// InjectCode.cpp : 定义控制台应用程序的入口点。
#include "stdafx.h"
#include <Windows.h>
#include <stdio.h>
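// Parameter block that Inject copies into the target process and passes to
// the injected thread (MyFun) as its LPVOID argument.  The injected code runs
// in another address space, so everything it needs -- the two strings and the
// address of MessageBoxA -- has to travel inside this struct.
typedef struct _REMOTE_PARAMETER
{
    CHAR m_msgContent[MAX_PATH];    // NUL-terminated text shown by MessageBoxA
    CHAR m_msgTitle[MAX_PATH];      // NUL-terminated caption shown by MessageBoxA
    // Address of user32!MessageBoxA as resolved in the injector.  Pointer-sized
    // so a 64-bit build does not silently truncate the address; the previous
    // DWORD field was only correct for 32-bit processes.
    DWORD_PTR m_dwMessageBoxAddr;
}RemotePara, * PRemotePara;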
// Body of the thread that Inject starts inside the target process.  Inject
// copies this function byte-for-byte (MyFun .. AfterMyFun) into the target, so
// it must stay self-contained: no string literals, no globals, no CRT or
// import-table calls -- MessageBoxA is reached only through the address
// carried in pRemotePara.
// NOTE(review): the copy is only meaningful if the compiler emits this
// function as one contiguous, position-independent blob (no /GS security
// cookie, no incremental-linking thunk, no jump table); that is a build
// setting the code itself cannot verify.
// pRemotePara: parameter block already written into the target's memory.
// Returns 0, which becomes the remote thread's exit code.
static DWORD WINAPI MyFun(PRemotePara pRemotePara)
{
typedef int (WINAPI *MESSAGEBOXA)(HWND, LPCSTR, LPCSTR, UINT);
// Local name deliberately shadows user32's MessageBoxA so no import is used.
MESSAGEBOXA MessageBoxA;
MessageBoxA = (MESSAGEBOXA)pRemotePara->m_dwMessageBoxAddr;
// Call MessageBoxA through the injected address to show the message.
MessageBoxA(NULL, pRemotePara->m_msgContent, pRemotePara->m_msgTitle, MB_OK);
return 0;
}
// End-of-code marker.  Inject uses (AfterMyFun - MyFun) as the byte length of
// MyFun, so this function exists only for its address and is never called.
// NOTE(review): this assumes the toolchain lays the two functions out in
// source order and adjacently; if it reorders them the computed size is wrong.
static DWORD WINAPI AfterMyFun(void)
{
return 0;
}
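// Enables (fEnable != FALSE) or disables SeDebugPrivilege in the current
// process token.  This only toggles a privilege the token already holds --
// typically an elevated administrator token; it cannot grant the privilege.
// Returns TRUE only when the privilege state was actually changed; FALSE if
// the token cannot be opened, the LUID cannot be resolved, or the privilege
// is not present in the token (ERROR_NOT_ALL_ASSIGNED).
BOOL EnableDebugPrivilege(BOOL fEnable)
{
    BOOL fOK = FALSE;
    HANDLE hToken = NULL;

    // Only the adjust right is needed; the token is never queried.
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        return FALSE;
    }

    TOKEN_PRIVILEGES tp = { 0 };
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED : 0;

    // The lookup result was previously ignored; on failure the LUID would
    // have been left uninitialized and passed to AdjustTokenPrivileges.
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
    {
        // AdjustTokenPrivileges returns success even when it adjusted nothing
        // and reports that only via GetLastError() == ERROR_NOT_ALL_ASSIGNED,
        // so both the return value and the last error must be checked.
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL))
        {
            fOK = (GetLastError() == ERROR_SUCCESS);
        }
    }

    CloseHandle(hToken);
    return fOK;
}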
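// Fills the parameter block that will be copied into the target process: the
// two strings MessageBoxA displays and the address of MessageBoxA itself.
// The address is resolved from user32.dll in *this* process; the technique
// assumes user32.dll is mapped at the same base address in the target, which
// this code does not verify.
// remotePara: block to fill; it is zeroed first.
// Returns TRUE on success, FALSE if user32.dll or MessageBoxA cannot be
// resolved (m_dwMessageBoxAddr is then 0, so callers may also test the field).
BOOL GetMessageboxParamter(PRemotePara remotePara)
{
    // Zero everything so no uninitialized injector stack bytes (padding, the
    // unused tails of the two buffers) are written into the target process.
    ZeroMemory(remotePara, sizeof(*remotePara));

    HMODULE hUser32 = LoadLibrary(L"User32.dll");
    if (hUser32 == NULL)
    {
        return FALSE;
    }

    FARPROC pfnMessageBoxA = GetProcAddress(hUser32, "MessageBoxA");
    // Balance the LoadLibrary reference; user32 stays mapped because this
    // executable itself calls FindWindow/MessageBox from it.
    FreeLibrary(hUser32);
    if (pfnMessageBoxA == NULL)
    {
        return FALSE;
    }

    // Pointer-sized cast: a plain (DWORD) cast truncates on 64-bit builds.
    remotePara->m_dwMessageBoxAddr = (DWORD_PTR)pfnMessageBoxA;
    strcpy_s(remotePara->m_msgContent, "Hello, hello!\0");
    strcpy_s(remotePara->m_msgTitle, "Hello\0");
    return TRUE;
}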
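// Shows a Win32 failure to the user as "<text> (error code N)", reading
// GetLastError() first so no other call can overwrite it.  Replaces the
// earlier message boxes whose "%d"/"%s" placeholders were never formatted.
static void ReportFailure(LPCWSTR text, LPCWSTR title)
{
    DWORD dwError = GetLastError();
    WCHAR msg[256];
    swprintf_s(msg, ARRAYSIZE(msg), L"%s (error code %lu)", text, dwError);
    MessageBox(NULL, msg, title, MB_OK);
}

// Injects MyFun into the process that owns the top-level window titled
// "改键1.0" and runs it on a new thread there; that thread shows a message box
// (see MyFun) using the strings and MessageBoxA address prepared by
// GetMessageboxParamter.  Failures are reported to the user in a message box.
// Every remote allocation and handle is released on all exit paths.
void Inject()
{
    static const WCHAR kTargetWindowTitle[] = L"改键1.0";

    // All locals are declared before the first goto so the cleanup label can
    // be reached without jumping over an initialization (ill-formed in C++).
    HANDLE      hProcess     = NULL;
    HANDLE      hThread      = NULL;
    HWND        hStart       = NULL;
    LPVOID      pCodeRemote  = NULL;
    PRemotePara pRemotePara  = NULL;
    RemotePara  remotePara   = { 0 };
    SIZE_T      cbCodeSize   = 0;
    DWORD       dwOldProtect = 0;
    DWORD       IDThread     = 0;
    DWORD       PID          = 0;
    DWORD       TID          = 0;

    //---------------------- locate the target process ----------------------//
    // Best effort: SeDebugPrivilege only matters for processes this account
    // could not otherwise open, so its failure is left for OpenProcess to report.
    EnableDebugPrivilege(TRUE);

    hStart = FindWindow(NULL, kTargetWindowTitle);
    if (hStart == NULL)
    {
        ReportFailure(L"未找到目标窗口!", L"提示");
        return;
    }
    // For an invalid window GetWindowThreadProcessId returns 0 and leaves PID
    // untouched; the unchecked original could hand garbage to OpenProcess.
    TID = GetWindowThreadProcessId(hStart, &PID);
    if (TID == 0 || PID == 0)
    {
        ReportFailure(L"获取进程ID失败!", L"提示");
        return;
    }
    // Least privilege: request only the rights the injection uses rather
    // than PROCESS_ALL_ACCESS.
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                           FALSE, PID);
    if (hProcess == NULL)
    {
        ReportFailure(L"打开失败!", L"提示");
        return;
    }

    //------------------------- copy the code -------------------------//
    // MyFun's length is the distance to the marker that follows it; refuse to
    // continue if the linker placed the marker first (the subtraction would
    // otherwise wrap to a huge size).
    if ((LPBYTE)AfterMyFun <= (LPBYTE)MyFun)
    {
        MessageBox(NULL, L"无法计算注入代码大小!", L"提示", MB_OK);
        goto cleanup;
    }
    cbCodeSize = (SIZE_T)((LPBYTE)AfterMyFun - (LPBYTE)MyFun);

    // Write into RW memory first, then flip to execute-only (W^X); the blob
    // never modifies itself, so it does not need an RWX mapping.
    pCodeRemote = VirtualAllocEx(hProcess, NULL, cbCodeSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pCodeRemote == NULL)
    {
        ReportFailure(L"申请内存失败!", L"提示");
        goto cleanup;
    }
    if (!WriteProcessMemory(hProcess, pCodeRemote, (LPCVOID)MyFun, cbCodeSize, NULL))
    {
        ReportFailure(L"写失败", L"提示 ");
        goto cleanup;
    }
    if (!VirtualProtectEx(hProcess, pCodeRemote, cbCodeSize, PAGE_EXECUTE_READ, &dwOldProtect))
    {
        ReportFailure(L"修改内存保护失败!", L"提示");
        goto cleanup;
    }
    // Freshly written code: make sure the target CPU does not run stale
    // instruction-cache contents.
    FlushInstructionCache(hProcess, pCodeRemote, cbCodeSize);

    //----------------------- copy the parameters -----------------------//
    GetMessageboxParamter(&remotePara);
    // The address is 0 when MessageBoxA could not be resolved; a remote thread
    // that would call address 0 only crashes the target.
    if (remotePara.m_dwMessageBoxAddr == 0)
    {
        MessageBox(NULL, L"获取 MessageBoxA 地址失败!", L"提示", MB_OK);
        goto cleanup;
    }
    // Plain data: readable and writable, never executable.
    pRemotePara = (PRemotePara)VirtualAllocEx(hProcess, NULL, sizeof(RemotePara), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pRemotePara == NULL)
    {
        ReportFailure(L"main - VirtualAllocEx Failed", L"");
        goto cleanup;
    }
    if (!WriteProcessMemory(hProcess, pRemotePara, &remotePara, sizeof(RemotePara), NULL))
    {
        ReportFailure(L"main - WriteProcessMemory Failed", L"");
        goto cleanup;
    }

    //------------------------- run the code -------------------------//
    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pCodeRemote, pRemotePara, 0, &IDThread);
    if (hThread == NULL)
    {
        // The original returned here and leaked both remote allocations and
        // the process handle.
        ReportFailure(L"创建线程失败!", L"提示 ");
        goto cleanup;
    }
    // The remote thread blocks in MessageBoxA until the user dismisses it;
    // waiting keeps the injected code and parameters mapped until then.
    WaitForSingleObject(hThread, INFINITE);

cleanup:
    if (hThread != NULL)
    {
        CloseHandle(hThread);
    }
    // MEM_RELEASE requires dwSize == 0; the original passed the allocation
    // size, which makes VirtualFreeEx fail and leaves the pages mapped.
    if (pRemotePara != NULL)
    {
        VirtualFreeEx(hProcess, pRemotePara, 0, MEM_RELEASE);
    }
    if (pCodeRemote != NULL)
    {
        VirtualFreeEx(hProcess, pCodeRemote, 0, MEM_RELEASE);
    }
    CloseHandle(hProcess);
}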
// Console entry point: performs the injection once and exits with status 0.
// Command-line arguments are accepted but not used.
int _tmain(int argc, _TCHAR* argv[])
{
    UNREFERENCED_PARAMETER(argc);
    UNREFERENCED_PARAMETER(argv);
    Inject();
    return 0;
}
在学习远程注入中多亏我同学的帮忙,这也是他给我解决问题时发表的博客:http://blog.csdn.net/evi10r/article/details/7368658
远程注入代码