没代码怎么分析呀?
试下这段代码,在我xp sp3下正常。
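/*
 * Look up the PID of the first running process whose image name matches
 * pProcessName (compared case-insensitively with lstrcmpi), by walking a
 * Toolhelp process snapshot.
 *
 * Returns the PID as a LONG, or -1 when the snapshot could not be taken or
 * no process with that name is running. The snapshot handle is closed on
 * every path that acquired it.
 */
LONG FindTarget(LPCTSTR pProcessName)
{
    LONG pid = -1;
    BOOL more;
    HANDLE hSnap;
    PROCESSENTRY32 pe;

    /* Toolhelp requires dwSize to be filled in before Process32First. */
    pe.dwSize = sizeof(pe);

    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {
        /* The original passed a failed handle straight to Process32First
         * and then CloseHandle'd it; report "not found" instead. */
        return -1;
    }

    more = Process32First(hSnap, &pe);
    while (more) {
        if (lstrcmpi(pe.szExeFile, pProcessName) == 0) {
            pid = (LONG)pe.th32ProcessID;
            break;
        }
        more = Process32Next(hSnap, &pe);
    }

    CloseHandle(hSnap);
    return pid;
}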
/*
 * Load the DLL at szDllPath into the running Explorer.exe process with the
 * classic CreateRemoteThread + LoadLibraryA technique: locate the target by
 * name, open it, allocate a buffer in its address space, copy the path in,
 * and start a remote thread whose entry point is kernel32!LoadLibraryA with
 * that buffer as its argument.
 *
 * From a defender's point of view, this exact call sequence —
 * OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx -> WriteProcessMemory ->
 * CreateRemoteThread with a start address inside kernel32 — is the textbook
 * cross-process injection pattern and is what endpoint monitoring and
 * kernel callbacks (thread-creation / handle-open notifications) key on.
 *
 * Returns TRUE once the remote thread has exited, FALSE if the target was
 * not found, OpenProcess failed, or WriteProcessMemory reported failure.
 * Note that TRUE does not mean the load succeeded: hLibModule receives the
 * remote thread's exit code (LoadLibraryA's return value) but is never
 * examined. Resource handling is loose — hProcess is leaked on the
 * WriteProcessMemory failure path, hRemoteThread is not checked for NULL
 * before WaitForSingleObject, and the return values of VirtualAllocEx and
 * VirtualFreeEx are ignored.
 */
BOOL InjectExplorer(LPCTSTR szDllPath)
{
long pid = 0;
int ret = 0;
pid = FindTarget("Explorer.exe");
if(pid == -1)
{
// target process not found: handle here
//....
return FALSE;
}
HANDLE hProcess = NULL;
HANDLE hRemoteThread = NULL;
void *pLibRemote = NULL;
DWORD hLibModule = 0;
HMODULE hKernel32 = NULL;
hKernel32 = GetModuleHandle("Kernel32");
// NOTE(review): bInheritHandle is TRUE here; nothing in this function relies on it.
hProcess = OpenProcess(PROCESS_ALL_ACCESS, TRUE, pid);
if(hProcess == NULL)
{
// OpenProcess failed: handle here
//...
return FALSE;
}
// allocate memory in the target process (result not checked for NULL)
pLibRemote = VirtualAllocEx(hProcess,NULL,sizeof(szDllPath),MEM_COMMIT,PAGE_READWRITE);
// write the data into the target process's address space
ret = WriteProcessMemory(hProcess,pLibRemote,(void *) szDllPath,sizeof(szDllPath),NULL);
if(ret == 0)
{
// write failed: handle here (hProcess is not closed on this path)
//...
return FALSE;
}
// create the remote thread; its start routine is LoadLibraryA, its parameter the remote buffer
hRemoteThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryA"),pLibRemote,0,NULL);
// wait for it to finish (hRemoteThread is not checked for NULL first)
WaitForSingleObject(hRemoteThread, INFINITE);
// exit code is LoadLibraryA's return value; read but never checked
GetExitCodeThread(hRemoteThread, &hLibModule);
CloseHandle(hRemoteThread);
// free the allocated memory
// NOTE(review): MEM_RELEASE is documented to require dwSize == 0; with a
// non-zero size this call presumably fails, and its result is ignored — confirm.
VirtualFreeEx(hProcess, pLibRemote, sizeof(szDllPath), MEM_RELEASE);
// close the remote process handle
CloseHandle(hProcess);
return TRUE;
}