VC编程之VC++注射过程-职坐标

VC编程之VC++注射过程

小标 2018-08-28 来源：阅读 1199 评论 0

摘要：本文主要向大家介绍了VC编程之VC++注射过程，通过具体的内容向大家展示，希望对大家学习VC编程有所帮助。

本文主要向大家介绍了VC编程之VC++注射过程，通过具体的内容向大家展示，希望对大家学习VC编程有所帮助。

// stdafx.h :
//
//
//

#pragma once

#include "targetver.h"

#include
#include

//myself
#include

#include

#include
using namespace std;

// TODO:

// Inject.cpp :
//

#include "stdafx.h"

/*
*
*/
int EnableDebugePriv(const char * name){

HANDLE hToken;
/*
*
* PrivilegeCount the number of  entries in the Privileges array
* Privileges[ANYSIZE_ARRAY]
*   LUID
*   SE_PRIVILEGE_ENABLED
*/
TOKEN_PRIVILEGES tp;
/*
* locally unique identifier (LUID) is guaranteed only until the system is restarted.
* call the LookupPrivilegeName function, passing the address of the LUID as the value of the lpLuid parameter.
*/
LUID luid;

/*
* The OpenProcessToken function opens the access token associated with a process.
*   ProcessHandle [in]: A handle to the process whose access token is opened.
*   DesiredAccess [in]Required to enable or disable the privileges in an access token.
*   TokenHandle [out] A pointer to a handle that identifies the newly opened access token when the function returns.
*/
OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&hToken);

/*
* [lpSystemName]- [in, optional] :If a null string is specified, the function attempts to find the privilege name on the local system.
* [lpName]-[in]  :
* [lpLuid]-[out] : LUID
*/
LookupPrivilegeValue(NULL,name,&luid);

tp.PrivilegeCount=1;
tp.Privileges[0].Luid=luid;
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;

/*
* Enabling or disabling privileges in an access token requires TOKEN_ADJUST_PRIVILEGES access.
*   TokenHandle [in]: The handle must have TOKEN_ADJUST_PRIVILEGES access to the token. If the PreviousState parameter is not NULL,
*                    the handle must also have TOKEN_QUERY access.
*   DisableAllPrivileges [in]: Specifies whether the function disables all of the token's privileges.If it is FALSE, the function
*          modifies privileges based on the information pointed to by the NewState parameter.
*   NewState [in, optional]: the DisableAllPrivileges parameter is FALSE, the AdjustTokenPrivileges function enables,
*        disables, or removes these privileges for the token.
*   BufferLength [in]: Specifies the size, in bytes, of the buffer pointed to by the PreviousState parameter.
*   PreviousState [out, optional]:  If the PrivilegeCount member of TOKEN_PRIVILEGES is zero,
*         then no privileges have been changed by this function. This parameter can be NULL.
*   ReturnLength [out, optional]: pointer to a variable that receives the required size, in bytes, of the buffer pointed to
*         by the PreviousState parameter. This parameter can be NULL if PreviousState is NULL.
*
*/
AdjustTokenPrivileges(hToken,0,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL);

return 0;

}

BOOL InjectDLL(const char * DllFullPath, const DWORD dwRemoteProcessId){

HANDLE hRemoteProcess;
/*
*
*/
EnableDebugePriv(SE_DEBUG_NAME);

//
/*
* Opens an existing local process object.
*   dwDesiredAccess [in] :
* bInheritHandle [in]
* dwProcessId [in]  : The identifier of the local process to be opened.
*/
hRemoteProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwRemoteProcessId);

char * pszLibFileRemote;
//VirtualAllocExDLL
/*
* Reserves or commits a region of memory within the virtual address space of a specified process.
* The function initializes the memory it allocates to zero
*   hProcess [in] : The handle to a process. The function allocates memory within the virtual address space of this process.
* lpAddress [in, optional] : If lpAddress is NULL, the function determines where to allocate the region.
* dwSize [in] : The size of the region of memory to allocate, in bytes.
* flAllocationType [in] : The type of memory allocation.
* flProtect [in] :The memory protection for the region of pages to be allocated.
*/
pszLibFileRemote=(char *)VirtualAllocEx(hRemoteProcess,NULL,lstrlen(DllFullPath)+1,MEM_COMMIT,PAGE_READWRITE);

//WriteProcessMemoryDLL
/*
* Writes data to an area of memory in a specified process.
*   hProcess [in] A handle to the process memory to be modified.
* lpBaseAddress [in] A pointer to the base address in the specified process to which data is written.
* lpBuffer [in] A pointer to the buffer that contains data to be written in the address space of the specified process.
* nSize [in] The number of bytes to be written to the specified process.
* lpNumberOfBytesWritten [out]  If lpNumberOfBytesWritten is NULL, the parameter is ignored.
*
*/
WriteProcessMemory(hRemoteProcess,pszLibFileRemote,(void *)DllFullPath,lstrlen(DllFullPath)+1,NULL);

