// NoDllInjectDlg.cpp : implementation file
//

#include "stdafx.h"
#include "NoDllInject.h"
#include "NoDllInjectDlg.h"

#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif

/////////////////////////////////////////////////////////////////////////////
// CAboutDlg dialog used for App About

// About box opened from the system menu (see CNoDllInjectDlg::OnSysCommand).
// Everything between the //{{AFX_ ... //}}AFX_ markers is maintained by
// ClassWizard, which is why the generated layout is left untouched.
class CAboutDlg : public CDialog
{
public:
	CAboutDlg();

// Dialog Data
	//{{AFX_DATA(CAboutDlg)
	enum { IDD = IDD_ABOUTBOX };   // dialog template resource id
	//}}AFX_DATA

	// ClassWizard generated virtual function overrides
	//{{AFX_VIRTUAL(CAboutDlg)
	protected:
	virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV support (no controls bound here)
	//}}AFX_VIRTUAL

// Implementation
protected:
	//{{AFX_MSG(CAboutDlg)
	//}}AFX_MSG
	DECLARE_MESSAGE_MAP()
};

// Constructs the About box; the template id is the IDD enumerator declared in
// the class, so it is resolved without qualification inside the class scope.
CAboutDlg::CAboutDlg()
	: CDialog(IDD)
{
	//{{AFX_DATA_INIT(CAboutDlg)
	//}}AFX_DATA_INIT
}

// DDX/DDV hook for the About box. No controls are bound, so this only
// forwards to CDialog; ClassWizard inserts any DDX_ calls between the markers.
void CAboutDlg::DoDataExchange(CDataExchange* pDX)
{
	CDialog::DoDataExchange(pDX);
	//{{AFX_DATA_MAP(CAboutDlg)
	//}}AFX_DATA_MAP
}

// Message map for the About box: empty, every message goes to CDialog.
BEGIN_MESSAGE_MAP(CAboutDlg, CDialog)
	//{{AFX_MSG_MAP(CAboutDlg)
		// No message handlers
	//}}AFX_MSG_MAP
END_MESSAGE_MAP()

/////////////////////////////////////////////////////////////////////////////
// CNoDllInjectDlg dialog

// Constructs the main dialog and caches the application icon that OnPaint()
// and OnQueryDragIcon() draw. pParent is forwarded to CDialog (NULL = desktop).
CNoDllInjectDlg::CNoDllInjectDlg(CWnd* pParent /*=NULL*/)
	: CDialog(CNoDllInjectDlg::IDD, pParent)
{
	//{{AFX_DATA_INIT(CNoDllInjectDlg)
		// NOTE: the ClassWizard will add member initialization here
	//}}AFX_DATA_INIT
	// LoadIcon hands back a shared handle; Win32 does not require DestroyIcon for it.
	CWinApp* pApp = AfxGetApp();
	m_hIcon = pApp->LoadIcon(IDR_MAINFRAME);
}

// DDX/DDV hook for the main dialog. Nothing is bound: the PID edit control
// (IDC_EDIT_PID) is read directly with GetDlgItemInt by the button handlers,
// so this only forwards to CDialog.
void CNoDllInjectDlg::DoDataExchange(CDataExchange* pDX)
{
	CDialog::DoDataExchange(pDX);
	//{{AFX_DATA_MAP(CNoDllInjectDlg)
		// NOTE: the ClassWizard will add DDX and DDV calls here
	//}}AFX_DATA_MAP
}

// Message routing for the main dialog. Two buttons drive the two injection
// variants in this file: IDC_BTN_INJECT -> OnBtnInject() (InjectCode /
// RemoteThreadProc) and IDC_BUTTON1 -> OnBnClickedButton1() (ThreadProc).
// The second entry sits outside the ClassWizard block, in the newer
// &Class::Handler form.
BEGIN_MESSAGE_MAP(CNoDllInjectDlg, CDialog)
	//{{AFX_MSG_MAP(CNoDllInjectDlg)
	ON_WM_SYSCOMMAND()
	ON_WM_PAINT()
	ON_WM_QUERYDRAGICON()
	ON_BN_CLICKED(IDC_BTN_INJECT, OnBtnInject)
	//}}AFX_MSG_MAP
	ON_BN_CLICKED(IDC_BUTTON1, &CNoDllInjectDlg::OnBnClickedButton1)
END_MESSAGE_MAP()

