C/C++ 实现远程代码注入
2023-02-18 16:45:08 时间
#include <windows.h>
#include <iostream>
#define STRLEN 20
typedef struct _DATA
{
DWORD dwLoadLibrary;
DWORD dwGetProcAddress;
DWORD dwGetModuleHandle;
DWORD dwGetModuleFileName;
char User32Dll[STRLEN];
char MessageBox[STRLEN];
char Str[STRLEN];
}DATA, *PDATA;
DWORD WINAPI RemoteThreadProc(LPVOID lpParam)
{
PDATA pData = (PDATA)lpParam;
//定义API函数原型
HMODULE (__stdcall *MyLoadLibrary)(LPCTSTR);
FARPROC (__stdcall *MyGetProcAddress)(HMODULE, LPCSTR);
HMODULE (__stdcall *MyGetModuleHandle)(LPCTSTR);
int (__stdcall *MyMessageBox)(HWND, LPCTSTR, LPCTSTR, UINT);
DWORD (__stdcall *MyGetModuleFileName)(HMODULE, LPTSTR, DWORD);
//对各函数地址进行赋值
MyLoadLibrary = (HMODULE (__stdcall *)(LPCTSTR))pData->dwLoadLibrary;
MyGetProcAddress = (FARPROC (__stdcall *)(HMODULE, LPCSTR))pData->dwGetProcAddress;
MyGetModuleHandle = (HMODULE (__stdcall *)(LPCTSTR))pData->dwGetModuleHandle;
MyGetModuleFileName = (DWORD (__stdcall *)(HMODULE, LPTSTR, DWORD))pData->dwGetModuleFileName;
//加载user32.dll
HMODULE hModule = MyLoadLibrary(pData->User32Dll);
//获得MessageBoxA的函数地址
MyMessageBox = (int (__stdcall *)(HWND, LPCTSTR, LPCTSTR, UINT))
MyGetProcAddress(hModule, pData->MessageBox);
char szModuleFileName[MAX_PATH] = {0};
MyGetModuleFileName(NULL, szModuleFileName, MAX_PATH);
MyMessageBox(NULL, pData->Str, szModuleFileName, MB_OK);
return 0;
}
void InjectCode(DWORD dwPid)
{
//打开进程并获取进程句柄
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE,dwPid);
if(NULL== hProcess)
return;
DATA Data = {0};
//获取kernel32.dll中相关的导出函数
Data.dwLoadLibrary= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
Data.dwGetProcAddress= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetProcAddress");
Data.dwGetModuleHandle= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetModuleHandleA");
Data.dwGetModuleFileName= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetModuleFileNameA");
//需要的其他dll和导出函数
lstrcpy(Data.User32Dll,"user32.dll");
lstrcpy(Data.MessageBox,"MessageBoxA");
//提示字符串
lstrcpy(Data.Str,"Code Inject !!!");
//在目标进程中申请空间
LPVOID lpData = VirtualAllocEx(hProcess, NULL, sizeof(Data),
MEM_COMMIT,PAGE_EXECUTE_READWRITE);
DWORD dwWriteNum = 0;
WriteProcessMemory(hProcess,lpData, &Data,sizeof(Data), &dwWriteNum);
//在目标进程空间中申请用于保存代码的长度
WORD dwFunSize = 0x4000;
LPVOID lpCode = VirtualAllocEx(hProcess, NULL, dwFunSize,
MEM_COMMIT,PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess,lpCode,&RemoteThreadProc,
dwFunSize,&dwWriteNum);
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
(LPTHREAD_START_ROUTINE)lpCode,
lpData,0, NULL);
WaitForSingleObject(hThread,INFINITE);
CloseHandle(hThread);
CloseHandle(hProcess);
}
int GetProcessID(char *Name)
{
HWND Pid=::FindWindow(NULL,Name);
DWORD Retn;
::GetWindowThreadProcessId(Pid,&Retn);
return Retn;
}
int main()
{
int ppid;
ppid = ::GetProcessID("lyshark.exe");
InjectCode(ppid);
return 0;
}
相关文章
- 【经验之谈】Git使用之Windows环境下配置
- git clone开启云上AI开发
- 实践GoF的设计模式:代理模式
- Ubuntu & GitLab CI & Docker & ASP.NET Core 2.0 自动化发布和部署(1)
- 初学开发必看:何为Git,何为SVN
- 实践GoF的设计模式:访问者模式
- 【经验之谈】Git使用之TortoiseGit配置VS详解
- cmder git bash 使用
- 4步教你学会使用Linux-Audit工具
- 10种有用的Linux Bash_Completion 命令示例
- Ubuntu & GitLab CI & Docker & ASP.NET Core 2.0 自动化发布和部署(2)
- 实践GoF的设计模式:迭代器模式
- 【补充】Gitlab 部署 CI 持续集成
- Google Chrome 应用商店上传扩展程序
- 实践GoF的23种设计模式:观察者模式
- Ubuntu Docker 安装和配置 GitLab CI 持续集成
- Ubuntu 简单安装和配置 GitLab
- 二进制SCA指纹提取黑科技:Go语言逆向技术
- 解读Go分布式链路追踪实现原理
- 基于C#的MongoDB数据库开发应用(4)--Redis的安装及使用