[求助]求助个地址计算的函数问题
求帮助 |
[求助]Win10下记事本Dll注入不成功
另一种方式学习存档:
// FileName : KernelFuncInject.cpp
// Creator : PeterZheng
// Date : 2019/01/10 21:32
// Comment : Use Kernel Function To Inject
//
////////////////////////////////
// NOTE(review): `#pragma once` only means something in a header; in a .cpp it is a no-op.
#pragma once
#include <cstdio>
#include <cstdlib>
#include <iostream>
#include <strsafe.h>
#include <Windows.h>
#include <TlHelp32.h>

// NOTE(review): what this program does, for the reader's orientation:
// enable SeDebugPrivilege -> resolve the target pid by image name ->
// OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx + WriteProcessMemory of the
// DLL path -> start a thread in the target whose start address is LoadLibraryA.
// This is the canonical remote-thread DLL injection sequence. From the defender's
// side, a cross-process memory write followed by a remote thread created with a
// start address of LoadLibraryA is exactly the behaviour that Sysmon Event ID 8
// (CreateRemoteThread) and EDR thread-creation telemetry are built to surface;
// the only difference here is that the thread is created via the ntdll export
// instead of the kernel32 wrapper.

// Hand-written prototype for the undocumented ntdll export; the two arities
// below are what the author used for 64-bit and 32-bit builds respectively.
#ifdef _WIN64
typedef DWORD(WINAPI* typedef_ZwCreateThreadEx)(
    PHANDLE ThreadHandle,
    ACCESS_MASK DesiredAccess,
    LPVOID ObjectAttributes,
    HANDLE ProcessHandle,
    LPTHREAD_START_ROUTINE lpStartAddress,
    LPVOID lpParameter,
    ULONG CreateThreadFlags,
    SIZE_T ZeroBits,
    SIZE_T StackSize,
    SIZE_T MaximumStackSize,
    LPVOID pUnkown);
#else
typedef DWORD(WINAPI* typedef_ZwCreateThreadEx)(
    PHANDLE ThreadHandle,
    ACCESS_MASK DesiredAccess,
    LPVOID ObjectAttributes,
    HANDLE ProcessHandle,
    LPTHREAD_START_ROUTINE lpStartAddress,
    LPVOID lpParameter,
    BOOL CreateSuspended,
    DWORD dwStackSize,
    DWORD dw1,
    DWORD dw2,
    LPVOID pUnkown);
#endif
using namespace std;

// Privilege helper: enables the privilege called `name` on the current
// process token. Returns true on success, false (after printing a message)
// if any of the three token calls fails.
// NOTE(review): `hToken` is never closed on any path, so every call leaks a
// token handle.
BOOL EnableDebugPriv(LPCSTR name)
{
    HANDLE hToken;
    LUID luid;
    TOKEN_PRIVILEGES tp;
    // Open the current process token with query + adjust rights.
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        printf("[!]Get Process Token Error!\n");
        return false;
    }
    // Resolve the privilege name to its LUID.
    if (!LookupPrivilegeValue(NULL, name, &luid))
    {
        printf("[!]Get Privilege Error!\n");
        return false;
    }
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    // Apply the single-privilege change to the token.
    if (!AdjustTokenPrivileges(hToken, false, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
    {
        printf("[!]Adjust Privilege Error!\n");
        return false;
    }
    return true;
}

// Looks up a process id by executable name (case-insensitive compare against
// the Toolhelp snapshot). On a match `dwPid` is set and TRUE is returned;
// FALSE otherwise.
// NOTE(review): `hSnapProcess` is never closed on any path (handle leak).
BOOL GetProcessIdByName(CHAR* szProcessName, DWORD& dwPid)
{
    HANDLE hSnapProcess = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapProcess == NULL)
    {
        printf("[*] Create Process Snap Error!\n");
        return FALSE;
    }
    PROCESSENTRY32 pe32 = { 0 };
    ::RtlZeroMemory(&pe32, sizeof(pe32)); // redundant: pe32 is already zero-initialised
    pe32.dwSize = sizeof(pe32);
    BOOL bRet = ::Process32First(hSnapProcess, &pe32);
    while (bRet)
    {
        if (_stricmp(pe32.szExeFile, szProcessName) == 0)
        {
            dwPid = pe32.th32ProcessID;
            return TRUE;
        }
        bRet = ::Process32Next(hSnapProcess, &pe32);
    }
    return FALSE;
}

