#include <stdio.h>
#include <windows.h>
#include <conio.h>
// Top-level window of the target (Notepad) located by FindWindow in main();
// also handed to the injected thread through MyData::hwnd3.
HWND hWnd;
// First child window of hWnd, obtained with FindWindowEx in main(); it is only
// printed, never used for anything else.
HWND hwnd2;
// Parameter block for the injected thread. main() fills it in locally and copies
// it into the target process with WriteProcessMemory; RMTFunc then receives a
// pointer to that remote copy. Every field therefore has to be meaningful inside
// the target's address space: plain values, or addresses that are identical in
// both processes -- never pointers into this executable's own image.
// Field order and sizes are part of the contract with the copied machine code.
struct MyData
{
// Text shown by the remote MessageBoxA call. main() zeroes the whole struct and
// then strcat()s a literal into this buffer, so it stays NUL-terminated as long
// as the literal fits in 63 bytes.
char sz[64];
// Address of user32!MessageBoxA resolved with GetProcAddress in main().
// DWORD is 32 bits wide, so a pointer only survives this round-trip on a
// 32-bit build; on x64 the high half is lost.
DWORD dwMessageBox;
// The Notepad top-level window handle found by main(). Only the commented-out
// SendMessage calls in RMTFunc refer to it.
HWND hwnd3;
// Address of user32!SendMessageA, kept in a pointer-sized LRESULT (LONG_PTR),
// so unlike dwMessageBox it is not truncated on 64-bit builds.
LRESULT sendx;
};
// Thread entry point that executes inside the target process, not here.
// main() copies the raw bytes starting at this function into an RWX page of the
// target and starts a remote thread on that copy, passing the remote MyData.
// Consequently the body may only touch things that exist at the same address in
// both processes: the MyData block it is given and the user32 entry points whose
// addresses were resolved in main(). Anything that resolves into this
// executable's own image (string literals, CRT calls, helper functions, import
// thunks) is not copied along and is invalid in the target. The code must also
// be position-independent for the copy to run at a different address -- whether
// a given compiler/optimisation setting guarantees that is not visible here.
// Returns 0 as the remote thread's exit code.
DWORD __stdcall RMTFunc(MyData *pData)
{
// Signature of MessageBoxA.
typedef int(__stdcall*MMessageBox)(HWND,LPCTSTR,LPCTSTR,UINT);
// Signature of SendMessageA (declared here as returning int instead of LRESULT).
typedef int(__stdcall*MMessageBox2)(HWND,UINT,WPARAM,LPARAM);
MMessageBox MsgBox = (MMessageBox)pData->dwMessageBox;
// Displays the text that main() placed in the remote MyData copy.
MsgBox(NULL, pData->sz, NULL, MB_OK);
MMessageBox2 message = (MMessageBox2)pData->sendx;
//message(pData->hwnd3,WM_SETTEXT,0,(LPARAM)"123456789");// Author's question: why does sending this message here produce no reaction at all?
// NOTE(review): the "123456789" literal is stored in this executable's image,
// which is never copied into the target (only the page at RMTFunc and the MyData
// block are). Inside the target the LPARAM therefore points at memory that is
// unmapped or holds something unrelated, so WM_SETTEXT has no valid string to
// read. Strings the remote code needs have to travel the same way sz does.
//message(pData->hwnd3,WM_CLOSE,0,0);// Author's note: this one works normally.
// NOTE(review): WM_CLOSE carries no pointer in its parameters, which is why it is
// unaffected by the address-space difference explained above.
return 0;
}
// Textbook remote-thread injection into a running Notepad instance: find its
// window, open the process with PROCESS_ALL_ACCESS, allocate an RWX page plus a
// data block inside it, copy RMTFunc and a MyData instance over, and start a
// thread on the copied code. This exact call chain (OpenProcess ->
// VirtualAllocEx with PAGE_EXECUTE_READWRITE -> WriteProcessMemory ->
// CreateRemoteThread) is a pattern that endpoint security products monitor and
// block, and the design only works when injector and target have the same
// bitness and user32.dll is mapped at the same base in both processes.
// "void main" is non-standard; the early "return" below yields no exit status.
// Almost no API return value is checked -- see the per-line notes.
void main()
{
// Unused.
DWORD dwImageSize = 0;
// Unused.
HMODULE hModule = NULL;
// Uninitialised; only written by GetWindowThreadProcessId when hWnd is valid.
