程序功能：通过 OpenProcess 与 WriteProcessMemory 修改目标进程地址空间中的代码，从而改变该程序的行为。
1. 有一个简单的程序,代码如下
#include <windows.h>
// Target program for the demo: block on one keystroke, then show a dialog.
// Program 2 on this page overwrites MessageBoxA inside this process, so after
// the patch the dialog never appears and the program falls through to exit.
int _tmain(int argc, _TCHAR* argv[])
{
    (void)getchar();                                  // wait for any key
    MessageBoxA(nullptr, "hello", "title", MB_OK);    // the call program 2 neutralises
    return 0;
}
2. 我们将写程序修改上述进程,使敲击键盘以后不弹出MessageBox,而是直接退出,代码如下:
#include <windows.h>
#include<Tlhelp32.h>
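/// Return the base address of the module named `moduleName` inside process `pid`.
///
/// @param pid         Process id whose module list is enumerated.
/// @param moduleName  Module file name (e.g. a DLL name), compared case-insensitively.
/// @return The module's base address in the *target* process, or NULL when the
///         snapshot cannot be taken or no module with that name is loaded.
HMODULE GetModuleAddrByPid(DWORD pid, LPCTSTR moduleName)
{
    // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not 0.
    HANDLE hSnapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return NULL;

    HMODULE result = NULL;
    MODULEENTRY32 lpme;
    lpme.dwSize = sizeof(MODULEENTRY32);   // required by Module32First
    if (::Module32First(hSnapshot, &lpme))
    {
        do
        {
            if (lstrcmpi(lpme.szModule, moduleName) == 0)
            {
                result = (HMODULE)lpme.modBaseAddr;
                break;
            }
        } while (::Module32Next(hSnapshot, &lpme));
    }

    // Release the snapshot on every path; an unmatched name now yields NULL
    // instead of falling off the end of the function.
    ::CloseHandle(hSnapshot);
    return result;
}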
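/// Look up the process id of the first running process whose executable file
/// name equals `pProcess` (case-insensitive).
///
/// @param pProcess  Executable file name such as "foo.exe".
/// @return The process id, or 0 when the snapshot fails or no process matches.
///         0 cannot be opened as a target, so callers can test for it directly.
DWORD GetPidByProcessName(TCHAR *pProcess)
{
    // Failure is reported as INVALID_HANDLE_VALUE, not NULL.
    HANDLE hSnapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return 0;

    DWORD pid = 0;
    PROCESSENTRY32 lppe;
    lppe.dwSize = sizeof(lppe);   // required by Process32First
    if (::Process32First(hSnapshot, &lppe))
    {
        do
        {
            if (lstrcmpi(lppe.szExeFile, pProcess) == 0)
            {
                pid = lppe.th32ProcessID;
                break;
            }
        } while (::Process32Next(hSnapshot, &lppe));
    }

    // Close the snapshot on every path. "Not found" returns 0 (same as the
    // failure path) rather than 1, which a caller could mistake for a real pid.
    ::CloseHandle(hSnapshot);
    return pid;
}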
// Entry point of the patcher. It finds the target by image name, works out where
// MessageBoxA lives inside the target's copy of user32.dll, and overwrites the
// first bytes of that function in the remote process with `retn 0x10`, so the
// call returns at once instead of showing a dialog.
//
// Reviewer notes (code left as written):
//  - No return value is checked: a missing target, a NULL module base, a NULL
//    process handle or a failed WriteProcessMemory all continue silently.
//  - The address arithmetic is done in DWORD, so it is only meaningful for a
//    32-bit build; on 64-bit the casts truncate the pointers.
//  - The rebase assumes the same user32.dll image is mapped in both processes
//    with MessageBoxA at the same offset; nothing verifies that.
//  - hmUser32 from LoadLibrary is never released with FreeLibrary.
//  - From a defender's view, OpenProcess(PROCESS_ALL_ACCESS) on another process
//    followed by WriteProcessMemory into its code pages is the cross-process
//    write pattern endpoint monitoring is built to flag.
int _tmain(int argc, _TCHAR* argv[])
{
DWORD dwCrackProPid = GetPidByProcessName(_T("testMessageBox.exe"));          // target pid; not validated
HMODULE hmCrackProUserModule = GetModuleAddrByPid(dwCrackProPid, _T("user32.dll")); // user32 base *in the target*
HANDLE haCrackProOpen = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwCrackProPid); // may be NULL; not checked
HMODULE hmUser32 = LoadLibrary(_T("user32.dll"));                             // user32 base in *this* process
HMODULE hmFuncMessage = (HMODULE)GetProcAddress(hmUser32, "MessageBoxA");     // local address of MessageBoxA
// Rebase: (local MessageBoxA - local user32 base) + target user32 base.
DWORD hmCreateProcMessageBoxBase = (DWORD)hmFuncMessage - (DWORD)hmUser32 + (DWORD)hmCrackProUserModule;
unsigned char shell_code[] = { 0xc2, 0x10, 0x00};// retn 0x10: pop the four stdcall args and return
SIZE_T sizeToWrite;                                // bytes written; never inspected
WriteProcessMemory( haCrackProOpen,
(LPVOID)hmCreateProcMessageBoxBase,
shell_code,
sizeof(shell_code),
&sizeToWrite);
CloseHandle(haCrackProOpen);
return 0;
}
执行程序1,执行程序2,再在程序1中敲击任意键,程序1退出。
附件去掉后缀即为程序1、程序2和源文件。