以下是自己看到的讲解得比较好的关于代码注入的博文。
#include "stdafx.h"
#include<windows.h>
#include<stdio.h>
#include <stdlib.h>
#include <iostream>
#include <Tlhelp32.h>
#include <string.h>
#define MAXWAIT 256
typedef struct _INJECT_PARAM
{
// Parameter block that insertNew copies into the target process and hands to
// RemoteThreadProc as its LPVOID argument.  It has to be usable from the foreign
// address space, so the two imports travel as raw addresses and the strings are
// inline arrays rather than pointers back into this process.
DWORD pid;             // forwarded unchanged as the 1st argument of the export named in FunName
DWORD tid;             // forwarded as the 2nd argument (insertNew always stores 1)
DWORD Hload;           // address of LoadLibraryA resolved in insertNew; a DWORD only holds a 32-bit pointer
DWORD HgetProc;        // address of GetProcAddress resolved in insertNew (same 32-bit limitation)
char DllPath[256];     // path passed to LoadLibraryA inside the target
char FunName[50];      // export looked up in that DLL with GetProcAddress
char LoadDllName[256]; // forwarded as the 3rd argument of that export
} INJECT_PARAM, *PINJECT_PARAM;
#pragma check_stack(off)
static DWORD WINAPI RemoteThreadProc(LPVOID lpParameter)
{
// Thread body that insertNew copies byte-for-byte into the target process and
// starts with CreateRemoteThread.  Because it executes at a foreign address it
// must reference nothing outside `lpParameter`: both functions it needs arrive
// as raw addresses in the INJECT_PARAM block, and any compiler-generated call
// (stack probes, CRT helpers) would resolve into this process's address space
// and fault in the target -- presumably the reason check_stack is turned off
// around this function.
//
// Returns TRUE (exit code 1); insertNew reads it back with GetExitCodeThread.
typedef HMODULE (WINAPI *PFN_LoadLibrary)(LPCTSTR);
typedef FARPROC (WINAPI *PFN_GetPro)(HMODULE ,LPCSTR );
// No WINAPI here: if the export is actually __stdcall this mismatch corrupts the
// remote thread's stack on x86 -- confirm the convention of CreateOverlay.
typedef BOOL ( *PFN_CreateOverLay)(DWORD ,DWORD,LPCSTR );
DWORD lfnAddr=0; // unused (its only use is commented out below)
PINJECT_PARAM lpParam = (PINJECT_PARAM)lpParameter;
// Hload is filled from GetProcAddress(kernel32, "LoadLibraryA") in insertNew, so
// the callee really takes a narrow string even though the typedef says LPCTSTR.
PFN_LoadLibrary PFN_LoadLibraryA = (PFN_LoadLibrary)lpParam->Hload;
PFN_GetPro PFN_GetProA = (PFN_GetPro)lpParam->HgetProc;
HMODULE Hre=PFN_LoadLibraryA((LPCTSTR)lpParam->DllPath);
//lfnAddr=(DWORD)PFN_GetProA(Hre, lpParam->FunName);
// Hre is never checked: if the load fails, the lookup on a NULL module most
// likely yields NULL and the call below dereferences it, crashing the *target*
// process instead of reporting the error back to the injector.
PFN_CreateOverLay PFN_CreateOverLayA=(PFN_CreateOverLay)PFN_GetProA(Hre, lpParam->FunName);
PFN_CreateOverLayA(lpParam->pid,lpParam->tid,lpParam->LoadDllName);
return TRUE;
}
// Empty sentinel whose only purpose is its address: insertNew subtracts the
// address of RemoteThreadProc from it to size the code it copies out, so it has
// to stay directly after RemoteThreadProc in this translation unit (nothing in
// the source forces the linker to honour that).
static void AfterRemoteThreadProc(void)
{
}
#pragma check_stack
// Turns on SeDebugPrivilege in the current process token so that OpenProcess can
// later reach processes owned by other users.  Returns TRUE when
// AdjustTokenPrivileges reported success, FALSE on any API failure; the token
// handle is closed on every path after it was opened.
//
// Note: AdjustTokenPrivileges returns non-zero even when the privilege could not
// be granted (GetLastError() == ERROR_NOT_ALL_ASSIGNED), so TRUE here does not
// prove the caller actually holds SeDebugPrivilege.
BOOL EnableDebugPrivilege()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken))
    {
        return false;
    }

    BOOL adjusted = false;
    LUID debugLuid;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &debugLuid))
    {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = debugLuid;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        adjusted = AdjustTokenPrivileges(hToken, false, &tp, NULL, NULL, NULL) != 0;
    }

    CloseHandle(hToken);
    return adjusted;
}
int insertNew(DWORD pid)
{
// Loads a DLL into process `pid` with the classic CreateRemoteThread technique:
// OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
// (ATT&CK T1055.001).  That exact call sequence -- a thread created in another
// process whose start address lies in freshly allocated memory -- is what
// Sysmon Event ID 8 and most EDR products alert on, which is the key thing to
// know when reading this code from the defensive side.
//
// Returns 1 once the remote thread has finished, 0 on any failure.  Every
// failure path after OpenProcess returns without CloseHandle(hProcess), and
// nothing ever calls VirtualFreeEx, so both remote allocations persist in the
// target for its lifetime.
HANDLE hThread=NULL;//handle of the remote thread
HANDLE hProcess=NULL;//handle of the process being injected into
LPVOID lpDllRemotePath=NULL;//memory allocated in the target for the INJECT_PARAM block
HMODULE hmodule=NULL;//kernel32 module handle
FARPROC lfnAddr=NULL;//address of LoadLibraryA
// Hard-coded build-machine path: the injector only works on a host where this
// exact file exists and the target process is allowed to read it.
char szDllPathName[]="D:\\work\\RC\\overlay\\xoverlay.new\\Bin.vc7\\overlay_d.dll";
LPVOID lpThreadProc = NULL;
INJECT_PARAM stParam = {0};
//HMODULE st=LoadLibraryA(szDllPathName);
// SeDebugPrivilege is required to open processes of other users / SYSTEM; the
// same privilege change a debugger makes, and one worth auditing because it
// rarely occurs outside tooling like this.
if(!EnableDebugPrivilege())
{
printf("提权失败!\n");
return 0;
}
// PROCESS_ALL_ACCESS requests far more than the memory-write and thread-creation
// rights this function actually needs; the over-broad request is itself a
// common detection signal.
hProcess=OpenProcess(PROCESS_ALL_ACCESS,false,pid);//open the target process
DWORD havewrite,id; // both unused
if(hProcess==NULL)
{
printf("OpenProcess error!\n");
return 0;
}
UINT size=sizeof(szDllPathName)*sizeof(WCHAR); // computed but never used
// The thread body is sized as the distance between two adjacent function
// symbols.  That only holds if the linker keeps AfterRemoteThreadProc right
// after RemoteThreadProc with no reordering or COMDAT folding -- nothing in the
// source guarantees it, so the copy below can be short or over-long.
DWORD cbCodeSize=(BYTE *)AfterRemoteThreadProc - (BYTE *)RemoteThreadProc;
// One read/write page: its contents are later used as a thread start address
// (CreateRemoteThread below) although the page carries no execute permission,
// which a DEP-enforcing target rejects.
lpThreadProc=VirtualAllocEx(hProcess,NULL,4096,MEM_COMMIT,PAGE_READWRITE);//allocate memory in the target
if(lpThreadProc==NULL)
{
printf("VirtualAllocEx error!\n");
return 0; // hProcess leaks
}
if(!WriteProcessMemory(hProcess,lpThreadProc,(LPVOID)RemoteThreadProc,cbCodeSize,NULL))
{
printf("writeprocessmemory error!\n");
return 0; // hProcess leaks; the remote page is never freed
}
HMODULE hUser32 = LoadLibrary(TEXT("user32.dll")); // loaded locally and never used
// Addresses are resolved in *this* process and reused in the target.  That is
// only valid while kernel32.dll is mapped at the same base in both processes --
// usually true within one boot of a given Windows install, but not verified.
hmodule=GetModuleHandle(_T("kernel32.dll"));
lfnAddr=GetProcAddress(hmodule,"LoadLibraryA");
stParam.Hload=(DWORD)lfnAddr; // DWORD cast: only correct for a 32-bit build
stParam.HgetProc=(DWORD)GetProcAddress(hmodule, "GetProcAddress");
stParam.pid=pid;
stParam.tid=1;
// All three sources are compile-time literals that fit their 256/50/256-byte
// buffers, so the unbounded strcpy is safe here; it would not be for a
// caller-supplied path.
strcpy(stParam.DllPath, szDllPathName);
strcpy(stParam.FunName,"CreateOverlay");
strcpy(stParam.LoadDllName,"overlay_d.dll");
// This second allocation is RWX although it only ever holds data.
lpDllRemotePath = VirtualAllocEx(hProcess, NULL, sizeof(INJECT_PARAM),
MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if(lpDllRemotePath==NULL)
{
printf("VirtualAllocEx error!\n");
return 0; // hProcess leaks
}
// Return value ignored: a failed or partial write leaves the remote thread
// reading an uninitialised parameter block.
WriteProcessMemory(hProcess, lpDllRemotePath, (LPVOID)&stParam,
sizeof(stParam), NULL);
hThread=CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)lpThreadProc,lpDllRemotePath,0,NULL);
if(hThread==NULL)
{
printf("CreateRemoteThread error!\n");
return 0; // hProcess leaks
}
DWORD ret=0;
// Queried *before* waiting, so while the thread is still running ret holds
// STILL_ACTIVE (259), not RemoteThreadProc's return value; in practice the
// "maybe fail" message is only reached when GetExitCodeThread itself fails and
// leaves ret at 0.
GetExitCodeThread(hThread, &ret);
if (ret==0)
{
printf("createRemoteThrad maybe fail!\n");
}
::WaitForSingleObject( hThread, INFINITE ); // blocks forever if the remote thread never returns
CloseHandle(hThread);
CloseHandle(hProcess);
return 1;
}
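// Console entry point: reads a PID from stdin and hands it to insertNew.
// argc/argv are unused.  Returns 1 unconditionally (kept from the original,
// so the exit status does not reflect success or failure).
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;
    int id = 0;
    printf("输入进程ID:");
    // scanf leaves `id` indeterminate on non-numeric input and the original
    // passed that value straight through as a PID; a PID is never negative,
    // so anything that is not a non-negative integer is treated as a failure.
    if (scanf("%d", &id) != 1 || id < 0)
    {
        printf("注入失败!\n");
    }
    else if (!insertNew((DWORD)id))
    {
        printf("注入失败!\n");
    }
    else
    {
        printf("注入成功\n");
    }
    system("pause"); // fixed literal, not user-controlled; keeps the console window open
    return 1;
}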