#include <stdio.h>
#include <windows.h>
#include <TLHELP32.H>
#pragma comment(linker, "/base:0xf00000")
DWORD inject(PVOID param)
{
MessageBox(NULL, "hello inject", "hello inject", 0);
return 0;
}
int main(int argc, char* argv[])
{
HANDLE hMoudle = GetModuleHandle(NULL);
PIMAGE_DOS_HEADER dosHead = (PIMAGE_DOS_HEADER)hMoudle;
PIMAGE_NT_HEADERS ntHead = (PIMAGE_NT_HEADERS)((PCHAR)dosHead + dosHead->e_lfanew);
int imgSize = ntHead->OptionalHeader.SizeOfImage;
printf("image %08x size %08x\n", hMoudle, imgSize);
//获取待注入线程的PID
PROCESSENTRY32 processEntry;
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0);
processEntry.th32ProcessID = 0;
while (Process32Next(hSnapshot, &processEntry))
{
if (strnicmp(processEntry.szExeFile, "explorer", 8) == 0)
break;
}
CloseHandle(hSnapshot);
if (processEntry.th32ProcessID)
{
HANDLE hTarget = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processEntry.th32ProcessID);
if (hTarget)
{
//
//注意:这里将自身镜像直接映射到目标进程的内存空间,地址没有变化,故可以直接使用API
// 这里要确保修改默认镜像基地址->0xf00000,也确保直接映射成功
PVOID injectFunAddress = VirtualAllocEx(hTarget, hMoudle, imgSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (injectFunAddress)
{
HANDLE hRemoteThread = NULL;
DWORD writeSize = 0;
DWORD threadId = 0;
WriteProcessMemory(hTarget, injectFunAddress, hMoudle, imgSize, &writeSize);
hRemoteThread = CreateRemoteThread(hTarget, NULL, 0, (LPTHREAD_START_ROUTINE)inject, NULL, 0, &threadId);
CloseHandle(hRemoteThread);
CloseHandle(hTarget);
}
}
}
return 0;
}
[培训]科锐逆向工程师培训第53期2025年7月8日开班!
