vc 无dll注入

// NoDllInjectDlg.cpp : implementation file
//

#include "stdafx.h"
#include "NoDllInject.h"
#include "NoDllInjectDlg.h"

#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif

/////////////////////////////////////////////////////////////////////////////
// CAboutDlg dialog used for App About

// About box shown from the system menu (see CNoDllInjectDlg::OnSysCommand).
// The //{{AFX_... }} regions are maintained by ClassWizard; keep their shape.
class CAboutDlg : public CDialog
{
public:
	CAboutDlg();

// Dialog Data
	//{{AFX_DATA(CAboutDlg)
	enum { IDD = IDD_ABOUTBOX };    // dialog template resource id
	//}}AFX_DATA

	// ClassWizard generated virtual function overrides
	//{{AFX_VIRTUAL(CAboutDlg)
	protected:
	virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV support (no controls mapped)
	//}}AFX_VIRTUAL

// Implementation
protected:
	//{{AFX_MSG(CAboutDlg)
	//}}AFX_MSG
	DECLARE_MESSAGE_MAP()   // map is empty; see BEGIN_MESSAGE_MAP(CAboutDlg, ...)
};

// Builds the About box from its dialog template (IDD_ABOUTBOX); no members to initialise.
CAboutDlg::CAboutDlg() : CDialog(CAboutDlg::IDD)
{
	//{{AFX_DATA_INIT(CAboutDlg)
	//}}AFX_DATA_INIT
}

// DDX/DDV hook; the About box has no bound controls, so only the base call remains.
void CAboutDlg::DoDataExchange(CDataExchange* pDX)
{
	CDialog::DoDataExchange(pDX);
	//{{AFX_DATA_MAP(CAboutDlg)
	//}}AFX_DATA_MAP
}

// Empty message map: the About box relies entirely on CDialog's default handling.
BEGIN_MESSAGE_MAP(CAboutDlg, CDialog)
	//{{AFX_MSG_MAP(CAboutDlg)
		// No message handlers
	//}}AFX_MSG_MAP
END_MESSAGE_MAP()

/////////////////////////////////////////////////////////////////////////////
// CNoDllInjectDlg dialog

// Main dialog constructor: binds the dialog template and caches the
// application icon used by OnInitDialog/OnPaint/OnQueryDragIcon.
CNoDllInjectDlg::CNoDllInjectDlg(CWnd* pParent /*=NULL*/)
	: CDialog(CNoDllInjectDlg::IDD, pParent)
{
	//{{AFX_DATA_INIT(CNoDllInjectDlg)
		// NOTE: the ClassWizard will add member initialization here
	//}}AFX_DATA_INIT
	// Icons obtained through LoadIcon are owned by the system image list on
	// Win32; no DestroyIcon is needed later.
	CWinApp* const pApp = AfxGetApp();
	m_hIcon = pApp->LoadIcon(IDR_MAINFRAME);
}

// DDX/DDV hook for the main dialog.  No controls are bound here; the pid edit
// box is read directly with GetDlgItemInt by the button handlers.
void CNoDllInjectDlg::DoDataExchange(CDataExchange* pDX)
{
	CDialog::DoDataExchange(pDX);
	//{{AFX_DATA_MAP(CNoDllInjectDlg)
		// NOTE: the ClassWizard will add DDX and DDV calls here
	//}}AFX_DATA_MAP
}

// Message routing for the main dialog.  Both push buttons start a remote-thread
// injection into the pid typed in IDC_EDIT_PID:
//   IDC_BTN_INJECT -> OnBtnInject -> InjectCode   (RemoteThreadProc + DATA)
//   IDC_BUTTON1    -> OnBnClickedButton1          (ThreadProc + RemotePara)
BEGIN_MESSAGE_MAP(CNoDllInjectDlg, CDialog)
	//{{AFX_MSG_MAP(CNoDllInjectDlg)
	ON_WM_SYSCOMMAND()
	ON_WM_PAINT()
	ON_WM_QUERYDRAGICON()
	ON_BN_CLICKED(IDC_BTN_INJECT, OnBtnInject)
	//}}AFX_MSG_MAP
	ON_BN_CLICKED(IDC_BUTTON1, &CNoDllInjectDlg::OnBnClickedButton1)
END_MESSAGE_MAP()

