#include <windows.h>
#include <iostream>
#define STRLEN 20

// Parameter block handed to the remote thread (see RemoteThreadProc).
// InjectCode fills it in locally and copies it byte-for-byte into the
// target process with WriteProcessMemory, so it holds only plain data:
// API addresses resolved by the injector and fixed-size char buffers for
// the names the remote thread needs. Storing code addresses as DWORD ties
// the whole scheme to a 32-bit injector and a 32-bit target.
typedef struct _DATA
{
DWORD dwLoadLibrary;        // address of kernel32!LoadLibraryA (set in InjectCode)
DWORD dwGetProcAddress;     // address of kernel32!GetProcAddress
DWORD dwGetModuleHandle;    // address of kernel32!GetModuleHandleA (resolved but unused by the remote thread)
DWORD dwGetModuleFileName;  // address of kernel32!GetModuleFileNameA

// STRLEN (20) bytes each; InjectCode fills them with lstrcpy and no
// length check, so any string longer than 19 characters would overflow.
char User32Dll[STRLEN];     // "user32.dll"
char MessageBox[STRLEN];    // "MessageBoxA"
char Str[STRLEN];           // text shown by the remote message box
}DATA, *PDATA;

// Thread procedure that runs inside the target process.
// InjectCode copies this function's raw machine code into the target with
// WriteProcessMemory and starts it with CreateRemoteThread. Because the
// bytes are copied as-is, any reference to the injector's own address
// space (string literals, globals, calls through the import table) would
// be meaningless in the target; that is why every address and string the
// body needs arrives through the DATA block.
// lpParam: pointer, valid in the target process, to the DATA block that
//          InjectCode wrote there.
// Returns 0 after the message box is dismissed.
// Detection note: the observable footprint is a thread whose start
// address lies in private executable memory rather than in a mapped
// image, which then calls LoadLibraryA for user32.dll.
DWORD WINAPI RemoteThreadProc(LPVOID lpParam)
{
PDATA pData = (PDATA)lpParam;

// Function-pointer prototypes for the APIs resolved by the injector.
// LPCTSTR matches the char buffers in DATA only in a non-UNICODE build;
// the rest of the file passes narrow literals to GetModuleHandle, so an
// ANSI build is what this code assumes.
HMODULE (__stdcall *MyLoadLibrary)(LPCTSTR);
FARPROC (__stdcall *MyGetProcAddress)(HMODULE, LPCSTR);
HMODULE (__stdcall *MyGetModuleHandle)(LPCTSTR);
int (__stdcall *MyMessageBox)(HWND, LPCTSTR, LPCTSTR, UINT);
DWORD (__stdcall *MyGetModuleFileName)(HMODULE, LPTSTR, DWORD);

// Take the addresses that InjectCode resolved in its own process and use
// them unchanged here. That only works if kernel32 is mapped at the same
// base in both processes; nothing verifies it. MyGetModuleHandle is
// assigned but never called.
MyLoadLibrary = (HMODULE (__stdcall *)(LPCTSTR))pData->dwLoadLibrary;
MyGetProcAddress = (FARPROC (__stdcall *)(HMODULE, LPCSTR))pData->dwGetProcAddress;
MyGetModuleHandle = (HMODULE (__stdcall *)(LPCTSTR))pData->dwGetModuleHandle;
MyGetModuleFileName = (DWORD (__stdcall *)(HMODULE, LPTSTR, DWORD))pData->dwGetModuleFileName;

// Load user32.dll in the target. The returned handle is not checked.
HMODULE hModule = MyLoadLibrary(pData->User32Dll);
// Resolve MessageBoxA by name. If hModule is NULL or the lookup fails,
// MyMessageBox is NULL and the call below faults inside the target.
MyMessageBox = (int (__stdcall *)(HWND, LPCTSTR, LPCTSTR, UINT))
MyGetProcAddress(hModule, pData->MessageBox);
// Path of the target's own executable (NULL module = the calling
// process's image); it becomes the message-box caption so the user can
// see which process the thread is running in.
char szModuleFileName[MAX_PATH] = {0};
MyGetModuleFileName(NULL, szModuleFileName, MAX_PATH);

