#include <windows.h>
#include <iostream>   // NOTE(review): nothing below uses iostream; the include is dead

// Fixed width of each string slot in DATA. The three literals copied in by
// InjectCode ("user32.dll", "MessageBoxA", "Code Inject !!!") all fit with
// their NUL terminator, but lstrcpy does no bounds check, so a longer string
// would overrun the struct.
#define STRLEN 20

// Parameter block handed to the remote thread. It is written into the target
// process by InjectCode and read back through lpParam in RemoteThreadProc.
// The function-pointer fields are stored as DWORD, i.e. the whole design
// assumes 32-bit pointers.
typedef struct _DATA
{
    DWORD dwLoadLibrary;        // address of kernel32!LoadLibraryA
    DWORD dwGetProcAddress;     // address of kernel32!GetProcAddress
    DWORD dwGetModuleHandle;    // address of kernel32!GetModuleHandleA (stored, never called)
    DWORD dwGetModuleFileName;  // address of kernel32!GetModuleFileNameA
    char User32Dll[STRLEN];     // "user32.dll"
    char MessageBox[STRLEN];    // "MessageBoxA"
    char Str[STRLEN];           // text shown in the message box
}DATA, *PDATA;

// Thread body executed inside the target process.
//
// NOTE(review): InjectCode copies the compiled bytes of this function into the
// target with WriteProcessMemory, so it must not reference anything from this
// module's own address space: every Win32 call goes through a pointer carried
// in DATA, and every string is carried in DATA as well. That is also why the
// code below is left byte-identical in this review — restyling it (or a
// compiler lowering `= {0}` on the MAX_PATH buffer to a CRT memset call, or
// emitting a relocation) would change the copied bytes and break it at
// runtime. Whether a given build is actually relocation-free is not verifiable
// from the source alone.
//
// lpParam: address of the DATA block inside the target process.
// Returns 0; the value is never consumed by InjectCode.
DWORD WINAPI RemoteThreadProc(LPVOID lpParam)
{
    PDATA pData = (PDATA)lpParam;
    // Declare local function-pointer prototypes for the APIs that are resolved
    // indirectly (no import table is available to the copied code).
    HMODULE (__stdcall *MyLoadLibrary)(LPCTSTR);
    FARPROC (__stdcall *MyGetProcAddress)(HMODULE, LPCSTR);
    HMODULE (__stdcall *MyGetModuleHandle)(LPCTSTR);
    int (__stdcall *MyMessageBox)(HWND, LPCTSTR, LPCTSTR, UINT);
    DWORD (__stdcall *MyGetModuleFileName)(HMODULE, LPTSTR, DWORD);
    // Assign the addresses supplied by the injector. The DWORD -> pointer cast
    // only round-trips on a 32-bit build; none of the addresses is validated.
    MyLoadLibrary = (HMODULE (__stdcall *)(LPCTSTR))pData->dwLoadLibrary;
    MyGetProcAddress = (FARPROC (__stdcall *)(HMODULE, LPCSTR))pData->dwGetProcAddress;
    MyGetModuleHandle = (HMODULE (__stdcall *)(LPCTSTR))pData->dwGetModuleHandle;   // assigned but never used
    MyGetModuleFileName = (DWORD (__stdcall *)(HMODULE, LPTSTR, DWORD))pData->dwGetModuleFileName;
    // Load user32.dll into the target. A NULL hModule is not checked, so a
    // failed load reaches GetProcAddress(NULL, ...) below.
    HMODULE hModule = MyLoadLibrary(pData->User32Dll);
    // Resolve MessageBoxA by name; a NULL result is likewise not checked before
    // the call that follows.
    MyMessageBox = (int (__stdcall *)(HWND, LPCTSTR, LPCTSTR, UINT)) MyGetProcAddress(hModule, pData->MessageBox);
    // Fetch the host process's own image path (hModule NULL = main module) and
    // show it as the message-box caption, which is how the demo proves which
    // process the thread is running in.
    char szModuleFileName[MAX_PATH] = {0};
    MyGetModuleFileName(NULL, szModuleFileName, MAX_PATH);
    MyMessageBox(NULL, pData->Str, szModuleFileName, MB_OK);
    return 0;
}

