#include <stdio.h>
#include <windows.h>
#include <tchar.h>
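/*
 * DLL injection via CreateRemoteThread + LoadLibrary.
 *
 * The DLL path is copied into a buffer allocated inside the target process and
 * a remote thread is started at kernel32!LoadLibrary with that buffer as its
 * only argument, so the target's own loader maps the DLL.
 *
 * usage: xxx.exe <pid> <dll path>
 * Returns 0 when the remote LoadLibrary reports success, 1 on a usage error or
 * when any step fails.
 *
 * NOTE(review): this is a process-injection primitive. Use it only against
 * processes you are authorised to modify; expect it to be flagged by EDR.
 * It assumes injector and target have the same bitness: the LoadLibrary
 * address is taken from this process's kernel32 and reused in the target,
 * which only works when kernel32 is mapped at the same base in both.
 */
int _tmain(int argc, TCHAR* argv[]) {
    int rc = 1;
    HANDLE process = NULL;
    HANDLE thread = NULL;
    LPVOID remote_path = NULL;
    TCHAR full_path[MAX_PATH];
    TCHAR *end = NULL;
    DWORD pid;
    DWORD path_len;
    SIZE_T path_bytes;
    SIZE_T written = 0;
    HMODULE kernel32;
    LPTHREAD_START_ROUTINE loader;
    DWORD exit_code = 0;

    if (argc != 3) {
        printf("usage xxx.exe pid xxx.dll\n");
        return 1;
    }

    /* strtoul-style parse so "abc" or "12x" is rejected instead of silently becoming 0 / 12. */
    pid = (DWORD)_tcstoul(argv[1], &end, 10);
    if (end == argv[1] || *end != _T('\0') || pid == 0) {
        printf("invalid pid\n");
        return 1;
    }

    /*
     * LoadLibrary runs inside the target, so a relative path would be resolved
     * against the target's working directory and search path, not ours.
     * Resolve it to an absolute path here first.
     */
    path_len = GetFullPathName(argv[2], MAX_PATH, full_path, NULL);
    if (path_len == 0 || path_len >= MAX_PATH) {
        printf("cannot resolve dll path\n");
        return 1;
    }
    path_bytes = ((SIZE_T)path_len + 1) * sizeof(TCHAR);   /* include the terminator */

    /*
     * Least privilege: request only the rights VirtualAllocEx, WriteProcessMemory
     * and CreateRemoteThread document as required, not PROCESS_ALL_ACCESS.
     */
    process = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                              PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                          FALSE, pid);
    if (process == NULL) {
        printf("open process failed\n");
        return 1;
    }

    /* The buffer only ever holds a string; it never needs to be executable. */
    remote_path = VirtualAllocEx(process, NULL, path_bytes, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (remote_path == NULL) {
        printf("remote alloc failed\n");
        goto cleanup;
    }
    if (!WriteProcessMemory(process, remote_path, full_path, path_bytes, &written) ||
        written != path_bytes) {
        printf("write dll name failed\n");
        goto cleanup;
    }

    kernel32 = GetModuleHandleW(L"kernel32.dll");
    if (kernel32 == NULL) {
        printf("kernel32 not found\n");
        goto cleanup;
    }
    /* The string is TCHAR, so the LoadLibrary variant must match the build's character set. */
#ifdef _UNICODE
    loader = (LPTHREAD_START_ROUTINE)GetProcAddress(kernel32, "LoadLibraryW");
#else
    loader = (LPTHREAD_START_ROUTINE)GetProcAddress(kernel32, "LoadLibraryA");
#endif
    if (loader == NULL) {
        printf("LoadLibrary not found\n");
        goto cleanup;
    }

    thread = CreateRemoteThread(process, NULL, 0, loader, remote_path, 0, NULL);
    if (thread == NULL) {
        printf("create remote thread failed\n");
        goto cleanup;
    }
    printf("start!\n");

    /* Blocks until the remote LoadLibrary (and the DLL's DllMain) returns; a DllMain that never returns hangs us here. */
    if (WaitForSingleObject(thread, INFINITE) != WAIT_OBJECT_0) {
        printf("wait failed\n");
        remote_path = NULL;   /* the thread may still be reading the buffer; leak it rather than free it under it */
        goto cleanup;
    }

    /*
     * The thread's exit code is LoadLibrary's return value (truncated to 32 bits
     * on x64), so 0 means the DLL did not load. Best-effort only: a 64-bit
     * HMODULE whose low 32 bits happen to be zero would be misreported.
     */
    if (!GetExitCodeThread(thread, &exit_code) || exit_code == 0) {
        printf("remote LoadLibrary failed\n");
        goto cleanup;
    }

    printf("yes!\n");
    rc = 0;

cleanup:
    if (remote_path != NULL) {
        /* LoadLibrary has returned (or never ran), so the target no longer needs the string. */
        VirtualFreeEx(process, remote_path, 0, MEM_RELEASE);
    }
    if (thread != NULL) {
        CloseHandle(thread);
    }
    CloseHandle(process);
    return rc;
}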