C语言实现远程代码注入
Posted lyshark
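#include <windows.h>
#include <iostream>

#define STRLEN 20

// Classic Windows code injection demo: a small stub function is copied
// byte-for-byte into another process with WriteProcessMemory and started with
// CreateRemoteThread; it loads user32.dll there and pops a MessageBoxA.
//
// Because the stub is copied raw, it must be position independent: no CRT
// calls, no globals, no string literals, no exception handling. Everything it
// needs (kernel32 addresses and strings) is handed over in DATA. Build notes:
// compile the stub with /GS- (a local buffer otherwise pulls in the security
// cookie, which lives in the injector, not the target), link with
// /INCREMENTAL:NO (so &RemoteThreadProc is the body, not an ILT thunk), and
// do not let the optimizer turn array initialisation into a memset call.
// Injector and target must be the same bitness.
//
// Use only against processes you own or are authorised to test; this
// WriteProcessMemory + CreateRemoteThread pattern is commonly flagged by EDR.

// Everything the injected stub needs, passed as the remote thread parameter.
// Pointer-sized fields so the addresses are not truncated on x64 (same size
// as the previous DWORD fields on x86).
typedef struct _DATA
{
    ULONG_PTR dwLoadLibrary;        // kernel32!LoadLibraryA
    ULONG_PTR dwGetProcAddress;     // kernel32!GetProcAddress
    ULONG_PTR dwGetModuleHandle;    // kernel32!GetModuleHandleA (resolved, but the stub does not use it)
    ULONG_PTR dwGetModuleFileName;  // kernel32!GetModuleFileNameA
    char User32Dll[STRLEN];         // "user32.dll"
    char MessageBox[STRLEN];        // "MessageBoxA"
    char Str[STRLEN];               // text shown by the message box
} DATA, *PDATA;

// Prototypes (with the right calling convention) for the functions the stub
// reaches through DATA.
typedef HMODULE (WINAPI *PFN_LoadLibraryA)(LPCSTR);
typedef FARPROC (WINAPI *PFN_GetProcAddress)(HMODULE, LPCSTR);
typedef DWORD   (WINAPI *PFN_GetModuleFileNameA)(HMODULE, LPSTR, DWORD);
typedef int     (WINAPI *PFN_MessageBoxA)(HWND, LPCSTR, LPCSTR, UINT);

// The stub that runs inside the target. lpParam points at a DATA block the
// injector wrote into the target. Loads user32.dll, resolves MessageBoxA and
// shows the text from DATA with the target's own image path as the caption.
// Returns 0 on success, 1 if any address or lookup is missing.
DWORD WINAPI RemoteThreadProc(LPVOID lpParam)
{
    PDATA pData = (PDATA)lpParam;
    if (pData == NULL)
        return 1;

    PFN_LoadLibraryA       fnLoadLibrary       = (PFN_LoadLibraryA)pData->dwLoadLibrary;
    PFN_GetProcAddress     fnGetProcAddress    = (PFN_GetProcAddress)pData->dwGetProcAddress;
    PFN_GetModuleFileNameA fnGetModuleFileName = (PFN_GetModuleFileNameA)pData->dwGetModuleFileName;
    if (fnLoadLibrary == NULL || fnGetProcAddress == NULL || fnGetModuleFileName == NULL)
        return 1;

    // user32.dll may not be loaded in the target yet; LoadLibraryA is safe to
    // call from a freshly created thread.
    HMODULE hUser32 = fnLoadLibrary(pData->User32Dll);
    if (hUser32 == NULL)
        return 1;

    PFN_MessageBoxA fnMessageBox = (PFN_MessageBoxA)fnGetProcAddress(hUser32, pData->MessageBox);
    if (fnMessageBox == NULL)
        return 1;

    // Deliberately not "= {0}": zeroing a MAX_PATH buffer may compile to a call
    // to memset, which does not exist at that address in the target. Only the
    // terminator is needed, GetModuleFileNameA fills the rest.
    char szModuleFileName[MAX_PATH];
    szModuleFileName[0] = '\0';
    if (fnGetModuleFileName(NULL, szModuleFileName, MAX_PATH) == 0)
        szModuleFileName[0] = '\0';

    fnMessageBox(NULL, pData->Str, szModuleFileName, MB_OK);
    return 0;
}

// Number of bytes that can be read from pfn without leaving the memory region
// it lives in, capped at cbMax. The stub's true length is unknown, so the
// injector copies a fixed maximum; this keeps that local read from faulting
// when the cap would run past the end of the mapped code.
static SIZE_T SafeCopySize(LPCVOID pfn, SIZE_T cbMax)
{
    MEMORY_BASIC_INFORMATION mbi = {0};
    if (VirtualQuery(pfn, &mbi, sizeof(mbi)) == 0)
        return cbMax;
    const BYTE *pRegionEnd = (const BYTE *)mbi.BaseAddress + mbi.RegionSize;
    const SIZE_T cbAvail = (SIZE_T)(pRegionEnd - (const BYTE *)pfn);
    return cbAvail < cbMax ? cbAvail : cbMax;
}

// Injects RemoteThreadProc plus its DATA block into process dwPid and waits for
// the remote thread to finish. Silently returns on any failure (the caller gets
// no status, as before); every handle and remote allocation is released on
// every path.
void InjectCode(DWORD dwPid)
{
    // Resolve kernel32 exports locally and reuse the addresses in the target.
    // This relies on kernel32.dll being mapped at the same base in both
    // processes, which Windows normally guarantees for the same bitness within
    // one boot session (ASLR rebases system DLLs per boot, not per process).
    DATA Data = {0};
    HMODULE hKernel32 = GetModuleHandleA("kernel32.dll");
    Data.dwLoadLibrary       = (ULONG_PTR)GetProcAddress(hKernel32, "LoadLibraryA");
    Data.dwGetProcAddress    = (ULONG_PTR)GetProcAddress(hKernel32, "GetProcAddress");
    Data.dwGetModuleHandle   = (ULONG_PTR)GetProcAddress(hKernel32, "GetModuleHandleA");
    Data.dwGetModuleFileName = (ULONG_PTR)GetProcAddress(hKernel32, "GetModuleFileNameA");
    // Bail before touching the target if anything the stub needs is missing.
    if (Data.dwLoadLibrary == 0 || Data.dwGetProcAddress == 0 || Data.dwGetModuleFileName == 0)
        return;

    // Strings travel in fixed buffers: prove at compile time that they fit,
    // and copy with a bound anyway.
    static const char szUser32[] = "user32.dll";
    static const char szMsgBox[] = "MessageBoxA";
    static const char szText[]   = "Code Inject !!!";
    static_assert(sizeof(szUser32) <= STRLEN && sizeof(szMsgBox) <= STRLEN && sizeof(szText) <= STRLEN,
                  "strings must fit DATA's fixed buffers, terminator included");
    lstrcpynA(Data.User32Dll, szUser32, STRLEN);
    lstrcpynA(Data.MessageBox, szMsgBox, STRLEN);
    lstrcpynA(Data.Str, szText, STRLEN);

    // Least privilege: exactly the rights VirtualAllocEx / WriteProcessMemory /
    // VirtualProtectEx / CreateRemoteThread need, instead of PROCESS_ALL_ACCESS.
    const DWORD dwAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE hProcess = OpenProcess(dwAccess, FALSE, dwPid);
    if (hProcess == NULL)
        return;

    LPVOID lpData  = NULL;
    LPVOID lpCode  = NULL;
    HANDLE hThread = NULL;

    do
    {
        // Parameter block: plain read/write, the stub only reads it.
        lpData = VirtualAllocEx(hProcess, NULL, sizeof(Data), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (lpData == NULL)
            break;
        SIZE_T cbWritten = 0;
        if (!WriteProcessMemory(hProcess, lpData, &Data, sizeof(Data), &cbWritten) || cbWritten != sizeof(Data))
            break;

        // Copy up to 0x4000 bytes of the stub (its exact size is not known),
        // clamped to the region it lives in so the local read cannot fault.
        LPCVOID pfnStub = (LPCVOID)&RemoteThreadProc;
        const SIZE_T cbCode = SafeCopySize(pfnStub, 0x4000);

        // W^X: write the code into a read/write page, then flip it to
        // execute/read before starting the thread.
        lpCode = VirtualAllocEx(hProcess, NULL, cbCode, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (lpCode == NULL)
            break;
        if (!WriteProcessMemory(hProcess, lpCode, pfnStub, cbCode, &cbWritten) || cbWritten != cbCode)
            break;
        DWORD dwOldProtect = 0;
        if (!VirtualProtectEx(hProcess, lpCode, cbCode, PAGE_EXECUTE_READ, &dwOldProtect))
            break;

        hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpCode, lpData, 0, NULL);
        if (hThread == NULL)
            break;
        WaitForSingleObject(hThread, INFINITE);
    } while (0);

    // Remote allocations are only released after the thread finished (or was
    // never started), so the stub never runs on freed memory.
    if (hThread != NULL)
        CloseHandle(hThread);
    if (lpCode != NULL)
        VirtualFreeEx(hProcess, lpCode, 0, MEM_RELEASE);
    if (lpData != NULL)
        VirtualFreeEx(hProcess, lpData, 0, MEM_RELEASE);
    CloseHandle(hProcess);
}

// Looks up a process by the title of its top-level window (FindWindow with a
// NULL class): Name is a window caption, not an image name. Returns the owning
// process id, or 0 if no such window exists.
int GetProcessID(const char *Name)
{
    HWND hWnd = ::FindWindowA(NULL, Name);
    if (hWnd == NULL)
        return 0;
    DWORD dwPid = 0;  // left untouched by GetWindowThreadProcessId on failure
    ::GetWindowThreadProcessId(hWnd, &dwPid);
    return (int)dwPid;
}

int main()
{
    int ppid = ::GetProcessID("lyshark.exe");
    if (ppid == 0)
        return 1;  // target window not found, nothing to inject into
    InjectCode((DWORD)ppid);
    return 0;
}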