超級=_=,直接附上注入程序以及dll的代碼。
dll 代碼很簡單只是彈窗,可以根據需要擴充。
注入程序只是練手之作,隨便寫了一個針對 calc.exe 的遠程線程注入(CreateRemoteThread + LoadLibraryW)。
從注入、等待 DLL 加載到卸載都包含,程序執行完畢後釋放遠程內存並關閉句柄(掃尾)。
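// InjectExample.cpp : entry point of the console application.
//
// Proof-of-concept DLL injection: find calc.exe, write the DLL path into its
// address space, run LoadLibraryW on a remote thread, then unload the DLL with
// FreeLibrary and release everything that was allocated.
//
// Constraints worth knowing before reusing this:
//  * Injector and target must have the same bitness. The LoadLibraryW address
//    is taken from *this* process's kernel32 and is only valid in the target
//    because the same kernel32 image is (in practice) mapped at the same base
//    in every process of that bitness.
//  * The DLL path is resolved by LoadLibraryW *inside the target*, so it must
//    be absolute; a relative name would go through the target's DLL search
//    order, not ours.
//  * NOTE(review): on recent Windows versions "calc.exe" is a launcher for the
//    store Calculator and exits quickly — verify the target actually stays
//    running on the machine you test on.

#include "stdafx.h"
#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>
#include <stdio.h>

// Access rights actually needed by VirtualAllocEx / WriteProcessMemory /
// CreateRemoteThread. PROCESS_ALL_ACCESS (the original) asks for far more than
// the injection uses and is refused on more targets — least privilege.
static const DWORD kInjectAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                                   PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;

// Enable a named privilege (e.g. SE_DEBUG_NAME) in the current process token.
// Returns 0 on success, 1 on failure.
//
// AdjustTokenPrivileges returns TRUE even when the privilege is not held by
// the token (a non-elevated user normally lacks SeDebugPrivilege); it then
// sets ERROR_NOT_ALL_ASSIGNED. The original treated that as success; here it
// is reported as failure. The token handle is also closed (the original
// leaked it).
int EnableDebugPriv(const wchar_t *name)
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
        return 1;

    int result = 1;
    LUID luid;
    if (LookupPrivilegeValueW(NULL, name, &luid))
    {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL) &&
            GetLastError() == ERROR_SUCCESS)
        {
            result = 0;
        }
    }

    CloseHandle(hToken);
    return result;
}

// Inject the DLL at DllFullPath into process dwRemoteProcessId, wait for the
// remote LoadLibraryW to finish, then unload the DLL again and release the
// remote buffer and all handles.
//
// Returns TRUE only if LoadLibraryW succeeded inside the target. Every failure
// path frees the remote buffer and closes the process handle (the original
// leaked both whenever CreateRemoteThread failed).
//
// Fixes relative to the original:
//  * the terminating NUL is now written with the path (the original wrote
//    wcslen()*sizeof(wchar_t) bytes and relied on fresh pages being zeroed);
//  * the remote buffer is released with MEM_RELEASE and size 0 as the API
//    requires (the original passed a miscomputed size with MEM_DECOMMIT);
//  * the exit code of the LoadLibraryW thread is checked, so a DLL that fails
//    to load in the target is reported instead of being "unloaded" as 0.
BOOL InjectDll(const wchar_t *DllFullPath, const DWORD dwRemoteProcessId)
{
    BOOL ok = FALSE;
    HANDLE hRemoteProcess = NULL;
    HANDLE hRemoteThread = NULL;
    void *pszLibFileRemote = NULL;
    SIZE_T cbPath = 0;
    SIZE_T cbWritten = 0;
    FARPROC pfnLoadLibraryW = NULL;
    FARPROC pfnFreeLibrary = NULL;
    DWORD dwRemoteModule = 0;   // exit code of the LoadLibraryW thread == HMODULE (truncated to 32 bits)

    if (DllFullPath == NULL || DllFullPath[0] == L'\0')
    {
        printf("InjectDll: empty DLL path\r\n");
        return FALSE;
    }
    // Fail early with a clear message instead of a silent LoadLibraryW failure
    // inside the target.
    if (GetFileAttributesW(DllFullPath) == INVALID_FILE_ATTRIBUTES)
    {
        printf("DLL not found: %ls\r\n", DllFullPath);
        return FALSE;
    }

    // SeDebugPrivilege is only needed for processes of other users or
    // protected processes; not having it is not fatal for a same-user calc.exe.
    if (EnableDebugPriv(SE_DEBUG_NAME) != 0)
        printf("Warning: SeDebugPrivilege not enabled (not required for own-user targets)\r\n");

    hRemoteProcess = OpenProcess(kInjectAccess, FALSE, dwRemoteProcessId);
    if (!hRemoteProcess)
    {
        printf("OpenProcess Fail,GetLastError: %lu\r\n", GetLastError());
        return FALSE;
    }

    // Byte count *including* the terminating NUL: LoadLibraryW in the target
    // reads a NUL-terminated string.
    cbPath = (wcslen(DllFullPath) + 1) * sizeof(wchar_t);
    pszLibFileRemote = VirtualAllocEx(hRemoteProcess, NULL, cbPath, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!pszLibFileRemote)
    {
        printf("VirtualAllocEx Fail,GetLastError: %lu\r\n", GetLastError());
        goto cleanup;
    }

    if (!WriteProcessMemory(hRemoteProcess, pszLibFileRemote, DllFullPath, cbPath, &cbWritten) ||
        cbWritten != cbPath)
    {
        printf("WriteProcessMemory Fail,GetLastError: %lu\r\n", GetLastError());
        goto cleanup;
    }
    printf("WriteProcessMem Success!\r\n");

    // Both entry points are resolved in *our* kernel32; see the header comment
    // for why that address is usable in the target.
    pfnLoadLibraryW = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "LoadLibraryW");
    pfnFreeLibrary  = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "FreeLibrary");
    if (pfnLoadLibraryW == NULL || pfnFreeLibrary == NULL)
    {
        printf("GetProcAddress Fail,GetLastError: %lu\r\n", GetLastError());
        goto cleanup;
    }

    // LoadLibraryW(pszLibFileRemote) on a new thread inside the target.
    hRemoteThread = CreateRemoteThread(hRemoteProcess, NULL, 0,
                                       (LPTHREAD_START_ROUTINE)pfnLoadLibraryW,
                                       pszLibFileRemote, 0, NULL);
    if (hRemoteThread == NULL)
    {
        printf("注入線程失敗,ErrorCode: %lu\r\n", GetLastError());
        goto cleanup;
    }
    printf("Inject Success ,ProcessId : %lu\r\n", dwRemoteProcessId);

    // The thread's exit code is LoadLibraryW's return value; 0 means the DLL
    // did not load (wrong bitness, missing dependency, bad path ...).
    WaitForSingleObject(hRemoteThread, INFINITE);
    GetExitCodeThread(hRemoteThread, &dwRemoteModule);
    CloseHandle(hRemoteThread);
    hRemoteThread = NULL;

    if (dwRemoteModule == 0)
    {
        printf("LoadLibraryW failed inside the target process\r\n");
        goto cleanup;
    }
    ok = TRUE;

    // Unload the DLL again: FreeLibrary(hModule) on a remote thread.
    // NOTE: GetExitCodeThread yields a 32-bit DWORD, so in a 64-bit target the
    // HMODULE is truncated and this call is wrong (the original had the same
    // limitation). A 64-bit build should locate the module with a
    // TH32CS_SNAPMODULE snapshot of the target instead of trusting the exit code.
    hRemoteThread = CreateRemoteThread(hRemoteProcess, NULL, 0,
                                       (LPTHREAD_START_ROUTINE)pfnFreeLibrary,
                                       (LPVOID)(ULONG_PTR)dwRemoteModule, 0, NULL);
    if (hRemoteThread != NULL)
        WaitForSingleObject(hRemoteThread, INFINITE);
    else
        printf("FreeLibrary thread failed,ErrorCode: %lu\r\n", GetLastError());

cleanup:
    if (hRemoteThread != NULL)
        CloseHandle(hRemoteThread);
    if (pszLibFileRemote != NULL)
        VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);   // MEM_RELEASE requires size 0
    CloseHandle(hRemoteProcess);
    return ok;
}

// Return the PID of the first process whose image name is exactly "calc.exe"
// (case-insensitive), or (DWORD)-1 when no such process exists or the
// snapshot cannot be taken.
//
// The original compared with wcsstr(targetFile, szExeFile) — haystack and
// needle reversed — which matches any process whose name is a *substring* of
// "calc.exe"; an exact, case-insensitive comparison is what was intended. It
// also returned from the first-entry match without closing the snapshot.
//
// This overloads the Win32 GetProcessId(HANDLE); the zero-argument form is
// kept for the existing caller in _tmain.
DWORD GetProcessId()
{
    const wchar_t *targetFile = L"calc.exe";
    DWORD Pid = (DWORD)-1;

    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE)
        return Pid;

    PROCESSENTRY32W entry;
    ZeroMemory(&entry, sizeof(entry));
    entry.dwSize = sizeof(entry);

    // Walk the snapshot; stop at the first exact match.
    for (BOOL more = Process32FirstW(hSnap, &entry); more; more = Process32NextW(hSnap, &entry))
    {
        if (_wcsicmp(entry.szExeFile, targetFile) == 0)
        {
            Pid = entry.th32ProcessID;
            break;
        }
    }

    CloseHandle(hSnap);
    return Pid;
}

// Build the absolute path of InjectDllExample.dll next to the current
// directory and inject it into calc.exe. Exit code 0 on success, 1 otherwise.
int _tmain(int argc, _TCHAR *argv[])
{
    (void)argc;
    (void)argv;

    // Absolute path is required: LoadLibraryW runs in the target, which has
    // its own current directory and DLL search order.
    wchar_t myFILE[MAX_PATH];
    DWORD len = GetCurrentDirectoryW(MAX_PATH, myFILE);
    if (len == 0 || len >= MAX_PATH)   // 0 = failure; >= MAX_PATH = buffer too small
    {
        printf("GetCurrentDirectory Fail,GetLastError: %lu\r\n", GetLastError());
        return 1;
    }
    if (wcscat_s(myFILE, L"\\InjectDllExample.dll") != 0)
    {
        printf("DLL path too long\r\n");
        return 1;
    }

    DWORD pid = GetProcessId();
    if (pid == (DWORD)-1)   // original passed -1 straight to OpenProcess
    {
        printf("calc.exe not running\r\n");
        return 1;
    }

    return InjectDll(myFILE, pid) ? 0 : 1;
}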
DLL 代碼:
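// dllmain.cpp : entry point of the DLL.
#include "stdafx.h"
#include <malloc.h>
#include <stdlib.h>

// Called by the loader on process/thread attach and detach. On
// DLL_PROCESS_ATTACH it shows a message box so the injection is visible in
// the target process; all other reasons just return TRUE.
//
// The original malloc()'d a 10-wchar_t buffer on *every* call (including each
// thread attach/detach) and never used or freed it — a leak in the host
// process. The allocation is removed.
//
// NOTE(review): MessageBox from DllMain runs under the loader lock and calls
// into user32, which the DllMain rules advise against (it can deadlock if the
// host is itself loading or unloading libraries at that moment). It is kept
// because it is the whole point of this demo; a real payload should do its
// work on its own thread (CreateThread) and return from DllMain quickly.
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    UNREFERENCED_PARAMETER(lpReserved);

    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        // Thread attach/detach notifications are not used; opting out saves
        // one DllMain call per thread in the host.
        DisableThreadLibraryCalls(hModule);
        MessageBoxW(NULL, L"遠程注入提示", L"RemoteDLL", MB_OK);
    }
    return TRUE;
}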