自己用了很久的線程注入的代碼


#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>

#pragma comment(lib, "Advapi32.lib")


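/*
 * SetPrivilege - enable or disable one named privilege on an access token.
 *
 * hToken           : token opened with at least TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY.
 * lpszPrivilege    : privilege name constant (e.g. SE_DEBUG_NAME) as understood by
 *                    LookupPrivilegeValue.
 * bEnablePrivilege : TRUE sets SE_PRIVILEGE_ENABLED, FALSE clears the attribute.
 *
 * Returns TRUE only when the privilege was actually adjusted. Returns FALSE when
 * the name lookup fails, when AdjustTokenPrivileges itself fails, or when it
 * succeeds but GetLastError() is not ERROR_SUCCESS (ERROR_NOT_ALL_ASSIGNED means
 * the token does not hold the privilege, so nothing was changed).
 */
BOOL SetPrivilege(HANDLE hToken,LPCTSTR lpszPrivilege,BOOL bEnablePrivilege)//improve a privilege
{
    TOKEN_PRIVILEGES tp = {0};
    LUID luid;

    if(!LookupPrivilegeValue(NULL,lpszPrivilege,&luid))
    {
        /* GetLastError() returns a DWORD (unsigned long): %lu, not %d. */
        printf("\nLookupPrivilegeValue error:%lu", GetLastError() );
        return FALSE;
    }
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = bEnablePrivilege ? SE_PRIVILEGE_ENABLED : 0;

    /* A FALSE return is a hard failure (e.g. hToken lacks TOKEN_ADJUST_PRIVILEGES).
     * The original only consulted GetLastError(), which also works for a
     * successful call: ERROR_NOT_ALL_ASSIGNED is reported that way, so the
     * last-error check is still needed after a TRUE return. */
    if (!AdjustTokenPrivileges(
            hToken,
            FALSE,
            &tp,
            sizeof(TOKEN_PRIVILEGES),
            (PTOKEN_PRIVILEGES) NULL,
            (PDWORD) NULL))
    {
        return FALSE;
    }
    if (GetLastError() != ERROR_SUCCESS)
    {
        /* Typically ERROR_NOT_ALL_ASSIGNED: the privilege is not present on the token. */
        return FALSE;
    }
    return TRUE;
}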


/*
 * Entry point: start argv[1] as a suspended child, copy the DLL path argv[2]
 * into the child's address space, and run LoadLibraryA there on a remote thread
 * so the child maps the DLL before its own code runs.
 *
 * Returns 0 on success, 1 on any failure (usage error or a failed Win32 call).
 *
 * Detection note: the CreateProcess(CREATE_SUSPENDED) -> VirtualAllocEx ->
 * WriteProcessMemory -> CreateRemoteThread sequence below is the textbook
 * remote-thread injection chain that endpoint monitoring (e.g. Sysmon event
 * ID 8 for CreateRemoteThread, EDR cross-process memory-write telemetry)
 * is built to surface; treat any appearance of it in production telemetry
 * as something that needs an owner.
 */
int main(int argc,char **argv)
{
HANDLE hToken;
char lpszDll[MAX_PATH];
char szTargetExe[MAX_PATH];
DWORD dwPID;
HANDLE hProcess;
DWORD dwSize, dwWritten;
LPVOID lpBuf;

DWORD dwID;
LPVOID pFunc;
HANDLE hThread;

PROCESS_INFORMATION piProcInfo;
STARTUPINFO siStartInfo;

/* 1 until the remote thread has been created and waited on; drives the
 * final status message and the exit code. */
int ret = 1;

if(argc!=3)
{
printf("Usage:%s ProcessName DllName",argv[0]);
return 1;
}


/* NOTE(review): unbounded strcpy from argv into MAX_PATH buffers; an argument
 * of MAX_PATH or more characters overflows the injector's own stack. A
 * length check or a bounded copy (snprintf) is needed here. */
strcpy(szTargetExe,argv[1]);
strcpy(lpszDll,argv[2]);

ZeroMemory( &piProcInfo, sizeof(PROCESS_INFORMATION) );
ZeroMemory( &siStartInfo, sizeof(STARTUPINFO) );
siStartInfo.cb = sizeof(STARTUPINFO);


/* The target is created suspended so the DLL is loaded before its first
 * instruction executes; it is resumed only on the success path below. */
if(!CreateProcessA(NULL,
szTargetExe, // command line
NULL, // process security attributes
NULL, // primary thread security attributes
TRUE, // handles are inherited  -- NOTE(review): inheritable handles leak into the child; FALSE would be the least-privilege choice
CREATE_SUSPENDED,// creation flags
NULL, // use parent's environment
NULL, // use parent's current directory
&siStartInfo, // STARTUPINFO pointer
&piProcInfo)) // receives PROCESS_INFORMATION
{
printf("CreateProcessA failed!!!\n");
goto fail1;
}

dwPID = piProcInfo.dwProcessId;

/* Enables SeDebugPrivilege on our own token. The SetPrivilege result is
 * ignored, and hToken is never closed (no CloseHandle(hToken) on any path).
 * TOKEN_ALL_ACCESS is broader than the TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
 * that SetPrivilege needs. */
if(OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hToken))
SetPrivilege(hToken,SE_DEBUG_NAME,TRUE);
else
{
printf("OpenProcessToken failed!!!\n");
/* The child created above stays suspended and is never terminated on this path. */
goto fail1;
}

/* Opens a second handle to the child with only the rights the injection
 * needs. piProcInfo.hProcess (returned by CreateProcessA) is never used and
 * never closed, so it leaks. */
hProcess = OpenProcess(
PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE,
FALSE, dwPID );
if(hProcess ==NULL)
{
printf("OpenProcess failed\n");
goto fail1;
}

/* Allocate room in the child for the NUL-terminated DLL path (data only,
 * hence PAGE_READWRITE rather than an executable page). */
dwSize = lstrlenA( lpszDll ) + 1;
lpBuf = VirtualAllocEx( hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE );
if ( NULL == lpBuf )
{
printf("VirtualAllocEx failed!\n");
goto fail2;
}

/* A short write is treated as failure, not just a FALSE return. */
if ( !WriteProcessMemory( hProcess, lpBuf, (LPVOID)lpszDll, dwSize, &dwWritten )
|| dwWritten != dwSize)
{
printf("WriteProcessMemory failed!\n");
goto fail3;
}

// Make the target process call LoadLibrary to load the DLL.
// The local address of LoadLibraryA is used as the remote start routine; this
// presumably relies on kernel32 being mapped at the same base in the child
// (same bitness, same session) — verify before reusing on other targets.
pFunc = LoadLibraryA;
hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunc, lpBuf, 0, &dwID );
if(hThread == NULL)
{
printf("CreateRemoteThread failed!\n");
goto fail3;
}

/* Success path only: let the child's primary thread run, then block until
 * LoadLibraryA in the child returns. INFINITE means a DLL whose DllMain
 * never returns hangs the injector. */
ResumeThread(piProcInfo.hThread);
CloseHandle(piProcInfo.hThread);
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
ret = 0;
/* goto-style cleanup; labels release resources in reverse acquisition order.
 * Return values of VirtualFreeEx/CloseHandle are not checked. */
fail3:
VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT );
fail2:
CloseHandle( hProcess );
fail1:
if(ret == 1)
{
printf("Dll Injected Failed!!!\n");
/* NOTE(review): GetLastError() is read after printf and the cleanup calls
 * above, so the reported code may not be the one from the call that failed. */
printf("GetLastError : %d\n", GetLastError());
}
else
printf("Dll Injected Successfully!!!\n");
return ret;
}