
远程进程的Dll注入[黑防]

#include "stdafx.h"
 #include <stdio.h>
 #include <windows.h>
 #include <tlhelp32.h>
 /*
 一、OpenProcessToken函数
 打开进程令牌环
 二、LookupPrivilegeValue函数
 获得进程本地唯一ID
 三、AdjustTokenPrivileges函数
 提升进程的权限
 */
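 /*
 * Enable one named privilege (the caller passes SE_DEBUG_NAME) in the
 * current process token.
 *
 * name: privilege name as understood by LookupPrivilegeValueA.
 * Returns 0 on success, -1 on any failure; a message is printed either way.
 *
 * AdjustTokenPrivileges reports TRUE even when the privilege is not held
 * and therefore could not be enabled; that case is only visible as
 * GetLastError() == ERROR_NOT_ALL_ASSIGNED, so it is checked explicitly.
 * The token handle is closed on every path (the original leaked it).
 */
int EnableDebugPriv(const char* name)
{
    HANDLE hToken = NULL;
    LUID luid;
    TOKEN_PRIVILEGES tp;
    int rc = -1;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        printf("打开指定令牌环失败!\n");
        return -1;
    }
    if (!LookupPrivilegeValueA(NULL, name, &luid))
    {
        printf("查询LUID失败!\n");
        goto out;
    }
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    /* BufferLength is a DWORD, so pass 0 rather than NULL */
    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL)
        || GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        printf("提升进程权限失败!\n");
        goto out;
    }
    printf("提升权限成功!\n");
    rc = 0;
out:
    CloseHandle(hToken);
    return rc;
}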
 /*
 一、打开远程进程
 OpenProcess函数
 二、在远程进程的内存中分配空间
 VirtualAllocEx函数
 三、远程进程的内存的写入
 WriteProcessMemory函数
 四、找到LoadLibrary函数在Kernel32中的地址
 GetProcAddress函数
 五、在远程进程中创建线程(远程线程)
 CreateRemoteThread函数
 */
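 /*
 * Load DllFullPath into process dwRemoteProcessId: the path string is
 * copied into that process and a thread is started there at
 * kernel32!LoadLibraryA with the copied path as its argument.
 *
 * DllFullPath:       NUL-terminated path passed to LoadLibraryA in the target.
 * dwRemoteProcessId: target process id.
 * Returns TRUE once the remote thread has been created, FALSE on any
 * failure (a message is printed). Whether LoadLibraryA itself succeeded
 * in the target is not checked; this function does not wait for the thread.
 *
 * Resource handling: the process handle and the thread handle are closed on
 * every path (both leaked in the original). The remote buffer is released
 * only on failure paths — on success the remote thread may still be reading
 * it, so it is deliberately left allocated.
 *
 * OpenProcess with PROCESS_VM_WRITE followed by VirtualAllocEx,
 * WriteProcessMemory and CreateRemoteThread is the textbook LoadLibrary
 * injection sequence; each step is a cross-process event visible to the
 * operating system and to host-based monitoring.
 */
BOOL InjectDll(const char* DllFullPath, const DWORD dwRemoteProcessId)
{
    BOOL ok = FALSE;
    HANDLE hRemoteProcess = NULL;
    HANDLE hThread = NULL;
    char *pszLibFileRemote = NULL;
    LPTHREAD_START_ROUTINE pfnStartAddr = NULL;
    SIZE_T cbPath = (SIZE_T)lstrlenA(DllFullPath) + 1; /* +1 for the terminating NUL */

    hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE,
                                 FALSE, dwRemoteProcessId);
    if (hRemoteProcess == NULL)
    {
        printf("打开远程进程失败!\n");
        return FALSE;
    }
    pszLibFileRemote = (char*)VirtualAllocEx(hRemoteProcess, NULL, cbPath, MEM_COMMIT, PAGE_READWRITE);
    if (pszLibFileRemote == NULL)
    {
        printf("分配内存失败!\n");
        goto out;
    }
    /* WriteProcessMemory takes LPCVOID, so no const-discarding cast is needed */
    if (!WriteProcessMemory(hRemoteProcess, pszLibFileRemote, DllFullPath, cbPath, NULL))
    {
        printf("写入内存失败!\n");
        goto out;
    }
    /* "A" variants throughout: the path buffer is a narrow char string */
    pfnStartAddr = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("Kernel32"), "LoadLibraryA");
    if (pfnStartAddr == NULL)
    {
        printf("获取LoadLibrary函数地址失败!\n");
        goto out;
    }
    hThread = CreateRemoteThread(hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote, 0, NULL);
    if (hThread == NULL)
    {
        printf("创建远程线程失败!\n");
        goto out;
    }
    CloseHandle(hThread);
    ok = TRUE;
out:
    if (!ok && pszLibFileRemote != NULL)
    {
        /* failure after allocation: do not leave the buffer behind in the target */
        VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
    }
    CloseHandle(hRemoteProcess);
    return ok;
}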
 /*
 一、系统进程快照
 CreateToolhelp32Snapshot函数
 二、在快照中搜索指定进程
 Process32First函数
 Process32Next函数
 */
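 /*
 * Return the id of the first process whose image name equals pn, or 0 when
 * no such process exists or the snapshot could not be taken (a message is
 * printed in that case).
 *
 * pn: image file name; compared with strcmp against PROCESSENTRY32.szExeFile,
 *     i.e. an exact, case-sensitive match is required.
 *
 * CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not
 * NULL, so that is what is tested. The snapshot handle is closed on every
 * path (the original never released it).
 */
unsigned long getprocid(char *pn)
{
    HANDLE hnd = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe;
    unsigned long pid = 0;
    BOOL more;

    if (hnd == INVALID_HANDLE_VALUE)
    {
        printf("获取系统快照失败!");
        return 0;
    }
    pe.dwSize = sizeof(pe); /* required before Process32First */
    for (more = Process32First(hnd, &pe); more; more = Process32Next(hnd, &pe))
    {
        if (strcmp(pe.szExeFile, pn) == 0)
        {
            pid = pe.th32ProcessID;
            break;
        }
    }
    CloseHandle(hnd);
    return pid;
}

/*
 * Entry point: enable SE_DEBUG_NAME in this process, locate NOTEPAD.EXE and
 * load My.dll into it.
 *
 * Returns 0 when the remote thread was created, 1 when the target process
 * was not found or InjectDll failed. EnableDebugPriv is best effort: if the
 * privilege is unavailable, InjectDll's OpenProcess reports the consequence.
 */
int main(int argc, char* argv[])
{
    unsigned long pid;

    (void)argc;
    (void)argv;

    EnableDebugPriv(SE_DEBUG_NAME); /* raise this process to debug privilege */
    pid = getprocid("NOTEPAD.EXE");
    if (pid == 0)
    {
        /* the original passed pid 0 on to InjectDll, which then failed in OpenProcess */
        printf("未找到目标进程!\n");
        return 1;
    }
    /* load My.dll into NOTEPAD.EXE */
    return InjectDll("My.dll", pid) ? 0 : 1;
}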
