首页 诗词 字典 板报 句子 名言 友答 励志 学校 网站地图
当前位置: 首页 > 教程频道 > 其他教程 > 其他相关 >

远道注入执行函数

2013-02-02 
远程注入执行函数最近在看病毒相关内容,看着大部分知识都知道,不知道用起来行不行。下午正好有人问怎么注入

远程注入执行函数

      最近在看病毒相关内容,看着大部分知识都知道,不知道用起来行不行。下午正好有人问怎么注入线程,在公司用《windows核心编程》的注入DLL程序修改了一下,实现了远程注入DLL调用函数。刚才回来,觉得照着别人的程序改,总还是学不到家,自己花了两个小时写了一个。能注入到其他进程中,执行弹出MessageBox框。当然,能注入去弹出这个框,就能干很多坏事了,看你想干什么了。把代码贴上来,也不改了,反正能看懂。有几个细节可能会忽略:

      1. ThreadFunc应该定义成static,不能是全局函数。如果是全局函数,只能取到jmp ThreadFunc这块代码的地址。

      2. 在调试模式会使写函数数据时数据出错。

下午就被这两个东西浪费了一个多小时。

      推荐两篇有用的内容:http://www.cnblogs.com/BoyXiao/archive/2011/08/11/2134367.html

      http://www.vckbase.com/index.php/wv/1580

 