// Text = pData->Str, caption = target's executable path.
MyMessageBox(NULL, pData->Str, szModuleFileName, MB_OK);

return 0;
}


// Copies RemoteThreadProc and a DATA block into the process dwPid and runs
// the copy there on a new thread, then waits for that thread to finish.
// dwPid: process id of the target; if it cannot be opened the function
//        returns silently.
// Returns nothing and reports no errors: every Win32 call after
// OpenProcess has its result ignored, so a failed allocation, write or
// thread creation is not noticed here.
// Detection note: OpenProcess with PROCESS_ALL_ACCESS, VirtualAllocEx of
// PAGE_EXECUTE_READWRITE memory, WriteProcessMemory and CreateRemoteThread
// against a foreign process is the classic remote-thread injection
// sequence that host monitoring keys on; the two RWX regions are never
// freed, so they remain visible in the target after this function returns.
void InjectCode(DWORD dwPid)
{
// Open the target. PROCESS_ALL_ACCESS requests far more than the
// allocate/write/create-thread operations below actually use.
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE,dwPid);

if(NULL== hProcess)
return;

DATA Data = {0};

// Resolve the kernel32 exports in this process. The remote thread uses
// these addresses unchanged (see RemoteThreadProc), which assumes the
// same kernel32 base in the target. The (DWORD) casts truncate pointers
// on a 64-bit build. GetModuleHandle's result is not checked.
Data.dwLoadLibrary= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
Data.dwGetProcAddress= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetProcAddress");
Data.dwGetModuleHandle= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetModuleHandleA");
Data.dwGetModuleFileName= (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetModuleFileNameA");

// Names the remote thread needs. lstrcpy has no bound; the three literals
// fit in STRLEN (20) bytes, but nothing enforces that.
lstrcpy(Data.User32Dll,"user32.dll");
lstrcpy(Data.MessageBox,"MessageBoxA");
// Message shown by the remote thread.
lstrcpy(Data.Str,"Code Inject !!!");

// Allocate room for the DATA block in the target. It is only ever read
// there, yet it is requested PAGE_EXECUTE_READWRITE; a NULL result is
// not checked before the write below.
LPVOID lpData = VirtualAllocEx(hProcess, NULL, sizeof(Data),
MEM_COMMIT,PAGE_EXECUTE_READWRITE);
DWORD dwWriteNum = 0;
WriteProcessMemory(hProcess,lpData, &Data,sizeof(Data), &dwWriteNum);

// Allocate room for the code. dwFunSize is a 16-bit WORD despite the
// "dw" prefix (0x4000 still fits). The real length of RemoteThreadProc
// is never computed: the copy below takes 0x4000 bytes starting at its
// address, i.e. the function plus whatever follows it in this image.
WORD dwFunSize = 0x4000;
LPVOID lpCode = VirtualAllocEx(hProcess, NULL, dwFunSize,
MEM_COMMIT,PAGE_EXECUTE_READWRITE);

// Copy the raw machine code; result and lpCode == NULL are not checked.
WriteProcessMemory(hProcess,lpCode,&RemoteThreadProc,
dwFunSize,&dwWriteNum);
// Start the copied code with lpData as its parameter. hThread may be
// NULL; WaitForSingleObject is still called with it.
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
(LPTHREAD_START_ROUTINE)lpCode,
lpData,0, NULL);
// Blocks until the remote thread exits, in practice until the message
// box it shows is dismissed.
WaitForSingleObject(hThread,INFINITE);

// Only the handles are released; lpData and lpCode are left allocated in
// the target (no VirtualFreeEx).
CloseHandle(hThread);
CloseHandle(hProcess);
}

// Looks up a process id by the title of one of its top-level windows.
// Name: exact window title passed to FindWindow (not an executable name).
// Returns the owning process id, narrowed from DWORD to int.
// Caveat: if no window matches, FindWindow returns NULL,
// GetWindowThreadProcessId fails, and Retn is returned without ever having
// been initialised, so the caller receives an indeterminate value rather
// than an error.
int GetProcessID(char *Name)
{
// Despite its name, Pid holds a window handle, not a process id.
HWND Pid=::FindWindow(NULL,Name);
DWORD Retn;
// Return value ignored; Retn is only written on success.
::GetWindowThreadProcessId(Pid,&Retn);
return Retn;
}

// Entry point: finds the process that owns a window titled "lyshark.exe"
// and injects into it. The lookup result is passed straight to InjectCode
// without being validated, so a missing window yields an indeterminate
// pid (see GetProcessID) and InjectCode then silently fails or targets
// whatever process that value happens to name.
int main()
{

int ppid;

// FindWindow matches a window title, so this only works while a
// top-level window with exactly that title exists.
ppid = ::GetProcessID("lyshark.exe");
InjectCode(ppid);


return 0;
}



版权声明:本博客文章与代码均为学习时整理的笔记,文章 [均为原创] 作品,转载请 [添加出处] ,您添加出处是我创作的动力!