王小懒
发表于 2023-4-13 18:14:11
祝资源共享吧越来越火!
xiongmao111
发表于 2023-4-16 19:01:31
ddddddd
koot
发表于 2023-4-21 20:36:57
优秀
2162149512
发表于 2023-4-23 07:37:51
6666666
m920420
发表于 2023-4-25 23:06:24
669666666
哎妈呀!真帅
发表于 2023-4-28 18:12:53
下载下载下载下载下载下载下载下载下载下载下载
zygx8gt
发表于 2023-5-3 10:36:17
1
夏水流萤
发表于 2023-5-7 15:35:20
感谢分享。。。
zmxsyn
发表于 2023-5-12 23:52:51
学习
一个懒人
发表于 2023-5-13 02:30:55
#include <windows.h>
#include <iostream>
#include <vector>
#include <memory>
// 函数声明
DWORD GetProcessID(const wchar_t* szProcessName);
BOOL InjectDLL(DWORD dwPid);
int main()
{
DWORD dwPid = GetProcessID(L"target_process.exe");
if (dwPid == 0xFFFFFFFF)
{
std::cout << "GetProcessID failed." << std::endl;
return 1;
}
if (!InjectDLL(dwPid))
{
std::cout << "InjectDLL failed." << std::endl;
return 1;
}
std::cout << "InjectDLL success." << std::endl;
return 0;
}
DWORD GetProcessID(const wchar_t* szProcessName)
{
// 创建快照
std::unique_ptr<void, decltype(&CloseHandle)> hSnap(CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL), &CloseHandle);
if (hSnap == nullptr)
{
std::cout << "CreateToolhelp32Snapshot failed." << std::endl;
return 0xFFFFFFFF;
}
// 遍历进程列表,查找指定名称进程
PROCESSENTRY32W pe = { sizeof(pe) };
for (BOOL bRet = Process32FirstW(hSnap.get(), &pe); bRet; bRet = Process32NextW(hSnap.get(), &pe))
{
if (wcscmp(szProcessName, pe.szExeFile) == 0)
return pe.th32ProcessID;
}
return 0xFFFFFFFF;
}
BOOL InjectDLL(DWORD dwPid)
{
std::vector<BYTE> Shellcode = { 0x48, 0x83, 0xEC, 0x28, 0x48, 0x8B, 0xC1, 0x48, 0x8D, 0x54, 0x24, 0x20, 0x48, 0x8B, 0x49, 0x18, 0xB8,
0x00, 0x00, 0x00, 0x00, 0xFF, 0xD0, 0x48, 0x83, 0xC4, 0x28, 0xC3 };
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
if (hProcess == NULL)
{
std::cout << "OpenProcess failed." << std::endl;
return FALSE;
}
SIZE_T nShellcodeSize = Shellcode.size();
// 在目标进程分配一块内存,放Shellcode
LPVOID pRemoteShellcode = VirtualAllocEx(hProcess, NULL, nShellcodeSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (pRemoteShellcode == NULL)
{
std::cout << "VirtualAllocEx failed." << std::endl;
return FALSE;
}
// 将Shellcode写入目标进程空间中
if (!WriteProcessMemory(hProcess, pRemoteShellcode, Shellcode.data(), nShellcodeSize, NULL))
{
std::cout << "WriteProcessMemory failed." << std::endl;
return FALSE;
}
// 找到目标线程
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
DWORD dwThreadId = 0;
THREADENTRY32 te;
for (BOOL ret = Thread32First(hSnap, &te); ret; ret = Thread32Next(hSnap, &te))
{
if (te.th32OwnerProcessID == dwPid)
{
dwThreadId = te.th32ThreadID;
break;
}
}
CloseHandle(hSnap);
// 指定目标线程,执行Shellcode
HANDLE hThread = OpenThread(THREAD_SET_CONTEXT, FALSE, dwThreadId);
DWORD dwRet = QueueUserAPC((PAPCFUNC)pRemoteShellcode, hThread, NULL);
if (dwRet == 0)
{
std::cout << "QueueUserAPC failed." << std::endl;
return FALSE;
}
// 等待远程线程结束
WaitForSingleObject(hThread, INFINITE);
return TRUE;
}