下面是代码(部分为伪代码)
//shellcode
ULONG_PTR WINAPI MemoryLoadLibrary_Begin(INJECTPARAM* InjectParam) {
printf("InjectParam->dwDataLength:%d\r\n", InjectParam->dwDataLength);
return 0;
}
//用于辅助计算shellcode长度
void MemoryLoadLibrary_End()
{printf("MemoryLoadLibrary_End\r\n");
}
//执行这个函数向目标进程注入shellcode
void InjectDll::RemoteMapLoadDll(HANDLE TargetProcess)
{
SIZE_T dwWrited = 0;
//初始化参数结构体
INJECTPARAM InjectParam;
RtlZeroMemory(&InjectParam, sizeof(InjectParam));
//shellcode长度
DWORD ShellCodeSize = (ULONG_PTR)MemoryLoadLibrary_End - (ULONG_PTR)MemoryLoadLibrary_Begin;
//拷贝ShellCode代码
PVOID pShellCodeBuffer = malloc(ShellCodeSize);
RtlCopyMemory(pShellCodeBuffer, MemoryLoadLibrary_Begin, ShellCodeSize);
//结构体参数赋值
InjectParam.dwDataLength = 0x1000;
////申请内存,把Shellcode和参数复制到目标进程
////安全起见,大小多加0x100
PBYTE pStartAddress = (PBYTE)VirtualAllocEx(TargetProcess, 0, ShellCodeSize +0x100+ sizeof(InjectParam), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
//结构体参数赋值
InjectParam.lpFileData = pStartAddress;
//写入ShellCode
PBYTE ShellCodeAddress = pStartAddress;
WriteProcessMemory(TargetProcess,ShellCodeAddress,pShellCodeBuffer, ShellCodeSize, &dwWrited);
//写入参数
PBYTE ShellCodeParamAddress = pStartAddress + 0x100 + ShellCodeSize;
WriteProcessMemory(TargetProcess, ShellCodeParamAddress, &InjectParam, sizeof(InjectParam), &dwWrited);
HANDLE hRemoteThread = CreateRemoteThread(TargetProcess, 0, 0, (LPTHREAD_START_ROUTINE)ShellCodeAddress, ShellCodeParamAddress, 0, 0);
//关闭资源...
}
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)