远程注入执行函数

      最近在看病毒相关内容，看着大部分知识都知道，不知道用起来行不行。下午正好有人问怎么注入线程，在公司用《windows核心编程》的注入DLL程序修改了一下，实现了远程注入DLL调用函数。刚才回来，觉得照着别人的程序改，总还是学不到家，自己花了两个小时写了一个。能注入到其他进程中，执行弹出MessageBox框。当然，能注入去弹出这个框，就能干很多坏事了，看你想干什么了。把代码贴上来，也不改了，反正能看懂。有几个细节可能会忽略：

      1. ThreadFunc应该定义成static，不能是全局函数。如果是全局函数，只能取到jmp ThreadFunc这块代码的地址。

      2. 在调试模式会使写函数数据时数据出错。

下午就被这两个东西浪费了一个多小时。

      推荐两篇有用的内容：http://www.cnblogs.com/BoyXiao/archive/2011/08/11/2134367.html

      http://www.vckbase.com/index.php/wv/1580

// InjectToRemoteProcess.cpp : 定义应用程序的入口点。
//

#include "stdafx.h"
#include "InjectToRemoteProcess.h"

#define MAX_LOADSTRING 100

// 全局变量:
HINSTANCE hInst;								// 当前实例
TCHAR szTitle[MAX_LOADSTRING];					// 标题栏文本
TCHAR szWindowClass[MAX_LOADSTRING];			// 主窗口类名

// 此代码模块中包含的函数的前向声明:
ATOM				MyRegisterClass(HINSTANCE hInstance);
BOOL				InitInstance(HINSTANCE, int);
LRESULT CALLBACK	WndProc(HWND, UINT, WPARAM, LPARAM);
INT_PTR CALLBACK	About(HWND, UINT, WPARAM, LPARAM);
INT_PTR CALLBACK	Inject(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam);

int APIENTRY _tWinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPTSTR    lpCmdLine,
                     int       nCmdShow)
{
	UNREFERENCED_PARAMETER(hPrevInstance);
	UNREFERENCED_PARAMETER(lpCmdLine);

 	// TODO: 在此放置代码。
	MSG msg;
	HACCEL hAccelTable;

	// 初始化全局字符串
	LoadString(hInstance, IDS_APP_TITLE, szTitle, MAX_LOADSTRING);
	LoadString(hInstance, IDC_INJECTTOREMOTEPROCESS, szWindowClass, MAX_LOADSTRING);
	MyRegisterClass(hInstance);

	// 执行应用程序初始化:
	if (!InitInstance (hInstance, nCmdShow))
	{
		return FALSE;
	}

	hAccelTable = LoadAccelerators(hInstance, MAKEINTRESOURCE(IDC_INJECTTOREMOTEPROCESS));

	// 主消息循环:
	while (GetMessage(&msg, NULL, 0, 0))
	{
		if (!TranslateAccelerator(msg.hwnd, hAccelTable, &msg))
		{
			TranslateMessage(&msg);
			DispatchMessage(&msg);
		}
	}

	return (int) msg.wParam;
}



//
//  函数: MyRegisterClass()
//
//  目的: 注册窗口类。
//
//  注释:
//
//    仅当希望
//    此代码与添加到 Windows 95 中的“RegisterClassEx”
//    函数之前的 Win32 系统兼容时，才需要此函数及其用法。调用此函数十分重要，
//    这样应用程序就可以获得关联的
//    “格式正确的”小图标。
//
ATOM MyRegisterClass(HINSTANCE hInstance)
{
	WNDCLASSEX wcex;

	wcex.cbSize = sizeof(WNDCLASSEX);

	wcex.style			= CS_HREDRAW | CS_VREDRAW;
	wcex.lpfnWndProc	= WndProc;
	wcex.cbClsExtra		= 0;
	wcex.cbWndExtra		= 0;
	wcex.hInstance		= hInstance;
	wcex.hIcon			= LoadIcon(hInstance, MAKEINTRESOURCE(IDI_INJECTTOREMOTEPROCESS));
	wcex.hCursor		= LoadCursor(NULL, IDC_ARROW);
	wcex.hbrBackground	= (HBRUSH)(COLOR_WINDOW+1);
	wcex.lpszMenuName	= MAKEINTRESOURCE(IDC_INJECTTOREMOTEPROCESS);
	wcex.lpszClassName	= szWindowClass;
	wcex.hIconSm		= LoadIcon(wcex.hInstance, MAKEINTRESOURCE(IDI_SMALL));

