反恐精英1.6远线程注入器测试型源码(编译即可用)
#include <Windows.h>
#include <iostream>
#include <tlhelp32.h>
#include <WtsApi32.h>
#include <atlconv.h>
#include <stdio.h>
#include <Tlhelp32.h>
#include <tchar.h>
//注入器
// Injector: loads the DLL at pszDllFileName into the process with PID
// dwProcessId by copying the path into the target's address space and
// starting a remote thread at LoadLibraryA through ntdll's ZwCreateThreadEx.
//
// Parameters:
//   dwProcessId    - PID of the target process.
//   pszDllFileName - NUL-terminated ANSI path of the DLL; strlen()+1 bytes
//                    (terminator included) are copied into the target.
// Returns TRUE once a remote thread handle was obtained, FALSE on any earlier
// failure. TRUE does not mean the DLL finished loading: the thread is never
// waited on and the NTSTATUS stored in dwStatus is never inspected.
//
// Review notes (defects observed, not fixed here):
//   * every `return FALSE` after OpenProcess leaks hProcess; the ones after
//     LoadLibraryA also leak the hNtdll reference; hRemoteThread is never
//     closed even on the success path.
//   * the message printed when OpenProcess fails is the "memory allocation
//     failed" text (same as the VirtualAllocEx failure), which misattributes
//     the error.
//   * LoadLibraryA is resolved in *this* process and reused as the remote
//     start address; that presumably only works when kernel32 is mapped at
//     the same base in the target (same bitness, same boot) — TODO confirm.
//
// Detection note: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx ->
// WriteProcessMemory -> cross-process thread whose start address is
// LoadLibraryA is the textbook remote-thread injection sequence; it is
// exactly what cross-process thread-creation telemetry (Sysmon event 8,
// EDR thread-notify callbacks) is built to surface.
BOOL ZwCreateThreadExInjectDll(DWORD dwProcessId, char* pszDllFileName)
{
HANDLE hProcess = NULL;
SIZE_T dwSize = 0;
LPVOID pDllAddr = NULL; // remote buffer that will hold the DLL path
FARPROC pFunProcAddr = NULL; // address of LoadLibraryA, resolved below
HANDLE hRemoteThread = NULL;// out-handle filled in by ZwCreateThreadEx
DWORD dwStatus = 0; // NTSTATUS from ZwCreateThreadEx; assigned but never checked
// Open the target process by PID to obtain a handle.
// Full access is requested; the call returns NULL when the caller does not
// have that access to the target.
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
if (hProcess == NULL)
{
// NOTE(review): this text reads "memory allocation failed", but the
// failure here is OpenProcess; the message should say the process could
// not be opened.
printf("申请内存失败!\n");
return FALSE;
}
else
{
printf("打开进程成功\r\n");
}
// Size of the path including its NUL terminator.
dwSize = strlen(pszDllFileName) + 1;
// Allocate a read/write buffer in the target process to hold the DLL path.
pDllAddr = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
if (pDllAddr == NULL)
{
// NOTE(review): returns without CloseHandle(hProcess) — handle leak.
printf("申请内存失败\r\n");
return FALSE;
}
else
{
printf("申请内存成功\r\n");
}
// Copy the DLL path into the buffer just allocated in the target.
BOOL bIsSucess = WriteProcessMemory(hProcess, pDllAddr, pszDllFileName, dwSize, NULL);
if (bIsSucess == FALSE)
{
// NOTE(review): returns without CloseHandle(hProcess); the remote buffer
// is left committed as well.
printf("写入内存失败\r\n");
return FALSE;
}
else
{
printf("写入内存成功\r\n");
}
// Load ntdll.dll so ZwCreateThreadEx can be resolved from it. The routine
// is looked up dynamically and given a local typedef rather than taken from
// a header.
HMODULE hNtdll = LoadLibraryA("ntdll.dll");
if (hNtdll == NULL)
{
printf("加载ntdll失败\r\n");
return FALSE;
}
else
{
printf("加载ntdll成功\r\n");
}
// Resolve LoadLibraryA in this process; it becomes the start address of the
// remote thread, with the remote copy of the DLL path as its argument.
pFunProcAddr = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "LoadLibraryA");
if (pFunProcAddr == NULL)
{
// NOTE(review): leaks hProcess and the hNtdll reference.
printf("加载LoadLibraryA函数地址失败\r\n");
return FALSE;
}
else
{
printf("加载LoadLibraryA函数地址成功\r\n");
}
// Local prototype for ZwCreateThreadEx. The parameter list differs between
// 64-bit and 32-bit builds, so two typedefs are kept under _WIN64.