DWORD dwProcessId;
MyData data;
// Zero-fill so that sz starts as an empty string for the strcat below.
ZeroMemory(&data, sizeof (MyData));
// Look-up by window class name. The result is not checked: if no Notepad is
// running, hWnd is NULL and dwProcessId below stays uninitialised.
hWnd = FindWindow("notepad", NULL);
// First child window of the Notepad top-level window.
hwnd2=FindWindowEx(hWnd,0,0,0);
data.hwnd3 =hWnd;
// %x expects an unsigned int, but HWND is pointer-sized; %p would be the
// matching specifier.
printf("句柄=%x\n",hwnd2);
// Return value (the owning thread id) is discarded; dwProcessId receives the
// process id only when hWnd refers to an existing window.
GetWindowThreadProcessId(hWnd, &dwProcessId);
//DWORD dwProcessId=GetCurrentProcessId();   // commented out: presumably a self-injection variant used for testing -- left as in the original
// Full access to the target. hProcess is never checked; a NULL handle makes
// every following call fail silently.
HANDLE hProcess = OpenProcess(
PROCESS_ALL_ACCESS,
FALSE,
dwProcessId);
// Appends the message text to the zeroed 64-byte buffer. The build is
// non-UNICODE (narrow literals are passed to FindWindow/LoadLibrary), so TEXT()
// expands to the plain literal; its byte encoding follows the source file's
// code page.
strcat(data.sz, TEXT("成功了!!!!!"));
// Resolve MessageBoxA/SendMessageA in *this* process. The addresses are later
// called inside the target by RMTFunc, which relies on user32.dll having the
// same base address there. Note the cast to DWORD for dwMessageBox (see the
// struct comment). FreeLibrary only drops the local reference; the addresses
// are never dereferenced locally.
HINSTANCE hUser = LoadLibrary("user32.dll");
printf("%x\n",hUser);
data.dwMessageBox = (DWORD)GetProcAddress(hUser, "MessageBoxA");
data.sendx = (LRESULT)GetProcAddress(hUser, "SendMessageA");
FreeLibrary(hUser);
// Only MessageBoxA is validated; sendx may be NULL without being noticed.
if (! data.dwMessageBox)
return;
// One 4 KiB page that is writable and executable at the same time -- the
// hallmark of injected code and the first thing a memory scanner flags.
void *pRemoteThread
= VirtualAllocEx(hProcess, 0,
1024*4, MEM_COMMIT|MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
// Copies 4096 bytes starting at RMTFunc, i.e. far past the function's end into
// whatever follows it in .text (and beyond the image if RMTFunc sits near its
// tail). The return value is ignored, as is a possible NULL pRemoteThread.
WriteProcessMemory(hProcess, pRemoteThread, &RMTFunc, 1024*4, 0);
// Remote copy of the parameter block; the pointer is only valid in the target.
MyData *pData
= (MyData*)VirtualAllocEx(hProcess, 0,
sizeof (MyData), MEM_COMMIT,
PAGE_READWRITE);
WriteProcessMemory(hProcess, pData, &data, sizeof (MyData), 0);
// Three-second pause; its purpose is not evident from the code.
Sleep(3000);
// Starts the copied RMTFunc in the target with pData as its argument.
HANDLE hThread
= CreateRemoteThread(hProcess, 0,
0, (LPTHREAD_START_ROUTINE)pRemoteThread,
pData, 0, 0);
// On failure the message is printed but execution continues: CloseHandle(NULL)
// and the frees below run regardless.
if (! hThread)
{
printf("远程线程创建失败");
}
CloseHandle(hThread);
// MEM_RELEASE requires dwSize == 0, so both calls fail (1024*3 also does not
// match the 1024*4 that was allocated); the RWX page and the data block stay
// behind in Notepad. Nothing waits for the remote thread either, so even a
// successful free would happen while it may still be blocked in MessageBox.
VirtualFreeEx(hProcess, pRemoteThread, 1024*3, MEM_RELEASE);
VirtualFreeEx(hProcess, pData, sizeof (MyData), MEM_RELEASE);
CloseHandle(hProcess);
printf("Hello World!\n");
// Keeps the console open until Enter is pressed.
getchar();
}
麻烦帮我看一下这段代码：为什么在我注释掉的那一行，发送消息后没有任何反应？