Mamor's Blog
0%

代码注入

发表于 分类于
本文字数: 2.9k 阅读时长 ≈ 3 分钟 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
#include <Windows.h>
#include <stdio.h>
#pragma warning(disable:4996)


typedef struct Data {
	FARPROC func[2];  //loadlibraryA GetProcAddress 地址
	char buffer[4][128];  //二级指针

} _DATA ,*THREAD_PARAM ;

//定义 loadlibraryA函数指针
/*
WINBASEAPI
_Ret_maybenull_
HMODULE
WINAPI
LoadLibraryA(
	_In_ LPCSTR lpLibFileName
);
*/
typedef HMODULE(WINAPI* loadLibraryA)(LPCSTR lpLibFileName);

//定义 GetProcAddress指针
/*
WINBASEAPI
FARPROC
WINAPI
GetProcAddress(
	_In_ HMODULE hModule,
	_In_ LPCSTR lpProcName
	);

*/
typedef HMODULE(WINAPI* getProcAddress)(HMODULE hModule, LPCSTR lpProcName);

// MessageBoxA
/*
WINUSERAPI
int
WINAPI
MessageBoxA(
	_In_opt_ HWND hWnd,
	_In_opt_ LPCSTR lpText,
	_In_opt_ LPCSTR lpCaption,
	_In_ UINT uType);
*/
typedef int (WINAPI* messageBoxA)( 
	HWND hWnd,
	LPCSTR lpText,
	LPCSTR lpCaption,
	UINT uType);


DWORD WINAPI shellCode(LPVOID lparam) {
	THREAD_PARAM param = (THREAD_PARAM)lparam;   //定义成指针类型
	HMODULE hmod = NULL;
	//加载user32.dll 
	// param->func[0]   loadlibraryA
	//param->buffer[0]  user32.dll
	hmod = ((loadLibraryA)param->func[0])(param->buffer[0]); 	// loadlibraryA()

	//获取messageBoxA
	//param->func[1]  GetProcAddress
	//param.buffer[1] "MessageBoxA"
	//param.buffer[2] "title"
	//param.buffer[3] "text"
	FARPROC messageboxfun = (FARPROC)((getProcAddress)param->func[1])(hmod, param->buffer[1]);
	//MessageBoxA弹窗
	((messageBoxA)messageboxfun)(NULL, param->buffer[2], param->buffer[3], 0);

}


void injectCode(int pid) {
	_DATA param = { 0 };
	LPVOID remoteBuf[2] = { 0 };
	HMODULE hmod = GetModuleHandleA("kernel32.dll");
	param.func[0] = GetProcAddress(hmod, "LoadLibraryA");
	param.func[1] = GetProcAddress(hmod, "GetProcAddress");

	strcpy(param.buffer[0], "user32.dll");
	strcpy(param.buffer[1], "MessageBoxA");
	strcpy(param.buffer[2], "title");
	strcpy(param.buffer[3], "text");

	//打开进程
	HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid );
	if (NULL == hProcess) {
		return;
	}
	//分配Param结构体内存
	int size = sizeof(_DATA);
	remoteBuf[0] = VirtualAllocEx(hProcess, NULL, size, MEM_COMMIT, PAGE_READWRITE);
	//把数据写入目标内存
	WriteProcessMemory(hProcess, remoteBuf[0], &param, size, 0);

	//将代码写入到目标内存
	size = (DWORD)injectCode - (DWORD)shellCode; //得到shellcode代码大小
	printf("%d", size);
	remoteBuf[1] = VirtualAllocEx(hProcess, NULL, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	WriteProcessMemory(hProcess, remoteBuf[1], shellCode, size, 0);

	HANDLE thread = CreateRemoteThread(hProcess, NULL, 0, remoteBuf[1], remoteBuf[0], 0, NULL);
	if (NULL == thread) {
		return;
	}
	WaitForSingleObject(thread,INFINITE);
	CloseHandle(thread);
	CloseHandle(hProcess);
}

void main(int argc, char* argv[]) {
	
	/*if (argc != 2)
	{
		printf("请输入pid");
		return;
	}
	int pid = atol(argv[1]);*/
	injectCode(13968);
	system("pause");
	
}

需要在release下生成

img

欢迎关注我的其它发布渠道

------------- 💖 🌞 本 文 结 束 😚 感 谢 您 的 阅 读 🌞 💖 -------------