// CommonInject.cpp : Defines the entry point for the console application. // #include "stdafx.h" #include <windows.h> #include <WinUser.h> #include <WinDef.h> #include <iostream> #include <Tlhelp32.h> using namespace std; #include <Psapi.h> #pragma comment(lib,"Psapi.lib") //通用dll 注入器 HANDLE GetProcessWithName(const std::wstring &proc_name){ HANDLE hd = NULL; HANDLE hpross = NULL; int retls = 0; PROCESSENTRY32 pinfo = {0}; wchar_t szFileName[MAX_PATH] = {0}; hpross = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); if(INVALID_HANDLE_VALUE == hpross) { return hd; } HANDLE hToken; if(OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken)) { LUID luid; if(LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) { TOKEN_PRIVILEGES TokenPrivileges; TokenPrivileges.PrivilegeCount = 1; TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; TokenPrivileges.Privileges[0].Luid = luid; AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, 0, NULL, NULL); } CloseHandle(hToken); } pinfo.dwSize = sizeof(PROCESSENTRY32); retls = Process32First(hpross,&pinfo); while(retls) { swprintf_s(szFileName,_countof(szFileName)-1,L"%s",pinfo.szExeFile); if (0 == _wcsicmp(szFileName,proc_name.c_str())) { hd = OpenProcess(PROCESS_ALL_ACCESS ,TRUE,pinfo.th32ProcessID); } if(!Process32Next(hpross, &pinfo)) { break; } } CloseHandle(hpross); hpross = NULL; return hd; } //提权操作 BOOL EnablePrivilege(LPWSTR name) { HANDLE hToken; BOOL rv; TOKEN_PRIVILEGES priv = {1, {0, 0, SE_PRIVILEGE_ENABLED}}; LookupPrivilegeValue(0, name, &priv.Privileges[0].Luid); OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken); AdjustTokenPrivileges(hToken, FALSE, &priv, sizeof priv, 0, 0); rv = GetLastError() == ERROR_SUCCESS; CloseHandle(hToken); return rv; } int inject(){ if (0 == EnablePrivilege(SE_DEBUG_NAME)) return 0; DWORD dwPID; PWSTR libFileRemote=NULL; HANDLE hThread=NULL; HANDLE handle=NULL; __try{ int processid; cout<<"输入要注入的进程id:"<<endl; cin>>processid; handle=GetProcessWithName(L"FileMD5.exe"); // handle=OpenProcess(PROCESS_ALL_ACCESS,TRUE, processid); if(NULL==handle){ cout<<"进程打开失败"<<endl; return -1; } std::string dllname="E:\\C++Code\\windows\\Dll\\myDll\\Debug\\myDll.dll"; libFileRemote=(PWSTR)VirtualAllocEx(handle,NULL,dllname.size(),MEM_COMMIT,PAGE_READWRITE); if(libFileRemote==NULL){ cout<<"申请远程进程空间失败"<<::GetLastError()<<endl; return -1; } BOOL RET=WriteProcessMemory(handle,libFileRemote,dllname.c_str(),dllname.size(),NULL); if(RET ==FALSE){ cout<<"远程进程数据写入失败"<<endl; } PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE) GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA"); hThread = CreateRemoteThread(handle, NULL, 0, pfnThreadRtn, libFileRemote, 0, NULL); if(hThread==NULL){ cout<<"远程线程创建失败"; } WaitForSingleObject(hThread, INFINITE); cout<<"注入完成"; } __finally{ if (libFileRemote != NULL) VirtualFreeEx(handle, libFileRemote, 0, MEM_RELEASE); if (hThread != NULL) CloseHandle(hThread); if (handle != NULL) CloseHandle(handle); cout<<"完成释放"; } } int _tmain(int argc, _TCHAR* argv[]) { inject(); system("pause"); return 0; }
vs2010 编译通过,unicode编码
通过输入进程id或者,通过修改进程名,来选择目标进程