C++封装远程注入类CreateRemoteThreadEx实例
来源:本站原创|时间:2020-01-10|栏目:C语言|点击: 次
本文实例讲述了C++封装远程注入类CreateRemoteThreadEx的方法,分享给大家供大家参考。具体方法如下:
首先,类初始化时传入要注入的DLL文件名
只使用两个函数
复制代码 代码如下:
// 注入DLL到指定的地址空间
BOOL InjectModuleInto(DWORD dwProcessId);
// 从指定的地址空间卸载DLL
BOOL EjectModuleFrom(DWORD dwProcessId);
BOOL InjectModuleInto(DWORD dwProcessId);
// 从指定的地址空间卸载DLL
BOOL EjectModuleFrom(DWORD dwProcessId);
.h头文件如下:
复制代码 代码如下:
#pragma once
#include <windows.h> //在头文件中包含
class CRemThreadInject
{
public:
CRemThreadInject(LPSTR lpDllName);
~CRemThreadInject(void);
protected:
char m_szDllName[MAX_PATH];
static BOOL EnableDebugPrivilege(BOOL bEnable);
public:
// 注入DLL到指定的地址空间
BOOL InjectModuleInto(DWORD dwProcessId);
// 从指定的地址空间卸载DLL
BOOL EjectModuleFrom(DWORD dwProcessId);
};
#include <windows.h> //在头文件中包含
class CRemThreadInject
{
public:
CRemThreadInject(LPSTR lpDllName);
~CRemThreadInject(void);
protected:
char m_szDllName[MAX_PATH];
static BOOL EnableDebugPrivilege(BOOL bEnable);
public:
// 注入DLL到指定的地址空间
BOOL InjectModuleInto(DWORD dwProcessId);
// 从指定的地址空间卸载DLL
BOOL EjectModuleFrom(DWORD dwProcessId);
};
.cpp源文件如下:
复制代码 代码如下:
#include "RemThreadInject.h"
#include <tlhelp32.h>
CRemThreadInject::CRemThreadInject(LPSTR lpDllName)
{
memcpy(m_szDllName, lpDllName, MAX_PATH);
EnableDebugPrivilege(TRUE);
}
CRemThreadInject::~CRemThreadInject(void)
{
EnableDebugPrivilege(FALSE);
}
BOOL CRemThreadInject::EnableDebugPrivilege(BOOL bEnable)
{
HANDLE hToken = INVALID_HANDLE_VALUE;
//OpenProcessToken
if (0 == ::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
{
return FALSE;
}
LUID luid;
//
::LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnable)
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
tp.Privileges[0].Attributes = 0;
if ( !AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES) NULL,
(PDWORD) NULL) )
{
return FALSE;
}
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
return FALSE;
}
::CloseHandle(hToken);
return TRUE;
}
// 注入DLL到指定的地址空间
BOOL CRemThreadInject::InjectModuleInto(DWORD dwProcessId)
{
//
if (::GetCurrentProcessId() == dwProcessId)
{
return FALSE;
}
BOOL bFound;
/************************************************************************/
/* 遍历模块 */
/************************************************************************/
HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
MODULEENTRY32 me32;
// Take a snapshot of all modules in the specified process.
hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwProcessId );
if( hModuleSnap == INVALID_HANDLE_VALUE )
{
return( FALSE );
}
me32.dwSize = sizeof( MODULEENTRY32 );
if( !Module32First( hModuleSnap, &me32 ) )
{
CloseHandle( hModuleSnap ); // Must clean up the snapshot object!
return( FALSE );
}
do
{
if (stricmp(me32.szModule, m_szDllName) == 0)
{
bFound = TRUE;
break;
}
} while( Module32Next( hModuleSnap, &me32 ) );
// Do not forget to clean up the snapshot object.
