CreateRemoteThread注入NOTEPAD

 
#include <cstdlib>
#include <iostream>
#include <windows.h> 
#include "tlhelp32.h"
using namespace std;
// Function-pointer types for the Win32 APIs the injected code reaches through
// the HYPINJECT struct, so the copied code never references an import by address.
typedef HINSTANCE (WINAPI *ProcLoadLibrary)(char*);              // LoadLibraryA (the real API takes LPCSTR; const is dropped here)
typedef FARPROC (WINAPI *ProcGetProcAddress)(HMODULE, LPCSTR);   // GetProcAddress
typedef int (WINAPI *ProcMessageBox)(HWND,LPCTSTR,LPCTSTR,UINT); // MessageBoxA, resolved at run time in ThreadProc; LPCTSTR only matches the ANSI export when UNICODE is not defined
//
// Parameter block handed to the remote thread. It is written into the target
// process as a plain byte copy, which is why it holds only function pointers
// and inline char arrays (no pointers into this process's heap or strings).
typedef struct tagHYPINJECT {
       ProcLoadLibrary    fnLoad;        // LoadLibraryA, resolved from kernel32 in InjectFunc
       ProcGetProcAddress fnGetProc;     // GetProcAddress, resolved from kernel32 in InjectFunc
       char MsgStr [MAX_PATH];           // message text; ThreadProc uses it for both body and caption
       char DLLName [MAX_PATH];          // DLL to load in the target ("user32.dll")
       char ProcName [MAX_PATH];         // export to look up in that DLL ("MessageBoxA")
} HYPINJECT;
//
// Body that runs inside the target process. Its raw bytes are copied over
// (see cbCodeSize in InjectFunc), so it must be self-contained: no direct
// calls, globals or string literals that would need relocation — everything
// it needs arrives through the HYPINJECT pointed to by lpParameter.
static DWORD WINAPI ThreadProc (LPVOID lpParameter)
{
       HYPINJECT* p = (HYPINJECT*)lpParameter;                                   // lpParameter is the copy of hypInject written by InjectFunc (pData)
       HMODULE hDLL = p->fnLoad (p->DLLName);                                    // fnLoad == LoadLibraryA; loads DLLName ("user32.dll") into the target
       ProcMessageBox MsgBox = (ProcMessageBox)p->fnGetProc(hDLL,p->ProcName);   // fnGetProc == GetProcAddress; resolves ProcName ("MessageBoxA")
       MsgBox(NULL,p->MsgStr,p->MsgStr,MB_OK);                                   // MsgStr serves as both text and caption
       // NOTE(review): neither hDLL nor MsgBox is NULL-checked; a failed load or
       // lookup dereferences NULL in the target process.
       return 0;
}
// Empty marker function. InjectFunc takes (AfterThreadProc - ThreadProc) as the
// byte size of ThreadProc, which is why both are defined static. This only
// works if the toolchain emits the two functions adjacently in source order —
// not something the language guarantees (optimization or function-level
// linking may reorder or pad them).
static void AfterThreadProc (void) { }
// Parameter block filled in by InjectFunc and written verbatim into the target
// process (pData); the remote ThreadProc reads it as its HYPINJECT argument.
HYPINJECT hypInject;
// Copies ThreadProc and the hypInject parameter block into process PID and
// starts a remote thread on the copy. Returns FALSE only when OpenProcess
// fails; the result of every later step is ignored (see notes below).
//
// Detection note: OpenProcess with PROCESS_VM_WRITE|PROCESS_CREATE_THREAD,
// VirtualAllocEx with PAGE_EXECUTE_READWRITE, WriteProcessMemory and
// CreateRemoteThread in sequence is the textbook remote-thread injection
// chain; Sysmon Event ID 8 (CreateRemoteThread) and EDR products commonly
// alert on exactly this pattern.
BOOL InjectFunc(DWORD PID)
{
       HMODULE hk = LoadLibrary ("kernel32.dll");                                // hk is never released with FreeLibrary (harmless here: kernel32 is already mapped)
       hypInject.fnLoad = (ProcLoadLibrary)GetProcAddress (hk, "LoadLibraryA");   // resolved in THIS process; presumably usable remotely because kernel32 shares one base across processes in a boot session — an assumption, not a contract
       hypInject.fnGetProc = (ProcGetProcAddress)GetProcAddress (hk, "GetProcAddress");
       strcpy(hypInject.MsgStr, " hyp's Knowledge Base");                        // the three literals are far shorter than MAX_PATH, so strcpy cannot overflow here
       strcpy (hypInject.DLLName, "user32.dll");
       strcpy (hypInject.ProcName, "MessageBoxA");                                // pData holds this whole struct; ThreadProc is what the remote thread executes
       PVOID pCode = NULL;
       PVOID pData = NULL;
       BOOL bc = FALSE;
       DWORD cbCodeSize = (BYTE*)AfterThreadProc - (BYTE*)ThreadProc;           // size of ThreadProc by address difference; relies on AfterThreadProc being placed directly after it
       HANDLE hProc = OpenProcess(
              PROCESS_QUERY_INFORMATION |  
              PROCESS_CREATE_THREAD     |
              PROCESS_VM_OPERATION      |
              PROCESS_VM_WRITE,           
              FALSE, PID);
       if (hProc == NULL)
       {
              return FALSE;                                                      // the only failure reported to the caller
       }
      
       // NOTE(review): none of the four calls below checks its result — a NULL
       // pCode/pData or a FALSE bc still falls through to CreateRemoteThread.
       pCode=VirtualAllocEx(hProc,NULL,cbCodeSize,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
       bc = WriteProcessMemory(hProc,pCode,(LPVOID)(DWORD) ThreadProc,cbCodeSize,NULL);   // the (DWORD) cast truncates the pointer on 64-bit builds; this code assumes 32-bit
       pData = VirtualAllocEx (hProc,NULL, sizeof (hypInject), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
       bc = WriteProcessMemory (hProc, pData, &hypInject, sizeof (hypInject), NULL);
       HANDLE ht=CreateRemoteThread(hProc,NULL,NULL,(LPTHREAD_START_ROUTINE)pCode,pData,0,NULL);   // ht is never waited on or closed (handle leak); the remote allocations are never freed either
       CloseHandle(hProc);
       return TRUE;
}
// Entry point: walks a process snapshot, calls InjectFunc on the first process
// whose image name is NOTEPAD.EXE (case-insensitive), then pauses so the
// console window stays open.
int main()
{
       HANDLE hSnapshot = NULL;
       hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);             // NOTE(review): never checked against INVALID_HANDLE_VALUE (the failure value, not NULL)
       PROCESSENTRY32 pe;
       pe.dwSize = sizeof(PROCESSENTRY32);                                        // dwSize must be set before the first Process32* call
       Process32First(hSnapshot,&pe);                                            // return value ignored; on failure pe is left unset and the loop still reads it
       
	   do
       {
              if(stricmp(pe.szExeFile,"NOTEPAD.EXE")==0)                         // stricmp is the legacy name of _stricmp; szExeFile is TCHAR, so this presumably only compiles as a non-UNICODE build
              {
                     InjectFunc(pe.th32ProcessID);                               // result ignored
                     break;                                                      // only the first match is used
              }
       }
       while(Process32Next(hSnapshot,&pe)==TRUE);
       
       CloseHandle (hSnapshot);    
       system("pause");                                                          // keeps the console open; Windows-only
       return 0;
}
