注入都是可以成功的也是可以执行的,通过了测试,但是我把一个Win32窗口程序注入控制台程序,Win32窗口程序却弹不出窗口不知道为什么? 而且吧一个控制台循环产生MessageBox的程序,注入Win32成功 会不停打印MessageBox,求教一个看雪的大佬们,以前辈们见多识广的眼光,如果能指点一二,相信对我就收获良多,下面的代码共享了自己写的没参考 注入了两次镜像傻的狠,希望也能对一些朋友产生一些帮助 ,还有程序里的开辟的指针都么有释放,时间紧
// 内存写入注入进程.cpp : Defines the entry point for the console application. //
// 贴入exe.cpp : Defines the entry point for the console application. //
#include "stdafx.h"
#include <Windows.h>
#define PID 0x9E8
#define EXEPATH "C:\Documents and Settings\Administrator\桌面\测试贴入.exe"
#define SAVE "C:\Documents and Settings\Administrator\桌面\1111.exe"
#define BASE 0x1000000 char Mem1=NULL; //读取磁盘文件的FileBuf char Mem2=NULL; //将磁盘问的Filebuf拉伸成ImageBuf char* Mem3=NULL; //自己进程的Imagebase 因为IAT表代表在自己的进程中 DWORD FileSize=0; DWORD ImageBase=0; DWORD SizeofImage=0;
DWORD CurrentImageBase=0; DWORD CuurentSizeofImage=0; DWORD OEP=0; HANDLE Heap=0;
int SaveFile(); int RestoreIATTaber(DWORD MemBase); int ImageBuffToFileBuff(); int RestoreReLcationTaber(DWORD MemAddr,DWORD NewImagebase,DWORD loImageBase);
int ReadCurrentImageBuff(){ HMODULE Hmoudle=GetModuleHandle(NULL); if(NULL==Hmoudle){ MessageBox(NULL,"获取当前进程模块失败",0,0); return 0; } PIMAGE_DOS_HEADER PeStructDosHeader=NULL; PIMAGE_FILE_HEADER PeStructFileHeader=NULL; PIMAGE_OPTIONAL_HEADER PeStructOptionHeader=NULL;
} int ReadData(){ HANDLE hFile=CreateFile(EXEPATH, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if(NULL==hFile){ MessageBox(NULL,"打开文件失败",0,0); return 0; } FileSize=GetFileSize(hFile,NULL); if(INVALID_FILE_SIZE==FileSize){ MessageBox(NULL,"获取函数大小失败",0,0); CloseHandle(hFile); return 0; } Heap=HeapCreate(0,FileSize,0); if(NULL==Heap){ MessageBox(NULL,"创建进程私有堆失败",0,0); CloseHandle(hFile); return 0; }
} DWORD GetSizeofImagSize(){ PIMAGE_DOS_HEADER PeStructDosHeader=NULL; PIMAGE_FILE_HEADER PeStructFileHeader=NULL; PIMAGE_OPTIONAL_HEADER PeStructOptionHeader=NULL;
} DWORD MallocMemroy(){
} int FIleBufToImageBuff(){ PIMAGE_DOS_HEADER PeStructDosHeader=NULL; PIMAGE_FILE_HEADER PeStructFileHeader=NULL; PIMAGE_OPTIONAL_HEADER PeStructOptionHeader=NULL; PIMAGE_SECTION_HEADER PeStructSetionHeader=NULL;
} int InjectMem2(HANDLE hProcess){ //Mem2 注入磁盘文件 char Dest2=(char )VirtualAllocEx(hProcess,NULL,SizeofImage,MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if(NULL==Dest2){ MessageBox(NULL,"目标进程开辟第一块空间失败",0,0); return 0; } if(!RestoreReLcationTaber((DWORD)Mem2,(DWORD)Dest2,ImageBase)){ return 0; } DWORD length=0; if(!WriteProcessMemory(hProcess,Dest2,Mem2,SizeofImage,&length)){ int c=GetLastError(); MessageBox(NULL,"向目标进程中写入镜像失败",0,0); return 0; } if(ImageBase==length){ MessageBox(NULL,"向目标进程中写入字节数不对",0,0); return 0; } memset(Mem2,0,SizeofImage); if(!ReadProcessMemory(hProcess,Dest2,Mem2,SizeofImage,&length)){ MessageBox(NULL,"读取目表进程内容失败",0,0); return 0; } if(ImageBase==length){ MessageBox(NULL,"从目标进程中读取字节数不对",0,0); return 0; }
