
利用CreateRemoteThread注入

2017-03-09 21:01 465 查看
// Inject.cpp : 定义控制台应用程序的入口点。
//

#include "stdafx.h"
#include "Inject.h"

#ifdef _DEBUG
#define new DEBUG_NEW
#endif
// The one MFC application object. Nothing in this file references it
// directly; presumably the MFC console-application template requires it —
// TODO confirm against the generated project.

CWinApp theApp;

// File-scope using-directive: tolerable in a .cpp, never put one in a header.
using namespace std;

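int main()
{
    // Console entry point: records the Windows version in the global
    // WinVersion, reads a process id from stdin and hands it to InjectDll().
    // Always returns 0; the original had an unreachable second return of an
    // otherwise unused nRetCode, which is dropped here.
    cout << "查看要注入进程的ID" << endl;
    ULONG_PTR ProcessID = 0;
    WinVersion = GetWindowsVersion();
    printf("Input ProcessID\r\n");
    if (!(cin >> ProcessID))
    {
        // Non-numeric input used to leave ProcessID at 0, which InjectDll
        // rejects silently; report it instead so the user knows why nothing
        // happened.
        printf("Invalid ProcessID\r\n");
    }
    else
    {
        InjectDll(ProcessID);
    }

    // Two reads: the first consumes the newline left behind by cin, the
    // second keeps the console open until the user presses a key.
    getchar();
    getchar();
    return 0;
}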

// Builds an absolute path to the 32-bit DLL (current directory + file name)
// and passes it to InjectDllByRemoteThread32. Prints "Inject Success" or
// "Inject Fail"; returns silently, with no message, when ProcessID is 0 or
// when either DLL file is missing from the current directory. The
// per-Windows-version switch that would select the 64-bit DLL is commented
// out below, so only the 32-bit path is live even though both files must
// exist for anything to happen.
//
// Security note: the DLL is located via GetCurrentDirectory(), i.e. relative
// to wherever this tool happens to be started from. If that directory is
// writable by less-privileged users, a planted MessageBox32.dll is what ends
// up loaded into the target process — run this only from a directory with
// restrictive ACLs, or resolve the path from the module location instead.
VOID InjectDll(ULONG_PTR ProcessID)
{
CString DllPath32 = L"MessageBox32.dll";   // 32-bit DLL, for injecting into a 32-bit process
CString DllPath64 = L"MessageBox64.dll";   // only used by the commented-out 64-bit branch below
if (ProcessID == 0)
{
return;
}
// Relative names, so these are checked against the current directory too.
if (PathFileExists(DllPath32) && PathFileExists(DllPath64))
{

WCHAR wzPath[MAX_PATH] = { 0 };
// The hard-coded 260 duplicates MAX_PATH / _countof(wzPath); they agree today,
// but the return value (0 on failure, or the required length if the buffer is
// too small) is not checked.
GetCurrentDirectory(260, wzPath);
wcsncat_s(wzPath, L"\\", 2);
// Count equals the appended length. If directory + name exceed MAX_PATH the
// secure CRT reports an error (and, per its documentation, invokes the
// invalid-parameter handler) rather than silently truncating; the return
// value is not checked here either.
wcsncat_s(wzPath, DllPath32.GetBuffer(), DllPath32.GetLength());

DllPath32.ReleaseBuffer();
// No matching GetBuffer() was called on DllPath64; this call is harmless but unnecessary.
DllPath64.ReleaseBuffer();
if (!InjectDllByRemoteThread32(wzPath, ProcessID)) {
printf("Inject Fail\r\n");
}
else {
printf("Inject Success\r\n");
}

// Version-dependent selection of the 64-bit DLL, left disabled by the author.
//switch (WinVersion)
//{
//    case Windows7:
//    case Windows8:   // author's note: this path was used on Win7 x64 SP1
//    {

//        WCHAR wzPath[MAX_PATH] = { 0 };
//        GetCurrentDirectory(260, wzPath);
//        wcsncat_s(wzPath, L"\\", 2);
//        wcsncat_s(wzPath, DllPath64.GetBuffer(), DllPath64.GetLength());// full DLL path
//        DllPath32.ReleaseBuffer();
//        DllPath64.ReleaseBuffer();
//        if (!InjectDllByRemoteThread64(wzPath, ProcessID)) {
//            printf("Inject Fail\r\n");
//        }
//        else {
//            printf("Inject Success\r\n");
//        }
//        break;
//    }

//    case WindowsXP:  //WinXp x86 sp3
//    {
//        WCHAR wzPath[MAX_PATH] = { 0 };
//        GetCurrentDirectory(260, wzPath);
//        wcsncat_s(wzPath, L"\\", 2);
//        wcsncat_s(wzPath, DllPath32.GetBuffer(), DllPath32.GetLength());

//        DllPath32.ReleaseBuffer();
//        DllPath64.ReleaseBuffer();
//        if (!InjectDllByRemoteThread32(wzPath, ProcessID)) {
//            printf("Inject Fail\r\n");
//        }
//        else {
//            printf("Inject Success\r\n");
//        }
//        break;
//    }
//}

}
}

/*
if ((_access("access.c", 0)) != -1)
{
printf("file access.c exists\n");
if ((_access("access.c", 2)) != -1)
printf("file access.c has write permission\n");
if ((_access("access.c", 4)) != -1)
printf("file access.c has read permission\n");
if ((_access("access.c", 6)) != -1)
printf("file access.c has read and write permission\n");
}
else
{
printf("file access.c does not exists\n");
}*/
// Loads DLLFilePath into process ProcessId by creating a remote thread whose
// start routine is kernel32!LoadLibraryW (LoadLibraryA in non-Unicode builds)
// and whose argument is a copy of the path written into the target's memory.
// Returns TRUE once that thread has finished, FALSE on bad arguments or any
// API failure (everything allocated so far is freed on each failure path).
//
// Despite the name, nothing in the body is 64-bit specific: it differs from
// InjectDllByRemoteThread32 only in asking for PROCESS_ALL_ACCESS (far more
// than the three rights it uses) and in resolving LoadLibrary before opening
// the process. The LoadLibrary address comes from *this* process's kernel32
// and is reused in the target, which only holds when both have the same
// bitness — assumed, not checked; TODO confirm at the call site (InjectDll
// currently calls only the 32-bit variant).
//
// Caveats visible in the code:
//  - The remote thread's exit code (LoadLibrary's return value) is never
//    read, so TRUE is returned even when LoadLibrary failed in the target.
//  - WaitForSingleObject(INFINITE) never times out; a DllMain that blocks
//    hangs this caller for good.
//  - VirtualFreeEx is given FileLength (a TCHAR count) although the
//    allocation was FileLength * sizeof(TCHAR) bytes, and MEM_DECOMMIT leaves
//    the reservation in place in the target; page granularity masks the size
//    mismatch for short paths.
// Detection note: the cross-process OpenProcess -> VirtualAllocEx ->
// WriteProcessMemory -> CreateRemoteThread sequence with a start address of
// kernel32!LoadLibraryW/A is the textbook remote-thread injection pattern
// that endpoint telemetry (remote thread creation and cross-process memory
// write events) is built to surface.
BOOL InjectDllByRemoteThread64(const TCHAR* DLLFilePath, ULONG_PTR ProcessId)
{
// Argument check; _taccess tests existence from the injector's point of view,
// the target later resolves the same absolute path itself.
if (NULL == DLLFilePath || 0 == ::_tcslen(DLLFilePath)
|| ProcessId == 0 || -1 == _taccess(DLLFilePath, 0))
{
return FALSE;
}
HANDLE                 ProcessHandle = NULL;
HANDLE                 ThreadHandle = NULL;
DWORD                  ReturnValue = 0;   // only referenced by the commented-out RtlAdjustPrivilege call
LPTHREAD_START_ROUTINE FuncAddress = NULL;
DWORD  FileLength = 0;       // path length in TCHARs, including the terminator
TCHAR* VirtualAddress = NULL; // address of the path copy inside the target
// Pick the LoadLibrary flavor matching the build's character set
#ifdef _UNICODE
FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
#else
FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
#endif

if (FuncAddress == NULL)
{
return FALSE;
}

// Disabled privilege adjustment, left as the author wrote it.
//RtlAdjustPrivilege = (pfnRtlAdjustPrivilege64)GetProcAddress((HMODULE)(FuncAddress(L"ntdll.dll")), "RtlAdjustPrivilege");

//if (RtlAdjustPrivilege == NULL)
//{
//    return FALSE;
//}
/*
Privilege constants, copied by the author from what looks like an
Easy-Language listing:
.constant SE_BACKUP_PRIVILEGE, "17", public
.constant SE_RESTORE_PRIVILEGE, "18", public
.constant SE_SHUTDOWN_PRIVILEGE, "19", public
.constant SE_DEBUG_PRIVILEGE, "20", public
*/
//RtlAdjustPrivilege(20, 1, 0, &ReturnValue);  //19

// PROCESS_ALL_ACCESS is far broader than needed; the 32-bit variant shows
// the minimal mask (CREATE_THREAD | VM_OPERATION | VM_WRITE).
ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);

if (ProcessHandle == NULL)
{
printf("Open Process Fail\r\n");
return FALSE;
}

// Allocate space in the target process for the path string
FileLength = (DWORD)::_tcslen(DLLFilePath) + 1;
VirtualAddress = (TCHAR*)::VirtualAllocEx(ProcessHandle, NULL,
FileLength * sizeof(TCHAR), MEM_COMMIT, PAGE_READWRITE);
if (VirtualAddress == NULL)
{
printf("Virtual Process Memory Fail\r\n");
CloseHandle(ProcessHandle);
return FALSE;
}

// Write the thread argument (the module path) into the target's memory
if (::WriteProcessMemory(ProcessHandle, VirtualAddress, (LPVOID)DLLFilePath, FileLength * sizeof(TCHAR), NULL) == FALSE)
{
printf("Write Data Fail\r\n");
VirtualFreeEx(ProcessHandle, VirtualAddress, FileLength, MEM_DECOMMIT);
CloseHandle(ProcessHandle);
return FALSE;
}

// LoadLibrary's single pointer parameter makes it usable directly as a thread start routine.
ThreadHandle = ::CreateRemoteThread(ProcessHandle, NULL, 0, FuncAddress, VirtualAddress, 0, NULL);
if (ThreadHandle == NULL)
{
printf("CreateRemoteThread Fail\r\n");
VirtualFreeEx(ProcessHandle, VirtualAddress, FileLength, MEM_DECOMMIT);
CloseHandle(ProcessHandle);
return FALSE;
}
// Wait for the remote thread to finish (no timeout; see header)
WaitForSingleObject(ThreadHandle, INFINITE);
// Clean up; the path copy is only freed after LoadLibrary has returned
VirtualFreeEx(ProcessHandle, VirtualAddress, FileLength, MEM_DECOMMIT);
CloseHandle(ThreadHandle);
CloseHandle(ProcessHandle);
return TRUE;

}

// 32-bit variant of the LoadLibrary remote-thread injector — the same
// VirtualAllocEx / WriteProcessMemory / CreateRemoteThread sequence as
// InjectDllByRemoteThread64, but the target is opened with only the three
// rights the body actually uses (PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION,
// PROCESS_VM_WRITE) rather than PROCESS_ALL_ACCESS. That is the
// least-privilege choice and the one callers should prefer; it is also the
// only variant InjectDll() currently calls.
//
// Returns TRUE once the remote thread has exited. The thread's exit code
// (LoadLibrary's HMODULE) is never read, so TRUE does not prove the DLL was
// actually loaded. Returns FALSE on bad arguments or any API failure, freeing
// whatever was allocated up to that point.
//
// The LoadLibrary address is resolved in this process's own kernel32 and
// reused in the target — valid only if the target has the same bitness as
// the injector (assumed, not checked; TODO confirm at the call site).
// VirtualFreeEx receives FileLength (a TCHAR count) although FileLength *
// sizeof(TCHAR) bytes were allocated; MEM_DECOMMIT also leaves the
// reservation in the target. WaitForSingleObject(INFINITE) has no timeout.
BOOL InjectDllByRemoteThread32(const TCHAR* DLLFilePath, ULONG_PTR ProcessId)
{
// Invalid arguments; _taccess checks existence from the injector's side only
if (NULL == DLLFilePath || 0 == ::_tcslen(DLLFilePath) || ProcessId == 0 || -1 == _taccess(DLLFilePath, 0))
{
return FALSE;
}
HANDLE ProcessHandle = NULL;
HANDLE ThreadHandle = NULL;
DWORD FileLength = 0;        // path length in TCHARs, including the terminator
TCHAR* VirtualAddress = NULL; // address of the path copy inside the target
LPTHREAD_START_ROUTINE FuncAddress = NULL;
// Open the target process with the minimal rights this function needs
ProcessHandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, ProcessId);
if (ProcessHandle == NULL)
{
printf("Open Process Fail\r\n");
return FALSE;
}
// Allocate space in the target process for the path string
FileLength = (DWORD)::_tcslen(DLLFilePath) + 1;
VirtualAddress = (TCHAR*)::VirtualAllocEx(ProcessHandle, NULL, FileLength * sizeof(TCHAR), MEM_COMMIT, PAGE_READWRITE);
if (NULL == VirtualAddress)
{
printf("Virtual Process Memory Fail\r\n");
CloseHandle(ProcessHandle);
return FALSE;
}
// Write the thread argument (the module path) into the target's memory
if (FALSE == ::WriteProcessMemory(ProcessHandle, VirtualAddress, (LPVOID)DLLFilePath, FileLength * sizeof(TCHAR), NULL))
{
printf("Write Data Fail\r\n");
VirtualFreeEx(ProcessHandle, VirtualAddress, FileLength, MEM_DECOMMIT);
CloseHandle(ProcessHandle);
return FALSE;
}
// Resolve LoadLibrary in this process's Kernel32 (flavor follows the build's character set)
#ifdef _UNICODE
FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
#else
FuncAddress = (PTHREAD_START_ROUTINE)::GetProcAddress(::GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
#endif

if (NULL == FuncAddress)
{
printf("Get LoadLibrary Fail\r\n");
VirtualFreeEx(ProcessHandle, VirtualAddress, FileLength, MEM_DECOMMIT);
CloseHandle(ProcessHandle);
// `false` where every other path uses FALSE; same value, inconsistent style
return false;
}

// Create the remote thread with LoadLibrary as its start routine and the path as its argument
ThreadHandle = ::CreateRemoteThread(ProcessHandle, NULL, 0, FuncAddress, VirtualAddress, 0, NULL);
if (NULL == ThreadHandle)
{
printf("CreateRemoteThread Fail\r\n");
VirtualFreeEx(ProcessHandle, VirtualAddress, FileLength, MEM_DECOMMIT);
CloseHandle(ProcessHandle);
return FALSE;
}

// Wait for the remote thread to finish (no timeout; see header)
WaitForSingleObject(ThreadHandle, INFINITE);
// Clean up; the path copy is only freed after LoadLibrary has returned
VirtualFreeEx(ProcessHandle, VirtualAddress, FileLength, MEM_DECOMMIT);
CloseHandle(ProcessHandle);
CloseHandle(ThreadHandle);

return TRUE;
}

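WIN_VERSION  GetWindowsVersion()
{
    // Maps GetVersionEx()'s major/minor pair onto the WIN_VERSION enum.
    // Returns WinUnknown for a non-NT platform, when GetVersionEx fails, and
    // for any NT release this table does not enumerate (6.3 and 10.x have no
    // enumerator here). The original fell off the end of the function on that
    // last path — undefined behaviour for a non-void function — and ignored
    // GetVersionEx's return value.
    //
    // GetVersionEx is deprecated: on Windows 8.1 and later the version it
    // reports depends on the application's compatibility manifest, so treat
    // the result as advisory rather than authoritative.
    OSVERSIONINFOEX OsVerInfoEx = {};   // zero every field, not just the size
    OsVerInfoEx.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
    // The API takes the base struct; the size field tells it the EX layout is present.
    if (!GetVersionEx(reinterpret_cast<OSVERSIONINFO*>(&OsVerInfoEx)))
    {
        return WinUnknown;
    }
    if (OsVerInfoEx.dwPlatformId != VER_PLATFORM_WIN32_NT)
    {
        return WinUnknown;
    }

    const DWORD major = OsVerInfoEx.dwMajorVersion;
    const DWORD minor = OsVerInfoEx.dwMinorVersion;
    if (major <= 4)
    {
        return WindowsNT;
    }
    if (major == 5)
    {
        switch (minor)
        {
        case 0:  return Windows2000;
        case 1:  return WindowsXP;
        case 2:  return Windows2003;
        default: return WinUnknown;
        }
    }
    if (major == 6)
    {
        switch (minor)
        {
        case 0:  return WindowsVista;
        case 1:  return Windows7;
        case 2:  return Windows8;
        default: return WinUnknown;   // 6.3 (Windows 8.1) has no enumerator
        }
    }
    return WinUnknown;                // 10.0 and anything newer
}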