#include "stdafx.h"
#include "windows.h"
#include "stdio.h"
#include <string.h>
#include <Tlhelp32.h>
5 /*熊健
6 2009.12.23 武汉
7 perfectxiong@gmail.com
8 /////////////////////////////////////////////*/
// ========== Payload handed to the remote thread; here, what a MessageBox call needs ==========
/*
 * This struct is copied verbatim into the target process (WriteProcessMemory)
 * and read there by RMTFunc, so its layout is the contract between the two
 * and it must not hold pointers into the injector's address space.
 * The address field is a DWORD, i.e. this is an x86 (32-bit) layout; on x64
 * a function address would be truncated.
 */
enum { MYDATA_TEXT_SIZE = 64 };

typedef struct MyData
{
    char  sz[MYDATA_TEXT_SIZE];  // NUL-terminated text shown by the dialog
    DWORD dwMessageBox;          // address of MessageBoxA, resolved in the injector, called by RMTFunc
} MyData;
15
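// ========== Body of the remote thread ==============================
/*
 * Runs inside the target process: inject() copies this function's raw bytes
 * over and starts a thread at the copy, passing the remote copy of a MyData.
 *
 * Because only the bytes are copied, the function must be position
 * independent: no calls to other functions, no string literals, no globals
 * (each would be an absolute address into the injector's image and crash the
 * target).  The one call it makes goes through the address carried in pData.
 * Build as Release with /INCREMENTAL:NO and without /RTC; with incremental
 * linking &RMTFunc is a jump thunk rather than the code itself, and runtime
 * checks insert calls.  No local buffers here, so presumably no /GS cookie
 * call is emitted either -- verify in the disassembly if the build changes.
 *
 * pData   remote copy of the MyData prepared by inject(); its sz text is shown.
 * returns 0 (the thread's exit code).
 */
DWORD __stdcall RMTFunc(MyData *pData)
{
    // Prototype of MessageBoxA, which is what inject() resolves: use LPCSTR,
    // not LPCTSTR, so sz (char[]) matches regardless of the UNICODE setting.
    typedef int (__stdcall *MMessageBox)(HWND, LPCSTR, LPCSTR, UINT);
    MMessageBox MsgBox = (MMessageBox)pData->dwMessageBox;
    MsgBox(NULL, pData->sz, NULL, MB_OK);
    return 0;
}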
24
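enum {
    REMOTE_CODE_SIZE = 1024 * 4,  // upper bound / fallback for the amount of RMTFunc code copied
    INJECT_WAIT_MS   = 30 * 1000  // how long to wait for the remote thread before giving up on cleanup
};

/*
 * Marker placed directly after RMTFunc so that its address bounds RMTFunc's
 * code.  The compiler/linker may still reorder or fold functions (/Gy with
 * /OPT:ICF), so remote_code_size() sanity-checks the distance.
 */
static void RMTFuncEnd(void) {}

/* Number of bytes of RMTFunc to copy into the target. */
static SIZE_T remote_code_size(void)
{
    const BYTE *begin = (const BYTE *)RMTFunc;
    const BYTE *end   = (const BYTE *)RMTFuncEnd;
    if (end > begin && (SIZE_T)(end - begin) <= REMOTE_CODE_SIZE)
        return (SIZE_T)(end - begin);
    // Marker not adjacent: fall back to the original blind copy.  Note this
    // reads REMOTE_CODE_SIZE bytes past RMTFunc in our own image and may fault
    // if that runs off the end of the code section.
    return REMOTE_CODE_SIZE;
}

/*
 * Copy RMTFunc and a MyData into process dwProcessId and run RMTFunc there on
 * a new thread.
 *
 * Assumptions (x86 only): injector and target are both 32-bit, and user32.dll
 * is mapped at the same base in both, since MessageBoxA's address is resolved
 * here and used there.
 *
 * dwProcessId  target process id.
 * returns 1 if the remote thread was created, 0 on any failure.  Every failure
 * path releases what was acquired; on success the remote pages are freed only
 * once the thread has finished.
 */
int inject(DWORD dwProcessId)
{
    int ok = 0;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    void *pRemoteCode = NULL;
    MyData *pRemoteData = NULL;
    HINSTANCE hUser = NULL;
    DWORD oldProtect = 0;
    SIZE_T cbCode = 0;
    MyData data;

    // Least privilege: exactly the rights VirtualAllocEx/WriteProcessMemory/
    // VirtualProtectEx/CreateRemoteThread document, instead of PROCESS_ALL_ACCESS.
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
                           FALSE, dwProcessId);
    if (!hProcess)
    {
        printf("OpenProcess(%lu) failed: %lu\n", dwProcessId, GetLastError());
        return 0;
    }

    // ========= Payload ================================================
    ZeroMemory(&data, sizeof data);
    strncpy(data.sz, "sylar", sizeof data.sz - 1);  // buffer is zeroed, so always NUL-terminated

    // Resolve MessageBoxA explicitly (LoadLibraryA, not the TCHAR macro) since
    // RMTFunc calls it with an ANSI string.  A DWORD address is 32-bit only.
    hUser = LoadLibraryA("user32.dll");
    if (!hUser)
    {
        printf("Can not load library.\n");
        goto cleanup;
    }
    data.dwMessageBox = (DWORD)GetProcAddress(hUser, "MessageBoxA");
    FreeLibrary(hUser);
    if (!data.dwMessageBox)
        goto cleanup;

    // ======= Code: allocate writable, copy, then make it executable (W^X) ======
    cbCode = remote_code_size();
    pRemoteCode = VirtualAllocEx(hProcess, NULL, cbCode,
                                 MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!pRemoteCode)
        goto cleanup;
    if (!WriteProcessMemory(hProcess, pRemoteCode, (LPCVOID)RMTFunc, cbCode, NULL))
        goto cleanup;
    if (!VirtualProtectEx(hProcess, pRemoteCode, cbCode, PAGE_EXECUTE_READ, &oldProtect))
        goto cleanup;
    FlushInstructionCache(hProcess, pRemoteCode, cbCode);

    // ======= Data ======================================================
    pRemoteData = (MyData *)VirtualAllocEx(hProcess, NULL, sizeof data,
                                           MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!pRemoteData)
        goto cleanup;
    if (!WriteProcessMemory(hProcess, pRemoteData, &data, sizeof data, NULL))
        goto cleanup;

    // =========== Remote thread =========================================
    hThread = CreateRemoteThread(hProcess, NULL, 0,
                                 (LPTHREAD_START_ROUTINE)pRemoteCode,
                                 pRemoteData, 0, NULL);
    if (!hThread)
    {
        printf("远程线程创建失败");
        goto cleanup;
    }
    ok = 1;

    // The thread executes from pRemoteCode and reads pRemoteData; freeing them
    // while it runs (as the original did right after CreateRemoteThread) crashes
    // the target.  MessageBox returns when the dialog is dismissed, so wait for
    // that; if it does not happen in time, leave the pages mapped rather than
    // pull them out from under the thread.
    if (WaitForSingleObject(hThread, INJECT_WAIT_MS) != WAIT_OBJECT_0)
    {
        printf("remote thread still running after %d ms; leaving its memory mapped\n",
               INJECT_WAIT_MS);
        pRemoteCode = NULL;
        pRemoteData = NULL;
    }
    printf("Hello World!\n");

cleanup:
    if (hThread)
        CloseHandle(hThread);
    // MEM_RELEASE requires dwSize == 0; passing a size makes VirtualFreeEx fail
    // with ERROR_INVALID_PARAMETER and leaks the remote pages.
    if (pRemoteCode)
        VirtualFreeEx(hProcess, pRemoteCode, 0, MEM_RELEASE);
    if (pRemoteData)
        VirtualFreeEx(hProcess, pRemoteData, 0, MEM_RELEASE);
    CloseHandle(hProcess);
    return ok;
}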
84
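/*
 * Enumerate processes and inject into them.
 *
 * argv[1] (optional)  image name such as "notepad.exe"; only the first
 *                     process with that name (case-insensitive) is targeted.
 * With no argument every process in the snapshot is a target, which is the
 * original behaviour but indiscriminate: system and non-interactive processes
 * get a MessageBox thread as well.  The injector itself is always skipped.
 * returns 0, or 1 if the process snapshot could not be taken or read.
 */
int main(int argc, char *argv[])
{
    // ===== Pick the processes to create the remote thread in =====
    const char *target = (argc > 1) ? argv[1] : NULL;
    DWORD self = GetCurrentProcessId();
    PROCESSENTRY32 pe;
    HANDLE hSnapshot;

    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)  // the documented failure value, not NULL
    {
        printf("CreateToolhelp32Snapshot failed: %lu\n", GetLastError());
        return 1;
    }

    ZeroMemory(&pe, sizeof pe);
    pe.dwSize = sizeof pe;  // Process32First requires dwSize to be set
    if (!Process32First(hSnapshot, &pe))
    {
        printf("Process32First failed: %lu\n", GetLastError());
        CloseHandle(hSnapshot);
        return 1;
    }

    do
    {
        if (pe.th32ProcessID == self)
            continue;  // never inject into ourselves
        // szExeFile is ANSI here: the file uses the non-UNICODE API variants throughout.
        if (target != NULL && lstrcmpiA(pe.szExeFile, target) != 0)
            continue;
        inject(pe.th32ProcessID);
        if (target != NULL)
            break;
    }
    while (Process32Next(hSnapshot, &pe));
    CloseHandle(hSnapshot);

    // Alternative for a single known window: FindWindow followed by
    // GetWindowThreadProcessId yields the owning pid to pass to inject().
    return 0;
}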
112
113