远程注入执行函数(三)

tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if(!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
{
//OutputDebugString("AdjustProcessTokenPrivilege AdjustTokenPrivileges Failed ! \n");
CloseHandle(hToken);
return FALSE;
}
return true;
}
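// Copies ThreadFunc (the bytes between ThreadFunc and OffsetFunc) plus a
// ProcStruct argument block into an already-opened target process and runs
// it on a new remote thread, waiting for that thread to finish.
//
// hProcess must carry PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |
// PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION (see the caller).
// Returns TRUE when the remote thread was created and ran to completion,
// FALSE on any failure. Remote allocations and the thread handle are
// released on every path.
//
// NOTE(review): this presumes ThreadFunc is laid out contiguously before
// OffsetFunc and contains no absolute references into this process (no
// calls through the import table, no string literals) — the classic
// "copy a function's bytes" trick. A compiler that reorders functions,
// inlines, or emits incremental-link thunks breaks that assumption; build
// with optimizations and incremental linking off when using this.
static BOOL InjectIntoOpenedProcess(HANDLE hProcess)
{
    BOOL ok = FALSE;
    void *pMemProcStruct = NULL;
    void *pMemFunction = NULL;
    HANDLE hRemoteThread = NULL;
    DWORD oldProtect = 0;
    SIZE_T FuncLen = 0;
    ProcStruct PS;

    // Was: if (hProcess == NULL) after GetModuleHandle — a copy/paste slip that
    // never checked the module handle. Check the module and the export.
    HMODULE hUser32 = GetModuleHandle(_T("User32.dll"));
    if (hUser32 == NULL)
    {
        return FALSE;
    }
    // NOTE(review): the address is resolved in *this* process and handed to
    // the remote thread unchanged; it is only valid there if User32.dll is
    // mapped at the same base in the target (usually true for system DLLs
    // within one boot/session, but not guaranteed, and never across
    // 32-bit/64-bit boundaries).
    FARPROC MsgAddr = GetProcAddress(hUser32, "MessageBoxW");
    if (MsgAddr == NULL)
    {
        return FALSE;
    }

    // Zero the whole struct first so padding bytes are not copied
    // uninitialized into the target.
    ZeroMemory(&PS, sizeof(PS));
    PS.MsgAddr = MsgAddr;
    _tcscpy(PS.strMsg, _T("This is Message!"));
    _tcscpy(PS.strTitle, _T("Title"));

    // Pointer arithmetic via ULONG_PTR so the length is right on x64 as well
    // (the original cast both addresses to DWORD). If the compiler placed
    // OffsetFunc before ThreadFunc the subtraction would wrap to a huge
    // size; refuse that instead of allocating gigabytes in the target.
    if ((ULONG_PTR)OffsetFunc <= (ULONG_PTR)ThreadFunc)
    {
        return FALSE;
    }
    FuncLen = (SIZE_T)((ULONG_PTR)OffsetFunc - (ULONG_PTR)ThreadFunc);

    // Argument block: plain read/write memory.
    pMemProcStruct = VirtualAllocEx(hProcess, NULL, sizeof(ProcStruct),
                                    MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!pMemProcStruct)
    {
        goto cleanup;
    }
    if (!WriteProcessMemory(hProcess, pMemProcStruct, &PS, sizeof(ProcStruct), NULL))
    {
        goto cleanup;
    }

    // Code: allocate writable, copy, then flip to execute-only-read (W^X)
    // instead of leaving a PAGE_EXECUTE_READWRITE region in the target.
    pMemFunction = VirtualAllocEx(hProcess, NULL, FuncLen,
                                  MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!pMemFunction)
    {
        goto cleanup;
    }
    if (!WriteProcessMemory(hProcess, pMemFunction, (LPCVOID)ThreadFunc, FuncLen, NULL))
    {
        goto cleanup;
    }
    if (!VirtualProtectEx(hProcess, pMemFunction, FuncLen, PAGE_EXECUTE_READ, &oldProtect))
    {
        goto cleanup;
    }
    // Freshly written code must be visible to the target's instruction
    // cache before a thread runs it.
    if (!FlushInstructionCache(hProcess, pMemFunction, FuncLen))
    {
        goto cleanup;
    }

    hRemoteThread = CreateRemoteThread(hProcess, NULL, 0,
                                       (LPTHREAD_START_ROUTINE)pMemFunction,
                                       pMemProcStruct, 0, NULL);
    if (!hRemoteThread)
    {
        goto cleanup;
    }

    // INFINITE wait, as in the original: if the injected code blocks (e.g. a
    // modal MessageBox nobody dismisses) this call blocks with it. Freeing
    // the remote memory before the thread has finished would be a
    // use-after-free in the target, so the wait must precede cleanup.
    ok = (WaitForSingleObject(hRemoteThread, INFINITE) == WAIT_OBJECT_0);

cleanup:
    if (hRemoteThread)
    {
        CloseHandle(hRemoteThread);
    }
    // MEM_RELEASE requires dwSize == 0; the original passed the allocation
    // size, which makes VirtualFreeEx fail with ERROR_INVALID_PARAMETER and
    // silently leaked both regions in the target.
    if (pMemFunction)
    {
        VirtualFreeEx(hProcess, pMemFunction, 0, MEM_RELEASE);
    }
    if (pMemProcStruct)
    {
        VirtualFreeEx(hProcess, pMemProcStruct, 0, MEM_RELEASE);
    }
    return ok;
}

// Injects ThreadFunc into the process identified by dwProcessId and runs it
// there (see InjectIntoOpenedProcess for the mechanics).
//
// This is process injection: it enables SeDebugPrivilege via
// AdjustProcessTokenPrivilege (best effort — its result is not checked, so
// OpenProcess simply fails on targets the caller may not touch) and then
// writes and executes code inside another process. Treat dwProcessId as
// operator-controlled input; there is no policy check here on *which*
// process is targeted.
//
// Returns 0 when the routine ran (or when any step failed — the original
// return convention conflates the two; callers cannot distinguish success
// from failure from this value alone) and (DWORD)-1 when a C++ exception
// escaped. NOTE(review): catch(...) does not catch SEH faults such as
// access violations unless the file is compiled with /EHa, so the catch is
// narrower than it looks.
DWORD InjectFunctionToProcess(DWORD dwProcessId)
{
    AdjustProcessTokenPrivilege();
    try
    {
        HANDLE hProcess = OpenProcess(
            PROCESS_QUERY_INFORMATION | // CreateRemoteThread needs it on some Windows versions
            PROCESS_CREATE_THREAD |     // CreateRemoteThread
            PROCESS_VM_OPERATION |      // VirtualAllocEx/VirtualProtectEx/VirtualFreeEx
            PROCESS_VM_WRITE,           // WriteProcessMemory
            FALSE, dwProcessId);
        if (hProcess == NULL)
        {
            return 0;
        }
        // The original never closed hProcess on any path; close it here
        // regardless of what the injection step reports.
        InjectIntoOpenedProcess(hProcess);
        CloseHandle(hProcess);
    }
    catch (...)
    {
        return (DWORD)-1;
    }
    return 0;
}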
// Message handler for the "Inject" dialog box.
INT_PTR CALLBACK Inject(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam)
{
UNREFERENCED_PARAMETER(lParam);
switch (message)
{
case WM_INITDIALOG:
return (INT_PTR)TRUE;
case WM_COMMAND:
if (LOWORD(wParam) == IDCANCEL)
{
EndDialog(hDlg, LOWORD(wParam));
return (INT_PTR)TRUE;
}
else if (LOWORD(wParam) == IDOK)
{
DWORD dwProcessId = GetDlgItemInt(hDlg, IDC_INJECTTOREMOTEPROCESS, NULL, FALSE);
if (dwProcessId == 0) {
// A process ID of 0 causes everything to take place in the
// local process; this makes things easier for d