CreateRemoteThread简单应用之二

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
#include <stdio.h>
#include <time.h> 
#include <windows.h>

int foo (void)
{
    printf("foon");

    // MessageBox(NULL, "foo", "Notice",  MB_OK);
#if 0
    HINSTANCE hUser32 = LoadLibrary("User32.dll");  
    typedef int (*DllFun)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption, UINT uType);  
    DllFun dwMessageBox = (DllFun)GetProcAddress(hUser32, "MessageBoxA");  
#endif
    // printf("dwMessageBox GetProcAddress:%0pn", dwMessageBox);
    // dwMessageBox(NULL, "foo", "Notice",  MB_OK);

    HINSTANCE hdll = LoadLibrary("C:\Downloads\hookexe\hookdll\Debug\hookdll.dll");  
    // fnHookfoo对应的函数类型 HOOKDLL_API int fnHookdll(void)
    typedef int (*DllFun)(void);
    DllFun foo = (DllFun)GetProcAddress(hdll, "fnHookdll");
    ///printf("%pn", foo);
    foo();

    return 0;
}

int main(int argc, char* argv[])
{
    while (1)
    {
        Sleep(1000); 
        foo ();
    }
    
	return 0;
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
// hookexe2.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"

#pragma once  
#include <windows.h>  
#include <TlHelp32.h> 
#include <stdio.h>

 
//线程参数结构体定义  
typedef struct _RemoteParam {  
    char szMsg[12];    //MessageBox函数中显示的字符提示  
    DWORD dwMessageBox;//MessageBox函数的入口地址  
} RemoteParam, * PRemoteParam;  
//定义MessageBox类型的函数指针  
typedef int (__stdcall * PFN_MESSAGEBOX)(HWND, LPCTSTR, LPCTSTR, DWORD);  
  
//线程函数定义  
DWORD __stdcall threadProc(LPVOID lParam)  
{  
    //只要使用api必须拦截 !!!!!!!!  
    RemoteParam* pRP = (RemoteParam*)lParam;  

    typedef int (*DllFun)(void);   // 函数指针，注意要和原函数的原型一制
    DllFun MyFun = (DllFun)pRP->dwMessageBox;  

    //就是这句有错！！！！！！！！！  
    // printf("threadProc GetProcAddress:%0pn", MyFun);
    // printf("szMsg:%sn", pRP->szMsg);
    (DllFun)MyFun();  
    return 0;  
}  
//提升进程访问权限  
bool enableDebugPriv()  
{  
    HANDLE hToken;  
    LUID sedebugnameValue;  
    TOKEN_PRIVILEGES tkp;  
    
    if (!OpenProcessToken(GetCurrentProcess(),   
        TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {  
        return false;  
    }  
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue)) {  
        CloseHandle(hToken);  
        return false;  
    }  
    tkp.PrivilegeCount = 1;  
    tkp.Privileges[0].Luid = sedebugnameValue;  
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;  
    if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)) {  
        CloseHandle(hToken);  
        return false;  
    }  
    return true;  
}  
  
//根据进程名称得到进程ID,如果有多个运行实例的话，返回第一个枚举到的进程的ID  
DWORD processNameToId(LPCTSTR lpszProcessName)  
{  
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);  
    PROCESSENTRY32 pe;  
    pe.dwSize = sizeof(PROCESSENTRY32);  
    if (!Process32First(hSnapshot, &pe)) {  
        MessageBox(NULL,   
            "The frist entry of the process list has not been copyied to the buffer",   
           "Notice", MB_ICONINFORMATION | MB_OK);  
        return 0;  
    }  
    while (Process32Next(hSnapshot, &pe)) {  
        if (!strcmp(lpszProcessName, pe.szExeFile)) {  
            return pe.th32ProcessID;  
        }  
    }  
   
    return 0;  
}  

int main(int argc, char* argv[])  
{  
    //定义线程体的大小  
    const DWORD dwThreadSize = 4096;  
    DWORD dwWriteBytes;  
    //提升进程访问权限  
    enableDebugPriv();  
    //等待输入进程名称，注意大小写匹配  
    char szExeName[MAX_PATH] = { 0 };  
    //cout<< "Please input the name of target process !" <<endl;  
    //      
    //    cin >> szExeName;  
    // cout<<szExeName<<endl;  
    //strcpy(szExeName,"notepad.exe");  
    scanf("%s",szExeName);  
    //cout<<szExeName<<endl; 
    
