fix: 注入工具简单支持pid注入
This commit is contained in:
parent
34eb14edb2
commit
c0b55da015
@ -771,6 +771,128 @@ error:
|
|||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int InjectDllAndStartHttpByPid(unsigned int pid, wchar_t* szDllPath, DWORD port)
|
||||||
|
{
|
||||||
|
if(!EnableDebugPrivilege()){
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
int result = 0;
|
||||||
|
HANDLE hRemoteThread = NULL;
|
||||||
|
LPTHREAD_START_ROUTINE lpSysLibAddr = NULL;
|
||||||
|
HINSTANCE__* hKernelModule = NULL;
|
||||||
|
LPVOID lpRemoteDllBase = NULL;
|
||||||
|
HANDLE hProcess;
|
||||||
|
size_t ulDllLength;
|
||||||
|
wchar_t* dllName = (wchar_t*)L"wxhelper.dll";
|
||||||
|
size_t dllNameLen = wcslen(dllName) * 2 + 2;
|
||||||
|
char* funcName = (char* )"http_start";
|
||||||
|
size_t funcNameLen = strlen(funcName) + 1;
|
||||||
|
|
||||||
|
HANDLE hStartHttp = NULL;
|
||||||
|
LPVOID portAddr = NULL;
|
||||||
|
HANDLE getProcThread = NULL;
|
||||||
|
|
||||||
|
LPVOID paramsAddr = NULL;
|
||||||
|
LPVOID param1Addr = NULL;
|
||||||
|
LPVOID param2Addr = NULL;
|
||||||
|
LPVOID GetProcFuncAddr = NULL;
|
||||||
|
|
||||||
|
DWORD params[2] = { 0 };
|
||||||
|
|
||||||
|
ulDllLength = (wcslen(szDllPath) + 1) * sizeof(wchar_t);
|
||||||
|
hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
|
||||||
|
if (!hProcess) {
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
|
||||||
|
lpRemoteDllBase = VirtualAllocEx(hProcess, NULL, ulDllLength, MEM_COMMIT, PAGE_READWRITE);
|
||||||
|
if (lpRemoteDllBase)
|
||||||
|
{
|
||||||
|
if (WriteProcessMemory(hProcess, lpRemoteDllBase, szDllPath, ulDllLength, NULL)
|
||||||
|
&& (hKernelModule = GetModuleHandleW(L"kernel32.dll")) != 0
|
||||||
|
&& (lpSysLibAddr = (LPTHREAD_START_ROUTINE)GetProcAddress(hKernelModule, "LoadLibraryW")) != 0
|
||||||
|
&& (hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, lpSysLibAddr, lpRemoteDllBase, 0, NULL)) != 0)
|
||||||
|
{
|
||||||
|
WaitForSingleObject(hRemoteThread, INFINITE);
|
||||||
|
GetProcFuncAddr = FillAsmCode(hProcess);
|
||||||
|
param1Addr = VirtualAllocEx(hProcess, NULL, dllNameLen, MEM_COMMIT, PAGE_READWRITE);
|
||||||
|
if (param1Addr) {
|
||||||
|
SIZE_T dwWriteSize;
|
||||||
|
BOOL bRet = WriteProcessMemory(hProcess, (LPVOID)param1Addr, dllName, dllNameLen, &dwWriteSize);
|
||||||
|
if (!bRet) {
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
param2Addr = VirtualAllocEx(hProcess, NULL, funcNameLen, MEM_COMMIT, PAGE_READWRITE);
|
||||||
|
if (param2Addr) {
|
||||||
|
SIZE_T dwWriteSize;
|
||||||
|
BOOL bRet = WriteProcessMemory(hProcess, (LPVOID)param2Addr, funcName, funcNameLen, &dwWriteSize);
|
||||||
|
if (!bRet) {
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
params[0] = (DWORD)param1Addr;
|
||||||
|
params[1] = (DWORD)param2Addr;
|
||||||
|
|
||||||
|
paramsAddr = VirtualAllocEx(hProcess, NULL, sizeof(params), MEM_COMMIT, PAGE_READWRITE);
|
||||||
|
if (paramsAddr) {
|
||||||
|
SIZE_T dwWriteSize;
|
||||||
|
BOOL bRet = WriteProcessMemory(hProcess, (LPVOID)paramsAddr, ¶ms[0], sizeof(params), &dwWriteSize);
|
||||||
|
if (!bRet) {
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
DWORD dwRet = 0;
|
||||||
|
getProcThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcFuncAddr, paramsAddr, 0, NULL);
|
||||||
|
|
||||||
|
if (getProcThread)
|
||||||
|
{
|
||||||
|
WaitForSingleObject(getProcThread, INFINITE);
|
||||||
|
GetExitCodeThread(getProcThread, &dwRet);
|
||||||
|
if (dwRet) {
|
||||||
|
hStartHttp = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)dwRet, (LPVOID)port, 0, NULL);
|
||||||
|
WaitForSingleObject(hStartHttp, INFINITE);
|
||||||
|
result = 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
error:
|
||||||
|
if (hRemoteThread) {
|
||||||
|
CloseHandle(hRemoteThread);
|
||||||
|
}
|
||||||
|
if (getProcThread) {
|
||||||
|
CloseHandle(getProcThread);
|
||||||
|
}
|
||||||
|
if (hStartHttp) {
|
||||||
|
CloseHandle(hStartHttp);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (lpRemoteDllBase) {
|
||||||
|
VirtualFreeEx(hProcess, lpRemoteDllBase, ulDllLength, MEM_DECOMMIT | MEM_RELEASE);
|
||||||
|
}
|
||||||
|
if (param1Addr) {
|
||||||
|
VirtualFreeEx(hProcess, param1Addr, dllNameLen, MEM_DECOMMIT | MEM_RELEASE);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (param2Addr) {
|
||||||
|
VirtualFreeEx(hProcess, param1Addr, funcNameLen, MEM_DECOMMIT | MEM_RELEASE);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (paramsAddr) {
|
||||||
|
VirtualFreeEx(hProcess, param1Addr, sizeof(params), MEM_DECOMMIT | MEM_RELEASE);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (GetProcFuncAddr) {
|
||||||
|
VirtualFreeEx(hProcess, GetProcFuncAddr, sizeof(GetProcAddressAsmCode), MEM_DECOMMIT | MEM_RELEASE);
|
||||||
|
}
|
||||||
|
|
||||||
|
CloseHandle(hProcess);
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
int InjectDll(wchar_t* szPName, wchar_t* szDllPath)
|
int InjectDll(wchar_t* szPName, wchar_t* szDllPath)
|
||||||
{
|
{
|
||||||
if(!EnableDebugPrivilege()){
|
if(!EnableDebugPrivilege()){
|
||||||
@ -825,6 +947,58 @@ int InjectDll(wchar_t* szPName, wchar_t* szDllPath)
|
|||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
int InjectDllByPid(unsigned int pid, wchar_t* szDllPath)
|
||||||
|
{
|
||||||
|
if(!EnableDebugPrivilege()){
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
int result = 0;
|
||||||
|
HANDLE hRemoteThread;
|
||||||
|
LPTHREAD_START_ROUTINE lpSysLibAddr;
|
||||||
|
HINSTANCE__* hKernelModule;
|
||||||
|
LPVOID lpRemoteDllBase;
|
||||||
|
HANDLE hProcess;
|
||||||
|
size_t ulDllLength;
|
||||||
|
|
||||||
|
ulDllLength = (wcslen(szDllPath) + 1) * sizeof(wchar_t);
|
||||||
|
hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
|
||||||
|
if (!hProcess) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
lpRemoteDllBase = VirtualAllocEx(hProcess, NULL, ulDllLength, MEM_COMMIT, PAGE_READWRITE);
|
||||||
|
if (lpRemoteDllBase)
|
||||||
|
{
|
||||||
|
if (WriteProcessMemory(hProcess, lpRemoteDllBase, szDllPath, ulDllLength, NULL)
|
||||||
|
&& (hKernelModule = GetModuleHandleW(L"kernel32.dll")) != 0
|
||||||
|
&& (lpSysLibAddr = (LPTHREAD_START_ROUTINE)GetProcAddress(hKernelModule, "LoadLibraryW")) != 0
|
||||||
|
&& (hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, lpSysLibAddr, lpRemoteDllBase, 0, NULL)) != 0)
|
||||||
|
{
|
||||||
|
WaitForSingleObject(hRemoteThread, INFINITE);
|
||||||
|
VirtualFreeEx(hProcess, lpRemoteDllBase, ulDllLength, MEM_DECOMMIT | MEM_RELEASE);
|
||||||
|
CloseHandle(hRemoteThread);
|
||||||
|
CloseHandle(hProcess);
|
||||||
|
OutputDebugStringA("[DBG] dll inject success");
|
||||||
|
printf("dll inject success");
|
||||||
|
printf("dll path : %s ", szDllPath);
|
||||||
|
printf("pid : %d ", pid);
|
||||||
|
result = 1;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
VirtualFreeEx(hProcess, lpRemoteDllBase, ulDllLength, MEM_DECOMMIT | MEM_RELEASE);
|
||||||
|
CloseHandle(hProcess);
|
||||||
|
result = 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
CloseHandle(hProcess);
|
||||||
|
result = 0;
|
||||||
|
}
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
int UnInjectDll(wchar_t* szPName, wchar_t* szDName)
|
int UnInjectDll(wchar_t* szPName, wchar_t* szDName)
|
||||||
{
|
{
|
||||||
HMODULE hDll;
|
HMODULE hDll;
|
||||||
@ -878,8 +1052,9 @@ int main(int argc, char** argv)
|
|||||||
int port = 0;
|
int port = 0;
|
||||||
|
|
||||||
ULONG pid = 0;
|
ULONG pid = 0;
|
||||||
|
unsigned int injectPid =0;
|
||||||
|
|
||||||
while ((param = getopt(argc, argv, "i:p:u:d:m:P:h")) != -1)
|
while ((param = getopt(argc, argv, "i:p:u:d:m:P:I:h")) != -1)
|
||||||
{
|
{
|
||||||
switch (param)
|
switch (param)
|
||||||
{
|
{
|
||||||
@ -916,6 +1091,9 @@ int main(int argc, char** argv)
|
|||||||
case 'P':
|
case 'P':
|
||||||
port = std::atoi(optarg);
|
port = std::atoi(optarg);
|
||||||
break;
|
break;
|
||||||
|
case 'I':
|
||||||
|
injectPid = std::atoi(optarg);
|
||||||
|
break;
|
||||||
default:
|
default:
|
||||||
abort();
|
abort();
|
||||||
break;
|
break;
|
||||||
@ -925,6 +1103,24 @@ int main(int argc, char** argv)
|
|||||||
if (pid) {
|
if (pid) {
|
||||||
FindHandles(pid, (LPSTR)"_WeChat_App_Instance_Identity_Mutex_Name", TRUE, TRUE);
|
FindHandles(pid, (LPSTR)"_WeChat_App_Instance_Identity_Mutex_Name", TRUE, TRUE);
|
||||||
}
|
}
|
||||||
|
if (injectPid != 0 && cDllPath[0] != 0)
|
||||||
|
{
|
||||||
|
if(cDllPath[0] != '\0')
|
||||||
|
{
|
||||||
|
if (port == 0) {
|
||||||
|
std::wstring wsPath = Utf8ToUnicode(cDllPath);
|
||||||
|
int ret = InjectDllByPid(injectPid, (wchar_t*)wsPath.c_str());
|
||||||
|
printf(" 注入结果:%i \n", ret);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
std::wstring wsPath = Utf8ToUnicode(cDllPath);
|
||||||
|
int ret = InjectDllAndStartHttpByPid(injectPid, (wchar_t*)wsPath.c_str(), port);
|
||||||
|
printf(" 注入结果:%i \n", ret);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
if (cInjectprogram[0] != 0 && cDllPath[0] != 0)
|
if (cInjectprogram[0] != 0 && cDllPath[0] != 0)
|
||||||
{
|
{
|
||||||
|
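Review bot: The cleanup under `error:` in the new InjectDllAndStartHttpByPid frees the wrong buffer: the `if (param2Addr)` and `if (paramsAddr)` branches both pass `param1Addr` to VirtualFreeEx, so the remote allocations holding the function name and the parameter block are never released while the first one is released up to three times; they should read `VirtualFreeEx(hProcess, param2Addr, funcNameLen, MEM_DECOMMIT | MEM_RELEASE);` and `VirtualFreeEx(hProcess, paramsAddr, sizeof(params), MEM_DECOMMIT | MEM_RELEASE);`. I believe VirtualFreeEx with MEM_RELEASE also requires a size of 0 and is not meant to be combined with MEM_DECOMMIT, so every one of these calls (and the matching ones in the new InjectDllByPid) likely fails with its FALSE return ignored; worth checking the return value once rather than assuming the remote memory is gone. The failure paths are incomplete as well: when the `param1Addr`, `param2Addr` or `paramsAddr` VirtualAllocEx calls return NULL the code continues and launches the remote thread with a NULL parameter block instead of jumping to `error`, and `hStartHttp` is handed to WaitForSingleObject without a NULL check while `result = 1` is set regardless. In the InjectDllByPid hunk, `printf("dll path : %s ", szDllPath);` formats a `wchar_t*` with `%s` and should use `%ls`. In the last hunk (main begins and ends outside the lines shown) the inner `if(cDllPath[0] != '\0')` repeats the condition already tested by the enclosing `if`, and the duplicated `std::wstring wsPath = Utf8ToUnicode(cDllPath);` could be hoisted above the `port == 0` branch.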