远程注入代码

1.复制代码的编写原则：
　　不能有全局变量
　　不能使用常量字符串
　　不能使用系统调用
　　不能嵌套调用其他函数
  1 // 远程代码注入.cpp : 定义控制台应用程序的入口点。
  2 //
  3 
  4 #include "stdafx.h"
  5 #include <windows.h>
  6 //自己定义个结构体，方面后面参数使用
  7 /************************************************************************/
  8 /* 远程线程实现CreateFile                                                                     */
  9 /************************************************************************/
 10 typedef struct 
 11 {
 12 
 13     DWORD dwCreateAPIAddr;                //Createfile函数的地址
 14     LPCTSTR lpFileName;                    //下面都是CreateFile所需要用到的参数
 15     DWORD dwDesiredAccess;
 16     DWORD dwShareMode;
 17     LPSECURITY_ATTRIBUTES lpSecurityAttributes;
 18     DWORD dwCreationDisposition;
 19     DWORD dwFlagsAndAttributes;
 20     HANDLE hTemplateFile;
 21 }CREATEFILE_PARAM;
 22 
 23 //定义一个函数指针
 24 
 25 typedef HANDLE(WINAPI* PFN_CreateFile)
 26 (LPCTSTR lpFileName,
 27     DWORD dwDesiredAccess,
 28     DWORD dwShareMode,
 29     LPSECURITY_ATTRIBUTES lpSecurityAttributes,
 30     DWORD dwCreationDisposition,
 31     DWORD dwFlagsAndAttributes,
 32     HANDLE hTemplateFile);
 33 
 34 
 35 
 36 
 37 //编写要复制到目标进程的函数 2 
 38 DWORD _stdcall CreateFileThreadProc(LPVOID lparam)
 39 {
 40     CREATEFILE_PARAM* Gcreate = (CREATEFILE_PARAM*)lparam;
 41     PFN_CreateFile pfnCreateFile;
 42     pfnCreateFile =(PFN_CreateFile) Gcreate->dwCreateAPIAddr;
 43     //creatFile结构体全部参数 1
 44     pfnCreateFile(Gcreate->lpFileName, Gcreate->dwDesiredAccess, Gcreate->dwShareMode,
 45         Gcreate->lpSecurityAttributes, Gcreate->dwCreationDisposition, Gcreate->dwFlagsAndAttributes,
 46         Gcreate->hTemplateFile);
 47     
 48     return 0; 
 49 
 50 }
 51 
 52 //远程创建文件
 53 BOOL RemotCreateFile(DWORD dwProcessID, char* szFilePathName)
 54 {
 55     BOOL bRet;
 56     DWORD dwThread;
 57     HANDLE hProcess;
 58     HANDLE hThread;
 59     DWORD dwThreadFunSize;
 60     CREATEFILE_PARAM GCreateFile;
 61     LPVOID lpFilePathName;
 62     LPVOID lpRemotThreadAddr;
 63     LPVOID lpFileParamAddr;
 64     DWORD dwFunAddr;
 65     HMODULE hModule;
 66     
 67 
 68     bRet = 0;
 69     hProcess = 0;
 70     dwThreadFunSize = 0x400;
 71     //1.获取进程的句柄
 72     hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessID);
 73     if (hProcess == NULL)
 74     {
 75         OutputDebugString("OpenProcessError!
");
 76         return FALSE;
 77     }
 78     //2.分配3段内存：存储参数，线程函数，文件名
 79 
 80     //2.1 用来存储文件名，//+1是要计算到结尾处
 81     lpFilePathName = VirtualAllocEx(hProcess, NULL, strlen(szFilePathName)+1, MEM_COMMIT, PAGE_READWRITE);//在指定的进程中分配内存
 82     
 83     //2.2 用来存储线程函数
 84     lpRemotThreadAddr = VirtualAllocEx(hProcess, NULL, dwThreadFunSize, MEM_COMMIT, PAGE_READWRITE);//在指定的进程中分配内存
 85 
 86     //2.3 用来存储文件参数
 87     lpFileParamAddr = VirtualAllocEx(hProcess, NULL, sizeof(CREATEFILE_PARAM), MEM_COMMIT, PAGE_READWRITE);//在指定的进程中分配内存
 88 
 89 
 90     //3. 初始化CreateFile参数
 91     GCreateFile.dwDesiredAccess = GENERIC_READ | GENERIC_WRITE;
 92     GCreateFile.dwShareMode = 0;
 93     GCreateFile.lpSecurityAttributes = NULL;
 94     GCreateFile.dwCreationDisposition = OPEN_ALWAYS;
 95     GCreateFile.dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL;
 96     GCreateFile.hTemplateFile = NULL;
 97     
 98     //4.获取CreateFile的地址
 99     /*因为每个进程中的LoadLibrary函数都在Kernel32,dll中，而且此dll的物理页是共享的，所以
100     我们进程中获得的LoadLibrary地址和别的进程都是一样的*/
101     hModule = GetModuleHandle("kernel32.dll");
102     GCreateFile.dwCreateAPIAddr = (DWORD)GetProcAddress(hModule, "CreateFileA");
103     FreeLibrary(hModule);
104 
105     //5.初始化CreatFile文件名
106     GCreateFile.lpFileName = (LPCTSTR)lpFilePathName;
107 
108     //6.修改线程函数起始地址
109     dwFunAddr = (DWORD)CreateFileThreadProc;
110     
111     //间接跳
112     if (*((BYTE*)dwFunAddr) == 0xE9)
113     {
114         dwFunAddr = dwFunAddr + 5 + *(DWORD*)(dwFunAddr + 1);
115     }
116 
117     //7.开始复制
118     //7.1 拷贝文件名
119     WriteProcessMemory(hProcess, lpFilePathName, szFilePathName, strlen(szFilePathName) + 1, 0);
120 
121     //7.2 拷贝线程函数
122     WriteProcessMemory(hProcess, lpRemotThreadAddr, (LPVOID)dwFunAddr, dwThreadFunSize, 0);
123 
124     //7.3拷贝参数
125     WriteProcessMemory(hProcess, lpFileParamAddr, &GCreateFile, sizeof(CREATEFILE_PARAM), 0);
126 
127 
128     //8.创建远程线程
129 
130     hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpRemotThreadAddr, lpFileParamAddr, 0, &dwThread);//lpAllocAddr传给线程函数的参数.因为dll名字分配在内存中
131     if (hThread == NULL)
132     {
133         OutputDebugString("CreateRemoteThread Error!
");
134         CloseHandle(hProcess);
135         CloseHandle(hModule);
136         return FALSE;
137     }
138     //9.关闭资源
139     CloseHandle(hProcess);
140     CloseHandle(hThread);
141     CloseHandle(hModule);
142     return TRUE;
143 
144 }
145 
146 
147 int main()
148 {
149     RemotCreateFile(PID, "文件名");150     return 0;
151 }
请勿转载，仅供学习使用！！！！！！