	return RegisterClassEx(&wcex);
}

//
//   函数: InitInstance(HINSTANCE, int)
//
//   目的: 保存实例句柄并创建主窗口
//
//   注释:
//
//        在此函数中，我们在全局变量中保存实例句柄并
//        创建和显示主程序窗口。
//
BOOL InitInstance(HINSTANCE hInstance, int nCmdShow)
{
   HWND hWnd;

   hInst = hInstance; // 将实例句柄存储在全局变量中

   hWnd = CreateWindow(szWindowClass, szTitle, WS_OVERLAPPEDWINDOW,
      CW_USEDEFAULT, 0, CW_USEDEFAULT, 0, NULL, NULL, hInstance, NULL);

   if (!hWnd)
   {
      return FALSE;
   }

   ShowWindow(hWnd, nCmdShow);
   UpdateWindow(hWnd);

   return TRUE;
}

//
//  函数: WndProc(HWND, UINT, WPARAM, LPARAM)
//
//  目的: 处理主窗口的消息。
//
//  WM_COMMAND	- 处理应用程序菜单
//  WM_PAINT	- 绘制主窗口
//  WM_DESTROY	- 发送退出消息并返回
//
//
LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
	int wmId, wmEvent;
	PAINTSTRUCT ps;
	HDC hdc;

	switch (message)
	{
	case WM_COMMAND:
		wmId    = LOWORD(wParam);
		wmEvent = HIWORD(wParam);
		// 分析菜单选择:
		switch (wmId)
		{
		case IDM_ABOUT:
			DialogBox(hInst, MAKEINTRESOURCE(IDD_ABOUTBOX), hWnd, About);
			break;
		case IDM_EXIT:
			DestroyWindow(hWnd);
			break;
		case IDM_INJECT:
			DialogBox(hInst,MAKEINTRESOURCE(IDD_DLG_INJECT),hWnd,Inject);

		default:
			return DefWindowProc(hWnd, message, wParam, lParam);
		}
		break;
	case WM_PAINT:
		hdc = BeginPaint(hWnd, &ps);
		// TODO: 在此添加任意绘图代码...
		EndPaint(hWnd, &ps);
		break;
	case WM_DESTROY:
		PostQuitMessage(0);
		break;
	default:
		return DefWindowProc(hWnd, message, wParam, lParam);
	}
	return 0;
}

// “关于”框的消息处理程序。
INT_PTR CALLBACK About(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam)
{
	UNREFERENCED_PARAMETER(lParam);
	switch (message)
	{
	case WM_INITDIALOG:
		return (INT_PTR)TRUE;

	case WM_COMMAND:
		if (LOWORD(wParam) == IDOK || LOWORD(wParam) == IDCANCEL)
		{
			EndDialog(hDlg, LOWORD(wParam));
			return (INT_PTR)TRUE;
		}
		break;
	}
	return (INT_PTR)FALSE;
}


struct ProcStruct
{
	FARPROC MsgAddr;
	TCHAR strMsg[24];
	TCHAR strTitle[24];
};

static DWORD __stdcall ThreadFunc(ProcStruct * pPS)
{
	typedef int (__stdcall *pMsgBox)(HWND,LPCTSTR,LPCTSTR,UINT);

	pMsgBox MsgBox =(pMsgBox)pPS->MsgAddr;
	MsgBox(NULL,pPS->strMsg,pPS->strTitle,0);

	return 0;
}
static DWORD __stdcall OffsetFunc(LPVOID* pParam)
{
	return 0;
}

bool AdjustProcessTokenPrivilege()
{
	LUID luidTmp;
	HANDLE hToken;
	TOKEN_PRIVILEGES tkp;
	if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
	{
		//OutputDebugString("AdjustProcessTokenPrivilege OpenProcessToken Failed ! \n");
		return false;
	}   
	if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luidTmp))
	{ 
		//OutputDebugString("AdjustProcessTokenPrivilege LookupPrivilegeValue Failed ! \n");
		CloseHandle(hToken);
		return FALSE;
	}
	tkp.PrivilegeCount = 1;
	tkp.Privileges[0].Luid = luidTmp;
	tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	if(!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
	{
		//OutputDebugString("AdjustProcessTokenPrivilege AdjustTokenPrivileges Failed ! \n");
		CloseHandle(hToken);
		return FALSE;
	}
	return true;
}