/////////////////////////////////////////////////////////////////////////////
// CNoDllInjectDlg message handlers

// Appends a separator and the "About..." entry (IDS_ABOUTBOX) to pSysMenu.
// Does nothing when the menu is missing or the string resource is empty.
static void AppendAboutMenuItem(CMenu* pSysMenu)
{
	if (pSysMenu == NULL)
		return;

	CString strAboutMenu;
	strAboutMenu.LoadString(IDS_ABOUTBOX);
	if (strAboutMenu.IsEmpty())
		return;

	pSysMenu->AppendMenu(MF_SEPARATOR);
	pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu);
}

// One-time dialog setup: adds the "About..." entry to the system menu,
// installs the dialog icon and enables SeDebugPrivilege for this process.
// Returns TRUE so the framework sets the initial focus itself.
BOOL CNoDllInjectDlg::OnInitDialog()
{
	CDialog::OnInitDialog();

	// IDM_ABOUTBOX must be in the system command range.
	ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
	ASSERT(IDM_ABOUTBOX < 0xF000);
	AppendAboutMenuItem(GetSystemMenu(FALSE));

	// A dialog-based app must install its own icons; the framework only does
	// this when the main window is not a dialog.
	SetIcon(m_hIcon, TRUE);			// big icon
	SetIcon(m_hIcon, FALSE);		// small icon

	// Enables SeDebugPrivilege on this process's token at startup (see
	// DebugPrivilege()) so that OpenProcess in the injection paths succeeds on
	// processes the user would otherwise be denied. Anyone auditing what this
	// binary does on launch should note this happens before any button is pressed.
	DebugPrivilege();

	return TRUE;  // TRUE: let the framework set the initial focus
}

// WM_SYSCOMMAND handler: the low four bits of nID are reserved by the system,
// so they are masked off before comparing with IDM_ABOUTBOX. Our own command
// opens the modal About box; everything else goes to CDialog.
void CNoDllInjectDlg::OnSysCommand(UINT nID, LPARAM lParam)
{
	const bool bIsAboutCommand = ((nID & 0xFFF0) == IDM_ABOUTBOX);
	if (!bIsAboutCommand)
	{
		CDialog::OnSysCommand(nID, lParam);
		return;
	}

	CAboutDlg dlgAbout;
	dlgAbout.DoModal();
}

// If you add a minimize button to your dialog, you will need the code below
//  to draw the icon.  For MFC applications using the document/view model,
//  this is automatically done for you by the framework.

// WM_PAINT handler. When the dialog is minimized it draws m_hIcon centred in
// the client area itself (the framework only does this for document/view
// apps); otherwise painting is left to CDialog.
void CNoDllInjectDlg::OnPaint() 
{
	if (!IsIconic())
	{
		CDialog::OnPaint();
		return;
	}

	CPaintDC dc(this); // device context for painting
	SendMessage(WM_ICONERASEBKGND, (WPARAM) dc.GetSafeHdc(), 0);

	// Centre a standard-size icon in the client rectangle.
	CRect rcClient;
	GetClientRect(&rcClient);
	const int nIconWidth  = GetSystemMetrics(SM_CXICON);
	const int nIconHeight = GetSystemMetrics(SM_CYICON);
	const int xPos = (rcClient.Width()  - nIconWidth  + 1) / 2;
	const int yPos = (rcClient.Height() - nIconHeight + 1) / 2;

	dc.DrawIcon(xPos, yPos, m_hIcon);
}

// The system calls this to obtain the cursor to display while the user drags
//  the minimized window.
// The system calls this to obtain the cursor to display while the user drags
// the minimized window; the dialog icon doubles as that cursor (HCURSOR is
// the same handle type as HICON, so the conversion is a plain static_cast).
HCURSOR CNoDllInjectDlg::OnQueryDragIcon()
{
	return static_cast<HCURSOR>(m_hIcon);
}