/////////////////////////////////////////////////////////////////////////////
// CNoDllInjectDlg message handlers

// One-time dialog setup: adds the About entry to the system menu, installs the
// dialog icons, and enables SeDebugPrivilege on this process (DebugPrivilege).
// Returns TRUE because focus is left with the default control.
BOOL CNoDllInjectDlg::OnInitDialog()
{
	CDialog::OnInitDialog();

	// IDM_ABOUTBOX must be a valid system-command id: low four bits clear and
	// below the range Windows reserves (0xF000 and up).
	ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
	ASSERT(IDM_ABOUTBOX < 0xF000);

	if (CMenu* const pSysMenu = GetSystemMenu(FALSE))
	{
		CString strAboutMenu;
		strAboutMenu.LoadString(IDS_ABOUTBOX);
		if (strAboutMenu.IsEmpty() == FALSE)
		{
			pSysMenu->AppendMenu(MF_SEPARATOR);
			pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu);
		}
	}

	// The framework only sets icons automatically for non-dialog main windows,
	// so a dialog-based app does it here.
	SetIcon(m_hIcon, TRUE);		// big icon
	SetIcon(m_hIcon, FALSE);	// small icon

	// SeDebugPrivilege is requested unconditionally at startup, before the user
	// has asked for anything; see DebugPrivilege for what is (not) checked.
	DebugPrivilege();

	return TRUE;	// focus was not moved to a specific control
}

// WM_SYSCOMMAND handler: shows the About box for IDM_ABOUTBOX and forwards
// everything else to CDialog.
void CNoDllInjectDlg::OnSysCommand(UINT nID, LPARAM lParam)
{
	// Windows uses the low four bits of a system-command id internally, so
	// they are masked off before comparing.
	const UINT nCommand = nID & 0xFFF0;
	if (nCommand != IDM_ABOUTBOX)
	{
		CDialog::OnSysCommand(nID, lParam);
		return;
	}

	CAboutDlg dlgAbout;
	dlgAbout.DoModal();
}

// If you add a minimize button to your dialog, you will need the code below
//  to draw the icon.  For MFC applications using the document/view model,
//  this is automatically done for you by the framework.

// WM_PAINT handler.  When the dialog is minimized it paints the application
// icon centred in the client area itself (the framework does this only for
// document/view apps); otherwise default painting applies.
void CNoDllInjectDlg::OnPaint() 
{
	if (!IsIconic())
	{
		CDialog::OnPaint();
		return;
	}

	CPaintDC dc(this);   // device context for painting
	SendMessage(WM_ICONERASEBKGND, (WPARAM) dc.GetSafeHdc(), 0);

	// Centre the icon in the client rectangle.
	CRect rcClient;
	GetClientRect(&rcClient);
	const int cxIcon = GetSystemMetrics(SM_CXICON);
	const int cyIcon = GetSystemMetrics(SM_CYICON);
	const int xPos = (rcClient.Width() - cxIcon + 1) / 2;
	const int yPos = (rcClient.Height() - cyIcon + 1) / 2;

	dc.DrawIcon(xPos, yPos, m_hIcon);
}

// The system calls this to obtain the cursor to display while the user drags
//  the minimized window.
// Cursor shown while the minimized window is dragged: the dialog icon itself
// (HCURSOR and HICON are the same handle type on Win32).
HCURSOR CNoDllInjectDlg::OnQueryDragIcon()
{
	return static_cast<HCURSOR>(m_hIcon);
}

#define STRLEN 20   // capacity of each inline string below, terminator included

// Parameter block handed to RemoteThreadProc as lpParam.  InjectCode fills it
// in this process and copies it into the target with WriteProcessMemory, so it
// carries raw addresses and inline char arrays rather than pointers into this
// process's memory.
typedef struct _DATA
{
    DWORD dwLoadLibrary;        // address of kernel32!LoadLibraryA
    DWORD dwGetProcAddress;     // address of kernel32!GetProcAddress
    DWORD dwGetModuleHandle;    // address of kernel32!GetModuleHandleA (stored but unused by RemoteThreadProc)
    DWORD dwGetModuleFileName;  // address of kernel32!GetModuleFileNameA

    char User32Dll[STRLEN];     // "user32.dll"
    char MessageBox[STRLEN];    // "MessageBoxA"
    char Str[STRLEN];           // text shown by the remote message box
}DATA, *PDATA;