//LoadLibraryA()
//LoadLibraryA
/*
* Retrieves() the address of an exported function or variable from the specified dynamic-link library (DLL).
*   hModule [in] : A handle to the DLL module that contains the function or variable.
*       The LoadLibrary, LoadLibraryEx, LoadPackagedLibrary, or GetModuleHandle function returns this handle.
* lpProcName [in]  The function or variable name, or the function's ordinal value. If this parameter is an ordinal value,
*        it must be in the low-order word; the high-order word must be zero.
*/

//LoadLibraryA
PTHREAD_START_ROUTINE pfnStartAddr=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32.dll")),"LoadLibraryA");

//LoadLibraryA
HANDLE hRemoteThread;

/*
* Creates a thread that runs in the virtual address space of another process.
*   hProcess [in] : A handle to the process in which the thread is to be created.
* lpThreadAttributes [in] : A pointer to a SECURITY_ATTRIBUTES structure that specifies a security descriptor
*         for the new thread and determines whether child processes can inherit the returned handle.
*         If lpThreadAttributes is NULL, the thread gets a default security descriptor and the handle
*         cannot be inherited.
*   dwStackSize [in] : The initial size of the stack, in bytes.If this parameter is 0 (zero),
*        the new thread uses the default size for the executable.
* lpStartAddress [in] : A pointer to the application-defined function of type LPTHREAD_START_ROUTINE to be executed by the thread
*           and represents the starting address of the thread in the remote process.
* lpParameter [in] : A pointer to a variable to be passed to the thread function.
* dwCreationFlags [in] : The flags that control the creation of the thread.
* lpThreadId [out] :
*/
if((hRemoteThread=CreateRemoteThread(hRemoteProcess,NULL,0,pfnStartAddr,pszLibFileRemote,0,NULL))==NULL){

  cout<<""<<endl;
  return FALSE;
}

//
CloseHandle(hRemoteThread);
CloseHandle(hRemoteProcess);

return TRUE;
}

DWORD GetProcessId(){
DWORD Pid=-1;

/*
* Takes a snapshot of the specified processes
*   dwFlags [in]: TH32CS_SNAPPROCESS-Includes all processes in the system in the snapshot.
*   th32ProcessID [in]: The process identifier of the process to be included in the snapshot.
*      This parameter can be zero to indicate the current process. This parameter is used when the TH32CS_SNAPHEAPLIST,
*      TH32CS_SNAPMODULE, TH32CS_SNAPMODULE32, or TH32CS_SNAPALL value is specified.
*      Otherwise, it is ignored and all processes are included in the snapshot.
*/
HANDLE hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);

//
/*
* Describes an entry from a list of the processes residing in the system address space when a snapshot was taken.
*   th32ProcessID: The process identifier.
* szExeFile : The name of the executable file for the process.
*/
PROCESSENTRY32 lPrs;
ZeroMemory(&lPrs,sizeof(PROCESSENTRY32));
lPrs.dwSize=sizeof(lPrs);
char * TargetFile="QQ.exe";

/*
* Retrieves information about the first process encountered in a system snapshot.
*   hSnapshot [in] : A handle to the snapshot returned from a previous call to the CreateToolhelp32Snapshot function.
* lppe [in, out] : A pointer to a PROCESSENTRY32 structure.
*/
Process32First(hSnap,&lPrs);
if(strstr(TargetFile,lPrs.szExeFile)!=NULL){
  Pid=lPrs.th32ProcessID;
  return Pid;
}
while(1){
  ZeroMemory(&lPrs,sizeof(PROCESSENTRY32));
  lPrs.dwSize=sizeof(lPrs);

  /*
  * Returns TRUE if the next entry of the process list has been copied to the buffer or FALSE otherwise.
  * The comparison is case-sensitive.
  */
  if(!Process32Next(hSnap,&lPrs)){

   Pid=-1;
   break;
  }
  /*
  * Returns the address of the first occurrence of the matching substring if successful, or NULL otherwise.
  */
  if(strstr(TargetFile,lPrs.szExeFile)!=NULL){

   Pid=lPrs.th32ProcessID;
   break;
  }

}
return Pid;
}

int _tmain(int argc, _TCHAR* argv[])
{
char myFile[MAX_PATH];
GetCurrentDirectory(MAX_PATH,myFile);

//myFile
strcat(myFile,"\\door.dll");
InjectDLL(myFile,GetProcessId());

return 0;
}