远线程注入代码

远线程注入代码

 1 #include <windows.h>
 2 #include <iostream>
 3 using namespace std;
 4 
 5 DWORD threadInject(WCHAR* dllpath, DWORD pid)
 6 {
 7     int t = sizeof(dllpath);
 8     //先激活权限
 9     HANDLE hToken;
10     LUID newLuid;
11     TOKEN_PRIVILEGES tr;
12     tr.PrivilegeCount = 1;
13     tr.Privileges->Attributes = SE_PRIVILEGE_ENABLED;
14     OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken);
15     LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &newLuid);
16     tr.Privileges->Luid = newLuid;
17     AdjustTokenPrivileges(hToken, FALSE, &tr, sizeof(tr), 0, 0);
18     HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, pid);
19     //获取进程句柄
20     if (hProcess == 0 || hProcess == INVALID_HANDLE_VALUE)
21     {
22         printf("创建远线程失败\n");
23         CloseHandle(hToken);
24         return 0;
25     }
26     //申请内存存放参数
27     LPVOID p = VirtualAllocEx(hProcess, 0, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
28     if (!p)
29     {
30         printf("创建远线程失败\n");
31         CloseHandle(hProcess);
32         CloseHandle(hToken);
33         return 0;
34     }
35     //写参数
36     if (!WriteProcessMemory(hProcess, p, (LPVOID)(dllpath), sizeof(WCHAR)* (wcslen(dllpath)+1), NULL))
37     {
38         printf("创建远线程失败\n");
39         VirtualFreeEx(hProcess, p, 0x1000, MEM_FREE);
40         CloseHandle(hProcess);
41         CloseHandle(hToken);
42         return 0;
43     }
44     //创建远程线程并执行LoadLibraryW加载dll
45     HANDLE cThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "LoadLibraryW")), p, 0, 0);
46     if (cThread == 0 || cThread == INVALID_HANDLE_VALUE)
47     {
48         printf("创建远线程失败\n");
49         VirtualFreeEx(hProcess, p, 0x1000, MEM_FREE);
50         CloseHandle(hProcess);
51         CloseHandle(hToken);
52         return 0;
53     }
54     //5.等待线程结束返回,释放资源
55     WaitForSingleObject(cThread, -1);
56     CloseHandle(cThread);
57     CloseHandle(hProcess);
58     CloseHandle(hToken);
59     printf("创建远线程成功\n");
60 
61     return 0;
62 }
63 
64 int main() {
65     DWORD pid;
66     wstring str = L"C:\\Users\\97905\\source\\repos\\RemoteInjectDll\\Debug\\RemoteInjectDll.dll";
67     cout << "输入pid" << endl;
68     cin >> pid;
69     //RemoteThreadInject(pid);    
70     threadInject((WCHAR*)str.c_str(), pid);
71 
72     return 0;
73 }

 

posted @ 2020-03-25 16:35  OneTrainee  阅读(357)  评论(0编辑  收藏  举报