Inject-APC （Ring3）

  1 // APCInject.cpp : 定义控制台应用程序的入口点。
  2 //
  3 
  4 #include "stdafx.h"
  5 #include "APCInject.h"
  6 
  7 #include <windows.h>
  8 #include <TlHelp32.h>
  9 
 10 #include <iostream>
 11 #include <string>
 12  
 13 
 14 
 15 #define _WIN32_WINNT 0x0400
 16 
 17 #define DEF_BUF_SIZE 1024
 18 
 19 
 20 #ifdef _DEBUG
 21 #define new DEBUG_NEW
 22 #endif
 23 
 24 
 25 // 唯一的应用程序对象
 26 
 27 CWinApp theApp;
 28 
 29 using namespace std;
 30 
 31 
 32 typedef long(__fastcall *pfnRtlAdjustPrivilege64)(ULONG, ULONG, ULONG, PVOID);
 33 pfnRtlAdjustPrivilege64 RtlAdjustPrivilege;
 34 BOOL InjectModuleToProcessById(DWORD dwProcessId);
 35 // 用于存储注入模块DLL的路径全名
 36 char szDllPath[DEF_BUF_SIZE] = { 0 };
 37 int main()
 38 {
 39     int nRetCode = 0;
 40     // 取得当前工作目录路径
 41     GetCurrentDirectoryA(DEF_BUF_SIZE, szDllPath);
 42 
 43     // 生成注入模块DLL的路径全名
 44     strcat(szDllPath, "\MessageBox32.dll");
 45 
 46     DWORD dwProcessId = 0;
 47     // 接收用户输入的目标进程ID
 48     while (cout << "请输入目标进程ID：" && cin >> dwProcessId && dwProcessId > 0)
 49     {
 50         BOOL bRet = InjectModuleToProcessById(dwProcessId);
 51         cout << (bRet ? "注入成功！" : "注入失败！") << endl;
 52     }
 53     
 54     return nRetCode;
 55 }
 56 
 57 
 58 
 59 // 使用APC机制向指定ID的进程注入模块
 60 BOOL InjectModuleToProcessById(DWORD dwProcessId)
 61 {
 62     DWORD    dwRet = 0;
 63     BOOL    bStatus = FALSE;
 64     LPVOID    lpData = NULL;
 65     UINT    uLen = strlen(szDllPath) + 1;
 66     LPTHREAD_START_ROUTINE FuncAddress = NULL;
 67     DWORD dwRetVal = 0;
 68 #ifdef _WIN64   // x64 OpenProcess提权操作
 69     //RtlAdjustPrivilege = (pfnRtlAdjustPrivilege64)GetProcAddress((HMODULE)(FuncAddress(L"ntdll.dll")), "RtlAdjustPrivilege");
 70 
 71     //if (RtlAdjustPrivilege == NULL)
 72     //{
 73     //    return FALSE;
 74     //}
 75     ///*
 76     //.常量 SE_BACKUP_PRIVILEGE, "17", 公开
 77     //.常量 SE_RESTORE_PRIVILEGE, "18", 公开
 78     //.常量 SE_SHUTDOWN_PRIVILEGE, "19", 公开
 79     //.常量 SE_DEBUG_PRIVILEGE, "20", 公开
 80     //*/
 81     //RtlAdjustPrivilege(20, 1, 0, &dwRetVal);  //19
 82 #endif
 83                                               // 打开目标进程
 84     HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
 85     if (hProcess)
 86     {
 87         // 分配空间
 88         lpData = VirtualAllocEx(hProcess, NULL, uLen, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 89         if (lpData)
 90         {
 91             // 写入需要注入的模块路径全名
 92             bStatus = WriteProcessMemory(hProcess, lpData, szDllPath, uLen, NULL);
 93         }
 94         CloseHandle(hProcess);
 95     }
 96 
 97     if (bStatus == FALSE)
 98         return FALSE;
 99 
100     // 创建线程快照
101     THREADENTRY32 te32 = { sizeof(THREADENTRY32) };
102     HANDLE hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
103     if (hThreadSnap == INVALID_HANDLE_VALUE)
104         return FALSE;
105 
106     bStatus = FALSE;
107     // 枚举所线程
108     if (Thread32First(hThreadSnap, &te32))
109     {
110         do {
111             // 判断是否目标进程中的线程
112             if (te32.th32OwnerProcessID == dwProcessId)
113             {
114                 // 打开线程
115                 HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, te32.th32ThreadID);
116                 if (hThread)
117                 {
118                     // 向指定线程添加APC
119                     DWORD dwRet = QueueUserAPC((PAPCFUNC)LoadLibraryA, hThread, (ULONG_PTR)lpData);
120                     if (dwRet > 0)
121                         bStatus = TRUE;
122                     CloseHandle(hThread);
123                 }
124             }
125 
126         } while (Thread32Next(hThreadSnap, &te32));
127     }
128 
129     CloseHandle(hThreadSnap);
130     return bStatus;
131 }