/*
 * Parameter block that InjectRemoteCode copies into the target process and
 * passes to the injected stub as its thread argument.  The stub addresses the
 * fields by fixed offset (szMessage at ESI+0x20, fMessageBox at ESI+0xA0,
 * fExitThread at ESI+0xA4), so the layout is 32-bit only (4-byte FARPROC) and
 * field order and sizes must not change without updating the stub.
 *
 * NOTE(review): the tag `_INJECT` (leading underscore + capital) is in the
 * identifier space reserved for the implementation; a rename would be cleaner.
 */
typedef struct _INJECT
{
char szCaption[32]; /* MessageBox caption, NUL-terminated; offset 0x00 */
char szMessage[128]; /* MessageBox text, NUL-terminated; offset 0x20 */
FARPROC fMessageBox; /* MessageBoxA, resolved in the injecting process; offset 0xA0 */
FARPROC fExitThread; /* ExitThread, ends the remote thread; offset 0xA4 */
} INJECT, *PINJECT, *LPINJECT;
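/*
 * Copies a small x86 stub and an INJECT parameter block into the process
 * identified by ulProcessId and starts the stub on a new thread there.  The
 * stub only displays a MessageBox and then calls ExitThread (demo code).
 *
 * Review notes:
 *  - OpenProcess -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
 *    WriteProcessMemory -> CreateRemoteThread is the textbook cross-process
 *    injection sequence that EDR and ETW-based detections key on; the RWX
 *    allocation in particular is a strong signal.
 *  - fMessageBox / fExitThread are resolved in the calling process and assumed
 *    valid in the target.  That only holds when both processes map the same
 *    USER32/KERNEL32 at the same base and both are 32-bit: the stub is x86-32
 *    and the INJECT offsets it uses assume 4-byte pointers (confirm before use).
 *
 * Fixes against the original:
 *  - hThread and hProcess are initialised.  A `return` inside __try still runs
 *    __finally, so the original could CloseHandle() an indeterminate hThread
 *    and a NULL hProcess.
 *  - GetProcAddress() results are checked; a NULL pointer would otherwise be
 *    written into the target and called there, crashing it.
 *  - Remote allocations are released with VirtualFreeEx() when no thread was
 *    started, so a failed attempt no longer leaks memory in the target.
 *
 * Parameters:
 *   ulProcessId - PID of the target process.
 * Returns nothing; every failure is silent, as in the original.
 */
void InjectRemoteCode(unsigned long ulProcessId)
{
    /* By: og__ */
    /* Position-independent stub.  On entry [ESP+8] holds the PINJECT passed as
     * thread argument; it is loaded into ESI and the fields are reached by the
     * fixed offsets noted below. */
    char szShellcode[] = {
        "\x56"                     // PUSH ESI
        "\x8B\x74\x24\x08"         // MOV ESI,DWORD PTR SS:[ESP+8]
        "\x6A\x00"                 // PUSH 0
        "\x8D\x46\x20"             // LEA EAX,DWORD PTR DS:[ESI+20]
        "\x56"                     // PUSH ESI
        "\x50"                     // PUSH EAX
        "\x6A\x00"                 // PUSH 0
        "\xFF\x96\xA0\x00\x00\x00" // CALL DWORD PTR DS:[ESI+A0]
        "\x6A\x00"                 // PUSH 0
        "\xFF\x96\xA4\x00\x00\x00" // CALL DWORD PTR DS:[ESI+A4]
        "\x5E"                     // POP ESI
    };
    /* sizeof includes the terminating NUL of the string literal; exclude it. */
    const size_t cbShellcode = sizeof(szShellcode) - 1;

    INJECT *lpInject = NULL;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    void *lpRemoteInfo = NULL;
    void *lpRemoteCode = NULL;

    __try
    {
        hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |
                                   PROCESS_VM_READ | PROCESS_VM_WRITE |
                                   PROCESS_QUERY_INFORMATION,
                               FALSE, ulProcessId);
        if (hProcess == NULL)
            __leave;

        lpInject = (INJECT *)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(INJECT));
        if (lpInject == NULL)
            __leave;

        /* Both literals fit their buffers (32 and 128 bytes) with room for the NUL. */
        strcpy(lpInject->szCaption, "Message Box");
        strcpy(lpInject->szMessage, "Hello World!");

        /* Resolved locally; see the header comment for when these are valid remotely. */
        lpInject->fMessageBox = GetProcAddress(GetModuleHandle("USER32.DLL"), "MessageBoxA");
        lpInject->fExitThread = GetProcAddress(GetModuleHandle("KERNEL32.DLL"), "ExitThread");
        if (lpInject->fMessageBox == NULL || lpInject->fExitThread == NULL)
            __leave;

        lpRemoteInfo = VirtualAllocEx(hProcess, NULL, sizeof(INJECT),
                                      MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
        if (lpRemoteInfo == NULL)
            __leave;
        if (WriteProcessMemory(hProcess, lpRemoteInfo, lpInject, sizeof(INJECT), NULL) == 0)
            __leave;

        lpRemoteCode = VirtualAllocEx(hProcess, NULL, cbShellcode,
                                      MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        if (lpRemoteCode == NULL)
            __leave;
        if (WriteProcessMemory(hProcess, lpRemoteCode, szShellcode, cbShellcode, NULL) == 0)
            __leave;

        hThread = CreateRemoteThread(hProcess, NULL, 0,
                                     (LPTHREAD_START_ROUTINE)lpRemoteCode,
                                     lpRemoteInfo, 0, NULL);
    }
    __finally
    {
        /* Once the remote thread runs it needs both remote regions; release
         * them only when no thread was started. */
        if (hThread == NULL && hProcess != NULL)
        {
            if (lpRemoteCode != NULL)
                VirtualFreeEx(hProcess, lpRemoteCode, 0, MEM_RELEASE);
            if (lpRemoteInfo != NULL)
                VirtualFreeEx(hProcess, lpRemoteInfo, 0, MEM_RELEASE);
        }
        if (hThread != NULL)
            CloseHandle(hThread);
        if (lpInject != NULL)
            HeapFree(GetProcessHeap(), 0, lpInject);
        if (hProcess != NULL)
            CloseHandle(hProcess);
    }
}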