C/C++ 实现远程代码注入
C/C++ 实现远程代码注入
微软技术分享
发布于 2022-12-28 14:47:09
发布于 2022-12-28 14:47:09
#include <windows.h>
#include <iostream>
#define STRLEN 20
typedef struct _DATA
{
DWORD dwLoadLibrary;
DWORD dwGetProcAddress;
DWORD dwGetModuleHandle;
DWORD dwGetModuleFileName;
char User32Dll[STRLEN];
char MessageBox[STRLEN];
char Str[STRLEN];
}DATA, *PDATA;
DWORD WINAPI RemoteThreadProc(LPVOID lpParam)
{
PDATA pData = (PDATA)lpParam;
//定义API函数原型
HMODULE (__stdcall *MyLoadLibrary)(LPCTSTR);
FARPROC (__stdcall *MyGetProcAddress)(HMODULE, LPCSTR);
HMODULE (__stdcall *MyGetModuleHandle)(LPCTSTR);
int (__stdcall *MyMessageBox)(HWND, LPCTSTR, LPCTSTR, UINT);
DWORD (__stdcall *MyGetModuleFileName)(HMODULE, LPTSTR, DWORD);
//对各函数地址进行赋值
MyLoadLibrary = (HMODULE (__stdcall *)(LPCTSTR))pData->dwLoadLibrary;
MyGetProcAddress = (FARPROC (__stdcall *)(HMODULE, LPCSTR))pData->dwGetProcAddress;
MyGetModuleHandle = (HMODULE (__stdcall *)(LPCTSTR))pData->dwGetModuleHandle;
MyGetModuleFileName = (DWORD (__stdcall *)(HMODULE, LPTSTR, DWORD))pData->dwGetModuleFileName;
//加载user32.dll
HMODULE hModule = MyLoadLibrary(pData->User32Dll);
//获得MessageBoxA的函数地址
MyMessageBox = (int (__stdcall *)(HWND, LPCTSTR, LPCTSTR, UINT))
MyGetProcAddress(hModule, pData->MessageBox);
char szModuleFileName[MAX_PATH] = {0};
MyGetModuleFileName(NULL, szModuleFileName, MAX_PATH);
MyMessageBox(NULL, pData->Str, szModuleFileName, MB_OK);
return 0;
}
void InjectCode(DWORD dwPid)
{
//打开进程并获取进程句柄
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE,dwPid);
if(NULL== hProcess)
return;
DATA Data = {0};
//获取kernel32.dll中相关的导出函数
Data.dwLoadLibrary= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
Data.dwGetProcAddress= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetProcAddress");
Data.dwGetModuleHandle= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetModuleHandleA");
Data.dwGetModuleFileName= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetModuleFileNameA");
//需要的其他dll和导出函数
lstrcpy(Data.User32Dll,"user32.dll");
lstrcpy(Data.MessageBox,"MessageBoxA");
//提示字符串
lstrcpy(Data.Str,"Code Inject !!!");
//在目标进程中申请空间
LPVOID lpData = VirtualAllocEx(hProcess, NULL, sizeof(Data),
MEM_COMMIT,PAGE_EXECUTE_READWRITE);
DWORD dwWriteNum = 0;
WriteProcessMemory(hProcess,lpData, &Data,sizeof(Data), &dwWriteNum);
//在目标进程空间中申请用于保存代码的长度
WORD dwFunSize = 0x4000;
LPVOID lpCode = VirtualAllocEx(hProcess, NULL, dwFunSize,
MEM_COMMIT,PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess,lpCode,&RemoteThreadProc,
dwFunSize,&dwWriteNum);
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
(LPTHREAD_START_ROUTINE)lpCode,
lpData,0, NULL);
WaitForSingleObject(hThread,INFINITE);
CloseHandle(hThread);
CloseHandle(hProcess);
}
int GetProcessID(char *Name)
{
HWND Pid=::FindWindow(NULL,Name);
DWORD Retn;
::GetWindowThreadProcessId(Pid,&Retn);
return Retn;
}
int main()
{
int ppid;
ppid = ::GetProcessID("lyshark.exe");
InjectCode(ppid);
return 0;
}本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。
原始发表:2019-06-21,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
腾讯云开发者
