// test.cpp : 定義控制檯應用程序的入口點。
//
#include "stdafx.h"
#include "windows.h"
#include <conio.h>
#include <Psapi.h>
#pragma comment(lib, "Psapi.lib")
// ========== 傳給注入線程的參數結構 ============
struct MyData
{
char srcfile[64]; //源文件地址
char destfile[64];//目標文件地址
DWORD dwCopyFile; // CopyFileA()的地址
};
// ========== 遠程線程的函數 ==============================
DWORD __stdcall RMTFunc(MyData *pData)
{
typedef int(__stdcall*_tCopyFile)(LPCSTR, LPCSTR, bool);
_tCopyFile copyfile = (_tCopyFile)pData->dwCopyFile;
copyfile(pData->srcfile, pData->destfile, true);
return 0;
}
//============空函數,其作用是方便獲取注入線程函數的體積======
static void AfterMyFunc (void) {
}
//根據進程名獲取進程id
DWORD processtopid(char *processname)
{
DWORD lpidprocesses[1024],cbneeded,cprocesses;
HANDLE hprocess;
HMODULE hmodule;
UINT i;
char normalname[MAX_PATH]=_T("UnknownProcess");
if(!EnumProcesses(lpidprocesses,sizeof(lpidprocesses),&cbneeded))
{
OutputDebugString(_T("EnumProcesses Error\n"));
return -1;
}
cprocesses=cbneeded/sizeof(DWORD);
for(i=0;i<cprocesses;i++)
{
hprocess=OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,FALSE,lpidprocesses[i]);
if(hprocess)
{
if(EnumProcessModules(hprocess,&hmodule,sizeof(hmodule),&cbneeded))
{
GetModuleBaseName(hprocess,hmodule,normalname,sizeof(normalname));
if(!strcmp(normalname,processname))
{
CloseHandle(hprocess);
return (lpidprocesses[i]);
}
}
}
}
CloseHandle(hprocess);
return 0;
}
int _tmain(int argc, _TCHAR* argv[])
{
// ===== 獲得需要創建REMOTETHREAD的進程句柄 ===============================
DWORD dwProcessId = processtopid("notepad.exe");
HANDLE hProcess = OpenProcess(
PROCESS_ALL_ACCESS,
FALSE,
dwProcessId);
// ========= 代碼結構 ================================================
MyData data;
ZeroMemory(&data, sizeof (MyData));
strcpy(data.srcfile, "c:\\aaa.txt");
strcpy(data.destfile, "c:\\bbb.txt");
HINSTANCE hKernel32 = LoadLibrary("kernel32.dll");
if (! hKernel32)
{
printf("Can not load library.\n");
return 0;
}
data.dwCopyFile = (DWORD)GetProcAddress(hKernel32, "CopyFileA");
FreeLibrary(hKernel32);
if (! data.dwCopyFile)
return 0;
// ======= 爲注入線程分配空間 =============================
DWORD cbCodeSize=((LPBYTE) AfterMyFunc - (LPBYTE) RMTFunc);
void *pRemoteThread = VirtualAllocEx(hProcess, 0, cbCodeSize, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
//if (! pRemoteThread)
// return 0;
//========將線程函數寫入宿主進程===========================
WriteProcessMemory(hProcess, pRemoteThread, &RMTFunc, cbCodeSize, 0);
//if (! WriteProcessMemory(hProcess, pRemoteThread, &RMTFunc, cbCodeSize, 0))
// return 0;
// ======= 爲參數分配空間 =============================
MyData *pData
= (MyData*)VirtualAllocEx(hProcess, 0,
sizeof (MyData), MEM_COMMIT,
PAGE_READWRITE);
if (!pData)
return 0;
//========將參數寫入宿主進程===========================
if (! WriteProcessMemory(hProcess, pData, &data, sizeof (MyData), 0))
return 0;
// =========== 創建遠程線程 ===========================================
HANDLE hThread
= CreateRemoteThread(hProcess, 0,
0, (LPTHREAD_START_ROUTINE)pRemoteThread,
pData, 0, 0);
if (! hThread)
{
printf("遠程線程創建失敗");
return 0;
}
//===========收尾=============================
CloseHandle(hThread);
VirtualFreeEx(hProcess, pRemoteThread, 1024*3, MEM_RELEASE);
VirtualFreeEx(hProcess, pData, sizeof (MyData), MEM_RELEASE);
CloseHandle(hProcess);
printf("Hello World!\n");
return 0;
}
致注入進程崩潰
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章