- 通过令牌提升权限
// Attempt to enable one privilege on the current process token.
//
// Returns TRUE only when AdjustTokenPrivileges returns nonzero; FALSE when the
// token cannot be opened or the adjustment call fails. Only the return value
// is examined - GetLastError() is never consulted.
BOOL opendebug()
{
    // Token of the current process; valid only inside the if-branch below.
    HANDLE htoken;
    // Result flag: did the adjustment call report success?
    BOOL fok = FALSE;
    // TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES are the rights requested on the token.
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &htoken))
    {
        TOKEN_PRIVILEGES tp;
        // Exactly one privilege entry is described.
        tp.PrivilegeCount = 1;
        // NOTE(review): tp.Privileges[0].Luid is never assigned anywhere in this
        // function, so the call below reads an indeterminate automatic value.
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // PreviousState/ReturnLength are not requested (NULL, NULL).
        if (!AdjustTokenPrivileges(htoken, FALSE, &tp, sizeof(tp), NULL, NULL))
        {
            // Failure branch is intentionally empty: nothing is reported, fok stays FALSE.
        }
        else
        {
            fok = TRUE;
        }
        CloseHandle(htoken); // release the token handle on both outcomes
    }
    return fok;

}
- 通过进程名获取进程id
// Look up a process id by executable image name.
//
// name:    image file name to compare against PROCESSENTRY32.szExeFile
//          (case-insensitive, via the MSVC CRT _strcmpi).
// Returns: th32ProcessID of the first matching entry, or 0 when no entry matches.
//
// NOTE(review): the snapshot handle is never validated (no INVALID_HANDLE_VALUE
// check) and the return value of Process32First is ignored, so pe32 may be
// examined without having been filled in.
DWORD findprocessid(char *name)
{
    // Snapshot of all processes on the system.
    HANDLE hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe32;
    // dwSize must be set before the first Process32* call.
    pe32.dwSize = sizeof(PROCESSENTRY32);
    Process32First(hsnap, &pe32);
    do
    {
        if (_strcmpi(pe32.szExeFile,name)==0)
        {
            puts("find it");
            // NOTE(review): returns without CloseHandle(hsnap) - the snapshot
            // handle leaks on the found path.
            return pe32.th32ProcessID;
        }


    } while (Process32Next(hsnap,&pe32));
    CloseHandle(hsnap); // only reached when no entry matched
    return 0;
}
- dll注入
// DLL injection into a remote process.
//
// Step 1 loads dllname into the *current* process to compute the byte offset
// of funname from the module base, then frees it again. Step 2 writes the DLL
// path into `process`, runs LoadLibraryA there via CreateRemoteThread, takes
// the thread exit code as the remote module base, and starts a second remote
// thread at base + offset with the same buffer as its argument.
//
// process: handle opened by the caller (needs thread-creation and VM rights).
// dllname: path passed both to the local LoadLibrary and to the remote one.
// funname: exported symbol whose offset is computed.
// Returns: always 0; all failures are only printed, never propagated.
//
// NOTE(review): the return values of WriteProcessMemory, GetExitCodeThread and
// VirtualFreeEx are ignored, and neither thread handle is ever closed.
int dllinject(HANDLE process, const char *dllname, const char *funname)
{
    // Offset of funname from the module base; stays 0 if step 1 fails.
    unsigned int off_set = 0;
    void(*pfun)() = NULL; // local address of funname
    HANDLE hthread = NULL; // reused for both remote threads
    HMODULE dllit = NULL;  // local mapping of the DLL (base address)
    dllit = LoadLibrary(dllname);
    if (dllit==NULL)
    {
        printf("载入失败");
    }
    else
    {
        printf("载入OK");
        // Resolve the exported function inside the local mapping.
        pfun = (void(*)())GetProcAddress(dllit, funname);


        if (pfun ==NULL)
        {
            printf("获取失败");
        }
        else
        {
            // Byte distance between the export and the module base.
            off_set = (char*)pfun - (char *)dllit;

            printf("获取成功,offset=%u",off_set);
            // pfun(); // left disabled by the author: calling it here crashes
            FreeLibrary(dllit); // local mapping is no longer needed
        }

    }

    // Length of the path including the terminating NUL (size_t narrowed to int).
    int dllnamelength = strlen(dllname) + 1;
    // Buffer in the target process that will hold the DLL path.
    LPVOID paddr = VirtualAllocEx(process, NULL, dllnamelength, MEM_COMMIT, PAGE_READWRITE);
    if (paddr==NULL)
    {
        printf("进程内存分配失败");
    }
    else
    {
        // Copy the path into the remote buffer (result not checked).
        WriteProcessMemory(process, paddr, (void*)dllname, dllnamelength, 0);
        printf(" 进程内存分配成功并且拷贝成功");

