1 // PE注入.cpp : 定义控制台应用程序的入口点。  2 //  3   4 #include "stdafx.h"  5   6 #include <windows.h>  7   8 #include <tlhelp32.h>  9  10 #include <process.h> 11  12 #include <stdio.h> 13  14  15  16 #pragma comment (lib, "winmm.lib") 17  18  19 #pragma comment (lib, "kernel32.lib") 20  21 /*获取进程ID号*/ 22  23 DWORD GetProcessIdByName(LPWSTR name) 24  25 { 26  27     PROCESSENTRY32 pe32; 28  29     HANDLE snapshot = NULL; 30  31     DWORD pid = 0; 32  33  34  35     snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 36  37     if (snapshot != INVALID_HANDLE_VALUE) 38  39     { 40  41         pe32.dwSize = sizeof(PROCESSENTRY32); 42  43         if (Process32First(snapshot, &pe32)) 44  45         { 46  47             do 48  49             { 50  51                 if (!lstrcmp(pe32.szExeFile, name)) 52  53                 { 54  55                     pid = pe32.th32ProcessID; 56  57                     break; 58  59                 } 60  61             } while (Process32Next(snapshot, &pe32)); 62  63         } 64  65         CloseHandle(snapshot); 66  67     } 68  69     return pid; 70  71 } 72  73 extern "C" void mainCRTStartup(); 74 DWORD main(); 75  76 /** 77   78  * 远程进程内存中注入PE 79    80   */ 81  82 HMODULE injectModule(HANDLE proc, LPVOID module) 83  84  85  86 { 87  88  89     DWORD i = 0; 90  91     DWORD_PTR delta = NULL; 92  93     DWORD_PTR olddelta = NULL; 94  95     /* 获取模块PE头 */ 96  97     PIMAGE_NT_HEADERS headers = (PIMAGE_NT_HEADERS)((LPBYTE)module + ((PIMAGE_DOS_HEADER)module)->e_lfanew); 98  99     PIMAGE_DATA_DIRECTORY datadir;100 101 102 103     /* 计算注入代码长度 */104 105     DWORD moduleSize = headers->OptionalHeader.SizeOfImage;106 107     LPVOID distantModuleMemorySpace = NULL;108 109     LPBYTE tmpBuffer = NULL;110 111     BOOL ok = FALSE;112 113     if (headers->Signature != IMAGE_NT_SIGNATURE)114 115         return NULL;116 117     if (IsBadReadPtr(module, moduleSize))118 119         return NULL;120 121     distantModuleMemorySpace = VirtualAllocEx(proc, NULL, moduleSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);122 123     if (distantModuleMemorySpace != NULL)124 125     {126 127         tmpBuffer = (LPBYTE)VirtualAlloc(NULL, moduleSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);128 129         if (tmpBuffer != NULL)130 131         {132 133             RtlCopyMemory(tmpBuffer, module, moduleSize);134 135             datadir = &headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];136 137             if (datadir->Size > 0 && datadir->VirtualAddress > 0)138 139             {140 141                 delta = (DWORD_PTR)((LPBYTE)distantModuleMemorySpace - headers->OptionalHeader.ImageBase);142 143 144 145                 olddelta = (DWORD_PTR)((LPBYTE)module - headers->OptionalHeader.ImageBase);146 147 148 149 150 151                 PIMAGE_BASE_RELOCATION reloc = (PIMAGE_BASE_RELOCATION)(tmpBuffer + datadir->VirtualAddress);152 153 154 155                 while (reloc->VirtualAddress != 0)156 157                 {158 159                     if (reloc->SizeOfBlock >= sizeof(IMAGE_BASE_RELOCATION))160 161                     {162 163                         DWORD relocDescNb = (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);164 165 166 167                         LPWORD relocDescList = (LPWORD)((LPBYTE)reloc + sizeof(IMAGE_BASE_RELOCATION));168 169 170 171                         for (i = 0; i < relocDescNb; i++)172 173                         {174 175                             if (relocDescList[i] > 0)176 177                             {178 179                                 DWORD_PTR *p = (DWORD_PTR *)(tmpBuffer + (reloc->VirtualAddress + (0x0FFF & (relocDescList[i]))));180 181 182 183                                 *p -= olddelta;184 185                                 *p += delta;186 187                             }188 189                         }190 191                     }192 193                     reloc = (PIMAGE_BASE_RELOCATION)((LPBYTE)reloc + reloc->SizeOfBlock);194 195                 }196 197 198 199                 tmpBuffer[(DWORD)main - (DWORD)module] = 0x55;200 201 202 203                 ok = WriteProcessMemory(proc, distantModuleMemorySpace, tmpBuffer, moduleSize, NULL);204 205             }206 207             VirtualFree(tmpBuffer, 0, MEM_RELEASE);208 209         }210 211 212 213         if (!ok)214 215 216 217         {218 219 220             VirtualFreeEx(proc, distantModuleMemorySpace, 0, MEM_RELEASE);221 222             distantModuleMemorySpace = NULL;223 224         }225 226     }227 228     return (HMODULE)distantModuleMemorySpace;229 230 }231 232 233 /**234  235  * 获取DEBUG权限236   237   */238 239 BOOL EnableDebugPrivileges(void)240 241 {242 243     HANDLE token;244 245     TOKEN_PRIVILEGES priv;246 247     BOOL ret = FALSE;248 249 250 251     if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token))252 253     {254 255         priv.PrivilegeCount = 1;256 257         priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;258 259 260 261         if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid) != FALSE &&262 263             AdjustTokenPrivileges(token, FALSE, &priv, 0, NULL, NULL) != FALSE)264 265         {266 267             ret = TRUE;268 269         }270 271         CloseHandle(token);272 273     }274 275     return ret;276 277 }278 279 BOOL peInjection(DWORD pid, LPTHREAD_START_ROUTINE callRoutine)280 281 {282 283     HANDLE proc, thread;284 285     HMODULE module, injectedModule;286 287 288 289     BOOL result = FALSE;290 291 292 293 294     proc = OpenProcess(PROCESS_CREATE_THREAD |295 296         PROCESS_QUERY_INFORMATION |297 298         PROCESS_VM_OPERATION |299 300         PROCESS_VM_WRITE |301 302         PROCESS_VM_READ,303 304         FALSE,305 306         pid);307 308 309 310     if (proc != NULL)311 312     {313 314         module = GetModuleHandle(NULL);315 316         injectedModule = (HMODULE)injectModule(proc, module);317 318         if (injectedModule != NULL)319 320         {321 322             LPTHREAD_START_ROUTINE remoteThread = (LPTHREAD_START_ROUTINE)((LPBYTE)injectedModule + (DWORD_PTR)((LPBYTE)callRoutine - (LPBYTE)module));323 324             thread = CreateRemoteThread(proc, NULL, 0, remoteThread, NULL, 0, NULL);325 326             if (thread != NULL)327 328             {329 330                 CloseHandle(thread);331 332                 result = TRUE;333 334             }335 336             else337 338             {339 340                 VirtualFreeEx(proc, module, 0, MEM_RELEASE);341 342             }343 344         }345 346         CloseHandle(proc);347 348     }349 350     return result;351 352 }353 354 DWORD WINAPI entryThread(LPVOID param)355 356 {357 358 359 360     DWORD newModuleD = (DWORD)param;361 362 363     MessageBox(NULL, L"Injection success.Now initializing runtime library.", NULL, 0);364 365     //mainCRTStartup();366 367     MessageBox(NULL, L"This will never be called.", NULL, 0);368 369     return 0;370 371 }372 373 void entryPoint()374 375 {376 377     MessageBox(NULL, L"entryPoint", NULL, 0);378 379     EnableDebugPrivileges();380 381 382 383     //peInjection(GetProcessIdByName(L"explorer.exe"), entryThread);384     peInjection( 6384, entryThread);385 386 }387 DWORD main()388 389 {390 391     //MessageBox(NULL, L"In Main ", NULL, 0);392 393     printf("This printf can work because runtime library is now initialized.\n");394     entryPoint();395 396 397 398 399     //(NULL, L"In main end", NULL, 0);400 401     ExitThread(0);402 403     return 0;404 405 }406 407