C/C++实现远程代码注入

发表于 2019-06-21 更新于 2022-12-21 分类于 C++ 黑客编程本文字数： 9.5k
#include <windows.h>
#include <iostream>
#define STRLEN 20

typedef struct _DATA
{
    DWORD dwLoadLibrary;
    DWORD dwGetProcAddress;
    DWORD dwGetModuleHandle;
    DWORD dwGetModuleFileName;
</span><span style="color: #0000ff;">char</span><span style="color: #000000;"> User32Dll[STRLEN];
</span><span style="color: #0000ff;">char</span><span style="color: #000000;"> MessageBox[STRLEN];
</span><span style="color: #0000ff;">char</span><span style="color: #000000;"> Str[STRLEN];

}DATA, *PDATA;
DWORD WINAPI RemoteThreadProc(LPVOID lpParam)
{
    PDATA pData = (PDATA)lpParam;
</span><span style="color: #008000;">//</span><span style="color: #008000;">定义API函数原型</span>
HMODULE (__stdcall *<span style="color: #000000;">MyLoadLibrary)(LPCTSTR);
FARPROC (__stdcall </span>*<span style="color: #000000;">MyGetProcAddress)(HMODULE, LPCSTR);
HMODULE (__stdcall </span>*<span style="color: #000000;">MyGetModuleHandle)(LPCTSTR);
</span><span style="color: #0000ff;">int</span> (__stdcall *<span style="color: #000000;">MyMessageBox)(HWND, LPCTSTR, LPCTSTR, UINT);
DWORD (__stdcall </span>*<span style="color: #000000;">MyGetModuleFileName)(HMODULE, LPTSTR, DWORD);

</span><span style="color: #008000;">//</span><span style="color: #008000;">对各函数地址进行赋值</span>
MyLoadLibrary = (HMODULE (__stdcall *)(LPCTSTR))pData-&gt;<span style="color: #000000;">dwLoadLibrary;
MyGetProcAddress </span>= (FARPROC (__stdcall *)(HMODULE, LPCSTR))pData-&gt;<span style="color: #000000;">dwGetProcAddress;
MyGetModuleHandle </span>= (HMODULE (__stdcall *)(LPCTSTR))pData-&gt;<span style="color: #000000;">dwGetModuleHandle;
MyGetModuleFileName </span>= (DWORD (__stdcall *)(HMODULE, LPTSTR, DWORD))pData-&gt;<span style="color: #000000;">dwGetModuleFileName;

</span><span style="color: #008000;">//</span><span style="color: #008000;">加载user32.dll</span>
HMODULE hModule = MyLoadLibrary(pData-&gt;<span style="color: #000000;">User32Dll);
</span><span style="color: #008000;">//</span><span style="color: #008000;">获得MessageBoxA的函数地址</span>
MyMessageBox = (<span style="color: #0000ff;">int</span> (__stdcall *<span style="color: #000000;">)(HWND, LPCTSTR, LPCTSTR, UINT))
                    MyGetProcAddress(hModule, pData</span>-&gt;<span style="color: #000000;">MessageBox);
</span><span style="color: #0000ff;">char</span> szModuleFileName[MAX_PATH] = {<span style="color: #800080;">0</span><span style="color: #000000;">};
MyGetModuleFileName(NULL, szModuleFileName, MAX_PATH);

MyMessageBox(NULL, pData</span>-&gt;<span style="color: #000000;">Str, szModuleFileName, MB_OK);

</span><span style="color: #0000ff;">return</span> <span style="color: #800080;">0</span><span style="color: #000000;">;

}
void InjectCode(DWORD dwPid)
{
    //打开进程并获取进程句柄
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE,dwPid);
</span><span style="color: #0000ff;">if</span>(NULL==<span style="color: #000000;"> hProcess)
   </span><span style="color: #0000ff;">return</span><span style="color: #000000;">;

DATA Data </span>= {<span style="color: #800080;">0</span><span style="color: #000000;">};

