一份进程注入的代码

// Injection.cpp : 定义控制台应用程序的入口点。 //

#include “stdafx.h”

#include “Injection.h”

#ifdef _DEBUG

#define new DEBUG_NEW

#endif

// The one and only MFC application object (MFC console-app template
// boilerplate; it is not referenced anywhere else in this listing).

CWinApp theApp;

using namespace std;   // file-scope using-directive; no std:: name is used in the rest of this listing

// Parameter block copied into the target process alongside ThreadProc.
// Both members are plain data: the remote thread cannot rely on anything
// from this module's address space except what is copied in here.
typedef struct _RemotePara{
    char pMessageBox[12];     // NUL-terminated text, used as both title and body of the message box
    DWORD dwMessageBox;       // address of user32!MessageBoxA, resolved by the injector (see _tmain)
}RemotePara;

// Thread body that _tmain copies into the target process and starts with
// CreateRemoteThread.  It touches nothing but its parameter block and calls
// through the function pointer stored there.
// NOTE(review): several tokens on this page (e.g. `stdcall`) look garbled by
// extraction; the listing does not compile as shown.
DWORD stdcall ThreadProc (RemotePara *lpPara){
    typedef int (stdcall *MMessageBoxA)(HWND,LPCTSTR,LPCTSTR,DWORD);   // MessageBoxA signature
    MMessageBoxA myMessageBoxA;
    myMessageBoxA =(MMessageBoxA) lpPara->dwMessageBox ;   // entry address supplied by the injector, not resolved here
    myMessageBoxA(NULL,lpPara->pMessageBox ,lpPara->pMessageBox,0);   // same string for title and text
    return 0;
}

// Enables SeDebugPrivilege on the current process token (defined at the end of the file).
void EnableDebugPriv();

// Entry point.  This is the textbook CreateRemoteThread injection chain:
//   1. enable SeDebugPrivilege on our own token,
//   2. open the target PID with PROCESS_ALL_ACCESS,
//   3. allocate an RWX region in the target and copy ThreadProc into it,
//   4. allocate a second region and copy the RemotePara block into it,
//   5. start a thread in the target at the copied code.
// From a defender's point of view every step is an observable event: a token
// privilege adjustment, a full-access cross-process handle, a VirtualAllocEx
// with PAGE_EXECUTE_READWRITE, WriteProcessMemory into a foreign process, and a
// remote thread whose start address is not backed by any image.
// Every path returns 0, so the exit code never distinguishes success from failure,
// and none of the handles/modules obtained below are released.
// NOTE(review): `&name;` sequences and the missing `*` / `__` on this page look like
// HTML-entity / Markdown garbling from extraction; the listing does not compile as shown.
int _tmain(int argc, TCHAR argv[], TCHAR envp[]) {
    const DWORD THREADSIZE=10244;   // arbitrary byte count used for the code copy below
    DWORD byte_write;               // receives the new thread's id (last CreateRemoteThread argument), despite the name
    EnableDebugPriv();              // needed for OpenProcess on processes owned by other users / protected by ACL

    // `hWnd` is a process handle, not a window handle.  The target PID (760) is
    // hard-coded and only meaningful on the author's machine.
    HANDLE hWnd = ::OpenProcess (PROCESS_ALL_ACCESS,FALSE,760);
    if(!hWnd)return 0;

    // Region for the code: committed as RWX, which is itself a strong signal.
    void pRemoteThread =::VirtualAllocEx(hWnd,0,THREADSIZE,MEM_COMMIT| MEM_RESERVE,PAGE_EXECUTE_READWRITE);
    if(!pRemoteThread)return 0;
    // Copies THREADSIZE bytes starting at ThreadProc — far more than the function
    // occupies, so the read continues into whatever follows it in this image.
    if(!::WriteProcessMemory(hWnd,pRemoteThread,&ThreadProc;,THREADSIZE,0)) return 0;

    // Fill in the parameter block.  MessageBoxA is resolved in *this* process; the
    // address is only valid in the target because user32.dll shares a load base
    // across processes on this system — an assumption the code does not check.
    RemotePara myRemotePara;
    ::ZeroMemory(&myRemotePara;,sizeof(RemotePara));
    HINSTANCE hUser32 = ::LoadLibrary (“user32.dll”);   // never FreeLibrary'd
    myRemotePara.dwMessageBox =(DWORD) ::GetProcAddress (hUser32 , “MessageBoxA”);   // return value is not checked
    strcat(myRemotePara.pMessageBox,”hello\0”);   // 6 bytes incl. NUL into a zeroed 12-byte buffer

    // Second region, for the parameter block; data only, so PAGE_READWRITE suffices
    // (the original comment stresses choosing the page protection deliberately).
    RemotePara pRemotePara =(RemotePara ) ::VirtualAllocEx (hWnd ,0,sizeof(RemotePara),MEM_COMMIT,PAGE_READWRITE);
    if(!pRemotePara)return 0;
    if(!::WriteProcessMemory (hWnd ,pRemotePara,&myRemotePara;,sizeof myRemotePara,0))return 0;

    // Start the thread at the copied code with the copied parameter block.
    // Neither hThread nor hWnd is ever closed.
    HANDLE hThread = ::CreateRemoteThread (hWnd ,0,0,(DWORD (__stdcall )(void ))pRemoteThread ,pRemotePara,0,&byte;_write);
    if(!hThread){
        return 0;
    }
    return 0;
}

// Enables SeDebugPrivilege on the current process token so that OpenProcess in
// _tmain can obtain a full-access handle to a process it would otherwise be
// denied.  The privilege can only be enabled if it is already present (but
// disabled) in the token, i.e. the caller is running elevated; the call cannot
// grant a privilege the token does not have.  Token privilege adjustments are
// auditable, which is one of the earliest signals for this whole sequence.
// Failures are silent: nothing is reported to the caller.
// NOTE(review): AdjustTokenPrivileges can return nonzero while assigning nothing
// (ERROR_NOT_ALL_ASSIGNED via GetLastError); that case is not checked here, and
// hToken is only closed on the failure paths, leaking on success.
// NOTE(review): the `&name;` sequences look like HTML-entity garbling from extraction.
void EnableDebugPriv( void ) {
    HANDLE hToken;
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tkp;

    if ( ! OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken; ) )
        return;
    if ( ! LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue; ) ){   // name -> LUID for this system
        CloseHandle( hToken );
        return;
    }
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = sedebugnameValue;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if ( ! AdjustTokenPrivileges( hToken, FALSE, &tkp;, sizeof tkp, NULL, NULL ) )
        CloseHandle( hToken );   // closed only on failure; see note above
}
