#include <windows.h>
#include <winuser.h>
#include <TlHelp32.h>
#include <assert.h>
#include <conio.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* NOTE(review): windows.h already declares LPTHREAD_START_ROUTINE with this exact
 * signature; this is an identical redefinition (accepted in C11) and can be dropped. */
typedef DWORD (WINAPI *LPTHREAD_START_ROUTINE)(LPVOID lpThreadParameter);
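/*
 * Enable SeDebugPrivilege on the current process token so that OpenProcess
 * can later obtain handles to processes owned by other users or SYSTEM.
 *
 * Returns TRUE only when the privilege is actually enabled. AdjustTokenPrivileges
 * returns TRUE even when the token does not hold the privilege at all (it then
 * sets GetLastError() to ERROR_NOT_ALL_ASSIGNED, e.g. when not running
 * elevated), so that case is folded into the return value here. Failures are
 * reported with explicit checks rather than assert(), which disappears under
 * NDEBUG and would let the function continue with an invalid token handle.
 * The token handle is closed on every path.
 */
BOOL EnableDebugPrivilege(void)
{
    HANDLE hToken = NULL;
    LUID uid;
    TOKEN_PRIVILEGES tp;
    BOOL ok = FALSE;

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        printf("OpenProcessToken fail (%lu)\n", (unsigned long)GetLastError());
        return FALSE;
    }

    /* Resolve the LUID that names SeDebugPrivilege on this machine. */
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &uid)) {
        printf("LookupPrivilegeValue fail (%lu)\n", (unsigned long)GetLastError());
        goto out;
    }

    tp.PrivilegeCount = 1;               /* adjust exactly one privilege */
    tp.Privileges[0].Luid = uid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    /* A TRUE return is not sufficient: check ERROR_NOT_ALL_ASSIGNED as well. */
    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof tp, NULL, NULL)
        || GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        printf("EnableDebugPrivilege fail\n");
    } else {
        printf("EnableDebugPrivilege success\n");
        ok = TRUE;
    }

out:
    CloseHandle(hToken);
    return ok;
}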
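/*
 * Return the PID of the first running process whose image file name matches
 * szProcessName, comparing case-insensitively because Windows file names are
 * (so "WPS.exe" and "wps.exe" denote the same image).
 *
 * Returns 0 if szProcessName is NULL, no such process exists, or the snapshot
 * could not be taken. Only the first match is returned; if several instances
 * are running (or the PID has since been reused) the caller cannot tell.
 * Assumes an ANSI build: szExeFile is compared as a char string.
 * The snapshot handle is closed on every path.
 */
DWORD GetProcessID(const char *szProcessName)
{
    DWORD pid = 0;

    if (szProcessName == NULL) {
        return 0;
    }

    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {
        printf("CreateToolhelp32Snapshot fail (%lu)\n", (unsigned long)GetLastError());
        return 0;
    }

    /* dwSize must be set before Process32First; the rest is zero-filled. */
    PROCESSENTRY32 pe = { sizeof pe };
    if (Process32First(hSnap, &pe)) {
        do {
            if (_stricmp(pe.szExeFile, szProcessName) == 0) {
                pid = pe.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnap, &pe));
    }

    CloseHandle(hSnap);
    return pid;
}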
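/*
 * Inject the DLL at szDll into the first process named szProcessName using the
 * classic CreateRemoteThread + LoadLibraryA technique:
 *   1. allocate a buffer in the target and write the DLL path into it,
 *   2. start a remote thread whose start address is kernel32!LoadLibraryA and
 *      whose single argument is that buffer.
 *
 * Returns TRUE when the remote thread ran and LoadLibraryA returned non-NULL,
 * FALSE otherwise. The process handle, thread handle and remote buffer are
 * released on every path. Error status is taken from each API's return value;
 * GetLastError() is only meaningful after a call has failed, so it is not used
 * to judge success.
 *
 * Caveats the caller must respect:
 *  - injector and target must have the same bitness: the LoadLibraryA address
 *    is resolved in this process and reused in the target, which only works
 *    because kernel32.dll is mapped at the same base in processes of the same
 *    architecture;
 *  - szDll should be an absolute path, otherwise it is resolved with the
 *    target's DLL search order rather than ours;
 *  - the thread exit code is the HMODULE truncated to 32 bits, so on x64 a
 *    non-zero value only proves that LoadLibraryA did not fail;
 *  - the wait is unbounded; if the DLL's DllMain blocks, so does this call.
 */
BOOL InjectDll(const char *szProcessName, const char *szDll)
{
    BOOL ok = FALSE;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    LPVOID lpRemoteBuf = NULL;
    DWORD dwExit = 0;

    if (szProcessName == NULL || szDll == NULL || szDll[0] == '\0') {
        printf("InjectDll: invalid arguments\n");
        return FALSE;
    }
    SIZE_T cbPath = strlen(szDll) + 1;      /* include the terminating NUL */

    DWORD pid = GetProcessID(szProcessName);
    if (pid == 0) {
        printf("process %s not found\n", szProcessName);
        return FALSE;
    }

    /* Rights documented as required by CreateRemoteThread / VirtualAllocEx /
     * WriteProcessMemory. OpenProcess returns NULL on failure, not
     * INVALID_HANDLE_VALUE. */
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                           FALSE, pid);
    if (hProcess == NULL) {
        printf("OpenProcess fail\n");
        return FALSE;
    }
    printf("OpenProcess success\n");

    HMODULE hKernel32 = GetModuleHandle("kernel32.dll");
    if (hKernel32 == NULL) {
        printf("GetModuleHandle(kernel32.dll) fail\n");
        goto out;
    }
    LPTHREAD_START_ROUTINE pfnLoadLibraryA =
        (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryA");
    if (pfnLoadLibraryA == NULL) {
        printf("GetProcAddress(LoadLibraryA) fail\n");
        goto out;
    }

    /* Remote buffer holding the DLL path that LoadLibraryA will read. */
    lpRemoteBuf = VirtualAllocEx(hProcess, NULL, cbPath, MEM_COMMIT, PAGE_READWRITE);
    if (lpRemoteBuf == NULL) {
        printf("VirtualAllocEx fail\n");
        goto out;
    }
    printf("VirtualAllocEx success\n");

    if (!WriteProcessMemory(hProcess, lpRemoteBuf, szDll, cbPath, NULL)) {
        printf("WriteProcessMemory fail\n");
        goto out;
    }
    printf("WriteProcessMemory success\n");

    hThread = CreateRemoteThread(hProcess, NULL, 0, pfnLoadLibraryA, lpRemoteBuf, 0, NULL);
    if (hThread == NULL) {
        printf("CreateRemoteThread fail\n");
        goto out;
    }
    printf("CreateRemoteThread success\n");

    /* LoadLibraryA reads the remote buffer; it must finish before the buffer
     * is freed below. */
    if (WaitForSingleObject(hThread, INFINITE) == WAIT_OBJECT_0
        && GetExitCodeThread(hThread, &dwExit) && dwExit != 0) {
        ok = TRUE;
    } else {
        printf("LoadLibraryA failed in target\n");
    }

out:
    if (hThread != NULL) {
        CloseHandle(hThread);
    }
    if (lpRemoteBuf != NULL) {
        VirtualFreeEx(hProcess, lpRemoteBuf, 0, MEM_RELEASE);
    }
    CloseHandle(hProcess);
    return ok;
}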
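/*
 * Entry point: enable SeDebugPrivilege, then inject the DLL.
 *
 * Usage: prog [process-name] [dll-path]. With no arguments the original
 * hard-coded target ("wps.exe") and DLL path are used. Exit status is 0 when
 * the injection succeeded and 1 otherwise, so the result is scriptable.
 */
int main(int argc, char *argv[])
{
    const char *process = argc > 1 ? argv[1] : "wps.exe";
    const char *dllpath = argc > 2 ? argv[2] : "C:\\Users\\wangy\\Desktop\\size.dll";
    int rc = 1;

    /* Not fatal: an unprotected target owned by the same user can usually be
     * opened without SeDebugPrivilege. */
    if (!EnableDebugPrivilege()) {
        printf("warning: SeDebugPrivilege not enabled; other users' processes will fail to open\n");
    }

    if (InjectDll(process, dllpath)) {
        rc = 0;
    }

    getch();    /* keep the console window open until a key is pressed */
    return rc;
}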
c++ DLL注入,win32 api版,win10测试通过