    DWORD dwProcessId = processNameToId(szExeName);  
    if (dwProcessId == 0) {  
        MessageBox(NULL, "The target process have not been found !",  
            "Notice", MB_ICONINFORMATION | MB_OK);  
        return -1;  
    }  
    //根据进程ID得到进程句柄  
    HANDLE hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);  
    
    if (!hTargetProcess) {  
        MessageBox(NULL, "Open target process failed !",   
            "Notice", MB_ICONINFORMATION | MB_OK);  
        return 0;  
    }  
    
    //在宿主进程中为线程体开辟一块存储区域  
    //在这里需要注意MEM_COMMIT | MEM_RESERVE内存非配类型以及PAGE_EXECUTE_READWRITE内存保护类型  
    //其具体含义请参考MSDN中关于VirtualAllocEx函数的说明。  
    void* pRemoteThread = VirtualAllocEx(hTargetProcess, 0,   
        dwThreadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);  
    if (!pRemoteThread) {  
        MessageBox(NULL, "Alloc memory in target process failed !",   
            "notice", MB_ICONINFORMATION | MB_OK);  
        return 0;  
    }  
    
    //将线程体拷贝到宿主进程中  
    if (!WriteProcessMemory(hTargetProcess,   
        pRemoteThread, &threadProc, dwThreadSize, 0)) {  
        MessageBox(NULL, "Write data to target process failed !",   
            "Notice", MB_ICONINFORMATION | MB_OK);  
        return 0;  
    }  
    //定义线程参数结构体变量  
    RemoteParam remoteData;  
    ZeroMemory(&remoteData, sizeof(RemoteParam));  
    
    //填充结构体变量中的成员  
    HINSTANCE hdll = LoadLibrary("C:\Downloads\hookexe\hookdll\Debug\hookdll.dll");  
    // fnHookfoo对应的函数类型 HOOKDLL_API int fnHookdll(void)
    remoteData.dwMessageBox = (DWORD)GetProcAddress(hdll, "fnHookdll");  
    strcat(remoteData.szMsg, "Hellon");  
    printf("remoteData.dwMessageBox %pn", remoteData.dwMessageBox);
    //为线程参数在宿主进程中开辟存储区域  
    RemoteParam* pRemoteParam = (RemoteParam*)VirtualAllocEx(  
        hTargetProcess , 0, sizeof(RemoteParam), MEM_COMMIT, PAGE_READWRITE);  
    
    if (!pRemoteParam) {  
        MessageBox(NULL, "Alloc memory failed !",   
            "Notice", MB_ICONINFORMATION | MB_OK);  
        return 0;  
    }  
    //将线程参数拷贝到宿主进程地址空间中  
    if (!WriteProcessMemory(hTargetProcess ,  
        pRemoteParam, &remoteData, sizeof(remoteData), 0)) {  
        MessageBox(NULL, "Write data to target process failed !",   
            "Notice", MB_ICONINFORMATION | MB_OK);  
        return 0;  
    }  
    
    
    //在宿主进程中创建线程  
    HANDLE hRemoteThread = CreateRemoteThread(  
        hTargetProcess, NULL, 0, (DWORD (__stdcall *)(void *))pRemoteThread,   
        pRemoteParam, 0, &dwWriteBytes);  
    if (!hRemoteThread) {  
        MessageBox(NULL, "Create remote thread failed !", "Notice",  MB_ICONINFORMATION | MB_OK);  
        return 0;  
    }  
    CloseHandle(hRemoteThread);  
    FreeLibrary(hdll);  
    return 0;  
} 

1
2
3
4
5
6
7
8
// This is an example of an exported function.
HOOKDLL_API int fnHookdll(void)
{
    char msg[] = "fnHookdll"; // 常量字符串不可复制到其它进程，因此使用局部变量数组
    puts (msg);
	return 42;
}

1
2