• 无DLL线程注入


    注意要在release方式编译

    //线程函数
    // Remote-thread entry point. InjectCode() copies the raw bytes of this
    // function into the target process and starts a thread on that copy, passing
    // as lpParam the address of a DATA block it also wrote into the target.
    // That is why nothing here is referenced by address in this module: every
    // API entry point and every string the body needs is read from DATA instead.
    // The copied bytes are only usable if the compiled body contains no calls or
    // absolute references back into this module (relocations, CRT helpers,
    // debug-build thunks) -- TODO confirm against the generated code; the
    // "build as Release" note on this page presumably exists for that reason.
    // Returns 0 as the remote thread's exit code.
    DWORD WINAPI RemoteThreadProc(LPVOID lpParam)
    {
         // Parameter block prepared by InjectCode(); only the fields used below are known here.
         PDATA pData = (PDATA)lpParam;

         // Function-pointer locals typed to match the Win32 prototypes.
         HMODULE (_stdcall *MyLoadLibrary)(LPCTSTR);
         FARPROC (_stdcall *MyGetProcAddress)(HMODULE,LPCSTR);
         HMODULE (_stdcall *MyGetModuleHandle)(LPCTSTR);
         int (_stdcall *MyMessageBox)(HWND , LPCTSTR , LPCTSTR,UINT);
         DWORD (_stdcall *MyGetModuleFileName)(HMODULE , LPTSTR , DWORD);

         // Entry points resolved by the injector in its own kernel32.dll. They are
         // valid here only if kernel32.dll is mapped at the same base in the target
         // process -- assumed by this code, never checked.
         MyLoadLibrary = (HMODULE (_stdcall *) (LPCTSTR)) pData ->dwLoadLibrary;
         MyGetProcAddress = (FARPROC(_stdcall *)(HMODULE,LPCSTR))pData ->dwGetProcAddress;
         // Assigned but never called. The cast spells LPCSTR while the declaration
         // says LPCTSTR; the two agree only in a non-Unicode (MBCS) build.
         MyGetModuleHandle = (HMODULE (_stdcall *)(LPCSTR))pData ->dwGetModuleHandle;
         MyGetModuleFileName = (DWORD (_stdcall *)(HMODULE,LPTSTR,DWORD nSize))pData ->dwGetModuleFileName;

         // Load user32.dll by the name carried in DATA: a string literal here would
         // live in this module, not in the copy running inside the target.
         HMODULE hModule = MyLoadLibrary( pData ->User32Dll);
         // Resolve the MessageBox export named in DATA from the freshly loaded module.
         MyMessageBox = (int (_stdcall *)(HWND , LPCTSTR ,LPCTSTR,UINT))MyGetProcAddress
              (hModule , pData->MessageBox);
         // NOTE(review): aggregate-initialising a MAX_PATH buffer may be emitted as a
         // CRT memset call in some build configurations, which the copy could not
         // reach -- see the header note.
         char szModuleName[MAX_PATH] = {0};
         // Path of the host executable of whichever process this copy runs in.
         MyGetModuleFileName(NULL,szModuleName,MAX_PATH);

         // Show DATA.Str with the host path as the caption. This blocks the remote
         // thread until the box is dismissed, and InjectCode() waits on the thread
         // with INFINITE, so the injecting dialog is blocked for the same time.
         MyMessageBox(NULL,pData->Str,szModuleName,MB_OK);
        
         return 0;
    }

    // Injects RemoteThreadProc() into the process identified by dwPid and runs
    // it there. Sequence: enable SeDebugPrivilege, OpenProcess(PROCESS_ALL_ACCESS),
    // write a DATA parameter block (RW) into the target, write a fixed-size copy
    // of the function body (RWX), CreateRemoteThread on that copy, then block
    // until the remote thread exits.
    // From a detection standpoint this is the canonical remote-thread injection
    // chain: privilege adjustment, then VirtualAllocEx with an executable page,
    // WriteProcessMemory and CreateRemoteThread against a foreign process. Host
    // telemetry that records cross-process allocations and thread creation will
    // typically attribute the new thread in the target to this process.
    // No return value; after OpenProcess no step's result is checked or reported
    // (see the notes on each step).
    void CNoDllInjectDlg::InjectCode(DWORD dwPid)
    {
         // Only written on the OpenProcess failure path below, and never read.
         DWORD error = 0;
         // Enable SeDebugPrivilege on this process's token; DebugPrivilege() ignores failure.
         DebugPrivilege();

         // Full-access handle to the target process.
         HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwPid);
         if( hProcess == NULL)
         {
              // NOTE: MessageBox (presumably CWnd::MessageBox) runs before GetLastError()
              // and may itself change the last-error value, so `error` is unreliable.
              MessageBox("OpenProcess Error");
              error = GetLastError();
              return ;
         }

