#pragma warning(disable: 4996)
#include <windows.h>
#include <stdio.h>
#include <Tlhelp32.h>
#define RemoteProcessName "notepad++.exe"
HANDLE CreateRemoteThreadProc(char* szProcessName);
DWORD WINAPI WatchThreadProc(LPVOID lParam);
DWORD WINAPI RemoteProc(LPVOID lParam);
DWORD ProcessNameToID(char *szProcessName);
HANDLE MyRemoteThread(HANDLE hProcesHandle, LPTHREAD_START_ROUTINE pThredProc, LPVOID pThreadBuffer);
BOOL EnablePrivileges(const char* szNewPriveliges);
BOOL IsVistaOrLaterVersion();
BOOL ResetWindowsSystem(DWORD dwFlag, BOOL bIsForce);
typedef struct _RemoteParameter
{
DWORD dwWaitForSingleObject; // 地址
DWORD dwOpenProcess;
DWORD dwWinExec;
DWORD dwProcessPID; //本地进程ID
HANDLE hProcessHandle;
char szPath[MAX_PATH]; //本地程序地址
}REMOTEPARAM;
typedef DWORD(WINAPI *PFNTCREATETHREADEX)
(
PHANDLE ThreadHandle,
ACCESS_MASK DesiredAccess,
LPVOID lpObjectAttributes,
HANDLE ProcessHandle,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
BOOL bCreateSuspended,
DWORD dwStackSize,
DWORD dwFlag1,
DWORD dwFlag2,
LPVOID lpUnknown
);
HANDLE CreateRemoteThreadProc(char* szProcessName)
{
HANDLE hThreadHandle;
char szFilePath[MAX_PATH] = { 0 };
GetModuleFileName(NULL, szFilePath, MAX_PATH);
printf("[%s:%d] FilePath:%s\n", __FUNCTION__, __LINE__, szFilePath);
DWORD dwProcessID = ProcessNameToID(szProcessName);
printf("[%s:%d] ProcessID:%d\n", __FUNCTION__, __LINE__, dwProcessID);
HINSTANCE hKernel32Instance;
HANDLE rpHandle;
char* szRemoteThread;
char* szRemoteParam;
// 写入代码
int size = sizeof(char)* 4 * 1024;
rpHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessID);
if (rpHandle == NULL)
{
printf("[%s:%d] OpenProcess failed\n", __FUNCTION__, __LINE__);
}
szRemoteThread = (PTSTR)VirtualAllocEx(rpHandle, NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (szRemoteThread == NULL)
{
printf("[%s:%d] VirtualAllocEx failed\n", __FUNCTION__, __LINE__);
::CloseHandle(rpHandle);
}
if (WriteProcessMemory(rpHandle, szRemoteThread, (LPVOID)RemoteProc, size, NULL) == FALSE)
{
printf("[%s:%d] WriteProcessMemory failed\n", __FUNCTION__, __LINE__);
VirtualFreeEx(rpHandle, szRemoteThread, 0, MEM_RELEASE);
::CloseHandle(rpHandle);
}
// 写入参数
REMOTEPARAM rp;
memset((char*)&rp, 0, sizeof(rp));
hKernel32Instance = GetModuleHandle("kernel32.dll");
if (hKernel32Instance == NULL)
{
printf("[%s:%d] GetModuleHandle failed\n", __FUNCTION__, __LINE__);
VirtualFreeEx(rpHandle, szRemoteThread, 0, MEM_RELEASE);
CloseHandle(rpHandle);
}
rp.dwProcessPID = GetCurrentProcessId();
rp.dwOpenProcess = (DWORD)GetProcAddress(hKernel32Instance, "OpenProcess");
rp.dwWinExec = (DWORD)GetProcAddress(hKernel32Instance, "WinExec");
rp.dwWaitForSingleObject = (DWORD)GetProcAddress(hKernel32Instance, "WaitForSingleObject");
strcpy_s(rp.szPath, szFilePath);
size = sizeof(char) * sizeof(rp);
szRemoteParam = (PTSTR)VirtualAllocEx(rpHandle, NULL, size, MEM_COMMIT, PAGE_READWRITE);
if (szRemoteParam == NULL)
{
printf("[%s:%d] VirtualAllocEx failed\n", __FUNCTION__, __LINE__);
VirtualFreeEx(rpHandle, szRemoteThread, 0, MEM_RELEASE);
