转载来源: http://blog.csdn.net/lostspeed/article/details/53154033
注入DLL
#include "stdafx.h"
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
typedef void (__cdecl* PFN_CalcRegSn)();
DWORD WINAPI ThreadProc(LPVOID lpThreadParameter)
{
BOOL bFindRegSnOkOnce = FALSE;
BOOL bGetTimeCostOnce = FALSE;
DWORD dwTickCostOnce = 0;
DWORD dwTickBegin = 0;
DWORD dwTickEnd = 0;
DWORD dwRetryCnt = 0;
DWORD dwRetryCntToDispMsg = 0;
DWORD dwImageBase = 0;
char* pcMsg_ok = NULL;
PFN_CalcRegSn pfnCalcRegSn = NULL;
int iRc = 0;
DWORD dwUserIn = 0;
DWORD dwIndex = 0;
char szBuf[0x100] = {'\0'};
::MessageBox(NULL, "提示", "穷举开始", MB_OK);
dwImageBase = (DWORD)GetModuleHandle(NULL);
pfnCalcRegSn = (PFN_CalcRegSn)(dwImageBase + 0x1050);
pcMsg_ok = (char*)(dwImageBase + 0x3378);
dwTickBegin = GetTickCount();
for (dwRetryCnt = 0, dwIndex = 0; dwIndex < 0xffffffff; dwIndex++, dwRetryCnt++) {
dwUserIn = 0x22222222;
__asm {
mov ecx, dwIndex
mov eax, dwUserIn
push ecx
};
iRc = 0;
pfnCalcRegSn();
__asm {
mov iRc, eax
add esp, 4h
};
if (!bGetTimeCostOnce) {
bGetTimeCostOnce = TRUE;
dwTickEnd = GetTickCount();
dwTickCostOnce = dwTickEnd - dwTickBegin;
if (dwTickCostOnce > 1) {
if (dwTickCostOnce > 30000) {
dwRetryCntToDispMsg = 1;
} else {
dwRetryCntToDispMsg = (DWORD)(1.0 * 30000 / dwTickCostOnce);
}
} else {
dwRetryCntToDispMsg = 0xfffff;
}
sprintf(szBuf, "dwRetryCntToDispMsg = 0x%8.8X, \r\n", dwRetryCntToDispMsg);
OutputDebugString(szBuf);
}
if ((1 == iRc)
&& ('o' == *pcMsg_ok)
&& ('k' == *(pcMsg_ok + 1))
&& ('\0' == *(pcMsg_ok + 2))) {
bFindRegSnOkOnce = TRUE;
sprintf(szBuf, "找到注册码! => 0x%8.8X\r\n", dwIndex);
OutputDebugString(szBuf);
} else if (bGetTimeCostOnce && (dwRetryCnt > dwRetryCntToDispMsg)) {
dwRetryCnt = 0;
sprintf(szBuf, "Finding 0x%8.8X\r\n", dwIndex);
OutputDebugString(szBuf);
}
}
if (bFindRegSnOkOnce) {
::MessageBox(NULL, "找到注册码!", "穷举成功", MB_OK);
} else {
::MessageBox(NULL, "END", "穷举结束", MB_OK);
}
return 0;
}
BOOL APIENTRY DllMain(HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call) {
case DLL_PROCESS_ATTACH: {
OutputDebugString(">> ExhaustiveDll\r\n");
CreateThread(NULL, 0, ThreadProc, NULL, NULL, NULL);
}
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH: {
OutputDebugString("<< ExhaustiveDll\r\n");
}
break;
}
return TRUE;
}
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
管理注入的EXE
#include "stdafx.h"
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <tchar.h>
#include <math.h>
#define INJECT_DLL_NAME _T("ExhaustiveDll.dll")
#define CMD_QUIT "quit"
int main(int argc, char* argv[])
{
DWORD dwProcessID = 0;
HANDLE hObjProcess = NULL;
HANDLE hRemoteThread = NULL;
char szBuf[_MAX_PATH] = {'\0'};
LPVOID lpObjProcessBuf = NULL;
SIZE_T nNumberOfBytesWritten = 0;
DWORD dwThreadID = 0;
do {
printf("请输入要注入进程的PID:");
scanf("%d", &dwProcessID);
printf("您输入的PID = %d\r\n", dwProcessID);
hObjProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessID);
if (NULL == hObjProcess) {
printf("打开进程失败\r\n");
break;
}
lpObjProcessBuf = VirtualAllocEx(hObjProcess, 0, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (NULL == lpObjProcessBuf) {
printf("在对方进程分配空间失败\r\n");
break;
}
ZeroMemory(szBuf, sizeof(szBuf));
strcpy(szBuf, INJECT_DLL_NAME);
if (!WriteProcessMemory(hObjProcess,
lpObjProcessBuf,
szBuf,
sizeof(szBuf),
&nNumberOfBytesWritten)) {
printf("写对方进程失败\r\n");
break;
}
hRemoteThread = CreateRemoteThread(hObjProcess,
NULL,
0,
(LPTHREAD_START_ROUTINE)LoadLibraryA,
(LPTSTR)(LPCTSTR)lpObjProcessBuf,
0,
&dwThreadID);
if (NULL == hRemoteThread) {
printf("建立远线程失败\r\n");
break;
}
printf("线程注入成功, 请打开debugview, 观察注入DLL的输出\r\n");
do {
printf("\r\n如果要退出程序,请输入%s, 然后回车: ", CMD_QUIT);
ZeroMemory(szBuf, sizeof(szBuf));
scanf("%4s", szBuf);
if (0 == memcmp(szBuf, CMD_QUIT, strlen(CMD_QUIT))) {
printf("收到退出命令\r\n");
break;
}
} while (1);
} while (0);
if (NULL != hRemoteThread) {
CloseHandle(hRemoteThread);
hRemoteThread = NULL;
}
if (NULL != hObjProcess) {
CloseHandle(hObjProcess);
hObjProcess = NULL;
}
printf("END\r\n");
system("pause");
return 0;
}
727
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
