[新手上路]批处理新手入门导读[视频教程]批处理基础视频教程[视频教程]VBS基础视频教程[批处理精品]批处理版照片整理器
[批处理精品]纯批处理备份&还原驱动[批处理精品]CMD命令50条不能说的秘密[在线下载]第三方命令行工具[在线帮助]VBScript / JScript 在线参考
返回列表 发帖
IUnknown

Rank: 1

帖子
10 
积分
84 
技术
9  
捐助
0  
注册时间
2011-8-8 
1 跳转到 »
发表于 2012-9-15 17:24 | 显示全部帖子
远程注入法,简单写了一个:
  1. #include <windows.h>

  2. #include <stdio.h>

  3. #include <tchar.h>

  4. #include <assert.h>

  5. #include <tlhelp32.h>

  6. 

  7. DWORD GetParentProcessId(DWORD pid)

  8. {

  9.     DWORD ppid = (DWORD)(-1);

  10.     HANDLE hProcessSnap;

  11.     PROCESSENTRY32 pe32;

  12. 

  13.     hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );

  14.     assert(hProcessSnap != INVALID_HANDLE_VALUE);

  15. 

  16.     pe32.dwSize = sizeof( PROCESSENTRY32 );

  17.     BOOL bResult = Process32First( hProcessSnap, &pe32 );

  18.     assert(bResult != FALSE);

  19. 

  20.     do

  21.     {

  22.         if (pid == pe32.th32ProcessID)

  23.         {

  24.             ppid = pe32.th32ParentProcessID;

  25.             break;

  26.         }

  27.     } while( Process32Next( hProcessSnap, &pe32 ) );

  28. 

  29.     CloseHandle( hProcessSnap );

  30.     return( ppid );

  31. }

  32. 

  33. DWORD ppid(VOID)

  34. {

  35.     return GetParentProcessId( GetCurrentProcessId() );

  36. }

  37. 

  38. 

  39. typedef struct _RemoteParam {

  40.     DWORD funcptr;

  41.     BYTE Param1[64];

  42.     BYTE Param2[64];

  43. } RemoteParam, *PRemoteParam;

  44. 

  45. typedef int  (WINAPI *PFN_MessageBox)(HWND, LPCTSTR, LPCTSTR, DWORD);

  46. typedef BOOL (WINAPI *PFN_SetEnvironmentVariable)(LPCTSTR, LPCTSTR);

  47. 

  48. 

  49. DWORD WINAPI threadProc(LPVOID lpParam)

  50. {

  51.     RemoteParam *pRP = (RemoteParam *)lpParam;

  52. 

  53.     PFN_SetEnvironmentVariable pfnSetEnvironmentVariable = (PFN_SetEnvironmentVariable)pRP[0].funcptr;

  54.     pfnSetEnvironmentVariable(pRP[0].Param1, pRP[0].Param2);

  55. 

  56.     PFN_MessageBox pfnMessageBox = (PFN_MessageBox)pRP[1].funcptr;

  57.     pfnMessageBox(NULL, pRP[1].Param1, pRP[1].Param2, 0);

  58. 

  59.     return 0;

  60. }

  61. 

  62. 

  63. int main(int argc, char *argv[])

  64. {

  65.     DWORD dwProcessId = ppid();

  66.     assert(dwProcessId != (DWORD)(-1));

  67. 

  68.     HANDLE hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId); 

  69.     assert(hTargetProcess != NULL);

  70. 

  71.     DWORD dwMemSize = 4096;

  72.     LPVOID pRemoteThread = VirtualAllocEx(hTargetProcess, 0, dwMemSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE) ; 

  73.     assert(pRemoteThread != NULL);

  74.     BOOL bResult = WriteProcessMemory(hTargetProcess, pRemoteThread, threadProc, dwMemSize, NULL) ; 

  75.     assert(bResult != FALSE);

  76. 