::CloseHandle(rpHandle);
}
if (WriteProcessMemory(rpHandle, szRemoteParam, (LPVOID)&rp, size, NULL) == FALSE)
{
printf("[%s:%d] WriteProcessMemory failed\n", __FUNCTION__, __LINE__);
VirtualFreeEx(rpHandle, szRemoteThread, 0, MEM_RELEASE);
VirtualFreeEx(rpHandle, szRemoteParam, 0, MEM_RELEASE);
::CloseHandle(rpHandle);
}
hThreadHandle = MyRemoteThread(rpHandle, (LPTHREAD_START_ROUTINE)szRemoteThread, (LPVOID)szRemoteParam);
if (hThreadHandle == NULL)
{
printf("[%s:%d] MyRemoteThread create failed\n", __FUNCTION__, __LINE__);
VirtualFreeEx(rpHandle, szRemoteThread, 0, MEM_RELEASE);
VirtualFreeEx(rpHandle, szRemoteParam, 0, MEM_RELEASE);
::CloseHandle(rpHandle);
}
return hThreadHandle;
}
DWORD WINAPI WatchThreadProc(LPVOID lParam)
{
HANDLE hRemoteThreadHandle = (HANDLE)lParam;
DWORD dwExitCode = 0;
GetExitCodeThread(hRemoteThreadHandle, &dwExitCode);
while (true)
{
if (dwExitCode != STILL_ACTIVE)
{
printf("[%s:%d] hRemoteThreadHandle is over\n", __FUNCTION__, __LINE__);
hRemoteThreadHandle = CreateRemoteThreadProc(RemoteProcessName);
}
Sleep(1000);
}
return 0;
}
DWORD WINAPI RemoteProc(LPVOID lParam)
{
REMOTEPARAM *rp = (REMOTEPARAM *)lParam;
// 定义函数只争类型
typedef UINT (WINAPI *EWinExec) (LPCSTR, UINT);
typedef HANDLE (WINAPI *EOpenProcess) (DWORD, BOOL, DWORD);
typedef DWORD (WINAPI *EWaitForSingleObject) (HANDLE, DWORD);
EWinExec tWinExec;
EOpenProcess tOpenProcess;
EWaitForSingleObject tWaitForSingleObject;
// 获取参数
tOpenProcess = (EOpenProcess)rp->dwOpenProcess;
tWaitForSingleObject = (EWaitForSingleObject)rp->dwWaitForSingleObject;
tWinExec = (EWinExec)rp->dwWinExec;
rp->hProcessHandle = tOpenProcess(PROCESS_ALL_ACCESS, FALSE, rp->dwProcessPID); //打开自己的进程
tWaitForSingleObject(rp->hProcessHandle, INFINITE); // 无限等待
tWinExec(rp->szPath, SW_SHOW); // 重新执行
return 0;
}
DWORD ProcessNameToID(char *szProcessName)
{
STARTUPINFO startInfo;
PROCESS_INFORMATION proccessInfo;
PROCESSENTRY32 ps;
HANDLE hSnapshot;
DWORD dwProcessID;
memset(&startInfo, 0, sizeof(startInfo));
memset(&proccessInfo, 0, sizeof(proccessInfo));
ps.dwSize = sizeof(PROCESSENTRY32);
hSnapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE)
{
printf("[%s:%d] CreateToolhelp32Snapshot failed\n", __FUNCTION__, __LINE__);
return FALSE;
}
if (::Process32First(hSnapshot, &ps) == FALSE)
{
return FALSE;
}
do
{
if (strcmp(ps.szExeFile, szProcessName) == 0)
{
dwProcessID = ps.th32ProcessID;
::CloseHandle(hSnapshot);
return dwProcessID;
}
} while (::Process32Next(hSnapshot, &ps));
::CloseHandle(hSnapshot);
return 0;
}
HANDLE MyRemoteThread(HANDLE hProcesHandle, LPTHREAD_START_ROUTINE pThredProc, LPVOID pThreadBuffer)
{
HANDLE hThread = NULL;
FARPROC pFunc = NULL;
// XP 和XP之前的系统不能使用NtCreateThreadEx函数,win7 64Bit才能使用NtCreateThreadEx
if (IsVistaOrLaterVersion() == TRUE)
{
pFunc = GetProcAddress(GetModuleHandle("ntdll.dll"), "NtCreateThreadEx");
if (pFunc == NULL)
{
printf("[%s:%d] GetProcAddress failed, ErrorCode:%d\n", __FUNCTION__, __LINE__, GetLastError());
return FALSE;
}
