Note: build this in Release mode. The injector copies the raw bytes found at the address of RemoteThreadProc into the target process; in a Debug build that address typically resolves to an incremental-linking jump thunk rather than to the function body, so the copied bytes would not contain the code.
// Thread function: copied byte-for-byte into the target process and started there as the remote thread's entry point.
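DWORD WINAPI RemoteThreadProc(LPVOID lpParam)
{
	// Entry point of the thread that runs inside the target process.
	//
	// InjectCode copies the machine code of this function into the target,
	// so it has to be position-independent: no CRT calls, no string literals,
	// no globals.  Every API it needs is reached through the addresses and
	// strings the injector placed in the DATA block passed as lpParam.
	//
	// Returns 0 on success and 1 when a required address could not be
	// resolved (the exit code is not inspected by the injector).
	//
	// NOTE(review): a /GS stack cookie check or an out-of-line memset for the
	// local buffer would reference the injector's image by absolute address
	// and crash the target; confirm with a disassembly of the release build.
	typedef HMODULE (WINAPI *PFN_LOADLIBRARYA)(LPCSTR);
	typedef FARPROC (WINAPI *PFN_GETPROCADDRESS)(HMODULE, LPCSTR);
	typedef DWORD   (WINAPI *PFN_GETMODULEFILENAMEA)(HMODULE, LPSTR, DWORD);
	typedef int     (WINAPI *PFN_MESSAGEBOXA)(HWND, LPCSTR, LPCSTR, UINT);

	PDATA pData = (PDATA)lpParam;
	if (pData == NULL)
		return 1;

	// Addresses are stored as DWORD in DATA; they were resolved in the
	// injector and are assumed to be valid in this process too.
	PFN_LOADLIBRARYA       pfnLoadLibrary       = (PFN_LOADLIBRARYA)pData->dwLoadLibrary;
	PFN_GETPROCADDRESS     pfnGetProcAddress    = (PFN_GETPROCADDRESS)pData->dwGetProcAddress;
	PFN_GETMODULEFILENAMEA pfnGetModuleFileName = (PFN_GETMODULEFILENAMEA)pData->dwGetModuleFileName;
	if (pfnLoadLibrary == NULL || pfnGetProcAddress == NULL || pfnGetModuleFileName == NULL)
		return 1;

	// user32 may not be loaded in the target yet; calling through a NULL
	// module handle would make GetProcAddress fail and the call below crash.
	HMODULE hUser32 = pfnLoadLibrary(pData->User32Dll);
	if (hUser32 == NULL)
		return 1;
	PFN_MESSAGEBOXA pfnMessageBox = (PFN_MESSAGEBOXA)pfnGetProcAddress(hUser32, pData->MessageBox);
	if (pfnMessageBox == NULL)
		return 1;

	// Show the injected message with the host process' image path as title.
	char szModuleName[MAX_PATH] = {0};
	pfnGetModuleFileName(NULL, szModuleName, MAX_PATH);
	szModuleName[MAX_PATH - 1] = '\0';   // guard against a truncated, unterminated path
	pfnMessageBox(NULL, pData->Str, szModuleName, MB_OK);
	return 0;
}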
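void CNoDllInjectDlg::InjectCode(DWORD dwPid)
{
	// DLL-less code injection into process dwPid:
	//   1. fill a DATA block with kernel32 export addresses and the strings the
	//      remote code needs (it cannot use this module's literals),
	//   2. copy the block and the raw bytes of RemoteThreadProc into the target,
	//   3. run RemoteThreadProc there on a remote thread and wait for it.
	// Failures are reported through the dialog's MessageBox; every handle and
	// every remote allocation is released on every path.
	//
	// NOTE(review): DATA stores the API addresses as DWORD and the thread body
	// is _stdcall, so this is a 32-bit injector / 32-bit target technique; the
	// (DWORD) casts below truncate pointers in a 64-bit build.  It also assumes
	// kernel32.dll is mapped at the same address in the target as here.
	const DWORD dwCodeSize = 0x2000;   // assumed upper bound on RemoteThreadProc's code size
	// Only the rights the calls below need, instead of PROCESS_ALL_ACCESS.
	const DWORD dwAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
	                       PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;

	DebugPrivilege();
	HANDLE hProcess = OpenProcess(dwAccess, FALSE, dwPid);
	if (hProcess == NULL)
	{
		// GetLastError() has to be read before MessageBox, which overwrites it.
		CString strMsg;
		strMsg.Format("OpenProcess Error (%lu)", GetLastError());
		MessageBox(strMsg);
		return;
	}

	DATA Data;
	ZeroMemory(&Data, sizeof(Data));
	HMODULE hKernel32 = GetModuleHandleA("kernel32.dll");
	if (hKernel32 != NULL)
	{
		Data.dwLoadLibrary       = (DWORD)GetProcAddress(hKernel32, "LoadLibraryA");
		Data.dwGetProcAddress    = (DWORD)GetProcAddress(hKernel32, "GetProcAddress");
		Data.dwGetModuleHandle   = (DWORD)GetProcAddress(hKernel32, "GetModuleHandleA");
		Data.dwGetModuleFileName = (DWORD)GetProcAddress(hKernel32, "GetModuleFileNameA");
	}
	// Bounded copies into the fixed-size DATA string fields.
	lstrcpynA(Data.User32Dll,  "user32.dll",      sizeof(Data.User32Dll));
	lstrcpynA(Data.MessageBox, "MessageBoxA",     sizeof(Data.MessageBox));
	lstrcpynA(Data.Str,        "Inject Code !!!", sizeof(Data.Str));

	LPVOID lpRemoteData = NULL;
	LPVOID lpRemoteCode = NULL;
	HANDLE hThread      = NULL;
	BOOL   bThreadDone  = TRUE;   // FALSE while a remote thread may still be running
	LPCSTR pszFailed    = NULL;   // first step that failed, for the error message
	DWORD  dwWritten    = 0;
	DWORD  dwOldProtect = 0;

	do
	{
		if (Data.dwLoadLibrary == 0 || Data.dwGetProcAddress == 0 ||
		    Data.dwGetModuleHandle == 0 || Data.dwGetModuleFileName == 0)
		{
			pszFailed = "GetProcAddress(kernel32)";
			break;
		}

		lpRemoteData = VirtualAllocEx(hProcess, NULL, sizeof(DATA),
		                              MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
		if (lpRemoteData == NULL)
		{
			pszFailed = "VirtualAllocEx(data)";
			break;
		}
		if (!WriteProcessMemory(hProcess, lpRemoteData, &Data, sizeof(DATA), &dwWritten) ||
		    dwWritten != sizeof(DATA))
		{
			pszFailed = "WriteProcessMemory(data)";
			break;
		}

		// Code page: written as RW, then switched to RX so the target never
		// holds a writable+executable mapping.
		lpRemoteCode = VirtualAllocEx(hProcess, NULL, dwCodeSize,
		                              MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
		if (lpRemoteCode == NULL)
		{
			pszFailed = "VirtualAllocEx(code)";
			break;
		}
		// NOTE(review): this copies dwCodeSize bytes starting at RemoteThreadProc
		// on the assumption that the function fits; the source read can fault if
		// the function lies within 0x2000 bytes of the end of the code section.
		if (!WriteProcessMemory(hProcess, lpRemoteCode, (LPCVOID)RemoteThreadProc,
		                        dwCodeSize, &dwWritten) ||
		    dwWritten != dwCodeSize)
		{
			pszFailed = "WriteProcessMemory(code)";
			break;
		}
		if (!VirtualProtectEx(hProcess, lpRemoteCode, dwCodeSize, PAGE_EXECUTE_READ, &dwOldProtect))
		{
			pszFailed = "VirtualProtectEx";
			break;
		}
		FlushInstructionCache(hProcess, lpRemoteCode, dwCodeSize);

		hThread = CreateRemoteThread(hProcess, NULL, 0,
		                             (LPTHREAD_START_ROUTINE)lpRemoteCode,
		                             lpRemoteData, 0, NULL);
		if (hThread == NULL)
		{
			pszFailed = "CreateRemoteThread";
			break;
		}
		// RemoteThreadProc shows a modal MessageBox in the target, so this
		// blocks until the user dismisses it.
		bThreadDone = (WaitForSingleObject(hThread, INFINITE) == WAIT_OBJECT_0);
	} while (0);

	if (pszFailed != NULL)
	{
		DWORD dwErr = GetLastError();   // read before MessageBox overwrites it
		CString strMsg;
		strMsg.Format("%s Error (%lu)", pszFailed, dwErr);
		MessageBox(strMsg);
	}

	if (hThread != NULL)
		CloseHandle(hThread);
	// Release the remote allocations only when no thread can still be using them.
	if (bThreadDone)
	{
		if (lpRemoteCode != NULL)
			VirtualFreeEx(hProcess, lpRemoteCode, 0, MEM_RELEASE);
		if (lpRemoteData != NULL)
			VirtualFreeEx(hProcess, lpRemoteData, 0, MEM_RELEASE);
	}
	CloseHandle(hProcess);
}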
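void CNoDllInjectDlg::OnBtnInject()
{
	// Handler for the Inject button: reads the target PID from the
	// IDC_EDIT_INJECT edit control and hands it to InjectCode.
	//
	// The text must be a non-zero decimal number and nothing else.  Anything
	// else is rejected here instead of letting atoi() silently turn it into
	// PID 0 (or truncate trailing junk).
	CString strPid;
	GetDlgItemText(IDC_EDIT_INJECT, strPid);
	strPid.TrimLeft();
	strPid.TrimRight();

	LPCTSTR pszPid = (LPCTSTR)strPid;   // no GetBuffer/ReleaseBuffer pair needed for read-only access
	char*   pszEnd = NULL;
	unsigned long ulPid = 0;
	// strtoul would accept a leading sign and wrap negatives, so require a digit first.
	if (pszPid[0] >= '0' && pszPid[0] <= '9')
		ulPid = strtoul(pszPid, &pszEnd, 10);
	if (ulPid == 0 || pszEnd == NULL || *pszEnd != '\0')
	{
		MessageBox("Invalid PID");
		return;
	}
	InjectCode((DWORD)ulPid);
}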
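void CNoDllInjectDlg::DebugPrivilege()
{
	// Enables SeDebugPrivilege on the current process token so the later
	// OpenProcess can reach processes the caller's DACL rights alone would not.
	//
	// Best effort: nothing is reported to the caller.  The privilege has to be
	// present in the token already (it is for elevated administrators); when
	// it is not, AdjustTokenPrivileges still returns TRUE but sets the last
	// error to ERROR_NOT_ALL_ASSIGNED, and OpenProcess fails later instead.
	HANDLE hToken = NULL;
	// Request only what adjusting a privilege needs, not TOKEN_ALL_ACCESS.
	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
		return;

	TOKEN_PRIVILEGES tp;
	ZeroMemory(&tp, sizeof(tp));
	// Look up the LUID of SeDebugPrivilege; skip the adjustment if that fails
	// rather than enabling an all-zero LUID.
	if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
	{
		tp.PrivilegeCount = 1;
		tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
		// Return value alone is not enough to know the privilege was enabled;
		// see the ERROR_NOT_ALL_ASSIGNED note above.
		AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
	}
	CloseHandle(hToken);
}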
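DWORD WINAPI RemoteThreadProc(LPVOID lpParam)
{
	// Entry point of the thread that runs inside the target process.
	//
	// InjectCode copies the machine code of this function into the target,
	// so it has to be position-independent: no CRT calls, no string literals,
	// no globals.  Every API it needs is reached through the addresses and
	// strings the injector placed in the DATA block passed as lpParam.
	//
	// Returns 0 on success and 1 when a required address could not be
	// resolved (the exit code is not inspected by the injector).
	//
	// NOTE(review): a /GS stack cookie check or an out-of-line memset for the
	// local buffer would reference the injector's image by absolute address
	// and crash the target; confirm with a disassembly of the release build.
	typedef HMODULE (WINAPI *PFN_LOADLIBRARYA)(LPCSTR);
	typedef FARPROC (WINAPI *PFN_GETPROCADDRESS)(HMODULE, LPCSTR);
	typedef DWORD   (WINAPI *PFN_GETMODULEFILENAMEA)(HMODULE, LPSTR, DWORD);
	typedef int     (WINAPI *PFN_MESSAGEBOXA)(HWND, LPCSTR, LPCSTR, UINT);

	PDATA pData = (PDATA)lpParam;
	if (pData == NULL)
		return 1;

	// Addresses are stored as DWORD in DATA; they were resolved in the
	// injector and are assumed to be valid in this process too.
	PFN_LOADLIBRARYA       pfnLoadLibrary       = (PFN_LOADLIBRARYA)pData->dwLoadLibrary;
	PFN_GETPROCADDRESS     pfnGetProcAddress    = (PFN_GETPROCADDRESS)pData->dwGetProcAddress;
	PFN_GETMODULEFILENAMEA pfnGetModuleFileName = (PFN_GETMODULEFILENAMEA)pData->dwGetModuleFileName;
	if (pfnLoadLibrary == NULL || pfnGetProcAddress == NULL || pfnGetModuleFileName == NULL)
		return 1;

	// user32 may not be loaded in the target yet; calling through a NULL
	// module handle would make GetProcAddress fail and the call below crash.
	HMODULE hUser32 = pfnLoadLibrary(pData->User32Dll);
	if (hUser32 == NULL)
		return 1;
	PFN_MESSAGEBOXA pfnMessageBox = (PFN_MESSAGEBOXA)pfnGetProcAddress(hUser32, pData->MessageBox);
	if (pfnMessageBox == NULL)
		return 1;

	// Show the injected message with the host process' image path as title.
	char szModuleName[MAX_PATH] = {0};
	pfnGetModuleFileName(NULL, szModuleName, MAX_PATH);
	szModuleName[MAX_PATH - 1] = '\0';   // guard against a truncated, unterminated path
	pfnMessageBox(NULL, pData->Str, szModuleName, MB_OK);
	return 0;
}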
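void CNoDllInjectDlg::InjectCode(DWORD dwPid)
{
	// DLL-less code injection into process dwPid:
	//   1. fill a DATA block with kernel32 export addresses and the strings the
	//      remote code needs (it cannot use this module's literals),
	//   2. copy the block and the raw bytes of RemoteThreadProc into the target,
	//   3. run RemoteThreadProc there on a remote thread and wait for it.
	// Failures are reported through the dialog's MessageBox; every handle and
	// every remote allocation is released on every path.
	//
	// NOTE(review): DATA stores the API addresses as DWORD and the thread body
	// is _stdcall, so this is a 32-bit injector / 32-bit target technique; the
	// (DWORD) casts below truncate pointers in a 64-bit build.  It also assumes
	// kernel32.dll is mapped at the same address in the target as here.
	const DWORD dwCodeSize = 0x2000;   // assumed upper bound on RemoteThreadProc's code size
	// Only the rights the calls below need, instead of PROCESS_ALL_ACCESS.
	const DWORD dwAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
	                       PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;

	DebugPrivilege();
	HANDLE hProcess = OpenProcess(dwAccess, FALSE, dwPid);
	if (hProcess == NULL)
	{
		// GetLastError() has to be read before MessageBox, which overwrites it.
		CString strMsg;
		strMsg.Format("OpenProcess Error (%lu)", GetLastError());
		MessageBox(strMsg);
		return;
	}

	DATA Data;
	ZeroMemory(&Data, sizeof(Data));
	HMODULE hKernel32 = GetModuleHandleA("kernel32.dll");
	if (hKernel32 != NULL)
	{
		Data.dwLoadLibrary       = (DWORD)GetProcAddress(hKernel32, "LoadLibraryA");
		Data.dwGetProcAddress    = (DWORD)GetProcAddress(hKernel32, "GetProcAddress");
		Data.dwGetModuleHandle   = (DWORD)GetProcAddress(hKernel32, "GetModuleHandleA");
		Data.dwGetModuleFileName = (DWORD)GetProcAddress(hKernel32, "GetModuleFileNameA");
	}
	// Bounded copies into the fixed-size DATA string fields.
	lstrcpynA(Data.User32Dll,  "user32.dll",      sizeof(Data.User32Dll));
	lstrcpynA(Data.MessageBox, "MessageBoxA",     sizeof(Data.MessageBox));
	lstrcpynA(Data.Str,        "Inject Code !!!", sizeof(Data.Str));

	LPVOID lpRemoteData = NULL;
	LPVOID lpRemoteCode = NULL;
	HANDLE hThread      = NULL;
	BOOL   bThreadDone  = TRUE;   // FALSE while a remote thread may still be running
	LPCSTR pszFailed    = NULL;   // first step that failed, for the error message
	DWORD  dwWritten    = 0;
	DWORD  dwOldProtect = 0;

	do
	{
		if (Data.dwLoadLibrary == 0 || Data.dwGetProcAddress == 0 ||
		    Data.dwGetModuleHandle == 0 || Data.dwGetModuleFileName == 0)
		{
			pszFailed = "GetProcAddress(kernel32)";
			break;
		}

		lpRemoteData = VirtualAllocEx(hProcess, NULL, sizeof(DATA),
		                              MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
		if (lpRemoteData == NULL)
		{
			pszFailed = "VirtualAllocEx(data)";
			break;
		}
		if (!WriteProcessMemory(hProcess, lpRemoteData, &Data, sizeof(DATA), &dwWritten) ||
		    dwWritten != sizeof(DATA))
		{
			pszFailed = "WriteProcessMemory(data)";
			break;
		}

		// Code page: written as RW, then switched to RX so the target never
		// holds a writable+executable mapping.
		lpRemoteCode = VirtualAllocEx(hProcess, NULL, dwCodeSize,
		                              MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
		if (lpRemoteCode == NULL)
		{
			pszFailed = "VirtualAllocEx(code)";
			break;
		}
		// NOTE(review): this copies dwCodeSize bytes starting at RemoteThreadProc
		// on the assumption that the function fits; the source read can fault if
		// the function lies within 0x2000 bytes of the end of the code section.
		if (!WriteProcessMemory(hProcess, lpRemoteCode, (LPCVOID)RemoteThreadProc,
		                        dwCodeSize, &dwWritten) ||
		    dwWritten != dwCodeSize)
		{
			pszFailed = "WriteProcessMemory(code)";
			break;
		}
		if (!VirtualProtectEx(hProcess, lpRemoteCode, dwCodeSize, PAGE_EXECUTE_READ, &dwOldProtect))
		{
			pszFailed = "VirtualProtectEx";
			break;
		}
		FlushInstructionCache(hProcess, lpRemoteCode, dwCodeSize);

		hThread = CreateRemoteThread(hProcess, NULL, 0,
		                             (LPTHREAD_START_ROUTINE)lpRemoteCode,
		                             lpRemoteData, 0, NULL);
		if (hThread == NULL)
		{
			pszFailed = "CreateRemoteThread";
			break;
		}
		// RemoteThreadProc shows a modal MessageBox in the target, so this
		// blocks until the user dismisses it.
		bThreadDone = (WaitForSingleObject(hThread, INFINITE) == WAIT_OBJECT_0);
	} while (0);

	if (pszFailed != NULL)
	{
		DWORD dwErr = GetLastError();   // read before MessageBox overwrites it
		CString strMsg;
		strMsg.Format("%s Error (%lu)", pszFailed, dwErr);
		MessageBox(strMsg);
	}

	if (hThread != NULL)
		CloseHandle(hThread);
	// Release the remote allocations only when no thread can still be using them.
	if (bThreadDone)
	{
		if (lpRemoteCode != NULL)
			VirtualFreeEx(hProcess, lpRemoteCode, 0, MEM_RELEASE);
		if (lpRemoteData != NULL)
			VirtualFreeEx(hProcess, lpRemoteData, 0, MEM_RELEASE);
	}
	CloseHandle(hProcess);
}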
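void CNoDllInjectDlg::OnBtnInject()
{
	// Handler for the Inject button: reads the target PID from the
	// IDC_EDIT_INJECT edit control and hands it to InjectCode.
	//
	// The text must be a non-zero decimal number and nothing else.  Anything
	// else is rejected here instead of letting atoi() silently turn it into
	// PID 0 (or truncate trailing junk).
	CString strPid;
	GetDlgItemText(IDC_EDIT_INJECT, strPid);
	strPid.TrimLeft();
	strPid.TrimRight();

	LPCTSTR pszPid = (LPCTSTR)strPid;   // no GetBuffer/ReleaseBuffer pair needed for read-only access
	char*   pszEnd = NULL;
	unsigned long ulPid = 0;
	// strtoul would accept a leading sign and wrap negatives, so require a digit first.
	if (pszPid[0] >= '0' && pszPid[0] <= '9')
		ulPid = strtoul(pszPid, &pszEnd, 10);
	if (ulPid == 0 || pszEnd == NULL || *pszEnd != '\0')
	{
		MessageBox("Invalid PID");
		return;
	}
	InjectCode((DWORD)ulPid);
}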
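void CNoDllInjectDlg::DebugPrivilege()
{
	// Enables SeDebugPrivilege on the current process token so the later
	// OpenProcess can reach processes the caller's DACL rights alone would not.
	//
	// Best effort: nothing is reported to the caller.  The privilege has to be
	// present in the token already (it is for elevated administrators); when
	// it is not, AdjustTokenPrivileges still returns TRUE but sets the last
	// error to ERROR_NOT_ALL_ASSIGNED, and OpenProcess fails later instead.
	HANDLE hToken = NULL;
	// Request only what adjusting a privilege needs, not TOKEN_ALL_ACCESS.
	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
		return;

	TOKEN_PRIVILEGES tp;
	ZeroMemory(&tp, sizeof(tp));
	// Look up the LUID of SeDebugPrivilege; skip the adjustment if that fails
	// rather than enabling an all-zero LUID.
	if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
	{
		tp.PrivilegeCount = 1;
		tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
		// Return value alone is not enough to know the privilege was enabled;
		// see the ERROR_NOT_ALL_ASSIGNED note above.
		AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
	}
	CloseHandle(hToken);
}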