c++DLL注入，win32api版，win10测试通过

共5个文件

cpp：2个

rc：1个

bat：1个

inject

dll,

win10,

DLL注入

3星 · 超过75%的资源需积分: 45 200 浏览量 2017-07-21 22:48:59 上传评论 1 收藏 3KB ZIP 举报

资源推荐

资源详情

资源评论

收起资源包目录

inject.zip （5个子文件）

make.bat 134B

uac.manifest 342B

uac.rc 50B

inject.cpp 3KB

size.cpp 1KB

#include <windows.h> #include <winuser.h> #include <TlHelp32.h> #include <stdio.h> #include <conio.h> #include <stdlib.h> #include <assert.h> typedef DWORD (WINAPI *LPTHREAD_START_ROUTINE)(LPVOID lpThreadParameter); BOOL EnableDebugPrivilege() { BOOL iRet = -1; HANDLE hToken; iRet = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken);//获取当前进程权限令牌 assert(iRet != 0); LUID uid; iRet=LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &uid);//查看对应权限对应的系统进程uid assert(iRet != 0); TOKEN_PRIVILEGES tp; tp.PrivilegeCount = 1;//只修改一个权限 tp.Privileges[0].Luid = uid;//让新权限拥有系统进程uid tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; iRet = AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, 0);//修改当前进程权限令牌 if (GetLastError() != ERROR_SUCCESS) { printf("EnableDebugPrivilege fail\n"); } else { printf("EnableDebugPrivilege success\n"); } return iRet; } DWORD GetProcessID(const char *szProcessName) { HANDLE hSnapshoot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);//获取进程快照 assert(hSnapshoot != INVALID_HANDLE_VALUE); PROCESSENTRY32 pe = {sizeof pe}; BOOL fContinue = Process32First(hSnapshoot, &pe);//遍历那一刻快照中的所有进程 while (fContinue) { if (strcmp(pe.szExeFile, szProcessName) == 0)//找到了就返回其进程ID return pe.th32ProcessID; fContinue = Process32Next(hSnapshoot, &pe); } return 0; } BOOL InjectDll(const char *szProcessName, char *szDll) { BOOL iRet = FALSE; HANDLE hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE, FALSE, GetProcessID(szProcessName)); if (GetLastError() != ERROR_SUCCESS) { printf("OpenProcess fail\n"); } else { printf("OpenProcess success\n"); } assert(hRemoteProcess != INVALID_HANDLE_VALUE); HMODULE hModule = GetModuleHandle("kernel32.dll"); PVOID lpBaseAddr = VirtualAllocEx(hRemoteProcess, NULL, strlen(szDll)+1, MEM_COMMIT, PAGE_READWRITE);//在目标进程中开辟一个空间，用于存放注入dll名的字符串 if (GetLastError() != ERROR_SUCCESS) { printf("VirtualAllocEx fail\n"); } else { printf("VirtualAllocEx success\n"); } assert(lpBaseAddr != NULL); iRet = WriteProcessMemory(hRemoteProcess, lpBaseAddr, (LPVOID)szDll, strlen(szDll)+1, NULL);//将dll名写入到目标进程 if (GetLastError() != ERROR_SUCCESS) { printf("WriteProcessMemory fail\n"); } else { printf("WriteProcessMemory success\n"); } assert(iRet != 0); LPTHREAD_START_ROUTINE addr = (LPTHREAD_START_ROUTINE)GetProcAddress(hModule, "LoadLibraryA"); iRet = (DWORD)CreateRemoteThread(hRemoteProcess, NULL, 0, addr, lpBaseAddr, 0, NULL);//创建远程线程，在目标进程中的dll字符串地址作为参数传入 if (GetLastError() != ERROR_SUCCESS) { printf("CreateRemoteThread fail\n"); } else { printf("CreateRemoteThread success\n"); } return iRet; } int main(int argc, char* argv[]) { char *dllpath = "C:\\Users\\wangy\\Desktop\\size.dll"; EnableDebugPrivilege(); InjectDll("wps.exe", dllpath); getch(); return 0; }

评论收藏

内容反馈