标签:class blog code tar ext com
// CommonInject.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <windows.h>
#include <WinUser.h>
#include <WinDef.h>
#include <iostream>
#include <Tlhelp32.h>
using namespace std;
#include <Psapi.h>
#pragma comment(lib,"Psapi.lib")
//通用dll 注入器
HANDLE GetProcessWithName(const std::wstring &proc_name){
HANDLE hd = NULL;
HANDLE hpross = NULL;
int retls = 0;
PROCESSENTRY32 pinfo = {0};
wchar_t szFileName[MAX_PATH] = {0};
hpross = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if(INVALID_HANDLE_VALUE == hpross)
{
return hd;
}
HANDLE hToken;
if(OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken))
{
LUID luid;
if(LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
{
TOKEN_PRIVILEGES TokenPrivileges;
TokenPrivileges.PrivilegeCount = 1;
TokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
TokenPrivileges.Privileges[0].Luid = luid;
AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, 0, NULL, NULL);
}
CloseHandle(hToken);
}
pinfo.dwSize = sizeof(PROCESSENTRY32);
retls = Process32First(hpross,&pinfo);
while(retls)
{
swprintf_s(szFileName,_countof(szFileName)-1,L"%s",pinfo.szExeFile);
if (0 == _wcsicmp(szFileName,proc_name.c_str()))
{
hd = OpenProcess(PROCESS_ALL_ACCESS ,TRUE,pinfo.th32ProcessID);
}
if(!Process32Next(hpross, &pinfo))
{
break;
}
}
CloseHandle(hpross);
hpross = NULL;
return hd;
}
//提权操作
BOOL EnablePrivilege(LPWSTR name)
{
HANDLE hToken;
BOOL rv;
TOKEN_PRIVILEGES priv = {1, {0, 0, SE_PRIVILEGE_ENABLED}};
LookupPrivilegeValue(0, name, &priv.Privileges[0].Luid);
OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken);
AdjustTokenPrivileges(hToken, FALSE, &priv, sizeof priv, 0, 0);
rv = GetLastError() == ERROR_SUCCESS;
CloseHandle(hToken);
return rv;
}
int inject(){
if (0 == EnablePrivilege(SE_DEBUG_NAME))
return 0;
DWORD dwPID;
PWSTR libFileRemote=NULL;
HANDLE hThread=NULL;
HANDLE handle=NULL;
__try{
int processid;
cout<<"输入要注入的进程id:"<<endl;
cin>>processid;
handle=GetProcessWithName(L"FileMD5.exe");
// handle=OpenProcess(PROCESS_ALL_ACCESS,TRUE, processid);
if(NULL==handle){
cout<<"进程打开失败"<<endl;
return -1;
}
std::string dllname="E:\\C++Code\\windows\\Dll\\myDll\\Debug\\myDll.dll";
libFileRemote=(PWSTR)VirtualAllocEx(handle,NULL,dllname.size(),MEM_COMMIT,PAGE_READWRITE);
if(libFileRemote==NULL){
cout<<"申请远程进程空间失败"<<::GetLastError()<<endl;
return -1;
}
BOOL RET=WriteProcessMemory(handle,libFileRemote,dllname.c_str(),dllname.size(),NULL);
if(RET ==FALSE){
cout<<"远程进程数据写入失败"<<endl;
}
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
hThread = CreateRemoteThread(handle, NULL, 0,
pfnThreadRtn, libFileRemote, 0, NULL);
if(hThread==NULL){
cout<<"远程线程创建失败";
}
WaitForSingleObject(hThread, INFINITE);
cout<<"注入完成";
}
__finally{
if (libFileRemote != NULL)
VirtualFreeEx(handle, libFileRemote, 0, MEM_RELEASE);
if (hThread != NULL)
CloseHandle(hThread);
if (handle != NULL)
CloseHandle(handle);
cout<<"完成释放";
}
}
int _tmain(int argc, _TCHAR* argv[])
{
inject();
system("pause");
return 0;
}
vs2010 编译通过,unicode编码
通过输入进程id或者,通过修改进程名,来选择目标进程
标签:class blog code tar ext com
原文地址:http://blog.csdn.net/seanyxie/article/details/28428397