// InjectToRemoteProcess.cpp : 定义应用程序的入口点。//#include "stdafx.h"#include "InjectToRemoteProcess.h"#define MAX_LOADSTRING 100// 全局变量:HINSTANCE hInst;// 当前实例TCHAR szTitle[MAX_LOADSTRING];// 标题栏文本TCHAR szWindowClass[MAX_LOADSTRING];// 主窗口类名// 此代码模块中包含的函数的前向声明:ATOMMyRegisterClass(HINSTANCE hInstance);BOOLInitInstance(HINSTANCE, int);LRESULT CALLBACKWndProc(HWND, UINT, WPARAM, LPARAM);INT_PTR CALLBACKAbout(HWND, UINT, WPARAM, LPARAM);INT_PTR CALLBACKInject(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam);int APIENTRY _tWinMain(HINSTANCE hInstance,                     HINSTANCE hPrevInstance,                     LPTSTR    lpCmdLine,                     int       nCmdShow){UNREFERENCED_PARAMETER(hPrevInstance);UNREFERENCED_PARAMETER(lpCmdLine); // TODO: 在此放置代码。MSG msg;HACCEL hAccelTable;// 初始化全局字符串LoadString(hInstance, IDS_APP_TITLE, szTitle, MAX_LOADSTRING);LoadString(hInstance, IDC_INJECTTOREMOTEPROCESS, szWindowClass, MAX_LOADSTRING);MyRegisterClass(hInstance);// 执行应用程序初始化:if (!InitInstance (hInstance, nCmdShow)){return FALSE;}hAccelTable = LoadAccelerators(hInstance, MAKEINTRESOURCE(IDC_INJECTTOREMOTEPROCESS));// 主消息循环:while (GetMessage(&msg, NULL, 0, 0)){if (!TranslateAccelerator(msg.hwnd, hAccelTable, &msg)){TranslateMessage(&msg);DispatchMessage(&msg);}}return (int) msg.wParam;}////  函数: MyRegisterClass()////  目的: 注册窗口类。////  注释:////    仅当希望//    此代码与添加到 Windows 95 中的“RegisterClassEx”//    函数之前的 Win32 系统兼容时,才需要此函数及其用法。调用此函数十分重要,//    这样应用程序就可以获得关联的//    “格式正确的”小图标。//ATOM MyRegisterClass(HINSTANCE hInstance){WNDCLASSEX wcex;wcex.cbSize = sizeof(WNDCLASSEX);wcex.style= CS_HREDRAW | CS_VREDRAW;wcex.lpfnWndProc= WndProc;wcex.cbClsExtra= 0;wcex.cbWndExtra= 0;wcex.hInstance= hInstance;wcex.hIcon= LoadIcon(hInstance, MAKEINTRESOURCE(IDI_INJECTTOREMOTEPROCESS));wcex.hCursor= LoadCursor(NULL, IDC_ARROW);wcex.hbrBackground= (HBRUSH)(COLOR_WINDOW+1);wcex.lpszMenuName= MAKEINTRESOURCE(IDC_INJECTTOREMOTEPROCESS);wcex.lpszClassName= szWindowClass;wcex.hIconSm= LoadIcon(wcex.hInstance, MAKEINTRESOURCE(IDI_SMALL));return RegisterClassEx(&wcex);}////   函数: InitInstance(HINSTANCE, int)////   目的: 保存实例句柄并创建主窗口////   注释:////        在此函数中,我们在全局变量中保存实例句柄并//        创建和显示主程序窗口。//BOOL InitInstance(HINSTANCE hInstance, int nCmdShow){   HWND hWnd;   hInst = hInstance; // 将实例句柄存储在全局变量中   hWnd = CreateWindow(szWindowClass, szTitle, WS_OVERLAPPEDWINDOW,      CW_USEDEFAULT, 0, CW_USEDEFAULT, 0, NULL, NULL, hInstance, NULL);   if (!hWnd)   {      return FALSE;   }   ShowWindow(hWnd, nCmdShow);   UpdateWindow(hWnd);   return TRUE;}////  函数: WndProc(HWND, UINT, WPARAM, LPARAM)////  目的: 处理主窗口的消息。////  WM_COMMAND- 处理应用程序菜单//  WM_PAINT- 绘制主窗口//  WM_DESTROY- 发送退出消息并返回////LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam){int wmId, wmEvent;PAINTSTRUCT ps;HDC hdc;switch (message){case WM_COMMAND:wmId    = LOWORD(wParam);wmEvent = HIWORD(wParam);// 分析菜单选择:switch (wmId){case IDM_ABOUT:DialogBox(hInst, MAKEINTRESOURCE(IDD_ABOUTBOX), hWnd, About);break;case IDM_EXIT:DestroyWindow(hWnd);break;case IDM_INJECT:DialogBox(hInst,MAKEINTRESOURCE(IDD_DLG_INJECT),hWnd,Inject);default:return DefWindowProc(hWnd, message, wParam, lParam);}break;case WM_PAINT:hdc = BeginPaint(hWnd, &ps);// TODO: 在此添加任意绘图代码...EndPaint(hWnd, &ps);break;case WM_DESTROY:PostQuitMessage(0);break;default:return DefWindowProc(hWnd, message, wParam, lParam);}return 0;}// “关于”框的消息处理程序。