CloseHandle( hModuleSnap );
if (bFound) //如果已经加载了模块,就不再加载
{
return FALSE;
}
//如果没加载,打开进程,远程注入
HANDLE hProcess = ::OpenProcess(PROCESS_CREATE_THREAD |PROCESS_VM_OPERATION |PROCESS_VM_WRITE, FALSE, dwProcessId);
if (hProcess == NULL)
{
return FALSE;
}
HMODULE hKernerl32 = GetModuleHandle("kernel32.dll");
LPTHREAD_START_ROUTINE pfnLoadLibraryA = (LPTHREAD_START_ROUTINE)::GetProcAddress(hKernerl32, "LoadLibraryA");
int cbSize = strlen(m_szDllName)+1;
LPVOID lpRemoteDllName = ::VirtualAllocEx(hProcess, 0, cbSize, MEM_COMMIT, PAGE_READWRITE);
::WriteProcessMemory(hProcess, lpRemoteDllName, m_szDllName, cbSize, NULL);
HANDLE hRemoteThread = ::CreateRemoteThreadEx(hProcess, NULL, 0, pfnLoadLibraryA, lpRemoteDllName, 0, NULL, NULL);
if (NULL == hRemoteThread)
{
::CloseHandle(hProcess);
return FALSE;
}
//等待目标线程运行结束,即LoadLibraryA函数返回
::WaitForSingleObject(hRemoteThread, INFINITE);
::CloseHandle(hRemoteThread);
::CloseHandle(hProcess);
return TRUE;
}
// 从指定的地址空间卸载DLL
BOOL CRemThreadInject::EjectModuleFrom(DWORD dwProcessId)
{
//
if (::GetCurrentProcessId() == dwProcessId)
{
return FALSE;
}
BOOL bFound;
/************************************************************************/
/* 遍历模块 */
/************************************************************************/
HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
MODULEENTRY32 me32;
// Take a snapshot of all modules in the specified process.
hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwProcessId );
if( hModuleSnap == INVALID_HANDLE_VALUE )
{
return( FALSE );
}
me32.dwSize = sizeof( MODULEENTRY32 );
if( !Module32First( hModuleSnap, &me32 ) )
{
CloseHandle( hModuleSnap ); // Must clean up the snapshot object!
return( FALSE );
}
do
{
if (stricmp(me32.szModule, m_szDllName) == 0)
{
bFound = TRUE;
break;
}
} while( Module32Next( hModuleSnap, &me32 ) );
// Do not forget to clean up the snapshot object.
CloseHandle( hModuleSnap );
if (!bFound) //如果没有加载模块,就不能卸载
{
return FALSE;
}
//如果加载了,打开进程,远程注入
HANDLE hProcess = ::OpenProcess(PROCESS_CREATE_THREAD |PROCESS_VM_OPERATION |PROCESS_VM_WRITE, FALSE, dwProcessId);
if (hProcess == NULL)
{
return FALSE;
}
HMODULE hKernerl32 = GetModuleHandle("kernel32.dll");
LPTHREAD_START_ROUTINE pfnFreeLibrary = (LPTHREAD_START_ROUTINE)::GetProcAddress(hKernerl32, "FreeLibrary");
int cbSize = strlen(m_szDllName)+1;
LPVOID lpRemoteDllName = ::VirtualAllocEx(hProcess, 0, cbSize, MEM_COMMIT, PAGE_READWRITE);
::WriteProcessMemory(hProcess, lpRemoteDllName, m_szDllName, cbSize, NULL);
HANDLE hRemoteThread = ::CreateRemoteThreadEx(hProcess, NULL, 0, pfnFreeLibrary, lpRemoteDllName, 0, NULL, NULL);
if (NULL == hRemoteThread)
{
::CloseHandle(hProcess);
return FALSE;
}
//等待目标线程运行结束,即LoadLibraryA函数返回
::WaitForSingleObject(hRemoteThread, INFINITE);
::CloseHandle(hRemoteThread);
::CloseHandle(hProcess);
return TRUE;
}
#include <tlhelp32.h>
CRemThreadInject::CRemThreadInject(LPSTR lpDllName)
{
memcpy(m_szDllName, lpDllName, MAX_PATH);
EnableDebugPrivilege(TRUE);
}
CRemThreadInject::~CRemThreadInject(void)
{
EnableDebugPrivilege(FALSE);
}
BOOL CRemThreadInject::EnableDebugPrivilege(BOOL bEnable)
{
HANDLE hToken = INVALID_HANDLE_VALUE;
//OpenProcessToken
if (0 == ::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
{
return FALSE;
}
LUID luid;
//
::LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnable)
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
tp.Privileges[0].Attributes = 0;
if ( !AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES) NULL,
(PDWORD) NULL) )
{
return FALSE;
}
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
return FALSE;
}
::CloseHandle(hToken);
return TRUE;
}
// 注入DLL到指定的地址空间
BOOL CRemThreadInject::InjectModuleInto(DWORD dwProcessId)
{
//
if (::GetCurrentProcessId() == dwProcessId)
{
return FALSE;
}
BOOL bFound;
/************************************************************************/
/* 遍历模块 */
/************************************************************************/
HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
MODULEENTRY32 me32;
// Take a snapshot of all modules in the specified process.
hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwProcessId );
if( hModuleSnap == INVALID_HANDLE_VALUE )
{
return( FALSE );
}
me32.dwSize = sizeof( MODULEENTRY32 );
if( !Module32First( hModuleSnap, &me32 ) )
{
CloseHandle( hModuleSnap ); // Must clean up the snapshot object!
return( FALSE );
}
do
{
if (stricmp(me32.szModule, m_szDllName) == 0)
{
bFound = TRUE;
break;
}
} while( Module32Next( hModuleSnap, &me32 ) );
// Do not forget to clean up the snapshot object.
CloseHandle( hModuleSnap );
if (bFound) //如果已经加载了模块,就不再加载
{
return FALSE;
}
//如果没加载,打开进程,远程注入
HANDLE hProcess = ::OpenProcess(PROCESS_CREATE_THREAD |PROCESS_VM_OPERATION |PROCESS_VM_WRITE, FALSE, dwProcessId);
if (hProcess == NULL)
{
return FALSE;
}
HMODULE hKernerl32 = GetModuleHandle("kernel32.dll");
LPTHREAD_START_ROUTINE pfnLoadLibraryA = (LPTHREAD_START_ROUTINE)::GetProcAddress(hKernerl32, "LoadLibraryA");
int cbSize = strlen(m_szDllName)+1;
LPVOID lpRemoteDllName = ::VirtualAllocEx(hProcess, 0, cbSize, MEM_COMMIT, PAGE_READWRITE);
::WriteProcessMemory(hProcess, lpRemoteDllName, m_szDllName, cbSize, NULL);
HANDLE hRemoteThread = ::CreateRemoteThreadEx(hProcess, NULL, 0, pfnLoadLibraryA, lpRemoteDllName, 0, NULL, NULL);
if (NULL == hRemoteThread)
{
::CloseHandle(hProcess);
return FALSE;
}
//等待目标线程运行结束,即LoadLibraryA函数返回
::WaitForSingleObject(hRemoteThread, INFINITE);
::CloseHandle(hRemoteThread);
::CloseHandle(hProcess);
return TRUE;
}
// 从指定的地址空间卸载DLL
BOOL CRemThreadInject::EjectModuleFrom(DWORD dwProcessId)
{
//
if (::GetCurrentProcessId() == dwProcessId)
{
return FALSE;
}
BOOL bFound;
/************************************************************************/
/* 遍历模块 */
/************************************************************************/
HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
MODULEENTRY32 me32;
// Take a snapshot of all modules in the specified process.
hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwProcessId );
if( hModuleSnap == INVALID_HANDLE_VALUE )
{
return( FALSE );
}
me32.dwSize = sizeof( MODULEENTRY32 );
if( !Module32First( hModuleSnap, &me32 ) )
{
CloseHandle( hModuleSnap ); // Must clean up the snapshot object!
return( FALSE );
}
do
{
if (stricmp(me32.szModule, m_szDllName) == 0)
{
bFound = TRUE;
break;
}
} while( Module32Next( hModuleSnap, &me32 ) );
// Do not forget to clean up the snapshot object.