#define STRLEN 20

// Parameter block handed to RemoteThreadProc() inside the target process.
// InjectCode() fills it here and copies it across with WriteProcessMemory, so
// it holds only plain values: API addresses stored as 32-bit DWORDs (which
// limits the whole scheme to x86 targets) and fixed-size ANSI strings.
// Nothing in it may point into this process — such a pointer would be
// meaningless on the other side.
typedef struct _DATA
{
    DWORD dwLoadLibrary;        // kernel32!LoadLibraryA
    DWORD dwGetProcAddress;     // kernel32!GetProcAddress
    DWORD dwGetModuleHandle;    // kernel32!GetModuleHandleA (resolved but unused by the remote code)
    DWORD dwGetModuleFileName;  // kernel32!GetModuleFileNameA

    char User32Dll[STRLEN];     // "user32.dll"
    char MessageBox[STRLEN];    // "MessageBoxA"
    char Str[STRLEN];           // message text to display; STRLEN (20) includes the NUL
}DATA, *PDATA;

// Routine that executes inside the target process. InjectCode() copies it
// there byte-for-byte (0x2000 bytes starting at this address), so it has to
// be self-contained: no direct calls to imports, no string literals, no
// static data — everything it needs arrives through the DATA block in
// lpParam. It resolves MessageBoxA with the LoadLibraryA/GetProcAddress
// addresses it was given and shows pData->Str, using the host process's own
// executable path as the caption. Returns 0 as the remote thread's exit code.
DWORD WINAPI RemoteThreadProc(LPVOID lpParam)
{
	// lpParam is the DATA block InjectCode() wrote into the target.
    PDATA pData = (PDATA)lpParam;

    // Function-pointer slots for the API addresses carried in DATA.
    HMODULE (__stdcall *MyLoadLibrary)(LPCTSTR);
    FARPROC (__stdcall *MyGetProcAddress)(HMODULE, LPCSTR);
    HMODULE (__stdcall *MyGetModuleHandle)(LPCTSTR);
    int (__stdcall *MyMessageBox)(HWND, LPCTSTR, LPCTSTR, UINT);
    DWORD (__stdcall *MyGetModuleFileName)(HMODULE, LPTSTR, DWORD);

    MyLoadLibrary = (HMODULE (__stdcall *)(LPCTSTR))pData->dwLoadLibrary;
    MyGetProcAddress = (FARPROC (__stdcall *)(HMODULE,LPCSTR))pData->dwGetProcAddress;
    // The cast spells LPCSTR where the variable says LPCTSTR; the two are the
    // same in this non-UNICODE build. Assigned but never called below.
    MyGetModuleHandle = (HMODULE (__stdcall *)(LPCSTR))pData->dwGetModuleHandle;
    MyGetModuleFileName = (DWORD (__stdcall *)(HMODULE,LPTSTR,DWORD nSize))pData->dwGetModuleFileName;
    
    // hModule is not checked: if LoadLibraryA fails, MyMessageBox ends up NULL
    // and the call below faults inside the target process, not in this one.
    HMODULE hModule = MyLoadLibrary(pData->User32Dll);
    MyMessageBox = (int (__stdcall *)(HWND,LPCTSTR,LPCTSTR,UINT))MyGetProcAddress(hModule, pData->MessageBox);
    // A NULL module means the target's main executable, so the caption shows
    // which process the code landed in.
    char szModuleName[MAX_PATH] = { 0 };
    MyGetModuleFileName(NULL, szModuleName, MAX_PATH);

    MyMessageBox(NULL, pData->Str, szModuleName, MB_OK);

    return 0;
}

// Handler for IDC_BTN_INJECT: reads the target PID typed into IDC_EDIT_PID
// (with no translation flag the call yields 0 when the field is empty or not
// numeric) and hands it to InjectCode().
void CNoDllInjectDlg::OnBtnInject() 
{
	const DWORD dwTargetPid = GetDlgItemInt(IDC_EDIT_PID, FALSE, FALSE);
	InjectCode(dwTargetPid);
}

// Enables SeDebugPrivilege on this process's primary token. That privilege is
// what lets OpenProcess(PROCESS_ALL_ACCESS) succeed on processes the caller
// would otherwise be denied, which is why InjectCode() depends on it. It can
// only be enabled if the token already holds it (typically an administrator
// token, where it starts out disabled); AdjustTokenPrivileges cannot grant it.
// The results of LookupPrivilegeValue and AdjustTokenPrivileges are ignored —
// AdjustTokenPrivileges returns TRUE even when nothing was enabled and only
// signals that through GetLastError (ERROR_NOT_ALL_ASSIGNED).
VOID CNoDllInjectDlg::DebugPrivilege()
{
    HANDLE hToken = NULL;

