注入正常,也能弹框了。但就是被注入进程会崩溃。
// Test.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <windows.h>
// Forward declaration; the definition is at the bottom of this file.
BOOL EnablePriviledge();
// Parameter block that _tmain copies into the target process and hands to
// MyFunc as its thread argument. Both sides read it by raw layout, so the
// field order and sizes are part of the contract between them.
typedef struct _MyData
{
// Text used by MyFunc for both the body and the caption of the message box.
char szWord[12];
// Address of MessageBoxA, stored as a 32-bit integer by _tmain.
// NOTE(review): DWORD cannot hold a pointer in a 64-bit build; DWORD_PTR or a
// typed function pointer would avoid silent truncation - confirm the target
// architecture before relying on this field.
DWORD pMyBox;
} MyData;
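// Thread routine that shows a message box using the address and text carried
// in *myd. _tmain copies the machine code of this function into another
// process, so it runs in a foreign address space.
//
// myd     - parameter block; pMyBox holds the address of MessageBoxA and
//           szWord the text to display.
// returns - always 0.
//
// NOTE(review): copying a compiled function byte-for-byte is inherently
// fragile. The body must not touch globals, string literals, imports or CRT
// helpers, and the compiler gives no such guarantee: runtime stack checks,
// security cookies and incremental-link jump thunks all add references that
// only resolve inside the original image.
static DWORD _stdcall MyFunc(MyData * myd)
{
    // MessageBoxA is a WINAPI (__stdcall) export, so the callee pops its four
    // arguments. The pointer type must say so: without WINAPI a 32-bit build
    // treats the call as __cdecl and adjusts the stack a second time after the
    // call returns. The box still appears, but the stack pointer is wrong
    // afterwards, which is consistent with the crash reported for this code.
    typedef int (WINAPI *pMyMessageBox)(HWND, LPCSTR, LPCSTR, UINT);

    // LPCSTR matches both the "A" export and the char buffer in MyData.
    pMyMessageBox MyMessageBox = (pMyMessageBox)myd->pMyBox;

    // The last parameter is a UINT style mask, not a pointer: MB_OK, not NULL.
    MyMessageBox(NULL, myd->szWord, myd->szWord, MB_OK);
    return 0;
}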
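// Console entry point: locates a Notepad window, copies MyFunc and a MyData
// block into that process and starts MyFunc there on a new thread.
//
// The OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(PAGE_EXECUTE_READWRITE)
// -> WriteProcessMemory -> CreateRemoteThread sequence used here is the classic
// cross-process code injection pattern that endpoint monitoring keys on.
//
// Exit codes: 0 success, 1 no Notepad window, 2 OpenProcess failed,
// 3 data allocation failed, 4 code allocation or a remote write failed,
// 5 MessageBoxA could not be resolved, 6 CreateRemoteThread failed.
int _tmain(int argc, _TCHAR* argv[])
{
    // Everything is declared before the first goto so that no jump to the
    // cleanup label crosses an initializer (ill-formed in C++).
    int rc = 0;
    DWORD dwProcID = 0;
    DWORD dwThreadID = 0;
    DWORD dwAddress = 0;
    HMODULE hMessage = NULL;
    HWND hNotepad = NULL;
    HANDLE hProcess = NULL;
    HANDLE hRemoteThread = NULL;
    void * dwProcAddress = NULL;
    MyData * dwDataAddress = NULL;
    MyData mydata;

    // Best effort: the result is ignored and the run continues either way.
    EnablePriviledge();

    // Zero the whole block first so the bytes of szWord after the terminator
    // are not uninitialized stack contents when the struct is written out.
    ZeroMemory(&mydata, sizeof(mydata));
    strcpy(mydata.szWord,"ab");

    // Resolve MessageBoxA. A failed lookup used to go unnoticed and left
    // address 0 in the block for the remote thread to call.
    hMessage = LoadLibrary("user32.dll");
    if (NULL == hMessage)
    {
        MessageBox(NULL,NULL,NULL,MB_OK);
        return 5;
    }
    // NOTE(review): the cast to DWORD truncates the address in a 64-bit build.
    dwAddress = (DWORD)GetProcAddress(hMessage,"MessageBoxA");
    // Releasing the extra reference is harmless only because this program also
    // imports user32.dll directly (MessageBox, FindWindow), so it stays loaded.
    FreeLibrary(hMessage);
    if (0 == dwAddress)
    {
        MessageBox(NULL,NULL,NULL,MB_OK);
        return 5;
    }
    // NOTE(review): this value is only meaningful in the target if user32.dll
    // is mapped at the same base there and both processes have the same
    // bitness - neither is checked here.
    mydata.pMyBox = dwAddress;

    hNotepad = FindWindow("Notepad",NULL);
    if (NULL == hNotepad)
    {
        MessageBox(NULL,NULL,NULL,MB_OK);
        return 1;
    }
    GetWindowThreadProcessId(hNotepad,&dwProcID);

    hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcID);
    if (NULL == hProcess)
    {
        MessageBox(NULL,NULL,NULL,MB_OK);
        return 2;
    }

    // From here on every failure leaves through cleanup so the process handle
    // is closed; the original returned with it still open.
    dwProcAddress = VirtualAllocEx(hProcess,
        0,
        1000,
        MEM_COMMIT ,
        PAGE_EXECUTE_READWRITE);
    if (NULL == dwProcAddress)
    {
        MessageBox(NULL,NULL,NULL,MB_OK);
        rc = 4;
        goto cleanup;
    }
    // NOTE(review): the program does not know how long MyFunc really is; a
    // fixed 1000 bytes is read starting at its address, so whatever follows it
    // in this image is copied as well.
    if (0 == WriteProcessMemory(hProcess,dwProcAddress,&MyFunc,1000,NULL))
    {
        MessageBox(NULL,NULL,NULL,MB_OK);
        rc = 4;
        goto cleanup;
    }

    dwDataAddress = (MyData *)VirtualAllocEx(hProcess,
        0,
        sizeof(MyData),
        MEM_COMMIT| MEM_RESERVE,
        PAGE_READWRITE);
    if (NULL == dwDataAddress)
    {
        MessageBox(NULL,NULL,NULL,MB_OK);
        rc = 3;
        goto cleanup;
    }
    if (0 == WriteProcessMemory(hProcess,dwDataAddress,&mydata,sizeof(MyData),NULL))
    {
        MessageBox(NULL,NULL,NULL,MB_OK);
        rc = 4;
        goto cleanup;
    }

    // The thread id gets its own variable instead of overwriting dwProcID.
    hRemoteThread = CreateRemoteThread(hProcess,
        0,
        0,
        (LPTHREAD_START_ROUTINE)dwProcAddress,
        dwDataAddress,
        0,
        &dwThreadID);
    if (NULL == hRemoteThread)
    {
        // Previously reported as success and followed by CloseHandle(NULL).
        MessageBox(NULL,NULL,NULL,MB_OK);
        rc = 6;
        goto cleanup;
    }

    // The two regions are left allocated in the target for its lifetime. The
    // VirtualFreeEx calls the author had commented out here could not simply
    // be re-enabled: the thread may still be running in that memory, and
    // MEM_DECOMMIT cannot be combined with MEM_RELEASE (MEM_RELEASE also
    // requires a size of 0).

cleanup:
    if (NULL != hRemoteThread)
    {
        CloseHandle(hRemoteThread);
    }
    if (NULL != hProcess)
    {
        CloseHandle(hProcess);
    }
    return rc;
}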
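// Tries to enable SeDebugPrivilege in the current process token.
//
// returns - TRUE only when the privilege is actually enabled afterwards,
//           FALSE if the token could not be opened, the privilege name could
//           not be looked up, or the token does not hold the privilege.
//
// NOTE(review): SeDebugPrivilege allows opening almost any process on the
// machine, and nothing in this file disables it again. A target owned by the
// same user (such as the Notepad window _tmain looks for) can normally be
// opened without it, so this call is broader than the task needs.
BOOL EnablePriviledge()
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tkp;
    BOOL bEnabled = FALSE;

    // BOOL results are tested for non-zero; comparing against TRUE would
    // treat any other non-zero success value as a failure.
    if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken))
    {
        return FALSE;
    }

    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // A failed lookup leaves the LUID uninitialized, so the adjustment is only
    // attempted when the lookup succeeded.
    if (LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tkp.Privileges[0].Luid) &&
        AdjustTokenPrivileges(hToken,FALSE,&tkp,sizeof(TOKEN_PRIVILEGES),NULL,NULL))
    {
        // AdjustTokenPrivileges reports success even when the token lacks the
        // privilege; that case is only visible as ERROR_NOT_ALL_ASSIGNED from
        // GetLastError, which must be read before any further API call.
        bEnabled = (ERROR_SUCCESS == GetLastError());
    }

    CloseHandle(hToken);
    return bEnabled;
}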