  • dll 注入~

    把DLL插进去 T T , 传说中的硬编码。 我真懒得写全了 意思一下就好了。

     1 #include "stdafx.h"
    2 #include <windows.h>
    3
    4
    /*
     * Load a DLL into another process by path: the DLL path is copied into
     * the target's address space and a remote thread is started at
     * kernel32!LoadLibraryA with that path as its argument.
     *
     * dwProcessId  target process id.
     * szLibName    NUL-terminated ANSI path of the DLL to load; LoadLibraryA
     *              resolves it inside the target, so it must be valid there.
     *
     * Returns TRUE when the remote thread was created and has finished,
     * FALSE if any step before that failed. The thread's exit code
     * (LoadLibraryA's return value) is never read, so TRUE does not prove
     * that the DLL actually loaded.
     *
     * Monitoring note: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx ->
     * WriteProcessMemory -> CreateRemoteThread against a foreign process is
     * the classic remote-thread injection sequence and is exactly what
     * endpoint detection rules typically key on.
     *
     * Uses MSVC structured exception handling (__try/__leave/__finally);
     * this is not portable C.
     */
    BOOL InjectProcess(DWORD dwProcessId, char* szLibName)
    {
        BOOL bOK = FALSE;
        HANDLE hProcess = NULL;
        HANDLE hThread = NULL;
        char* pszRemoteLibName = NULL;   /* lives in the TARGET's address space */

        __try
        {
            /* Every access right is requested. OpenProcess returns NULL when
             * the target cannot be opened (typically insufficient privilege). */
            hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwProcessId);
            if(hProcess == NULL) __leave;

            /* Length of the path including its terminating NUL, in bytes. */
            int cch = 1 + lstrlen(szLibName);
            int cb = cch * sizeof(char);

            /* Commit a readable/writable region in the target for the path. */
            pszRemoteLibName = (char *)VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
            if(pszRemoteLibName == NULL) __leave;

            /* Copy the path across. The bytes-written count is not requested
             * (last argument NULL); only the BOOL result is checked. */
            if(!WriteProcessMemory(hProcess, pszRemoteLibName, (PVOID)szLibName, cb, NULL)) __leave;

            /* LoadLibraryA is resolved in THIS process and the same address is
             * reused in the target. That only holds if kernel32.dll is mapped
             * at the same base in both processes -- assumed, never verified. */
            LPTHREAD_START_ROUTINE pfnLoadLibraryA = (LPTHREAD_START_ROUTINE)
            GetProcAddress(GetModuleHandleA("kernel32.dll"),"LoadLibraryA");
            if(pfnLoadLibraryA == NULL) __leave;

            /* Start a thread in the target whose entry point is LoadLibraryA;
             * the thread parameter doubles as LoadLibraryA's path argument. */
            hThread = CreateRemoteThread(hProcess, NULL, 0, pfnLoadLibraryA, pszRemoteLibName, 0, NULL);
            if(hThread == NULL) __leave;

            /* Block until the remote thread (LoadLibraryA) returns. The remote
             * buffer must stay alive until then; it is released in __finally.
             * The wait result and the thread exit code are not examined. */
            WaitForSingleObject(hThread, INFINITE);

            bOK = TRUE;

        }

        __finally
        {
            /* Cleanup runs on every path, including __leave. */
            if(pszRemoteLibName != NULL)
                VirtualFreeEx(hProcess, pszRemoteLibName, 0, MEM_RELEASE);

            if(hThread != NULL)
                CloseHandle(hThread);

            if(hProcess != NULL)
                CloseHandle(hProcess);
        }

        return bOK;
    }
    52
    /************************************************************************/
    /* Purpose:  enable one named privilege in a process's access token.    */
    /* Params:   process handle; privilege name (main passes SE_DEBUG_NAME).*/
    /* Returns:  TRUE on success, FALSE otherwise.                          */
    /*                                                                      */
    /* Caveats visible in the code below:                                   */
    /*  - hToken is closed on the failure paths only; the success path      */
    /*    returns without CloseHandle and leaks the token handle.           */
    /*  - AdjustTokenPrivileges reports TRUE even when the privilege could  */
    /*    not be assigned (the caller would also have to check GetLastError */
    /*    for ERROR_NOT_ALL_ASSIGNED), so TRUE here does not guarantee the  */
    /*    privilege is actually enabled, e.g. for a non-elevated caller.    */
    /* Enabling SeDebugPrivilege is a sensitive token change that Windows   */
    /* privilege-use auditing can record.                                   */
    /************************************************************************/
    BOOL EnableDebugPrivilege(IN HANDLE hProcess, IN LPCTSTR lpPrivilegeName)
    {
        HANDLE hToken;
        LUID sedebugnameValue;
        TOKEN_PRIVILEGES tkp;

        /* TOKEN_ADJUST_PRIVILEGES to change the token, TOKEN_QUERY to read it. */
        if (!OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        {
            return FALSE;
        }

        /* Translate the privilege name into the LUID the token uses. */
        if (!LookupPrivilegeValue(NULL, lpPrivilegeName, &sedebugnameValue))
        {
            CloseHandle(hToken);
            return FALSE;
        }

        /* Single-entry privilege array: enable only the requested one. */
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = sedebugnameValue;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        /* DisableAllPrivileges = FALSE; no previous-state buffer requested. */
        if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
        {
            CloseHandle(hToken);
            return FALSE;
        }

        /* NOTE(review): hToken is not closed on this path. */
        return TRUE;
    }
    87
    88
    89
    /*
     * Entry point. Enables SeDebugPrivilege for this process, then injects a
     * DLL into a hard-coded process id (6916) from a hard-coded path.
     * argc/argv are unused, and both return values are ignored, so failure
     * of either step is silent. The author states above that the values are
     * hard-coded only to illustrate the idea.
     */
    int main(int argc, char* argv[])
    {
        /* Return value ignored; if this fails, OpenProcess inside
         * InjectProcess may fail for targets the caller cannot otherwise open. */
        EnableDebugPrivilege(GetCurrentProcess(), SE_DEBUG_NAME);
        /* Return value ignored as well. */
        InjectProcess(6916, "d:\\work\\MyProjects\\apihook\\Debug\\apihook.dll");
        return 0;
    }



  • 原文地址:https://www.cnblogs.com/whoiskevin/p/2416864.html