#include <stdio.h>
#include <windows.h>
#include <stdlib.h>
int MsgBoxInject(int procID);
int LocateProcID(char* str);
typedef struct DATAPAK /* data block written into the target process next to the copied CodetoInject */
{
    FARPROC FuncAddr[3]; /* kernel32 exports the payload calls directly; filled by MsgBoxInject:
                          * [0] LoadLibraryA, [1] GetProcAddress, [2] FreeLibrary */
    char str[4][128];    /* strings the payload passes on; filled by MsgBoxInject:
                          * [0] message-box caption, [1] message-box text,
                          * [2] export name to resolve ("MessageBoxA"), [3] module to load ("user32.dll") */
}DATAPAK;
/*
 * Payload that runs inside the target process. Only this function's bytes are
 * copied there (MsgBoxInject sizes it as End - CodetoInject), so it has to be
 * self-contained: every function it needs arrives as an address inside the
 * DATAPAK it receives, and every string lives in that same block. A direct call
 * into this module or a string literal here would be addressed relative to the
 * injecting process and would point at nothing useful in the target.
 *
 * DataAddr: remote address of the DATAPAK written by MsgBoxInject (it is passed
 *           as the thread parameter of CreateRemoteThread).
 * Returns 0; the value surfaces as the remote thread's exit code.
 */
static int CodetoInject(LPVOID DataAddr)
{
    DATAPAK *dat = DataAddr;
    HMODULE hMod;
    /* Pointer types for the four APIs used:
     * A = LoadLibraryA, B = GetProcAddress, C = MessageBoxA, D = FreeLibrary
     * (FreeLibrary actually returns BOOL; its result is ignored here). */
    HMODULE(*FuncA)(char* str);
    FARPROC(*FuncB)(HMODULE hMod, char* str);
    int(*FuncC)(HWND hWnd, char* str, char* strl, int style);
    void(*FuncD)(HMODULE hMod);
    /* A, B and D were resolved from kernel32 by the injector. */
    FuncA = (void*)dat->FuncAddr[0];
    FuncB = (void*)dat->FuncAddr[1];
    FuncD = (void*)dat->FuncAddr[2];
    hMod = FuncA(dat->str[3]);               /* LoadLibraryA(str[3]), i.e. user32.dll — a module load the target did not ask for */
    FuncC = (void*)FuncB(hMod, dat->str[2]); /* GetProcAddress(hMod, str[2]), i.e. MessageBoxA, resolved at run time in the target */
    /* MessageBoxA(NULL, text = str[1], caption = str[0], MB_OK | MB_ICONERROR).
     * Neither hMod nor FuncC is checked for NULL before being used. */
    FuncC(NULL, dat->str[1], dat->str[0], MB_OK | MB_ICONERROR);
    FuncD(hMod);
    return 0;
}
/*
 * Empty marker function. Its address is used by MsgBoxInject as the end of
 * CodetoInject when computing how many bytes to copy.
 * NOTE(review): this assumes the toolchain lays End out immediately after
 * CodetoInject; nothing in the source guarantees that placement.
 */
static void End()
{
    ;
}
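/*
 * Entry point: resolve the target's PID from its window title, inject the
 * message-box payload into it and print the remote thread's exit code.
 * Returns 0 after the injection attempt, 1 when no target process is found.
 * Diagnostics go to stdout.
 */
int main()
{
    /* Window title of the target. LocateProcID hands it to FindWindowW, which
     * expects UTF-16, so the literal must be wide; LocateProcID's declared
     * parameter type is char*, hence the cast (the pointer value is unchanged). */
    const wchar_t* str = L"TraceMe 动态分析技术";
    printf("[INFO] 正在尝试注入消息窗口。。。\n");
    int procID = 0; /* target PID; left 0 here so it is looked up from the window title */
    if (!procID) procID = LocateProcID((char*)str);
    if (!procID)
    {
        /* No such window (or the lookup failed): do not continue with PID 0. */
        printf("[ERROR] 未找到目标进程。\n");
        return 1;
    }
    int result = MsgBoxInject(procID); /* inject the message box */
    printf("[DEBUG] result = 0x%X\n", (unsigned)result);
    return 0;
}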
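/*
 * Find the process that owns the top-level window titled `str`.
 *
 * str: window title. It is forwarded to FindWindowW and therefore treated as
 *      UTF-16 despite the char* declaration (kept for the existing prototype
 *      and caller). FindWindowW returns the first window with that title.
 * Returns the owning PID, or 0 when no such window exists or the owner cannot
 * be determined. (The original returned an uninitialized value in that case.)
 */
int LocateProcID(char* str)
{
    HWND hWnd = FindWindowW(NULL, (const wchar_t*)str);
    if (!hWnd)
    {
        printf("[ERROR] 窗口定位失败。\n");
        return 0;
    }
    printf("[INFO] 窗口定位成功。\n");
    DWORD ProcID = 0;
    /* GetWindowThreadProcessId returns the thread ID (0 on failure) and writes
     * the PID through the out-parameter; only the PID is wanted here. */
    if (!GetWindowThreadProcessId(hWnd, &ProcID))
    {
        return 0;
    }
    return (int)ProcID;
}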
/*
 * Copy CodetoInject and a filled-in DATAPAK into process `procID`, run the copy
 * on a new thread there, and return that thread's exit code.
 *
 * The call chain below — OpenProcess(PROCESS_ALL_ACCESS), VirtualAllocEx,
 * WriteProcessMemory, CreateRemoteThread — is the textbook remote-thread
 * injection sequence and exactly the pattern host-based monitoring keys on; the
 * target additionally loads user32.dll on the payload's behalf. Full process
 * access is requested although only memory and thread operations are performed.
 *
 * procID: target process ID. An invalid ID is not rejected here: OpenProcess
 *         fails and the failure is only partially reported (see notes below).
 * Returns the remote thread's exit code (0 from CodetoInject), converted to int.
 */
int MsgBoxInject(int procID)
{
    HANDLE hProc;
    HANDLE hMod;      /* HMODULE of kernel32.dll in this process, held as HANDLE */
    DATAPAK dat;
    LPVOID DataAddr;  /* remote copy of dat */
    LPVOID CodeAddr;  /* remote copy of CodetoInject */
    HANDLE hThread;
    DWORD ExitCode=0x0;
    //int result=1;
    /* Payload size = distance between the two function entry points. Assumes End
     * follows CodetoInject in the image (not guaranteed) and truncates both
     * pointers to int, so it is only meaningful in a 32-bit build. */
    int CodeSize = (int)End - (int)CodetoInject;
    printf("[INFO] 待注入的代码大小为:%dB。\n", CodeSize);
    /* Resolve the kernel32 exports the payload calls. The addresses are taken
     * from this process and used unchanged in the target, i.e. the code relies
     * on kernel32.dll being mapped at the same base in both processes.
     * Neither GetModuleHandleA nor GetProcAddress results are checked. */
    hMod = GetModuleHandleA("kernel32.dll");
    dat.FuncAddr[0] = GetProcAddress(hMod, "LoadLibraryA");
    dat.FuncAddr[1] = GetProcAddress(hMod, "GetProcAddress");
    dat.FuncAddr[2] = GetProcAddress(hMod, "FreeLibrary");
    //printf("0x%X\n", dat.FuncAddr[2]);
    /* Strings the payload passes on: caption, body text, the export to resolve,
     * the module to load. All fit within the 128-byte slots. */
    strcpy(dat.str[0], "未知错误");
    strcpy(dat.str[1], "警告,该进程可能被注入恶意代码!");
    strcpy(dat.str[2], "MessageBoxA");
    strcpy(dat.str[3], "user32.dll");
    hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID); /* open the target */
    /* NOTE(review): the error reporting from here on inspects GetLastError()
     * instead of each call's own return value. A successful call does not reset
     * the last-error code, so a stale value can print an error after success,
     * and a failed call (hProc == NULL) does not stop the handle being used below. */
    if (GetLastError()) printf("[ERROR] 获取内存读写操作权限失败,错误代码为:%d。\n", GetLastError());
    else printf("[INFO] 获取内存读写操作权限成功。\n");
    /* Two read/write regions in the target: one for dat, one for the code bytes. */
    DataAddr = VirtualAllocEx(hProc, NULL, sizeof(DATAPAK), MEM_COMMIT, PAGE_READWRITE);
    CodeAddr = VirtualAllocEx(hProc, NULL, CodeSize, MEM_COMMIT, PAGE_READWRITE);
    if (GetLastError()) printf("[ERROR] 申请内存失败。异常代码为:%d\n", GetLastError());
    else printf("[INFO] 申请内存成功。\n");
    /* Copy the data block and the function body into those regions. */
    WriteProcessMemory(hProc, DataAddr, &dat, sizeof(DATAPAK), NULL);
    WriteProcessMemory(hProc, CodeAddr, CodetoInject, CodeSize, NULL);
    if (GetLastError()) printf("[ERROR] 写入过程中出现异常。异常代码为:%d\n", GetLastError());
    else printf("[INFO] 代码成功写入内存。\n");
    /* Start the copied code as a thread in the target; DataAddr becomes CodetoInject's argument. */
    hThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)CodeAddr, DataAddr, 0, NULL);
    if (hThread) printf("[INFO] 创建远程线程成功。\n");
    else printf("[ERROR] 创建远程线程失败。\n");
    /* Waited on even when creation failed (hThread may be NULL here). */
    WaitForSingleObject(hThread, INFINITE);
    GetExitCodeThread(hThread, &ExitCode);
    printf("[INFO] 进程已退出,退出码为:0x%X\n", ExitCode); /* it is the remote thread, not the process, that has finished */
    /* Release the remote memory and the handles. */
    VirtualFreeEx(hProc, CodeAddr, 0, MEM_RELEASE);
    VirtualFreeEx(hProc, DataAddr, 0, MEM_RELEASE);
    CloseHandle(hThread);
    CloseHandle(hProc);
    return ExitCode;
}