         // API addresses resolved in this process's own kernel32.dll and handed to
         // the target as plain DWORDs. Meaningful only if kernel32.dll shares the
         // same base in the target (assumed, not verified), and only in a 32-bit
         // build: a DWORD cannot hold a 64-bit pointer.
         DATA Data = {0};
         Data.dwLoadLibrary = (DWORD)GetProcAddress(
                                  GetModuleHandle("kernel32.dll"),
                                  "LoadLibraryA");
         Data.dwGetProcAddress = (DWORD)GetProcAddress(
                                       GetModuleHandle("kernel32.dll"),
                                       "GetProcAddress");
         Data.dwGetModuleHandle = (DWORD)GetProcAddress(
                                       GetModuleHandle("kernel32.dll"),
                                       "GetModuleHandleA");
         // Spells GetModuleHandleA explicitly where the others use the TCHAR
         // mapping -- the same function in a non-Unicode build.
         Data.dwGetModuleFileName = (DWORD)GetProcAddress(
                                       GetModuleHandleA("kernel32.dll"),
                                       "GetModuleFileNameA");

         // Strings the remote copy needs, carried inside DATA so the copy never
         // touches this module's string literals.
         lstrcpy(Data.User32Dll , "user32.dll");
         lstrcpy(Data.MessageBox,"MessageBoxA");
         lstrcpy(Data.Str , "Inject Code !!!");

         // Parameter block in the target. Neither the allocation nor the write is
         // checked: on failure lpData is NULL and is still handed to the thread below.
         LPVOID lpData = VirtualAllocEx(hProcess,
                                       NULL,
                                       sizeof(DATA),
                                       MEM_COMMIT | MEM_RESERVE,
                                       PAGE_READWRITE);
         DWORD dwWriteNum = 0;
         WriteProcessMemory(hProcess , lpData , &Data, sizeof(DATA) , &dwWriteNum);

         // A fixed 0x2000 bytes starting at RemoteThreadProc are copied -- not the
         // function's real length, so the copy also carries whatever follows it in
         // this module's code section, and reading past the section would fault.
         // The target page is PAGE_EXECUTE_READWRITE; allocation and write are
         // again unchecked.
         DWORD dwFunSize = 0x2000;
         LPVOID lpCode = VirtualAllocEx(hProcess,
                                       NULL,
                                       dwFunSize,
                                       MEM_COMMIT,
                                       PAGE_EXECUTE_READWRITE);
         WriteProcessMemory(hProcess , lpCode , RemoteThreadProc , dwFunSize , &dwWriteNum);

         // Start the copy in the target with lpData as its argument, then block
         // this (dialog) thread until it ends. The remote body shows a MessageBox,
         // so this returns only once that box is dismissed. hRemoteThread is not
         // checked for NULL before the wait.
         HANDLE hRemoteThread = CreateRemoteThread(hProcess,
                                                 NULL,
                                                 0,
                                                 (LPTHREAD_START_ROUTINE)lpCode,
                                                 lpData,
                                                 0,
                                                 NULL);
         WaitForSingleObject(hRemoteThread,INFINITE);

         // Release the handles; the remote allocations are left in place.
         CloseHandle(hRemoteThread);
         CloseHandle(hProcess);

    }


    // Button handler: read the PID typed into IDC_EDIT_INJECT and hand it to
    // InjectCode(). The text is parsed with atoi, so non-numeric input yields 0
    // and a trailing suffix is ignored; the int is then passed where a DWORD is
    // expected, so a negative value wraps. No validation is done here.
    void CNoDllInjectDlg::OnBtnInject()
    {
         CString pidText;
         GetDlgItemText(IDC_EDIT_INJECT, pidText);
         // GetBuffer() without a matching ReleaseBuffer(); harmless only because
         // pidText is not used again after this call.
         const int pid = atoi(pidText.GetBuffer(pidText.GetLength()));
         InjectCode(pid);
    }

    // Enables SE_DEBUG_NAME on the calling process's own access token. It is
    // called from InjectCode() just before OpenProcess(); nothing is reported
    // back, so the caller cannot tell whether the privilege was actually granted.
    void CNoDllInjectDlg::DebugPrivilege()
    {
         HANDLE hToken = NULL;
         // Open the current process's access token; bail out silently on failure.
         if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken))
         {
              return;
         }

         TOKEN_PRIVILEGES priv;
         priv.PrivilegeCount = 1;
         // Look up the LUID that identifies the debug privilege.
         LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid);
         priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
         // Adjust the token. The result is ignored: AdjustTokenPrivileges can
         // return success while assigning nothing (ERROR_NOT_ALL_ASSIGNED),
         // typically when the token does not hold the privilege at all.
         AdjustTokenPrivileges(hToken, FALSE, &priv, sizeof(priv), NULL, NULL);

         CloseHandle(hToken);
    }
  • 原文地址:https://www.cnblogs.com/mynona/p/3162639.html