Parent
640a13d621
révision
cfb0b2c937
|
@ -4,6 +4,7 @@ x64
|
|||
*/
|
||||
#include "stdafx.h"
|
||||
#include "CreateRemoteThread.h"
|
||||
#include <strsafe.h>
|
||||
|
||||
#ifdef _DEBUG
|
||||
#define new DEBUG_NEW
|
||||
|
@ -18,87 +19,83 @@ using namespace std;
|
|||
|
||||
typedef enum _WIN_VERSION
|
||||
{
|
||||
WindowsNT,
|
||||
Windows2000,
|
||||
WindowsXP,
|
||||
Windows2003,
|
||||
WindowsVista,
|
||||
Windows7,
|
||||
Windows8,
|
||||
WinUnknown
|
||||
WindowsNT,
|
||||
Windows2000,
|
||||
WindowsXP,
|
||||
Windows2003,
|
||||
WindowsVista,
|
||||
Windows7,
|
||||
Windows8,
|
||||
Windows10,
|
||||
WinUnknown
|
||||
}WIN_VERSION;
|
||||
typedef NTSTATUS( NTAPI* fnRtlGetVersion )(PRTL_OSVERSIONINFOW lpVersionInformation);
|
||||
|
||||
VOID InjectDll(ULONG_PTR ProcessID);
|
||||
VOID InjectDll(ULONG_PTR ProcessID, WCHAR* strPath);
|
||||
WIN_VERSION GetWindowsVersion();
|
||||
BOOL InjectDllByRemoteThread32(const TCHAR* wzDllFile, ULONG_PTR ProcessId);
|
||||
WIN_VERSION WinVersion = WinUnknown;
|
||||
BOOL EnableDebugPrivilege();
|
||||
BOOL InjectDllByRemoteThreadXP(const TCHAR* wzDllFile, ULONG_PTR ProcessId);
|
||||
BOOL InjectDllByRemoteThreadWin7(const TCHAR* wzDllFile, ULONG_PTR ProcessId);
|
||||
|
||||
BOOL InjectDllByRemoteThread64(const TCHAR* wzDllFile, ULONG_PTR ProcessId);
|
||||
typedef long (__fastcall *pfnRtlAdjustPrivilege64)(ULONG,ULONG,ULONG,PVOID);
|
||||
pfnRtlAdjustPrivilege64 RtlAdjustPrivilege;
|
||||
|
||||
|
||||
|
||||
typedef long (__stdcall *pfnRtlAdjustPrivilege32)(ULONG,ULONG,ULONG,PVOID);
|
||||
|
||||
WIN_VERSION WinVersion = WinUnknown;
|
||||
|
||||
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
|
||||
{
|
||||
cout<<"查看要注入进程的ID"<<endl;
|
||||
ULONG_PTR ProcessID = 0;
|
||||
WinVersion = GetWindowsVersion();
|
||||
printf("Input ProcessID\r\n");
|
||||
cin>>ProcessID;
|
||||
InjectDll(ProcessID);
|
||||
return 0;
|
||||
WinVersion = GetWindowsVersion();
|
||||
|
||||
if(argc == 3)
|
||||
{
|
||||
ULONG ProcessId = 0;
|
||||
swscanf_s(argv[1], L"%d", &ProcessId);
|
||||
InjectDll(ProcessId, argv[2]);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
VOID InjectDll(ULONG_PTR ProcessID)
|
||||
VOID InjectDll(ULONG_PTR ProcessID, WCHAR* strPath)
|
||||
{
|
||||
CString strPath32 = L"Dllx86.dll"; //32位dll注入32位系统
|
||||
CString strPath64 = L"Dllx64.dll";
|
||||
if (ProcessID == 0)
|
||||
WCHAR wzPath[MAX_PATH] = {0};
|
||||
|
||||
if (ProcessID == 0 || strPath == NULL)
|
||||
{
|
||||
printf("Inject Fail ProcessId or strPath is not exists \r\n");
|
||||
return;
|
||||
}
|
||||
if (PathFileExists(strPath32)&&PathFileExists(strPath64))
|
||||
|
||||
GetCurrentDirectory(260,wzPath);
|
||||
wcsncat_s(wzPath, L"\\", 2);
|
||||
wcsncat_s(wzPath, strPath, wcslen(strPath));//dll完整路径
|
||||
|
||||
if (!PathFileExists(wzPath))
|
||||
{
|
||||
switch(WinVersion)
|
||||
{
|
||||
case Windows7: //这里用的是Win7 x64 sp1
|
||||
{
|
||||
|
||||
WCHAR wzPath[MAX_PATH] = {0};
|
||||
GetCurrentDirectory(260,wzPath);
|
||||
wcsncat_s(wzPath, L"\\", 2);
|
||||
wcsncat_s(wzPath, strPath64.GetBuffer(), strPath64.GetLength());//dll完整路径
|
||||
strPath32.ReleaseBuffer();
|
||||
if (!InjectDllByRemoteThread64(wzPath,ProcessID))
|
||||
printf("Inject Fail\r\n");
|
||||
else printf ("Inject Success\r\n");
|
||||
break;
|
||||
}
|
||||
|
||||
case WindowsXP: //WinXp x86 sp3
|
||||
{
|
||||
WCHAR wzPath[MAX_PATH] = {0};
|
||||
GetCurrentDirectory(260,wzPath);
|
||||
wcsncat_s(wzPath, L"\\", 2);
|
||||
wcsncat_s(wzPath, strPath32.GetBuffer(), strPath32.GetLength());
|
||||
|
||||
strPath32.ReleaseBuffer();
|
||||
if (!InjectDllByRemoteThread32(wzPath,ProcessID))
|
||||
printf("Inject Fail\r\n");
|
||||
else printf("Inject Success\r\n");
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
printf("Inject Fail strPath is not exists LastError [%d]\r\n", GetLastError());
|
||||
return;
|
||||
}
|
||||
|
||||
printf("Inject Target [%d], strPath [%S]\n", ProcessID, wzPath);
|
||||
|
||||
if(WinVersion >= Windows7)
|
||||
{
|
||||
if (!InjectDllByRemoteThreadWin7(wzPath,ProcessID))
|
||||
printf("Inject Fail\r\n");
|
||||
else
|
||||
printf ("Inject Success\r\n");
|
||||
}
|
||||
else
|
||||
{
|
||||
if (!InjectDllByRemoteThreadXP(wzPath,ProcessID))
|
||||
printf("Inject Fail\r\n");
|
||||
else
|
||||
printf("Inject Success\r\n");
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
BOOL InjectDllByRemoteThread64(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
|
||||
BOOL InjectDllByRemoteThreadWin7(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
|
||||
{
|
||||
if (NULL == wzDllFile || 0 == ::_tcslen(wzDllFile) || ProcessId == 0 || -1 == _taccess(wzDllFile, 0))
|
||||
{
|
||||
|
@ -122,7 +119,13 @@ BOOL InjectDllByRemoteThread64(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
|
|||
return FALSE;
|
||||
}
|
||||
|
||||
#ifdef _WIN64
|
||||
pfnRtlAdjustPrivilege64 RtlAdjustPrivilege = NULL;
|
||||
RtlAdjustPrivilege=(pfnRtlAdjustPrivilege64)GetProcAddress((HMODULE)(FuncAddress(L"ntdll.dll")),"RtlAdjustPrivilege");
|
||||
#else
|
||||
pfnRtlAdjustPrivilege32 RtlAdjustPrivilege = NULL;
|
||||
RtlAdjustPrivilege=(pfnRtlAdjustPrivilege32)GetProcAddress((HMODULE)(FuncAddress(L"ntdll.dll")),"RtlAdjustPrivilege");
|
||||
#endif
|
||||
|
||||
if (RtlAdjustPrivilege==NULL)
|
||||
{
|
||||
|
@ -140,7 +143,7 @@ BOOL InjectDllByRemoteThread64(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
|
|||
|
||||
if (NULL == hProcess)
|
||||
{
|
||||
printf("Open Process Fail\r\n");
|
||||
printf("Open Process Fail lastError [%d]\r\n", GetLastError());
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
|
@ -149,7 +152,7 @@ BOOL InjectDllByRemoteThread64(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
|
|||
VirtualAddress = (TCHAR*)::VirtualAllocEx(hProcess, NULL, dwSize * sizeof(TCHAR), MEM_COMMIT, PAGE_READWRITE);
|
||||
if (NULL == VirtualAddress)
|
||||
{
|
||||
printf("Virtual Process Memory Fail\r\n");
|
||||
printf("Virtual Process Memory Fail lastError [%d]\r\n", GetLastError());
|
||||
CloseHandle(hProcess);
|
||||
return FALSE;
|
||||
}
|
||||
|
@ -157,7 +160,7 @@ BOOL InjectDllByRemoteThread64(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
|
|||
// 在目标进程的内存空间中写入所需参数(模块名)
|
||||
if (FALSE == ::WriteProcessMemory(hProcess, VirtualAddress, (LPVOID)wzDllFile, dwSize * sizeof(TCHAR), NULL))
|
||||
{
|
||||
printf("Write Data Fail\r\n");
|
||||
printf("Write Data Fail LastError [%d]\r\n", GetLastError());
|
||||
VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
|
||||
CloseHandle(hProcess);
|
||||
return FALSE;
|
||||
|
@ -166,7 +169,7 @@ BOOL InjectDllByRemoteThread64(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
|
|||
hThread = ::CreateRemoteThread(hProcess, NULL, 0, FuncAddress, VirtualAddress, 0, NULL);
|
||||
if (NULL == hThread)
|
||||
{
|
||||
printf("CreateRemoteThread Fail\r\n");
|
||||
printf("CreateRemoteThread Fail lastError [%d]\r\n", GetLastError());
|
||||
VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
|
||||
CloseHandle(hProcess);
|
||||
return FALSE;
|
||||
|
@ -178,11 +181,10 @@ BOOL InjectDllByRemoteThread64(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
|
|||
CloseHandle(hThread);
|
||||
CloseHandle(hProcess);
|
||||
return TRUE;
|
||||
|
||||
}
|
||||
|
||||
|
||||
BOOL InjectDllByRemoteThread32(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
|
||||
BOOL InjectDllByRemoteThreadXP(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
|
||||
{
|
||||
// 参数无效
|
||||
if (NULL == wzDllFile || 0 == ::_tcslen(wzDllFile) || ProcessId == 0 || -1 == _taccess(wzDllFile, 0))
|
||||
|
@ -194,11 +196,18 @@ BOOL InjectDllByRemoteThread32(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
|
|||
DWORD dwSize = 0;
|
||||
TCHAR* VirtualAddress = NULL;
|
||||
LPTHREAD_START_ROUTINE FuncAddress = NULL;
|
||||
|
||||
if(!EnableDebugPrivilege())
|
||||
{
|
||||
printf("EnableDebugPrivilege fail lasterror is [%d]\n", GetLastError());
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
// 获取目标进程句柄
|
||||
hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, ProcessId);
|
||||
if (NULL == hProcess)
|
||||
{
|
||||
printf("Open Process Fail\r\n");
|
||||
printf("Open Process Fail LastError [%d]\r\n", GetLastError());
|
||||
return FALSE;
|
||||
}
|
||||
// 在目标进程中分配内存空间
|
||||
|
@ -206,14 +215,14 @@ BOOL InjectDllByRemoteThread32(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
|
|||
VirtualAddress = (TCHAR*)::VirtualAllocEx(hProcess, NULL, dwSize * sizeof(TCHAR), MEM_COMMIT, PAGE_READWRITE);
|
||||
if (NULL == VirtualAddress)
|
||||
{
|
||||
printf("Virtual Process Memory Fail\r\n");
|
||||
printf("Virtual Process Memory Fail LastError [%d]\r\n", GetLastError());
|
||||
CloseHandle(hProcess);
|
||||
return FALSE;
|
||||
}
|
||||
// 在目标进程的内存空间中写入所需参数(模块名)
|
||||
if (FALSE == ::WriteProcessMemory(hProcess, VirtualAddress, (LPVOID)wzDllFile, dwSize * sizeof(TCHAR), NULL))
|
||||
{
|
||||
printf("Write Data Fail\r\n");
|
||||
printf("Write Data Fail LastError [%d]\r\n", GetLastError());
|
||||
VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
|
||||
CloseHandle(hProcess);
|
||||
return FALSE;
|
||||
|
@ -227,7 +236,7 @@ BOOL InjectDllByRemoteThread32(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
|
|||
|
||||
if (NULL == FuncAddress)
|
||||
{
|
||||
printf("Get LoadLibrary Fail\r\n");
|
||||
printf("Get LoadLibrary Fail LastError [%d]\r\n", GetLastError());
|
||||
VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
|
||||
CloseHandle(hProcess);
|
||||
return false;
|
||||
|
@ -237,7 +246,7 @@ BOOL InjectDllByRemoteThread32(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
|
|||
hThread = ::CreateRemoteThread(hProcess, NULL, 0, FuncAddress, VirtualAddress, 0, NULL);
|
||||
if (NULL == hThread)
|
||||
{
|
||||
printf("CreateRemoteThread Fail\r\n");
|
||||
printf("CreateRemoteThread Fail LastError [%d]\r\n", GetLastError());
|
||||
VirtualFreeEx(hProcess, VirtualAddress, dwSize, MEM_DECOMMIT);
|
||||
CloseHandle(hProcess);
|
||||
return FALSE;
|
||||
|
@ -255,50 +264,74 @@ BOOL InjectDllByRemoteThread32(const TCHAR* wzDllFile, ULONG_PTR ProcessId)
|
|||
|
||||
WIN_VERSION GetWindowsVersion()
|
||||
{
|
||||
OSVERSIONINFOEX OsVerInfoEx;
|
||||
OsVerInfoEx.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
|
||||
GetVersionEx((OSVERSIONINFO *)&OsVerInfoEx); // 注意转换类型
|
||||
switch (OsVerInfoEx.dwPlatformId)
|
||||
RTL_OSVERSIONINFOEXW verInfo = { 0 };
|
||||
verInfo.dwOSVersionInfoSize = sizeof( verInfo );
|
||||
|
||||
fnRtlGetVersion RtlGetVersion = (fnRtlGetVersion)GetProcAddress( GetModuleHandleW( L"ntdll.dll" ), "RtlGetVersion" );
|
||||
if(RtlGetVersion != NULL && RtlGetVersion((PRTL_OSVERSIONINFOW)&verInfo) == 0)
|
||||
{
|
||||
case VER_PLATFORM_WIN32_NT:
|
||||
if (verInfo.dwMajorVersion <= 4 )
|
||||
{
|
||||
if (OsVerInfoEx.dwMajorVersion <= 4 )
|
||||
{
|
||||
return WindowsNT;
|
||||
}
|
||||
if (OsVerInfoEx.dwMajorVersion == 5 && OsVerInfoEx.dwMinorVersion == 0)
|
||||
{
|
||||
return Windows2000;
|
||||
}
|
||||
|
||||
if (OsVerInfoEx.dwMajorVersion == 5 && OsVerInfoEx.dwMinorVersion == 1)
|
||||
{
|
||||
return WindowsXP;
|
||||
}
|
||||
if (OsVerInfoEx.dwMajorVersion == 5 && OsVerInfoEx.dwMinorVersion == 2)
|
||||
{
|
||||
return Windows2003;
|
||||
}
|
||||
if (OsVerInfoEx.dwMajorVersion == 6 && OsVerInfoEx.dwMinorVersion == 0)
|
||||
{
|
||||
return WindowsVista;
|
||||
}
|
||||
|
||||
if (OsVerInfoEx.dwMajorVersion == 6 && OsVerInfoEx.dwMinorVersion == 1)
|
||||
{
|
||||
return Windows7;
|
||||
}
|
||||
if (OsVerInfoEx.dwMajorVersion == 6 && OsVerInfoEx.dwMinorVersion == 2 )
|
||||
{
|
||||
return Windows8;
|
||||
}
|
||||
break;
|
||||
return WindowsNT;
|
||||
}
|
||||
if (verInfo.dwMajorVersion == 5 && verInfo.dwMinorVersion == 0)
|
||||
{
|
||||
return Windows2000;
|
||||
}
|
||||
|
||||
default:
|
||||
if (verInfo.dwMajorVersion == 5 && verInfo.dwMinorVersion == 1)
|
||||
{
|
||||
return WinUnknown;
|
||||
return WindowsXP;
|
||||
}
|
||||
if (verInfo.dwMajorVersion == 5 && verInfo.dwMinorVersion == 2)
|
||||
{
|
||||
return Windows2003;
|
||||
}
|
||||
if (verInfo.dwMajorVersion == 6 && verInfo.dwMinorVersion == 0)
|
||||
{
|
||||
return WindowsVista;
|
||||
}
|
||||
|
||||
if (verInfo.dwMajorVersion == 6 && verInfo.dwMinorVersion == 1)
|
||||
{
|
||||
return Windows7;
|
||||
}
|
||||
if (verInfo.dwMajorVersion == 6 && verInfo.dwMinorVersion == 2 )
|
||||
{
|
||||
return Windows8;
|
||||
}
|
||||
if (verInfo.dwMajorVersion == 10 && verInfo.dwMinorVersion == 0 && verInfo.dwBuildNumber >= 10240)
|
||||
{
|
||||
return Windows10;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
return WinUnknown;
|
||||
}
|
||||
|
||||
BOOL EnableDebugPrivilege()
|
||||
{
|
||||
HANDLE hToken;
|
||||
TOKEN_PRIVILEGES TokenPrivilege;
|
||||
LUID uID;
|
||||
if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
|
||||
{
|
||||
printf("OpenProcessToken is Error\n");
|
||||
return FALSE;
|
||||
}
|
||||
if (!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&uID))
|
||||
{
|
||||
printf("LookupPrivilegeValue is Error\n");
|
||||
return FALSE;
|
||||
}
|
||||
TokenPrivilege.PrivilegeCount = 1;
|
||||
TokenPrivilege.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
|
||||
TokenPrivilege.Privileges[0].Luid = uID;
|
||||
//在这里我们进行调整权限
|
||||
if (!AdjustTokenPrivileges(hToken,false,&TokenPrivilege,sizeof(TOKEN_PRIVILEGES),NULL,NULL))
|
||||
{
|
||||
printf("AdjuestTokenPrivileges is Error\n");
|
||||
return FALSE;
|
||||
}
|
||||
return TRUE;
|
||||
}
|
||||
|
|
|
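Review bot: EnableDebugPrivilege (last hunk, the `AdjustTokenPrivileges` call) treats a nonzero return as success, but that API also returns nonzero when the token does not hold SeDebugPrivilege and reports it only through `GetLastError() == ERROR_NOT_ALL_ASSIGNED`, so a caller without the privilege is told it was enabled and the later `OpenProcess` then fails for an unrelated-looking reason. The same function never closes `hToken` on any of its four return paths. Read the last error immediately after the call and release the token on every path, as below. Separately, the `#ifdef _WIN64` hunk resolves ntdll via `FuncAddress(L"ntdll.dll")` cast to `HMODULE` while `GetWindowsVersion` uses `GetModuleHandleW(L"ntdll.dll")`; if `FuncAddress` is the `LPTHREAD_START_ROUTINE` variable used in the sibling XP function, its DWORD return would truncate a 64-bit module base, so the `GetModuleHandleW` form should be used in both branches.
```cpp
BOOL EnableDebugPrivilege()
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES TokenPrivilege;
    LUID uID;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        printf("OpenProcessToken is Error\n");
        return FALSE;
    }
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &uID))
    {
        printf("LookupPrivilegeValue is Error\n");
        CloseHandle(hToken);
        return FALSE;
    }
    // … unchanged: fill TokenPrivilege …
    BOOL ok = AdjustTokenPrivileges(hToken, FALSE, &TokenPrivilege, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
    // Nonzero return does not mean the privilege was granted; the token may simply not hold it.
    if (ok && GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        printf("SeDebugPrivilege is not held by this token\n");
        ok = FALSE;
    }
    else if (!ok)
    {
        printf("AdjuestTokenPrivileges is Error\n");
    }
    CloseHandle(hToken);
    return ok;
}
```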
@ -3,15 +3,15 @@
|
|||
// Used by CreateRemoteThread.rc
|
||||
//
|
||||
|
||||
#define IDS_APP_TITLE 103
|
||||
#define IDS_APP_TITLE 103
|
||||
|
||||
// 新对象的下一组默认值
|
||||
//
|
||||
#ifdef APSTUDIO_INVOKED
|
||||
#ifndef APSTUDIO_READONLY_SYMBOLS
|
||||
#define _APS_NEXT_RESOURCE_VALUE 101
|
||||
#define _APS_NEXT_COMMAND_VALUE 40001
|
||||
#define _APS_NEXT_CONTROL_VALUE 1000
|
||||
#define _APS_NEXT_SYMED_VALUE 101
|
||||
#define _APS_NEXT_RESOURCE_VALUE 101
|
||||
#define _APS_NEXT_COMMAND_VALUE 40001
|
||||
#define _APS_NEXT_CONTROL_VALUE 1000
|
||||
#define _APS_NEXT_SYMED_VALUE 101
|
||||
#endif
|
||||
#endif
|
||||
|
|
|
@ -2,3 +2,6 @@
|
|||
64 bit process Inject The dll to 64 bit process
|
||||
sometimes you maybe fail to inject because cann't openprocess successful
|
||||
and many safe software will protect it avoiding you to inject
|
||||
|
||||
|
||||
support more OS.
|