// Entry point: argv[1] is the target image name, argv[2] the DLL path.
// Every failure path prints a message and returns 0 (no distinct exit code).
// NOTE(review): the early-return paths below leak `hProcess`, `hNtdll` and the
// two VirtualAlloc'd buffers; the two VirtualAlloc results are also used
// without a NULL check.
int main(int argc, char* argv[])
{
    if (argc != 3)
    {
        printf("[*] Format Error! \nYou Should FOLLOW THIS FORMAT: <APCInject EXENAME DLLNAME> \n");
        return 0;
    }
    // Fixed 100-byte buffers for the two arguments; StringCchCopy truncates
    // anything longer.
    LPSTR szExeName = (LPSTR)::VirtualAlloc(NULL, 100, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    LPSTR szDllPath = (LPSTR)::VirtualAlloc(NULL, 100, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    ::RtlZeroMemory(szExeName, 100);
    ::RtlZeroMemory(szDllPath, 100);
    ::StringCchCopy(szExeName, 100, argv[1]);
    ::StringCchCopy(szDllPath, 100, argv[2]);
    DWORD dwPid = 0;
    // System processes can only be opened after elevating; otherwise the
    // OpenProcess step below fails. (The helper's return value is not checked.)
    EnableDebugPriv(SE_DEBUG_NAME);
    BOOL bRet = GetProcessIdByName(szExeName, dwPid);
    if (!bRet)
    {
        printf("[*] Get Process Id Error!\n");
        return 0;
    }
    HANDLE hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    if (hProcess == NULL)
    {
        printf("[*] Open Process Error!\n");
        return 0;
    }
    DWORD dwDllPathLen = strlen(szDllPath) + 1;
    LPVOID lpBaseAddress = ::VirtualAllocEx(hProcess, NULL, dwDllPathLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (lpBaseAddress == NULL)
    {
        printf("[*] VirtualAllocEx Error!\n");
        return 0;
    }
    SIZE_T dwWriten = 0;
    // Write the DLL path string into the target process.
    // NOTE(review): the BOOL result of WriteProcessMemory is discarded; only the
    // byte count is compared.
    ::WriteProcessMemory(hProcess, lpBaseAddress, szDllPath, dwDllPathLen, &dwWriten);
    if (dwWriten != dwDllPathLen)
    {
        printf("[*] Write Process Memory Error!\n");
        return 0;
    }
    // Resolve LoadLibraryA in this process; the address is reused in the target.
    LPVOID pLoadLibraryFunc = ::GetProcAddress(::GetModuleHandle("kernel32.dll"), "LoadLibraryA");
    if (pLoadLibraryFunc == NULL)
    {
        printf("[*] Get Func Address Error!\n");
        return 0;
    }
    HMODULE hNtdll = ::LoadLibrary("ntdll.dll");
    if (hNtdll == NULL)
    {
        printf("[*] Load NtDLL Error!\n");
        return 0;
    }
    typedef_ZwCreateThreadEx ZwCreateThreadEx = (typedef_ZwCreateThreadEx)::GetProcAddress(hNtdll, "ZwCreateThreadEx");
    if (ZwCreateThreadEx == NULL)
    {
        printf("[*] Get NTDLL Func Address Error!\n");
        return 0;
    }
    DWORD dwStatus = 0;
    HANDLE hRemoteThread = NULL;
    // NOTE(review): `dwStatus` receives the call's status but is never examined;
    // success is judged solely by whether a thread handle came back.
    dwStatus = ZwCreateThreadEx(&hRemoteThread, PROCESS_ALL_ACCESS, NULL, hProcess, (LPTHREAD_START_ROUTINE)pLoadLibraryFunc, lpBaseAddress, 0, 0, 0, 0, NULL);
    if (hRemoteThread == NULL)
    {
        printf("[*] Create Remote Thread Error!\n");
        return 0;
    }
    // Reduce the DLL path to its last path component so only the file name is
    // printed.
    // NOTE(review): each token is copied back over the start of the buffer that
    // strtok_s is still scanning; source and destination overlap, which the
    // StringCch* functions do not permit. It happens to work because every token
    // lies at or after the buffer start, but it is fragile.
    LPCSTR szPathSign = "\\";
    LPSTR p = NULL;
    LPSTR next_token = NULL;
    p = strtok_s(szDllPath, szPathSign, &next_token);
    while (p)
    {
        StringCchCopy(szDllPath, 100, p);
        p = strtok_s(NULL, szPathSign, &next_token);
    }
    printf("[*] High Privilege Inject Info [%s ==> %s] Success\n", szDllPath, szExeName);
    ::CloseHandle(hProcess);
    ::FreeLibrary(hNtdll);
    ::VirtualFree(szExeName, 0, MEM_RELEASE);
    ::VirtualFree(szDllPath, 0, MEM_RELEASE);
    // NOTE(review): hRemoteThread is never closed before the process exits.
    ::ExitProcess(0);
    return 0;
}
|
[求助]Win10下记事本Dll注入不成功
非常感谢可以的! |
[求助]Win10下记事本Dll注入不成功
我的是64位的dll也是编译的时候选了64位,引子exe也是编译时候选了64位,我用ce查看了notepad里面是写入了dll,但是最后没有执行。 |
[求助]远程线程注入windows10 64位计算器失败
#include <iostream>
#include <windows.h>
#include <string.h>
#include <string>
using namespace std;

// NOTE(review): this listing is the textbook remote-thread DLL injector built on
// the documented kernel32 API: OpenProcess -> VirtualAllocEx -> WriteProcessMemory
// (DLL path) -> CreateRemoteThread with LoadLibraryA as the start routine ->
// wait -> clean up. For detection purposes the observable is the same as any
// other variant of the pattern: a cross-process memory write followed by a
// thread created in another process with a start address inside kernel32
// (Sysmon Event ID 8 / EDR thread-creation telemetry).

