代码注入

image.png

#include "stdafx.h"
#include 
#include 

typedef int (__stdcall *PMESSAGEBOX)(HWND ,LPCTSTR ,LPCTSTR ,UINT);


typedef struct _CODE_ARGS_
{
    PMESSAGEBOX     pMessageBox;
    HWND            hWnd;         
    LPCTSTR         lpText;   
    LPCTSTR         lpCaption;
    UINT            uType;
}CODE_ARGS;


DWORD Inject_Fun(CODE_ARGS *pCodeArgs)
{
    pCodeArgs->pMessageBox(pCodeArgs->hWnd,pCodeArgs->lpText,pCodeArgs->lpCaption,1);
    return 0;
}
void Inject_Fun_End(void)
{

}

int main(int argc, char* argv[])
{
    DWORD PID = 0;
    puts("Input Target Process ID:\n");
    scanf("%u",&PID);
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,PID);
    DWORD dw = GetLastError();
    void *pRemoteAddr = VirtualAllocEx(hProcess,NULL,1024,MEM_COMMIT,PAGE_EXECUTE_READWRITE);//开辟空间
    CODE_ARGS Code_Args = {0};

    Code_Args.pMessageBox = (PMESSAGEBOX)GetProcAddress(LoadLibrary("User32.dll"),"MessageBoxA");
    Code_Args.hWnd = NULL;
    Code_Args.uType = 1;

    char TextArr[] = "Hello Boys I Come Here!";
    char CaptionArr[] = "Code Inject!";
    DWORD uType = 1;
    void *pRemoteArgAddr = NULL;
    void *pRemoteProc = NULL;

    
    DWORD dwOffset = 0,dwWriteByte = 0;

    //写入结构体两个字符串
    Code_Args.lpText = (char *)pRemoteAddr;
    WriteProcessMemory(hProcess,(void *)((DWORD)pRemoteAddr + dwOffset),TextArr,strlen(TextArr)+1,&dwWriteByte);
    dwOffset += dwWriteByte;

    Code_Args.lpCaption = (char *)((DWORD)pRemoteAddr + dwOffset);
    WriteProcessMemory(hProcess,(void *)((DWORD)pRemoteAddr + dwOffset),CaptionArr,strlen(CaptionArr)+1,&dwWriteByte);
    dwOffset += dwWriteByte;


    //写入结构体
    pRemoteArgAddr = (BYTE *)pRemoteAddr + dwOffset;
    WriteProcessMemory(hProcess,pRemoteArgAddr,&Code_Args,sizeof(Code_Args),&dwWriteByte);
    dwOffset += dwWriteByte;


    //写入函数机器码 写入长度在release下好用，debug版本需要修复
    pRemoteProc = (BYTE *)pRemoteAddr + dwOffset;
    WriteProcessMemory(hProcess,pRemoteProc,(void *)Inject_Fun,(DWORD)Inject_Fun_End - (DWORD)Inject_Fun,&dwWriteByte);
    
    DWORD TID = 0;
    HANDLE hRemotethread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)pRemoteProc,pRemoteArgAddr,0,&TID);
    
    WaitForSingleObject(hRemotethread,INFINITE);
    CloseHandle(hRemotethread);
    VirtualFreeEx(hProcess,pRemoteAddr,0,MEM_RELEASE);
    CloseHandle(hProcess);
    return 0;
}