        // LoadLibraryA is resolved from this process's kernel32 mapping.
        HMODULE hmode = GetModuleHandleA("Kernel32.dll");
        LPTHREAD_START_ROUTINE funstart = (LPTHREAD_START_ROUTINE)GetProcAddress(hmode, "LoadLibraryA");

        // First remote thread: LoadLibraryA(paddr) in the target.
        hthread = CreateRemoteThread(process, NULL, 0, funstart, paddr, 0, 0);
        if (hthread==NULL)
        {
            // NOTE(review): only a message is printed; a NULL hthread is still
            // passed to WaitForSingleObject and GetExitCodeThread below.
            puts("线程失败");
        }
        WaitForSingleObject(hthread, INFINITE);
        printf(" 远程线程结束");

        // Thread exit code is used as the remote module base.
        DWORD dllmodule=0;
        GetExitCodeThread(hthread, &dllmodule);
        void(*pfunX)() = NULL;
        // Remote address of funname: remote base + locally computed offset.
        pfunX = (void(*)())(dllmodule + off_set);

        // Second remote thread: call the export, again with paddr as argument.
        hthread = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)pfunX, paddr, 0, 0);
        if (hthread == NULL)
        {
            puts("线程失败");
        }
        WaitForSingleObject(hthread, INFINITE);
        // Decommit the remote buffer (result not checked).
        VirtualFreeEx(process, paddr, dllnamelength, MEM_DECOMMIT);
    }
    return 0;
}
- 注入
// Entry point tying the steps together.
//
// exename: image name of the target process (see findprocessid).
// dllname: DLL path handed to dllinject.
// funname: exported function name handed to dllinject.
// Returns: always 0. The results of opendebug() and dllinject() are ignored.
int insertdll(char *exename, const char *dllname, const char *funname)
{
    // Return value ignored: the rest of the function runs even if this failed.
    opendebug();
    // Process id of the target (0 when not found).
    DWORD processid = findprocessid(exename);
    if (processid!=0)
    {
        // Rights requested: create threads, perform VM operations, write VM.
        HANDLE process = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, processid);
        if (process!=NULL)
        {
            dllinject(process, dllname, funname);
        }
        // NOTE(review): executed even when OpenProcess returned NULL.
        CloseHandle(process);
    }
    else
    {
        printf("进程查找失败");
    }
    return 0;
}
完整代码
#include <Windows.h>
#include<TlHelp32.h>
#include <stdio.h>
#include <stdlib.h>
// NOTE(review): strlen is used below but <string.h> is not included directly.

// Attempt to enable one privilege on the current process token.
//
// Returns TRUE only when AdjustTokenPrivileges returns nonzero; FALSE when the
// token cannot be opened or the adjustment call fails. Only the return value
// is examined - GetLastError() is never consulted.
BOOL opendebug()
{
    // Token of the current process; valid only inside the if-branch below.
    HANDLE htoken;
    // Result flag: did the adjustment call report success?
    BOOL fok = FALSE;
    // TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES are the rights requested on the token.
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &htoken))
    {
        TOKEN_PRIVILEGES tp;
        // Exactly one privilege entry is described.
        tp.PrivilegeCount = 1;
        // NOTE(review): tp.Privileges[0].Luid is never assigned anywhere in this
        // function, so the call below reads an indeterminate automatic value.
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // PreviousState/ReturnLength are not requested (NULL, NULL).
        if (!AdjustTokenPrivileges(htoken, FALSE, &tp, sizeof(tp), NULL, NULL))
        {
            // Failure branch is intentionally empty: nothing is reported, fok stays FALSE.
        }
        else
        {
            fok = TRUE;
        }
        CloseHandle(htoken); // release the token handle on both outcomes
    }
    return fok;

}

// Look up a process id by executable image name.
//
// name:    image file name to compare against PROCESSENTRY32.szExeFile
//          (case-insensitive, via the MSVC CRT _strcmpi).
// Returns: th32ProcessID of the first matching entry, or 0 when no entry matches.
//
// NOTE(review): the snapshot handle is never validated (no INVALID_HANDLE_VALUE
// check) and the return value of Process32First is ignored, so pe32 may be
// examined without having been filled in.
DWORD findprocessid(char *name)
{
    // Snapshot of all processes on the system.
    HANDLE hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe32;
    // dwSize must be set before the first Process32* call.
    pe32.dwSize = sizeof(PROCESSENTRY32);
    Process32First(hsnap, &pe32);
    do
    {
        if (_strcmpi(pe32.szExeFile,name)==0)
        {
            puts("find it");
            // NOTE(review): returns without CloseHandle(hsnap) - the snapshot
            // handle leaks on the found path.
            return pe32.th32ProcessID;
        }


    } while (Process32Next(hsnap,&pe32));
    CloseHandle(hsnap); // only reached when no entry matched
    return 0;
}