// File-scope state. NOTE(review): `hProcess` and `lpPathAddr` are shadowed by
// locals of the same name inside todo(), so these globals stay NULL;
// `loadfunc` and `loadfuncaddr` are never referenced.
HWND hwnd = NULL;
DWORD dwProcessId = NULL;
HANDLE hProcess = NULL;
PVOID lpPathAddr = NULL;
char pszDllFileName[25] = "F:\\test\\1\\2Dll1.dll";
char loadfunc[25] = "LoadLibraryA";
FARPROC loadfuncaddr = NULL;

// Performs the injection into the first Notepad window found. Returns FALSE
// (after a MessageBox) on the first failing API call, TRUE once the remote
// thread has finished and resources are released.
BOOL todo(){
    hwnd = ::FindWindow("Notepad", NULL); // Notepad is used as the example target
    // NOTE(review): this branch only reports the error; it does not return, so
    // GetWindowThreadProcessId below is still called with a NULL hwnd.
    if (hwnd == NULL)
    {
        MessageBox(NULL, "找不到记事本", "错误", MB_OK);
    }
    GetWindowThreadProcessId(hwnd, &dwProcessId);
    // 1. Open the target process (local `hProcess` shadows the global).
    HANDLE hProcess = OpenProcess(
        PROCESS_ALL_ACCESS, // access rights
        FALSE, // inheritable handle
        dwProcessId); // target pid
    if (NULL == hProcess)
    {
        MessageBox(NULL, "打开目标进程失败", "错误", MB_OK);
        return FALSE;
    }
    // 2. Allocate space in the target process (local `lpPathAddr` shadows the global).
    LPVOID lpPathAddr = VirtualAllocEx(
        hProcess, // target process handle
        0, // requested address (any)
        strlen(pszDllFileName) + 1, // size, including the terminating NUL
        MEM_RESERVE | MEM_COMMIT, // allocation type
        PAGE_READWRITE); // page protection
    if (NULL == lpPathAddr)
    {
        MessageBox(NULL, "在目标进程中申请空间失败", "错误", MB_OK);
        CloseHandle(hProcess);
        return FALSE;
    }
    // 3. Write the DLL path into the target process.
    SIZE_T dwWriteSize = 0;
    if (FALSE == WriteProcessMemory(
        hProcess, // target process handle
        lpPathAddr, // destination address in the target
        pszDllFileName, // source buffer
        strlen(pszDllFileName) + 1, // bytes to write
        &dwWriteSize)) // bytes actually written
    {
        MessageBox(NULL, "目标进程中写入Dll路径失败!", "错误", MB_OK);
        CloseHandle(hProcess);
        return FALSE;
    }
    // Resolve the address of LoadLibraryA in this process.
    // FARPROC is the right pointer type on both 32-bit and 64-bit builds.
    FARPROC pFuncProcAddr = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
    if (NULL == pFuncProcAddr)
    {
        MessageBox(NULL, "获取LoadLibrary函数地址失败!", "错误", MB_OK);
        CloseHandle(hProcess);
        return FALSE;
    }
    // 4. Create a thread in the target process.
    HANDLE hThread = CreateRemoteThread(
        hProcess, // target process handle
        NULL, // security attributes
        NULL, // stack size (default)
        (PTHREAD_START_ROUTINE)pFuncProcAddr, // start routine
        lpPathAddr, // start routine parameter
        NULL, // creation flags
        NULL // thread id (not wanted)
    );
    if (NULL == hThread)
    {
        MessageBox(NULL, "目标进程中创建线程失败!", "错误", MB_OK);
        CloseHandle(hProcess);
        return FALSE;
    }
    // 5. Wait for the thread to finish. NOTE(review): `-1` is INFINITE spelled
    // as a literal; the named constant reads better.
    WaitForSingleObject(hThread, -1);
    // 6. Clean up.
    VirtualFreeEx(hProcess, lpPathAddr, 0, MEM_RELEASE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
    return TRUE;
}

// Entry point: prints a banner and runs the injection once; todo()'s result is
// discarded.
int main() {
    std::cout << "Hello World!\n";
    todo();
}
注入DLL还是借用你的
// DllMain of the DLL being injected (a separate project): shows a MessageBox on
// process attach and does nothing for the other reasons.
BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        MessageBox(NULL, L"远程线程注入成功!", L"提示", NULL);
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
我借用你的记事本都注入不了,能否帮抽空看下,操作系统版本如下: |
[分享]脱壳破解工具箱 UnPacKinG & CrAcKinG TooLs v2o12.o1.13 By RegKiller 完整版
能否来个可用的115地址呢,这个似乎不能用了。 |