
想把经常用到的功能函数集中写在一起，花时间精心维护，以后用起来就会舒服很多。

目前只写了启用进程调试权限(SeDebugPrivilege)、远程线程注入(CreateRemoteThread + LoadLibraryA)、远程线程卸载这三个函数。注意：注入器和目标进程的位数必须一致(同为 32 位或同为 64 位)，因为 LoadLibraryA 的地址是在注入器进程里用 GetProcAddress 取得后直接交给目标进程使用的；另外卸载函数是通过线程退出码(DWORD)把模块句柄传回来的，在 64 位进程里会被截断。还有很多功能，以后慢慢加。

 

 

 1 // last code by gwsbhqt@163.com at 20150708
 2 
 3 #pragma once
 4 
 5 #ifndef ENHANCEFUNC_H
 6 #define ENHANCEFUNC_H
 7 
 8 #include <cstdio>
 9 #include <windows.h>
10 
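// NOTE: the original header had `using namespace std;` at this point.  A
// using-directive in a header leaks into every translation unit that includes
// it; nothing declared below needs the std namespace, so it was removed.

// Enables SeDebugPrivilege on the calling process's token so that handles to
// other users' / protected processes can be opened for injection.
// AdjustTokenPrivileges can only switch on a privilege the token already holds
// (normally an elevated administrator token); it cannot grant one.
// Returns FALSE when the token cannot be opened, the privilege value cannot be
// looked up, or the adjustment call fails.
BOOL EnableDebugPrivileges();

// Loads the DLL at lpLibFilePath into hProcess: the path is copied into the
// target and a remote thread is started on kernel32!LoadLibraryA with that
// buffer as its argument.  hProcess needs the rights CreateRemoteThread
// requires (per its docs: PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION,
// PROCESS_VM_OPERATION, PROCESS_VM_WRITE, PROCESS_VM_READ).
// Returns the remote thread handle (the caller must CloseHandle it) or NULL on
// failure; if lpRemoteThreadId is non-NULL it receives the new thread's id.
// Injector and target must be the same bitness: the LoadLibraryA address is
// resolved in the injector and reused unchanged inside the target.
HANDLE RemoteThreadInjection(HANDLE hProcess, LPCSTR lpLibFilePath, LPDWORD lpRemoteThreadId = NULL);

// Unloads the DLL at lpLibFilePath from hProcess: one remote thread runs
// GetModuleHandleA(path) and its exit code (a DWORD, so truncated for 64-bit
// module bases) is passed to a second remote thread running FreeLibrary.
// Each remote thread is waited on for at most dwMilliseconds.
// Returns the remote FreeLibrary result, or FALSE on any failure along the way.
BOOL RemoteThreadFreeing(HANDLE hProcess, LPCSTR lpLibFilePath, DWORD dwMilliseconds = INFINITE);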
17 
18 #endif    //    def    ENHANCEFUNC_H
EnhanceFunc.h

 

 

  1 // last code by gwsbhqt@163.com at 20150708
  2 
#include "EnhanceFunc.h"

#include <cstring>    // strlen
  4 
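// Enables SeDebugPrivilege on the current process token.
//
// SeDebugPrivilege lets OpenProcess succeed on processes whose DACL would
// otherwise reject us, which is what the injection helpers below rely on.
// AdjustTokenPrivileges can only *enable* a privilege the token already holds
// (normally an elevated administrator token); it cannot grant it.
//
// Returns TRUE only if the privilege was actually enabled.  Returns FALSE if
// the token cannot be opened, the privilege LUID cannot be resolved, the
// adjust call fails, or the call returns success but GetLastError() reports
// ERROR_NOT_ALL_ASSIGNED (the token does not hold the privilege).  The original
// skipped that last check and reported success for a privilege it never got.
BOOL EnableDebugPrivileges()
{
    // Least privilege: we only need to query and adjust our own privileges,
    // not TOKEN_ALL_ACCESS.
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return FALSE;

    BOOL bEnabled = FALSE;

    // Literal name rather than SE_DEBUG_NAME: that macro is TEXT()-wrapped and
    // would become a wide string under UNICODE, but we call the A variant.
    LUID luid = {};
    if (LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &luid))
    {
        TOKEN_PRIVILEGES tp = {};
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        // AdjustTokenPrivileges returns nonzero even when it could not enable
        // every requested privilege; the real outcome is in GetLastError(),
        // which must be read immediately after the call.
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL)
            && GetLastError() != ERROR_NOT_ALL_ASSIGNED)
        {
            bEnabled = TRUE;
        }
    }

    CloseHandle(hToken);
    return bEnabled;
}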
 31 
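// Injects the DLL at lpLibFilePath into hProcess.
//
// Mechanism: the NUL-terminated path is copied into a fresh region of the
// target (VirtualAllocEx + WriteProcessMemory) and a remote thread is created
// whose start routine is kernel32!LoadLibraryA and whose parameter is that
// buffer.
//
// Caveats the caller must know:
//  * The LoadLibraryA address is resolved in *this* process and reused in the
//    target, so injector and target must have the same bitness.
//  * The function returns as soon as the remote thread exists; it does NOT
//    wait for LoadLibraryA.  The path buffer therefore stays allocated in the
//    target -- releasing it here would race with the remote thread reading it.
//    (The original called VirtualFreeEx(..., len, MEM_RELEASE) on it, which
//    always fails because MEM_RELEASE requires dwSize == 0, so the buffer was
//    leaked there as well, just by accident.)
//  * The buffer holds data, not code, so it is allocated PAGE_READWRITE; the
//    original's PAGE_EXECUTE_READWRITE was unnecessary, and RWX regions in a
//    foreign process are a common EDR indicator.
//  * GetModuleHandleA does not bump the module reference count, so there is no
//    FreeLibrary to balance; the original's FreeLibrary on that handle
//    under-counted kernel32's references.
//
// hProcess          target process handle with the rights CreateRemoteThread
//                   needs (see its documentation).
// lpLibFilePath     ANSI path of the DLL as LoadLibraryA in the target should
//                   see it.  NULL or empty is rejected.
// lpRemoteThreadId  optional; receives the remote thread's id.
//
// Returns the remote thread handle (caller must CloseHandle it; waiting on it
// and calling GetExitCodeThread yields LoadLibraryA's return value, truncated
// to 32 bits on x64) or NULL on failure.
HANDLE RemoteThreadInjection(HANDLE hProcess, LPCSTR lpLibFilePath, LPDWORD lpRemoteThreadId)
{
    if (NULL == hProcess || NULL == lpLibFilePath || '\0' == lpLibFilePath[0])
        return NULL;

    // kernel32 is mapped in every Win32 process (including this one), so a
    // LoadLibraryA fallback is pointless.  Resolve the target routine before
    // touching the remote process so an early failure leaves nothing to undo.
    HMODULE hKernel32 = GetModuleHandleA("Kernel32.dll");
    if (NULL == hKernel32)
        return NULL;

    FARPROC fpLoadLibraryA = GetProcAddress(hKernel32, "LoadLibraryA");
    if (NULL == fpLoadLibraryA)
        return NULL;

    const SIZE_T cbPath = strlen(lpLibFilePath) + 1;    // include the terminator

    LPVOID lpRemotePath = VirtualAllocEx(hProcess, NULL, cbPath, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (NULL == lpRemotePath)
        return NULL;

    if (!WriteProcessMemory(hProcess, lpRemotePath, lpLibFilePath, cbPath, NULL))
    {
        VirtualFreeEx(hProcess, lpRemotePath, 0, MEM_RELEASE);
        return NULL;
    }

    DWORD dwRemoteThreadId = 0;
    HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0,
                                              (LPTHREAD_START_ROUTINE)fpLoadLibraryA,
                                              lpRemotePath, 0, &dwRemoteThreadId);
    if (NULL == hRemoteThread)
    {
        VirtualFreeEx(hProcess, lpRemotePath, 0, MEM_RELEASE);
        return NULL;
    }

    if (NULL != lpRemoteThreadId)
        *lpRemoteThreadId = dwRemoteThreadId;

    // Deliberately not freeing lpRemotePath: the remote thread may not have
    // read it yet (see the function comment).
    return hRemoteThread;
}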
 81 
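// Runs fpProc(lpParam) on a new thread inside hProcess, waits up to
// dwMilliseconds for it and stores its exit code in *pdwExitCode.
//
// Returns FALSE if the thread cannot be created, the wait does not end with
// WAIT_OBJECT_0 (timeout or failure -- the remote thread may then still be
// running and still using lpParam), or the exit code cannot be read.  The
// thread handle is always closed before returning.
static BOOL RunRemoteProcAndWait(HANDLE hProcess, FARPROC fpProc, LPVOID lpParam,
                                 DWORD dwMilliseconds, LPDWORD pdwExitCode)
{
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
                                        (LPTHREAD_START_ROUTINE)fpProc, lpParam, 0, NULL);
    if (NULL == hThread)
        return FALSE;

    BOOL bOk = (WAIT_OBJECT_0 == WaitForSingleObject(hThread, dwMilliseconds))
               && GetExitCodeThread(hThread, pdwExitCode);
    CloseHandle(hThread);
    return bOk;
}

// Unloads the DLL at lpLibFilePath from hProcess.
//
// Two remote threads are used: the first runs kernel32!GetModuleHandleA on a
// copy of the path written into the target and its exit code is taken as the
// module handle; the second runs kernel32!FreeLibrary on that handle.
//
// Caveats the caller must know:
//  * A thread exit code is a DWORD, so the module handle is truncated to 32
//    bits.  On a 64-bit target this only works if the DLL happens to be mapped
//    below 4 GB; the technique is really a 32-bit one (and bitness must match
//    the injector anyway, as in RemoteThreadInjection).
//  * FreeLibrary only decrements the reference count once; a DLL the target
//    loaded more than once stays mapped.
//  * If the first remote thread does not finish within dwMilliseconds the path
//    buffer is left allocated, since the thread may still be reading it.  On
//    normal completion it is released with dwSize == 0, which MEM_RELEASE
//    requires (the original passed the length, so the release always failed).
//  * As in RemoteThreadInjection: PAGE_READWRITE instead of RWX for a data
//    buffer, and no FreeLibrary on the GetModuleHandleA'd kernel32 handle.
//
// hProcess        target process handle with the rights CreateRemoteThread needs.
// lpLibFilePath   ANSI path (or name) of the DLL as the target loaded it; NULL
//                 or empty is rejected.
// dwMilliseconds  maximum wait for each of the two remote threads.
//
// Returns the remote FreeLibrary result, or FALSE if any step fails or the
// module is not loaded in the target (GetModuleHandleA returned NULL there).
BOOL RemoteThreadFreeing(HANDLE hProcess, LPCSTR lpLibFilePath, DWORD dwMilliseconds)
{
    if (NULL == hProcess || NULL == lpLibFilePath || '\0' == lpLibFilePath[0])
        return FALSE;

    // Resolve both routines before touching the target so nothing needs
    // cleaning up on an early failure.
    HMODULE hKernel32 = GetModuleHandleA("Kernel32.dll");
    if (NULL == hKernel32)
        return FALSE;

    FARPROC fpGetModuleHandleA = GetProcAddress(hKernel32, "GetModuleHandleA");
    FARPROC fpFreeLibrary      = GetProcAddress(hKernel32, "FreeLibrary");
    if (NULL == fpGetModuleHandleA || NULL == fpFreeLibrary)
        return FALSE;

    const SIZE_T cbPath = strlen(lpLibFilePath) + 1;    // include the terminator

    LPVOID lpRemotePath = VirtualAllocEx(hProcess, NULL, cbPath, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (NULL == lpRemotePath)
        return FALSE;

    if (!WriteProcessMemory(hProcess, lpRemotePath, lpLibFilePath, cbPath, NULL))
    {
        VirtualFreeEx(hProcess, lpRemotePath, 0, MEM_RELEASE);
        return FALSE;
    }

    // Step 1: GetModuleHandleA(path) inside the target; exit code == HMODULE
    // (low 32 bits, see the function comment).
    DWORD dwRemoteModule = 0;
    BOOL bResolved = RunRemoteProcAndWait(hProcess, fpGetModuleHandleA, lpRemotePath,
                                          dwMilliseconds, &dwRemoteModule);
    if (bResolved)
        VirtualFreeEx(hProcess, lpRemotePath, 0, MEM_RELEASE);    // remote thread is done with it
    // else: the remote thread may still be alive and reading the buffer; leave it.

    if (!bResolved || 0 == dwRemoteModule)
        return FALSE;    // lookup failed, or the DLL is not loaded in the target

    // Step 2: FreeLibrary(hmod) inside the target.
    DWORD dwFreeResult = 0;
    if (!RunRemoteProcAndWait(hProcess, fpFreeLibrary, (LPVOID)(ULONG_PTR)dwRemoteModule,
                              dwMilliseconds, &dwFreeResult))
        return FALSE;

    return (BOOL)dwFreeResult;    // the remote FreeLibrary's return value
}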
EnhanceFunc.cpp

 

 

 1 #include <cstdio>
 2 #include <windows.h>
 3 
 4 #include "EnhanceFunc.h"
 5 
 6 using namespace std;
 7 
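// Demo driver: enables SeDebugPrivilege, starts calc.exe, injects DLL.dll into
// it, unloads it again and finally kills calc.exe.  Each step pauses so the
// effect can be inspected from the outside (e.g. in Process Explorer).
//
// Fixes over the original: CreateProcessA's result is checked (the original
// went on to inject into a zeroed PROCESS_INFORMATION when it failed), the
// command line lives in a writable buffer (CreateProcess may modify it), the
// injection thread handle and both PROCESS_INFORMATION handles are closed, the
// demo waits for the remote LoadLibraryA before trying to unload, and 0 is
// passed where DWORD flags are expected instead of NULL.
//
// NOTE(review): on recent Windows releases C:\Windows\System32\calc.exe is a
// small launcher for the Store calculator and may exit almost immediately,
// leaving nothing to inject into -- confirm the target on the test machine.
int main()
{
    char cTargetDllPath[MAX_PATH] = "C:\\DLL.dll";    //    suppose I have a dll file in this path

    printf("Enable Debug Privilege %s...\n", EnableDebugPrivileges() ? "Succeed" : "Faild");

    system("pause > nul");

    STARTUPINFOA si = {};
    si.cb = sizeof(si);
    PROCESS_INFORMATION pi = {};
    char cCommandLine[] = "C:\\Windows\\System32\\calc.exe";
    if (!CreateProcessA(NULL, cCommandLine, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
    {
        printf("CreateProcess failed with error %lu\n", GetLastError());
        system("pause > nul && exit");
        return 1;
    }
    CloseHandle(pi.hThread);    // the primary-thread handle is never used

    system("pause > nul");

    HANDLE hInjectThread = RemoteThreadInjection(pi.hProcess, cTargetDllPath);
    printf("DLL.dll Inject %s...\n", hInjectThread ? "Succeed" : "Faild");
    if (NULL != hInjectThread)
    {
        // Let the remote LoadLibraryA (and the DLL's DllMain) finish before we
        // try to unload; this also lets the injector's path buffer go unused.
        WaitForSingleObject(hInjectThread, INFINITE);
        CloseHandle(hInjectThread);
    }

    system("pause > nul");

    printf("DLL.dll Freeing %s...\n", RemoteThreadFreeing(pi.hProcess, cTargetDllPath) ? "Succeed" : "Faild");

    system("pause > nul");

    TerminateProcess(pi.hProcess, 0);
    CloseHandle(pi.hProcess);

    system("pause > nul && exit");
    return 0;
}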
main.cpp

 