INT_PTR CALLBACK About(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam){UNREFERENCED_PARAMETER(lParam);switch (message){case WM_INITDIALOG:return (INT_PTR)TRUE;case WM_COMMAND:if (LOWORD(wParam) == IDOK || LOWORD(wParam) == IDCANCEL){EndDialog(hDlg, LOWORD(wParam));return (INT_PTR)TRUE;}break;}return (INT_PTR)FALSE;}struct ProcStruct{FARPROC MsgAddr;TCHAR strMsg[24];TCHAR strTitle[24];};static DWORD __stdcall ThreadFunc(ProcStruct * pPS){typedef int (__stdcall *pMsgBox)(HWND,LPCTSTR,LPCTSTR,UINT);pMsgBox MsgBox =(pMsgBox)pPS->MsgAddr;MsgBox(NULL,pPS->strMsg,pPS->strTitle,0);return 0;}static DWORD __stdcall OffsetFunc(LPVOID* pParam){return 0;}bool AdjustProcessTokenPrivilege(){LUID luidTmp;HANDLE hToken;TOKEN_PRIVILEGES tkp;if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)){//OutputDebugString("AdjustProcessTokenPrivilege OpenProcessToken Failed ! \n");return false;}   if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luidTmp)){ //OutputDebugString("AdjustProcessTokenPrivilege LookupPrivilegeValue Failed ! \n");CloseHandle(hToken);return FALSE;}tkp.PrivilegeCount = 1;tkp.Privileges[0].Luid = luidTmp;tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;if(!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)){//OutputDebugString("AdjustProcessTokenPrivilege AdjustTokenPrivileges Failed ! \n");CloseHandle(hToken);return FALSE;}return true;}DWORD InjectFunctionToProcess(DWORD dwProcessId){AdjustProcessTokenPrivilege();try{HANDLE hProcess = OpenProcess(         PROCESS_QUERY_INFORMATION |   // Required by AlphaPROCESS_CREATE_THREAD     |   // For CreateRemoteThreadPROCESS_VM_OPERATION      |   // For VirtualAllocEx/VirtualFreeExPROCESS_VM_WRITE,             // For WriteProcessMemoryFALSE, dwProcessId);if (hProcess == NULL) {return 0;}HMODULE hUser32 = GetModuleHandle(_T("User32.dll"));if (hProcess == NULL){return 0;}FARPROC MsgAddr = GetProcAddress(hUser32,"MessageBoxW");ProcStruct PS;PS.MsgAddr =MsgAddr;_tcscpy(PS.strMsg,_T("This is Message!"));_tcscpy(PS.strTitle,_T("Title"));//开辟存储变量的内存空间void * pMemProcStruct = VirtualAllocEx(hProcess,NULL,sizeof(ProcStruct),MEM_COMMIT,PAGE_READWRITE);if (!pMemProcStruct){return 0;}//复制参数内容if (!WriteProcessMemory(hProcess,pMemProcStruct,&PS,sizeof(ProcStruct),NULL)){return 0;}//开辟存储调用函数的空间DWORD FuncLen = (DWORD)OffsetFunc - (DWORD)ThreadFunc;void * pMemFunction = VirtualAllocEx(hProcess,NULL,FuncLen,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);if (!pMemFunction){return 0;}//复制函数内容if (!WriteProcessMemory(hProcess,pMemFunction,ThreadFunc,FuncLen,NULL)){return 0;}//启动线程函数注入进程HANDLE hRemoteThread = CreateRemoteThread(hProcess,NULL,NULL,(LPTHREAD_START_ROUTINE)pMemFunction,pMemProcStruct,NULL,NULL);if (!hRemoteThread){return 0;}//等待线程结束WaitForSingleObject(hRemoteThread,INFINITE);//释放参数内容VirtualFreeEx(hProcess,pMemProcStruct,sizeof(ProcStruct),MEM_RELEASE);//释放函数内容VirtualFreeEx(hProcess,pMemFunction,FuncLen,MEM_RELEASE);}catch (...){return -1;}return 0;}// “注入”框的消息处理程序。INT_PTR CALLBACK Inject(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam){UNREFERENCED_PARAMETER(lParam);switch (message){case WM_INITDIALOG:return (INT_PTR)TRUE;case WM_COMMAND:if (LOWORD(wParam) == IDCANCEL){EndDialog(hDlg, LOWORD(wParam));return (INT_PTR)TRUE;}else if (LOWORD(wParam) == IDOK){DWORD dwProcessId = GetDlgItemInt(hDlg, IDC_INJECTTOREMOTEPROCESS, NULL, FALSE);if (dwProcessId == 0) {// A process ID of 0 causes everything to take place in the // local process; this makes things easier for debugging.dwProcessId = GetCurrentProcessId();}if (!InjectFunctionToProcess(dwProcessId)) {MessageBox(NULL,_T("DLL Injection/Ejection successful."),_T("Title"),0);} else {MessageBox(NULL,_T("DLL Injection/Ejection failed."),_T("Error"),0);}}break;}return (INT_PTR)FALSE;}

 

读书人精选
热点排行