, pRemoteThreadAddr , pRemoteThreadCodeBuf ,
nRemoteThreadCodeLength , &nWritenNum);
if(!nSuccess)
{
MessageBox("Copy Remote Thread Code Error!");
return;
}
// *******修正远程线程代码*******
// *******首先获取两个关键函数的地址*******
HMODULE hKernel32;
hKernel32 = LoadLibrary("Kernel32.dll");
if(!hKernel32)
{
MessageBox("导入Kernel32.dll错误!");
return;
}
LPVOID pLoadLibrary , pGetProcAddress , pFreeLibrary;
pLoadLibrary = (LPVOID)GetProcAddress(hKernel32 , "LoadLibraryA");
if(!pLoadLibrary)
{
MessageBox("获取LoadLibrary函数地址失败!");
return;
}
pGetProcAddress = (LPVOID)GetProcAddress(hKernel32 , "GetProcAddress");
if(!pGetProcAddress)
{
MessageBox("获取GetProcAddress函数地址失败!");
return;
}
pFreeLibrary = (LPVOID)GetProcAddress(hKernel32 , "FreeLibrary");
if(!pGetProcAddress)
{
MessageBox("获取FreeLibrary函数地址失败!");
return;
}
// *******修正代码*******
PBYTE pRemoteAddrMove;
pRemoteAddrMove = (PBYTE)pRemoteThreadAddr;
// *******修正LoadLibrary地址*******
nSuccess = WriteProcessMemory(hSelectedProcHandle ,
pRemoteAddrMove ,
&pLoadLibrary ,
4 ,
&nWritenNum);
if(!nSuccess)
{
MessageBox("修正LoadLibrary地址错误!");
return;
}
//*******修正FreeLibrary地址*******
pRemoteAddrMove +=4;
nSuccess = WriteProcessMemory(hSelectedProcHandle ,
pRemoteAddrMove ,
&pFreeLibrary ,
4 ,
&nWritenNum);
if(!nSuccess)
{
MessageBox("修正FreeLibrary地址错误!");
return;
}
//*******传递动态链接库名*******
char szDllName[8] = {"Dll.dll"};
pRemoteAddrMove +=4;
nSuccess = WriteProcessMemory(hSelectedProcHandle ,
pRemoteAddrMove ,
szDllName ,
8 ,
&nWritenNum);
if(!nSuccess)
{
MessageBox("修正GetProcAddress地址错误!");
return;
}
//********把指针移动到远程线程代码开始处*******
pRemoteAddrMove +=8;
// *******创建远程线程*******
HANDLE hRemoteThreadHandle;
// *******定义远程线程函数类型*******
typedef unsigned long (WINAPI *stRemoteThreadProc)(LPVOID);
stRemoteThreadProc pRemoteThreadProc;
// *******把入口地址赋给声明的函数*******
pRemoteThreadProc = (stRemoteThreadProc)pRemoteAddrMove;
hRemoteThreadHandle = CreateRemoteThread(hSelectedProcHandle , NULL , 0 ,
pRemoteThreadProc , 0 , 0 , NULL);
//*******测试*******
CString szBuf;
szBuf.Format("开始地址:%x\nLoadLibrary地址:%x\nGetProcAddress地址%x\n代码开始地址:%x" ,
pRemoteThreadAddr , pLoadLibrary , pGetProcAddress , pRemoteAddrMove);
MessageBox(szBuf);
return;
}