win7 的GetProcAddress地址会变动,所以该代码不适用于win7
// 远程线程注入_调用API.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include "windows.h"
// Function-pointer types for the three Win32 APIs the payload calls.
// The payload (romente_true) receives raw addresses in Param_Str and casts
// them to these types instead of importing the APIs through this module.
typedef int (_stdcall * Type_MessageBoxA)(HWND hWnd,LPCSTR lpText,LPCSTR lpCaption,UINT uType);
typedef HMODULE (_stdcall * Type_LoadLibraryA)(LPCSTR lpLibFileName);
typedef FARPROC (_stdcall * Type_GetProcAddress) (HMODULE hModule, LPCSTR lpProcName);
// Parameter block that InjectFunc copies into the target process and passes
// to the remote thread as its single argument; romente_true reads it there.
// NOTE(review): addresses are stored as DWORD, so this layout is 32-bit only.
typedef struct
{
DWORD Add_LoadLibraryA; // address of kernel32!LoadLibraryA, filled in by InjectFunc
DWORD Add_GetProcAddress; // address of KernelBase!GetProcAddress, filled in by InjectFunc (see the Win7 caveat there)
char DLLname[20]; // DLL to load ("user32.dll" in InjectFunc); filled with strcpy, no bound check -- keep under 20 bytes incl. NUL
char APIname[20]; // export to resolve in that DLL ("MessageBoxA" in InjectFunc); same size caveat
char Param1[20]; // text used as both message and caption; same size caveat
} Param_Str;
// Resolve the real entry of a function behind an MSVC Debug-build jump stub.
// Debug builds route a function symbol through a 5-byte "jmp rel32"
// (opcode 0xE9); the jump target is the actual body. When lpFunStart does
// not begin with 0xE9 it is returned unchanged.
// NOTE(review): the address is truncated to DWORD -- this helper is 32-bit only.
DWORD GetFunAddress(PUCHAR lpFunStart)
{
	const DWORD start = (DWORD)lpFunStart;
	if (*lpFunStart != 0xE9)
	{
		return start;
	}
	// jmp rel32: target = address of the next instruction (start + 5) + displacement.
	// DWORD arithmetic wraps, so a negative displacement still lands correctly.
	const DWORD rel32 = *(DWORD *)(lpFunStart + 1);
	return start + 5 + rel32;
}
// Unused start marker: InjectFunc measures the payload from romente_true, not from here.
__declspec (naked) VOID FunFirst(){_asm{nop}};// (unused) -- see InjectFunc
// Payload executed inside the target process by CreateRemoteThread (see InjectFunc).
// P_str points at the Param_Str copy that InjectFunc placed in the target.
// Resolves DLLname!APIname through the LoadLibraryA/GetProcAddress addresses
// carried in P_str, treats the result as MessageBoxA and calls it with Param1.
// Constraint: InjectFunc copies this function's bytes verbatim into another
// process, so nothing here may reference this module's address space --
// no string literals, no direct API calls, no CRT helpers.
// NOTE(review): the resolved address is used unchecked; if LoadLibraryA or
// GetProcAddress fails in the target, the remote thread calls NULL and the
// target process crashes.
// Returns 0; that value becomes the remote thread's exit code, which InjectFunc
// never reads.
int _stdcall romente_true(Param_Str *P_str)
{
Type_LoadLibraryA p_LoadLibraryA;
Type_GetProcAddress p_GetProcAddress;
Type_MessageBoxA p_MessageBoxA;
FARPROC Func_add;
// Both addresses were resolved in the injecting process; they are only valid
// here if kernel32/KernelBase are mapped at the same base in the target.
p_LoadLibraryA=(Type_LoadLibraryA)P_str->Add_LoadLibraryA;
p_GetProcAddress=(Type_GetProcAddress)P_str->Add_GetProcAddress;
Func_add=p_GetProcAddress(p_LoadLibraryA(P_str->DLLname),P_str->APIname);// resolve DLLname!APIname inside the target
p_MessageBoxA =(Type_MessageBoxA)Func_add;
// Param1 serves as both the message text and the caption.
p_MessageBoxA(NULL,P_str->Param1,P_str->Param1,MB_YESNO|MB_ICONQUESTION|MB_DEFBUTTON1|MB_SYSTEMMODAL);
return 0;
};
// End marker: InjectFunc uses GetFunAddress(FunEnd) - GetFunAddress(romente_true)
// as the payload byte count. This relies on the compiler placing FunEnd directly
// after romente_true in the image, which the language does not guarantee --
// confirm in the linker map before trusting the size.
__declspec (naked) VOID FunEnd(){_asm{nop}};// marks the end of romente_true
// Demo driver: copies romente_true into the process that owns the window titled
// "计算器" (Calculator) and runs it there via CreateRemoteThread with a Param_Str.
// Returns true unconditionally; none of the API calls below are checked.
// NOTE(review): hProcess and hThread are never closed, and the two VirtualAllocEx
// regions in the target are never freed.
bool InjectFunc()
{
LPVOID ParamAddr;
LPVOID FuncAddr;
HANDLE hProcess;
HWND hWnd;
DWORD Pid;
HANDLE hThread;
Param_Str params;
DWORD ParamSize;
DWORD FuncAddr_First,FuncAddr_End,FuncAddr_Size;
//1 write the function into the target process
hWnd=FindWindowA(NULL,"计算器");
// NOTE(review): if the window is not found hWnd is NULL, GetWindowThreadProcessId
// fails, and OpenProcess reads Pid uninitialized.
GetWindowThreadProcessId(hWnd, &Pid) ;
hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, Pid);
// Payload size = distance from romente_true's real entry to FunEnd; assumes the
// compiler lays FunEnd out immediately after romente_true (GetFunAddress strips
// the Debug-build jump stub from both).
FuncAddr_First=GetFunAddress((PUCHAR)romente_true);
FuncAddr_End=GetFunAddress((PUCHAR)FunEnd);
FuncAddr_Size=FuncAddr_End-FuncAddr_First;
// RWX allocation in the target, cross-process write, then a remote thread: this is
// the sequence host-based detection typically keys on.
FuncAddr = VirtualAllocEx(hProcess, NULL, FuncAddr_Size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess,FuncAddr,(PVOID)FuncAddr_First, FuncAddr_Size, NULL);
// Unbounded strcpy into 20-byte fields: fine for these literals, overflows for longer names.
strcpy(params.APIname,"MessageBoxA");
strcpy(params.DLLname,"user32.dll");
strcpy(params.Param1,"asd");
// Addresses are taken from this process and assumed to match the target's mapping.
params.Add_LoadLibraryA= (DWORD)GetProcAddress( GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
params.Add_GetProcAddress= (DWORD)GetProcAddress( GetModuleHandleA("KernelBase.dll"), "GetProcAddress");// author's note: big problem here -- on WIN7 the base address of GetProcAddress differs per process
ParamSize=sizeof(params);
if (ParamSize) // always true: sizeof a struct is never 0
{
ParamAddr = VirtualAllocEx(hProcess,NULL, ParamSize, MEM_COMMIT, PAGE_READWRITE);
// NOTE(review): "¶ms" is a mis-encoded "&params" (entity damage in the paste); it does not compile as written.
WriteProcessMemory(hProcess, ParamAddr, (LPCVOID)¶ms, ParamSize, NULL);
}
printf("0x%x\n",params.Add_GetProcAddress);
// Local dry run: executes the payload in this process first (shows the message box here).
romente_true(¶ms);// NOTE(review): same mis-encoded "&params" as above
hThread = CreateRemoteThread(hProcess, NULL, 0,(LPTHREAD_START_ROUTINE)FuncAddr, ParamAddr, 0, NULL);// create the remote thread
WaitForSingleObject(hThread, INFINITE) ;
return true;
}
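// Console entry point: runs the injection demo and maps its result to the
// process exit code (0 on success, 1 on failure). argc/argv are unused.
int _tmain(int argc, _TCHAR* argv[])
{
	(void)argc;
	(void)argv;
	// Propagate InjectFunc's result instead of discarding it.
	return InjectFunc() ? 0 : 1;
}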