} int InjectMem3(HANDLE hProcess,DWORD PosBase){ //注入字节 Mem3是自己 char Dest1=(char )VirtualAllocEx(hProcess,NULL,CuurentSizeofImage,MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if(NULL==Dest1){ MessageBox(NULL,"目标进程开辟第一块空间失败",0,0); return 0; } if(!RestoreReLcationTaber((DWORD)Mem3,(DWORD)Dest1,CurrentImageBase)){ return 0; } DWORD length=0; if(!WriteProcessMemory(hProcess,Dest1,Mem3,CuurentSizeofImage,&length)){ int c=GetLastError(); MessageBox(NULL,"向目标进程中写入镜像失败",0,0); return 0; } if(ImageBase==length){ MessageBox(NULL,"向目标进程中写入字节数不对",0,0); return 0; }
} int OpenDestProcess(){ HANDLE hProcess=OpenProcess( PROCESS_ALL_ACCESS,FALSE,PID); if(NULL==hProcess){ MessageBox(NULL,"打开进程失败",0,0); return 0; } DWORD Pos=0; if(!(Pos=InjectMem2(hProcess))){ //先注入磁盘镜像 return 0; } if(!(InjectMem3(hProcess,Pos))){ //在注入自己的镜像 return 0; }
} int RestoreReLcationTaber(DWORD MemAddr,DWORD NewImagebase,DWORD oldImageBase){ PIMAGE_DOS_HEADER PeStructDosHeader=NULL; PIMAGE_FILE_HEADER PeStructFileHeader=NULL; PIMAGE_OPTIONAL_HEADER PeStructOptionHeader=NULL; PIMAGE_BASE_RELOCATION PeStructReLocatHeader=NULL;
} int RestoreIATTaber(DWORD MemBase){
} int ImageBuffToFileBuff(){ PIMAGE_DOS_HEADER PeStructDosHeader=NULL; PIMAGE_FILE_HEADER PeStructFileHeader=NULL; PIMAGE_OPTIONAL_HEADER PeStructOptionHeader=NULL; PIMAGE_SECTION_HEADER PeStructSetionHeader=NULL;
} int SaveFile(){ HANDLE hFile=CreateFile(SAVE, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, //如果文件存在则重写 FILE_ATTRIBUTE_NORMAL, NULL); if(NULL==hFile){ MessageBox(NULL,"打开文件失败",0,0); return 0; } DWORD Size=0;
}
int main(int argc, char* argv[]) { if(!ReadCurrentImageBuff()){ //读取自己的imagebuf 到mem3内存没有修复重定位 return 0; } if(!ReadData()){ //读取磁盘上一个文件的FIleBuf 保存在开辟Mem1空间中个 return 0; } GetSizeofImagSize(); //获取这个磁盘的OEP imagebase sizeof等信息 if(!MallocMemroy()){ //开辟一个Mem3准备保存 Mem1拉伸后的内容 return 0; } FIleBufToImageBuff(); //将FIleBuf拉伸成 ImageBuf 并保存在Mme2中 此时Mme2和Mem3都没修复重定位
#if 0 if(!RestoreIATTaber()){ return -4; } if(!RestoreReLcationTaber()){ //修复重定位 return 0; } ImageBuffToFileBuff(); if(!SaveFile()){ return -5; }
#endif OpenDestProcess();
}
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)