// DLL injection into a remote process.
//
// Step 1 loads dllname into the *current* process to compute the byte offset
// of funname from the module base, then frees it again. Step 2 writes the DLL
// path into `process`, runs LoadLibraryA there via CreateRemoteThread, takes
// the thread exit code as the remote module base, and starts a second remote
// thread at base + offset with the same buffer as its argument.
//
// process: handle opened by the caller (needs thread-creation and VM rights).
// dllname: path passed both to the local LoadLibrary and to the remote one.
// funname: exported symbol whose offset is computed.
// Returns: always 0; all failures are only printed, never propagated.
//
// NOTE(review): the return values of WriteProcessMemory, GetExitCodeThread and
// VirtualFreeEx are ignored, and neither thread handle is ever closed.
int dllinject(HANDLE process, const char *dllname, const char *funname)
{
    // Offset of funname from the module base; stays 0 if step 1 fails.
    unsigned int off_set = 0;
    void(*pfun)() = NULL; // local address of funname
    HANDLE hthread = NULL; // reused for both remote threads
    HMODULE dllit = NULL;  // local mapping of the DLL (base address)
    dllit = LoadLibrary(dllname);
    if (dllit==NULL)
    {
        printf("载入失败");
    }
    else
    {
        printf("载入OK");
        // Resolve the exported function inside the local mapping.
        pfun = (void(*)())GetProcAddress(dllit, funname);


        if (pfun ==NULL)
        {
            printf("获取失败");
        }
        else
        {
            // Byte distance between the export and the module base.
            off_set = (char*)pfun - (char *)dllit;

            printf("获取成功,offset=%u",off_set);
            // pfun(); // left disabled by the author: calling it here crashes
            FreeLibrary(dllit); // local mapping is no longer needed
        }

    }

    // Length of the path including the terminating NUL (size_t narrowed to int).
    int dllnamelength = strlen(dllname) + 1;
    // Buffer in the target process that will hold the DLL path.
    LPVOID paddr = VirtualAllocEx(process, NULL, dllnamelength, MEM_COMMIT, PAGE_READWRITE);
    if (paddr==NULL)
    {
        printf("进程内存分配失败");
    }
    else
    {
        // Copy the path into the remote buffer (result not checked).
        WriteProcessMemory(process, paddr, (void*)dllname, dllnamelength, 0);
        printf(" 进程内存分配成功并且拷贝成功");

        // LoadLibraryA is resolved from this process's kernel32 mapping.
        HMODULE hmode = GetModuleHandleA("Kernel32.dll");
        LPTHREAD_START_ROUTINE funstart = (LPTHREAD_START_ROUTINE)GetProcAddress(hmode, "LoadLibraryA");

        // First remote thread: LoadLibraryA(paddr) in the target.
        hthread = CreateRemoteThread(process, NULL, 0, funstart, paddr, 0, 0);
        if (hthread==NULL)
        {
            // NOTE(review): only a message is printed; a NULL hthread is still
            // passed to WaitForSingleObject and GetExitCodeThread below.
            puts("线程失败");
        }
        WaitForSingleObject(hthread, INFINITE);
        printf(" 远程线程结束");

        // Thread exit code is used as the remote module base.
        DWORD dllmodule=0;
        GetExitCodeThread(hthread, &dllmodule);
        void(*pfunX)() = NULL;
        // Remote address of funname: remote base + locally computed offset.
        pfunX = (void(*)())(dllmodule + off_set);

        // Second remote thread: call the export, again with paddr as argument.
        hthread = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)pfunX, paddr, 0, 0);
        if (hthread == NULL)
        {
            puts("线程失败");
        }
        WaitForSingleObject(hthread, INFINITE);
        // Decommit the remote buffer (result not checked).
        VirtualFreeEx(process, paddr, dllnamelength, MEM_DECOMMIT);
    }
    return 0;
}

// Entry point tying the steps together.
//
// exename: image name of the target process (see findprocessid).
// dllname: DLL path handed to dllinject.
// funname: exported function name handed to dllinject.
// Returns: always 0. The results of opendebug() and dllinject() are ignored.
int insertdll(char *exename, const char *dllname, const char *funname)
{
    // Return value ignored: the rest of the function runs even if this failed.
    opendebug();
    // Process id of the target (0 when not found).
    DWORD processid = findprocessid(exename);
    if (processid!=0)
    {
        // Rights requested: create threads, perform VM operations, write VM.
        HANDLE process = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, processid);
        if (process!=NULL)
        {
            dllinject(process, dllname, funname);
        }
        // NOTE(review): executed even when OpenProcess returned NULL.
        CloseHandle(process);
    }
    else
    {
        printf("进程查找失败");
    }
    return 0;
}

// Program entry point.
// NOTE(review): `void main()` is non-standard C (should be `int main(void)`),
// and a string literal is bound to a non-const `char *`.
void main()
{
    char *dllname = "ABC.dll";

    // Hard-coded target image name, DLL path and export name.
    insertdll("PlantsVsZombies.exe", dllname, "go");

    // Keep the console window open until a key is pressed.
    system("pause");
}