无DLL远程注入

界面如下：

主要代码如下：

 1 #define STRLEN 20

 2 

 3 typedef struct _DATA

 4 {

 5     DWORD dwLoadLibrary;

 6     DWORD dwGetProcAddress;

 7     DWORD dwGetModuleHandle;

 8     DWORD dwGetModuleFileName;

 9     

10     char User32Dll[STRLEN];

11     char MessageBox[STRLEN];

12     char Str[STRLEN];

13 }DATA, *PDATA;

14 

15 void CNoDllInjectDlg::OnBnClickedButtonInject()

16 {

17     // TODO: 在此添加控件通知处理程序代码

18     UpdateData(TRUE);

19     InjectCode(m_dwPid);

20 }

21 

22 

23 DWORD WINAPI RemoteThreadProc(LPVOID lpParam)

24 {

25     PDATA pData = (PDATA)lpParam;

26 

27     HMODULE (__stdcall *MyLoadLibrary)(LPCSTR);

28     FARPROC (__stdcall *MyGetProcAddress)(HMODULE, LPCSTR);

29     HMODULE (__stdcall *MyGetModuleHandle)(LPCSTR);

30     int (__stdcall *MyMessageBox)(HWND, LPCSTR, LPCSTR, UINT);

31     DWORD (__stdcall *MyGetModuleFileName)(HMODULE, LPSTR, DWORD);

32 

33     MyLoadLibrary = (HMODULE (__stdcall *)(LPCSTR))pData->dwLoadLibrary;

34     MyGetProcAddress = (FARPROC (__stdcall *)(HMODULE, LPCSTR))pData->dwGetProcAddress;

35     MyGetModuleHandle = (HMODULE (__stdcall *)(LPCSTR))pData->dwGetModuleHandle;

36     MyGetModuleFileName = (DWORD (__stdcall *)(HMODULE, LPSTR, DWORD))pData->dwGetModuleFileName;

37 

38     HMODULE hModule = MyLoadLibrary(pData->User32Dll);

39     MyMessageBox = (int (__stdcall *)(HWND, LPCSTR, LPCSTR, UINT))MyGetProcAddress(hModule, pData->MessageBox);

40     char szModuleName[MAX_PATH] = {0};

41     MyGetModuleFileName(NULL, szModuleName, MAX_PATH);

42 

43     MyMessageBox(NULL, pData->Str, szModuleName, MB_OK);

44 

45     return 0;

46 }

47 

48 

49 void CNoDllInjectDlg::InjectCode(DWORD dwPid)

50 {

51     DebugPrivilege();

52     HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);

53     if (NULL == hProcess)

54     {

55         AfxMessageBox(_T("OpenProcess Error!"));

56         return;

57     }

58 

59     DATA Data = {0};

60     Data.dwLoadLibrary = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");

61     Data.dwGetProcAddress = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetProcAddress");

62     Data.dwGetModuleHandle = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleHandleA");

63     Data.dwGetModuleFileName = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleFileNameA");

64 

65     strcpy(Data.User32Dll, "user32.dll");

66     strcpy(Data.MessageBox, "MessageBoxA");

67     strcpy(Data.Str, "Inject Code !!");

68 

69     LPVOID lpData = VirtualAllocEx(hProcess, NULL, sizeof(DATA), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

70     DWORD dwWriteNum = 0;

71     WriteProcessMemory(hProcess, lpData, &Data, sizeof(DATA), &dwWriteNum);

72 

73     DWORD dwFunSize = 0x2000;

74     LPVOID lpCode = VirtualAllocEx(hProcess, NULL, dwFunSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

75     WriteProcessMemory(hProcess, lpCode, RemoteThreadProc, dwFunSize, &dwWriteNum);

76 

77     HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpCode, lpData, 0, NULL);

78     WaitForSingleObject(hRemoteThread, INFINITE);

79 

80     CloseHandle(hRemoteThread);

81     CloseHandle(hProcess);

82 }

83 

84 void CNoDllInjectDlg::DebugPrivilege(void)

85 {

86     HANDLE hToken = NULL;

87     BOOL bRet = OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken);

88     if (TRUE == bRet)

89     {

90         TOKEN_PRIVILEGES tp;

91         tp.PrivilegeCount = 1;

92         LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);

93         tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

94         AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);

95 

96         CloseHandle(hToken);

97     }

98 }