#include "windows.h"
#include <stdio.h> typedef DWORD (*A)(LPVOID lpParameter); void Improveauthority();static DWORD ActualFunc(LPVOID lpParameter)
{
typedef int (*Mess)(HWND hWnd,LPCTSTR lpText,LPCTSTR lpCaption,UINT uType);
Mess a=(Mess)lpParameter;
a(NULL, NULL, NULL, MB_OK);
return 0;
} static void ActualFunc1(LPVOID lpParameter)
{
} void main()
{
DWORD p1=0;
DWORD m_threadid;
DWORD m_processid;
DWORD p2=(DWORD)ActualFunc;
DWORD p3=(DWORD)ActualFunc1;
DWORD dwCodeLength=p3-p2;
Improveauthority();
HWND m_hdl1=FindWindow(NULL,"TraceMe 动态分析技术");
GetWindowThreadProcessId(m_hdl1,&m_processid);
HANDLE m_hdl=OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,m_processid);
LPVOID lpCodeAddr = VirtualAllocEx(m_hdl,NULL, dwCodeLength, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
int b=GetLastError();
int a=WriteProcessMemory(m_hdl,lpCodeAddr,ActualFunc,dwCodeLength,&p1);
printf("write in memory address: %x" ,lpCodeAddr);
if(a==0)printf("no write memory!!!"); printf("the memory is %d ,%d ",p1 ,dwCodeLength); ///////////////////////////////////
HMODULE hMod = LoadLibrary("USER32.dll");
FARPROC Message=GetProcAddress(GetModuleHandle("USER32.dll"),"MessageBoxA");
//DWORD num=(DWORD )Message;
/////////////////////////////////// HANDLE handle=CreateRemoteThread(m_hdl,NULL,0,(LPTHREAD_START_ROUTINE)lpCodeAddr,Message,0,&m_threadid);
//printf("the thread is %d",m_threadid);
WaitForSingleObject(handle,INFINITE);
printf("the thread is %d",m_threadid); while(1);
}void Improveauthority()
{
HANDLE token; if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&token))
return ; LUID luid;
if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&luid))
return ; TOKEN_PRIVILEGES pToken;
pToken.PrivilegeCount=1;
pToken.Privileges[0].Luid=luid;
pToken.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
if(!AdjustTokenPrivileges(token,FALSE,&pToken,sizeof(TOKEN_PRIVILEGES),(PTOKEN_PRIVILEGES)NULL,(PDWORD)NULL))
return ;
}在这远程注入里面,函数时注入进去了,MESSAGEBOX是弹出来了,但是随后就是目的进程崩溃,但是经过一天的研究,OD过后,发现好像是堆栈出现问题,在ActualFunc(LPVOID lpParameter)函数里面,加入int b;__asm pop b 解决了问题,目的进程没有崩溃了,问题是解决了,但是我怎么也不明白为什么堆栈会出现问题,请大家解答一下,谢谢!!!
#include <stdio.h> typedef DWORD (*A)(LPVOID lpParameter); void Improveauthority();static DWORD ActualFunc(LPVOID lpParameter)
{
typedef int (*Mess)(HWND hWnd,LPCTSTR lpText,LPCTSTR lpCaption,UINT uType);
Mess a=(Mess)lpParameter;
a(NULL, NULL, NULL, MB_OK);
return 0;
} static void ActualFunc1(LPVOID lpParameter)
{
} void main()
{
DWORD p1=0;
DWORD m_threadid;
DWORD m_processid;
DWORD p2=(DWORD)ActualFunc;
DWORD p3=(DWORD)ActualFunc1;
DWORD dwCodeLength=p3-p2;
Improveauthority();
HWND m_hdl1=FindWindow(NULL,"TraceMe 动态分析技术");
GetWindowThreadProcessId(m_hdl1,&m_processid);
HANDLE m_hdl=OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,m_processid);
LPVOID lpCodeAddr = VirtualAllocEx(m_hdl,NULL, dwCodeLength, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
int b=GetLastError();
int a=WriteProcessMemory(m_hdl,lpCodeAddr,ActualFunc,dwCodeLength,&p1);
printf("write in memory address: %x" ,lpCodeAddr);
if(a==0)printf("no write memory!!!"); printf("the memory is %d ,%d ",p1 ,dwCodeLength); ///////////////////////////////////
HMODULE hMod = LoadLibrary("USER32.dll");
FARPROC Message=GetProcAddress(GetModuleHandle("USER32.dll"),"MessageBoxA");
//DWORD num=(DWORD )Message;
/////////////////////////////////// HANDLE handle=CreateRemoteThread(m_hdl,NULL,0,(LPTHREAD_START_ROUTINE)lpCodeAddr,Message,0,&m_threadid);
//printf("the thread is %d",m_threadid);
WaitForSingleObject(handle,INFINITE);
printf("the thread is %d",m_threadid); while(1);
}void Improveauthority()
{
HANDLE token; if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&token))
return ; LUID luid;
if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&luid))
return ; TOKEN_PRIVILEGES pToken;
pToken.PrivilegeCount=1;
pToken.Privileges[0].Luid=luid;
pToken.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
if(!AdjustTokenPrivileges(token,FALSE,&pToken,sizeof(TOKEN_PRIVILEGES),(PTOKEN_PRIVILEGES)NULL,(PDWORD)NULL))
return ;
}在这远程注入里面,函数时注入进去了,MESSAGEBOX是弹出来了,但是随后就是目的进程崩溃,但是经过一天的研究,OD过后,发现好像是堆栈出现问题,在ActualFunc(LPVOID lpParameter)函数里面,加入int b;__asm pop b 解决了问题,目的进程没有崩溃了,问题是解决了,但是我怎么也不明白为什么堆栈会出现问题,请大家解答一下,谢谢!!!
解决方案 »
免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货