執行緒程式碼注入 無dll版本
阿新 • 發佈:2018-11-10
/*
 * Remote-thread code injection without a DLL (Win32, 32-bit build assumed).
 *
 * Two allocations are made in the target process: a PAGE_READWRITE block
 * holding a `shared` parameter struct, and a PAGE_EXECUTE_READWRITE block
 * into which the bytes of rthread() are copied. CreateRemoteThread then
 * starts rthread inside the target with the struct as its argument.
 *
 * From a detection standpoint this is the textbook sequence
 * OpenProcess -> VirtualAllocEx(RWX) -> WriteProcessMemory -> CreateRemoteThread;
 * it is the pattern that endpoint telemetry (ETW, EDR hooks, Sysmon event 8)
 * is built to surface, and the plaintext strings copied into `shared`
 * ("user32.dll", "MessageBoxA", the message text) are visible in the
 * target's memory for hunting.
 */

// Data the remote thread needs. It is copied verbatim into the target
// process, so it may contain only plain values and inline char arrays:
// no pointers into this process's address space.
typedef struct __shared {
    // kernel32 export addresses, stored as DWORD: only valid for a
    // 32-bit process (pointers are truncated on 64-bit).
    DWORD loadlib;
    DWORD getprocaddr;
    DWORD getmodulefilename;
    // user32 module/function names and the message text, as NUL-terminated
    // strings. Fixed 20-byte fields; the values written below fit.
    char user32dll[20];
    char msgbox[20];
    char output[20];
} shared;

// Remote thread body. Runs in the target process at whatever address the
// caller copied it to, so it must be position-independent: it may not
// reference this module's imports or globals, only what `param` carries.
// Returns 0 as the thread exit code.
DWORD __stdcall rthread(void * param) {
    // Function-pointer types matching the kernel32/user32 exports used below.
    typedef HMODULE(WINAPI *LoadLibFunc)(LPCSTR);
    typedef FARPROC(WINAPI * GetProcAddrFunc)(HMODULE,LPCSTR);
    typedef DWORD(WINAPI *GetModuleFileNameFunc)(HMODULE, LPSTR, DWORD);
    typedef int(WINAPI * MsgBoxFunc)(HWND,LPSTR,LPSTR,UINT);
    shared * pshared = (shared*)param;
    // LoadLibraryA, resolved by the injector and passed in by address.
    LoadLibFunc LoadLib = (LoadLibFunc)pshared->loadlib;
    // GetProcAddress
    GetProcAddrFunc procFunc = (GetProcAddrFunc)pshared->getprocaddr;
    // GetModuleFileNameA
    GetModuleFileNameFunc moduleName = (GetModuleFileNameFunc)pshared->getmodulefilename;
    // Path of the target's main module (hModule NULL), shown as the box title.
    char filename[MAX_PATH];
    moduleName(NULL, filename, MAX_PATH);
    // Load user32 in the target and look up MessageBoxA by name; neither
    // return value is checked, so a failed lookup means a call through NULL.
    HMODULE hUser32 = LoadLib(pshared->user32dll);
    MsgBoxFunc msgBox = (MsgBoxFunc)procFunc(hUser32, pshared->msgbox);
    msgBox(NULL, pshared->output, filename, MB_OK);
    return 0;
}

// Injector side. `pid` is the target process id. Progress and failures are
// reported with printf only; the function has no return value and does not
// close the process or thread handles it opens.
void test_remote3(DWORD pid) {
    // Access mask covers thread creation, memory allocation and writing.
    HANDLE hPro = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, pid );
    // NOTE(review): the failure check compares against INVALID_HANDLE_VALUE;
    // OpenProcess's documented failure value is NULL, so this check does not
    // catch a failed open.
    if (INVALID_HANDLE_VALUE == hPro) return;
    shared sh = {0};
    // Resolve the three kernel32 exports in this process. kernel32 is
    // assumed to be mapped at the same base in the target (ASLR is
    // per-boot for system DLLs), which is what makes the raw DWORD
    // addresses meaningful over there.
    sh.loadlib = (DWORD)GetProcAddress(GetModuleHandle(TEXT("Kernel32.dll")),"LoadLibraryA");
    sh.getprocaddr = (DWORD)GetProcAddress(GetModuleHandle(TEXT("Kernel32.dll")), "GetProcAddress");
    sh.getmodulefilename = (DWORD)GetProcAddress(GetModuleHandle(TEXT("Kernel32.dll")), "GetModuleFileNameA");
    // Copy the module/function names and message text used by the remote
    // thread. All three literals are shorter than the 20-byte fields.
    strcpy(sh.user32dll, "user32.dll");
    strcpy(sh.msgbox, "MessageBoxA");
    strcpy(sh.output, "hey,fuck u");
    // Allocate a read/write page in the target for the parameter struct.
    // The result is printed but not checked before use.
    void* alloc = VirtualAllocEx(hPro, NULL, sizeof(shared), MEM_COMMIT, PAGE_READWRITE);
    printf("alloc:%p\n", alloc);
    DWORD writeBytes = 0;
    // Write the struct into the target process.
    BOOL ret = WriteProcessMemory(hPro, alloc, (void*)&sh, sizeof(shared), &writeBytes);
    printf("writebytes : %d, ret:%d\n", writeBytes, ret);
    // 32 KiB is a guess at the thread's code size; the actual length of
    // rthread is never measured.
    DWORD codeSize = 1<<15;
    // Allocate an RWX region in the target for the thread code. An RWX
    // commit in a foreign process is itself a high-signal event for
    // memory-scanning and EDR tooling.
    void *lpcode = VirtualAllocEx(hPro, NULL,codeSize ,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
    printf("lpcode:%p\n", lpcode);
    // Copies codeSize bytes starting at rthread's address, so the read
    // runs past the end of the function into whatever follows it in this
    // module; WriteProcessMemory reports failure via ret if that read
    // faults or the write is incomplete.
    ret = WriteProcessMemory(hPro, lpcode,&rthread, codeSize, &writeBytes);
    printf("writebytes:%d , ret = %d\n ", writeBytes, ret);
    if (!ret){
        printf("err:%d\n", GetLastError());
    }
    // Start the copied code as a new thread in the target, passing the
    // remote address of the parameter struct.
    HANDLE th = CreateRemoteThread(hPro, NULL, 0, (LPTHREAD_START_ROUTINE)lpcode, alloc, 0, NULL);
    // NOTE(review): same pattern as the OpenProcess check above —
    // CreateRemoteThread's documented failure value is NULL.
    if (INVALID_HANDLE_VALUE == th){
        printf("thread :%p\n", th);
    }
    // -1 is INFINITE: block until the remote thread exits.
    WaitForSingleObject(th, -1);
}