
一个远程注入的例子(让本机的所有程序弹出一个sylar对话框)

2016-04-15 14:22 190 查看
#include
"stdafx.h"

#include
"windows.h"

#include
"stdio.h"

#include
<Tlhelp32.h.>

/*熊健

2009.12.23 武汉

perfectxiong@gmail.com

/////////////////////////////////////////////*/

//
========== 定义一个代码结构,本例为一个对话框============

// Payload record that inject() copies into the target process with
// WriteProcessMemory and hands to the remote thread as its argument.
// The injected code has no import table of its own, so everything it
// needs at run time (the text and the MessageBoxA address) travels here.
struct MyData
{
    char sz[64];        // text shown by the dialog; zeroed then filled by inject(), so it is NUL-terminated
    DWORD dwMessageBox; // address of MessageBoxA resolved in the injecting process;
                        // NOTE(review): only valid in the target if user32.dll is mapped at the same base there — assumption, not checked
};

//
========== 远程线程的函数 ==============================

// Thread entry point executed inside the target process.
// inject() copies the raw bytes of this function (not a DLL) into the
// target, so the body must be self-contained: it may only touch its
// argument and call through the pointer that argument carries.
// Returns 0 once the dialog has been dismissed.
DWORD __stdcall RMTFunc(MyData *pData)
{
    // Signature of MessageBoxA, called indirectly because the injected
    // bytes cannot rely on import resolution in the target.
    // NOTE(review): LPCTSTR follows the UNICODE setting while the address is
    // always MessageBoxA (see inject()); the two agree only in an ANSI build.
    typedef int(__stdcall*MMessageBox)(HWND,LPCTSTR,LPCTSTR,UINT);
    MMessageBox MsgBox = (MMessageBox)pData->dwMessageBox;
    // No owner window, no caption (NULL title falls back to the default).
    MsgBox(NULL, pData->sz, NULL, MB_OK);
    return 0;
}

// Copies RMTFunc and a MyData record into process dwProcessId and starts
// RMTFunc there on a new thread.
// Returns 1 when the remote thread was created, 0 on any failure.
//
// This is the textbook OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(RWX)
// -> WriteProcessMemory -> CreateRemoteThread chain. That exact sequence of
// cross-process calls is what host-based monitoring (EDR / ETW-driven
// detection) keys on, and it needs full access to the target, so it fails
// for any process the caller cannot open.
// NOTE(review): every early `return 0` below leaves hProcess, and any remote
// allocation already made, unreleased.
int inject(DWORD dwProcessId)
{
    // Full access is requested; the handle is not checked, so a failed
    // OpenProcess (NULL) is only noticed when VirtualAllocEx fails below.
    HANDLE hProcess = OpenProcess(
        PROCESS_ALL_ACCESS,
        FALSE,
        dwProcessId);

    // ========= Build the payload record ================================
    MyData data;
    ZeroMemory(&data, sizeof (MyData));
    // Buffer was just zeroed, so strcat here behaves as a copy.
    strcat(data.sz, "sylar");
    // Resolve MessageBoxA in *this* process; the address is reused in the
    // target (see the assumption noted on MyData::dwMessageBox).
    HINSTANCE hUser = LoadLibrary("user32.dll");
    if (! hUser)
    {
        printf("Can not load library.\n");
        return 0;
    }
    data.dwMessageBox = (DWORD)GetProcAddress(hUser, "MessageBoxA");
    FreeLibrary(hUser);
    if (! data.dwMessageBox)
        return 0;

    // ======= Allocate in the target ====================================
    // One RWX page range for the code. Writable+executable memory in a
    // foreign process is itself a common detection trigger.
    void *pRemoteThread
        = VirtualAllocEx(hProcess, 0,
            1024*4, MEM_COMMIT|MEM_RESERVE,
            PAGE_EXECUTE_READWRITE);
    if (! pRemoteThread)
        return 0;
    // Copies a fixed 1024*4 bytes starting at &RMTFunc, not the function's
    // actual length, so it reads whatever follows RMTFunc in this image.
    if (! WriteProcessMemory(hProcess, pRemoteThread, &RMTFunc, 1024*4, 0))
        return 0;

    // Separate read/write allocation for the argument block.
    MyData *pData
        = (MyData*)VirtualAllocEx(hProcess, 0,
            sizeof (MyData), MEM_COMMIT,
            PAGE_READWRITE);
    if (!pData)
        return 0;

    if (! WriteProcessMemory(hProcess, pData, &data, sizeof (MyData), 0))
        return 0;

    // =========== Start the remote thread ===============================
    // The thread starts at the copied code with pData as its parameter.
    HANDLE hThread
        = CreateRemoteThread(hProcess, 0,
            0, (LPTHREAD_START_ROUTINE)pRemoteThread,
            pData, 0, 0);
    if (! hThread)
    {
        printf("远程线程创建失败");
        return 0;
    }
    CloseHandle(hThread);
    // NOTE(review): the remote code and its argument are released
    // immediately, without waiting for the thread, so the thread may still
    // be executing in memory that is being freed — a stability hazard for
    // the target process. The 1024*3 here also differs from the 1024*4
    // that was allocated.
    VirtualFreeEx(hProcess, pRemoteThread, 1024*3, MEM_RELEASE);
    VirtualFreeEx(hProcess, pData, sizeof (MyData), MEM_RELEASE);
    CloseHandle(hProcess);
    printf("Hello World!\n");
    return 1;
}

// Walks every process in a ToolHelp snapshot and calls inject() on each
// PID. The executable-name filter is commented out, so nothing limits the
// set of targets: the current process and system processes are included.
// argc/argv are unused.
int main(int argc, char* argv[])
{
    // ===== Pick the process(es) in which to create the remote thread ====
    //or
    HANDLE hSnapshot = NULL;
    // NOTE(review): neither this call nor Process32First below is checked;
    // on failure the loop runs on an uninitialized pe (only dwSize is set).
    hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(PROCESSENTRY32);
    Process32First(hSnapshot,&pe);
    do
    {
        // The name filter that would restrict injection to one process
        // is disabled.
        //if(stricmp(pe.szExeFile,"NOTEPAD.EXE")==0)
        // {
        inject(pe.th32ProcessID);
        // break;
        // }
    }
    while(Process32Next(hSnapshot,&pe)==TRUE);
    CloseHandle (hSnapshot);
    // Alternative, disabled: locate a single window and inject into its
    // owning process.
    /*
    HWND hWnd = FindWindow("notepad", NULL); // notepad as an example
    DWORD dwProcessId;
    ::GetWindowThreadProcessId(hWnd, &dwProcessId);
    inject(dwProcessId);
    */
    return 0;
}
