  • EnhanceFunc__增强函数集

    想将经常用到的功能函数写在一起,花时间精心维护,以后用起来就舒服很多了

    目前就写了进程调试权限,远程线程注入,远程线程释放这三个函数.还有很多功能,以后慢慢加

// last code by gwsbhqt@163.com at 20150708

#pragma once

#ifndef ENHANCEFUNC_H
#define ENHANCEFUNC_H

#include <cstdio>
#include <windows.h>

// NOTE(review): a using-directive in a header is pulled into every
// translation unit that includes it; nothing declared below uses std::.
using namespace std;

// Enables SeDebugPrivilege on the current process token.
// Returns FALSE when the token cannot be opened, the privilege LUID cannot
// be looked up, or the adjustment call fails; TRUE otherwise.
BOOL EnableDebugPrivileges();

// Writes the NUL-terminated path lpLibFilePath into hProcess and starts a
// remote thread on LoadLibraryA with that buffer as its argument.
// Returns the remote thread handle (the caller is responsible for closing
// it) or ERROR (0) on failure. lpRemoteThreadId, when not NULL, receives
// the id of the created thread.
HANDLE RemoteThreadInjection(HANDLE hProcess, LPCSTR lpLibFilePath, LPDWORD lpRemoteThreadId = NULL);
// Unloads the module named lpLibFilePath from hProcess using two remote
// threads (GetModuleHandleA, then FreeLibrary on the handle it returned),
// waiting up to dwMilliseconds for each. Returns the remote FreeLibrary
// result, or FALSE if any step fails or times out.
BOOL RemoteThreadFreeing(HANDLE hProcess, LPCSTR lpLibFilePath, DWORD dwMilliseconds = INFINITE);

#endif    //    def    ENHANCEFUNC_H
    EnhanceFunc.h
      1 // last code by gwsbhqt@163.com at 20150708
      2 
      3 #include "EnhanceFunc.h"
      4 
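// Enables SeDebugPrivilege on the current process token.
//
// Returns TRUE only when the privilege is actually enabled afterwards.
// Two things differ from a naive implementation:
//   * the token is opened with TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, the
//     rights AdjustTokenPrivileges needs, instead of TOKEN_ALL_ACCESS;
//   * AdjustTokenPrivileges returns TRUE even when the token does not hold
//     the privilege at all (e.g. a non-elevated caller) and reports that
//     case only through GetLastError() == ERROR_NOT_ALL_ASSIGNED, so that
//     code is checked explicitly instead of being reported as success.
// The token handle is released on every path.
BOOL EnableDebugPrivileges()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return FALSE;

    BOOL bEnabled = FALSE;

    LUID luid = {};
    if (LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &luid))
    {
        TOKEN_PRIVILEGES tp = {};
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        // TRUE here only means the request was well-formed; a token that
        // lacks the privilege yields TRUE plus ERROR_NOT_ALL_ASSIGNED.
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL)
            && GetLastError() != ERROR_NOT_ALL_ASSIGNED)
        {
            bEnabled = TRUE;
        }
    }

    CloseHandle(hToken);    // single exit: the token is always released
    return bEnabled;
}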
     31 
// Loads lpLibFilePath into hProcess: the path string is copied into a
// buffer allocated inside the target, then a remote thread is started
// whose start routine is LoadLibraryA and whose argument is that buffer.
//
// hProcess must already carry the access rights the cross-process calls
// (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread) require; this
// function does not check them, it just reports the first failing call.
// Returns the remote thread handle (the caller owns it and is expected to
// CloseHandle it) or ERROR (0) on failure. lpRemoteThreadId, when not
// NULL, receives the id of the created thread.
//
// For monitoring purposes: this is the textbook
// VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread(LoadLibraryA)
// sequence, and those three cross-process calls are exactly what endpoint
// telemetry records for this technique.
HANDLE RemoteThreadInjection(HANDLE hProcess, LPCSTR lpLibFilePath, LPDWORD lpRemoteThreadId)
{
    int len = strlen(lpLibFilePath) + 1;    // bytes incl. the terminating NUL (size_t narrowed to int)

    // Buffer in the target that will hold the path string.
    LPVOID lpVir = VirtualAllocEx(hProcess, NULL, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (NULL == lpVir)
        return ERROR;    // ERROR expands to 0, i.e. a NULL HANDLE

    if (!WriteProcessMemory(hProcess, lpVir, lpLibFilePath, len, NULL))
    {
        // NOTE(review): VirtualFreeEx with MEM_RELEASE requires dwSize == 0;
        // passing len makes the call fail, so these cleanup calls (here and
        // below) leave the buffer allocated in the target.
        VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);
        return ERROR;
    }

    // The start routine address is resolved in *this* process; the code
    // relies on it being valid inside hProcess as well (presumably
    // same-bitness targets only — not verified here).
    HMODULE hModule = GetModuleHandleA("Kernel32.dll");
    if (NULL == hModule)
    {
        hModule = LoadLibraryA("Kernel32.dll");
        if (NULL == hModule)
        {
            VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);
            return ERROR;
        }
    }

    FARPROC fpProc = GetProcAddress(hModule, "LoadLibraryA");
    if (NULL == fpProc)
    {
        // NOTE(review): FreeLibrary is paired with a handle that usually
        // came from GetModuleHandleA, which takes no reference; the
        // decrement is only balanced on the LoadLibraryA fallback path.
        FreeLibrary(hModule);
        VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);
        return ERROR;
    }

    // Remote thread runs LoadLibraryA(lpVir) in the context of hProcess.
    DWORD dwRemoteThreadId;
    HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)fpProc, lpVir, NULL, &dwRemoteThreadId);
    if (NULL == hRemoteThread)
    {
        FreeLibrary(hModule);
        VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);
        return ERROR;
    }

    if (NULL != lpRemoteThreadId)
        *lpRemoteThreadId = dwRemoteThreadId;

    // No wait on hRemoteThread precedes this release, so the buffer is
    // handed back while the remote thread may not have read it yet.
    FreeLibrary(hModule);
    VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);
    return hRemoteThread;    // not closed here; ownership passes to the caller
}
     81 
// Unloads the module named lpLibFilePath from hProcess in two stages:
//   1. a remote thread runs GetModuleHandleA(path); its exit code is
//      taken as the module handle inside the target;
//   2. a second remote thread runs FreeLibrary(that handle).
// Each remote thread is waited on for up to dwMilliseconds; a timeout or
// any failed call returns FALSE. The final result is the remote
// FreeLibrary's return value as reported by GetExitCodeThread.
//
// Same access-right requirements on hProcess as RemoteThreadInjection.
// NOTE(review): thread exit codes are DWORDs, so a module handle wider
// than 32 bits (64-bit targets) is truncated in stage 1; this presumably
// assumes a 32-bit target — confirm before relying on it.
BOOL RemoteThreadFreeing(HANDLE hProcess, LPCSTR lpLibFilePath, DWORD dwMilliseconds)
{
    int len = strlen(lpLibFilePath) + 1;    // bytes incl. the terminating NUL

    // Buffer in the target that holds the path string for GetModuleHandleA.
    LPVOID lpVir = VirtualAllocEx(hProcess, NULL, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (NULL == lpVir)
        return FALSE;

    if (!WriteProcessMemory(hProcess, lpVir, lpLibFilePath, len, NULL))
    {
        // NOTE(review): MEM_RELEASE requires dwSize == 0; with len the call
        // fails and the buffer stays allocated (applies to every
        // VirtualFreeEx in this function).
        VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);
        return FALSE;
    }

    // Kernel32 export addresses are resolved locally and reused in the
    // target (presumably valid for same-bitness targets only).
    HMODULE hModule = GetModuleHandleA("Kernel32.dll");
    if (NULL == hModule)
    {
        hModule = LoadLibraryA("Kernel32.dll");
        if (NULL == hModule)
        {
            VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);
            return FALSE;
        }
    }

    // Stage 1: GetModuleHandleA(path) inside hProcess.
    FARPROC fpProc = GetProcAddress(hModule, "GetModuleHandleA");
    if (NULL == fpProc)
    {
        FreeLibrary(hModule);
        VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);
        return FALSE;
    }

    HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)fpProc, lpVir, NULL, NULL);
    if (NULL == hRemoteThread)
    {
        FreeLibrary(hModule);
        VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);
        return FALSE;
    }

    // Anything but a clean signal (timeout, WAIT_FAILED) is treated as failure;
    // the remote thread itself is not cancelled in that case.
    if (WAIT_OBJECT_0 != WaitForSingleObject(hRemoteThread, dwMilliseconds))
    {
        CloseHandle(hRemoteThread);
        FreeLibrary(hModule);
        VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);
        return FALSE;
    }
    
    DWORD dwExitCode;
    if (!GetExitCodeThread(hRemoteThread, &dwExitCode))    //    dwExitCode is hRemoteLibModule
    {
        CloseHandle(hRemoteThread);
        FreeLibrary(hModule);
        VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);
        return FALSE;
    }

    // The path buffer is no longer needed; stage 2 takes a handle, not a string.
    // NOTE(review): dwExitCode == 0 (module not found) is not rejected here,
    // so stage 2 would call FreeLibrary(NULL) in the target.
    CloseHandle(hRemoteThread);
    VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);
    
    //    CreateRemoteThread the second times

    // Stage 2: FreeLibrary(handle from stage 1) inside hProcess.
    fpProc = GetProcAddress(hModule, "FreeLibrary");
    if (NULL == fpProc)
    {
        FreeLibrary(hModule);
        return FALSE;
    }

    hRemoteThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)fpProc, (LPVOID)((HMODULE)dwExitCode), NULL, NULL);
    if (NULL == hRemoteThread)
    {
        FreeLibrary(hModule);
        return FALSE;
    }

    if (WAIT_OBJECT_0 != WaitForSingleObject(hRemoteThread, dwMilliseconds))
    {
        CloseHandle(hRemoteThread);
        FreeLibrary(hModule);
        return FALSE;
    }

    if (!GetExitCodeThread(hRemoteThread, &dwExitCode))    //    dwExitCode is the return value of Remote FreeLibrary
    {
        CloseHandle(hRemoteThread);
        FreeLibrary(hModule);
        return FALSE;
    }

    // NOTE(review): hModule usually comes from GetModuleHandleA, which takes
    // no reference, so this FreeLibrary is unbalanced on that path.
    FreeLibrary(hModule);
    CloseHandle(hRemoteThread);
    return (BOOL)dwExitCode;    // nonzero iff the remote FreeLibrary reported success
}
    EnhanceFunc.cpp
     1 #include <cstdio>
     2 #include <windows.h>
     3 
     4 #include "EnhanceFunc.h"
     5 
     6 using namespace std;
     7 
// Demo driver for EnhanceFunc: enables SeDebugPrivilege, starts calc.exe,
// loads C:\DLL.dll into it with RemoteThreadInjection, unloads it again
// with RemoteThreadFreeing, then terminates the child. A "pause" separates
// the steps so each effect can be observed (e.g. in a process viewer).
//
// NOTE(review): CreateProcessA's return value is not checked, so if it
// fails every later call runs against a NULL pi.hProcess. pi.hProcess,
// pi.hThread and the thread handle returned by RemoteThreadInjection are
// never CloseHandle'd (the process exits right after, so the OS reclaims
// them). NULL is passed where CreateProcessA expects a DWORD
// dwCreationFlags and where TerminateProcess expects a UINT exit code; the
// matching literal is 0.
int main()
{
    char cTargetDllPath[MAX_PATH] = "C:\\DLL.dll";    //    suppose I have a dll file in this path

    printf("Enable Debug Privilege %s...\n", EnableDebugPrivileges() ? "Succeed" : "Faild");

    system("pause > nul");
    
    // Spawn the target process that the DLL will be loaded into.
    STARTUPINFOA si = {};
    si.cb = sizeof(si);
    PROCESS_INFORMATION pi = {};
    CreateProcessA(NULL, "C:\\Windows\\System32\\calc.exe", NULL, NULL, FALSE, NULL, NULL, NULL, &si, &pi);

    system("pause > nul");

    // The returned thread HANDLE is only tested for non-NULL; it is never closed.
    printf("DLL.dll Inject %s...\n", RemoteThreadInjection(pi.hProcess, cTargetDllPath) ? "Succeed" : "Faild");

    system("pause > nul");

    printf("DLL.dll Freeing %s...\n", RemoteThreadFreeing(pi.hProcess, cTargetDllPath) ? "Succeed" : "Faild");

    system("pause > nul");

    TerminateProcess(pi.hProcess, NULL);

    system("pause > nul && exit");
    return 0;
}
    main.cpp
  • 原文地址:https://www.cnblogs.com/gwsbhqt/p/4628963.html