批处理之家 - Powered by Discuz! Board

#include <stdio.h>
#include <stdlib.h>
#include <Windows.h>
#include <memdll.h>
byte dlldata[] = { 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, 0xB8, 0x00, 0x0, ...};
const BYTE k1[16] = "kernel32.dll";
const BYTE k2[16] = "kernelbase.dll";
extern "C" HWND WINAPI GetConsoleWindow( void );
// 获取操作系统版本号浮点值
FLOAT GetNtVersionFloat()
{
BOOL bRet = FALSE;
HMODULE hModNtdll = NULL;
DWORD dwMajorVer, dwMinorVer, dwBuildNumber;
if( hModNtdll = ::LoadLibraryW( L"ntdll.dll" ) )
{
typedef void ( WINAPI * pfRTLGETNTVERSIONNUMBERS )( DWORD*, DWORD*, DWORD* );
pfRTLGETNTVERSIONNUMBERS pfRtlGetNtVersionNumbers;
pfRtlGetNtVersionNumbers = ( pfRTLGETNTVERSIONNUMBERS )::GetProcAddress( hModNtdll, "RtlGetNtVersionNumbers" );
if( pfRtlGetNtVersionNumbers )
{
pfRtlGetNtVersionNumbers( &dwMajorVer, &dwMinorVer, &dwBuildNumber );
dwBuildNumber &= 0x0ffff;
FLOAT verfv = dwMajorVer + dwMinorVer / 10.0f;
return verfv;
}
::FreeLibrary( hModNtdll );
hModNtdll = NULL;
}
}
// 提升进程特权
BOOL EnablePrivilege( BOOL enable )
{
// 得到令牌句柄
HANDLE hToken = NULL;
if( !OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | TOKEN_READ, &hToken ) )
return FALSE;
// 得到特权值
LUID luid;
if( !LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &luid ) )
return FALSE;
// 提升令牌句柄权限
TOKEN_PRIVILEGES tp = {};
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = enable ? SE_PRIVILEGE_ENABLED : 0;
if( !AdjustTokenPrivileges( hToken, FALSE, &tp, 0, NULL, NULL ) )
return FALSE;
// 关闭令牌句柄
CloseHandle( hToken );
return TRUE;
}
// 注入DLL
BOOL InjectDll( HANDLE process, CHAR* dllPath )
{
DWORD dllPathSize = ( ( DWORD )strlen( dllPath ) + 1 ) * sizeof( CHAR );
// 申请内存用来存放DLL路径
void* remoteMemory = VirtualAllocEx( process, NULL, dllPathSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
if( remoteMemory == NULL )
{
return FALSE;
}
// 写入DLL路径
if( !WriteProcessMemory( process, remoteMemory, dllPath, dllPathSize, NULL ) )
{
return FALSE;
}
// 创建远线程调用LoadLibrary
HANDLE remoteThread = CreateRemoteThread( process, NULL, 0, ( LPTHREAD_START_ROUTINE )LoadLibraryA, remoteMemory, 0, NULL );
if( remoteThread == NULL )
{
return FALSE;
}
// 等待远线程结束
WaitForSingleObject( remoteThread, INFINITE );
// 取DLL在目标进程的句柄
DWORD remoteModule;
GetExitCodeThread( remoteThread, &remoteModule );
// 释放
CloseHandle( remoteThread );
VirtualFreeEx( process, remoteMemory, dllPathSize, MEM_DECOMMIT );
return TRUE;
}
int main( int argc, char** argv )
{
// 只接受 1个参数, 即cmd脚本名称
if(argc != 2 && argc != 3)
{
exit(1);
}
char szCommandLine[MAX_PATH];
sprintf(szCommandLine, "cmd /c \"%s\"", argv[1]);
//system(szCommandLine);
// 提升权限
EnablePrivilege( TRUE );
STARTUPINFO si = {sizeof( si )};
PROCESS_INFORMATION pi;
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = TRUE;
// 创建子进程, 获取子进程信息
BOOL bRet = CreateProcess(
NULL,
szCommandLine, //命令行参数
NULL,
NULL,
TRUE,
CREATE_SUSPENDED, //为新进程挂起,方便后续注入
NULL,
NULL,
&si,
&pi );
if( pi.hProcess == NULL )
{
printf( "Open cmd process failed.\n" );
return 1;
}
// 系统大于Win7, 则HOOK "kernelBase.dll", 直接修改dll内存实现
memcpy(dlldata + 0x179A, (( GetNtVersionFloat() > 6.1f ) ? k2 : k1), 16);
memcpy(dlldata + 0x1B60, (( GetNtVersionFloat() > 6.1f ) ? k2 : k1), 16);
// 内存注入dll
remoteInject(pi.hProcess, dlldata, sizeof(dlldata));
// 恢复挂起的进程
ResumeThread(pi.hThread);
// 关闭进程
CloseHandle( pi.hProcess );
//getchar();
return 0;
}