远程线程注入并调用API

zjh7272

win7 的GetProAddress地址会变动，所以该代码不适用于win7

// 远程线程注入_调用API.cpp : 定义控制台应用程序的入口点。
//

#include "stdafx.h"
#include "windows.h"

typedef int (_stdcall * Type_MessageBoxA)(HWND hWnd,LPCSTR lpText,LPCSTR lpCaption,UINT uType);

typedef HMODULE (_stdcall * Type_LoadLibraryA)(LPCSTR lpLibFileName);

typedef FARPROC (_stdcall * Type_GetProcAddress) (HMODULE hModule, LPCSTR lpProcName);

typedef struct
{
        DWORD Add_LoadLibraryA;
        DWORD Add_GetProcAddress;
        char DLLname[20];
        char APIname[20];
        char Param1[20];
} Param_Str;

DWORD GetFunAddress(PUCHAR lpFunStart)
{
        DWORD dwFunAddress;
        if (*lpFunStart==0xE9)
        {
                //在Debug版本里VC会做一个跳转
                dwFunAddress = (DWORD)lpFunStart+*(DWORD *)(lpFunStart+1)+5;
        }
        else
        {
                dwFunAddress = (DWORD)lpFunStart;
        }
        return dwFunAddress;
}

__declspec (naked) VOID FunFirst(){_asm{nop}};//定义函数结束的位置

int _stdcall  romente_true(Param_Str *P_str)
{
        Type_LoadLibraryA p_LoadLibraryA;
        Type_GetProcAddress p_GetProcAddress;
        Type_MessageBoxA p_MessageBoxA;
        FARPROC Func_add;

        p_LoadLibraryA=(Type_LoadLibraryA)P_str->Add_LoadLibraryA;
        p_GetProcAddress=(Type_GetProcAddress)P_str->Add_GetProcAddress;
       
        Func_add=p_GetProcAddress(p_LoadLibraryA(P_str->DLLname),P_str->APIname);//获取该函数的地址

        p_MessageBoxA =(Type_MessageBoxA)Func_add;
        p_MessageBoxA(NULL,P_str->Param1,P_str->Param1,MB_YESNO|MB_ICONQUESTION|MB_DEFBUTTON1|MB_SYSTEMMODAL);
        return 0;
};

__declspec (naked) VOID FunEnd(){_asm{nop}};//定义函数结束的位置

bool InjectFunc()
{
        LPVOID ParamAddr;
        LPVOID FuncAddr;
        HANDLE hProcess;
        HWND hWnd;
        DWORD Pid;
        HANDLE hThread;
        Param_Str params;
        DWORD ParamSize;

        //SIZE_T lpNumberOfBytes;
        DWORD FuncAddr_First,FuncAddr_End,FuncAddr_Size;
        //1 将函数写入目标程序
        hWnd=FindWindowA(NULL,"计算器");
        GetWindowThreadProcessId(hWnd, &Pid)   ;
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, Pid);

        FuncAddr_First=GetFunAddress((PUCHAR)romente_true);
        FuncAddr_End=GetFunAddress((PUCHAR)FunEnd);
        FuncAddr_Size=FuncAddr_End-FuncAddr_First;

        FuncAddr = VirtualAllocEx(hProcess,  NULL, FuncAddr_Size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        WriteProcessMemory(hProcess,FuncAddr,(PVOID)FuncAddr_First, FuncAddr_Size, NULL);

        strcpy(params.APIname,"MessageBoxA");
        strcpy(params.DLLname,"user32.dll");
        strcpy(params.Param1,"asd");
        params.Add_LoadLibraryA= (DWORD)GetProcAddress( GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
    params.Add_GetProcAddress= (DWORD)GetProcAddress( GetModuleHandleA("KernelBase.dll"), "GetProcAddress");//此处大问题，WIN7的GetProcAddress每个进程的基地址都不同

        ParamSize=sizeof(params);
        if (ParamSize)
        {
                ParamAddr = VirtualAllocEx(hProcess,NULL, ParamSize, MEM_COMMIT, PAGE_READWRITE);
                WriteProcessMemory(hProcess,  ParamAddr,  (LPCVOID)¶ms, ParamSize, NULL);
        }
        printf("0x%x\n",params.Add_GetProcAddress);
        romente_true(¶ms);
       
        hThread = CreateRemoteThread(hProcess, NULL, 0,(LPTHREAD_START_ROUTINE)FuncAddr, ParamAddr, 0, NULL);// 创建远程线程   
        WaitForSingleObject(hThread, INFINITE) ;

        return true;
}


int _tmain(int argc, _TCHAR* argv[])
{
        InjectFunc();
        return 0;
}