  • DLL 注入示例代码（经典的 VirtualAllocEx + WriteProcessMemory + CreateRemoteThread→LoadLibrary 远程线程注入，需要 SeDebugPrivilege，且目标进程位数须与注入器一致）

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <errno.h>
    #include <tchar.h>
    #include <windows.h>
    #include <atlbase.h>
    05 
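    /*
     * Enable one named privilege (here always SE_DEBUG_NAME) on the current
     * process token.
     *
     * name: privilege name in the form LookupPrivilegeValue expects.
     *
     * Returns TRUE only if the privilege is now enabled. AdjustTokenPrivileges
     * returns TRUE even when it could not assign any of the requested
     * privileges (the token simply does not hold them, e.g. a non-elevated
     * user); that case is signalled through GetLastError() ==
     * ERROR_NOT_ALL_ASSIGNED, which the original never checked, so it reported
     * success and the later OpenProcess failed with a misleading error.
     * The token handle is closed on every path (the original leaked it).
     */
    BOOL EnableDebugPriv(LPCTSTR name)
    {
        HANDLE token = NULL;
        TOKEN_PRIVILEGES tp;
        LUID luid;
        BOOL ok = FALSE;

        if (!OpenProcessToken(GetCurrentProcess(),
                              TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token))
            return FALSE;

        /* Resolve the privilege name to its locally unique identifier. */
        if (!LookupPrivilegeValue(NULL, name, &luid))
            goto out;

        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        if (!AdjustTokenPrivileges(token, FALSE, &tp, sizeof(tp), NULL, NULL))
            goto out;

        /* TRUE + ERROR_NOT_ALL_ASSIGNED: the privilege is not present in the
         * token at all, so nothing was enabled. */
        ok = (GetLastError() != ERROR_NOT_ALL_ASSIGNED);

    out:
        CloseHandle(token);
        return ok;
    }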
    30 
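    /*
     * Inject the DLL at dll_full_path into process remote_process_id: write
     * the path into the target's address space and start a remote thread
     * whose entry point is LoadLibrary with that path as its argument.
     *
     * Preconditions / caveats a user of this tool should know:
     *  - SeDebugPrivilege must be obtainable (the function fails otherwise).
     *  - The target must have the same bitness as this binary: the LoadLibrary
     *    address is taken from *this* process's kernel32 and is only valid in
     *    the target because kernel32 is, in practice, mapped at the same base
     *    in every process of one bitness within a boot session.
     *  - dll_full_path should be absolute: a relative path is resolved by the
     *    target against its own working directory and DLL search path.
     *
     * Returns TRUE only if the remote LoadLibrary returned a non-NULL module
     * handle. Every handle and the remote buffer are released on all paths;
     * the original leaked them on every failure branch and only decommitted
     * (MEM_DECOMMIT) the remote buffer, leaving the reservation in place.
     */
    BOOL InjectDll(LPCTSTR dll_full_path, DWORD remote_process_id)
    {
        BOOL ok = FALSE;
        HANDLE process = NULL;
        HANDLE thread = NULL;
        LPVOID remote_path = NULL;
        SIZE_T path_bytes;
        FARPROC load_library;
        DWORD module_handle = 0;

        if (dll_full_path == NULL || dll_full_path[0] == _T('\0'))
            return FALSE;

        if (!EnableDebugPriv(SE_DEBUG_NAME))
            return FALSE;

        /* Least privilege: request only what VirtualAllocEx/VirtualFreeEx,
         * WriteProcessMemory and CreateRemoteThread need, not
         * PROCESS_ALL_ACCESS. */
        process = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                              PROCESS_VM_OPERATION | PROCESS_VM_WRITE |
                              PROCESS_VM_READ,
                              FALSE, remote_process_id);
        if (process == NULL)
            return FALSE;

        /* Size in BYTES including the terminator. The original used
         * _tcsclen() (a character count), so with UNICODE defined it wrote
         * only half of the wide-char path into the target. */
        path_bytes = (_tcslen(dll_full_path) + 1) * sizeof(TCHAR);

        remote_path = VirtualAllocEx(process, NULL, path_bytes, MEM_COMMIT,
                                     PAGE_READWRITE);
        if (remote_path == NULL)
            goto out;

        if (!WriteProcessMemory(process, remote_path, dll_full_path,
                                path_bytes, NULL))
            goto out;

        /* Use the LoadLibrary flavour matching TCHAR; the original always
         * resolved LoadLibraryA, which misreads a wide-char path. */
    #ifdef UNICODE
        load_library = GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),
                                      "LoadLibraryW");
    #else
        load_library = GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),
                                      "LoadLibraryA");
    #endif
        if (load_library == NULL)
            goto out;

        thread = CreateRemoteThread(process, NULL, 0,
                                    (LPTHREAD_START_ROUTINE)load_library,
                                    remote_path, 0, NULL);
        if (thread == NULL)
            goto out;

        if (WaitForSingleObject(thread, INFINITE) != WAIT_OBJECT_0)
            goto out;

        /* The thread's exit code is LoadLibrary's return value. Zero means
         * the DLL did not load in the target. (On x64 the HMODULE is
         * truncated to its low 32 bits, so this is a strong heuristic rather
         * than an exact check there.) */
        if (!GetExitCodeThread(thread, &module_handle))
            goto out;
        ok = (module_handle != 0);

    out:
        if (thread != NULL)
            CloseHandle(thread);
        /* MEM_RELEASE requires dwSize == 0 and frees the whole region. */
        if (remote_path != NULL)
            VirtualFreeEx(process, remote_path, 0, MEM_RELEASE);
        CloseHandle(process);
        return ok;
    }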
    76 
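    /*
     * Usage: InjectDll.exe <dll_path> <process_id>
     *
     * Both arguments are validated before InjectDll() is called:
     *  - dll_path must fit in a MAX_PATH TCHAR buffer. The original copied it
     *    with an unbounded _tcscpy(), so an over-long argument overflowed the
     *    stack buffer.
     *  - process_id is parsed with strtoul() and must be a non-zero decimal
     *    number; atoi() silently turned garbage or negative input into a
     *    bogus id.
     *
     * Returns 0 on success, -1 on any usage or injection error.
     */
    int main(int argc, char **argv)
    {
        if (argc < 3)
        {
            printf("usage: InjectDll.exe <dll_path> <process_id>\n");
            return -1;
        }

        if (strlen(argv[1]) >= MAX_PATH)
        {
            printf("dll path too long (max %d characters)\n", MAX_PATH - 1);
            return -1;
        }

        /* DWORD and unsigned long are both 32-bit on Windows, so ERANGE is
         * the only range condition that needs checking. */
        char *end = NULL;
        errno = 0;
        unsigned long pid = strtoul(argv[2], &end, 10);
        if (end == argv[2] || *end != '\0' || errno == ERANGE || pid == 0)
        {
            printf("invalid process id: %s\n", argv[2]);
            return -1;
        }

        TCHAR dll[MAX_PATH];
        USES_CONVERSION;
        /* A2T() yields the TCHAR flavour of argv[1]; conversion never yields
         * more characters than input bytes, so the length check above already
         * guarantees the copy fits. The bounded copy is defence in depth. */
        _tcsncpy(dll, A2T(argv[1]), MAX_PATH - 1);
        dll[MAX_PATH - 1] = _T('\0');

        if (!InjectDll(dll, (DWORD)pid))
        {
            printf("inject dll failed!\n");
            return -1;
        }

        return 0;
    }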
  • 原文地址:https://www.cnblogs.com/shihao/p/2697865.html