天天看點

C語言實作遠端代碼注入

#include <windows.h>
#include <iostream>
#define STRLEN 20

typedef struct _DATA
{
    DWORD dwLoadLibrary;
    DWORD dwGetProcAddress;
    DWORD dwGetModuleHandle;
    DWORD dwGetModuleFileName;

    char User32Dll[STRLEN];
    char MessageBox[STRLEN];
    char Str[STRLEN];
}DATA, *PDATA;

DWORD WINAPI RemoteThreadProc(LPVOID lpParam)
{
    PDATA pData = (PDATA)lpParam;

    //定義API函數原型
    HMODULE (__stdcall *MyLoadLibrary)(LPCTSTR);
    FARPROC (__stdcall *MyGetProcAddress)(HMODULE, LPCSTR);
    HMODULE (__stdcall *MyGetModuleHandle)(LPCTSTR);
    int (__stdcall *MyMessageBox)(HWND, LPCTSTR, LPCTSTR, UINT);
    DWORD (__stdcall *MyGetModuleFileName)(HMODULE, LPTSTR, DWORD);

    //對各函數位址進行指派
    MyLoadLibrary = (HMODULE (__stdcall *)(LPCTSTR))pData->dwLoadLibrary;
    MyGetProcAddress = (FARPROC (__stdcall *)(HMODULE, LPCSTR))pData->dwGetProcAddress;
    MyGetModuleHandle = (HMODULE (__stdcall *)(LPCTSTR))pData->dwGetModuleHandle;
    MyGetModuleFileName = (DWORD (__stdcall *)(HMODULE, LPTSTR, DWORD))pData->dwGetModuleFileName;

    //加載user32.dll
    HMODULE hModule = MyLoadLibrary(pData->User32Dll);
    //獲得MessageBoxA的函數位址
    MyMessageBox = (int (__stdcall *)(HWND, LPCTSTR, LPCTSTR, UINT))
                        MyGetProcAddress(hModule, pData->MessageBox);
    char szModuleFileName[MAX_PATH] = {0};
    MyGetModuleFileName(NULL, szModuleFileName, MAX_PATH);

    MyMessageBox(NULL, pData->Str, szModuleFileName, MB_OK);

    return 0;
}


void InjectCode(DWORD dwPid)
{
    //打開程序并擷取程序句柄
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE,dwPid);
 
    if(NULL== hProcess)
       return;
 
    DATA Data = {0};
 
    //擷取kernel32.dll中相關的導出函數
    Data.dwLoadLibrary= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
    Data.dwGetProcAddress= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetProcAddress");
    Data.dwGetModuleHandle= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetModuleHandleA");
    Data.dwGetModuleFileName= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetModuleFileNameA");

    //需要的其他dll和導出函數
    lstrcpy(Data.User32Dll,"user32.dll");
    lstrcpy(Data.MessageBox,"MessageBoxA");
    //提示字元串
    lstrcpy(Data.Str,"Code Inject !!!");
 
    //在目标程序中申請空間
    LPVOID lpData = VirtualAllocEx(hProcess, NULL, sizeof(Data),
                     MEM_COMMIT,PAGE_EXECUTE_READWRITE);
    DWORD dwWriteNum = 0;
    WriteProcessMemory(hProcess,lpData, &Data,sizeof(Data), &dwWriteNum);
 
    //在目标程序空間中申請用于儲存代碼的長度
    WORD dwFunSize = 0x4000;
    LPVOID lpCode = VirtualAllocEx(hProcess, NULL, dwFunSize,
                     MEM_COMMIT,PAGE_EXECUTE_READWRITE);
 
    WriteProcessMemory(hProcess,lpCode,&RemoteThreadProc,
                     dwFunSize,&dwWriteNum);
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
                     (LPTHREAD_START_ROUTINE)lpCode,
                     lpData,0, NULL);
    WaitForSingleObject(hThread,INFINITE);
 
    CloseHandle(hThread);
    CloseHandle(hProcess);
}

int GetProcessID(char *Name)
{
    HWND Pid=::FindWindow(NULL,Name);
    DWORD Retn;
    ::GetWindowThreadProcessId(Pid,&Retn);
    return Retn;
}

int main()
{

    int ppid;

    ppid = ::GetProcessID("lyshark.exe");
    InjectCode(ppid);


    return 0;
}      

版權聲明:本部落格文章與代碼均為學習時整理的筆記,文章 [均為原創] 作品,轉載請 [添加出處] ,您添加出處是我創作的動力!