1、C void ShowInfo();/ TODO: reference additional headers your program requires here/AFX_INSERT_LOCATION/ Microsoft Visual C+ will insert additional declarations immediately before the previous line.#endif / !StdAfx.cpp/ stdafx.cpp : source file that includes just the standard includes/ 01_001.pch will
2、 be the pre-compiled header/ stdafx.obj will contain the pre-compiled type information#include stdafx.h#include /Message()void ShowInfo() MessageBox(NULL,ShowInfo() test, MQ, MB_OK);调用静态链接库ExecuteStaticLib.cpp/ ExecuteStaticLib.cpp : Defines the entry point for the application.#pragma comment(lib, S
3、taticLibTest.lib)int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) / TODO: Place code here. ShowInfo(); return 0;二、动态链接库Dynamic Link Library(DLL)DLL的格式和EXE文件是一样的,但是不能直接执行。它把代码封装到自己的内部,只是提供函数接口让外面的EXE程序调用。在编译的时候不会将所包含的动态链接库编译到程序中。制作静态链接库 DynamicLibTestD
4、ynamicLibTest.cpp/ DynamicLibTest.cpp : Defines the entry point for the DLL application.BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) return TRUE;_declspec(dllexport) void ShowInfo()DynammicLib调用动态链接库ExecuteDynamicLib.cpp/ ExecuteDynamicLib.cpp : Defines the en
5、try point for the console application.DynamicLibTest.libvoid ShowInfo();int main(int argc, char* argv)编译的时候用.lib文件,执行的时候用.dll文件第2课 DLL基础再讨论一、动态链接库的模块定义文件(.def)模块定义文件是一个有着.def文件扩展名的文本文件。它被用于导出DLL的函数。一个.def文件只有两个必需的部分,也就是“LIBRARY”和“EXPORTS”。DynamicLibDefTest.cpp/ DynamicLibDefTest.cpp :_declspec(dllex
6、port) void showInfo() MessageBox(NULL, DynamicLibvoid UseDEFShowInfo()def showEXPORTS.defLIBRARY DynamicLibDefTestEXPORTS UseDEFShowInfo 1ExecuteDynamicDEFLib.cpp/ ExecuteDynamicDEFLib.cpp :DynamicLibDefTest.libvoid showInfo();void UseDEFShowInfo(); showInfo(); UseDEFShowInfo();二、动态链接库的入口函数(DLLMain(
7、)函数)每一个DLL必须有一个入口函数,DLLMain()函数是一个缺省的入口函数。DLLMain()函数负责初始化和结束工作。每当一个新的进程或该进程的新线程访问DLL时,或者访问DLL的每个进程或者线程不再使用DLL或者线程结束时,都会调用DLLMain()函数。定义只在进入时调用DLLMain()函数 switch(ul_reason_for_call) case DLL_PROCESS_ATTACH: MessageBox(NULL, DLL first default: return TRUE; 第3次课 进程权限的提升一、OpenProcessToken函数打开进程令牌环二、Loo
8、kupPrivilegeValue函数获得进程本地唯一ID三、AdjustTokenPrivileges函数提升进程的权限GetCurrentProcess() /获得当前进程句柄ConRunDll.cpp/ ConRunDll.cpp :stdio.h /提升权限用/提升权限函数int EnableDebugPriv(const char* name) HANDLE hToken; if (! OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken) printf(open fai
9、l!n); return -1; LUID luid; if(! LookupPrivilegeValue(NULL, name, &luid)look up fail! TOKEN_PRIVILEGES tp; tp.PrivilegeCount = 1; tp.Privileges0.Luid = luid; tp.Privileges0.Attributes = SE_PRIVILEGE_ENABLED; AdjustTokenPrivileges(hToken, FALSE, &tp, NULL, NULL, NULL)privileges fail! printf(success!
10、EnableDebugPriv(SE_DEBUG_NAME);第4次课 远程线程的创建一、打开远程进程OpenProcess函数二、在远程进程的内存中分配空间VirtualAllocEx函数三、远程进程的内存的写入WriteProcessMemory函数四、找到LoadLibrary函数在Kernel32中的地址GetProcAddress函数五、在远程进程中线程(远程线程)CreateRemoteThread函数BOOL InjectDLL(const char* DLLFullPath, const DWORD dwRemoteProcessId) HANDLE hRemoteProces
11、s; hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwRemoteProcessId); if(hRemoteProcess = NULL)open process fail! return FALSE; char *pszLibFileRemote; pszLibFileRemote = (char*)VirtualAllocEx(hRemoteProcess, NULL, lstrlen(DLLFullPath)+1, MEM_COM
12、MIT, PAGE_READWRITE); if(pszLibFileRemote = NULL)alloc fail! WriteProcessMemory(hRemoteProcess, pszLibFileRemote, (LPVOID)DLLFullPath, lstrlen(DLLFullPath)+1, NULL)write memory fail! PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT(Kernel32), LoadLibrar
13、yA ); if(pfnStartAddr = NULL)get proc addr fail! if(CreateRemoteThread(hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote, 0, NULL) = NULL)create remote thread fail!good! InjectDLL(D:DynamicLibDefTest.dll, 4892); while(1); getchar();第5次课 进程ID的获取一、系统进程快照CreateToolhelp32Snapshot函数二、在快照中搜索指定进程Proc
14、ess32First函数Processe32Next函数TlHelp32.hunsigned long getprocid(char *pn) HANDLE hnd; hnd = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); if(hnd = NULL)snapshort fail! return 0; PROCESSENTRY32 pe; pe.dwSize = sizeof(PROCESSENTRY32); BOOL b; b = Process32First(hnd, &pe); while(b) if(strcmp(pe.szExeFile, pn) = 0) return pe.th32ProcessID; b = Process32Next(hnd, & /InjectDLL(,getpro
copyright@ 2008-2023 冰点文库 网站版权所有
经营许可证编号:鄂ICP备19020893号-2
升级会员 