    // TOKEN_ALL_ACCESS is broader than the two calls below require.
    if ( OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken) != TRUE )
        return;

    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
    AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);

    CloseHandle(hToken);
}

// Classic "no DLL" code injection: copies RemoteThreadProc() and a DATA block
// into the process identified by dwPid and starts a thread there. The
// sequence it performs — OpenProcess with PROCESS_ALL_ACCESS, VirtualAllocEx
// of an RWX region, WriteProcessMemory, CreateRemoteThread — is exactly what
// EDR products and Sysmon (CreateRemoteThread is Sysmon Event ID 8) key on,
// so this routine is a compact reference for what those detections see.
// After OpenProcess nothing is checked: lpData/lpCode may be NULL and both
// WriteProcessMemory results are discarded.
VOID CNoDllInjectDlg::InjectCode(DWORD dwPid)
{
    // PROCESS_ALL_ACCESS requests more access than the calls below use and
    // only succeeds on processes this token may fully control (or with
    // SeDebugPrivilege, enabled at startup by DebugPrivilege()).
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    if ( hProcess == NULL )
    {
        AfxMessageBox("OpenProcess Error");
        return ;
    }

    // The remote code cannot use imports, so the addresses it needs are
    // resolved in this process and shipped in DATA. Storing them as DWORD
    // makes this 32-bit only, and it assumes kernel32.dll is mapped at the
    // same address in the target as here — TODO confirm for the intended
    // targets (same architecture required at minimum).
    DATA Data = { 0 };
    Data.dwLoadLibrary = (DWORD)GetProcAddress(
                            GetModuleHandle("kernel32.dll"),
                            "LoadLibraryA");
    Data.dwGetProcAddress = (DWORD)GetProcAddress(
                            GetModuleHandle("kernel32.dll"),
                            "GetProcAddress");
    Data.dwGetModuleHandle = (DWORD)GetProcAddress(
                            GetModuleHandle("kernel32.dll"),
                            "GetModuleHandleA");
    // GetModuleHandle (TCHAR macro) and GetModuleHandleA are mixed; this file
    // passes narrow literals everywhere, so both resolve to the same ANSI call.
    Data.dwGetModuleFileName = (DWORD)GetProcAddress(
                            GetModuleHandleA("kernel32.dll"),
                            "GetModuleFileNameA");

    // Each literal fits in STRLEN (20) including the terminator.
    lstrcpy(Data.User32Dll, "user32.dll");
    lstrcpy(Data.MessageBox, "MessageBoxA");
    lstrcpy(Data.Str, "Inject Code !!!");

    // Parameter block: read/write only, no execute.
    LPVOID lpData = VirtualAllocEx(hProcess,
                            NULL,
                            sizeof(DATA),
                            MEM_COMMIT | MEM_RESERVE,
                            PAGE_READWRITE);
    DWORD dwWriteNum = 0;
    WriteProcessMemory(hProcess, lpData, &Data, sizeof(DATA), &dwWriteNum);  // result unchecked
    
    // 0x2000 bytes are copied starting at RemoteThreadProc regardless of the
    // function's real length, so whatever the linker placed after it goes
    // along too, and the read runs past the section end if the function sits
    // near it. The private RWX allocation is the memory-scanner signature of
    // this technique.
    DWORD dwFunSize = 0x2000;
    LPVOID lpCode = VirtualAllocEx(hProcess,
                            NULL,
                            dwFunSize,
                            MEM_COMMIT,
                            PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProcess, lpCode, RemoteThreadProc, dwFunSize, &dwWriteNum);  // result unchecked

    HANDLE hRemoteThread = CreateRemoteThread(hProcess,
                            NULL,
                            0,
                            (LPTHREAD_START_ROUTINE)lpCode,
                            lpData,
                            0,
                            NULL);
	// Reports GetLastError() after CreateRemoteThread whether or not it
	// failed; hRemoteThread is never compared with NULL before the wait.
	TCHAR szBuf[1024];  
	LPVOID lpMsgBuf;  
	DWORD dw=GetLastError();  
	FormatMessage(  
		FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,  
		NULL,dw,  
		MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),  
		(LPTSTR) &lpMsgBuf,0, NULL );  
	// NOTE(review): the line break inside this literal is most likely a lost
	// "\n" escape, and the blank runs in it (and the " " caption below) are
	// text the page extraction stripped. If FormatMessage failed, lpMsgBuf is
	// uninitialised when it reaches %s.
	wsprintf(szBuf,_T("   (   =%d): %s
"), dw, lpMsgBuf);
	LocalFree(lpMsgBuf);
	MessageBoxA(szBuf," ",0);
	// Blocks the UI thread until the remote thread exits (INFINITE).
	WaitForSingleObject(hRemoteThread, INFINITE);
	CloseHandle(hRemoteThread);
	CloseHandle(hProcess);
}

