#include <windows.h>
#pragma comment(lib,"user32.lib")
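/*
 * Entry point: shows a "hello" message box and, as soon as the user closes
 * it, shows it again. The loop never ends; the program has to be killed.
 * `void main()` is not a conforming signature; `int main(void)` is.
 */
int main(void)
{
    for (;;) {
        MessageBoxA(NULL, "hello", "msg", MB_OK);
    }
}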
#include <windows.h>
#pragma comment(lib,"user32.lib")
/*
 * Signature of the real MessageBoxA as called through the IAT (stdcall).
 * NOTE(review): declared with LPCTSTR, but MessageBoxA takes LPCSTR; the two
 * only agree when UNICODE is not defined for this build.
 */
typedef int (__stdcall *pOldMBox)(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption,UINT uType);
/* Original IAT target, saved by myHook() so that MyMessageBox can forward to it. */
pOldMBox pMBox = NULL;
/*
 * Replacement IAT target for MessageBoxA.
 *
 * The caller's arguments are ignored; a fixed box ("i'm hacked" / "hello")
 * is shown through the saved original function pointer pMBox, which
 * myHook() must have filled in before this is reached.
 */
int __stdcall MyMessageBox(HWND hWnd, LPCTSTR lpText, LPCTSTR lpCaption,UINT uType)
{
    pOldMBox original = pMBox;

    (void)hWnd;
    (void)lpText;
    (void)lpCaption;
    (void)uType;

    return original(NULL, "i'm hacked", "hello", MB_OK);
}
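/*
 * Exact, case-sensitive comparison of two NUL-terminated strings.
 *
 * Returns TRUE only when both strings have the same length and the same
 * bytes. The earlier version stopped at the first terminator it reached, so
 * a name that is a prefix of the other ("MessageBox" vs "MessageBoxA")
 * compared equal; used for IAT matching, that can patch the wrong slot.
 *
 * s1, s2: NUL-terminated strings. NULL compares equal only to NULL.
 */
BOOL CompStr(LPSTR s1, LPSTR s2)
{
    PCHAR p, q;

    if (s1 == NULL || s2 == NULL) {
        return (s1 == s2) ? TRUE : FALSE;
    }
    for (p = s1, q = s2; *p != 0 && *q != 0; p++, q++) {
        if (*p != *q) {
            return FALSE;
        }
    }
    /* Equal only if both strings ended at the same position. */
    return (*p == 0 && *q == 0) ? TRUE : FALSE;
}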
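/*
 * Hook MessageBoxA by patching this module's Import Address Table (IAT).
 *
 * Walks the import descriptors of the running executable, finds each named
 * import "MessageBoxA", saves the current IAT value into the file-scope
 * pMBox and replaces it with MyMessageBox. Only calls that go through this
 * module's IAT are redirected; code that resolved the function itself
 * (GetProcAddress) or lives in another module is unaffected.
 *
 * Returns 0 when at least one IAT slot was patched, non-zero when the
 * headers look wrong, the module has no import directory, the import was
 * not found, or the page could not be made writable. The caller in this
 * file ignores the value, so the old always-0 contract is not broken.
 *
 * Changes from the first version:
 *  - DOS/NT signatures and the import directory are validated before the
 *    headers are dereferenced.
 *  - Imports by ordinal carry no name and are skipped instead of treating
 *    the ordinal as a pointer to IMAGE_IMPORT_BY_NAME.
 *  - Descriptors without a hint/name table (OriginalFirstThunk == 0) are
 *    skipped: after the loader has bound FirstThunk it holds addresses, not
 *    names, so there is nothing to match against.
 *  - VirtualProtect is checked, and the restore passes a real output
 *    pointer (a NULL lpflOldProtect makes the call fail, which silently
 *    left the page read/write in the old code).
 *  - Base and slot values use pointer-sized types, so the walk is correct
 *    for both 32- and 64-bit images.
 */
int myHook()
{
    LPCSTR lpszFuncName = "MessageBoxA";
    HMODULE hMod = GetModuleHandle(NULL);
    ULONG_PTR dwBase = (ULONG_PTR)hMod;
    PIMAGE_DOS_HEADER pDosHeader;
    PIMAGE_NT_HEADERS pNtHeaders;
    PIMAGE_DATA_DIRECTORY pImpDir;
    PIMAGE_IMPORT_DESCRIPTOR pImpTbl;
    PIMAGE_THUNK_DATA pthunk1, pthunk2;
    PIMAGE_IMPORT_BY_NAME pOrdinalName;
    int patched = 0;

    if (hMod == NULL) {
        return 1;
    }
    pDosHeader = (PIMAGE_DOS_HEADER)dwBase;
    if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        return 1;
    }
    pNtHeaders = (PIMAGE_NT_HEADERS)(dwBase + pDosHeader->e_lfanew);
    if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE) {
        return 1;
    }
    pImpDir = &pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
    if (pImpDir->VirtualAddress == 0 || pImpDir->Size == 0) {
        return 1; /* module imports nothing */
    }
    pImpTbl = (PIMAGE_IMPORT_DESCRIPTOR)(dwBase + pImpDir->VirtualAddress);

    for (; pImpTbl->FirstThunk != 0; pImpTbl++) {
        if (pImpTbl->OriginalFirstThunk == 0) {
            continue; /* no hint/name table: cannot match by name */
        }
        pthunk1 = (PIMAGE_THUNK_DATA)(dwBase + pImpTbl->OriginalFirstThunk); /* names */
        pthunk2 = (PIMAGE_THUNK_DATA)(dwBase + pImpTbl->FirstThunk);         /* live IAT */

        for (; pthunk1->u1.AddressOfData != 0; pthunk1++, pthunk2++) {
            DWORD dwOLD = 0;
            DWORD dwRestore = 0;

            if (IMAGE_SNAP_BY_ORDINAL(pthunk1->u1.Ordinal)) {
                continue; /* imported by ordinal: nothing to compare */
            }
            pOrdinalName = (PIMAGE_IMPORT_BY_NAME)(dwBase + pthunk1->u1.AddressOfData);
            if (!CompStr((LPSTR)lpszFuncName, (LPSTR)pOrdinalName->Name)) {
                continue;
            }

            /* The IAT page is usually not writable once the loader is done. */
            if (!VirtualProtect(pthunk2, sizeof(pthunk2->u1.Function), PAGE_READWRITE, &dwOLD)) {
                return 1;
            }
            pMBox = (pOldMBox)(ULONG_PTR)pthunk2->u1.Function;
            pthunk2->u1.Function = (ULONG_PTR)MyMessageBox;
            /* Best effort: the hook is already in place even if this fails. */
            VirtualProtect(pthunk2, sizeof(pthunk2->u1.Function), dwOLD, &dwRestore);
            patched++;
            break; /* one slot per descriptor; keep scanning the other DLLs */
        }
    }
    return patched ? 0 : 1;
}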
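/*
 * Demo entry point: one MessageBoxA through the untouched IAT, then the hook
 * is installed and the same call is made again, this time landing in
 * MyMessageBox. A non-zero result from myHook() skips the second call and
 * is reported as exit status 1.
 */
int main(void)
{
    MessageBoxA(NULL, "hello", "msg", MB_OK);
    if (myHook() != 0) {
        return 1;
    }
    MessageBoxA(NULL, "hello", "msg", MB_OK);
    return 0;
}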
/*
Application: Code Injection in Explorer
Author: @_RT
Compiled on: Feb 2014
URL:http://www.codeproject.com/Tips/732044/Code-Injection-2
We will see the different steps involved to perform a code injection into an already running process.
Following are the quick steps through the process of injection.
1.Get the API addresses that you will be calling from the injected code.
2.Prepare shell code of your function that you want to get executed from the injected process.
3.Get the process ID of the running process that you wish to inject into by enumerating through the
list of processes or by finding the process's window (in case it's a GUI application) by class name or title.
4. Open the process by its PID with rights sufficient to allocate and write its memory and to create a thread in it (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ); PROCESS_ALL_ACCESS also works but grants far more than these steps need.
5.Allocate different memory spaces in the process that you are going to inject to with desired access
rights for holding different segments of your shell code.
Code part (executable instructions)
Data part (strings, function parameters, etc.)
6.Write the allocated memories with the respective values (code and data).
7. Call CreateRemoteThread with the start address of the allocated memory that holds your shell code; the
new thread runs that code inside the target process.
*/
#include <windows.h>
#pragma comment(lib,"user32.lib")
/*
 * Absolute addresses of kernel32!CreateProcessA and kernel32!ExitThread in
 * this process, filled in by main() and read by InjectExecutable() when it
 * emits the call instructions of the remote stub.
 */
LPVOID addr;
LPVOID addr2;
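/*
 * Write one byte run at *cursor in hProcess and advance the cursor past it.
 * Returns FALSE when the write fails or is short.
 */
static BOOL EmitBytes(HANDLE hProcess, LPVOID *cursor, const void *src, SIZE_T len)
{
    SIZE_T written = 0;

    if (!WriteProcessMemory(hProcess, *cursor, src, len, &written) || written != len) {
        return FALSE;
    }
    *cursor = (LPVOID)((ULONG_PTR)*cursor + len);
    return TRUE;
}

/* Emit "68 imm32" (push imm32) carrying the low 32 bits of value. */
static BOOL EmitPushImm32(HANDLE hProcess, LPVOID *cursor, LPVOID value)
{
    static const BYTE opcode = 0x68;
    DWORD imm = (DWORD)(ULONG_PTR)value;

    return EmitBytes(hProcess, cursor, &opcode, sizeof(opcode)) &&
           EmitBytes(hProcess, cursor, &imm, sizeof(imm));
}

/* Emit "E8 rel32" (call) at *cursor targeting the absolute address target. */
static BOOL EmitCallRel32(HANDLE hProcess, LPVOID *cursor, LPVOID target)
{
    static const BYTE opcode = 0xE8;
    DWORD rel;

    if (!EmitBytes(hProcess, cursor, &opcode, sizeof(opcode))) {
        return FALSE;
    }
    /* rel32 is measured from the end of its own 4-byte operand. */
    rel = (DWORD)((ULONG_PTR)target - ((ULONG_PTR)*cursor + sizeof(rel)));
    return EmitBytes(hProcess, cursor, &rel, sizeof(rel));
}

/*
 * Build a small stub inside process dwPid that calls
 *   CreateProcessA(S, NULL, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)
 * followed by ExitThread(0), and start it with CreateRemoteThread.
 *
 * dwPid          target process id
 * si, pi         a STARTUPINFOA and a PROCESS_INFORMATION (or any buffers of
 *                the given sizes) copied into the target; the stub passes the
 *                remote copies as lpStartupInfo and lpProcessInformation
 * sisize, pisize byte sizes of *si and *pi (must be > 0)
 *
 * Uses the file-scope addr (CreateProcessA) and addr2 (ExitThread); they are
 * read only, so the function can be called more than once (the earlier
 * version overwrote them with relative displacements on every call).
 *
 * Returns TRUE once the remote thread has been created, FALSE on any
 * failure. Process and thread handles are closed on every path; remote
 * allocations are released on failure and intentionally kept on success,
 * because the stub and its data are still in use by the new thread.
 *
 * Changes from the first version:
 *  - lpStartupInfo and lpProcessInformation were pushed in the wrong order
 *    (stdcall pushes right-to-left, so &pi must go on the stack first).
 *  - The struct copies are allocated at their real sizes, not 4 bytes.
 *  - The process is opened with the rights CreateRemoteThread needs rather
 *    than PROCESS_ALL_ACCESS.
 *  - The code page is written as RW and flipped to RX before it runs, so it
 *    is never writable and executable at the same time.
 *  - Every allocation and write is checked.
 *
 * The stub is x86 machine code (push imm8/imm32, call rel32, 4-byte
 * pointers): it is only valid when both this process and the target are
 * 32-bit. The target must also map kernel32 at the same address as this
 * process for addr/addr2 to be meaningful there.
 */
BOOL InjectExecutable(DWORD dwPid,LPVOID si,LPVOID pi,int sisize,int pisize)
{
    static const CHAR S[] = "C:\\Windows\\notepad.exe";
    /*
     * push 0  lpCurrentDirectory
     * push 0  lpEnvironment
     * push 0  dwCreationFlags
     * push 1  bInheritHandles
     * push 0  lpThreadAttributes
     * push 0  lpProcessAttributes
     * push 0  lpCommandLine
     */
    static const BYTE pushMiddleArgs[] = {
        0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x01,
        0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00
    };
    static const BYTE pushZero[] = { 0x6A, 0x00 }; /* push 0: ExitThread's dwExitCode */
    /* push imm32 (x2) + middle args + push imm32 + call + push 0 + call */
    const SIZE_T codeSize = 5 + 5 + sizeof(pushMiddleArgs) + 5 + 5 + sizeof(pushZero) + 5;
    const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                         PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    LPVOID staddr = NULL, fnaddr = NULL, fnaddr2 = NULL, code = NULL;
    LPVOID cursor;
    DWORD oldProt = 0;
    BOOL ok = FALSE;

    if (si == NULL || pi == NULL || sisize <= 0 || pisize <= 0 || addr == NULL || addr2 == NULL) {
        return FALSE;
    }
    hProcess = OpenProcess(access, FALSE, dwPid);
    if (hProcess == NULL) {
        return FALSE;
    }

    /* Data: application path and the two structures. */
    staddr  = VirtualAllocEx(hProcess, NULL, sizeof(S), MEM_COMMIT, PAGE_READWRITE);
    fnaddr  = VirtualAllocEx(hProcess, NULL, (SIZE_T)sisize, MEM_COMMIT, PAGE_READWRITE);
    fnaddr2 = VirtualAllocEx(hProcess, NULL, (SIZE_T)pisize, MEM_COMMIT, PAGE_READWRITE);
    /* Code: RW while being written, RX once complete. */
    code    = VirtualAllocEx(hProcess, NULL, codeSize, MEM_COMMIT, PAGE_READWRITE);
    if (staddr == NULL || fnaddr == NULL || fnaddr2 == NULL || code == NULL) {
        goto cleanup;
    }

    cursor = staddr;
    if (!EmitBytes(hProcess, &cursor, S, sizeof(S))) {
        goto cleanup;
    }
    cursor = fnaddr;
    if (!EmitBytes(hProcess, &cursor, si, (SIZE_T)sisize)) {
        goto cleanup;
    }
    cursor = fnaddr2;
    if (!EmitBytes(hProcess, &cursor, pi, (SIZE_T)pisize)) {
        goto cleanup;
    }

    /* stdcall: arguments are pushed right-to-left, so the last one goes first. */
    cursor = code;
    if (!EmitPushImm32(hProcess, &cursor, fnaddr2) ||                    /* lpProcessInformation = &pi */
        !EmitPushImm32(hProcess, &cursor, fnaddr) ||                     /* lpStartupInfo = &si */
        !EmitBytes(hProcess, &cursor, pushMiddleArgs, sizeof(pushMiddleArgs)) ||
        !EmitPushImm32(hProcess, &cursor, staddr) ||                     /* lpApplicationName = S */
        !EmitCallRel32(hProcess, &cursor, addr) ||                       /* CreateProcessA */
        !EmitBytes(hProcess, &cursor, pushZero, sizeof(pushZero)) ||     /* dwExitCode = 0 */
        !EmitCallRel32(hProcess, &cursor, addr2)) {                      /* ExitThread */
        goto cleanup;
    }

    if (!VirtualProtectEx(hProcess, code, codeSize, PAGE_EXECUTE_READ, &oldProt)) {
        goto cleanup;
    }
    FlushInstructionCache(hProcess, code, codeSize);

    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)code, NULL, 0, NULL);
    ok = (hThread != NULL);

cleanup:
    if (hThread != NULL) {
        CloseHandle(hThread);
    }
    if (!ok) {
        /* Nothing runs in the target yet, so the allocations can be released. */
        if (code != NULL)    VirtualFreeEx(hProcess, code, 0, MEM_RELEASE);
        if (staddr != NULL)  VirtualFreeEx(hProcess, staddr, 0, MEM_RELEASE);
        if (fnaddr != NULL)  VirtualFreeEx(hProcess, fnaddr, 0, MEM_RELEASE);
        if (fnaddr2 != NULL) VirtualFreeEx(hProcess, fnaddr2, 0, MEM_RELEASE);
    }
    CloseHandle(hProcess);
    return ok;
}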
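/*
 * Entry point: resolve CreateProcessA and ExitThread in this process, find
 * the process that owns the "Start Menu" window and inject the stub into it.
 *
 * Returns 0 when the remote thread was started and 1 when a prerequisite is
 * missing (kernel32 exports not found, window not found, or injection
 * failed). The earlier version used whatever happened to be in dwPid when
 * FindWindow returned NULL.
 *
 * NOTE(review): the addresses resolved here are used unchanged inside the
 * target, which assumes kernel32 is mapped at the same base there; that is
 * the usual case for processes of the same bitness in one boot session, but
 * confirm it if the injected call does not run.
 */
int main(void)
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    HMODULE hKernel;
    HWND hWnd;
    DWORD dwPid = 0;

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));

    /* kernel32 is always loaded, so a module handle is enough (no extra reference to leak). */
    hKernel = GetModuleHandleA("kernel32.dll");
    if (hKernel == NULL) {
        return 1;
    }
    addr  = (LPVOID)GetProcAddress(hKernel, "CreateProcessA");
    addr2 = (LPVOID)GetProcAddress(hKernel, "ExitThread");
    if (addr == NULL || addr2 == NULL) {
        return 1;
    }

    /* Explicit W variant: the title is a wide literal regardless of UNICODE. */
    hWnd = FindWindowW(NULL, L"Start Menu");
    if (hWnd == NULL || GetWindowThreadProcessId(hWnd, &dwPid) == 0 || dwPid == 0) {
        return 1;
    }

    return InjectExecutable(dwPid, &si, &pi, sizeof(si), sizeof(pi)) ? 0 : 1;
}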