#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
// Function-pointer type with the same parameter list as MessageBox
// (owner window, text, caption, type flags), using the __stdcall convention.
// NOTE(review): LPCTSTR depends on whether UNICODE is defined, while main
// resolves "MessageBoxA" and passes char arrays; the two only agree in a
// non-UNICODE build — confirm the project settings.
typedef int (__stdcall *PMESSAGEBOX)(HWND ,LPCTSTR ,LPCTSTR ,UINT);
// Argument bundle handed to Inject_Fun through its single pointer parameter.
// main fills one instance locally and copies it byte-for-byte into the other
// process, so every pointer stored here has to be meaningful in that process,
// not in the one that built the struct.
typedef struct _CODE_ARGS_
{
// Address of the message-box routine to call; main stores the result of
// GetProcAddress(..., "MessageBoxA") here.
PMESSAGEBOX pMessageBox;
// Owner window forwarded as the first argument; main sets it to NULL.
HWND hWnd;
// Message text; main points this at the start of the remote allocation.
LPCTSTR lpText;
// Caption text; main points this just past the text inside the same allocation.
LPCTSTR lpCaption;
// Set to 1 by main, but Inject_Fun passes a literal 1 and never reads this field.
UINT uType;
}CODE_ARGS;
/*
 * Routine whose compiled bytes main copies into another process and starts
 * there as a thread entry point.
 *
 * pCodeArgs: pointer to a CODE_ARGS block; everything the body touches
 *            (the callee and both strings) is reached through it.
 * Returns 0 unconditionally.
 *
 * The body calls only through pCodeArgs->pMessageBox and uses no string
 * literals or globals of its own — presumably so the copied bytes carry no
 * references back into the original image; a compiler-inserted helper call
 * (stack checks, debug thunks) would break that assumption.
 * NOTE(review): the function is declared without WINAPI/__stdcall, yet main
 * casts it to LPTHREAD_START_ROUTINE; with the default calling convention of
 * a 32-bit build those differ — confirm the build flags.
 */
DWORD Inject_Fun(CODE_ARGS *pCodeArgs)
{
// The last argument is the literal 1 (MB_OKCANCEL), not pCodeArgs->uType;
// the call's return value is discarded.
pCodeArgs->pMessageBox(pCodeArgs->hWnd,pCodeArgs->lpText,pCodeArgs->lpCaption,1);
return 0;
}
/*
 * Empty marker function. main subtracts Inject_Fun's address from this
 * function's address to estimate how many bytes Inject_Fun occupies.
 * NOTE(review): that estimate relies on the toolchain emitting the two
 * functions back to back in source order, which C does not guarantee; the
 * original comment in main says the length is only right in release builds.
 */
void Inject_Fun_End(void)
{
}
/*
 * Demo driver: reads a process ID from stdin, lays out
 * [text][caption][CODE_ARGS][copy of Inject_Fun] in a 1024-byte region of
 * that process, runs the copy on a remote thread, waits for it, and frees
 * the region. argc/argv are unused. Returns 0 on every path.
 *
 * Defender's view: OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
 * CreateRemoteThread is the classic remote-thread form of process injection
 * (MITRE ATT&CK T1055). Sysmon reports the cross-process handle open as
 * Event ID 10 (ProcessAccess) and the thread creation as Event ID 8
 * (CreateRemoteThread); a committed region that is writable and executable
 * at once is a further signal memory scanners look for.
 *
 * NOTE(review): no API result below is checked, so a failed step is followed
 * by calls on a NULL handle or NULL address instead of an early exit.
 * NOTE(review): strlen is used but <string.h> is not among the visible
 * includes (stdafx.h may supply it).
 */
int main(int argc, char* argv[])
{
DWORD PID = 0;
puts("Input Target Process ID:\n");
// scanf's return value is ignored; on unparsable input PID keeps its initial 0.
scanf("%u",&PID);
// Requests every access right on the target; the handle is not tested for NULL.
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,PID);
// The error code is captured but dw is never read afterwards.
DWORD dw = GetLastError();
void *pRemoteAddr = VirtualAllocEx(hProcess,NULL,1024,MEM_COMMIT,PAGE_EXECUTE_READWRITE);//allocate space in the target
CODE_ARGS Code_Args = {0};
// Resolved in THIS process and later dereferenced in the target: this
// presumes user32.dll is loaded there at the same address, which the code
// does not verify. The LoadLibrary handle is neither checked nor released.
Code_Args.pMessageBox = (PMESSAGEBOX)GetProcAddress(LoadLibrary("User32.dll"),"MessageBoxA");
Code_Args.hWnd = NULL;
Code_Args.uType = 1;
char TextArr[] = "Hello Boys I Come Here!";
char CaptionArr[] = "Code Inject!";
// This local uType is never used.
DWORD uType = 1;
void *pRemoteArgAddr = NULL;
void *pRemoteProc = NULL;
// dwOffset is the running write position inside the remote region;
// dwWriteByte receives the byte count reported by each WriteProcessMemory.
DWORD dwOffset = 0,dwWriteByte = 0;
//write the two strings referenced by the struct
// NOTE(review): DWORD is 32 bits wide, so the (DWORD) pointer casts on the
// next lines are lossless only in a 32-bit build; the struct and code writes
// further down already use (BYTE *) arithmetic instead.
Code_Args.lpText = (char *)pRemoteAddr;
WriteProcessMemory(hProcess,(void *)((DWORD)pRemoteAddr + dwOffset),TextArr,strlen(TextArr)+1,&dwWriteByte);
// The offset advances by whatever the call reported, even if it failed.
dwOffset += dwWriteByte;
Code_Args.lpCaption = (char *)((DWORD)pRemoteAddr + dwOffset);
WriteProcessMemory(hProcess,(void *)((DWORD)pRemoteAddr + dwOffset),CaptionArr,strlen(CaptionArr)+1,&dwWriteByte);
dwOffset += dwWriteByte;
//write the struct
// Written only now, after lpText and lpCaption hold remote addresses.
pRemoteArgAddr = (BYTE *)pRemoteAddr + dwOffset;
WriteProcessMemory(hProcess,pRemoteArgAddr,&Code_Args,sizeof(Code_Args),&dwWriteByte);
dwOffset += dwWriteByte;
//write the function's machine code; the computed length works in release builds, debug builds need a fix
pRemoteProc = (BYTE *)pRemoteAddr + dwOffset;
// Length = address of Inject_Fun_End minus address of Inject_Fun; nothing
// checks that strings + struct + code fit inside the 1024 bytes allocated.
WriteProcessMemory(hProcess,pRemoteProc,(void *)Inject_Fun,(DWORD)Inject_Fun_End - (DWORD)Inject_Fun,&dwWriteByte);
DWORD TID = 0;
// Starts the copied routine in the target with the remote CODE_ARGS as its
// argument; the returned handle is not checked before use.
HANDLE hRemotethread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)pRemoteProc,pRemoteArgAddr,0,&TID);
// Blocks with no timeout until the remote thread exits.
WaitForSingleObject(hRemotethread,INFINITE);
CloseHandle(hRemotethread);
// Releases the whole remote region (size 0 with MEM_RELEASE), then the process handle.
VirtualFreeEx(hProcess,pRemoteAddr,0,MEM_RELEASE);
CloseHandle(hProcess);
return 0;
}
代码注入