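// Inject.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include "Inject.h"

#ifdef _DEBUG
#define new DEBUG_NEW
#endif

// The one and only application object (MFC convention).
CWinApp theApp;

namespace {

// Closes a kernel object handle when the enclosing scope ends.
// A NULL handle is left alone so the guard can be declared before the
// handle is known to be valid.
struct HandleGuard {
    HANDLE handle;
    ~HandleGuard()
    {
        if (handle != NULL) {
            ::CloseHandle(handle);
        }
    }
};

// Frees a region obtained with VirtualAllocEx in another process when the
// enclosing scope ends. Size 0 together with MEM_RELEASE returns the whole
// reservation to the target; MEM_DECOMMIT alone would leave the reserved
// address range behind in the target once this tool is done.
struct RemoteRegionGuard {
    HANDLE process;
    LPVOID address;
    ~RemoteRegionGuard()
    {
        if (address != NULL) {
            ::VirtualFreeEx(process, address, 0, MEM_RELEASE);
        }
    }
};

// Resolves the LoadLibrary export matching the build's character set in the
// local kernel32 image. Returns NULL when GetProcAddress fails.
LPTHREAD_START_ROUTINE ResolveLoadLibrary()
{
#ifdef _UNICODE
    const char* const exportName = "LoadLibraryW";
#else
    const char* const exportName = "LoadLibraryA";
#endif
    return reinterpret_cast<LPTHREAD_START_ROUTINE>(
        ::GetProcAddress(::GetModuleHandle(_T("Kernel32")), exportName));
}

// Shared body of InjectDllByRemoteThread32/64; the two public entry points
// differ only in the access mask they request from OpenProcess.
//
// DLLFilePath   NUL-terminated path to the DLL; must exist on disk.
// ProcessId     id of the target process; 0 is rejected.
// DesiredAccess access mask handed to OpenProcess.
// Returns TRUE once the remote thread has been created and has finished.
// NOTE: the thread's exit code is not inspected, so TRUE does not tell the
// caller whether the library was actually loaded in the target.
BOOL InjectDllByRemoteThreadImpl(const TCHAR* DLLFilePath, ULONG_PTR ProcessId, DWORD DesiredAccess)
{
    // Argument validation: a missing/empty path, pid 0 or a file that is not
    // accessible are all rejected before any handle is opened.
    if (NULL == DLLFilePath || 0 == ::_tcslen(DLLFilePath) || ProcessId == 0
        || -1 == _taccess(DLLFilePath, 0)) {
        return FALSE;
    }

    LPTHREAD_START_ROUTINE FuncAddress = ResolveLoadLibrary();
    if (FuncAddress == NULL) {
        printf("Get LoadLibrary Fail ");
        return FALSE;
    }

    HandleGuard process{ ::OpenProcess(DesiredAccess, FALSE, static_cast<DWORD>(ProcessId)) };
    if (process.handle == NULL) {
        printf("Open Process Fail ");
        return FALSE;
    }

    // Byte size of the path including its terminator. Allocation, copy and
    // release below all work in bytes; TCHAR may be two bytes wide.
    const SIZE_T PathBytes = (::_tcslen(DLLFilePath) + 1) * sizeof(TCHAR);

    RemoteRegionGuard region{ process.handle,
        ::VirtualAllocEx(process.handle, NULL, PathBytes, MEM_COMMIT, PAGE_READWRITE) };
    if (region.address == NULL) {
        printf("Virtual Process Memory Fail ");
        return FALSE;
    }

    // The path is the single argument the remote LoadLibrary call receives.
    if (::WriteProcessMemory(process.handle, region.address, DLLFilePath, PathBytes, NULL) == FALSE) {
        printf("Write Data Fail ");
        return FALSE;
    }

    HandleGuard thread{ ::CreateRemoteThread(process.handle, NULL, 0, FuncAddress, region.address, 0, NULL) };
    if (thread.handle == NULL) {
        printf("CreateRemoteThread Fail ");
        return FALSE;
    }

    // The remote buffer has to stay valid until the thread has consumed it,
    // hence the wait before the guards release memory and handles.
    ::WaitForSingleObject(thread.handle, INFINITE);
    return TRUE;
}

} // namespace

// Builds the full path of the 32-bit payload DLL from the current directory
// and injects it into the process identified by ProcessID.
//
// ProcessID  target process id; 0 is a no-op.
// Prints "Inject Success " / "Inject Fail " to stdout; returns nothing.
VOID InjectDll(ULONG_PTR ProcessID)
{
    CString DllPath32 = L"MessageBox32.dll"; // 32-bit DLL for a 32-bit target
    CString DllPath64 = L"MessageBox64.dll";

    if (ProcessID == 0) {
        return;
    }

    // Both files must exist even though only the 32-bit one is loaded below.
    // NOTE(review): presumably a leftover of a version-dependent 64-bit path
    // that is no longer wired up — confirm before relaxing this check.
    if (!PathFileExists(DllPath32) || !PathFileExists(DllPath64)) {
        return;
    }

    // A relative name would be resolved by the target process, not by this
    // tool, so hand over an absolute path rooted in our current directory.
    WCHAR wzPath[MAX_PATH] = { 0 };
    const DWORD dirLen = GetCurrentDirectory(MAX_PATH, wzPath);
    const DWORD nameLen = static_cast<DWORD>(DllPath32.GetLength());
    // dirLen == 0 is an API failure; a value >= MAX_PATH means the buffer
    // was too small. Either way wcsncat_s below would fault, so stop here.
    if (dirLen == 0 || dirLen + 1 + nameLen >= MAX_PATH) {
        printf("Inject Fail ");
        return;
    }
    wcsncat_s(wzPath, L"\\", 2); // path separator
    wcsncat_s(wzPath, DllPath32.GetString(), static_cast<size_t>(nameLen));

    if (!InjectDllByRemoteThread32(wzPath, ProcessID)) {
        printf("Inject Fail ");
    } else {
        printf("Inject Success ");
    }
}

// 64-bit variant: same mechanism as the 32-bit one but opens the target with
// PROCESS_ALL_ACCESS, far more than the operations below need.
// NOTE(review): kept for compatibility; consider narrowing it to the mask
// used by InjectDllByRemoteThread32 once that is confirmed sufficient here.
// See InjectDllByRemoteThreadImpl for parameters and return value.
BOOL InjectDllByRemoteThread64(const TCHAR* DLLFilePath, ULONG_PTR ProcessId)
{
    return InjectDllByRemoteThreadImpl(DLLFilePath, ProcessId, PROCESS_ALL_ACCESS);
}

// 32-bit variant: requests only the rights the mechanism uses (thread
// creation, memory allocation and memory write).
// See InjectDllByRemoteThreadImpl for parameters and return value.
BOOL InjectDllByRemoteThread32(const TCHAR* DLLFilePath, ULONG_PTR ProcessId)
{
    return InjectDllByRemoteThreadImpl(DLLFilePath, ProcessId,
        PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE);
}

// Maps the reported OS version onto the WIN_VERSION enumeration.
// Returns WinUnknown when GetVersionEx fails, for non-NT platforms and for
// NT releases this table does not know (e.g. anything newer than 6.2) —
// every path now yields a value instead of leaving the return undefined.
// NOTE(review): GetVersionEx is deprecated and, without a compatibility
// manifest, does not report versions above 6.2 — confirm the manifest if
// exact detection matters.
WIN_VERSION GetWindowsVersion()
{
    OSVERSIONINFOEX OsVerInfoEx = { 0 };
    OsVerInfoEx.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
    // The API takes the base struct; dwOSVersionInfoSize tells it which one.
    if (!GetVersionEx(reinterpret_cast<OSVERSIONINFO*>(&OsVerInfoEx))) {
        return WinUnknown;
    }
    if (OsVerInfoEx.dwPlatformId != VER_PLATFORM_WIN32_NT) {
        return WinUnknown;
    }

    const DWORD major = OsVerInfoEx.dwMajorVersion;
    const DWORD minor = OsVerInfoEx.dwMinorVersion;

    if (major <= 4) {
        return WindowsNT;
    }
    if (major == 5) {
        switch (minor) {
        case 0: return Windows2000;
        case 1: return WindowsXP;
        case 2: return Windows2003;
        default: return WinUnknown;
        }
    }
    if (major == 6) {
        switch (minor) {
        case 0: return WindowsVista;
        case 1: return Windows7;
        case 2: return Windows8;
        default: return WinUnknown;
        }
    }
    return WinUnknown;
}

// Console entry point: records the Windows version in the global WinVersion,
// reads a process id from stdin and hands it to InjectDll. The two getchar()
// calls keep the console window open until the user presses Enter.
int main()
{
    std::cout << "查看要注入进程的ID" << std::endl;

    WinVersion = GetWindowsVersion();

    ULONG_PTR ProcessID = 0;
    printf("Input ProcessID ");
    if (!(std::cin >> ProcessID)) {
        // A non-numeric id leaves ProcessID at 0, which InjectDll rejects;
        // report it instead of silently doing nothing.
        printf("Inject Fail ");
    } else {
        InjectDll(ProcessID);
    }

    getchar();
    getchar();
    return 0;
}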