代碼注入3種方式:
Ⅰ. Windows 鈎子
Ⅱ. CreateRemoteThread 和 LoadLibrary 技術
Ⅲ. CreateRemoteThread 和 WriteProcessMemory 技術
這裡我們使用第二種方式,通過動态加載dll實作代碼注入。
第一步:建立Dll工程
// Helper.cpp : 定義 DLL 應用程式的導出函數。
//
#include "stdafx.h"
#include "Helper.h"
// Shared data section. The linker directive at the end marks ".Shared" as
// RWS (read/write/shared), so g_Acc and g_Value are a single physical copy
// seen by every process that loads this DLL; that is what lets the dialog's
// own copy of the DLL read/write the values the injected copy works with.
// Anything read from here may have been written by another process, so it
// is untrusted input, and neither variable has any synchronisation.
#pragma data_seg(".Shared") // open the named shared data segment
// NOTE(review): `__volatile` is not standard C++ (the keyword is `volatile`);
// confirm the compiler in use accepts this spelling.
__volatile int g_Acc =100;
__volatile int g_Value=100;
#pragma data_seg() // back to the default data segment
#pragma comment(linker, "/Section:.Shared,RWS")
// Runs inside whichever process this DLL was loaded into; it is reached from
// the ChangeValue trampoline below (`call eax`) and takes no arguments.
// Reads the DWORD stored at the fixed virtual address 0x00460c54, adds 0x314
// to it, adds g_Acc to the DWORD at that computed location, and mirrors the
// new value into g_Value (shared section above).
// Every address is hard-coded: for any host build or load address other than
// the one these constants were taken from, this is an arbitrary read and
// write inside the host's address space. g_Acc is read from the shared
// section, so the amount added is whatever the last process to write it chose.
void __stdcall IsRoot()
{
DWORD adr = 0x00460c54;
int tmp =0;
tmp = *(DWORD*)adr + 0x314; // DWORD stored in a signed int; both are 32-bit here (pushad in ChangeValue is x86-32 only)
*(DWORD*)tmp += g_Acc;
g_Value = *(DWORD*)tmp;
}
// Detour body that the 5-byte jmp written by HookMyCtrl lands on.
// __declspec(naked): the compiler emits no prologue/epilogue, so the asm block
// is the entire function and must preserve all register state itself.
__declspec(naked) void ChangeValue()
{
__asm
{
pushad ; save all general-purpose registers (x86-32 only)
pushfd ; save EFLAGS, which IsRoot's += clobbers
mov eax,IsRoot
call eax ; IsRoot takes no arguments, so nothing to clean up after the call
popfd
popad
mov eax,0x0045C49E ; resume the host 7 bytes past the patch site (HookMyCtrl writes 5 bytes at 0x0045C497); correct only for the exact host image these constants came from
jmp eax
}
}
// Installs an inline hook: the 5 bytes at host address 0x0045C497 are
// replaced with a relative `jmp ChangeValue`. The rel32 operand is measured
// from the end of the jmp instruction, hence the "-5".
// The original bytes are never saved, so the patch cannot be undone and the
// hook lives as long as the process.
// From a defensive standpoint this sequence (VirtualProtect to RWX on a code
// page, an 0xE9 byte written into it, protection restored) is the classic
// signature of an inline code patch that integrity checks and EDR look for.
// NOTE(review): nothing in this listing calls HookMyCtrl; the dialog's
// commented-out code refers to a "StartHook" export that does not exist here.
// Confirm DllMain or another translation unit invokes it.
void HookMyCtrl()
{
LPVOID adr =(LPVOID)0x0045C497;
DWORD offset =(DWORD)ChangeValue - (DWORD)adr -5; // rel32 for the E9 jmp
BYTE code[5];
code[0]= 0xe9;//jmp
*PDWORD(code +1) = offset;// relative offset to ChangeValue
DWORD oldprotect;
if(VirtualProtect(adr,5,PAGE_EXECUTE_READWRITE,&oldprotect))
{
memcpy(adr,code,5);
VirtualProtect(adr,5,oldprotect,&oldprotect); // result ignored: on failure the page stays RWX
}
// else: fails silently; the caller cannot tell that no hook was installed
}
// Exported accessor for the shared-section g_Value. Takes one snapshot of the
// variable; another process may overwrite it at any time, there is no locking.
HELPER_API int GetValue()
{
    const int snapshot = g_Value;
    return snapshot;
}
// Exported setter for the shared-section g_Acc. The store is visible to every
// process that has this DLL loaded; no validation or locking is applied.
HELPER_API void SetACC(int value)
{
    const int newAcc = value;
    g_Acc = newAcc;
}
// Exported accessor for the shared-section g_Acc (a single unsynchronised read).
HELPER_API int GetACC()
{
    const int current = g_Acc;
    return current;
}
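// Exported helper: returns a + b.
// The sum is formed in unsigned arithmetic so that an overflowing pair of
// inputs wraps around instead of being undefined behaviour (signed overflow
// is UB in C++); the wrapped value is then converted back to int, which on
// the two's-complement targets this DLL is built for yields the usual result.
HELPER_API int CalcADD(int a,int b)
{
    const unsigned int sum = static_cast<unsigned int>(a) + static_cast<unsigned int>(b);
    return static_cast<int>(sum);
}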
第二步:建立MFC對話框工程
// Module handle for the dialog process's own copy of Helper.dll; assigned in
// OnBnClickedOk and never released with FreeLibrary in the code shown.
HMODULE g_hModule = NULL;
// Window class name used to locate the target process via FindWindow.
// srWindowName is not referenced anywhere in the code shown.
WCHAR srClassName[] =L"TForm2";
WCHAR srWindowName[] =L"Step 2";
// Signatures of the Helper.dll exports resolved with GetProcAddress.
// NOTE(review): Helper.cpp declares these exports with HELPER_API and no
// explicit calling convention, and these typedefs assume the default one;
// confirm HELPER_API does not add __stdcall, otherwise the calls mismatch.
typedef int (*PROCTYPDEF)(void);
typedef void (*PROCSETTYPEDEF)(int);
typedef int (*PROCADD)(int a,int b);
// Resolved export pointers; they stay NULL until LoadLibrary/GetProcAddress
// succeed, and OnTimer/OnBnClickedBtSet check them before calling.
// Naming is confusing: `proc` is GetValue and `procGet` is GetACC.
// procAdd is resolved but never called in the code shown.
PROCTYPDEF proc=NULL;
PROCSETTYPEDEF procSet=NULL;
PROCTYPDEF procGet=NULL;
PROCADD procAdd =NULL;
// OK button: locate the target by window class, inject Helper.dll into it,
// then load a second copy of the DLL into this process so the shared section
// (.Shared, RWS) can be used to read/write the values the injected copy uses.
// UpdataToken and InjectProcess are not defined in this listing.
void CDllInjectDlg::OnBnClickedOk()
{
// TODO: add control notification handler code here
//OnOK();
//g_hModule = LoadLibrary(L"Helper.dll");
//FARPROC WINAPI proc= GetProcAddress(g_hModule,"StartHook");
//proc();
DWORD procid =0;
CWnd* pWnd = FindWindow(srClassName,NULL); // first top-level window of this class, any caption
if (pWnd)
{
GetWindowThreadProcessId(pWnd->m_hWnd,&procid);
if (procid)
{
UpdataToken(); // presumably adjusts this process's token privileges; return value (if any) is ignored — confirm
if(InjectProcess(procid,L"Helper.dll")) // bare file name: which Helper.dll gets loaded is decided by DLL search order — TODO confirm a full path is built inside
{
MessageBox(L"注入成功!"); // modal; everything below runs after it is dismissed
g_hModule = LoadLibrary(L"Helper.dll"); // local copy, same bare-name search-order caveat
if (g_hModule)
{
procGet =(PROCTYPDEF)GetProcAddress(g_hModule,"GetACC"); // note: procGet -> GetACC, proc -> GetValue
proc= (PROCTYPDEF)GetProcAddress(g_hModule,"GetValue");
procSet= (PROCSETTYPEDEF)GetProcAddress(g_hModule,"SetACC");
procAdd = (PROCADD)GetProcAddress(g_hModule,"CalcADD");
}
SetTimer(1,100,NULL); // started even when LoadLibrary failed; OnTimer guards on the pointers
}
}
}
}
// Cancel button handler: simply delegates to the dialog's OnCancel.
void CDllInjectDlg::OnBnClickedCancel()
{
    this->OnCancel();
}
// Timer callback. Timer id 1 (started in OnBnClickedOk) refreshes the two
// display fields from the DLL exports, skipping any export that was not
// resolved. Other timer ids fall through to the base class untouched.
void CDllInjectDlg::OnTimer(UINT_PTR nIDEvent)
{
    if (nIDEvent == 1)
    {
        if (proc != NULL)
        {
            SetDlgItemInt(IDC_ET_VALUE, proc(), TRUE);
        }
        if (procGet != NULL)
        {
            SetDlgItemInt(IDC_ET_GetValue, procGet(), TRUE);
        }
    }
    CDialog::OnTimer(nIDEvent);
}
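// "Set" button: reads the integer typed into IDC_ET_SValue and stores it in
// the DLL's shared g_Acc through SetACC.
// Fixes two defects of the original ordering: the success message was shown
// before the value had been read or written, and GetDlgItemInt was called
// with a NULL translated flag, so an unparsable field silently wrote 0.
// Now an invalid field leaves g_Acc untouched and shows no message.
void CDllInjectDlg::OnBnClickedBtSet()
{
    if (procSet == NULL)
    {
        return; // DLL exports not resolved yet
    }
    BOOL translated = FALSE;
    const int accValue = GetDlgItemInt(IDC_ET_SValue, &translated, TRUE);
    if (!translated)
    {
        return; // not a valid signed integer; nothing written
    }
    procSet(accValue);
    MessageBox(L"寫入成功!"); // reported only after the write actually happened
}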