[转]远程线程注入

http://www.vckbase.com/index.php/wv/1653
//为了简化代码，下面程序中去掉了对出错处理的代码，实际应用中应该考虑程序运行时可能的出错：
#include "stdafx.h"
static PIMAGE_NT_HEADERS    nt_header;
#define IMAGESIZE   (nt_header->OptionalHeader.SizeOfImage)
#define EXPORT_TABEL   (nt_header->OptionalHeader.DataDirectory[0].VirtualAddress)
#define RELOC_TABEL    (nt_header->OptionalHeader.DataDirectory[5].VirtualAddress)
static void RelocCode (PBYTE  Image, LPBYTE   InjectBase) // 完成代码的重定位
{    
    DWORD  Rva = 0, RvaCount = 0, RelocOffset=0;
    WORD  *Offset = NULL;
    LPBYTE RelocTable = Image + RELOC_TABEL; //重定位表位置
    PIMAGE_BASE_RELOCATION  basereloc= (PIMAGE_BASE_RELOCATION) RelocTable;
    RelocOffset= (DWORD)InjectBase -  nt_header ->OptionalHeader.ImageBase; //重定位表偏移
    while(basereloc ->VirtualAddress != NULL)// 遍历重定位表，修正需要重定位的代码
    {  
        Offset = (WORD*)(RelocTable + sizeof(IMAGE_BASE_RELOCATION));
        RvaCount = (basereloc ->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / 2;
        for(DWORD i=0; iVirtualAddress + (DWORD)Image;
            *(DWORD*)Rva += RelocOffset;//RVA加上修正量进行修正
        }
        RelocTable += basereloc ->SizeOfBlock;//指向下一页重定位信息处
        basereloc  = (PIMAGE_BASE_RELOCATION) RelocTable;
    }
}
int LoadAPI(LPBYTE InjectBase)// 用于完成API函数的导入，参数为要插入代码处地址
{  
    PIMAGE_DOS_HEADER dos_h = (PIMAGE_DOS_HEADER) InjectBase;
    PIMAGE_NT_HEADERS nt_h = (PIMAGE_NT_HEADERS)(InjectBase + dos_h->e_lfanew);
    PIMAGE_IMPORT_DESCRIPTOR import_d = (PIMAGE_IMPORT_DESCRIPTOR)
       (InjectBase + nt_h->OptionalHeader.DataDirectory[1].VirtualAddress);
    for(  ; import_d->OriginalFirstThunk != 0; import_d++)//遍历导入表
    {   
        HMODULE hDll = LoadLibrary((LPCSTR)(InjectBase + import_d->Name));
           //上面能直接引用LoadLibrary是由于本地和远程进程中该函数地址都是相同的
        if(hDll == NULL)  
            return 0;
        PIMAGE_THUNK_DATA Origin = (PIMAGE_THUNK_DATA)(InjectBase +import_d->OriginalFirstThunk);
        PIMAGE_THUNK_DATA First = (PIMAGE_THUNK_DATA)(InjectBase + import_d->FirstThunk);
        LPCSTR Name = NULL;
        PIMAGE_IMPORT_BY_NAME Import_name = NULL;
        for(; Origin->u1.Ordinal != 0; Origin++, First++)
        {   
            if(Origin->u1.Ordinal & IMAGE_ORDINAL_FLAG)
                Name = (LPCSTR)IMAGE_ORDINAL(Origin->u1.Ordinal);
            else
            {   
                Import_name = (PIMAGE_IMPORT_BY_NAME)(InjectBase + (DWORD)( Origin->u1.AddressOfData));
                Name = (LPCSTR)Import_name->Name; 
            }
            First->u1.Function = (DWORD * )GetProcAddress(hDll, Name);
                //上面能直接引用GetProcAddress是由于本地和远程进程中该函数地址都是相同的
            if(First->u1.Function == NULL)  
                return 0;
        }
    }
    return 1;
}
DWORD RemoteThread_Main(HINSTANCE hInstance) //远程要执行的代码，在这里只演示MessageBox
{  
    ::MessageBox (0,"远程线程插入成功！","远程线程",0);
    return 1;
}
DWORD  ThreadEntry(LPBYTE  ImageBase) /***   远程线程入口  ***/
{    
    if(LoadAPI(ImageBase))//先完成API函数的导入工作
        RemoteThread_Main ((HINSTANCE)ImageBase);  //执行函数RemoteThread_Main中的代码
    return 1;
}
static DWORD GetTargetProcessId() //获取远程进程 PID
{  
    DWORD ProcessId = 0;
    HWND hWnd = FindWindow("Progman", "Program Manager");//获取资源管理器进程PID
    if(hWnd != NULL)
        GetWindowThreadProcessId(hWnd, &ProcessId);
    return ProcessId;
}
int APIENTRY WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine, int nCmdShow)
{   
    LPBYTE  InjectPoint = NULL, Module = NULL, NewModule = NULL,Param =NULL;
    HANDLE hProcess = NULL, hThread = NULL;
    DWORD ProcessId = 0, ImageSize = 0;
    LPTHREAD_START_ROUTINE    RemoteEntryPoint = NULL;
    Module = (unsigned char *)GetModuleHandle(NULL);//获取自身句柄
    nt_header = (PIMAGE_NT_HEADERS)(Module + ((PIMAGE_DOS_HEADER)Module)->e_lfanew);
    ImageSize = IMAGESIZE ; //得到内存映象大小
    //通过VirtualAllocEx申请存放自身代码的内存空间
    NewModule =( LPBYTE )VirtualAlloc(NULL, ImageSize, MEM_COMMIT | MEM_RESERVE, 
    PAGE_EXECUTE_READWRITE);
    memcpy(NewModule, Module, ImageSize) ; //将自身复制到NewModule处
    nt_header = (PIMAGE_NT_HEADERS)(NewModule + ((PIMAGE_DOS_HEADER)NewModule)->e_lfanew);
    if( ProcessId = GetTargetProcessId() ) //获取远程进程 PID
      if( hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, ProcessId)) //打开进程
          //通过VirtualAllocEx在打开的远程进程中申请内存空间
        if( InjectPoint = (LPBYTE)VirtualAllocEx(hProcess, 0, ImageSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE) )
         {   
            RelocCode (NewModule, InjectPoint); //重定位NewModule处的代码
            RemoteEntryPoint = (LPTHREAD_START_ROUTINE)( InjectPoint +(DWORD) &ThreadEntry - Module );//得到ThreadEntry在远程进程中的地址
            Param  = InjectPoint; //将插入点地址作为参数传递给线程函数
           //将重定位好的代码通过WriteProcessMemory写入远程进程的内存空间中
            if(WriteProcessMemory(hProcess, InjectPoint, NewModule, ImageSize, NULL))
               //通过CreateRemoteThread启动刚写入的代码，参数为Param
                CreateRemoteThread(hProcess, NULL, 0, RemoteEntryPoint, Param, 0, NULL);
        }
    return 0;
}