宿主进程 exe.exe
#include <stdio.h>
#include <time.h>
#include <windows.h>
int foo (void)
{
printf("foo\n");
// MessageBox(NULL, "foo", "Notice", MB_OK);
#if 0
HINSTANCE hUser32 = LoadLibrary("User32.dll");
typedef int (*DllFun)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);
DllFun dwMessageBox = (DllFun)GetProcAddress(hUser32, "MessageBoxA");
#endif
// printf("dwMessageBox GetProcAddress:%0p\n", dwMessageBox);
// dwMessageBox(NULL, "foo", "Notice", MB_OK);
HINSTANCE hdll = LoadLibrary("C:\\Downloads\\hookexe\\hookdll\\Debug\\hookdll.dll");
// fnHookfoo对应的函数类型 HOOKDLL_API int fnHookdll(void)
typedef int (*DllFun)(void);
DllFun foo = (DllFun)GetProcAddress(hdll, "fnHookdll");
///printf("%p\n", foo);
foo();
return 0;
}
int main(int argc, char* argv[])
{
while (1)
{
Sleep(1000);
foo ();
}
return 0;
}
远程注入进程hookexe2.exe
// hookexe2.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#pragma once
#include <windows.h>
#include <TlHelp32.h>
#include <stdio.h>
//线程参数结构体定义
typedef struct _RemoteParam {
char szMsg[12]; //MessageBox函数中显示的字符提示
DWORD dwMessageBox;//MessageBox函数的入口地址
} RemoteParam, * PRemoteParam;
//定义MessageBox类型的函数指针
typedef int (__stdcall * PFN_MESSAGEBOX)(HWND, LPCTSTR, LPCTSTR, DWORD);
//线程函数定义
DWORD __stdcall threadProc(LPVOID lParam)
{
//只要使用api必须拦截 !!!!!!!!
RemoteParam* pRP = (RemoteParam*)lParam;
typedef int (*DllFun)(void); // 函数指针,注意要和原函数的原型一制
DllFun MyFun = (DllFun)pRP->dwMessageBox;
//就是这句有错!!!!!!!!!
// printf("threadProc GetProcAddress:%0p\n", MyFun);
// printf("szMsg:%s\n", pRP->szMsg);
(DllFun)MyFun();
return 0;
}
//提升进程访问权限
bool enableDebugPriv()
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
return false;
}
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue)) {
CloseHandle(hToken);
return false;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)) {
CloseHandle(hToken);
return false;
}
return true;
}
//根据进程名称得到进程ID,如果有多个运行实例的话,返回第一个枚举到的进程的ID
DWORD processNameToId(LPCTSTR lpszProcessName)
{
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
PROCESSENTRY32 pe;
pe.dwSize = sizeof(PROCESSENTRY32);
if (!Process32First(hSnapshot, &pe)) {
MessageBox(NULL,
"The frist entry of the process list has not been copyied to the buffer",
"Notice", MB_ICONINFORMATION | MB_OK);
return 0;
}
while (Process32Next(hSnapshot, &pe)) {
if (!strcmp(lpszProcessName, pe.szExeFile)) {
return pe.th32ProcessID;
}
}
return 0;
}
int main(int argc, char* argv[])
{
//定义线程体的大小
const DWORD dwThreadSize = 4096;
DWORD dwWriteBytes;
//提升进程访问权限
enableDebugPriv();
//等待输入进程名称,注意大小写匹配
char szExeName[MAX_PATH] = { 0 };
//cout<< "Please input the name of target process !" <<endl;
//
// cin >> szExeName;
// cout<<szExeName<<endl;
//strcpy(szExeName,"notepad.exe");
scanf("%s",szExeName);
//cout<<szExeName<<endl;
DWORD dwProcessId = processNameToId(szExeName);
if (dwProcessId == 0) {
MessageBox(NULL, "The target process have not been found !",
"Notice", MB_ICONINFORMATION | MB_OK);
return -1;
}
//根据进程ID得到进程句柄
HANDLE hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
if (!hTargetProcess) {
MessageBox(NULL, "Open target process failed !",
"Notice", MB_ICONINFORMATION | MB_OK);
return 0;
}
//在宿主进程中为线程体开辟一块存储区域
//在这里需要注意MEM_COMMIT | MEM_RESERVE内存非配类型以及PAGE_EXECUTE_READWRITE内存保护类型
//其具体含义请参考MSDN中关于VirtualAllocEx函数的说明。
void* pRemoteThread = VirtualAllocEx(hTargetProcess, 0,
dwThreadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (!pRemoteThread) {
MessageBox(NULL, "Alloc memory in target process failed !",
"notice", MB_ICONINFORMATION | MB_OK);
return 0;
}
//将线程体拷贝到宿主进程中
if (!WriteProcessMemory(hTargetProcess,
pRemoteThread, &threadProc, dwThreadSize, 0)) {
MessageBox(NULL, "Write data to target process failed !",
"Notice", MB_ICONINFORMATION | MB_OK);
return 0;
}
//定义线程参数结构体变量
RemoteParam remoteData;
ZeroMemory(&remoteData, sizeof(RemoteParam));
//填充结构体变量中的成员
HINSTANCE hdll = LoadLibrary("C:\\Downloads\\hookexe\\hookdll\\Debug\\hookdll.dll");
// fnHookfoo对应的函数类型 HOOKDLL_API int fnHookdll(void)
remoteData.dwMessageBox = (DWORD)GetProcAddress(hdll, "fnHookdll");
strcat(remoteData.szMsg, "Hello\n");
printf("remoteData.dwMessageBox %p\n", remoteData.dwMessageBox);
//为线程参数在宿主进程中开辟存储区域
RemoteParam* pRemoteParam = (RemoteParam*)VirtualAllocEx(
hTargetProcess , 0, sizeof(RemoteParam), MEM_COMMIT, PAGE_READWRITE);
if (!pRemoteParam) {
MessageBox(NULL, "Alloc memory failed !",
"Notice", MB_ICONINFORMATION | MB_OK);
return 0;
}
//将线程参数拷贝到宿主进程地址空间中
if (!WriteProcessMemory(hTargetProcess ,
pRemoteParam, &remoteData, sizeof(remoteData), 0)) {
MessageBox(NULL, "Write data to target process failed !",
"Notice", MB_ICONINFORMATION | MB_OK);
return 0;
}
//在宿主进程中创建线程
HANDLE hRemoteThread = CreateRemoteThread(
hTargetProcess, NULL, 0, (DWORD (__stdcall *)(void *))pRemoteThread,
pRemoteParam, 0, &dwWriteBytes);
if (!hRemoteThread) {
MessageBox(NULL, "Create remote thread failed !", "Notice", MB_ICONINFORMATION | MB_OK);
return 0;
}
CloseHandle(hRemoteThread);
FreeLibrary(hdll);
return 0;
}
对应的DLL文件源码C:\\Downloads\\hookexe\\hookdll\\Debug\\hookdll.dll
// This is an example of an exported function.
HOOKDLL_API int fnHookdll(void)
{
char msg[] = "fnHookdll"; // 常量字符串不可复制到其它进程,因此使用局部变量数组
puts (msg);
return 42;
}
试验步骤
1) 运行宿主进程exe.exe
2) 运行hook进程hookexe2.exe
效果:
hook进程hookexe2.exe 中显示连续的fnHookdll, 意味着hookexe2.exe在宿主进程exe.exe中创建的线程执行成功!
1273
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
