概述
#include <cstdlib>
#include <iostream>
#include <windows.h>
#include "tlhelp32.h"
using namespace std;
// Function-pointer types for the routines that the copied ThreadProc calls
// indirectly. ProcLoadLibrary is declared with a char* parameter although the
// export it is bound to in InjectFunc is LoadLibraryA (LPCSTR); the C-style
// cast there is what makes the mismatch compile.
typedef HINSTANCE (WINAPI *ProcLoadLibrary)(char*);
typedef FARPROC (WINAPI *ProcGetProcAddress)(HMODULE, LPCSTR);
// LPCTSTR follows the UNICODE setting of the build, yet the pointer is bound to
// "MessageBoxA" and handed char buffers, so this only fits an ANSI build.
typedef int (WINAPI *ProcMessageBox)(HWND,LPCTSTR,LPCTSTR,UINT);
//
// Parameter block that InjectFunc writes into the target process as raw bytes
// (sizeof(hypInject) of them). The remote ThreadProc can use nothing but what
// is in here: two pre-resolved function pointers and three fixed-size ANSI
// strings. It is a plain C struct so the byte layout seen by the copied code is
// exactly the layout written by the injector.
typedef struct tagHYPINJECT {
    ProcLoadLibrary fnLoad;       // LoadLibraryA, resolved in InjectFunc
    ProcGetProcAddress fnGetProc; // GetProcAddress, resolved in InjectFunc
    char MsgStr [MAX_PATH];       // text used as both body and caption of the remote MessageBox
    char DLLName [MAX_PATH];      // module the remote thread loads ("user32.dll")
    char ProcName [MAX_PATH];     // export it resolves from that module ("MessageBoxA")
} HYPINJECT;
//
// Body that executes inside the target process. InjectFunc copies the bytes
// starting at this address into the target, so the function references
// nothing that lives at an address in this process: no string literals, no
// direct API calls, no globals. All of its inputs arrive through the HYPINJECT
// block pointed to by lpParameter.
// Returns 0 as the remote thread's exit code. Neither hDLL nor the resolved
// MessageBox pointer is checked for NULL, so a failed load or lookup faults in
// the host process instead of failing cleanly.
static DWORD WINAPI ThreadProc (LPVOID lpParameter)
{
    HYPINJECT* p = (HYPINJECT*)lpParameter; // lpParameter is the remote copy of hypInject
    HMODULE hDLL = p->fnLoad (p->DLLName); // fnLoad is LoadLibraryA; hDLL feeds the GetProcAddress call below
    ProcMessageBox MsgBox = (ProcMessageBox)p->fnGetProc(hDLL,p->ProcName); // fnGetProc is GetProcAddress; resolves the export named in the block
    MsgBox(NULL,p->MsgStr,p->MsgStr,MB_OK); // MsgStr is reused as the caption; the result is ignored
    return 0;
}
static void AfterThreadProc (void) { } //用来计算要写入代码的大小,所以两者都定义成static
HYPINJECT hypInject; //pData写入的结构体
// Copies ThreadProc and hypInject into process PID and starts a remote thread
// on the copy.
// PID: target process id (main takes it from a Toolhelp snapshot).
// Returns FALSE only when OpenProcess fails. Every later result is discarded:
// bc is assigned twice and never read, both VirtualAllocEx calls may return
// NULL, and CreateRemoteThread may return NULL. TRUE therefore only means the
// process could be opened, not that anything ran.
// From the defender's side this sequence is the canonical process-injection
// telemetry: OpenProcess with PROCESS_VM_WRITE | PROCESS_CREATE_THREAD, a new
// RWX region committed in another process, WriteProcessMemory into it, then
// CreateRemoteThread whose start address is outside any loaded module.
BOOL InjectFunc(DWORD PID)
{
    // Resolve the two bootstrap routines in this process. The code assumes the
    // same addresses are valid inside the target (TODO confirm for the target
    // platform). hk is never checked for NULL and never released.
    HMODULE hk = LoadLibrary ("kernel32.dll");
    hypInject.fnLoad = (ProcLoadLibrary)GetProcAddress (hk, "LoadLibraryA");
    hypInject.fnGetProc = (ProcGetProcAddress)GetProcAddress (hk, "GetProcAddress");
    // Fixed literals, each far shorter than MAX_PATH, so these strcpy calls are bounded.
    strcpy(hypInject.MsgStr, " hyp's Knowledge Base");
    strcpy (hypInject.DLLName, "user32.dll");
    strcpy (hypInject.ProcName, "MessageBoxA"); // pData receives this whole struct; the copied ThreadProc reads it to know what to load and call
    PVOID pCode = NULL;
    PVOID pData = NULL;
    BOOL bc = FALSE; // write result; set below but never examined
    // Code length taken as the distance to the next static function (see
    // AfterThreadProc); nothing guarantees this matches the real size.
    DWORD cbCodeSize = (BYTE*)AfterThreadProc - (BYTE*)ThreadProc;
    HANDLE hProc = OpenProcess(
        PROCESS_QUERY_INFORMATION |
        PROCESS_CREATE_THREAD |
        PROCESS_VM_OPERATION |
        PROCESS_VM_WRITE,
        FALSE, PID);
    if (hProc == NULL)
    {
        return FALSE; // the target could not be opened with the requested rights
    }
    // Code region committed RWX; pCode is not checked for NULL before use.
    pCode=VirtualAllocEx(hProc,NULL,cbCodeSize,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
    // (DWORD) truncates the function address to 32 bits: correct only in a 32-bit build.
    bc = WriteProcessMemory(hProc,pCode,(LPVOID)(DWORD) ThreadProc,cbCodeSize,NULL);
    // The data block is also committed with execute permission although it only holds the struct.
    pData = VirtualAllocEx (hProc,NULL, sizeof (hypInject), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    bc = WriteProcessMemory (hProc, pData, &hypInject, sizeof (hypInject), NULL);
    // Entry point is the copied ThreadProc, argument is the copied struct.
    // The thread handle ht is never closed (handle leak) and never checked.
    HANDLE ht=CreateRemoteThread(hProc,NULL,NULL,(LPTHREAD_START_ROUTINE)pCode,pData,0,NULL);
    CloseHandle(hProc);
    return TRUE;
}
// Walks a Toolhelp process snapshot, stops at the first entry whose image name
// is NOTEPAD.EXE (case-insensitive) and hands its id to InjectFunc. The results
// of CreateToolhelp32Snapshot and Process32First are not examined, and only
// dwSize of the entry is initialized, so a failed snapshot or first call
// compares an uninitialized szExeFile. Pauses before exit so the console stays open.
int main()
{
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(entry);
    Process32First(snapshot, &entry);
    for (;;)
    {
        const bool isTarget = stricmp(entry.szExeFile, "NOTEPAD.EXE") == 0;
        if (isTarget)
        {
            InjectFunc(entry.th32ProcessID);
            break;
        }
        if (Process32Next(snapshot, &entry) != TRUE)
        {
            break;
        }
    }
    CloseHandle(snapshot);
    system("pause");
    return 0;
}