VC++另类实现进程插入(四)

, pRemoteThreadAddr , pRemoteThreadCodeBuf ,
nRemoteThreadCodeLength , &nWritenNum);

if(!nSuccess)
{
MessageBox("Copy Remote Thread Code Error!");
return;
}





// *******修正远程线程代码*******

// *******首先获取两个关键函数的地址*******

HMODULE hKernel32;
hKernel32 = LoadLibrary("Kernel32.dll");

if(!hKernel32)
{
MessageBox("导入Kernel32.dll错误!");
return;
}

LPVOID pLoadLibrary , pGetProcAddress , pFreeLibrary;

pLoadLibrary = (LPVOID)GetProcAddress(hKernel32 , "LoadLibraryA");

if(!pLoadLibrary)
{
MessageBox("获取LoadLibrary函数地址失败!");
return;
}

pGetProcAddress = (LPVOID)GetProcAddress(hKernel32 , "GetProcAddress");

if(!pGetProcAddress)
{
MessageBox("获取GetProcAddress函数地址失败!");
return;
}

pFreeLibrary = (LPVOID)GetProcAddress(hKernel32 , "FreeLibrary");

if(!pGetProcAddress)
{
MessageBox("获取FreeLibrary函数地址失败!");
return;
}

// *******修正代码*******

PBYTE pRemoteAddrMove;

pRemoteAddrMove = (PBYTE)pRemoteThreadAddr;

// *******修正LoadLibrary地址*******

nSuccess = WriteProcessMemory(hSelectedProcHandle ,
pRemoteAddrMove ,
&pLoadLibrary ,
4 ,
&nWritenNum);

if(!nSuccess)
{
MessageBox("修正LoadLibrary地址错误!");
return;
}

//*******修正FreeLibrary地址*******

pRemoteAddrMove +=4;

nSuccess = WriteProcessMemory(hSelectedProcHandle ,
pRemoteAddrMove ,
&pFreeLibrary ,
4 ,
&nWritenNum);

if(!nSuccess)
{
MessageBox("修正FreeLibrary地址错误!");
return;
}

//*******传递动态链接库名*******

char szDllName[8] = {"Dll.dll"};

pRemoteAddrMove +=4;

nSuccess = WriteProcessMemory(hSelectedProcHandle ,
pRemoteAddrMove ,
szDllName ,
8 ,
&nWritenNum);

if(!nSuccess)
{
MessageBox("修正GetProcAddress地址错误!");
return;
}

//********把指针移动到远程线程代码开始处*******
pRemoteAddrMove +=8;

// *******创建远程线程*******

HANDLE hRemoteThreadHandle;

// *******定义远程线程函数类型*******
typedef unsigned long (WINAPI *stRemoteThreadProc)(LPVOID);

stRemoteThreadProc pRemoteThreadProc;

// *******把入口地址赋给声明的函数*******
pRemoteThreadProc = (stRemoteThreadProc)pRemoteAddrMove;

hRemoteThreadHandle = CreateRemoteThread(hSelectedProcHandle , NULL , 0 ,
pRemoteThreadProc , 0 , 0 , NULL);


//*******测试*******
CString szBuf;
szBuf.Format("开始地址:%x\nLoadLibrary地址:%x\nGetProcAddress地址%x\n代码开始地址:%x" ,
pRemoteThreadAddr , pLoadLibrary , pGetProcAddress , pRemoteAddrMove);
MessageBox(szBuf);


return;
}