// Thread body that InjectCode copies byte-for-byte into the target process and
// starts there with CreateRemoteThread.  lpParam points at the DATA block that
// was copied alongside it; every API used here is reached through the
// addresses carried in that block, not through this module's import table.
// Shows a message box in the target whose caption is the target's own
// executable path.  Always returns 0.
DWORD WINAPI RemoteThreadProc(LPVOID lpParam)
{
	// Original author's note (translated): after injection the target program
	// terminates abnormally -- probably an address-space problem; disassemble
	// to find the cause.
    PDATA pData = (PDATA)lpParam;

    // Prototypes for the API entry points received via DATA
    HMODULE (__stdcall *MyLoadLibrary)(LPCTSTR);
    FARPROC (__stdcall *MyGetProcAddress)(HMODULE, LPCSTR);
    HMODULE (__stdcall *MyGetModuleHandle)(LPCTSTR);
    int (__stdcall *MyMessageBox)(HWND, LPCTSTR, LPCTSTR, UINT);
    DWORD (__stdcall *MyGetModuleFileName)(HMODULE, LPTSTR, DWORD);

    MyLoadLibrary = (HMODULE (__stdcall *)(LPCTSTR))pData->dwLoadLibrary;
    MyGetProcAddress = (FARPROC (__stdcall *)(HMODULE,LPCSTR))pData->dwGetProcAddress;
    // NOTE(review): MyGetModuleHandle is assigned but never called.
    MyGetModuleHandle = (HMODULE (__stdcall *)(LPCSTR))pData->dwGetModuleHandle;
    MyGetModuleFileName = (DWORD (__stdcall *)(HMODULE,LPTSTR,DWORD nSize))pData->dwGetModuleFileName;
    
    // NOTE(review): neither hModule nor the MessageBoxA lookup is checked for
    // NULL before being called through.
    HMODULE hModule = MyLoadLibrary(pData->User32Dll);
    MyMessageBox = (int (__stdcall *)(HWND,LPCTSTR,LPCTSTR,UINT))MyGetProcAddress(hModule, pData->MessageBox);
    char szModuleName[MAX_PATH] = { 0 };
    MyGetModuleFileName(NULL, szModuleName, MAX_PATH);   // NULL module = the target's main executable

    MyMessageBox(NULL, pData->Str, szModuleName, MB_OK);

    return 0;
}

// IDC_BTN_INJECT handler: reads the target pid from IDC_EDIT_PID and runs
// InjectCode on it.  An empty or non-numeric field yields pid 0 because the
// translation flag is not requested.
void CNoDllInjectDlg::OnBtnInject() 
{
	const DWORD dwTargetPid = GetDlgItemInt(IDC_EDIT_PID, FALSE, FALSE);
	InjectCode(dwTargetPid);
}

// Enables SeDebugPrivilege on this process's own token.  Called once from
// OnInitDialog; presumably so the later OpenProcess(PROCESS_ALL_ACCESS) calls
// in InjectCode/OnBnClickedButton1 succeed against more targets.
//
// NOTE(review): a process enabling SeDebugPrivilege at startup, before any
// user action, is a behaviour endpoint monitoring commonly flags on its own.
VOID CNoDllInjectDlg::DebugPrivilege()
{
    HANDLE hToken = NULL;
    
    // NOTE(review): TOKEN_ALL_ACCESS is broader than AdjustTokenPrivileges
    // needs (TOKEN_ADJUST_PRIVILEGES; TOKEN_QUERY only if a previous state
    // is requested, which it is not here).
    BOOL bRet = OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken);
    
    if ( bRet == TRUE )
    {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        // NOTE(review): both results below are discarded.  AdjustTokenPrivileges
        // returns TRUE with GetLastError() == ERROR_NOT_ALL_ASSIGNED when the
        // token does not hold the privilege (non-administrator), so callers
        // cannot tell whether the privilege is actually enabled.
        LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
        
