#include "stdafx.h"   // MSVC precompiled header: must remain the first include
#include "windows.h"
#include <TlHelp32.h>
#include "stdio.h"
#include <stdlib.h>
#include <string.h>
// ========== Argument block handed to the remote thread ================
// One instance is copied into the target process (see main) and its remote
// address becomes RMTFunc's parameter. The same layout is read on both
// sides, so field order and types are effectively a wire format: do not
// reorder them, and build injector and target for the same architecture.
// dwMessageBox is a DWORD, so as written it can only hold a 32-bit pointer
// (x86 builds only).
struct MyData
{
int can1; // set by the remote thread; its decimal form is the text the dialog shows
char sz[64]; // text buffer for the dialog (RMTFunc overwrites it with can1 as decimal)
DWORD dwMessageBox; // address of user32!MessageBoxA, resolved by main in the injector
};
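// ========== Code that runs inside the target process ===================
// main copies the raw bytes of this function into the target, so it must be
// fully self-contained: no CRT or Win32 calls (their call targets are fixed
// up for THIS process and point at garbage in the target), no string
// literals, no globals, no exceptions. Everything it needs arrives through
// *pData. The original called _itoa() here, which would jump to an
// injector-local address inside the target; the decimal conversion is
// therefore done inline with plain arithmetic. No local arrays are used
// either, so the compiler does not insert a /GS cookie check call.
// NOTE(review): debug builds (/RTC checks, incremental-link thunks on
// &RMTFunc) typically still break this copy-the-bytes approach; build Release.
//
// pData: remote copy of MyData; can1 is overwritten with a constant and
//        sz receives its decimal representation before the dialog is shown.
// Returns 0 (thread exit code).
DWORD __stdcall RMTFunc(MyData *pData)
{
// MessageBoxA (ANSI) is resolved in the injector and passed by address,
// so the signature must be the ANSI one regardless of UNICODE settings.
typedef int (__stdcall *MessageBoxA_t)(HWND, LPCSTR, LPCSTR, UINT);
MessageBoxA_t MsgBox = (MessageBoxA_t)pData->dwMessageBox;

pData->can1 = 101010101;

// Inline signed-decimal conversion of can1 into pData->sz (replaces _itoa).
// Uses 0u - x for the magnitude so INT_MIN does not overflow.
char *out = pData->sz;
const int cap = (int)sizeof(pData->sz);
const bool negative = pData->can1 < 0;
unsigned int value = negative ? 0u - (unsigned int)pData->can1
                              : (unsigned int)pData->can1;

// Largest power of ten not exceeding value (1 for value == 0).
unsigned int divisor = 1;
while (value / divisor >= 10) {
divisor *= 10;
}

int pos = 0;
if (negative && pos < cap - 1) {
out[pos++] = '-';
}
while (divisor > 0 && pos < cap - 1) {
out[pos++] = (char)('0' + (value / divisor) % 10);
divisor /= 10;
}
out[pos] = '\0';

MsgBox(NULL, pData->sz, NULL, MB_OK);
return 0;
}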
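// Look up the PID of the first running process whose image name equals
// lpszProcessName. The comparison is case-insensitive because Windows image
// names are ("Notepad.exe" and "notepad.exe" are the same process).
// Returns the PID, or 0 when the name is NULL/empty, the snapshot fails, or
// nothing matches.
//
// Fixes vs. the original: the snapshot handle is closed on every path (it
// leaked), INVALID_HANDLE_VALUE is checked before use, and the first entry
// returned by Process32First is compared as well (the old loop skipped it).
// Assumes an ANSI build (szExeFile compared as char*), as the original did.
DWORD processNameToId(LPCTSTR lpszProcessName)
{
if (lpszProcessName == NULL || lpszProcessName[0] == '\0') {
return 0;
}

HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE) {
return 0;
}

DWORD pid = 0;
PROCESSENTRY32 pe;
pe.dwSize = sizeof(pe);
if (!Process32First(hSnapshot, &pe)) {
MessageBox(NULL,
"The frist entry of the process list has not been copyied to the buffer",
"Notice", MB_ICONINFORMATION | MB_OK);
} else {
do {
if (_stricmp(lpszProcessName, pe.szExeFile) == 0) {
pid = pe.th32ProcessID;
break;
}
} while (Process32Next(hSnapshot, &pe));
}

CloseHandle(hSnapshot);
return pid;
}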
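// Enable SeDebugPrivilege on the current process token so OpenProcess can
// reach processes whose DACL would otherwise refuse the caller.
// Returns true only if the privilege is actually enabled afterwards.
//
// Two defects fixed vs. the original: AdjustTokenPrivileges() returns TRUE
// even when the token does not hold the privilege at all (GetLastError()
// then reports ERROR_NOT_ALL_ASSIGNED — the normal case for a non-elevated
// process), so success must be confirmed via GetLastError(); and the token
// handle leaked on the success path.
bool enableDebugPriv()
{
HANDLE hToken = NULL;
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
return false;
}

bool enabled = false;
TOKEN_PRIVILEGES tkp;
ZeroMemory(&tkp, sizeof(tkp));
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid)) {
if (AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)) {
// TRUE + ERROR_NOT_ALL_ASSIGNED means "nothing was enabled".
enabled = (GetLastError() == ERROR_SUCCESS);
}
}

CloseHandle(hToken);
return enabled;
}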
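// Bytes copied from &RMTFunc into the target. The C++ source has no way to
// know RMTFunc's real length, so the demo copies a page and relies on the
// function being shorter than that (the same assumption the original made;
// the over-read of the injector's own .text is not checked).
enum { kRemoteCodeSize = 4096 };

// Read one line from stdin into buf (bounded to cap bytes) and strip the
// trailing CR/LF. Returns false on EOF or read error (buf is then empty).
// Replaces gets(), which has no bound and overflows szExeName on long input.
static bool readLine(char *buf, size_t cap)
{
if (fgets(buf, (int)cap, stdin) == NULL) {
buf[0] = '\0';
return false;
}
buf[strcspn(buf, "\r\n")] = '\0';
return true;
}

// Copy RMTFunc and its MyData argument into hProcess, run RMTFunc on a new
// thread there, wait for it to finish, then release both remote
// allocations. Returns true when the remote thread ran.
//
// hProcess must carry PROCESS_VM_OPERATION | PROCESS_VM_WRITE |
// PROCESS_VM_READ | PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION.
static bool runRemoteMessageBox(HANDLE hProcess, const MyData &data)
{
bool ok = false;

// RWX is used because the same page is written and then executed; a
// hardened variant would allocate RW and VirtualProtectEx to RX before
// starting the thread.
void *pRemoteCode = VirtualAllocEx(hProcess, NULL, kRemoteCodeSize,
MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
MyData *pRemoteData = (MyData *)VirtualAllocEx(hProcess, NULL, sizeof(MyData),
MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

if (pRemoteCode != NULL && pRemoteData != NULL
&& WriteProcessMemory(hProcess, pRemoteCode, (LPCVOID)&RMTFunc, kRemoteCodeSize, NULL)
&& WriteProcessMemory(hProcess, pRemoteData, &data, sizeof(MyData), NULL)) {
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
(LPTHREAD_START_ROUTINE)pRemoteCode, pRemoteData, 0, NULL);
if (hThread == NULL) {
printf("远程线程创建失败");
} else {
// The original released the remote code and data immediately after
// creating the thread, i.e. while the thread was still executing on
// them. Wait for the thread (it returns once the dialog is closed)
// before freeing, so the target is left intact.
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
ok = true;
}
}

// MEM_RELEASE requires dwSize == 0. The original passed 1024*3 and
// sizeof(MyData), so both calls failed with ERROR_INVALID_PARAMETER and
// the memory stayed allocated in the target.
if (pRemoteCode != NULL) {
VirtualFreeEx(hProcess, pRemoteCode, 0, MEM_RELEASE);
}
if (pRemoteData != NULL) {
VirtualFreeEx(hProcess, pRemoteData, 0, MEM_RELEASE);
}
return ok;
}

// Entry point: asks for a process image name on stdin, opens that process,
// and runs RMTFunc inside it via CreateRemoteThread. Returns 0 on success
// and EXIT_FAILURE on any error (the original returned 0 on most failures,
// which made the exit code useless to a caller).
//
// Fixes vs. the original: gets() replaced by a bounded read; "%c" with a
// char[] argument (undefined behaviour) replaced by "%s"; "/n" typos in
// the format strings corrected to "\n"; the process handle is closed on
// every path; the target is opened with the minimal access rights the
// injection APIs require instead of PROCESS_ALL_ACCESS.
int main(int argc, char* argv[])
{
(void)argc;
(void)argv;

// SeDebugPrivilege only matters for processes the caller cannot already
// open; not having it is not fatal, but the user should know why a later
// OpenProcess may fail.
if (!enableDebugPriv()) {
printf("SeDebugPrivilege not enabled (not elevated?); only processes you already have access to can be targeted\n");
}

char szExeName[MAX_PATH] = { 0 };
printf("输入要插入的进程名字\n");
if (!readLine(szExeName, sizeof(szExeName)) || szExeName[0] == '\0') {
return EXIT_FAILURE;
}
printf("%s\n", szExeName);

DWORD dwProcessId = processNameToId(szExeName);
if (dwProcessId == 0) {
MessageBox(NULL, "The target process have not been found !",
"Notice", MB_ICONINFORMATION | MB_OK);
return EXIT_FAILURE;
}

// Least privilege: exactly the rights VirtualAllocEx / WriteProcessMemory /
// CreateRemoteThread / VirtualFreeEx document, not PROCESS_ALL_ACCESS.
const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION
| PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
HANDLE hProcess = OpenProcess(access, FALSE, dwProcessId);
if (hProcess == NULL) {
MessageBox(NULL, "Open target process failed !", "Notice", MB_ICONINFORMATION | MB_OK);
return EXIT_FAILURE;
}

// Argument block for the remote thread. sz is zeroed first so the bounded
// copy below is always NUL-terminated. (RMTFunc overwrites sz with the
// decimal form of can1 before showing the dialog, as in the original.)
MyData data;
ZeroMemory(&data, sizeof(data));
strncpy(data.sz, "伙终于成功了 呵呵!!", sizeof(data.sz) - 1);

// MessageBoxA is resolved here, in the injector. That address is only
// valid in the target if user32.dll is mapped at the same base there —
// normally the case on Windows (system DLLs share a per-boot base), but
// it is an assumption, not a guarantee. The DWORD field also means this
// must be a 32-bit build.
HMODULE hUser = LoadLibrary("user32.dll");
if (hUser == NULL) {
printf("Can not load library.\n");
CloseHandle(hProcess);
return EXIT_FAILURE;
}
data.dwMessageBox = (DWORD)GetProcAddress(hUser, "MessageBoxA");
FreeLibrary(hUser);
if (data.dwMessageBox == 0) {
CloseHandle(hProcess);
return EXIT_FAILURE;
}

bool injected = runRemoteMessageBox(hProcess, data);
CloseHandle(hProcess);
if (!injected) {
return EXIT_FAILURE;
}

printf("Hello World!\n");
printf("插入%s进程成功\n输入回车退出程序。\n", szExeName);
readLine(szExeName, sizeof(szExeName));
return 0;
}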