C++ 远程代码注入

非常简单 =_= ,直接附上注入程序以及 DLL 的代码。

 

DLL 代码很简单,只是在 DllMain 中弹窗,可以根据需要扩充;注意 DllMain 是在加载器锁(loader lock)内执行的,实际功能应尽量放到单独线程中,而不是直接写在 DllMain 里。

注入程序由于是练手,只是随便写了向计算器进程(calc.exe)注入的远程注入。注意:注入程序与目标进程的位数(32/64 位)必须一致,因为本地取得的 LoadLibraryW 地址只有在同位数的进程中才有效。

从注入到卸载都包含:远程线程执行完毕后,程序会再通过远程线程调用 FreeLibrary 卸载 DLL,并释放目标进程中分配的内存、关闭句柄(扫尾)。

  1 // InjectExample.cpp : 定义控制台应用程序的入口点。
  2 
  3 
#include "stdafx.h"

#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <wchar.h>
  5 
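// Enables the named privilege (e.g. SE_DEBUG_NAME) in the current process token.
//
// Parameters:
//   name - privilege name, e.g. SE_DEBUG_NAME
// Returns 0 on success, 1 on failure (the original 0/1 contract is preserved).
//
// Two defects fixed against the original:
//   * the token handle was never closed (leaked on every call and every early return);
//   * AdjustTokenPrivileges returns TRUE even when the privilege could NOT be
//     enabled (GetLastError() == ERROR_NOT_ALL_ASSIGNED), which is exactly what
//     happens for a non-elevated user whose token does not hold SeDebugPrivilege
//     at all; that case is now reported as failure instead of silent success.
int EnableDebugPriv(const wchar_t *name)
{
    if (name == NULL)
        return 1;

    // TOKEN_ADJUST_PRIVILEGES is sufficient because no previous state is requested.
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return 1;

    int result = 1;
    LUID luid;
    if (LookupPrivilegeValueW(NULL, name, &luid)) {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        // Success only if the call succeeded AND the privilege was actually assigned.
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL) &&
            GetLastError() != ERROR_NOT_ALL_ASSIGNED)
            result = 0;
    }

    CloseHandle(hToken);
    return result;
}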
 29 
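// Returns true when hProcess runs under the same bitness as this injector.
// InjectDll hands the injector's OWN LoadLibraryW/FreeLibrary addresses to the
// target, which is only valid when both processes map the same kernel32.dll
// (same bitness; kernel32 shares one base per bitness per boot).
static bool SameBitnessAsSelf(HANDLE hProcess)
{
    BOOL selfWow64 = FALSE;
    BOOL targetWow64 = FALSE;
    if (!IsWow64Process(GetCurrentProcess(), &selfWow64) ||
        !IsWow64Process(hProcess, &targetWow64))
        return false;
    return selfWow64 == targetWow64;
}

// Finds the base address (HMODULE valid in the TARGET's address space) of the
// module whose full path equals dllFullPath, using a Toolhelp module snapshot.
// Returns NULL when the module is not present or the snapshot cannot be taken.
static HMODULE FindRemoteModule(DWORD pid, const wchar_t* dllFullPath)
{
    HANDLE hSnap = INVALID_HANDLE_VALUE;
    // TH32CS_SNAPMODULE transiently fails with ERROR_BAD_LENGTH while the target
    // is changing its module list; retry a few times before giving up.
    for (int attempt = 0; attempt < 5 && hSnap == INVALID_HANDLE_VALUE; ++attempt) {
        hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
        if (hSnap == INVALID_HANDLE_VALUE && GetLastError() != ERROR_BAD_LENGTH)
            break;
    }
    if (hSnap == INVALID_HANDLE_VALUE)
        return NULL;

    HMODULE found = NULL;
    MODULEENTRY32W me;
    ZeroMemory(&me, sizeof(me));
    me.dwSize = sizeof(me);
    if (Module32FirstW(hSnap, &me)) {
        do {
            // Windows paths are case-insensitive.
            if (_wcsicmp(me.szExePath, dllFullPath) == 0) {
                found = me.hModule;
                break;
            }
        } while (Module32NextW(hSnap, &me));
    }
    CloseHandle(hSnap);
    return found;
}

// Resolves an export of kernel32.dll in THIS process; see SameBitnessAsSelf for
// why the address is also valid in the target.
static LPTHREAD_START_ROUTINE Kernel32Export(const char* name)
{
    HMODULE hKernel32 = GetModuleHandleW(L"kernel32.dll");
    if (hKernel32 == NULL)
        return NULL;
    return reinterpret_cast<LPTHREAD_START_ROUTINE>(GetProcAddress(hKernel32, name));
}

// Runs routine(arg) on a new thread inside hProcess and waits for it to finish.
// Returns FALSE if the thread could not be created (GetLastError() is preserved).
// *exitCode receives the thread exit code, i.e. the routine's return value
// truncated to 32 bits.
static BOOL RunRemote(HANDLE hProcess, LPTHREAD_START_ROUTINE routine, LPVOID arg, DWORD* exitCode)
{
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, routine, arg, 0, NULL);
    if (hThread == NULL)
        return FALSE;

    WaitForSingleObject(hThread, INFINITE);
    DWORD code = 0;
    GetExitCodeThread(hThread, &code);
    CloseHandle(hThread); // the original never closed the LoadLibrary thread handle
    if (exitCode != NULL)
        *exitCode = code;
    return TRUE;
}

// Loads DllFullPath into process dwRemoteProcessId via CreateRemoteThread +
// LoadLibraryW, waits for the load, then unloads the DLL again and releases the
// remote path buffer.
//
// Parameters:
//   DllFullPath       - ABSOLUTE path of the DLL. LoadLibraryW runs in the
//                       target, so a relative name would be resolved through the
//                       target's DLL search order (search-order hijacking).
//   dwRemoteProcessId - PID of the target process.
// Returns TRUE once the DLL was loaded in the target (the unload is best-effort
// and only logged), FALSE on any earlier failure. All handles and the remote
// allocation are released on every path.
//
// Fixes against the original:
//   * the path was written without its NUL terminator (worked only because a
//     fresh committed page is zero-filled);
//   * "Inject Success" was printed even when LoadLibraryW returned NULL;
//   * the thread exit code is LoadLibraryW's HMODULE truncated to 32 bits, which
//     is wrong on 64-bit targets; the real base is now taken from a module
//     snapshot, the exit code is only a 32-bit fallback;
//   * VirtualFreeEx(MEM_DECOMMIT, size) left the reservation allocated;
//   * process/thread handles leaked on every error path;
//   * PROCESS_ALL_ACCESS replaced by the rights actually used.
BOOL InjectDll(const wchar_t* DllFullPath, const DWORD dwRemoteProcessId)
{
    if (DllFullPath == NULL || DllFullPath[0] == L'\0') {
        printf("InjectDll: DLL path is empty\r\n");
        return FALSE;
    }

    // Best-effort: SeDebugPrivilege is only needed for targets of other users or
    // protected processes; a calc.exe of the same user opens without it.
    EnableDebugPriv(SE_DEBUG_NAME);

    // Least privilege: exactly what allocate/write/create-thread/IsWow64Process need.
    const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                         PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE hRemoteProcess = OpenProcess(access, FALSE, dwRemoteProcessId);
    if (!hRemoteProcess) {
        printf("OpenProcess Fail,GetLastError: %lu", GetLastError());
        return FALSE;
    }

    if (!SameBitnessAsSelf(hRemoteProcess)) {
        printf("InjectDll: target bitness differs from injector, refusing to inject\r\n");
        CloseHandle(hRemoteProcess);
        return FALSE;
    }

    // Remote buffer for the path, INCLUDING the terminating NUL.
    const SIZE_T cbPath = (wcslen(DllFullPath) + 1) * sizeof(wchar_t);
    void* pszLibFileRemote = VirtualAllocEx(hRemoteProcess, NULL, cbPath,
                                            MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!pszLibFileRemote) {
        printf("VirtualAllocEx Fail,GetLastError: %lu", GetLastError());
        CloseHandle(hRemoteProcess);
        return FALSE;
    }

    BOOL injected = FALSE;
    do {
        if (!WriteProcessMemory(hRemoteProcess, pszLibFileRemote, DllFullPath, cbPath, NULL)) {
            printf("WriteProcessMemory Fail,GetLastError: %lu", GetLastError());
            break;
        }
        printf("WriteProcessMem Success!\r\n");

        LPTHREAD_START_ROUTINE pfnLoadLibraryW = Kernel32Export("LoadLibraryW");
        if (pfnLoadLibraryW == NULL) {
            printf("GetProcAddress Fail,GetLastError: %lu", GetLastError());
            break;
        }

        // LoadLibraryW(pszLibFileRemote) on a thread inside the target.
        DWORD loadResult = 0;
        if (!RunRemote(hRemoteProcess, pfnLoadLibraryW, pszLibFileRemote, &loadResult)) {
            printf("注入线程失败,ErrorCode: %lu\r\n", GetLastError());
            break;
        }
        // LoadLibraryW returns NULL on failure (bad path, wrong bitness, DllMain returned FALSE).
        if (loadResult == 0) {
            printf("LoadLibraryW failed inside target process %lu\r\n", dwRemoteProcessId);
            break;
        }
        printf("Inject Success ,ProcessId : %lu\r\n", dwRemoteProcessId);
        injected = TRUE;

        // Unload: resolve the module base from the target's module list rather
        // than trusting the 32-bit-truncated thread exit code.
        HMODULE hRemoteModule = FindRemoteModule(dwRemoteProcessId, DllFullPath);
#ifndef _WIN64
        // On 32-bit the exit code IS the full HMODULE; use it if the snapshot failed.
        if (hRemoteModule == NULL)
            hRemoteModule = reinterpret_cast<HMODULE>(static_cast<ULONG_PTR>(loadResult));
#endif
        if (hRemoteModule == NULL) {
            printf("Could not resolve remote module handle, DLL left loaded\r\n");
            break;
        }

        LPTHREAD_START_ROUTINE pfnFreeLibrary = Kernel32Export("FreeLibrary");
        if (pfnFreeLibrary == NULL ||
            !RunRemote(hRemoteProcess, pfnFreeLibrary, hRemoteModule, NULL)) {
            printf("FreeLibrary in target failed, ErrorCode: %lu\r\n", GetLastError());
        }
    } while (0);

    // MEM_RELEASE with size 0 returns the whole region; MEM_DECOMMIT only decommitted it.
    VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
    CloseHandle(hRemoteProcess);
    return injected;
}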
101 
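// Returns the PID of the first running process whose image name equals
// targetFile (case-insensitive, as Windows file names are), or (DWORD)-1 when
// no such process exists or the snapshot fails. The default keeps the original
// no-argument call (calc.exe) working.
//
// NOTE: the Win32 SDK also declares DWORD GetProcessId(HANDLE); this function is
// a distinct overload (different parameter type) kept under the original name
// for compatibility with its caller.
//
// Fixes against the original:
//   * wcsstr(targetFile, szExeFile) had its arguments reversed and was
//     case-sensitive: it searched the process name INSIDE "calc.exe", so any
//     process whose name is a substring of "calc.exe" matched, and "CALC.EXE"
//     did not. Replaced by an exact case-insensitive comparison;
//   * the snapshot handle was never checked and leaked on the first-match path;
//   * the Process32First return value was ignored.
DWORD GetProcessId(const wchar_t* targetFile = L"calc.exe")
{
    const DWORD notFound = static_cast<DWORD>(-1);
    if (targetFile == NULL || targetFile[0] == L'\0')
        return notFound;

    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE)
        return notFound;

    DWORD pid = notFound;
    PROCESSENTRY32W entry;
    ZeroMemory(&entry, sizeof(entry));
    entry.dwSize = sizeof(entry);
    if (Process32FirstW(hSnap, &entry)) {
        do {
            if (_wcsicmp(entry.szExeFile, targetFile) == 0) {
                pid = entry.th32ProcessID;
                break;
            }
        } while (Process32NextW(hSnap, &entry));
    }

    CloseHandle(hSnap);
    return pid;
}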
138 
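// Console entry point: injects InjectDllExample.dll into the first calc.exe found.
//
// The DLL is located next to THIS executable (GetModuleFileNameW) rather than in
// the current working directory, which depends on how the injector was launched.
// An optional argv[1] overrides the DLL path; it is made absolute first because
// LoadLibraryW runs in the TARGET process, where a relative name would be
// resolved through the target's DLL search order (search-order hijacking).
// Returns 0 on success, 1 on any failure (the original always returned 0 and
// ignored every error, including "target process not found").
int _tmain(int argc, _TCHAR* argv[])
{
    wchar_t dllPath[MAX_PATH];

    if (argc > 1) {
        const DWORD len = GetFullPathNameW(argv[1], MAX_PATH, dllPath, NULL);
        if (len == 0 || len >= MAX_PATH) {
            printf("Invalid DLL path argument, GetLastError: %lu\r\n", GetLastError());
            return 1;
        }
    } else {
        const DWORD len = GetModuleFileNameW(NULL, dllPath, MAX_PATH);
        if (len == 0 || len >= MAX_PATH) {
            printf("GetModuleFileName Fail,GetLastError: %lu\r\n", GetLastError());
            return 1;
        }
        // Strip the executable name, keep the trailing backslash.
        wchar_t* lastSep = wcsrchr(dllPath, L'\\');
        if (lastSep == NULL) {
            printf("Unexpected module path\r\n");
            return 1;
        }
        lastSep[1] = L'\0';
        if (wcscat_s(dllPath, L"InjectDllExample.dll") != 0) {
            printf("DLL path too long\r\n");
            return 1;
        }
    }

    // Fail here with a clear message instead of letting LoadLibraryW fail in the target.
    if (GetFileAttributesW(dllPath) == INVALID_FILE_ATTRIBUTES) {
        printf("DLL not found: %ls\r\n", dllPath);
        return 1;
    }

    const DWORD pid = GetProcessId();
    if (pid == static_cast<DWORD>(-1)) { // GetProcessId's "not found" sentinel
        printf("Target process not found\r\n");
        return 1;
    }

    return InjectDll(dllPath, pid) ? 0 : 1;
}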

 

 

DLL 代码:

 1 // dllmain.cpp : 定义 DLL 应用程序的入口点。
 2 #include "stdafx.h"
 3 #include <malloc.h>
 4 #include <stdlib.h>
 5 
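// DLL entry point. On DLL_PROCESS_ATTACH it shows a message box so the injection
// is visible; every other notification is ignored.
//
// Fix against the original: malloc(10 * sizeof(wchar_t)) was called on EVERY
// notification (process and thread attach/detach), never used and never freed.
//
// Caveat (loader lock): DllMain runs while the loader lock is held and only
// kernel32 functions are documented as safe here; MessageBox lives in user32.
// It is kept in this sample because the injector waits for LoadLibraryW to
// return and then unloads the DLL immediately, so the blocking call is what keeps
// the unload from racing the UI. Moving the work to a worker thread (the correct
// pattern for real payloads) would require pinning the module with
// GetModuleHandleExW(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS) and ending the
// thread with FreeLibraryAndExitThread.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    (void)lpReserved;

    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        // No per-thread state, so stop DLL_THREAD_ATTACH/DETACH notifications.
        DisableThreadLibraryCalls(hModule);
        MessageBox(NULL, L"远程注入提示", L"RemoteDLL", MB_OK);
    }
    return TRUE;
}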

 

原文链接: https://www.cnblogs.com/emjx/p/11254775.html



原创文章受到原创版权保护。转载请注明出处:https://www.ccppcoding.com/archives/299806

非原创文章文中已经注明原地址,如有侵权,联系删除


转载文章受原作者版权保护。转载请注明原作者出处!