        CloseHandle(hToken);
    }
}

// Copies RemoteThreadProc and a DATA parameter block into process dwPid and
// starts a remote thread on the copy (see RemoteThreadProc for what runs
// there).  Shows GetLastError() in a message box and blocks the UI thread
// until the remote thread exits.
//
// NOTE(review): OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(RWX) ->
// WriteProcessMemory -> CreateRemoteThread is the textbook remote-thread
// injection chain; endpoint monitoring commonly alerts on exactly this
// sequence from an interactive process.
VOID CNoDllInjectDlg::InjectCode(DWORD dwPid)
{
    // NOTE(review): PROCESS_ALL_ACCESS is far more than the calls below use.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    if ( hProcess == NULL )
    {
        AfxMessageBox("OpenProcess Error");
        return ;
    }

    // Resolve the kernel32 exports the remote thread calls and hand them over
    // as raw addresses inside DATA.
    // NOTE(review): none of the GetProcAddress results is checked; a NULL is
    // only discovered when the remote thread calls through it.
    DATA Data = { 0 };
    Data.dwLoadLibrary = (DWORD)GetProcAddress(
                            GetModuleHandle("kernel32.dll"),
                            "LoadLibraryA");
    Data.dwGetProcAddress = (DWORD)GetProcAddress(
                            GetModuleHandle("kernel32.dll"),
                            "GetProcAddress");
    Data.dwGetModuleHandle = (DWORD)GetProcAddress(
                            GetModuleHandle("kernel32.dll"),
                            "GetModuleHandleA");
    Data.dwGetModuleFileName = (DWORD)GetProcAddress(
                            GetModuleHandleA("kernel32.dll"),
                            "GetModuleFileNameA");

    // All three literals fit STRLEN (20) including the terminator.
    lstrcpy(Data.User32Dll, "user32.dll");
    lstrcpy(Data.MessageBox, "MessageBoxA");
    lstrcpy(Data.Str, "Inject Code !!!");

    // Parameter block in the target.
    // NOTE(review): lpData is not checked for NULL, the WriteProcessMemory
    // result and dwWriteNum are ignored, and neither remote allocation made
    // here is ever released with VirtualFreeEx.
    LPVOID lpData = VirtualAllocEx(hProcess,
                            NULL,
                            sizeof(DATA),
                            MEM_COMMIT | MEM_RESERVE,
                            PAGE_READWRITE);
    DWORD dwWriteNum = 0;
    WriteProcessMemory(hProcess, lpData, &Data, sizeof(DATA), &dwWriteNum);
    
    // Code in the target.
    // NOTE(review): a fixed 0x2000 bytes are copied starting at
    // RemoteThreadProc regardless of the function's real length, so whatever
    // follows it in this module's code goes along, and the read runs past the
    // section if fewer than 8 KiB remain after the function.
    DWORD dwFunSize = 0x2000;
    LPVOID lpCode = VirtualAllocEx(hProcess,
                            NULL,
                            dwFunSize,
                            MEM_COMMIT,
                            PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProcess, lpCode, RemoteThreadProc, dwFunSize, &dwWriteNum);

    HANDLE hRemoteThread = CreateRemoteThread(hProcess,
                            NULL,
                            0,
                            (LPTHREAD_START_ROUTINE)lpCode,
                            lpData,
                            0,
                            NULL);
    // Report GetLastError() as "Info (error code=%d): %s" under the caption
    // "System notice" (the literals below are Chinese).
    // NOTE(review): hRemoteThread is not tested for NULL and the error is
    // shown even when the call succeeded (the value is then stale); lpMsgBuf
    // is handed to wsprintf/LocalFree without checking that FormatMessage
    // allocated it; szBuf is TCHAR yet formatted with "%s" and shown through
    // MessageBoxA, which only lines up in an ANSI (non-UNICODE) build.
	TCHAR szBuf[1024];  
	LPVOID lpMsgBuf;  
	DWORD dw=GetLastError();  
	FormatMessage(  
		FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,  
		NULL,dw,  
		MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),  
		(LPTSTR) &lpMsgBuf,0, NULL );  
	wsprintf(szBuf,_T("信息 (出错码=%d): %s\n"),  
		dw, lpMsgBuf);  
	LocalFree(lpMsgBuf);  
	MessageBoxA(szBuf,"系统提示",0); 

