// Inject.cpp : defines the entry point for the console application.
//
#include "stdafx.h"
#include <windows.h>
#include <string.h>
#include <TlHelp32.h>
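/**
 * Enable one named privilege in the current process's primary token.
 *
 * @param name  A privilege name as understood by LookupPrivilegeValue; any
 *              other string makes the lookup fail and nothing is changed.
 * @return TRUE only when the privilege is actually enabled in the token,
 *         FALSE otherwise (GetLastError() describes the failure).
 *
 * Two defects of the original are fixed here: the token handle was never
 * closed, and AdjustTokenPrivileges was trusted on its return value alone —
 * that call returns TRUE even when it could not assign the privilege and
 * only signals it through ERROR_NOT_ALL_ASSIGNED in the last-error code.
 */
BOOL EnableDebugPriv(LPCTSTR name)
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return FALSE;
    }

    BOOL enabled = FALSE;
    LUID luid;
    if (LookupPrivilegeValue(NULL, name, &luid)) {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL)) {
            // A TRUE return only means the request was well-formed; the
            // privilege may still be missing from the token.
            enabled = (GetLastError() == ERROR_SUCCESS);
        }
    }

    // Preserve the error code across CloseHandle so callers can report it.
    DWORD savedError = GetLastError();
    CloseHandle(hToken);
    SetLastError(savedError);
    return enabled;
}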
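/**
 * Find the process id of the first running process whose executable file
 * name equals lpProcessName (exact, case-sensitive lstrcmp comparison).
 *
 * @param lpProcessName  Executable name to match against PROCESSENTRY32::szExeFile.
 * @return The matching process id, or 0 when nothing matches or the snapshot
 *         cannot be taken.  Despite its name the function returns an id, not
 *         a HANDLE; the name is kept so existing callers keep working.
 *
 * Fixes over the original: the result of Process32First is checked (the
 * original entered the loop and compared an unfilled entry on failure), the
 * entry is zero-initialised, and the DWORD error code uses a matching
 * format specifier.
 */
DWORD getProcessHandle(LPCTSTR lpProcessName)
{
    DWORD pid = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {
        printf("\n获得进程快照失败%lu", GetLastError());
        return pid;
    }

    PROCESSENTRY32 entry = {0};
    entry.dwSize = sizeof(entry);
    for (BOOL more = Process32First(hSnap, &entry); more; more = Process32Next(hSnap, &entry)) {
        if (lstrcmp(entry.szExeFile, lpProcessName) == 0) {
            pid = entry.th32ProcessID;
            break;
        }
    }

    CloseHandle(hSnap);
    return pid;
}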
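/**
 * Entry point: look up the target process by executable name, copy a DLL
 * path into its address space and start a remote thread on LoadLibraryW.
 * This is the textbook OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
 * CreateRemoteThread sequence; it is exactly the call chain endpoint
 * telemetry keys on when detecting remote-thread DLL loading.
 *
 * Fixes over the original: every API result is checked instead of being
 * used unconditionally, the write length no longer reads one byte past the
 * stack buffer (sizeof(P)+1), format specifiers match DWORD, and the process
 * handle and remote allocation are released on every path.
 *
 * @return 0 on success, -1 on any failure.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    int rc = -1;
    HANDLE hProc = NULL;
    HANDLE hThread = NULL;
    LPVOID remoteBuf = NULL;
    PTHREAD_START_ROUTINE pfnLoad = NULL;
    TCHAR P[20] = TEXT("C:\\G_dll.dll");
    (void)argc;
    (void)argv;

    // The original discarded this result; it is reported so the reader can
    // see whether the privilege adjustment took effect at all.
    if (!EnableDebugPriv(TEXT("Inject.exe"))) {
        printf("EnableDebugPriv failed %lu\n", GetLastError());
    }

    DWORD pid = getProcessHandle(TEXT("VICTIM_ij.exe"));
    printf("%lu\n", pid);
    if (pid == 0) {
        printf("target process not found\n");
        return -1;
    }

    hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (hProc == NULL) {
        printf("OpenProcess failed %lu\n", GetLastError());
        return -1;
    }

    // sizeof(P) already includes the terminating NUL, so that is both the
    // allocation size and the number of bytes written.
    remoteBuf = VirtualAllocEx(hProc, NULL, sizeof(P), MEM_COMMIT, PAGE_READWRITE);
    if (remoteBuf == NULL) {
        printf("buf\n");
        goto cleanup;
    }
    if (!WriteProcessMemory(hProc, remoteBuf, P, sizeof(P), NULL)) {
        printf("WriteProcessMemory failed %lu\n", GetLastError());
        goto cleanup;
    }

    // NOTE(review): "LoadLibraryW" expects a wide string while P is TCHAR;
    // this only lines up when the project builds with UNICODE defined — confirm.
    pfnLoad = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
    if (pfnLoad == NULL) {
        printf("GetProcAddress failed %lu\n", GetLastError());
        goto cleanup;
    }

    hThread = CreateRemoteThread(hProc, NULL, 0, pfnLoad, remoteBuf, 0, NULL);
    if (hThread == NULL) {
        printf("\n建立远程线程失败%lu\n", GetLastError());
        system("pause");
        goto cleanup;
    }

    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    rc = 0;

cleanup:
    if (remoteBuf != NULL) {
        VirtualFreeEx(hProc, remoteBuf, 0, MEM_RELEASE);
    }
    CloseHandle(hProc);
    return rc;
}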
//
#include "stdafx.h"
#include <windows.h>
#include <string.h>
#include <TlHelp32.h>
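/**
 * Enable one named privilege in the current process's primary token.
 *
 * @param name  A privilege name as understood by LookupPrivilegeValue; any
 *              other string makes the lookup fail and nothing is changed.
 * @return TRUE only when the privilege is actually enabled in the token,
 *         FALSE otherwise (GetLastError() describes the failure).
 *
 * Two defects of the original are fixed here: the token handle was never
 * closed, and AdjustTokenPrivileges was trusted on its return value alone —
 * that call returns TRUE even when it could not assign the privilege and
 * only signals it through ERROR_NOT_ALL_ASSIGNED in the last-error code.
 */
BOOL EnableDebugPriv(LPCTSTR name)
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return FALSE;
    }

    BOOL enabled = FALSE;
    LUID luid;
    if (LookupPrivilegeValue(NULL, name, &luid)) {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL)) {
            // A TRUE return only means the request was well-formed; the
            // privilege may still be missing from the token.
            enabled = (GetLastError() == ERROR_SUCCESS);
        }
    }

    // Preserve the error code across CloseHandle so callers can report it.
    DWORD savedError = GetLastError();
    CloseHandle(hToken);
    SetLastError(savedError);
    return enabled;
}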
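/**
 * Find the process id of the first running process whose executable file
 * name equals lpProcessName (exact, case-sensitive lstrcmp comparison).
 *
 * @param lpProcessName  Executable name to match against PROCESSENTRY32::szExeFile.
 * @return The matching process id, or 0 when nothing matches or the snapshot
 *         cannot be taken.  Despite its name the function returns an id, not
 *         a HANDLE; the name is kept so existing callers keep working.
 *
 * Fixes over the original: the result of Process32First is checked (the
 * original entered the loop and compared an unfilled entry on failure), the
 * entry is zero-initialised, and the DWORD error code uses a matching
 * format specifier.
 */
DWORD getProcessHandle(LPCTSTR lpProcessName)
{
    DWORD pid = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {
        printf("\n获得进程快照失败%lu", GetLastError());
        return pid;
    }

    PROCESSENTRY32 entry = {0};
    entry.dwSize = sizeof(entry);
    for (BOOL more = Process32First(hSnap, &entry); more; more = Process32Next(hSnap, &entry)) {
        if (lstrcmp(entry.szExeFile, lpProcessName) == 0) {
            pid = entry.th32ProcessID;
            break;
        }
    }

    CloseHandle(hSnap);
    return pid;
}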
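/**
 * Entry point: look up the target process by executable name, copy a DLL
 * path into its address space and start a remote thread on LoadLibraryW.
 * This is the textbook OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
 * CreateRemoteThread sequence; it is exactly the call chain endpoint
 * telemetry keys on when detecting remote-thread DLL loading.
 *
 * Fixes over the original: every API result is checked instead of being
 * used unconditionally, the write length no longer reads one byte past the
 * stack buffer (sizeof(P)+1), format specifiers match DWORD, and the process
 * handle and remote allocation are released on every path.
 *
 * @return 0 on success, -1 on any failure.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    int rc = -1;
    HANDLE hProc = NULL;
    HANDLE hThread = NULL;
    LPVOID remoteBuf = NULL;
    PTHREAD_START_ROUTINE pfnLoad = NULL;
    TCHAR P[20] = TEXT("C:\\G_dll.dll");
    (void)argc;
    (void)argv;

    // The original discarded this result; it is reported so the reader can
    // see whether the privilege adjustment took effect at all.
    if (!EnableDebugPriv(TEXT("Inject.exe"))) {
        printf("EnableDebugPriv failed %lu\n", GetLastError());
    }

    DWORD pid = getProcessHandle(TEXT("VICTIM_ij.exe"));
    printf("%lu\n", pid);
    if (pid == 0) {
        printf("target process not found\n");
        return -1;
    }

    hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (hProc == NULL) {
        printf("OpenProcess failed %lu\n", GetLastError());
        return -1;
    }

    // sizeof(P) already includes the terminating NUL, so that is both the
    // allocation size and the number of bytes written.
    remoteBuf = VirtualAllocEx(hProc, NULL, sizeof(P), MEM_COMMIT, PAGE_READWRITE);
    if (remoteBuf == NULL) {
        printf("buf\n");
        goto cleanup;
    }
    if (!WriteProcessMemory(hProc, remoteBuf, P, sizeof(P), NULL)) {
        printf("WriteProcessMemory failed %lu\n", GetLastError());
        goto cleanup;
    }

    // NOTE(review): "LoadLibraryW" expects a wide string while P is TCHAR;
    // this only lines up when the project builds with UNICODE defined — confirm.
    pfnLoad = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
    if (pfnLoad == NULL) {
        printf("GetProcAddress failed %lu\n", GetLastError());
        goto cleanup;
    }

    hThread = CreateRemoteThread(hProc, NULL, 0, pfnLoad, remoteBuf, 0, NULL);
    if (hThread == NULL) {
        printf("\n建立远程线程失败%lu\n", GetLastError());
        system("pause");
        goto cleanup;
    }

    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    rc = 0;

cleanup:
    if (remoteBuf != NULL) {
        VirtualFreeEx(hProc, remoteBuf, 0, MEM_RELEASE);
    }
    CloseHandle(hProc);
    return rc;
}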