
远程注入代码

// InjectCode.cpp : 定义控制台应用程序的入口点。
#include "stdafx.h"
#include<Windows.h>
// Parameter block handed to the injected thread.  Inject() copies it into the
// target process byte-for-byte with WriteProcessMemory and passes the remote
// address as the thread argument, so the layout below IS the wire format: do
// not reorder fields or add anything (e.g. pointers into the injector) that is
// only meaningful in this process.
typedef struct _REMOTE_PARAMETER
{
    CHAR m_msgContent[MAX_PATH];   // NUL-terminated ANSI text for MessageBoxA
    CHAR m_msgTitle[MAX_PATH];     // NUL-terminated ANSI caption for MessageBoxA
    // Address of user32!MessageBoxA as seen by the injector (filled in by
    // GetMessageboxParamter).  It is a 32-bit field, so a 64-bit pointer is
    // truncated by the (DWORD) cast — this layout only works for a 32-bit
    // injector targeting a 32-bit process.
     DWORD m_dwMessageBoxAddr;
}RemotePara, * PRemotePara;
// Thread routine that runs inside the target process.  Inject() copies the raw
// machine code of this function (up to AfterMyFun) into the target, so the body
// must stay position-independent: no string literals, no globals, no direct
// calls into imports or the CRT — everything it needs arrives via pRemotePara,
// including the address of MessageBoxA resolved in the injector.
// NOTE(review): build as a non-incremental release binary; incremental linking
// turns the function symbol into a thunk and the copied bytes would be garbage.
static DWORD WINAPI MyFun(PRemotePara pRemotePara)
{
    int (WINAPI *pfnMessageBoxA)(HWND, LPCSTR, LPCSTR, UINT);

    // The function pointer is reconstructed from the DWORD carried in the
    // parameter block; it is assumed to be valid in the target because
    // user32.dll is expected to share the same base there.
    pfnMessageBoxA = (int (WINAPI *)(HWND, LPCSTR, LPCSTR, UINT))pRemotePara->m_dwMessageBoxAddr;
    pfnMessageBoxA(NULL, pRemotePara->m_msgContent, pRemotePara->m_msgTitle, MB_OK);
    return 0;
}
// End-of-code marker: Inject() uses (AfterMyFun - MyFun) as the byte length of
// MyFun.  That only holds if the compiler/linker emits the two functions
// adjacently and in source order — NOTE(review): whole-program optimization,
// PGO or incremental linking can reorder or thunk them; confirm build settings.
static DWORD WINAPI AfterMyFun(void) { return 0; }
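// Enable (or disable) SeDebugPrivilege on the current process token so that
// OpenProcess can later succeed on processes owned by other users / integrity
// levels.  This only toggles a privilege the token already holds: it does not
// grant it, so it fails for a non-elevated, non-admin caller.
//
// fEnable: TRUE to enable the privilege, FALSE to disable it.
// Returns TRUE only when the privilege state was actually changed.
BOOL EnableDebugPrivilege(BOOL fEnable)
{
    BOOL fOK = FALSE;
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tp;

    // TOKEN_ADJUST_PRIVILEGES is sufficient because no previous state is requested.
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return FALSE;

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED : 0;
    // The LUID must come from a successful lookup; the original code passed an
    // uninitialized LUID to AdjustTokenPrivileges when the lookup failed.
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
    {
        // AdjustTokenPrivileges reports success even when the token does not
        // hold the privilege (GetLastError() == ERROR_NOT_ALL_ASSIGNED), so the
        // return value AND the last error must both be checked.
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL))
            fOK = (GetLastError() == ERROR_SUCCESS);
    }
    CloseHandle(hToken);
    return fOK;
}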
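// Fill the parameter block that will be copied into the target: the message
// text, the caption and the address of user32!MessageBoxA.
//
// The address is resolved in the injector's own address space.  It is only
// meaningful in the target if user32.dll is mapped at the same base there,
// which is the usual case for two processes of the same bitness in one boot
// session but is not verified here.
//
// remotePara: block to fill; m_dwMessageBoxAddr is 0 on failure.
// Returns TRUE on success, FALSE if user32 could not be loaded, the export is
// missing, or the address does not fit the 32-bit field.
BOOL GetMessageboxParamter(PRemotePara remotePara)
{
    HMODULE hUser32 = NULL;
    FARPROC pfn = NULL;
    BOOL fOK = FALSE;

    remotePara->m_dwMessageBoxAddr = 0;
    // strcpy_s deduces the destination size from the array type and always
    // NUL-terminates; the literals are far shorter than MAX_PATH.
    strcpy_s(remotePara->m_msgContent, "Hello, hello!\0");
    strcpy_s(remotePara->m_msgTitle, "Hello\0");

    hUser32 = LoadLibrary(L"User32.dll");
    if (hUser32 == NULL)
        return FALSE;   // original code passed NULL on to GetProcAddress

    pfn = GetProcAddress(hUser32, "MessageBoxA");
    if (pfn != NULL)
    {
        // The block carries the address as a DWORD; refuse rather than silently
        // truncate a 64-bit pointer (the remote thread would jump to garbage).
        if ((DWORD_PTR)pfn == (DWORD_PTR)(DWORD)(DWORD_PTR)pfn)
        {
            remotePara->m_dwMessageBoxAddr = (DWORD)(DWORD_PTR)pfn;
            fOK = TRUE;
        }
    }
    // Balance the LoadLibrary reference; the address is used only in the target.
    FreeLibrary(hUser32);
    return fOK;
}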
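// Locate the target process by window title, copy MyFun and its parameter
// block into it, run MyFun on a remote thread, wait for it, and release the
// remote allocations.  All failures are reported with a MessageBox and every
// remote allocation / handle is released on every exit path.
//
// Fixes relative to the original: the FindWindow/GetWindowThreadProcessId
// results are checked (PID was used uninitialized before), VirtualFreeEx with
// MEM_RELEASE is called with size 0 as the API requires (non-zero sizes fail
// and leaked the remote memory), the CreateRemoteThread failure path no longer
// leaks, the code page is made executable only after it is written (no RWX
// mapping) and the process is opened with the minimum rights this function
// needs instead of PROCESS_ALL_ACCESS.
void Inject()
{
    // Exactly the rights VirtualAllocEx / WriteProcessMemory / VirtualProtectEx
    // / CreateRemoteThread require.
    const DWORD dwAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HWND hStart = NULL;
    DWORD PID = 0;
    HANDLE hProcess = NULL;
    LPVOID pCodeRemote = NULL;
    PRemotePara pRemotePara = NULL;
    HANDLE hThread = NULL;
    DWORD cbCodeSize = 0;
    DWORD dwOldProtect = 0;
    DWORD IDThread = 0;
    RemotePara remotePara;

    //---------------------- locate the target process ----------------------//
    // Best effort: SeDebugPrivilege is only needed when the target belongs to
    // another user or a higher integrity level, so the result is not fatal.
    EnableDebugPrivilege(TRUE);
    // NOTE(review): selecting a process by window title trusts any window that
    // happens to carry this caption; verify the target some other way if that
    // matters (e.g. by image path of the PID).
    hStart = FindWindow(NULL, L"改键1.0");
    if (hStart == NULL || GetWindowThreadProcessId(hStart, &PID) == 0 || PID == 0)
    {
        MessageBox(NULL, L"未找到目标窗口!", L"提示", NULL);
        return;
    }
    hProcess = OpenProcess(dwAccess, FALSE, PID);
    if (hProcess == NULL)
    {
        MessageBox(NULL, L"打开失败!", L"提示", NULL);
        return;
    }

    //---------------------- copy the code ----------------------//
    // Length of MyFun is derived from the marker function that follows it;
    // this depends on the build emitting the two functions adjacently.
    if ((LPBYTE)AfterMyFun <= (LPBYTE)MyFun)
    {
        MessageBox(NULL, L"申请内存失败!", L"提示", NULL);
        goto cleanup;
    }
    cbCodeSize = (DWORD)((LPBYTE)AfterMyFun - (LPBYTE)MyFun);
    // Allocate writable, write, then flip to execute-only-read: the page is
    // never writable and executable at the same time.
    pCodeRemote = VirtualAllocEx(hProcess, NULL, cbCodeSize, MEM_COMMIT, PAGE_READWRITE);
    if (pCodeRemote == NULL)
    {
        MessageBox(NULL, L"申请内存失败!", L"提示", NULL);
        goto cleanup;
    }
    if (!WriteProcessMemory(hProcess, pCodeRemote, (LPCVOID)MyFun, cbCodeSize, NULL) ||
        !VirtualProtectEx(hProcess, pCodeRemote, cbCodeSize, PAGE_EXECUTE_READ, &dwOldProtect))
    {
        MessageBox(NULL, L"写失败", L"提示 ", NULL);
        goto cleanup;
    }

    //---------------------- copy the parameters ----------------------//
    GetMessageboxParamter(&remotePara);
    // A zero address means MessageBoxA could not be resolved; the remote
    // thread would otherwise call address 0 and crash the target.
    if (remotePara.m_dwMessageBoxAddr == 0)
    {
        MessageBox(NULL, L"写失败", L"提示 ", NULL);
        goto cleanup;
    }
    // The parameter block is only read by the remote thread, so no execute bit.
    pRemotePara = (PRemotePara)VirtualAllocEx(hProcess, NULL, sizeof(RemotePara), MEM_COMMIT, PAGE_READWRITE);
    if (pRemotePara == NULL)
    {
        MessageBox(NULL, L"申请内存失败!", L"提示", NULL);
        goto cleanup;
    }
    if (!WriteProcessMemory(hProcess, pRemotePara, &remotePara, sizeof(RemotePara), NULL))
    {
        MessageBox(NULL, L"写失败", L"提示 ", NULL);
        goto cleanup;
    }

    //---------------------- run it ----------------------//
    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pCodeRemote, pRemotePara, 0, &IDThread);
    if (hThread == NULL)
    {
        MessageBox(NULL, L"创建线程失败!", L"提示 ", NULL);
        goto cleanup;
    }
    // The remote code and its parameters must stay mapped until the thread has
    // returned (i.e. until the MessageBox in the target is dismissed).
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);

cleanup:
    // MEM_RELEASE requires dwSize == 0; passing the allocation size makes the
    // call fail with ERROR_INVALID_PARAMETER.
    if (pRemotePara != NULL)
        VirtualFreeEx(hProcess, pRemotePara, 0, MEM_RELEASE);
    if (pCodeRemote != NULL)
        VirtualFreeEx(hProcess, pCodeRemote, 0, MEM_RELEASE);
    CloseHandle(hProcess);
}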
// Entry point.  The command line is ignored: the target window title and the
// payload text are hard-coded in Inject() and GetMessageboxParamter().
int _tmain(int argc, _TCHAR* argv[])
{
  UNREFERENCED_PARAMETER(argc);
  UNREFERENCED_PARAMETER(argv);
  Inject();
  return 0;
}

在学习远程注入中多亏我同学的帮忙,这也是他给我解决问题时发表的博客:http://blog.csdn.net/evi10r/article/details/7368658
