• EnhanceFunc__增强函数集


    想将经常用到的功能函数写在一起,花时间精心维护,然后以后就用起来就舒服很多了

    目前就写了进程调试权限,远程线程注入,远程线程释放这三个函数.还有很多功能,以后慢慢加

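// last code by gwsbhqt@163.com at 20150708

#pragma once

#ifndef ENHANCEFUNC_H
#define ENHANCEFUNC_H

#include <cstdio>
#include <cstring>      // strlen, used by the implementation; do not rely on windows.h pulling it in
#include <windows.h>

// NOTE: no `using namespace std;` here on purpose. A using-directive in a header
// leaks into every translation unit that includes it; nothing in this API needs it.

// Turns on SeDebugPrivilege for the calling process's own token so that handles
// to processes of other users / sessions can be opened afterwards.
// Returns TRUE only when the privilege is actually enabled. It is FALSE when the
// token does not hold the privilege at all (the usual case when not running
// elevated) or when any of the token APIs fails.
BOOL EnableDebugPrivileges();

// Loads lpLibFilePath into hProcess by running LoadLibraryA on a new thread
// inside the target.
//   hProcess         - handle with the rights VirtualAllocEx, WriteProcessMemory
//                      and CreateRemoteThread need.
//   lpLibFilePath    - ANSI path of the DLL. Use an absolute path: a relative
//                      name is resolved by the TARGET's DLL search order, which
//                      is a classic hijacking vector.
//   lpRemoteThreadId - optional; receives the id of the remote thread.
// The local kernel32 address of LoadLibraryA is reused in the target, so the
// target must have the same bitness as the caller. Returns the remote thread
// handle (caller closes it) or NULL on failure.
HANDLE RemoteThreadInjection(HANDLE hProcess, LPCSTR lpLibFilePath, LPDWORD lpRemoteThreadId = NULL);

// Unloads lpLibFilePath from hProcess by running FreeLibrary on a new thread
// inside the target, waiting up to dwMilliseconds for it to finish. Same
// hProcess rights and same-bitness requirement as RemoteThreadInjection.
// Returns the remote FreeLibrary result; FALSE on failure or timeout.
BOOL RemoteThreadFreeing(HANDLE hProcess, LPCSTR lpLibFilePath, DWORD dwMilliseconds = INFINITE);

#endif    //    def    ENHANCEFUNC_H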
    EnhanceFunc.h
      1 // last code by gwsbhqt@163.com at 20150708
      2 
#include "EnhanceFunc.h"

#include <windows.h>
#include <tlhelp32.h>   // CreateToolhelp32Snapshot / Module32FirstW: locate a module in another process
      4 
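// Enables SeDebugPrivilege on the current process token.
//
// Returns TRUE only when the privilege is really enabled afterwards. Two things
// the original version got wrong are fixed here:
//   * AdjustTokenPrivileges returns TRUE even when the token does not hold the
//     privilege (non-elevated callers); the verdict is GetLastError() ==
//     ERROR_SUCCESS vs ERROR_NOT_ALL_ASSIGNED. The old code reported success
//     and the later OpenProcess/CreateRemoteThread calls failed mysteriously.
//   * TOKEN_ALL_ACCESS was requested on our own token; adjusting privileges
//     needs only TOKEN_ADJUST_PRIVILEGES plus TOKEN_QUERY.
BOOL EnableDebugPrivileges()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return FALSE;

    BOOL bEnabled = FALSE;

    TOKEN_PRIVILEGES tp = {};
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // The literal is kept instead of SE_DEBUG_NAME because that macro expands
    // to a TEXT() string, which would not match the explicit -A call under UNICODE.
    if (LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &tp.Privileges[0].Luid))
    {
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL))
            bEnabled = (ERROR_SUCCESS == GetLastError());   // ERROR_NOT_ALL_ASSIGNED -> privilege not held
    }

    CloseHandle(hToken);
    return bEnabled;
}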
     31 
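// Injects lpLibFilePath into hProcess: writes the path into the target and
// starts a remote thread whose entry point is kernel32!LoadLibraryA.
//
//   hProcess         - needs the rights for VirtualAllocEx, WriteProcessMemory
//                      and CreateRemoteThread.
//   lpLibFilePath    - ANSI DLL path; pass an absolute path, a relative one is
//                      resolved by the target's search order.
//   lpRemoteThreadId - optional out parameter for the remote thread id.
// Returns the remote thread handle (already signaled, caller closes it) or NULL.
//
// Fixes over the original:
//   * VirtualFreeEx(..., len, MEM_RELEASE) is rejected by Windows (size must be
//     0 with MEM_RELEASE), so the target memory was never freed. Worse, the
//     free was issued right after CreateRemoteThread, i.e. while the remote
//     LoadLibraryA may still be reading the path. The path is now freed only
//     after the remote thread has finished.
//   * The path buffer is plain data: PAGE_READWRITE instead of handing the
//     target an RWX page.
//   * FreeLibrary was called on a handle from GetModuleHandleA, which does not
//     add a reference; dropped. kernel32 is present in every Win32 process, so
//     the LoadLibraryA fallback was dead code.
// The local LoadLibraryA address is valid in the target only because kernel32
// shares its base across processes of the same bitness; cross-bitness
// injection (e.g. x64 -> WOW64) fails with this technique.
HANDLE RemoteThreadInjection(HANDLE hProcess, LPCSTR lpLibFilePath, LPDWORD lpRemoteThreadId)
{
    if (NULL == hProcess || NULL == lpLibFilePath)
        return NULL;

    SIZE_T cbPath = strlen(lpLibFilePath) + 1;   // include the terminator

    LPVOID lpRemotePath = VirtualAllocEx(hProcess, NULL, cbPath, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (NULL == lpRemotePath)
        return NULL;

    FARPROC fpLoadLibraryA = NULL;
    if (WriteProcessMemory(hProcess, lpRemotePath, lpLibFilePath, cbPath, NULL))
    {
        HMODULE hKernel32 = GetModuleHandleA("Kernel32.dll");
        if (NULL != hKernel32)
            fpLoadLibraryA = GetProcAddress(hKernel32, "LoadLibraryA");
    }

    HANDLE hRemoteThread = NULL;
    if (NULL != fpLoadLibraryA)
    {
        DWORD dwRemoteThreadId = 0;
        hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)fpLoadLibraryA,
                                           lpRemotePath, 0, &dwRemoteThreadId);
        if (NULL != hRemoteThread && NULL != lpRemoteThreadId)
            *lpRemoteThreadId = dwRemoteThreadId;
    }

    if (NULL == hRemoteThread)
    {
        VirtualFreeEx(hProcess, lpRemotePath, 0, MEM_RELEASE);
        return NULL;
    }

    // The remote thread reads lpRemotePath for as long as LoadLibraryA runs, so
    // the buffer must outlive it. If the wait fails we deliberately leave the
    // page mapped: leaking a page beats freeing memory a running thread uses.
    if (WAIT_OBJECT_0 == WaitForSingleObject(hRemoteThread, INFINITE))
        VirtualFreeEx(hProcess, lpRemotePath, 0, MEM_RELEASE);

    return hRemoteThread;
}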
     81 
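// Finds the base address of lpLibFilePath inside hProcess using a Toolhelp
// module snapshot, i.e. without executing anything in the target.
// Matches the full path first and then the bare module name, so a DLL that was
// injected with a relative name is still found. Returns NULL when the module is
// not loaded or the snapshot cannot be taken.
static HMODULE FindRemoteModuleBase(HANDLE hProcess, LPCSTR lpLibFilePath)
{
    // The snapshot API is wide-only once UNICODE is defined, so convert the
    // ANSI path with the same code page LoadLibraryA used (CP_ACP).
    WCHAR wszWanted[MAX_PATH] = {};
    if (0 == MultiByteToWideChar(CP_ACP, 0, lpLibFilePath, -1, wszWanted, MAX_PATH))
        return NULL;

    DWORD dwPid = GetProcessId(hProcess);
    if (0 == dwPid)
        return NULL;

    // TH32CS_SNAPMODULE can transiently fail with ERROR_BAD_LENGTH while the
    // target is still loading modules; a few retries are the documented remedy.
    // TH32CS_SNAPMODULE32 additionally lists 32-bit modules of a WOW64 target.
    HANDLE hSnap = INVALID_HANDLE_VALUE;
    for (int attempt = 0; attempt < 5 && INVALID_HANDLE_VALUE == hSnap; ++attempt)
    {
        hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, dwPid);
        if (INVALID_HANDLE_VALUE == hSnap && ERROR_BAD_LENGTH != GetLastError())
            break;
    }
    if (INVALID_HANDLE_VALUE == hSnap)
        return NULL;

    HMODULE hFound = NULL;
    MODULEENTRY32W me = {};
    me.dwSize = sizeof(me);
    for (BOOL bMore = Module32FirstW(hSnap, &me); bMore; bMore = Module32NextW(hSnap, &me))
    {
        if (0 == lstrcmpiW(me.szExePath, wszWanted) || 0 == lstrcmpiW(me.szModule, wszWanted))
        {
            hFound = me.hModule;
            break;
        }
    }

    CloseHandle(hSnap);
    return hFound;
}

// Unloads lpLibFilePath from hProcess by running kernel32!FreeLibrary on a
// remote thread with the module's base as argument.
//
//   hProcess       - needs the rights for CreateRemoteThread (and the snapshot).
//   lpLibFilePath  - the path (or module name) the DLL was loaded with.
//   dwMilliseconds - how long to wait for the remote FreeLibrary.
// Returns the remote FreeLibrary result; FALSE when the module is not loaded,
// any API fails, or the wait times out.
//
// Fixes over the original:
//   * The module base was obtained by running GetModuleHandleA remotely and
//     reading the thread exit code, which is a DWORD. On 64-bit targets the
//     HMODULE is truncated to its low 32 bits and the subsequent FreeLibrary
//     is handed a bogus address. The base is now taken from a module snapshot.
//   * No path buffer is written into the target any more, so the RWX page and
//     the broken VirtualFreeEx(..., len, MEM_RELEASE) (rejected: size must be 0
//     with MEM_RELEASE) are gone with it.
//   * FreeLibrary on the GetModuleHandleA("Kernel32.dll") result is dropped:
//     that handle carries no reference of ours.
// As in RemoteThreadInjection, the local FreeLibrary address is only valid in a
// target of the same bitness.
BOOL RemoteThreadFreeing(HANDLE hProcess, LPCSTR lpLibFilePath, DWORD dwMilliseconds)
{
    if (NULL == hProcess || NULL == lpLibFilePath)
        return FALSE;

    HMODULE hRemoteLib = FindRemoteModuleBase(hProcess, lpLibFilePath);
    if (NULL == hRemoteLib)
        return FALSE;

    HMODULE hKernel32 = GetModuleHandleA("Kernel32.dll");
    if (NULL == hKernel32)
        return FALSE;

    FARPROC fpFreeLibrary = GetProcAddress(hKernel32, "FreeLibrary");
    if (NULL == fpFreeLibrary)
        return FALSE;

    HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)fpFreeLibrary,
                                              (LPVOID)hRemoteLib, 0, NULL);
    if (NULL == hRemoteThread)
        return FALSE;

    // The thread exit code is FreeLibrary's BOOL return value.
    BOOL bFreed = FALSE;
    DWORD dwExitCode = 0;
    if (WAIT_OBJECT_0 == WaitForSingleObject(hRemoteThread, dwMilliseconds)
        && GetExitCodeThread(hRemoteThread, &dwExitCode))
    {
        bFreed = (0 != dwExitCode);
    }

    CloseHandle(hRemoteThread);
    return bFreed;
}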
    EnhanceFunc.cpp
     1 #include <cstdio>
     2 #include <windows.h>
     3 
     4 #include "EnhanceFunc.h"
     5 
     6 using namespace std;
     7 
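// Demo driver: enable SeDebugPrivilege, start calc.exe, inject DLL.dll into it,
// unload it again, then kill the child. Each step pauses so the effect can be
// observed (e.g. in Process Explorer).
//
// Fixes over the original: the CreateProcessA result was ignored (a NULL
// pi.hProcess then flowed into every later call), the command line was a
// string literal although CreateProcess takes a writable LPSTR, and the
// process/thread handles returned by CreateProcess and RemoteThreadInjection
// were never closed.
int main()
{
    char cTargetDllPath[MAX_PATH] = "C:\\DLL.dll";    //    suppose I have a dll file in this path

    printf("Enable Debug Privilege %s...\n", EnableDebugPrivileges() ? "Succeed" : "Failed");

    system("pause > nul");

    // Writable buffer: CreateProcess is documented to require a modifiable
    // command line (the W variant really writes to it).
    char cCommandLine[] = "C:\\Windows\\System32\\calc.exe";
    STARTUPINFOA si = {};
    si.cb = sizeof(si);
    PROCESS_INFORMATION pi = {};
    if (!CreateProcessA(NULL, cCommandLine, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
    {
        printf("CreateProcess Failed with error %lu...\n", GetLastError());
        return 1;
    }
    CloseHandle(pi.hThread);    // the primary thread handle is not needed here

    system("pause > nul");

    HANDLE hInjectThread = RemoteThreadInjection(pi.hProcess, cTargetDllPath);
    printf("DLL.dll Inject %s...\n", hInjectThread ? "Succeed" : "Failed");
    if (NULL != hInjectThread)
        CloseHandle(hInjectThread);

    system("pause > nul");

    printf("DLL.dll Freeing %s...\n", RemoteThreadFreeing(pi.hProcess, cTargetDllPath) ? "Succeed" : "Failed");

    system("pause > nul");

    TerminateProcess(pi.hProcess, 0);
    CloseHandle(pi.hProcess);

    system("pause > nul && exit");
    return 0;
}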
    main.cpp
  • 原文地址:https://www.cnblogs.com/gwsbhqt/p/4628963.html