((PFNTCREATETHREADEX)pFunc)(&hThread, 0x1FFFFF, NULL, hProcesHandle, pThredProc, pThreadBuffer, FALSE, NULL, NULL, NULL, NULL);
//((PFNTCREATETHREADEX)pFunc)(&hThread, GENERIC_ALL, NULL, hProcesHandle, pThredProc, pThreadBuffer, FALSE, NULL, NULL, NULL, NULL);
if (hThread == NULL)
{
printf("[%s:%d] NtCreateThreadEx failed, ErrorCode:%d\n", __FUNCTION__, __LINE__, GetLastError());
return FALSE;
}
}
else
{
hThread = CreateRemoteThread(hProcesHandle, NULL, 0, pThredProc, pThreadBuffer, 0, NULL);
if (hThread == NULL)
{
printf("[%s:%d] CreateRemoteThread failed, ErrorCode:%d\n", __FUNCTION__, __LINE__, GetLastError());
return FALSE;
}
}
if (WAIT_FAILED == WaitForSingleObject(hThread, INFINITE))
{
printf("[%s:%d] WaitForSingleObject failed, ErrorCode:%d\n", __FUNCTION__, __LINE__, GetLastError());
return FALSE;
}
return hThread;
}
/**
* @Function:EnablePrivileges
* @Param1: szNewPrivelige, 进程权限要提升的级别,例如SE_DEBUG_NAME,SE_SHUTDOWN_NAME(关机)
* @Return: 成功返回TRUE,失败返回FALSE
* @Description:
* 提升进程权限
*/
BOOL EnablePrivileges(const char* szNewPriveliges)
{
BOOL bRet = FALSE;
HANDLE tokenHandle = INVALID_HANDLE_VALUE;
TOKEN_PRIVILEGES structTkp = { 0 };
do
{
// 令牌,Token,打开本地进程权限表,提升本地进程权限
if (::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &tokenHandle) == FALSE)
{
break;
}
if (::LookupPrivilegeValue(NULL, szNewPriveliges, &structTkp.Privileges[0].Luid) == FALSE)
{
break;
}
structTkp.PrivilegeCount = 1;
structTkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (::AdjustTokenPrivileges(tokenHandle, FALSE, &structTkp, sizeof(structTkp), NULL, NULL) == FALSE)
{
break;
}
bRet = TRUE;
} while (FALSE);
if (tokenHandle != INVALID_HANDLE_VALUE)
{
::CloseHandle(tokenHandle);
tokenHandle = INVALID_HANDLE_VALUE;
}
return bRet;
}
BOOL IsVistaOrLaterVersion()
{
OSVERSIONINFO osVersion;
ZeroMemory(&osVersion, sizeof(OSVERSIONINFO));
osVersion.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
if (GetVersionEx(&osVersion))
{
if (osVersion.dwMajorVersion >= 6) // XP->5,Vista->6.0,Win7->6.1
{
return TRUE;
}
}
return FALSE;
}
/**
* @Function: ResetWindowsSystem
* @Param1: dwFlag EWX_SHUTDOWN(关机) EWX_LOGOFF EWX_REBOOT(重启)
* @Param2: bIsEnforce 是否强制执行,值为TRUE时表示强制,FALSE表示安全模式
* @Return: 成功返回TRUE,失败返回FALSE
* @Description:
* 重置windows系统,重启,注销,关机等操作
*/
BOOL ResetWindowsSystem(DWORD dwFlag, BOOL bIsForce)
{
BOOL bRet = FALSE;
do
{
if (EnablePrivileges(SE_SHUTDOWN_NAME) == FALSE)
{
break;
}
if (bIsForce == TRUE)
{
dwFlag |= EWX_FORCE;
}
if (ExitWindowsEx(dwFlag, 0) == FALSE)
{
SetLastError(GetLastError());
break;
}
bRet = TRUE;
} while (FALSE);
return bRet;
}
int main(int argc, char* argv[])
{
HANDLE hRemoteThreadHandle;
HANDLE hLocalThreadHandle;
if (EnablePrivileges(SE_DEBUG_NAME))
{
hRemoteThreadHandle = CreateRemoteThreadProc(RemoteProcessName);
hLocalThreadHandle = CreateThread(NULL, NULL, WatchThreadProc, (LPVOID)hRemoteThreadHandle, NULL, NULL);
WaitForSingleObject(hLocalThreadHandle, INFINITE);
WaitForSingleObject(hRemoteThreadHandle, INFINITE);
}
return 0;
}
windows下远程线程注入的一个小实例
最新推荐文章于 2024-09-05 16:56:56 发布