</span><span style="color: #008000;">//</span><span style="color: #008000;">获取kernel32.dll中相关的导出函数</span>
Data.dwLoadLibrary= (DWORD)GetProcAddress(GetModuleHandle(<span style="color: #800000;">"</span><span style="color: #800000;">kernel32.dll</span><span style="color: #800000;">"</span>),<span style="color: #800000;">"</span><span style="color: #800000;">LoadLibraryA</span><span style="color: #800000;">"</span><span style="color: #000000;">);
Data.dwGetProcAddress</span>= (DWORD)GetProcAddress(GetModuleHandle(<span style="color: #800000;">"</span><span style="color: #800000;">kernel32.dll</span><span style="color: #800000;">"</span>),<span style="color: #800000;">"</span><span style="color: #800000;">GetProcAddress</span><span style="color: #800000;">"</span><span style="color: #000000;">);
Data.dwGetModuleHandle</span>= (DWORD)GetProcAddress(GetModuleHandle(<span style="color: #800000;">"</span><span style="color: #800000;">kernel32.dll</span><span style="color: #800000;">"</span>),<span style="color: #800000;">"</span><span style="color: #800000;">GetModuleHandleA</span><span style="color: #800000;">"</span><span style="color: #000000;">);
Data.dwGetModuleFileName</span>= (DWORD)GetProcAddress(GetModuleHandle(<span style="color: #800000;">"</span><span style="color: #800000;">kernel32.dll</span><span style="color: #800000;">"</span>),<span style="color: #800000;">"</span><span style="color: #800000;">GetModuleFileNameA</span><span style="color: #800000;">"</span><span style="color: #000000;">);

</span><span style="color: #008000;">//</span><span style="color: #008000;">需要的其他dll和导出函数</span>
lstrcpy(Data.User32Dll,<span style="color: #800000;">"</span><span style="color: #800000;">user32.dll</span><span style="color: #800000;">"</span><span style="color: #000000;">);
lstrcpy(Data.MessageBox,</span><span style="color: #800000;">"</span><span style="color: #800000;">MessageBoxA</span><span style="color: #800000;">"</span><span style="color: #000000;">);
</span><span style="color: #008000;">//</span><span style="color: #008000;">提示字符串</span>
lstrcpy(Data.Str,<span style="color: #800000;">"</span><span style="color: #800000;">Code Inject !!!</span><span style="color: #800000;">"</span><span style="color: #000000;">);

</span><span style="color: #008000;">//</span><span style="color: #008000;">在目标进程中申请空间</span>
LPVOID lpData = VirtualAllocEx(hProcess, NULL, <span style="color: #0000ff;">sizeof</span><span style="color: #000000;">(Data),
                 MEM_COMMIT,PAGE_EXECUTE_READWRITE);
DWORD dwWriteNum </span>= <span style="color: #800080;">0</span><span style="color: #000000;">;
WriteProcessMemory(hProcess,lpData, </span>&amp;Data,<span style="color: #0000ff;">sizeof</span>(Data), &amp;<span style="color: #000000;">dwWriteNum);

</span><span style="color: #008000;">//</span><span style="color: #008000;">在目标进程空间中申请用于保存代码的长度</span>
WORD dwFunSize = <span style="color: #800080;">0x4000</span><span style="color: #000000;">;
LPVOID lpCode </span>=<span style="color: #000000;"> VirtualAllocEx(hProcess, NULL, dwFunSize,
                 MEM_COMMIT,PAGE_EXECUTE_READWRITE);

WriteProcessMemory(hProcess,lpCode,</span>&amp;<span style="color: #000000;">RemoteThreadProc,
                 dwFunSize,</span>&amp;<span style="color: #000000;">dwWriteNum);
HANDLE hThread </span>= CreateRemoteThread(hProcess, NULL, <span style="color: #800080;">0</span><span style="color: #000000;">,
                 (LPTHREAD_START_ROUTINE)lpCode,
                 lpData,</span><span style="color: #800080;">0</span><span style="color: #000000;">, NULL);
WaitForSingleObject(hThread,INFINITE);

CloseHandle(hThread);
CloseHandle(hProcess);

}
int GetProcessID(char *Name)
{
    HWND Pid=::FindWindow(NULL,Name);
    DWORD Retn;
    ::GetWindowThreadProcessId(Pid,&Retn);
    return Retn;
}

int main()
{
</span><span style="color: #0000ff;">int</span><span style="color: #000000;"> ppid;

ppid </span>= ::GetProcessID(<span style="color: #800000;">"</span><span style="color: #800000;">lyshark.exe</span><span style="color: #800000;">"</span><span style="color: #000000;">);
InjectCode(ppid);


</span><span style="color: #0000ff;">return</span> <span style="color: #800080;">0</span><span style="color: #000000;">;

}