CreateRemoteThread注入NOTEPAD

 
// Textbook demonstration of remote-thread code injection into NOTEPAD.EXE:
// the bytes of ThreadProc are copied into the target process together with a
// parameter block (HYPINJECT) and started with CreateRemoteThread. The API
// sequence used here — OpenProcess with VM_WRITE|CREATE_THREAD, VirtualAllocEx
// of an RWX region, WriteProcessMemory, CreateRemoteThread with a start address
// that lies outside any loaded module — is the canonical pattern that endpoint
// detection products and ETW/threat-intelligence telemetry watch for; it is
// shown here for study, not as a reliable or stealthy technique.
//
// Build assumptions grounded in the code below (confirm against the project):
//  - non-UNICODE (ANSI) build: narrow string literals are passed to TCHAR APIs
//    (LoadLibrary, stricmp on pe.szExeFile);
//  - 32-bit build: ThreadProc is cast through DWORD before being written.
#include <cstdlib>
#include <iostream>
#include <windows.h>
#include "tlhelp32.h"

using namespace std;

// Function-pointer types for the two kernel32 exports the injected code needs
// and for the user32 export it finally calls.
typedef HINSTANCE (WINAPI *ProcLoadLibrary)(char*);
typedef FARPROC (WINAPI *ProcGetProcAddress)(HMODULE, LPCSTR);
typedef int (WINAPI *ProcMessageBox)(HWND,LPCTSTR,LPCTSTR,UINT);

//////////////////////////////////////////////////////////////////////////////////////////////
// Parameter block copied into the target process and handed to ThreadProc.
// It carries the LoadLibraryA/GetProcAddress addresses resolved in THIS process;
// the injected code only works if kernel32.dll is mapped at the same address in
// the target — NOTE(review): true on typical Windows sessions, but it is an
// assumption this sample never verifies.
typedef struct tagHYPINJECT {
       ProcLoadLibrary    fnLoad;       // LoadLibraryA in the target
       ProcGetProcAddress fnGetProc;    // GetProcAddress in the target
       char MsgStr [MAX_PATH];          // text shown by the message box
       char DLLName [MAX_PATH];         // module to load ("user32.dll")
       char ProcName [MAX_PATH];        // export to resolve ("MessageBoxA")
} HYPINJECT;
//////////////////////////////////////////////////////////////////////////////////////////////
// Body that runs inside the target process. It is copied byte-for-byte, so it
// must be position-independent: every value it uses comes through lpParameter,
// and it references no globals, string literals or CRT functions of its own.
// Any edit that introduces such a reference breaks the copied code.
static DWORD WINAPI ThreadProc (LPVOID lpParameter)
{
       HYPINJECT* p = (HYPINJECT*)lpParameter;                                   // Reinterpret the parameter block as a HYPINJECT (initialize a struct)
       HMODULE hDLL = p->fnLoad (p->DLLName);                                    // hDLL is a parameter of GetProcAddress; fnLoad is a func pointer to LoadLibrary
       ProcMessageBox MsgBox = (ProcMessageBox)p->fnGetProc(hDLL,p->ProcName);   // get the address of MessageBoxA
       MsgBox(NULL,p->MsgStr,p->MsgStr,MB_OK);                                   // then we can use MessageBox
       return 0;
}
// Marker function used only to compute the size of ThreadProc; both are static
// so they stay in this translation unit. NOTE(review): this assumes the linker
// lays AfterThreadProc out immediately after ThreadProc — not guaranteed, and
// easily broken by optimization or function reordering; confirm per toolchain.
static void AfterThreadProc (void) { }                                           // Used to compute the size of the code to write, which is why both are defined static
HYPINJECT hypInject;                                                              // The struct that is written at pData
// Injects ThreadProc plus its parameter block into process PID and starts it.
// Returns FALSE only when OpenProcess fails; every later step returns TRUE
// regardless of outcome.
// NOTE(review): bc, pCode and pData are never checked before use, the thread
// handle ht is never closed, and the DATA region is allocated
// PAGE_EXECUTE_READWRITE although nothing executes from it.
BOOL InjectFunc(DWORD PID)
{
       HMODULE hk = LoadLibrary ("kernel32.dll");
       // Resolve the kernel32 exports locally; see HYPINJECT for why the target
       // is expected to see the same addresses.
       hypInject.fnLoad = (ProcLoadLibrary)GetProcAddress (hk, "LoadLibraryA");
       hypInject.fnGetProc = (ProcGetProcAddress)GetProcAddress (hk, "GetProcAddress");
       strcpy(hypInject.MsgStr, " hyp's Knowledge Base");
       strcpy (hypInject.DLLName, "user32.dll");
       strcpy (hypInject.ProcName, "MessageBoxA");                                // pData receives a struct, so all information is stored in the struct; what executes is ThreadProc
       PVOID pCode = NULL;
       PVOID pData = NULL;
       BOOL bc = FALSE;
       // Byte length of ThreadProc, derived from the address of the next function (see AfterThreadProc).
       DWORD cbCodeSize = (BYTE*)AfterThreadProc - (BYTE*)ThreadProc;
       // Access rights requested here are exactly the set a defender would alert on
       // when combined with a following VirtualAllocEx/WriteProcessMemory/CreateRemoteThread.
       HANDLE hProc = OpenProcess(
              PROCESS_QUERY_INFORMATION |
              PROCESS_CREATE_THREAD     |
              PROCESS_VM_OPERATION      |
              PROCESS_VM_WRITE,
              FALSE, PID);
       if (hProc == NULL)
       {
              return FALSE;
       }
       // Code region: RWX is required because the copied bytes are executed in place.
       pCode=VirtualAllocEx(hProc,NULL,cbCodeSize,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
       // The (DWORD) cast truncates the pointer; it only round-trips on a 32-bit build.
       bc = WriteProcessMemory(hProc,pCode,(LPVOID)(DWORD) ThreadProc,cbCodeSize,NULL);
       pData = VirtualAllocEx (hProc,NULL, sizeof (hypInject), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
       bc = WriteProcessMemory (hProc, pData, &hypInject, sizeof (hypInject), NULL);
       // Start address is the freshly written region, i.e. not backed by any module image —
       // the property memory-scanning and thread-creation telemetry keys on.
       HANDLE ht=CreateRemoteThread(hProc,NULL,NULL,(LPTHREAD_START_ROUTINE)pCode,pData,0,NULL);
       CloseHandle(hProc);
       return TRUE;
}
// Enumerates processes with the ToolHelp snapshot API, injects into the first
// one whose image name matches NOTEPAD.EXE (case-insensitive), then pauses.
// NOTE(review): the return values of CreateToolhelp32Snapshot and Process32First
// are not checked; an invalid snapshot would still enter the loop.
int main()
{
       HANDLE hSnapshot = NULL;
       hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
       PROCESSENTRY32 pe;
       pe.dwSize = sizeof(PROCESSENTRY32);   // must be set before Process32First
       Process32First(hSnapshot,&pe);
       do
       {
              if(stricmp(pe.szExeFile,"NOTEPAD.EXE")==0)
              {
                     InjectFunc(pe.th32ProcessID);
                     break;
              }
       }
       while(Process32Next(hSnapshot,&pe)==TRUE);
       CloseHandle (hSnapshot);
       system("pause");
       return 0;
}
