远程注入进程-阿里云开发者社区

远程注入进程

2017-11-16 1193

版权

本文内容由阿里云实名注册用户自发贡献，版权归原作者所有，阿里云开发者社区不拥有其著作权，亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容，填写侵权投诉表单进行举报，一经查实，本社区将立刻删除涉嫌侵权内容。

简介：

#include <Windows.h>
#include <tchar.h>
#include <TlHelp32.h>
BOOL LoadRemoteDll(DWORD dwProcessId,LPTSTR lpszLibName);
DWORD EnablePrivilege (PCSTR name);
BOOL GetProcessIdByName(LPSTR szProcessName, LPDWORD lpPID);
DWORD EnablePrivilege (PCSTR name)
{
HANDLE hToken;
BOOL rv;
TOKEN_PRIVILEGES priv = { 1, {0, 0, SE_PRIVILEGE_ENABLED} };
LookupPrivilegeValue (
0,
name,
&priv.Privileges[0].Luid
);
OpenProcessToken(
GetCurrentProcess (),
TOKEN_ADJUST_PRIVILEGES,
&hToken
);
AdjustTokenPrivileges (
hToken,
FALSE,
&priv,
sizeof priv,
0,
0
);
rv = GetLastError();
CloseHandle (hToken);
return rv;
}
BOOL GetProcessIdByName(LPSTR szProcessName, LPDWORD lpPID)
{
STARTUPINFO st;
PROCESS_INFORMATION pi;
PROCESSENTRY32 ps;
HANDLE hSnapshot;
ZeroMemory(&st, sizeof(STARTUPINFO));
ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));
st.cb = sizeof(STARTUPINFO);
ZeroMemory(&ps,sizeof(PROCESSENTRY32));
ps.dwSize = sizeof(PROCESSENTRY32);
hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0);
if(hSnapshot == INVALID_HANDLE_VALUE)
{
return FALSE;
}
if(!Process32First(hSnapshot,&ps))
{
return FALSE;
}
do
{
if(lstrcmpi(ps.szExeFile,"explorer.exe")==0)
{
*lpPID = ps.th32ProcessID;
CloseHandle(hSnapshot);
return TRUE;
}
}
while(Process32Next(hSnapshot,&ps));
CloseHandle(hSnapshot);
return FALSE;
}
BOOL LoadRemoteDll(DWORD dwProcessId,LPTSTR lpszLibName){
BOOL bResult = FALSE;
HANDLE hProcess = NULL;
HANDLE hThread = NULL;
PSTR pszLibFileRemote = NULL;
DWORD cch;
PTHREAD_START_ROUTINE pfnThreadRtn;
__try{
hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcessId);
if(hProcess == NULL){
__leave;
}
cch = 1 + lstrlen(lpszLibName);
pszLibFileRemote = (PSTR)VirtualAllocEx(hProcess,NULL,cch,MEM_COMMIT,PAGE_READWRITE);
if(pszLibFileRemote == NULL){
__leave;
}
if(!WriteProcessMemory(hProcess,(LPVOID)pszLibFileRemote,(LPVOID)lpszLibName,cch,NULL)){
__leave;
}
pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")),TEXT("LoadLibraryA"));
if(pfnThreadRtn == NULL){
__leave;
}
hThread = CreateRemoteThread(hProcess,NULL,0,pfnThreadRtn,(PVOID)pszLibFileRemote,0,NULL);
if(hThread == NULL){
__leave;
}
WaitForSingleObject(hThread,INFINITE);
bResult = TRUE;
}__finally{
if(pszLibFileRemote != NULL){
VirtualFreeEx(hProcess,(PVOID)pszLibFileRemote,0,MEM_RELEASE);
}
if(hThread != NULL){
CloseHandle(hThread);
}
if(hProcess != NULL){
CloseHandle(hProcess);
}
}
return bResult;
}
int WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPTSTR lpCmdLine,int nCmdShow){
DWORD dwPID;
if(0!=EnablePrivilege(SE_DEBUG_NAME));
return 0;
if(!GetProcessIdByName("explorer.exe",&dwPID))
return 0;
if(!LoadRemoteDll(dwPID,"msg.dll"))
return 0;
}

本文转hackfreer51CTO博客，原文链接：http://blog.51cto.com/pnig0s1992/630125，如需转载请自行联系原作者

远程注入进程

热门文章

最新文章

相关电子书

相关实验场景