#include <cstdlib>
#include <iostream>
#include <windows.h>
#include "tlhelp32.h"
using namespace std;

// Function-pointer types for the exports that are resolved by name below.
// NOTE(review): LoadLibraryA's real parameter is LPCSTR; this typedef uses char*,
// which only compiles here because DLLName is a non-const char array.
typedef HINSTANCE (WINAPI *ProcLoadLibrary)(char*);
typedef FARPROC (WINAPI *ProcGetProcAddress)(HMODULE, LPCSTR);
typedef int (WINAPI *ProcMessageBox)(HWND,LPCTSTR,LPCTSTR,UINT);

// Parameter block that InjectFunc copies into the target process and passes to
// ThreadProc as lpParameter. It has to carry everything the remote copy of
// ThreadProc needs, because that copy cannot reach this module's imports or
// string literals.
typedef struct tagHYPINJECT
{
    ProcLoadLibrary fnLoad;        // GetProcAddress(kernel32, "LoadLibraryA") result; the code
                                   // relies on it being meaningful in the target too — nothing
                                   // on this page verifies that
    ProcGetProcAddress fnGetProc;  // GetProcAddress(kernel32, "GetProcAddress") result
    char MsgStr [MAX_PATH];        // message-box text (also used as the caption)
    char DLLName [MAX_PATH];       // DLL the remote code loads ("user32.dll")
    char ProcName [MAX_PATH];      // export it resolves from that DLL ("MessageBoxA")
} HYPINJECT;

// Routine that is copied byte-for-byte into the target and started there.
// Every call it makes goes through a pointer stored in the HYPINJECT block;
// it deliberately references nothing from this module directly.
static DWORD WINAPI ThreadProc (LPVOID lpParameter)
{
    HYPINJECT* p = (HYPINJECT*)lpParameter;                                   // view the remote parameter block
    HMODULE hDLL = p->fnLoad (p->DLLName);                                    // LoadLibraryA(DLLName) via the stored pointer
    ProcMessageBox MsgBox = (ProcMessageBox)p->fnGetProc(hDLL,p->ProcName);   // resolve MessageBoxA from that module
    MsgBox(NULL,p->MsgStr,p->MsgStr,MB_OK);                                   // text and caption are the same string
    return 0;
}

// Empty marker: (BYTE*)AfterThreadProc - (BYTE*)ThreadProc is taken as the byte
// length of ThreadProc's code, which is why both are static and defined together.
// NOTE(review): this assumes the compiler and linker emit the two functions
// adjacently and in source order — nothing guarantees that.
static void AfterThreadProc (void)
{
}

HYPINJECT hypInject;   // the struct that is written to pData

// Copies ThreadProc and hypInject into process PID and runs ThreadProc there via
// CreateRemoteThread. Returns FALSE only when OpenProcess fails; the results of
// VirtualAllocEx, WriteProcessMemory and CreateRemoteThread are not checked.
// NOTE(review): OpenProcess(VM_WRITE|CREATE_THREAD) -> VirtualAllocEx(RWX) ->
// WriteProcessMemory -> CreateRemoteThread is the textbook remote-thread injection
// sequence; it is exactly what Sysmon Event ID 8 (CreateRemoteThread) and
// EDR cross-process-write telemetry are built to flag.
BOOL InjectFunc(DWORD PID)
{
    HMODULE hk = LoadLibrary ("kernel32.dll");
    // Resolve the two kernel32 exports in *this* process and stash them in the block.
    hypInject.fnLoad = (ProcLoadLibrary)GetProcAddress (hk, "LoadLibraryA");
    hypInject.fnGetProc = (ProcGetProcAddress)GetProcAddress (hk, "GetProcAddress");
    // All strings the remote code needs live in the block (pData), not in literals,
    // because the remote copy of ThreadProc cannot address this module's data.
    strcpy(hypInject.MsgStr, " hyp's Knowledge Base");
    strcpy (hypInject.DLLName, "user32.dll");
    strcpy (hypInject.ProcName, "MessageBoxA");
    PVOID pCode = NULL;
    PVOID pData = NULL;
    BOOL bc = FALSE;   // NOTE(review): assigned twice below, never read
    // Length of ThreadProc's code, assuming AfterThreadProc follows it immediately.
    DWORD cbCodeSize = (BYTE*)AfterThreadProc - (BYTE*)ThreadProc;
    HANDLE hProc = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, PID);
    if (hProc == NULL)
    {
        return FALSE;
    }
    // Remote RWX region for the code. NOTE(review): a NULL result is passed straight on
    // to WriteProcessMemory and CreateRemoteThread without being checked.
    pCode=VirtualAllocEx(hProc,NULL,cbCodeSize,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
    // NOTE(review): the (DWORD) cast narrows the function pointer; this is only
    // meaningful in a 32-bit build.
    bc = WriteProcessMemory(hProc,pCode,(LPVOID)(DWORD) ThreadProc,cbCodeSize,NULL);
    // The data block is also mapped RWX even though it is never executed.
    pData = VirtualAllocEx (hProc,NULL, sizeof (hypInject), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    bc = WriteProcessMemory (hProc, pData, &hypInject, sizeof (hypInject), NULL);
    // Start the remote copy of ThreadProc with pData as its lpParameter.
    HANDLE ht=CreateRemoteThread(hProc,NULL,NULL,(LPTHREAD_START_ROUTINE)pCode,pData,0,NULL);
    // NOTE(review): ht is neither waited on nor closed, and the two remote allocations
    // are never released; only the process handle is closed.
    CloseHandle(hProc);
    return TRUE;
}

// Walks the process list, injects into the first process whose image name is
// NOTEPAD.EXE (case-insensitive), then waits for a keypress before exiting.
int main()
{
    HANDLE hSnapshot = NULL;
    hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(PROCESSENTRY32);   // must be set before Process32First
    Process32First(hSnapshot,&pe);        // NOTE(review): result unchecked; pe is read even if this fails
    do
    {
        if(stricmp(pe.szExeFile,"NOTEPAD.EXE")==0)
        {
            InjectFunc(pe.th32ProcessID);   // return value ignored
            break;
        }
    }
    while(Process32Next(hSnapshot,&pe)==TRUE);
    CloseHandle (hSnapshot);
    system("pause");
    return 0;
}
最后
以上就是调皮银耳汤最近收集整理的关于CreateRemoteThread注入NOTEPAD的全部内容,更多相关CreateRemoteThread注入NOTEPAD内容请搜索靠谱客的其他文章。
本图文内容来源于网友提供,作为学习参考使用,或来自网络收集整理,版权属于原作者所有。