DWORD InjectFunctionToProcess(DWORD dwProcessId)
{
	AdjustProcessTokenPrivilege();
	try
	{
		HANDLE hProcess = OpenProcess(         
			PROCESS_QUERY_INFORMATION |   // Required by Alpha
			PROCESS_CREATE_THREAD     |   // For CreateRemoteThread
			PROCESS_VM_OPERATION      |   // For VirtualAllocEx/VirtualFreeEx
			PROCESS_VM_WRITE,             // For WriteProcessMemory
			FALSE, dwProcessId);
		if (hProcess == NULL) 
		{
			return 0;
		}
		HMODULE hUser32 = GetModuleHandle(_T("User32.dll"));
		if (hProcess == NULL)
		{
			return 0;
		}
		FARPROC MsgAddr = GetProcAddress(hUser32,"MessageBoxW");

		ProcStruct PS;
		PS.MsgAddr =MsgAddr;
		_tcscpy(PS.strMsg,_T("This is Message!"));
		_tcscpy(PS.strTitle,_T("Title"));

		//开辟存储变量的内存空间
		void * pMemProcStruct = VirtualAllocEx(hProcess,NULL,sizeof(ProcStruct),MEM_COMMIT,PAGE_READWRITE);
		if (!pMemProcStruct)
		{
			return 0;
		}
		//复制参数内容
		if (!WriteProcessMemory(hProcess,pMemProcStruct,&PS,sizeof(ProcStruct),NULL))
		{
			return 0;
		}
		
		//开辟存储调用函数的空间
		DWORD FuncLen = (DWORD)OffsetFunc - (DWORD)ThreadFunc;
		void * pMemFunction = VirtualAllocEx(hProcess,NULL,FuncLen,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
		if (!pMemFunction)
		{
			return 0;
		}
		//复制函数内容
		if (!WriteProcessMemory(hProcess,pMemFunction,ThreadFunc,FuncLen,NULL))
		{
			return 0;
		}

		//启动线程函数注入进程
		HANDLE hRemoteThread = CreateRemoteThread(hProcess,NULL,NULL,(LPTHREAD_START_ROUTINE)pMemFunction,pMemProcStruct,NULL,NULL);
		if (!hRemoteThread)
		{
			return 0;
		}

		//等待线程结束
		WaitForSingleObject(hRemoteThread,INFINITE);
		//释放参数内容
		VirtualFreeEx(hProcess,pMemProcStruct,sizeof(ProcStruct),MEM_RELEASE);
		//释放函数内容
		VirtualFreeEx(hProcess,pMemFunction,FuncLen,MEM_RELEASE);

	}
	catch (...)
	{
		return -1;
	}
	return 0;
}

// “注入”框的消息处理程序。
INT_PTR CALLBACK Inject(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam)
{
	UNREFERENCED_PARAMETER(lParam);
	switch (message)
	{
	case WM_INITDIALOG:
		return (INT_PTR)TRUE;

	case WM_COMMAND:
		if (LOWORD(wParam) == IDCANCEL)
		{
			EndDialog(hDlg, LOWORD(wParam));
			return (INT_PTR)TRUE;
		}
		else if (LOWORD(wParam) == IDOK)
		{
			DWORD dwProcessId = GetDlgItemInt(hDlg, IDC_INJECTTOREMOTEPROCESS, NULL, FALSE);
			if (dwProcessId == 0) {
				// A process ID of 0 causes everything to take place in the 
				// local process; this makes things easier for debugging.
				dwProcessId = GetCurrentProcessId();
			}

			if (!InjectFunctionToProcess(dwProcessId)) 
			{
				MessageBox(NULL,_T("DLL Injection/Ejection successful."),_T("Title"),0);
			} 
			else 
			{
				MessageBox(NULL,_T("DLL Injection/Ejection failed."),_T("Error"),0);
			}
		}
		break;
	}
	return (INT_PTR)FALSE;
}