利用CreateRemoteThread 实现远程代码注入的例子!!

#include "stdafx.h"


#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
void CheckError ( int, int, char *); // Error handler (defined below): when the first argument equals the second, prints the message with GetLastError(), releases the file-scope handles/buffer and exits.
PDWORD pdwThreadId; // Declared but never used in this file.
HANDLE hRemoteThread, hRemoteProcess; // File-scope so CheckError() can close them on any failure path; NULL until acquired.
DWORD fdwCreate, dwStackSize, dwRemoteProcessId; // Only dwRemoteProcessId is used (assigned in main); the other two are unused.

PWSTR pszLibFileRemote=NULL; // Address of the DLL-path buffer inside the target process; stays NULL until VirtualAllocEx succeeds.

//需要管理员权限启动 或者自动提权就好!!!

// Entry point. Loads a DLL into another process by copying the DLL path into
// that process and starting a remote thread at LoadLibraryW (the classic
// CreateRemoteThread injection). argc/argv are ignored: the target PID and
// the DLL path are hard-coded below. Every Win32 result is funnelled through
// CheckError(), which cleans up and exits on failure.
// NOTE(review): `void main` is non-standard C++ (main must return int), and
// the `(int)` casts applied to HANDLE/pointer results below can truncate the
// value on a 64-bit build, so CheckError() may misjudge success there.
void main(int argc,char **argv)
{
//SendMessage(FindWindow(0,0),WM_SYSCOMMAND,SC_MONITORPOWER,2);//monitor off (left over, disabled)
//::Sleep(5000);
//SendMessage(FindWindow(0,0),WM_SYSCOMMAND,SC_MONITORPOWER,-1);//monitor on (left over, disabled)
//return;
int iReturnCode;
char lpDllFullPathName[MAX_PATH];
WCHAR pszLibFileName[MAX_PATH]={0}; // zero-filled: MultiByteToWideChar is given strlen() below, so the terminator comes from this initialisation
dwRemoteProcessId = 6348; // hard-coded target PID; has to be edited for every run
strcpy(lpDllFullPathName, "D:\\jdtest\\zhuru\\Debug\\dllTest.dll"); // hard-coded DLL path (literal fits in MAX_PATH)
//Convert the DLL's full path from ANSI to UTF-16, since LoadLibraryW takes a wide string
iReturnCode = MultiByteToWideChar(CP_ACP, MB_ERR_INVALID_CHARS,
lpDllFullPathName, strlen(lpDllFullPathName),
pszLibFileName, MAX_PATH);
CheckError(iReturnCode, 0, "MultByteToWideChar"); // 0 means the conversion failed
//Open the target process with only the rights the steps below need
hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | //CreateRemoteThread
PROCESS_VM_OPERATION | //VirtualAllocEx / VirtualFreeEx
PROCESS_VM_WRITE, //WriteProcessMemory
FALSE, dwRemoteProcessId );
CheckError( (int) hRemoteProcess, NULL, "Remote Process not Exist or Access Denied!"); // (int) on a HANDLE: see NOTE(review) above
//Size of the path plus its NUL terminator, in bytes, as needed in the target
int cb = (1 + lstrlenW(pszLibFileName)) * sizeof(WCHAR);
pszLibFileRemote = (PWSTR) VirtualAllocEx( hRemoteProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE); // PAGE_READWRITE: the buffer only holds a string, no code
CheckError((int)pszLibFileRemote, NULL, "VirtualAllocEx");
//Copy the DLL path into the target's address space
iReturnCode = WriteProcessMemory(hRemoteProcess, pszLibFileRemote, (PVOID) pszLibFileName, cb, NULL);
CheckError(iReturnCode, false, "WriteProcessMemory");
//Resolve LoadLibraryW in this process; the local address is then used as the
//remote thread's start address, i.e. the code assumes it is valid in the target too
PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
CheckError((int)pfnStartAddr, NULL, "GetProcAddress");
//Start the remote thread: it runs LoadLibraryW(pszLibFileRemote) inside the target
hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote, 0, NULL);
CheckError((int)hRemoteThread, NULL, "Create Remote Thread");
getchar(); // blocks until a key is pressed before the wait below
//Wait for the remote thread to finish
WaitForSingleObject(hRemoteThread, INFINITE);
//Cleanup: release the remote buffer and close both handles
if (pszLibFileRemote != NULL)
{
VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
}
if (hRemoteThread != NULL) 
{
CloseHandle(hRemoteThread );
}
if (hRemoteProcess!= NULL) 
{
CloseHandle(hRemoteProcess);
}
}
//错误处理函数CheckError()
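/// Abort the program when the Win32 call just made reported failure.
///
/// @param iReturnCode  Value returned by the call (callers pass the raw result).
/// @param iErrorCode   The value that signals failure for that call; every caller
///                     in this file passes 0, NULL or false.
/// @param pErrorMsg    Label printed in front of the error code; may be NULL.
///
/// If iReturnCode equals iErrorCode the label and GetLastError() are printed,
/// the remote buffer and both handles held in the file-scope globals are
/// released, and the process exits with EXIT_FAILURE. (The original exited
/// with 0, which told the shell/caller that the run had succeeded.) Otherwise
/// the function does nothing.
void CheckError(int iReturnCode, int iErrorCode, char *pErrorMsg)
{
if (iReturnCode != iErrorCode)
{
return;
}
// Capture the error code before any cleanup call can overwrite it.
DWORD dwLastError = GetLastError();
// DWORD is unsigned, so %lu rather than %d.
printf("%s Error:%lu\n\n", pErrorMsg != NULL ? pErrorMsg : "(unknown)", dwLastError);
// Release whatever was acquired so far; globals for steps not yet reached are still NULL.
if (pszLibFileRemote != NULL)
{
VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
pszLibFileRemote = NULL;
}
if (hRemoteThread != NULL)
{
CloseHandle(hRemoteThread);
hRemoteThread = NULL;
}
if (hRemoteProcess != NULL)
{
CloseHandle(hRemoteProcess);
hRemoteProcess = NULL;
}
exit(EXIT_FAILURE);
}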




/*
#include <windows.h>
#include <TlHelp32.h>
#include <iostream>
#include <time.h>


// 提升进程访问权限
bool enableDebugPriv()
{
HANDLE  hToken;
LUID    sedebugnameValue;
TOKEN_PRIVILEGES tkp;
if  ( !OpenProcessToken(  GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)
)
{
return false;
}
if( !LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue) )
{
CloseHandle(hToken);
return false;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if( !AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL) )
{
CloseHandle(hToken);
return false;
}
return true;
}


// 根据进程名称得到进程ID,如果有多个运行实例的话,返回第一个枚举到的进程的ID
DWORD processNameToId(LPCTSTR lpszProcessName)
{
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
PROCESSENTRY32 pe;
pe.dwSize = sizeof(PROCESSENTRY32);
if( !Process32First(hSnapshot, &pe) )
{
MessageBox( NULL,
"The frist entry of the process list has not been copyied to the buffer",
"Notice",
MB_ICONINFORMATION | MB_OK
);
return 0;
}
while( Process32Next(hSnapshot, &pe) )
{
if( !strcmp(lpszProcessName, pe.szExeFile) )
{
return pe.th32ProcessID;
}
}
return 0;
}


int main(int argc, char* argv[])
{
// 定义线程体的大小
const DWORD dwThreadSize = 5 * 1024;
DWORD dwWriteBytes;
// 提升进程访问权限
enableDebugPriv();
// 等待输入进程名称,注意大小写匹配
std::cout << "Please input the name of target process !" << std::endl;
char szExeName[MAX_PATH] = { 0 };
std::cin >> szExeName;
DWORD dwProcessId = processNameToId(szExeName);
if( dwProcessId == 0 )
{
MessageBox( NULL,
"The target process have not been found !",
"Notice",
MB_ICONINFORMATION | MB_OK
);
return -1;
}


// 根据进程ID得到进程句柄
HANDLE hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
if( !hTargetProcess )
{
MessageBox( NULL,
"Open target process failed !",
"Notice",
MB_ICONINFORMATION | MB_OK
);
return 0;
}


// 在宿主进程中为线程体开辟一块存储区域
// 在这里需要注意MEM_COMMIT内存非配类型以及PAGE_EXECUTE_READWRITE内存保护类型
// 其具体含义请参考MSDN中关于VirtualAllocEx函数的说明。
void* pRemoteThread = VirtualAllocEx(   hTargetProcess,
0,
dwThreadSize,
MEM_COMMIT , PAGE_EXECUTE_READWRITE);
if( !pRemoteThread )
{
MessageBox( NULL,
"Alloc memory in target process failed !",
"notice",
MB_ICONINFORMATION | MB_OK
);
return 0;
}
// 设置需要注入的DLL名称
char szDll[256];
memset(szDll, 0, 256);
strcpy(szDll, "D:\\jdtest\\zhuru\\Debug\\dllTest.dll");
// 拷贝注入DLL内容到宿主空间
if( !WriteProcessMemory(    hTargetProcess,
pRemoteThread,
(LPVOID)szDll,
dwThreadSize,
0) )
{
MessageBox( NULL,
"Write data to target process failed !",
"Notice",
MB_ICONINFORMATION | MB_OK
);
return 0;
}


LPVOID pFunc = LoadLibraryA;
//在宿主进程中创建线程
HANDLE hRemoteThread = CreateRemoteThread(  hTargetProcess,
NULL,
0,
(LPTHREAD_START_ROUTINE)pFunc,
pRemoteThread,
0,
&dwWriteBytes);
if( !hRemoteThread )
{
MessageBox(    NULL,
"Create remote thread failed !",
"Notice",
MB_ICONINFORMATION | MB_OK
);
return 0;
}
// 等待LoadLibraryA加载完毕
WaitForSingleObject(hRemoteThread, INFINITE );
VirtualFreeEx(hTargetProcess, pRemoteThread, dwThreadSize, MEM_COMMIT);
CloseHandle( hRemoteThread );
CloseHandle( hTargetProcess );
return 0;
}*/




资源 https://download.csdn.net/download/jangdong/10521681

以下是一段远程线程注入代码例子:

```
#include <Windows.h>
#include <TlHelp32.h>

DWORD GetProcessIdByName(const wchar_t* processName)
{
    DWORD processId = 0;
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot != INVALID_HANDLE_VALUE) {
        PROCESSENTRY32 processEntry = { 0 };
        processEntry.dwSize = sizeof(PROCESSENTRY32);
        if (Process32First(snapshot, &processEntry)) {
            do {
                if (_wcsicmp(processEntry.szExeFile, processName) == 0) {
                    processId = processEntry.th32ProcessID;
                    break;
                }
            } while (Process32Next(snapshot, &processEntry));
        }
        CloseHandle(snapshot);
    }
    return processId;
}

int main()
{
    const wchar_t* targetProcessName = L"notepad.exe";
    const wchar_t* dllPath = L"C:\\path\\to\\mydll.dll";
    DWORD targetProcessId = GetProcessIdByName(targetProcessName);
    if (targetProcessId == 0) {
        printf("Target process not found.\n");
        return 1;
    }
    HANDLE targetProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, targetProcessId);
    if (targetProcess == NULL) {
        printf("Failed to open target process.\n");
        return 1;
    }
    LPVOID dllPathAddress = VirtualAllocEx(targetProcess, NULL, wcslen(dllPath) * sizeof(wchar_t), MEM_COMMIT, PAGE_READWRITE);
    if (dllPathAddress == NULL) {
        printf("Failed to allocate memory in target process.\n");
        CloseHandle(targetProcess);
        return 1;
    }
    if (!WriteProcessMemory(targetProcess, dllPathAddress, dllPath, wcslen(dllPath) * sizeof(wchar_t), NULL)) {
        printf("Failed to write to target process memory.\n");
        VirtualFreeEx(targetProcess, dllPathAddress, 0, MEM_RELEASE);
        CloseHandle(targetProcess);
        return 1;
    }
    HMODULE kernel32Module = GetModuleHandle(L"kernel32.dll");
    if (kernel32Module == NULL) {
        printf("Failed to get kernel32 module handle.\n");
        VirtualFreeEx(targetProcess, dllPathAddress, 0, MEM_RELEASE);
        CloseHandle(targetProcess);
        return 1;
    }
    LPVOID loadLibraryAddress = GetProcAddress(kernel32Module, "LoadLibraryW");
    if (loadLibraryAddress == NULL) {
        printf("Failed to get LoadLibraryW address.\n");
        VirtualFreeEx(targetProcess, dllPathAddress, 0, MEM_RELEASE);
        CloseHandle(targetProcess);
        return 1;
    }
    HANDLE remoteThread = CreateRemoteThread(targetProcess, NULL, 0, (LPTHREAD_START_ROUTINE)loadLibraryAddress, dllPathAddress, 0, NULL);
    if (remoteThread == NULL) {
        printf("Failed to create remote thread.\n");
        VirtualFreeEx(targetProcess, dllPathAddress, 0, MEM_RELEASE);
        CloseHandle(targetProcess);
        return 1;
    }
    WaitForSingleObject(remoteThread, INFINITE);
    VirtualFreeEx(targetProcess, dllPathAddress, 0, MEM_RELEASE);
    CloseHandle(remoteThread);
    CloseHandle(targetProcess);
    printf("Injection succeeded.\n");
    return 0;
}
```

请注意,这只是一个示例代码,实际使用时需要根据具体情况进行修改和调整。
