLEN];
char MessageBox1[STRLEN];
char Text[STRLEN];
}DATA, *PDATA;
DWORD WINAPI RemoteThreadProc(LPVOID lpParam);
void InjectCode1(DWORD dwPid) {
//利用PID值,獲取欲注入的行程句柄
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
if (hProcess == NULL) {
return;
}
DATA Data = { 0 }; //獲取欲使用的API函式的句柄
Data.dwLoadLibrary = (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),
"LoadLibraryA");
Data.dwGetProcAddress = (DWORD)GetProcAddress(
GetModuleHandle("kernel32.dll"), "GetProcAddress");
Data.dwGetModuleHandle = (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),
"GetModuleHandleA"); Data.dwGetModuleFileName = (DWORD)GetProcAddress(
GetModuleHandleA("kernel32.dll"), "GetModuleFileNameA");
//對話框定義
lstrcpy(Data.User32Dll, "user32.dll");
lstrcpy(Data.MessageBox1, "MessageBoxA");
lstrcpy(Data.Text, "You have been hacked! (by J.Y.)");
//申請資料結構的記憶體空間
LPVOID lpData = VirtualAllocEx(hProcess, //process to allocate memory
NULL, //desired starting address
sizeof(DATA), //size of region to allocate
MEM_COMMIT | MEM_RESERVE, //type of allocation
PAGE_READWRITE); //type of access protection
if(lpData == NULL)
{
CloseHandle(hProcess); return;
}
DWORD dwWriteNum = 0; if (!WriteProcessMemory(hProcess, lpData, &Data, sizeof(DATA), &dwWriteNum))
{
//失敗就釋放原先申請的記憶體區域,撤銷記憶體頁的提交狀態
VirtualFreeEx(hProcess, lpData, sizeof(DATA), MEM_DECOMMIT);
CloseHandle(hProcess); return;
}
//申請執行緒函式的記憶體空間
DWORD dwFunSize = 0x6000;
LPVOID lpCode = VirtualAllocEx(hProcess, NULL,
dwFunSize, MEM_COMMIT,
PAGE_EXECUTE_READWRITE); if (lpCode == NULL)
{
//失敗就釋放原先申請的記憶體區域 撤銷記憶體頁的提交狀態
VirtualFreeEx(hProcess, lpCode, dwFunSize, MEM_DECOMMIT);
CloseHandle(hProcess); return;
} if (!WriteProcessMemory(hProcess, lpCode, RemoteThreadProc, dwFunSize, &dwWriteNum))
{
//失敗就釋放原先申請的記憶體區域,撤銷記憶體頁的提交狀態
VirtualFreeEx(hProcess, lpData, sizeof(DATA), MEM_DECOMMIT);
VirtualFreeEx(hProcess, lpCode, dwFunSize, MEM_DECOMMIT); CloseHandle(hProcess);
return;
}
HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL,
0, (LPTHREAD_START_ROUTINE)lpCode,
lpData, 0,
NULL); if (hRemoteThread == NULL)
{
//釋放原先申請的記憶體區域,撤銷記憶體頁的提交狀態
VirtualFreeEx(hProcess, lpData, sizeof(DATA), MEM_DECOMMIT);
VirtualFreeEx(hProcess, lpCode, dwFunSize, MEM_DECOMMIT); CloseHandle(hProcess);
return;
}
//等待執行緒退出
//釋放原先申請的記憶體區域,撤銷記憶體頁的提交狀態
CloseHandle(hRemoteThread); CloseHandle(hProcess);
}
DWORD WINAPI RemoteThreadProc(LPVOID lpParam) {
PDATA pData = (PDATA)lpParam;
// 定義API函式原型
HMODULE (__stdcall *MyLoadLibrary)(LPCTSTR);
FARPROC(__stdcall *MyGetProcAddress)(HMODULE, LPCSTR);
HMODULE(__stdcall *MyGetModuleHandle)(LPCTSTR);
int(__stdcall *MyMessageBox)(HWND, LPCTSTR, LPCTSTR, UINT);
DWORD(__stdcall *MyGetModuleFileName)(HMODULE, LPTSTR, DWORD);
MyLoadLibrary = (HMODULE(__stdcall *)(LPCTSTR))pData->dwLoadLibrary;
MyGetProcAddress = (FARPROC(__stdcall *)(HMODULE, LPCSTR))pData->dwGetProcAddress;
MyGetModuleHandle = (HMODULE(__stdcall *)(LPCSTR))pData->dwGetModuleHandle;
MyGetModuleFileName = (DWORD(__stdcall *)(HMODULE, LPTSTR, DWORD nSize))pData->dwGetModuleFileName;
HMODULE hModule = MyLoadLibrary(pData->User32Dll);
MyMessageBox = (int(__stdcall *)(HWND, LPCTSTR, LPCTSTR, UINT))MyGetProcAddress(hModule, pData->MessageBox1);
char szModuleName[MAX_PATH] = { 0 };
MyGetModuleFileName(NULL, szModuleName, MAX_PATH);
MyMessageBox(0, pData->Text, szModuleName, 0);
return 0;
}
int main(int argc, char* argv[])
{
int c=getchar();
InjectCode1(8612);
return 0;
}
uj5u.com熱心網友回復:
WinAPIOverridehttp://jacquelin.potier.free.fr/winapioverride32/uj5u.com熱心網友回復:
行程需要提權,使用下面四個函式GetCurrentProcess()
OpenProcessToken()
LookupPrivilegeValue()
AdjustTokenPrivileges()
轉載請註明出處,本文鏈接:https://www.uj5u.com/gongcheng/153471.html
標籤:進程/線程/DLL
上一篇:用opencv如何把一張足球比賽視頻的影像的球場提取出來,最好附程式
下一篇:求助,關于音頻視頻編碼