#include <cstdlib>
#include <iostream>
#include <windows.h>
#include "tlhelp32.h"
using namespace std;
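// Function-pointer types for the three exports the injected stub calls.
// They spell out LPCSTR (instead of the original char* / LPCTSTR) so that they
// match the "A" exports that are resolved by name below and stay correct in a
// UNICODE build, where LPCTSTR would silently become LPCWSTR while the address
// resolved at runtime is still MessageBoxA. Passing a char[] to LPCSTR is a
// widening conversion, so existing callers are unaffected.
typedef HMODULE (WINAPI *ProcLoadLibrary)(LPCSTR lpLibFileName);          // LoadLibraryA
typedef FARPROC (WINAPI *ProcGetProcAddress)(HMODULE hModule, LPCSTR lpProcName); // GetProcAddress
typedef int (WINAPI *ProcMessageBox)(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType); // MessageBoxA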
//
// Parameter block handed to the injected stub. InjectFunc fills it in, copies
// the whole struct verbatim into the target with WriteProcessMemory and passes
// the remote address as the thread parameter. It therefore has to be
// self-contained: fixed-size char arrays rather than pointers into this
// process, plus two function pointers that were resolved in the injector's
// own address space and are only usable in the target if kernel32.dll is
// mapped at the same base there (at minimum this requires matching bitness;
// nothing in this file verifies it).
typedef struct tagHYPINJECT {
ProcLoadLibrary fnLoad; // LoadLibraryA, resolved by the injector
ProcGetProcAddress fnGetProc; // GetProcAddress, resolved by the injector
char MsgStr [MAX_PATH]; // text and caption shown by the remote message box
char DLLName [MAX_PATH]; // module the stub loads ("user32.dll")
char ProcName [MAX_PATH]; // export the stub resolves in it ("MessageBoxA")
} HYPINJECT;
//
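// Entry point that runs inside the target process. It is copied there as raw
// bytes (everything from ThreadProc up to AfterThreadProc, see InjectFunc),
// so it must be self-contained: no calls into this image, no string literals,
// no globals - the only things it may touch are the HYPINJECT block passed in
// lpParameter and the two kernel32 pointers stored in it. Any call the
// compiler inserts on its own (e.g. a /GS security-cookie check or an
// incremental-link thunk) would point back into the injector and break the
// copy; build settings have to rule that out.
//
// lpParameter: address of the remote copy of a HYPINJECT.
// Returns 0 after showing the message box, 1 if the DLL or the export could
// not be resolved. The original dereferenced both results unchecked, so a
// failed LoadLibraryA/GetProcAddress would have crashed the target process.
static DWORD WINAPI ThreadProc (LPVOID lpParameter)
{
    HYPINJECT* p = (HYPINJECT*)lpParameter;
    // LoadLibraryA(DLLName) through the pointer the injector resolved in its
    // own address space; this only lands in kernel32 if the target maps it at
    // the same base.
    HMODULE hDLL = p->fnLoad (p->DLLName);
    if (hDLL == NULL)
        return 1;
    // GetProcAddress(hDLL, ProcName), expected to yield MessageBoxA.
    ProcMessageBox MsgBox = (ProcMessageBox)p->fnGetProc(hDLL,p->ProcName);
    if (MsgBox == NULL)
        return 1;
    // MsgStr serves as both text and caption, as in the original.
    MsgBox(NULL,p->MsgStr,p->MsgStr,MB_OK);
    return 0;
}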
// End-of-stub marker and nothing more: InjectFunc subtracts ThreadProc's
// address from this one to get the number of bytes to copy, which is why both
// functions are static and defined back to back. It is never called.
static void AfterThreadProc (void)
{
}
// Staging copy of the parameter block: InjectFunc fills it in and writes the
// whole struct into the target as pData, the HYPINJECT the remote ThreadProc
// receives.
HYPINJECT hypInject;
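// Copies ThreadProc (as raw bytes) and a HYPINJECT parameter block into the
// process identified by PID and starts the copy on a new remote thread.
//
// Returns TRUE only if the remote thread was actually created. On any earlier
// failure (export lookup, OpenProcess, allocation, write, protection change,
// thread creation) it returns FALSE and releases whatever it had already
// allocated in the target. The original returned TRUE unconditionally, never
// looked at the WriteProcessMemory/VirtualAllocEx/CreateRemoteThread results
// and leaked the thread handle.
//
// Preconditions this code cannot check for itself:
//  - ThreadProc must be self-contained position-independent code and the
//    linker must place AfterThreadProc directly after it, because the byte
//    length copied is simply the difference of the two addresses.
//  - The target must match this process's bitness and map kernel32.dll at
//    the same base, since hypInject carries our own LoadLibraryA and
//    GetProcAddress addresses verbatim.
BOOL InjectFunc(DWORD PID)
{
    // kernel32 is already mapped in every Win32 process, so GetModuleHandleA
    // yields the module without taking a reference that is never released
    // (the original LoadLibrary call had no matching FreeLibrary); the
    // explicit "A" also keeps the char* literal valid in a UNICODE build.
    HMODULE hk = GetModuleHandleA("kernel32.dll");
    if (hk == NULL)
        return FALSE;
    hypInject.fnLoad = (ProcLoadLibrary)GetProcAddress (hk, "LoadLibraryA");
    hypInject.fnGetProc = (ProcGetProcAddress)GetProcAddress (hk, "GetProcAddress");
    if (hypInject.fnLoad == NULL || hypInject.fnGetProc == NULL)
        return FALSE;
    // All three literals are fixed and far shorter than MAX_PATH, so strcpy
    // cannot overrun the buffers.
    strcpy(hypInject.MsgStr, " hyp's Knowledge Base");
    strcpy (hypInject.DLLName, "user32.dll");
    strcpy (hypInject.ProcName, "MessageBoxA");

    // Length of the stub to copy. The difference is only meaningful when
    // AfterThreadProc really follows ThreadProc; with the reverse layout the
    // original's unsigned subtraction wrapped to a huge size, so reject it.
    const BYTE* codeBegin = (const BYTE*)ThreadProc;
    const BYTE* codeEnd = (const BYTE*)AfterThreadProc;
    if (codeEnd <= codeBegin)
        return FALSE;
    SIZE_T cbCodeSize = (SIZE_T)(codeEnd - codeBegin);

    HANDLE hProc = OpenProcess(
        PROCESS_QUERY_INFORMATION | // required by CreateRemoteThread
        PROCESS_CREATE_THREAD |
        PROCESS_VM_OPERATION |      // VirtualAllocEx / VirtualProtectEx / VirtualFreeEx
        PROCESS_VM_WRITE,           // WriteProcessMemory
        FALSE, PID);
    if (hProc == NULL)
        return FALSE;

    PVOID pCode = NULL;
    PVOID pData = NULL;
    HANDLE ht = NULL;
    DWORD oldProtect = 0;

    // Code page: allocated writable, filled, then switched to execute/read
    // before the thread starts, so the target never holds a page that is both
    // writable and executable (the original used PAGE_EXECUTE_READWRITE for
    // both allocations). The source is passed as a plain pointer; the original
    // (LPVOID)(DWORD) cast truncates the address in a 64-bit build.
    pCode = VirtualAllocEx(hProc, NULL, cbCodeSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pCode != NULL
        && WriteProcessMemory(hProc, pCode, (LPCVOID)codeBegin, cbCodeSize, NULL)
        && VirtualProtectEx(hProc, pCode, cbCodeSize, PAGE_EXECUTE_READ, &oldProtect))
    {
        // Parameter block: only ever read by the stub, so plain RW suffices.
        pData = VirtualAllocEx (hProc, NULL, sizeof (hypInject), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (pData != NULL
            && WriteProcessMemory (hProc, pData, &hypInject, sizeof (hypInject), NULL))
        {
            ht = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)pCode, pData, 0, NULL);
        }
    }

    if (ht != NULL)
    {
        // The stub now owns the two remote pages; as in the original we do not
        // wait for it, so they stay allocated for the life of the target.
        CloseHandle(ht);
    }
    else
    {
        // Nothing is executing in the target, so give back what we allocated.
        if (pData != NULL)
            VirtualFreeEx(hProc, pData, 0, MEM_RELEASE);
        if (pCode != NULL)
            VirtualFreeEx(hProc, pCode, 0, MEM_RELEASE);
    }
    CloseHandle(hProc);
    return ht != NULL;
}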
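// Finds the first process whose image name is NOTEPAD.EXE (case-insensitive)
// and injects into it. Prints why nothing happened when no such process is
// found or InjectFunc reports failure, and exits non-zero in those cases; the
// original ignored the snapshot and enumeration results and always returned 0.
//
// Assumes a non-UNICODE build, consistent with the "A" APIs used elsewhere in
// this file: under UNICODE, PROCESSENTRY32::szExeFile is WCHAR[] and the
// _stricmp below would not compile.
int main()
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    // This API reports failure with INVALID_HANDLE_VALUE, not NULL.
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        cerr << "CreateToolhelp32Snapshot failed, error " << GetLastError() << '\n';
        system("pause");
        return 1;
    }
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(PROCESSENTRY32); // must be set before Process32First
    BOOL found = FALSE;
    BOOL injected = FALSE;
    // A FALSE from Process32First means an empty or invalid snapshot; the
    // original entered the loop regardless and compared uninitialised data.
    for (BOOL more = Process32First(hSnapshot, &pe); more; more = Process32Next(hSnapshot, &pe))
    {
        if (_stricmp(pe.szExeFile, "NOTEPAD.EXE") == 0)
        {
            found = TRUE;
            injected = InjectFunc(pe.th32ProcessID);
            break; // first match only, as before
        }
    }
    CloseHandle (hSnapshot);
    if (!found)
        cout << "NOTEPAD.EXE not found; nothing injected" << '\n';
    else if (!injected)
        cerr << "injection into PID " << pe.th32ProcessID << " failed" << '\n';
    system("pause");
    return (found && injected) ? 0 : 1;
}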
CreateRemoteThread注入NOTEPAD