  77.     RemoteParam RemoteParams[2] = {{0}};

  78.     HMODULE hUser32 = LoadLibrary("User32.dll");

  79.     HMODULE hKernel32 = LoadLibrary("Kernel32.dll");

  80. 

  81.     RemoteParams[0].funcptr = (DWORD)GetProcAddress(hKernel32, "SetEnvironmentVariableA");

  82.     strcpy(RemoteParams[0].Param1, "__var");

  83.     strcpy(RemoteParams[0].Param2, "hello");

  84.     RemoteParams[1].funcptr = (DWORD)GetProcAddress(hUser32, "MessageBoxA");

  85.     strcpy(RemoteParams[1].Param1, "www.bathome.net");

  86.     strcpy(RemoteParams[1].Param2, "hello");

  87. 

  88.     dwMemSize = sizeof(RemoteParams);

  89.     LPVOID pRemoteParam = VirtualAllocEx(hTargetProcess, 0, dwMemSize, MEM_COMMIT, PAGE_READWRITE);

  90.     assert(pRemoteParam != NULL);

  91.     bResult = WriteProcessMemory(hTargetProcess, pRemoteParam, RemoteParams, dwMemSize, NULL) ; 

  92.     assert(bResult != FALSE);

  93. 

  94.     HANDLE hRemoteThread = CreateRemoteThread(hTargetProcess, NULL, 0, pRemoteThread, pRemoteParam, 0, NULL); 

  95.     assert(hRemoteThread != NULL);

  96. 

  97.     CloseHandle(hRemoteThread);

  98.     CloseHandle(hTargetProcess);

  99.     return 0;

  100. }
复制代码
E:\Projects\Inject>set
ALLUSERSPROFILE=D:\Documents and Settings\All Users
APPDATA=D:\Documents and Settings\root\Application Data
CLIENTNAME=Console
CommonProgramFiles=D:\Program Files\Common Files
COMPUTERNAME=POWERPC
ComSpec=D:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=D:
HOMEPATH=\Documents and Settings\root
LOGONSERVER=\\POWERPC
NUMBER_OF_PROCESSORS=4
OS=Windows_NT
Path=D:\WINDOWS\system32;D:\WINDOWS;D:\WINDOWS\System32\Wbem;E:\MinGW\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 37 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=2505
ProgramFiles=D:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=D:
SystemRoot=D:\WINDOWS
TEMP=D:\DOCUME~1\root\LOCALS~1\Temp
TMP=D:\DOCUME~1\root\LOCALS~1\Temp
USERDOMAIN=POWERPC
USERNAME=root
USERPROFILE=D:\Documents and Settings\root
windir=D:\WINDOWS

E:\Projects\Inject>gcc -o conset.exe conset.c

E:\Projects\Inject>conset

E:\Projects\Inject>set
ALLUSERSPROFILE=D:\Documents and Settings\All Users
APPDATA=D:\Documents and Settings\root\Application Data
CLIENTNAME=Console
CommonProgramFiles=D:\Program Files\Common Files
COMPUTERNAME=POWERPC
ComSpec=D:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=D:
HOMEPATH=\Documents and Settings\root
LOGONSERVER=\\POWERPC
NUMBER_OF_PROCESSORS=4
OS=Windows_NT
Path=D:\WINDOWS\system32;D:\WINDOWS;D:\WINDOWS\System32\Wbem;E:\MinGW\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 37 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=2505
ProgramFiles=D:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=D:
SystemRoot=D:\WINDOWS
TEMP=D:\DOCUME~1\root\LOCALS~1\Temp
TMP=D:\DOCUME~1\root\LOCALS~1\Temp
USERDOMAIN=POWERPC
USERNAME=root
USERPROFILE=D:\Documents and Settings\root
windir=D:\WINDOWS
__var=hello

E:\Projects\Inject>
2

评分人数

    • CrLf: 膜拜技术 + 1
    • plp626: 这里卧虎藏龙啊,感谢分享。。PB + 10 技术 + 1
我不知道

TOP

返回列表