CloseHandle( hModuleSnap );
if (!bFound) //如果没有加载模块,就不能卸载
{
return FALSE;
}
//如果加载了,打开进程,远程注入
HANDLE hProcess = ::OpenProcess(PROCESS_CREATE_THREAD |PROCESS_VM_OPERATION |PROCESS_VM_WRITE, FALSE, dwProcessId);
if (hProcess == NULL)
{
return FALSE;
}
HMODULE hKernerl32 = GetModuleHandle("kernel32.dll");
LPTHREAD_START_ROUTINE pfnFreeLibrary = (LPTHREAD_START_ROUTINE)::GetProcAddress(hKernerl32, "FreeLibrary");
int cbSize = strlen(m_szDllName)+1;
LPVOID lpRemoteDllName = ::VirtualAllocEx(hProcess, 0, cbSize, MEM_COMMIT, PAGE_READWRITE);
::WriteProcessMemory(hProcess, lpRemoteDllName, m_szDllName, cbSize, NULL);
HANDLE hRemoteThread = ::CreateRemoteThreadEx(hProcess, NULL, 0, pfnFreeLibrary, lpRemoteDllName, 0, NULL, NULL);
if (NULL == hRemoteThread)
{
::CloseHandle(hProcess);
return FALSE;
}
//等待目标线程运行结束,即LoadLibraryA函数返回
::WaitForSingleObject(hRemoteThread, INFINITE);
::CloseHandle(hRemoteThread);
::CloseHandle(hProcess);
return TRUE;
}
希望本文所述对大家的C++程序设计有所帮助。
上一篇:C++计算ICMP头的校验和实例
栏 目:C语言
下一篇:C++针对bmp格式解析实例
本文标题:C++封装远程注入类CreateRemoteThreadEx实例
本文地址:https://www.xiuzhanwang.com/a1/Cyuyan/3236.html
您可能感兴趣的文章
- 04-02c语言没有round函数 round c语言
- 01-10深入理解C++中常见的关键字含义
- 01-10使用C++实现全排列算法的方法详解
- 01-10c++中inline的用法分析
- 01-10用C++实现DBSCAN聚类算法
- 01-10全排列算法的非递归实现与递归实现的方法(C++)
- 01-10C++大数模板(推荐)
- 01-10浅谈C/C++中的static与extern关键字的使用详解
- 01-10深入C/C++浮点数在内存中的存储方式详解
- 01-10深入理解C/C++混合编程
阅读排行
本栏相关
- 04-02c语言函数调用后清空内存 c语言调用
- 04-02func函数+在C语言 func函数在c语言中
- 04-02c语言的正则匹配函数 c语言正则表达
- 04-02c语言用函数写分段 用c语言表示分段
- 04-02c语言中对数函数的表达式 c语言中对
- 04-02c语言编写函数冒泡排序 c语言冒泡排
- 04-02c语言没有round函数 round c语言
- 04-02c语言分段函数怎么求 用c语言求分段
- 04-02C语言中怎么打出三角函数 c语言中怎
- 04-02c语言调用函数求fibo C语言调用函数求
随机阅读
- 08-05dedecms(织梦)副栏目数量限制代码修改
- 01-10C#中split用法实例总结
- 01-10SublimeText编译C开发环境设置
- 01-11ajax实现页面的局部加载
- 01-10使用C语言求解扑克牌的顺子及n个骰子
- 04-02jquery与jsp,用jquery
- 08-05DEDE织梦data目录下的sessions文件夹有什
- 01-11Mac OSX 打开原生自带读写NTFS功能(图文
- 01-10delphi制作wav文件的方法
- 08-05织梦dedecms什么时候用栏目交叉功能?