为什么无法注入(已经获得管理员权限并进行了令牌提权)
无法注入dll,注入过程中没有发现任何错误,我的电脑是x64的,平台也是换成了x64,好像还是没用exe代码:
#include<Windows.h>
#include<Stdio.h>
#include<Psapi.h>
#include<TlHelp32.h>
DWORD GetProcessID(char *name)
{
HANDLE snapshot;
PROCESSENTRY32 processinfo;
processinfo.dwSize = sizeof(processinfo);
snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (snapshot == NULL)
return FALSE;
BOOL status = Process32First(snapshot, &processinfo);
while (status)
{
if (_stricmp(name, processinfo.szExeFile) == 0)
return processinfo.th32ProcessID;
status = Process32Next(snapshot, &processinfo);
}
return -1;
}
int main()
{
DWORD Processid;
CHAR name;
CHAR DllName;
DWORD dwProcessId;
HANDLE hProcess;
TCHAR* pDllName;
BOOL bSuccess;
HANDLE hThread;
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
printf("输入要注入的程序名称:");
scanf("%s", name);
dwProcessId = GetProcessID(name);
strcpy(DllName, "HOOK.dll");
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
printf("打开令牌失败,错误代码:%d", GetLastError());
Sleep(3000);
return 0;
}
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
{
CloseHandle(hToken);
printf("提权失败,错误代码:%d", GetLastError());
Sleep(3000);
return 0;
}
tkp.PrivilegeCount = 1;
tkp.Privileges.Luid = sedebugnameValue;
tkp.Privileges.Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
{
CloseHandle(hToken);
printf("提权失败,错误代码:%d", GetLastError());
Sleep(3000);
return 0;
}
hProcess = OpenProcess(
PROCESS_CREATE_THREAD |
PROCESS_VM_OPERATION |
PROCESS_VM_WRITE,
FALSE, dwProcessId);
if (hProcess == NULL)
{
printf("打开进程失败,错误代码:%d", GetLastError());
Sleep(3000);
return 0;
}
pDllName = (TCHAR*)VirtualAllocEx(hProcess,
NULL,
strlen(DllName),
MEM_COMMIT,
PAGE_READWRITE);
if (pDllName == NULL)
{
printf("分配内存失败,错误代码:%d", GetLastError());
Sleep(3000);
return 0;
}
bSuccess = WriteProcessMemory(hProcess,
(LPVOID)pDllName,
&DllName,
strlen(DllName),
NULL);
if (bSuccess == 0)
{
printf("写入内存失败,错误代码:%d", GetLastError());
Sleep(3000);
return 0;
}
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT("Kernel32.dll")), "LoadLibraryW");
if (pfnThreadRtn == NULL)
{
printf("获取LoadLinrary地址失败,错误代码:%d", GetLastError());
Sleep(3000);
return 0;
}
hThread = CreateRemoteThread(hProcess,
NULL,
0,
pfnThreadRtn,
pDllName,
0,
NULL);
if (hThread == NULL)
{
printf("创建远程线程失败,错误代码:%d", GetLastError());
Sleep(3000);
return 0;
}
WaitForSingleObject(hThread, INFINITE);
VirtualFreeEx(hProcess,
&pDllName,
strlen(DllName),
MEM_RELEASE);
printf("成功将HOOK.dll注入到目标进程中");
Sleep(INFINITE);
WaitForSingleObject(hThread, INFINITE);
return 0;
}
dll代码:
#include<windows.h>
LRESULT WINAPI MsgProc(int, WPARAM, LPARAM);
HHOOK g_hHook = NULL;
HINSTANCE g_hInstance;
BOOL WINAPI DllMain(HINSTANCE hInstanceDll, DWORD fdwReason, PVOID ImpLoad)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
g_hInstance = hInstanceDll;
g_hHook = SetWindowsHookEx(WH_GETMESSAGE, MsgProc, hInstanceDll, 0);
MessageBox(NULL, TEXT("学编程到鱼C论坛\nbbs.fishc.com\n按“确认打开bbs.fishc.com”"), TEXT("提醒"), MB_OK | MB_ICONEXCLAMATION);
system("start bbs.fishc.com");
return TRUE;
case DLL_PROCESS_DETACH:
UnhookWindowsHookEx(g_hHook);
}
}
LRESULT WINAPI MsgProc(int nCode, WPARAM wParam, LPARAM lParam)
{
MessageBox(NULL, TEXT("学编程到鱼C论坛\nbbs.fishc.com\n按“确认打开bbs.fishc.com”"), TEXT("提醒"), MB_OK | MB_ICONEXCLAMATION);
system("start bbs.fishc.com");
returnCallNextHookEx(g_hHook, nCode, wParam, lParam);
}
注入成功了,但是注入没啥用,已经获得管理员权限并进行了令牌提权
输出:
求大神帮忙!{:5_100:} @迷雾少年 本帖最后由 迷雾少年 于 2016-8-19 10:27 编辑
WIN7x64 下普通的线程注入好像失效了 之前我也试过没用
http://bbs.csdn.net/topics/391019707
http://bbs.csdn.net/topics/390402108
http://bbs.fishc.com/thread-45167-1-1.html
你可以试试shellcode注入 我的一个帖子有 迷雾少年 发表于 2016-8-19 10:24
WIN7x64 下普通的线程注入好像失效了 之前我也试过没用
http://bbs.csdn.net/topics/391019707
http://bb ...
恩恩,我试试
页:
[1]