// NOTE(review): from here to the end of the file the page extraction collapsed
// everything onto one line and stripped the original (Korean) comments; the
// line breaks below are reconstructed from the token sequence, reading each
// stray "// " before code as a stripped comment rather than commented-out code.

// Parameter block for ThreadProc(): the MessageBoxA address and the text to
// show. Like DATA it is copied verbatim into the target, so plain values only.
typedef struct _RemotePara{
    PVOID dwMessageBox;      // resolved user32!MessageBoxA
    char strMessageBox[12];  // NUL-terminated text, at most 11 characters
}RemotePara;

// Second, smaller remote routine, under the same rules as RemoteThreadProc():
// no imports, no literals, everything through Para. Note that `__stdcall` is
// commented out in the PMessageBox typedef while MessageBoxA itself is
// stdcall — TODO confirm against the project's default calling convention.
DWORD __stdcall ThreadProc(RemotePara *Para)
{
    typedef int (/*__stdcall*/ *PMessageBox) (HWND ,LPCTSTR ,LPCTSTR,UINT);
    PMessageBox MessageBoxFunc = (PMessageBox)Para->dwMessageBox;
    MessageBoxFunc(NULL, Para->strMessageBox, Para->strMessageBox, MB_OK);
    return 0 ;
}

// Handler for IDC_BUTTON1: the same injection sequence as InjectCode() but
// with ThreadProc()/RemotePara and a 1024-byte copy. Every early return
// leaks hRemoteProcess, hThread is never waited on or closed, and the
// remote memory is never freed.
void CNoDllInjectDlg::OnBnClickedButton1()
{
    DWORD THREADSIZE=1024;
    DWORD pID;
    DWORD byte_write;   // receives the new thread's id (CreateRemoteThread's lpThreadId), not a byte count
    HANDLE hRemoteProcess,hThread;
    RemotePara myRemotePara,*pRemotePara;
    void *pRemoteThread;
    HINSTANCE hUser32 ;
    pID = GetDlgItemInt(IDC_EDIT_PID, FALSE, FALSE);
    hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pID);
    if(!hRemoteProcess) return ;
    // RWX region in the target for the copied routine.
    pRemoteThread = VirtualAllocEx(hRemoteProcess, 0, THREADSIZE, MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
    if(!pRemoteThread) return ;
    // Copies THREADSIZE bytes starting at ThreadProc, whatever its real length.
    if(!WriteProcessMemory(hRemoteProcess, pRemoteThread, &ThreadProc, THREADSIZE,0)) return ;
    ZeroMemory(&myRemotePara,sizeof(RemotePara));
    // Address resolved in this process; valid in the target only if user32.dll
    // is mapped at the same base there — TODO confirm (hUser32 is never freed).
    hUser32 = LoadLibrary("user32.dll");
    myRemotePara.dwMessageBox = (PVOID)GetProcAddress(hUser32, "MessageBoxA");
    strcat(myRemotePara.strMessageBox,"Hello !");   // buffer was zeroed above; 8 bytes fit in 12
    // Parameter block for the remote thread, read/write only.
    pRemotePara =(RemotePara *)VirtualAllocEx (hRemoteProcess ,0,sizeof(RemotePara),MEM_COMMIT,PAGE_READWRITE);
    if(!pRemotePara) return ;
    if(!WriteProcessMemory (hRemoteProcess ,pRemotePara,&myRemotePara,sizeof(myRemotePara),0)) return ;
    // Starts the copied routine; the returned handle is neither checked nor closed.
    hThread = CreateRemoteThread(hRemoteProcess ,0,0,(LPTHREAD_START_ROUTINE)pRemoteThread ,pRemotePara,0,&byte_write);
    //FreeLibrary(hUser32);
    CloseHandle(hRemoteProcess);
    AfxMessageBox("ok");
}
