// Injection.cpp : 定義控制臺(tái)應(yīng)用程序的入口點(diǎn)。
//
#include "stdafx.h"
#include "Injection.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#endif
// 唯一的應(yīng)用程序?qū)ο?
CWinApp theApp;
using namespace std;
typedef struct _RemotePara{//參數(shù)結(jié)構(gòu)
char pMessageBox[12];
DWORD dwMessageBox;
}RemotePara;
//遠(yuǎn)程線程
DWORD __stdcall ThreadProc (RemotePara *lpPara){
typedef int (__stdcall *MMessageBoxA)(HWND,LPCTSTR,LPCTSTR,DWORD);//定義MessageBox函數(shù)
MMessageBoxA myMessageBoxA;
myMessageBoxA =(MMessageBoxA) lpPara->dwMessageBox ;//得到函數(shù)入口地址
myMessageBoxA(NULL,lpPara->pMessageBox ,lpPara->pMessageBox,0);//call
return 0;
}
void EnableDebugPriv();//提升應(yīng)用級(jí)調(diào)試權(quán)限
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
const DWORD THREADSIZE=1024*4;
DWORD byte_write;
EnableDebugPriv();//提升權(quán)限
HANDLE hWnd = ::OpenProcess (PROCESS_ALL_ACCESS,FALSE,760);
if(!hWnd)return 0;
void *pRemoteThread =::VirtualAllocEx(hWnd,0,THREADSIZE,MEM_COMMIT| MEM_RESERVE,PAGE_EXECUTE_READWRITE);
if(!pRemoteThread)return 0;
if(!::WriteProcessMemory(hWnd,pRemoteThread,&ThreadProc,THREADSIZE,0))
return 0;
//再付值
RemotePara myRemotePara;
::ZeroMemory(&myRemotePara,sizeof(RemotePara));
HINSTANCE hUser32 = ::LoadLibrary ("user32.dll");
myRemotePara.dwMessageBox =(DWORD) ::GetProcAddress (hUser32 , "MessageBoxA");
strcat(myRemotePara.pMessageBox,"hello\0");
//寫(xiě)進(jìn)目標(biāo)進(jìn)程
RemotePara *pRemotePara =(RemotePara *) ::VirtualAllocEx (hWnd
,0,sizeof(RemotePara),MEM_COMMIT,PAGE_READWRITE);//注意申請(qǐng)空間時(shí)的頁(yè)面屬性
if(!pRemotePara)return 0;
if(!::WriteProcessMemory (hWnd ,pRemotePara,&myRemotePara,sizeof myRemotePara,0))return 0;
//啟動(dòng)線程
HANDLE hThread = ::CreateRemoteThread (hWnd ,0,0,(DWORD (__stdcall *)(void *))pRemoteThread ,pRemotePara,0,&byte_write);
if(!hThread){
return 0;
}
return 0;
}
void EnableDebugPriv( void )
{
HANDLE hToken;
LUID sedebugnamevalue;
TOKEN_PRIVILEGES tkp;
if ( ! OpenProcessToken( GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
return;
if ( ! LookupPrivilegevalue( NULL, SE_DEBUG_NAME, &sedebugnamevalue ) ){
CloseHandle( hToken );
return;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnamevalue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if ( ! AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL ) )
CloseHandle( hToken );
}