#ifndef _REMOTE_DATA_
#define _REMOTE_DATA_

#include <windows.h>
#include <TLHELP32.h>
#include <list>

using namespace std;

#ifndef FUN_END_FLAG
// Default end-of-function marker value. NewFun() looks for the x86 encoding
// of `MOV EDX, imm32` (opcode 0xBA) followed by this immediate.
#define F_E_F 0xAABBCCDD
// Place this marker just before the `return` at the end of a function so that
// NewFun() can find where the function's code ends. MSVC 32-bit inline asm only.
#define FUN_END_FLAG(X) __asm MOV EDX,X;
// Declares a local variable and initialises it with an inline `MOV`, so the
// compiled code contains a `MOV [EBP-n], imm32` that SetLocalVar() can patch.
// Example: VAR_LOCAL(PINJDATA,pData,0x00000000);
#define VAR_LOCAL(TYPE,NAME,VALUE) TYPE NAME; __asm{MOV NAME,VALUE};
#endif

// CRemoteData: owns one block of memory inside another process.
//
// Alloc() opens the target with OpenProcess (access mask listed inline),
// allocates a region with VirtualAllocEx and optionally copies a local buffer
// into it with WriteProcessMemory. RunThread() starts a thread in the target
// with CreateRemoteThread, using the region as the thread entry point.
// NOTE(review): this OpenProcess / VirtualAllocEx(PAGE_EXECUTE_READWRITE) /
// WriteProcessMemory / CreateRemoteThread sequence is the pattern that
// endpoint monitoring generally reports as cross-process code injection;
// treat any use of this class as something that must be visible in logs.
//
// Everything here is 32-bit x86 / MSVC specific: the macros use __asm, NewFun()
// scans raw x86 opcode bytes, and operator unsigned int() casts a pointer to a
// 32-bit integer (truncates on 64-bit).
//
// NOTE(review): ownership is incomplete. The constructor does not initialise
// _hProcess or _hThread, so the destructor's `if (_hProcess)` reads an
// indeterminate value when Alloc() was never called or failed; a second
// Alloc() overwrites _hProcess/_pData without closing the old handle or
// freeing the old region (VirtualFreeEx is named in a comment but never
// called); and the thread handle returned by CreateRemoteThread is never closed.
class CRemoteData
{
public:
    // Only the data fields are reset here; _hProcess and _hThread stay uninitialised.
    CRemoteData()
    {
        _dwDataLen=0;
        _pData=NULL;
    }

    // Closes the process handle. The remote region itself is not released.
    ~CRemoteData()
    {
        if (_hProcess) CloseHandle(_hProcess);
    }

    // Allocate memory in a remote process.
    // pid       target process ID
    // pData     optional local buffer copied into the new region (may be NULL)
    // dwDataLen size of the region in bytes; 0 is rejected
    // bExeCode  TRUE -> PAGE_EXECUTE_READWRITE, FALSE -> PAGE_READWRITE
    // Returns TRUE when a region was allocated (_pData non-NULL).
    // NOTE(review): the WriteProcessMemory result and dwWriteBytes are ignored,
    // so a partial or failed copy still reports success.
    BOOL Alloc(DWORD pid, LPVOID pData, DWORD dwDataLen, BOOL bExeCode=FALSE)
    {
        if (dwDataLen==0) return FALSE;
        HANDLE hProcess = OpenProcess(
            PROCESS_QUERY_INFORMATION |   // Required by Alpha
            PROCESS_CREATE_THREAD     |   // For CreateRemoteThread
            PROCESS_VM_OPERATION      |   // For VirtualAllocEx/VirtualFreeEx
            PROCESS_VM_READ           |   // For ReadProcessMemory
            PROCESS_VM_WRITE,             // For WriteProcessMemory
            FALSE, pid);
        if (NULL==hProcess) return FALSE;
        LPVOID pBuffer = VirtualAllocEx( hProcess, 0, dwDataLen, MEM_COMMIT, bExeCode?PAGE_EXECUTE_READWRITE:PAGE_READWRITE );
        if (pBuffer)
        {
            // If an initial buffer was supplied, copy it into the remote region.
            if (pData)
            {
                DWORD dwWriteBytes;
                WriteProcessMemory( hProcess, pBuffer, pData, dwDataLen, &dwWriteBytes );
            }
            _hProcess=hProcess;
            _dwDataLen=dwDataLen;
            _pData=pBuffer;
        }
        return _pData!=NULL;
    }

