5鱼币
无法注入 DLL：注入过程中没有发现任何错误。我的电脑是 x64 的，平台也换成了 x64，好像还是没用。
exe代码:
- #include<Windows.h>
- #include<Stdio.h>
- #include<Psapi.h>
- #include<TlHelp32.h>
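/*
 * Look up the process ID of a running process by executable file name.
 *
 * @param name  executable name to compare, case-insensitively, against
 *              PROCESSENTRY32.szExeFile of every process in the snapshot.
 * @return the matching th32ProcessID, or (DWORD)-1 when no process matches
 *         or the snapshot could not be taken. The original returned FALSE (0)
 *         for a snapshot failure and -1 for "not found"; one failure value
 *         keeps the caller's check simple.
 *
 * Fixes relative to the original: CreateToolhelp32Snapshot signals failure
 * with INVALID_HANDLE_VALUE, not NULL, so the old check could never fire; and
 * the snapshot handle was leaked on every return path.
 */
DWORD GetProcessID(const char *name)
{
    PROCESSENTRY32 entry;
    DWORD pid = (DWORD)-1;

    entry.dwSize = sizeof(entry);
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE) {
        return pid;
    }

    for (BOOL more = Process32First(snapshot, &entry);
         more;
         more = Process32Next(snapshot, &entry)) {
        if (_stricmp(name, entry.szExeFile) == 0) {
            pid = entry.th32ProcessID;
            break;
        }
    }

    /* Always release the snapshot, found or not. */
    CloseHandle(snapshot);
    return pid;
}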
/*
 * Entry point: reads a process name from stdin, enables SeDebugPrivilege for
 * this process, copies the string "HOOK.dll" into the named process and starts
 * a remote thread at a Kernel32 LoadLibrary export with that string as its
 * argument, then reports success.
 *
 * Review notes on the API contracts used below (each is a defect as written):
 *  - scanf("%s") is an unbounded read into name[1000].
 *  - the DLL name is copied without its NUL terminator, and a narrow (CHAR)
 *    string is handed to the wide entry point "LoadLibraryW".
 *  - a relative DLL name is resolved by the target process's own loader
 *    search path, not by this program's working directory.
 *  - VirtualFreeEx receives the address of the local pointer variable rather
 *    than the remote allocation, and MEM_RELEASE requires dwSize == 0.
 *  - the remote thread's exit code is never read, so the success message is
 *    unconditional; hToken, hProcess and hThread are never closed.
 *  - every "%d" below is given a DWORD from GetLastError(); "%lu" matches.
 *
 * Defender note: SeDebugPrivilege enablement followed by OpenProcess with
 * PROCESS_VM_WRITE | PROCESS_CREATE_THREAD, VirtualAllocEx, WriteProcessMemory
 * and CreateRemoteThread is the classic remote-thread injection sequence and
 * is exactly what EDR and Sysmon (Event ID 8, CreateRemoteThread) telemetry
 * keys on.
 */
int main()
{
    DWORD Processid;            /* unused */
    CHAR name[1000];            /* process name read from stdin */
    CHAR DllName[1000];         /* narrow (CHAR) DLL name written into the target */
    DWORD dwProcessId;          /* result of GetProcessID(name) */
    HANDLE hProcess;            /* target process handle; never closed */
    TCHAR* pDllName;            /* address of the copied name inside the target */
    BOOL bSuccess;
    HANDLE hThread;             /* remote thread handle; never closed */
    HANDLE hToken;              /* this process's token; closed only on error paths */
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tkp;
    printf("输入要注入的程序名称:");
    /* Unbounded read; "%999s" would keep it inside name[]. */
    scanf("%s", name);
    /* GetProcessID reports "not found" as -1 and a snapshot failure as FALSE;
     * neither is checked here, so OpenProcess below is what catches a bad name. */
    dwProcessId = GetProcessID(name);
    /* Relative name: the target's loader resolves it via its own search path. */
    strcpy(DllName, "HOOK.dll");
    if (!OpenProcessToken(GetCurrentProcess(),
        TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        /* GetLastError() returns DWORD; "%d" is a format mismatch. */
        printf("打开令牌失败,错误代码:%d", GetLastError());
        Sleep(3000);
        return 0;
    }
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
    {
        CloseHandle(hToken);
        printf("提权失败,错误代码:%d", GetLastError());
        Sleep(3000);
        return 0;
    }
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = sedebugnameValue;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    /* AdjustTokenPrivileges returns TRUE even when the privilege was not
     * granted; GetLastError() == ERROR_NOT_ALL_ASSIGNED signals that case and
     * is not checked here. */
    if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
    {
        CloseHandle(hToken);
        printf("提权失败,错误代码:%d", GetLastError());
        Sleep(3000);
        return 0;
    }
    /* hToken is still open from here on and is never closed. */
    hProcess = OpenProcess(
        PROCESS_CREATE_THREAD |
        PROCESS_VM_OPERATION |
        PROCESS_VM_WRITE,
        FALSE, dwProcessId);
    if (hProcess == NULL)
    {
        printf("打开进程失败,错误代码:%d", GetLastError());
        Sleep(3000);
        return 0;
    }
    /* Size omits the terminating NUL; strlen(DllName) + 1 is the full string.
     * (VirtualAllocEx rounds up to a page, which is why this happens to work
     * for the allocation but not for the copy below.) */
    pDllName = (TCHAR*)VirtualAllocEx(hProcess,
        NULL,
        strlen(DllName),
        MEM_COMMIT,
        PAGE_READWRITE);
    if (pDllName == NULL)
    {
        printf("分配内存失败,错误代码:%d", GetLastError());
        Sleep(3000);
        return 0;
    }
    /* &DllName and DllName have the same address (array), but the copy is
     * again one byte short of the terminator, so the remote string is
     * unterminated. */
    bSuccess = WriteProcessMemory(hProcess,
        (LPVOID)pDllName,
        &DllName,
        strlen(DllName),
        NULL);
    if (bSuccess == 0)
    {
        printf("写入内存失败,错误代码:%d", GetLastError());
        Sleep(3000);
        return 0;
    }
    /* DllName is a CHAR buffer, but the export resolved here is the wide
     * (WCHAR) entry point; the narrow variant is LoadLibraryA. Kernel32 is
     * mapped at the same address in every process of the same bitness, which
     * is the assumption that makes passing this local address to the target
     * work at all. */
    PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
        GetProcAddress(GetModuleHandle(TEXT("Kernel32.dll")), "LoadLibraryW");
    if (pfnThreadRtn == NULL)
    {
        printf("获取LoadLinrary地址失败,错误代码:%d", GetLastError());
        Sleep(3000);
        return 0;
    }
    hThread = CreateRemoteThread(hProcess,
        NULL,
        0,
        pfnThreadRtn,
        pDllName,
        0,
        NULL);
    if (hThread == NULL)
    {
        printf("创建远程线程失败,错误代码:%d", GetLastError());
        Sleep(3000);
        return 0;
    }
    /* Only waits; the thread's exit code (the LoadLibrary result) is never
     * read via GetExitCodeThread, so the message below is unconditional. */
    WaitForSingleObject(hThread, INFINITE);
    /* Passes the address of the local variable pDllName instead of the remote
     * address it holds, and MEM_RELEASE requires dwSize == 0; this call
     * cannot succeed as written and its result is ignored. */
    VirtualFreeEx(hProcess,
        &pDllName,
        strlen(DllName),
        MEM_RELEASE);
    printf("成功将HOOK.dll注入到目标进程中");
    /* Sleep(INFINITE) never returns, so the two lines after it are
     * unreachable; hProcess and hThread are never closed. */
    Sleep(INFINITE);
    WaitForSingleObject(hThread, INFINITE);
    return 0;
}
dll代码:
- #include<windows.h>
/* Hook procedure installed from DllMain; defined below. */
LRESULT WINAPI MsgProc(int, WPARAM, LPARAM);
/* Handle returned by SetWindowsHookEx. Stays NULL until the hook is installed
 * (or if installation failed); passed to CallNextHookEx and to
 * UnhookWindowsHookEx on detach. */
HHOOK g_hHook = NULL;
/* Module handle of this DLL, recorded on DLL_PROCESS_ATTACH. Written but not
 * read anywhere in this file. */
HINSTANCE g_hInstance;
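/*
 * DLL entry point. On process attach it records the module handle, installs a
 * WH_GETMESSAGE hook for all threads on the current desktop, shows a message
 * box and launches the forum URL through the shell; on process detach it
 * removes the hook.
 *
 * @param hInstanceDll  module handle of this DLL.
 * @param fdwReason     DLL_PROCESS_ATTACH, DLL_PROCESS_DETACH or a thread reason.
 * @param ImpLoad       reserved; unused here.
 * @return TRUE on every path. The original returned only from the
 *         DLL_PROCESS_ATTACH case and fell off the end of a non-void function
 *         for every other reason, which is undefined behaviour.
 *
 * NOTE(review): MessageBox and system() execute here while the loader lock is
 * held. The DllMain contract permits only calls that do not load further
 * modules, so these can deadlock or fail inside the host process; system()
 * additionally spawns a shell from the host. Kept as the author wrote it and
 * flagged rather than silently changed.
 */
BOOL WINAPI DllMain(HINSTANCE hInstanceDll, DWORD fdwReason, PVOID ImpLoad)
{
    (void)ImpLoad;
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        g_hInstance = hInstanceDll;
        g_hHook = SetWindowsHookEx(WH_GETMESSAGE, MsgProc, hInstanceDll, 0);
        MessageBox(NULL, TEXT("学编程到鱼C论坛\nbbs.fishc.com\n按“确认打开bbs.fishc.com”"), TEXT("提醒"), MB_OK | MB_ICONEXCLAMATION);
        system("start bbs.fishc.com");
        break;
    case DLL_PROCESS_DETACH:
        /* SetWindowsHookEx may have failed, leaving g_hHook NULL. */
        if (g_hHook != NULL) {
            UnhookWindowsHookEx(g_hHook);
            g_hHook = NULL;
        }
        break;
    default:
        /* Thread attach/detach: nothing to do. */
        break;
    }
    return TRUE;
}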
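/*
 * WH_GETMESSAGE hook procedure: shows a message box and opens the forum URL
 * through the shell for every message retrieved by any hooked thread, then
 * passes the event along the hook chain.
 *
 * @param nCode   hook code. Per the WH_GETMESSAGE contract a negative value
 *                must be forwarded to CallNextHookEx without processing; the
 *                original ran the message box for those too.
 * @param wParam  removal flag, forwarded unchanged.
 * @param lParam  pointer to the MSG, forwarded unchanged.
 * @return the value returned by CallNextHookEx.
 *
 * NOTE(review): system() here launches a shell from inside every process that
 * receives a message while the hook is installed. Kept as the author wrote it.
 */
LRESULT WINAPI MsgProc(int nCode, WPARAM wParam, LPARAM lParam)
{
    if (nCode < 0) {
        return CallNextHookEx(g_hHook, nCode, wParam, lParam);
    }
    MessageBox(NULL, TEXT("学编程到鱼C论坛\nbbs.fishc.com\n按“确认打开bbs.fishc.com”"), TEXT("提醒"), MB_OK | MB_ICONEXCLAMATION);
    system("start bbs.fishc.com");
    return CallNextHookEx(g_hHook, nCode, wParam, lParam);
}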
注入成功了，但是注入没起作用；已经获得管理员权限并进行了令牌提权。
输出:
求大神帮忙！