代码注入在Vista或Win7上不起作用?

时间:2011-01-24 06:55:18

标签: c++ windows-7 windows-vista windows-xp code-injection

所以我不得不让两个朋友在Vista和他们的Vista上测试可执行文件。 Win7操作系统。没有执行注入的代码(即使以管理员身份运行),但控制台打开/关闭。通过WriteProcessMemoryCreateRemoteThread进行代码注入是否仍适用于Vista或Win7?

守则

在Visual Studio 2008上使用/ RTCu进行编译,以防止在远程线程终止后在Windows XP上进程崩溃。

CodeInjector.h

#ifndef CODEINJECTOR_H
#define CODEINJECTOR_H

typedef HANDLE(WINAPI *GETPROC)();
typedef HMODULE(WINAPI *PLOADLIBRARYA)(const char *dll);
typedef LPVOID(WINAPI *PGETPROCADDRESS)(HMODULE mod, const char *func);
typedef int (WINAPI *FNMESSAGEBOX)(HWND, LPCSTR, LPCSTR, UINT);

typedef struct _IAT {
    PLOADLIBRARYA pLoadLibraryA;
    PGETPROCADDRESS pGetProcAddress;
    FNMESSAGEBOX fnMessageBox;
} IAT;

typedef struct _DATA {
    void *szData[256];
} DATA;

typedef struct _FNARGS {
    LPVOID pIat;
    LPVOID pData;
} FNARGS;

#endif  /* CODEINJECTOR_H */

CodeInjector.cpp

#include "stdafx.h"

#include <iostream>
#include <string>
#include <windows.h>

#include "CodeInjector.h"

using namespace std;

HANDLE getHandleByName(const char* nameWnd)
{
    HWND hWnd = FindWindowA(0, nameWnd);

    if (hWnd == 0) {
        std::cerr << "Cannot find window" << std::endl;
    } else {
        DWORD pId;
        GetWindowThreadProcessId(hWnd, &pId);

        HANDLE hToken;
        TOKEN_PRIVILEGES tkp;
        if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
            LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid);
            tkp.PrivilegeCount = 1;
            tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            AdjustTokenPrivileges(hToken, 0, &tkp, sizeof (tkp), NULL, NULL);
        }

        HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pId);

        if (!hProc) {
            std::cerr << "Cannot open process: " << GetLastError() << std::endl;
        } else {
            return hProc;
        }cout << hProc;
        getchar();
    }

    return false;
}

static DWORD WINAPI ThreadFunc(FNARGS *info)
{
    if (info == NULL || info->pIat == NULL || info->pData == NULL) {
        return 0;
    }

    IAT *iat = (IAT *)info->pIat;
    DATA *data = (DATA *)info->pData;

    iat->fnMessageBox(NULL, (char*)data->szData[1], (char*)data->szData[0], MB_OK);

    return 0;
}

static void ThreadFuncEnd() {}

int main(int argc, char** argv)
{
    HANDLE hProc = getHandleByName("Calculator");

    DWORD CodeSize = (DWORD) & ThreadFuncEnd - (DWORD) & ThreadFunc;

    IAT hIAT;

    DWORD hLibModule;
    HMODULE hKernel = LoadLibraryA("kernel32.dll");
    HMODULE hUser32 = LoadLibraryA("user32.dll");

    hIAT.pLoadLibraryA = (PLOADLIBRARYA)GetProcAddress(hKernel, "LoadLibraryA");
    hIAT.pGetProcAddress = (PGETPROCADDRESS)GetProcAddress(hKernel, "GetProcAddress");
    hIAT.fnMessageBox = (FNMESSAGEBOX)GetProcAddress(hUser32, "MessageBoxA");

    LPVOID hIATMemAddr = VirtualAllocEx(hProc, NULL, sizeof (IAT), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(hProc, hIATMemAddr, (LPVOID) & hIAT, sizeof (IAT), NULL);

    DATA hData;
    LPVOID hDataMemAddr = VirtualAllocEx(hProc, NULL, sizeof (DATA), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    hData.szData[0] = VirtualAllocEx(hProc, NULL, 64, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    hData.szData[1] = VirtualAllocEx(hProc, NULL, 64, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    hData.szData[2] = VirtualAllocEx(hProc, NULL, 64, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    hData.szData[3] = VirtualAllocEx(hProc, NULL, 64, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);

    char tmp[64];

    strcpy(tmp, "Caption");
    WriteProcessMemory(hProc, hData.szData[0], (LPVOID) & tmp, sizeof (tmp), NULL);

    strcpy(tmp, "Message");
    WriteProcessMemory(hProc, hData.szData[1], (LPVOID) & tmp, sizeof (tmp), NULL);

    WriteProcessMemory(hProc, hDataMemAddr, (LPVOID) &hData, sizeof (DATA), NULL);

    FNARGS tInfo;
    tInfo.pIat = hIATMemAddr;
    tInfo.pData = hDataMemAddr;

    LPVOID hInfoMemAddr = VirtualAllocEx(hProc, NULL, sizeof (FNARGS), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(hProc, hInfoMemAddr, (LPVOID) & tInfo, sizeof (FNARGS), NULL);

    LPVOID CodeMemAddr = VirtualAllocEx(hProc, NULL, CodeSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProc, CodeMemAddr, (LPVOID) & ThreadFunc, CodeSize, NULL);

    HANDLE hRemoteThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)CodeMemAddr, hInfoMemAddr, 0, NULL);

    WaitForSingleObject(hRemoteThread, INFINITE);
    GetExitCodeThread(hRemoteThread, &hLibModule);

    CloseHandle(hProc);

    return 0;
}

1 个答案:

答案 0 :(得分:1)

并不奇怪。 Vista和Windows 7提高了安全性。许多恶意软件使用代码注入作为绕过Windows XP安全机制的步骤之一,我很高兴看到微软解决了这个问题。