    // Copy a function's machine code into the remote process, using the
    // FUN_END_FLAG marker (or a trailing ret) to find where the code ends.
    // pid          target process ID
    // pTemplateFun address of the function whose bytes are copied
    // FunEndFlag   0 -> stop at the first ret opcode without looking for the marker;
    //              otherwise the marker must be seen before a ret is honoured
    // Returns the result of Alloc(), or FALSE on a NULL function / zero length.
    //
    // NOTE(review): the byte scan has no upper bound; it walks forward until a
    // ret (C3/CB/C2/CA) is accepted, so a template function without the expected
    // ending makes it read past the function. A marker found at offset 0 is
    // indistinguishable from "no marker" because iFlag is tested as a boolean.
    // The bytes are copied verbatim, so presumably the template must not contain
    // calls or absolute data references into the source process — TODO confirm.
    // `delete nptr` should be `delete[] nptr` for an array allocated with new[].
    BOOL NewFun(DWORD pid, LPVOID pTemplateFun, unsigned int FunEndFlag=F_E_F)
    {
        if (!pTemplateFun) return FALSE;
        unsigned char *ptr=(unsigned char *)pTemplateFun;
        // Follow incremental-linking thunks: a leading `JMP rel32` (0xE9) points
        // at the real function body.
        while ( *ptr == 0xE9 )
        {
            int add=*(int *)(ptr+1);
            ptr+=5;
            ptr+=add;
            pTemplateFun=(void *)ptr;
        }
        size_t i=0;            // number of code bytes counted so far
        unsigned int iFlag=0;  // offset of the end marker once it has been found
        // Stop at a return instruction: C3/CB (ret), C2/CA (ret imm16, 3 / 5 bytes).
        while(1) //C2 C3 CB CA
        {
            if (iFlag || FunEndFlag==0)
            {
                if ( ptr[i]==0xC3 || ptr[i]==0xCB ) { i++; break; }
                else if ( ptr[i]==0xC2 ) { i+=3; break; }
                else if ( ptr[i]==0xCA ) { i+=5; break; }
            }else if ( ptr[i] == 0xBA && *(unsigned int *)(ptr+i+1)==F_E_F ){
                // `MOV EDX, F_E_F` found: remember its offset and skip the immediate.
                iFlag=i;
                i+=4;
            }
            i++;
        }
        if (i==0) return FALSE;
        BOOL ret=FALSE;
        if (iFlag)
        {
            // Copy locally and overwrite the 5-byte marker instruction with NOPs
            // before handing the bytes to Alloc().
            unsigned char *nptr=new unsigned char[i];
            if (nptr)
            {
                memcpy(nptr,pTemplateFun,i);
                for (int j=0;j<5;j++) { nptr[iFlag+j]=0x90; }
                ret=Alloc(pid,nptr,i,TRUE);
                delete nptr;
            }
        }else{
            ret=Alloc(pid,pTemplateFun,i,TRUE);
        }
        return ret;
    }

    // Patch the immediate of a `MOV [EBP-n], imm32` (bytes C7 45 nn XX XX XX XX)
    // in the remote copy, i.e. set a local variable's initial value after
    // compilation (see VAR_LOCAL).
    // old_val the immediate currently in the code
    // new_val the immediate to write in its place
    // bSetAll false -> patch only the first match; true -> patch every match
    //
    // NOTE(review): _dwDataLen-4 is an unsigned subtraction, so a region shorter
    // than 4 bytes makes the loop bound wrap and the scan read past ptr. The
    // ReadProcessMemory/WriteProcessMemory byte counts are not checked against
    // _dwDataLen, and `delete ptr` should be `delete[] ptr`.
    void SetLocalVar(unsigned int old_val, unsigned int new_val, bool bSetAll=false)
    {
        if ( _pData==NULL ) return;
        unsigned char *ptr=new unsigned char[_dwDataLen];
        // Read the current remote bytes.
        DWORD dwReadBytes;
        if (ReadProcessMemory( _hProcess, _pData, ptr, _dwDataLen, &dwReadBytes))
        {
            for (unsigned int i=0;i<_dwDataLen-4;i++)
            {
                if ( ptr[i]==0xC7 && ptr[i+1]==0x45 )
                {
                    if ( *(unsigned int*)(ptr+i+3)==old_val )
                    {
                        *(unsigned int*)(ptr+i+3)=new_val; // store the new value
                        if (!bSetAll) break;
                        i+=6;  // skip the rest of this 7-byte instruction
                    }
                }
            }
            // Write the patched bytes back.
            DWORD dwWriteBytes;
            WriteProcessMemory( _hProcess, _pData, ptr, _dwDataLen, &dwWriteBytes );
        }
        delete ptr;
    }

