// InjectCode.cpp : Defines the entry point for the console application.
//
// Remote-thread code injection demo: the bytes of MyFun are copied into a
// target process (located by window title) together with a parameter block,
// and a thread is started there to run them.  The API sequence used below
// (SeDebugPrivilege, OpenProcess(PROCESS_ALL_ACCESS), VirtualAllocEx with
// PAGE_EXECUTE_READWRITE, WriteProcessMemory, CreateRemoteThread) is the
// classic injection pattern that endpoint monitoring is built to flag.
// This code is 32-bit only: function and API addresses are stored in a DWORD
// (see RemotePara and GetMessageboxParamter).
#include "stdafx.h"
#include<Windows.h>

// Parameter block copied into the target process and handed to MyFun.
typedef struct _REMOTE_PARAMETER
{
    CHAR m_msgContent[MAX_PATH];   // text passed to MessageBoxA
    CHAR m_msgTitle[MAX_PATH];     // caption passed to MessageBoxA
    DWORD m_dwMessageBoxAddr;      // address of MessageBoxA, resolved by the injector (32-bit only)
}RemotePara, * PRemotePara;

// Thread routine executed inside the target process.
// Its bytes are copied verbatim by Inject (cbCodeSize = AfterMyFun - MyFun),
// so it must not reference anything from this module: no string literals,
// no imports, no helper calls.  MessageBoxA is therefore reached through the
// address carried in pRemotePara instead of the import table.
static DWORD WINAPI MyFun(PRemotePara pRemotePara)
{
    typedef int (WINAPI *MESSAGEBOXA)(HWND, LPCSTR, LPCSTR, UINT);
    MESSAGEBOXA MessageBoxA;   // local shadows the MessageBoxA declared in Windows.h
    MessageBoxA = (MESSAGEBOXA)pRemotePara->m_dwMessageBoxAddr;
    // Call MessageBoxA through the resolved pointer to show the message
    MessageBoxA(NULL, pRemotePara->m_msgContent, pRemotePara->m_msgTitle, MB_OK);
    return 0;
}

// Marker function: its address is used only as the "end" of MyFun when
// computing the number of bytes to copy.  This relies on the compiler laying
// AfterMyFun out directly after MyFun; subtracting addresses of two different
// functions is not defined by the language, and incremental linking or
// function reordering can make the difference unrelated to MyFun's real size.
static DWORD WINAPI AfterMyFun(void)
{
    return 0;
}

// Enable (fEnable != 0) or disable SeDebugPrivilege on the current process token.
// Returns TRUE only when GetLastError() is ERROR_SUCCESS after
// AdjustTokenPrivileges; that check matters because AdjustTokenPrivileges can
// return TRUE and set ERROR_NOT_ALL_ASSIGNED when the privilege is not held.
// The LookupPrivilegeValue result is not checked, so a failed lookup leaves
// tp.Privileges[0].Luid uninitialized before it is applied.
BOOL EnableDebugPrivilege(BOOL fEnable)
{
    BOOL fOK = FALSE;
    HANDLE hToken = NULL;
    if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))//get a handle to the process access token
    {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tp.Privileges[0].Luid); //look up the LUID that corresponds to the privilege
        tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED : 0;
        AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL); //apply the change to the access token
        fOK = (GetLastError()==ERROR_SUCCESS);
        CloseHandle(hToken);
    }
    return fOK;
}

// Fill the parameter block for the remote MessageBoxA call.
// The address is resolved in this process and reused in the target, which
// assumes User32.dll is mapped at the same base address in both -- TODO confirm
// for the target environment.
// LoadLibrary's result is not checked: if it fails, GetProcAddress(NULL, ...)
// yields NULL and the remote thread would call address 0.
// The (DWORD) cast truncates the pointer on 64-bit builds.
// The trailing "\0" inside the literals is redundant; strcpy_s stops at the
// first NUL anyway.
void GetMessageboxParamter(PRemotePara remotePara)
{
    HMODULE hUser32 = LoadLibrary(L"User32.dll");
    remotePara->m_dwMessageBoxAddr = (DWORD)GetProcAddress(hUser32, "MessageBoxA");
    strcpy_s(remotePara->m_msgContent, "Hello, hello!\0");
    strcpy_s(remotePara->m_msgTitle, "Hello\0");
}

