远线程注入代码
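// Remote-thread DLL injection: write a DLL path into a target process and run
// kernel32!LoadLibraryW there via CreateRemoteThread. Windows only.
#include <windows.h>

#include <cstdio>
#include <iostream>
#include <string>

using namespace std;

// Best-effort attempt to enable SeDebugPrivilege on our own token so that
// OpenProcess can reach processes of other users/services.
// Returns true only when the privilege was actually granted; a false result is
// not fatal, OpenProcess may still succeed on processes of the same user.
static bool enableDebugPrivilege()
{
    HANDLE hToken = nullptr;
    // Least privilege: we only adjust and query the token, not TOKEN_ALL_ACCESS.
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return false;
    }

    TOKEN_PRIVILEGES tp{};
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    // SE_DEBUG_NAME is a TCHAR literal, so the TCHAR variant of the lookup is used.
    bool granted = LookupPrivilegeValue(nullptr, SE_DEBUG_NAME, &tp.Privileges[0].Luid) != FALSE;
    if (granted)
    {
        // AdjustTokenPrivileges returns TRUE even when nothing was assigned;
        // the real outcome is reported through GetLastError (ERROR_NOT_ALL_ASSIGNED
        // when the caller simply does not hold SeDebugPrivilege, e.g. non-admin).
        granted = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), nullptr, nullptr) != FALSE
                  && GetLastError() == ERROR_SUCCESS;
    }
    CloseHandle(hToken);
    return granted;
}

// Inject `dllpath` into process `pid`: allocate a buffer in the target, copy the
// wide path into it and start a remote thread whose entry point is
// kernel32!LoadLibraryW with that buffer as its single argument.
//
// Assumptions the code relies on but cannot verify here:
//  * The target has the same bitness as this process. The LoadLibraryW address
//    is resolved in OUR kernel32.dll and reused remotely; that only works because
//    same-bitness processes share the kernel32 base for a boot session.
//  * `dllpath` is a NUL-terminated path that the TARGET process can resolve and
//    is allowed to read.
//  * The DLL's DllMain returns; the wait below is unbounded.
//
// Parameters:
//   dllpath  wide, NUL-terminated path of the DLL to load in the target.
//   pid      process id of the target.
// Returns 1 when the remote LoadLibraryW reported a non-NULL module, 0 on any
// failure (the tool's failure message is printed, as before). The original
// always returned 0, so callers could not tell success from failure.
DWORD threadInject(const WCHAR* dllpath, DWORD pid)
{
    if (dllpath == nullptr || pid == 0)
    {
        printf("创建远线程失败\n");
        return 0;
    }

    // Not fatal if it fails: see enableDebugPrivilege.
    (void)enableDebugPrivilege();

    // Only the rights VirtualAllocEx/WriteProcessMemory/CreateRemoteThread need,
    // instead of PROCESS_ALL_ACCESS.
    const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION
                         | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE hProcess = OpenProcess(access, FALSE, pid);
    if (hProcess == nullptr)
    {
        printf("创建远线程失败\n");
        return 0;
    }

    // Resolve LoadLibraryW locally (bitness assumption above). Check both steps,
    // the original cast a possibly NULL result straight into the thread start.
    HMODULE kernel32 = GetModuleHandleW(L"kernel32.dll");
    FARPROC loadLibraryW = kernel32 != nullptr ? GetProcAddress(kernel32, "LoadLibraryW") : nullptr;
    if (loadLibraryW == nullptr)
    {
        printf("创建远线程失败\n");
        CloseHandle(hProcess);
        return 0;
    }

    // Size the remote buffer from the string itself. The original committed a
    // fixed 0x1000 bytes but wrote wcslen()-based length, so a long path could
    // overrun the region. The buffer only ever holds data, so it is allocated
    // read/write, not RWX.
    const SIZE_T bytes = sizeof(WCHAR) * (wcslen(dllpath) + 1);
    LPVOID remoteBuf = VirtualAllocEx(hProcess, nullptr, bytes, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (remoteBuf == nullptr)
    {
        printf("创建远线程失败\n");
        CloseHandle(hProcess);
        return 0;
    }

    SIZE_T written = 0;
    if (!WriteProcessMemory(hProcess, remoteBuf, dllpath, bytes, &written) || written != bytes)
    {
        printf("创建远线程失败\n");
        // MEM_RELEASE with size 0 frees the whole region; the original passed
        // MEM_FREE, which is not a valid VirtualFreeEx flag, so its frees failed.
        VirtualFreeEx(hProcess, remoteBuf, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return 0;
    }

    HANDLE hThread = CreateRemoteThread(hProcess, nullptr, 0,
                                        reinterpret_cast<LPTHREAD_START_ROUTINE>(loadLibraryW),
                                        remoteBuf, 0, nullptr);
    if (hThread == nullptr)
    {
        printf("创建远线程失败\n");
        VirtualFreeEx(hProcess, remoteBuf, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return 0;
    }

    // Wait for LoadLibraryW to return. Unbounded, as in the original (-1 == INFINITE);
    // a DllMain that blocks will hang the injector here.
    WaitForSingleObject(hThread, INFINITE);

    // The thread's exit code is LoadLibraryW's return value truncated to 32 bits.
    // Zero means the load failed (missing file, wrong bitness, DllMain returned
    // FALSE, ...), which the original reported as success. On 64-bit targets a
    // module base whose low 32 bits are all zero would be misreported; unlikely
    // but possible.
    DWORD exitCode = 0;
    const bool loaded = GetExitCodeThread(hThread, &exitCode) != FALSE && exitCode != 0;
    CloseHandle(hThread);

    // LoadLibraryW has returned, so the path buffer is no longer needed; the
    // original leaked it in the target on the success path.
    VirtualFreeEx(hProcess, remoteBuf, 0, MEM_RELEASE);
    CloseHandle(hProcess);

    if (!loaded)
    {
        printf("创建远线程失败\n");
        return 0;
    }
    printf("创建远线程成功\n");
    return 1;
}

// Convert a narrow argv string to a wide string using the ANSI code page.
// Paths with characters outside the system code page may not round-trip.
static wstring toWide(const char* narrow)
{
    const int len = MultiByteToWideChar(CP_ACP, 0, narrow, -1, nullptr, 0);
    if (len <= 0)
    {
        return wstring();
    }
    wstring wide(static_cast<size_t>(len), L'\0');
    MultiByteToWideChar(CP_ACP, 0, narrow, -1, &wide[0], len);
    wide.resize(static_cast<size_t>(len) - 1); // drop the terminating NUL written by the API
    return wide;
}

// Usage: RemoteInject [dll_path] [pid]
// Without arguments the original author's dev-tree DLL path is used and the pid
// is read from stdin, as before. Exit code 0 on successful injection, 1 otherwise.
int main(int argc, char* argv[])
{
    wstring dllPath = L"C:\\Users\\97905\\source\\repos\\RemoteInjectDll\\Debug\\RemoteInjectDll.dll";
    if (argc > 1)
    {
        dllPath = toWide(argv[1]);
    }

    DWORD pid = 0;
    if (argc > 2)
    {
        pid = static_cast<DWORD>(strtoul(argv[2], nullptr, 10));
    }
    else
    {
        cout << "输入pid" << endl;
        // Non-numeric input left `pid` uninitialized in the original; treat it as an error.
        if (!(cin >> pid))
        {
            return 1;
        }
    }
    if (dllPath.empty() || pid == 0)
    {
        return 1;
    }

    return threadInject(dllPath.c_str(), pid) != 0 ? 0 : 1;
}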