界面如下:
主要代码如下:
1 #define STRLEN 20 2 3 typedef struct _DATA 4 { 5 DWORD dwLoadLibrary; 6 DWORD dwGetProcAddress; 7 DWORD dwGetModuleHandle; 8 DWORD dwGetModuleFileName; 9 10 char User32Dll[STRLEN]; 11 char MessageBox[STRLEN]; 12 char Str[STRLEN]; 13 }DATA, *PDATA; 14 15 void CNoDllInjectDlg::OnBnClickedButtonInject() 16 { 17 // TODO: 在此添加控件通知处理程序代码 18 UpdateData(TRUE); 19 InjectCode(m_dwPid); 20 } 21 22 23 DWORD WINAPI RemoteThreadProc(LPVOID lpParam) 24 { 25 PDATA pData = (PDATA)lpParam; 26 27 HMODULE (__stdcall *MyLoadLibrary)(LPCSTR); 28 FARPROC (__stdcall *MyGetProcAddress)(HMODULE, LPCSTR); 29 HMODULE (__stdcall *MyGetModuleHandle)(LPCSTR); 30 int (__stdcall *MyMessageBox)(HWND, LPCSTR, LPCSTR, UINT); 31 DWORD (__stdcall *MyGetModuleFileName)(HMODULE, LPSTR, DWORD); 32 33 MyLoadLibrary = (HMODULE (__stdcall *)(LPCSTR))pData->dwLoadLibrary; 34 MyGetProcAddress = (FARPROC (__stdcall *)(HMODULE, LPCSTR))pData->dwGetProcAddress; 35 MyGetModuleHandle = (HMODULE (__stdcall *)(LPCSTR))pData->dwGetModuleHandle; 36 MyGetModuleFileName = (DWORD (__stdcall *)(HMODULE, LPSTR, DWORD))pData->dwGetModuleFileName; 37 38 HMODULE hModule = MyLoadLibrary(pData->User32Dll); 39 MyMessageBox = (int (__stdcall *)(HWND, LPCSTR, LPCSTR, UINT))MyGetProcAddress(hModule, pData->MessageBox); 40 char szModuleName[MAX_PATH] = {0}; 41 MyGetModuleFileName(NULL, szModuleName, MAX_PATH); 42 43 MyMessageBox(NULL, pData->Str, szModuleName, MB_OK); 44 45 return 0; 46 } 47 48 49 void CNoDllInjectDlg::InjectCode(DWORD dwPid) 50 { 51 DebugPrivilege(); 52 HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid); 53 if (NULL == hProcess) 54 { 55 AfxMessageBox(_T("OpenProcess Error!")); 56 return; 57 } 58 59 DATA Data = {0}; 60 Data.dwLoadLibrary = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA"); 61 Data.dwGetProcAddress = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetProcAddress"); 62 Data.dwGetModuleHandle = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleHandleA"); 63 Data.dwGetModuleFileName = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleFileNameA"); 64 65 strcpy(Data.User32Dll, "user32.dll"); 66 strcpy(Data.MessageBox, "MessageBoxA"); 67 strcpy(Data.Str, "Inject Code !!"); 68 69 LPVOID lpData = VirtualAllocEx(hProcess, NULL, sizeof(DATA), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 70 DWORD dwWriteNum = 0; 71 WriteProcessMemory(hProcess, lpData, &Data, sizeof(DATA), &dwWriteNum); 72 73 DWORD dwFunSize = 0x2000; 74 LPVOID lpCode = VirtualAllocEx(hProcess, NULL, dwFunSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); 75 WriteProcessMemory(hProcess, lpCode, RemoteThreadProc, dwFunSize, &dwWriteNum); 76 77 HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpCode, lpData, 0, NULL); 78 WaitForSingleObject(hRemoteThread, INFINITE); 79 80 CloseHandle(hRemoteThread); 81 CloseHandle(hProcess); 82 } 83 84 void CNoDllInjectDlg::DebugPrivilege(void) 85 { 86 HANDLE hToken = NULL; 87 BOOL bRet = OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken); 88 if (TRUE == bRet) 89 { 90 TOKEN_PRIVILEGES tp; 91 tp.PrivilegeCount = 1; 92 LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid); 93 tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 94 AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL); 95 96 CloseHandle(hToken); 97 } 98 }