#ifdef _WIN64
typedef DWORD(WINAPI* typedef_ZwCreateThreadEx)(
PHANDLE ThreadHandle,
ACCESS_MASK DesiredAccess,
LPVOID ObjectAttributes,
HANDLE ProcessHandle,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
ULONG CreateThreadFlags,
SIZE_T ZeroBits,
SIZE_T StackSize,
SIZE_T MaximumStackSize,
LPVOID pUnkown);
#else
typedef DWORD(WINAPI* typedef_ZwCreateThreadEx)(
PHANDLE ThreadHandle, // receives the new thread handle
ACCESS_MASK DesiredAccess,
LPVOID ObjectAttributes,
HANDLE ProcessHandle, // target process handle
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
BOOL CreateSuspended,
DWORD dwStackSize,
DWORD dw1,
DWORD dw2,
LPVOID pUnkown);
#endif
// C-style cast from FARPROC to the local prototype.
typedef_ZwCreateThreadEx ZwCreateThreadEx = (typedef_ZwCreateThreadEx)GetProcAddress(hNtdll, "ZwCreateThreadEx");
if (ZwCreateThreadEx == NULL)
{
// NOTE(review): leaks hProcess and the hNtdll reference.
printf("加载ZwCreateThreadEx函数地址失败\r\n");
return FALSE;
}
else
{
printf("加载ZwCreateThreadEx函数地址成功\r\n");
}
// Create the remote thread: it starts at LoadLibraryA with pDllAddr (the
// DLL path in the target) as its single parameter.
dwStatus = ZwCreateThreadEx(
&hRemoteThread,
THREAD_ALL_ACCESS,
NULL,
hProcess,
(LPTHREAD_START_ROUTINE)pFunProcAddr,
pDllAddr,
0, 0, 0, 0, NULL);
// NOTE(review): success is judged only by the out-handle being non-NULL;
// dwStatus is ignored, the thread is never waited on, and hRemoteThread is
// never closed.
if (hRemoteThread == NULL)
{
printf("远程线程注入失败\r\n");
return FALSE;
}
else
{
printf("远程线程注入成功\r\n");
}
// Release handles — success path only; the failure paths above do not.
CloseHandle(hProcess);
FreeLibrary(hNtdll);
return TRUE;
}
// Entry point: finds the PID of "cstrike.exe" with a Toolhelp snapshot and
// hands it, together with a hard-coded DLL path, to ZwCreateThreadExInjectDll.
// Returns 0 implicitly (no return statement) whatever the outcome.
//
// Review notes (defects observed, not fixed here):
//   * `ID` has no initializer and is only assigned when a match is found; if
//     no cstrike.exe is running, `dwProcessId = ID` reads an indeterminate
//     value and the injection targets an arbitrary PID.
//   * hSnapshot is never closed (no CloseHandle) — one handle leaked per run.
//   * the loop calls Process32Next before comparing, so the entry returned by
//     Process32First is never examined, and the final comparison runs on `pi`
//     after Process32Next has already returned FALSE.
//   * `name == pi.szExeFile` compares std::string with a TCHAR array, which
//     only compiles in a non-UNICODE (MBCS) build — presumably the project's
//     setting, since T2A on a narrow literal is then an identity conversion.
//   * std::string is used without <string>; it currently arrives transitively
//     via <iostream> — TODO include it explicitly.
int main() {
std::string name; // executable name to search for
int ID; // NOTE(review): uninitialized; see notes above
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (INVALID_HANDLE_VALUE == hSnapshot)
{
return 0;
}
PROCESSENTRY32 pi;
pi.dwSize = sizeof(PROCESSENTRY32); // dwSize must be set before the first Process32First call
BOOL bRet = Process32First(hSnapshot, &pi);
name = "cstrike.exe";
while (bRet)
{
//printf("process ID = %d, process path = %s\r\n", pi.th32ProcessID, pi.szExeFile);
bRet = Process32Next(hSnapshot, &pi); // advances before comparing: the first entry is skipped
if (name == pi.szExeFile) {
ID = pi.th32ProcessID;
break;
}
}
USES_CONVERSION;
// Set this to the location of the DLL you intend to load; do not copy it blindly.
char* szDllPath = T2A("D:\\空项目试验场\\Dll1\\Debug\\Dll1.dll");
DWORD dwProcessId = ID;
// Remote-thread injection into the located process.
BOOL bIsSuccess = ZwCreateThreadExInjectDll(dwProcessId, szDllPath);
if (bIsSuccess)
{
printf("远程线程注入成功\r\n");
}
else
{
printf("远程线程注入失败\r\n");
}
}
PS:测试用弹窗dll,下面附图