    // Blocks the UI thread until the remote thread exits (or forever if it
    // never runs).
    WaitForSingleObject(hRemoteThread, INFINITE);

    CloseHandle(hRemoteThread);

    CloseHandle(hProcess);
}
// Parameter block for ThreadProc; copied into the target by OnBnClickedButton1.
typedef struct _RemotePara{ 
	PVOID dwMessageBox;         // address of user32!MessageBoxA, resolved in this process
	char strMessageBox[12];     // text used for both the message and the caption (12 bytes including terminator)
}RemotePara; 
// Remote thread body used by OnBnClickedButton1.  Copied into the target and
// started with CreateRemoteThread; Para points at the copied RemotePara.
// Calls MessageBoxA through the address in Para, using strMessageBox as both
// text and caption.  Always returns 0.
DWORD __stdcall ThreadProc(RemotePara *Para)
{
	typedef int (/*__stdcall*/ *PMessageBox) (HWND ,LPCTSTR ,LPCTSTR,UINT);
	// NOTE(review): Para->dwMessageBox is called without a NULL check.
	PMessageBox MessageBoxFunc = (PMessageBox)Para->dwMessageBox;
	MessageBoxFunc(NULL, Para->strMessageBox, Para->strMessageBox, MB_OK);
	return 0 ;
}

// IDC_BUTTON1 handler: second injection path.  Copies ThreadProc and a
// RemotePara into process pID and starts a remote thread on it.  Unlike
// InjectCode it resolves MessageBoxA here and ships only that one address.
//
// NOTE(review): every early `return` after OpenProcess succeeds leaks
// hRemoteProcess; hThread is never closed; hUser32 is never released
// (FreeLibrary is commented out); neither remote allocation is ever freed;
// the final "ok" box is shown whether or not CreateRemoteThread succeeded.
void CNoDllInjectDlg::OnBnClickedButton1()
{	
	DWORD THREADSIZE=1024;          // bytes copied starting at &ThreadProc, regardless of its real length
	DWORD pID;
	DWORD byte_write;               // receives the new thread id from CreateRemoteThread, not a byte count
	HANDLE hRemoteProcess,hThread;
	RemotePara myRemotePara,*pRemotePara; 
	void *pRemoteThread;
	HINSTANCE hUser32 ;

	pID = GetDlgItemInt(IDC_EDIT_PID, FALSE, FALSE);   // 0 if the field is empty or not numeric

	hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pID); 
	if(!hRemoteProcess)
		return ; 
	// Allocate executable memory in the remote process's address space
	pRemoteThread = VirtualAllocEx(hRemoteProcess, 0, THREADSIZE, MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
	if(!pRemoteThread)
		return ; 
	// Copy the thread body ThreadProc into the remote process
	if(!WriteProcessMemory(hRemoteProcess, pRemoteThread, &ThreadProc, THREADSIZE,0))
		return ;

	ZeroMemory(&myRemotePara,sizeof(RemotePara)); 
	hUser32 = LoadLibrary("user32.dll");
	myRemotePara.dwMessageBox = (PVOID)GetProcAddress(hUser32, "MessageBoxA"); 

	// NOTE(review): stack buffer overflow.  strMessageBox holds 12 bytes (see
	// RemotePara); "Hello " + "!" + terminator is already 8 and the three CJK
	// characters take at least two bytes each in any multibyte source
	// encoding, so strcat writes at least 14 bytes and runs past myRemotePara.
	strcat(myRemotePara.strMessageBox,"Hello 你是猪!"); // copy the MessageBox argument
	// Write the parameter block into the target process 
	pRemotePara =(RemotePara *)VirtualAllocEx (hRemoteProcess ,0,sizeof(RemotePara),MEM_COMMIT,PAGE_READWRITE);
	if(!pRemotePara)
		return ; 
	if(!WriteProcessMemory (hRemoteProcess ,pRemotePara,&myRemotePara,sizeof(myRemotePara),0))
		return ; 
	// Start the thread 
	hThread = CreateRemoteThread(hRemoteProcess ,0,0,(LPTHREAD_START_ROUTINE)pRemoteThread ,pRemotePara,0,&byte_write);
	//FreeLibrary(hUser32);
	CloseHandle(hRemoteProcess); 

	AfxMessageBox("ok");

}