// Copy RemoteThreadProc and its DATA block into process dwPid and run it on a
// new thread there, blocking until that thread exits.
//
// From a detection standpoint this is the textbook remote-thread injection
// sequence — OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(RWX) ->
// WriteProcessMemory -> CreateRemoteThread — i.e. exactly the API chain
// endpoint monitoring and audit tooling commonly keys on, with an RWX
// allocation making the writes easy to spot.
//
// dwPid: target process id. Returns silently if OpenProcess fails; every other
// API result (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread) is
// unchecked, so a partial failure leaves hProcess open and may call
// WaitForSingleObject/CloseHandle on a NULL thread handle.
void InjectCode(DWORD dwPid)
{
    // Open the target and obtain a process handle (requests far more rights
    // than the later calls actually need).
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE,dwPid);
    if(NULL== hProcess) return;
    DATA Data = {0};
    // Resolve the needed kernel32.dll exports in this process. These addresses
    // are reused in the target on the assumption that kernel32 is mapped at
    // the same base there; GetProcAddress failures (NULL) are not checked.
    Data.dwLoadLibrary= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
    Data.dwGetProcAddress= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetProcAddress");
    Data.dwGetModuleHandle= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetModuleHandleA");
    Data.dwGetModuleFileName= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetModuleFileNameA");
    // Names of the other DLL and export the remote code resolves itself.
    lstrcpy(Data.User32Dll,"user32.dll");
    lstrcpy(Data.MessageBox,"MessageBoxA");
    // Message-box text.
    lstrcpy(Data.Str,"Code Inject !!!");
    // Allocate space for the DATA block in the target process. Only a
    // readable/writable page is needed for data; PAGE_EXECUTE_READWRITE is
    // requested regardless.
    LPVOID lpData = VirtualAllocEx(hProcess, NULL, sizeof(Data), MEM_COMMIT,PAGE_EXECUTE_READWRITE);
    DWORD dwWriteNum = 0;
    WriteProcessMemory(hProcess,lpData, &Data,sizeof(Data), &dwWriteNum);
    // Allocate a fixed-size region in the target for the thread code. The size
    // is a guess (the real length of RemoteThreadProc is unknown here), and it
    // is a 16-bit WORD despite the "dw" prefix.
    WORD dwFunSize = 0x4000;
    LPVOID lpCode = VirtualAllocEx(hProcess, NULL, dwFunSize, MEM_COMMIT,PAGE_EXECUTE_READWRITE);
    // Copy 0x4000 bytes starting at RemoteThreadProc. That reads well past the
    // end of the function — whatever follows it in this image's code section
    // is copied too, and the read may fault if it runs off a mapped page.
    // Under incremental linking, &RemoteThreadProc may also be a jump-thunk
    // rather than the function body.
    WriteProcessMemory(hProcess,lpCode,&RemoteThreadProc, dwFunSize,&dwWriteNum);
    // Start the copied code on a new thread in the target, passing lpData.
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpCode, lpData,0, NULL);
    WaitForSingleObject(hThread,INFINITE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
}

// Look up a process id by *window title*, not by executable name: FindWindow
// matches the text passed as lpWindowName, so the caller's "lyshark.exe" is
// only found if some top-level window is literally titled that.
//
// Name: window title to search for.
// Returns the owning process id, truncated to int. Retn is left uninitialized
// and GetWindowThreadProcessId's result is not checked, so when no window
// matches (Pid == NULL) the function returns an indeterminate value.
int GetProcessID(char *Name)
{
    HWND Pid=::FindWindow(NULL,Name);
    DWORD Retn;
    ::GetWindowThreadProcessId(Pid,&Retn);
    return Retn;
}

// Entry point: resolve the demo target's pid from its window title and
// inject. The pid travels through an int (GetProcessID) and back into a DWORD
// (InjectCode) with no failure check in between.
int main()
{
    int ppid;
    ppid = ::GetProcessID("lyshark.exe");
    InjectCode(ppid);
    return 0;
}