    // Run the remote region as a thread entry point.
    // pRemoteParam pointer in the remote process passed as the thread argument
    // lpThreadId   optional out-param receiving the new thread's ID
    // Returns the thread handle from CreateRemoteThread (NULL on failure).
    // NOTE(review): _hThread is overwritten on each call and never closed.
    HANDLE RunThread(LPVOID pRemoteParam, LPDWORD lpThreadId=NULL)
    {
        _hThread=CreateRemoteThread(_hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)_pData, pRemoteParam, 0 , lpThreadId);
        return _hThread;
    }

    // Remote region base address.
    LPVOID GetData() { return _pData; }
    // Remote region size in bytes.
    DWORD GetLength() { return _dwDataLen; }
    // Remote region size in bytes (same value as GetLength()).
    size_t Size() { return _dwDataLen; }

    // Conversions to the remote address. The unsigned int form exists so the
    // object can be passed straight to SetLocalVar(); it truncates on 64-bit.
    operator unsigned int() { return (unsigned int)_pData; }
    operator bool() { return (_pData!=NULL); }
    operator void*() const { return _pData; }
    operator unsigned char*() const { return (unsigned char *)_pData; }
    operator char*() const { return (char *)_pData; }

private:
    HANDLE _hProcess;   // target process handle; not set by the constructor
    LPVOID _pData;      // remote region base, NULL until Alloc() succeeds
    DWORD _dwDataLen;   // remote region size in bytes
    HANDLE _hThread;    // last handle returned by RunThread(); not set by the constructor
};
#endif //(_REMOTE_DATA_)

// Fill Processlist with a Toolhelp snapshot of running processes.
// Processlist   cleared first, then receives one PROCESSENTRY32 per process
// lpProcessName NULL or "" -> all processes; otherwise only entries whose
//               szExeFile matches case-insensitively
//
// NOTE(review): the snapshot handle is not checked against INVALID_HANDLE_VALUE
// and the Process32First result is ignored, so on failure the first (unset)
// entry is still pushed. strlen/stricmp assume an ANSI build even though the
// parameter is LPCTSTR.
void GetProcessList(list<PROCESSENTRY32> &Processlist, LPCTSTR lpProcessName=NULL)
{
    Processlist.clear();
    HANDLE hSnapshot = NULL;
    hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(PROCESSENTRY32);
    Process32First(hSnapshot,&pe);
    if (lpProcessName && strlen(lpProcessName))
    {
        do {
            if ( stricmp(pe.szExeFile,lpProcessName)==0)
            {
                Processlist.push_back(pe);
            }
        } while(Process32Next(hSnapshot,&pe)==TRUE);
    }else{
        do {
            Processlist.push_back(pe);
        } while(Process32Next(hSnapshot,&pe)==TRUE);
    }
    CloseHandle(hSnapshot);
}

// Return TRUE if any entry in Processlist has th32ProcessID == PID.
BOOL FindProcess(list<PROCESSENTRY32> &Processlist, DWORD PID)
{
    list<PROCESSENTRY32>::iterator i;
    for (i=Processlist.begin();i!=Processlist.end();i++)
    {
        if ( (*i).th32ProcessID == PID )
        {
            return TRUE;
        }
    }
    return FALSE;
}

// Test code (usage example as given on the original page; dwPID, ThreadFunc,
// DataLocal, INJDATA and rd_winproc are not declared here — rd_winproc is
// presumably meant to be rd_fun, and "/n" looks like a typo for "\n").
CRemoteData rd_fun, rd_pam;
if (rd_fun.NewFun(dwPID,ThreadFunc))
{
    if (rd_pam.Alloc(dwPID, &DataLocal,sizeof(INJDATA)))
    {
        rd_winproc.SetLocalVar(0x00000000, rd_pam);
        if (rd_fun.RunThread(rd_pam))
        {
            printf("注入成功!/n");
        }else{
            printf("注入失败!/n");
        }
    }
}