主程序代码:
#include <Windows.h>
#include <tchar.h>
#include <TlHelp32.h>
#include <stdio.h>
DWORD GetIDByName(LPCTSTR);//由进程名获得ID,区分大小写
void PrintError(TCHAR* msg);//错误提示
BOOL CreateRemoteThreadByDll(LPCTSTR lpProcessName,LPCTSTR lpDllName);//把dll注入远程进程
BOOL EnablePriv();//提升权限,得到SeDebugPrivilege privilege
int WINAPI WinMain( __in HINSTANCE hInstance, __in_opt HINSTANCE hPrevInstance, __in LPSTR lpCmdLine, __in int nShowCmd )
{
TCHAR szProcessName[]=_T("XDict.exe");
TCHAR szDllPath[MAX_PATH]=_T("D:\\VSCode\\远程dll\\Release\\远程dll.dll");
EnablePriv();
CreateRemoteThreadByDll(szProcessName,szDllPath);
return TRUE;
}
BOOL EnablePriv()
{
HANDLE hToken = NULL;
TOKEN_PRIVILEGES tkp = {0};
if ( !OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) ) {
PrintError(_T("OpenProcessToken"));
return FALSE;
}
if ( !LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tkp.Privileges[0].Luid)) {
CloseHandle( hToken );
PrintError(_T("LookupPrvilegeToken"));
return FALSE;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if ( !AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof(TOKEN_PRIVILEGES),NULL,NULL)) {
CloseHandle( hToken );
PrintError(_T("AdjustTokenPrivileges"));
return FALSE;
}
return TRUE;
}
BOOL CreateRemoteThreadByDll(LPCTSTR lpProcessName,LPCTSTR lpDllName)
{
DWORD dwProcessID;
dwProcessID=GetIDByName(lpProcessName);//进程名区分大小写
HANDLE hProccess=OpenProcess(PROCESS_ALL_ACCESS,TRUE,dwProcessID);
if (hProccess==NULL)
{
PrintError(_T("OpenProcess"));
return FALSE;
}
TCHAR szLibPath[MAX_PATH]={0};
_tcscpy_s(szLibPath,lpDllName);
void* pLibRemote;//远程线程的地址,存放库文件名称
DWORD hLibModule;//加载模块的基地址
pLibRemote=VirtualAllocEx(hProccess,NULL,sizeof(szLibPath),MEM_COMMIT,PAGE_READWRITE);
if (pLibRemote==NULL)
{
PrintError("VirtualAllocEx");
return FALSE;
}
WriteProcessMemory(hProccess,pLibRemote,szLibPath,sizeof(szLibPath),NULL);
//把进程连接库加载到远程地址空间,LoadLibrary和FreeLibrary是kernel32.dll的驻留函数,在每个进程中的入口地址一样
HANDLE hThread=CreateRemoteThread(hProccess,NULL,0,
(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32"),"LoadLibraryA"),pLibRemote,0,NULL);
if (hThread==NULL)
{
PrintError(_T("CreateRemoteThread"));
}
WaitForSingleObject(hThread,INFINITE);
//得到加载模块的基地址
GetExitCodeThread(hThread,&hLibModule);//获得远程线程的返回码,这个值实际上是LoadLibrary的返回值,也就是映射的动态链接库返回的加载基地址
//清理
VirtualFreeEx(hProccess,pLibRemote,sizeof(szLibPath),MEM_RELEASE);
CloseHandle(hThread);
hThread=CreateRemoteThread(hProccess,NULL,0,
(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("Kernel32"),"FreeLibrary"),(void*)hLibModule,0,NULL);
WaitForSingleObject(hThread,INFINITE);
CloseHandle(hThread);
CloseHandle(hProccess);
return TRUE;
}
DWORD GetIDByName(LPCTSTR lpName)
{
HANDLE hSnapShot;
hSnapShot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if (hSnapShot==INVALID_HANDLE_VALUE)
{
PrintError(_T("CreateToolhelp32Snapshot"));
return FALSE;
}
PROCESSENTRY32 pe={0};
pe.dwSize=sizeof(PROCESSENTRY32);
BOOL bRet;
bRet=Process32First(hSnapShot,&pe);
if (bRet==NULL)
{
PrintError(_T("Process32First"));
return FALSE;
}
do
{
if (_tcscmp(pe.szExeFile,lpName)==0)
{
return pe.th32ProcessID;
}
} while (Process32Next(hSnapShot,&pe));
PrintError(_T("Process32Next"));
return FALSE;
}
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
void PrintError( TCHAR* msg )//错误输出
{
DWORD eNum;
TCHAR sysMsg[256],szMsg[256]={0};
TCHAR* p;
eNum = GetLastError( );
FormatMessage( FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
NULL, eNum,
0, // Default language
sysMsg, 256, NULL );
p=sysMsg;
size_t n=_tcslen(p);
sysMsg[n-2]=0;
_snprintf(szMsg,256,_T("WARNING: %s failed with error %d (%s)"), msg, eNum, sysMsg );
MessageBox(NULL,szMsg,_T("Warning"),MB_ICONWARNING|MB_OK);
}
dll文件
#include <Windows.h>
#include <stdio.h>
void WINAPI RemoteFunc(void)
{
FILE* fp;
while (TRUE)
{
fopen_s(&fp,"c:\\users\\dong\\desktop\\aaa.txt","a+");
fprintf(fp,"I'm not in you\n");
fclose(fp);
Sleep(3000);
}
}
int APIENTRY DllMain( HANDLE hDllHandle, DWORD dwReason, LPVOID lpreserved )
{
switch(dwReason)
{
case DLL_PROCESS_ATTACH:
RemoteFunc();
break;
default:
return TRUE;
}
return TRUE;
}
在桌面输出文件成功了,但是金山词霸(目标)不能用了,好像挂起了。
这是怎么回事啊,或者告诉我怎么注入后,能让金山词霸继续正常运行。
[课程]Linux pwn 探索篇!