// Locate the target process by window title, copy MyFun and its parameter
// block into it, run MyFun on a remote thread and wait for it to finish.
// Every failure is reported with MessageBox and the function returns; the
// per-step notes below mark where cleanup is incomplete.
void Inject()
{
    //---------------------- get the process ID -------------------------//
    EnableDebugPrivilege(TRUE);   // return value ignored; OpenProcess below fails instead
    HWND hStart=FindWindow(NULL,L"改键1.0");
    // NOTE(review): hStart is not checked.  When no such window exists,
    // GetWindowThreadProcessId returns 0 and PID stays uninitialized, and
    // that garbage value is passed to OpenProcess.
    DWORD TID,PID;
    TID=GetWindowThreadProcessId(hStart,&PID);
    HANDLE hProcess=NULL;
    hProcess = OpenProcess(PROCESS_ALL_ACCESS ,false,PID);
    if (hProcess==NULL)
    {
        MessageBox(NULL,L"打开失败!",L"提示",NULL);
        CloseHandle(hProcess);   // hProcess is NULL here; this call has nothing to close
        return ;
    }
    //----------------------------- write the code ------------------------------//
    // Size of MyFun taken as its distance to the next function; see AfterMyFun.
    DWORD cbCodeSize =((LPBYTE)AfterMyFun-(LPBYTE)MyFun);
    LPVOID pCodeRemote=NULL;
    pCodeRemote = VirtualAllocEx(hProcess,0,cbCodeSize,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
    if (pCodeRemote==NULL)
    {
        MessageBox(NULL,L"申请内存失败!",L"提示",NULL);
        CloseHandle(hProcess);
        return ;
    }
    if(!WriteProcessMemory(hProcess,pCodeRemote,MyFun,cbCodeSize,NULL))
    {
        MessageBox(NULL,L"写失败",L"提示 ",NULL);
        // NOTE(review): VirtualFreeEx with MEM_RELEASE requires dwSize == 0;
        // passing cbCodeSize makes the call fail, so the remote region leaks.
        VirtualFreeEx(hProcess,pCodeRemote,cbCodeSize,MEM_RELEASE);
        CloseHandle(hProcess);
        return ;
    }
    //----------------------------- write the parameters ------------------------------//
    RemotePara remotePara;
    GetMessageboxParamter(&remotePara);
    // The block holds only data, so PAGE_READWRITE would be sufficient (least privilege).
    PRemotePara pRemotePara = (PRemotePara)VirtualAllocEx(hProcess, NULL, sizeof(RemotePara), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if(NULL == pRemotePara)
    {
        // The %d / %s in this text are never formatted: MessageBox shows it literally.
        MessageBox(NULL,L"main - VirtualAllocEx Failed , Error Code Is %d , Error Message Is %s !",L"",NULL);
        // NOTE(review): pRemotePara is NULL here; it is pCodeRemote that is left allocated.
        VirtualFreeEx(hProcess, pRemotePara, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return ;
    }
    if(WriteProcessMemory(hProcess, pRemotePara, &remotePara, sizeof(RemotePara), 0) == FALSE)
    {
        // Same unformatted %d / %s text as above.
        MessageBox(NULL,L"main - WriteProcessMemory Failed , Error Code Is %d , Error Message Is %s !",L"",NULL);
        VirtualFreeEx(hProcess, pCodeRemote, 0, MEM_RELEASE);
        VirtualFreeEx(hProcess, pRemotePara, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return ;
    }
    //------------------------------ create the remote thread ----------------------------------//
    DWORD IDThread;
    HANDLE hThread=CreateRemoteThread(hProcess, NULL, 0, (DWORD (WINAPI *)(LPVOID))pCodeRemote, pRemotePara, 0 , &IDThread);
    if(hThread==NULL)
    {
        DWORD dwError = GetLastError();   // captured but never reported
        MessageBox(NULL,L"创建线程失败!",L"提示 ",NULL);
        // NOTE(review): this path returns without freeing pCodeRemote and
        // pRemotePara or closing hProcess.
        return ;
    }
    if (hThread)   // always true after the check above
    {
        WaitForSingleObject( hThread, INFINITE );
        CloseHandle( hThread );
        // NOTE(review): both MEM_RELEASE calls pass a non-zero size and
        // therefore fail (dwSize must be 0 with MEM_RELEASE).
        VirtualFreeEx( hProcess, pCodeRemote,cbCodeSize,MEM_RELEASE );
        VirtualFreeEx(hProcess,pRemotePara,sizeof(RemotePara),MEM_RELEASE);
        CloseHandle(hProcess);
        return ;
    }
    return ;
}

// Entry point: runs the injection once and exits.
int _tmain(int argc, _TCHAR* argv[])
{
    Inject();
    return 0;
}

// While learning remote injection I had a lot of help from a classmate; this is
// the blog post he published when he solved the problem for me:
// http://blog.csdn.net/evi10r/article/details/7368658