一个简单的WIN32程序；
平台VC++ 6.0
干掉360老的版本是可以的


//线程参数结构体定义
typedef struct _RemoteParam
{
    char szMsg[12];    //MessageBox函数中显示的字符提示
    DWORD dwMessageBox;//MessageBox函数的入口地址
} RemoteParam, * PRemoteParam;

//定义MessageBox类型的函数指针
typedef int (__stdcall * PFN_MESSAGEBOX)(HWND, LPCTSTR, LPCTSTR, DWORD);

//线程函数定义
DWORD __stdcall threadProc(LPVOID lParam)
{
    RemoteParam* pRP = (RemoteParam*)lParam;

    PFN_MESSAGEBOX pfnMessageBox;
    pfnMessageBox = (PFN_MESSAGEBOX)pRP->dwMessageBox;
    pfnMessageBox(NULL, pRP->szMsg, pRP->szMsg, 0);

    return 0;
}

//提升进程访问权限
bool enableDebugPriv()
{
    HANDLE hToken;
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tkp;
  
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return false;
    }

    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
    {
        CloseHandle(hToken);
        return false;
    }

    XXXXXXivilegeCount = 1;
    XXXXXXivileges[0].Luid = sedebugnameValue;
    XXXXXXivileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL))
    {
        CloseHandle(hToken);
        return false;
    }

    return true;
}

//根据进程名称得到进程ID,如果有多个运行实例的话，返回第一个枚举到的进程的ID
DWORD processNameToId(LPCTSTR lpszProcessName)
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(PROCESSENTRY32);

    if (!Process32First(hSnapshot, &pe))
    {
        
        return 0;
    }

    while (Process32Next(hSnapshot, &pe))
    {
        if (!StrCmpI(lpszProcessName, XXXXXExeFile))
        {
            return XXXXX32ProcessID;
        }
    }

    return 0;
}

int main(int argc, char* argv[])
{
    //定义线程体的大小
    const DWORD dwThreadSize = 4096;
    DWORD dwWriteBytes;
    //提升进程访问权限
    enableDebugPriv();

    //等待输入进程名称，注意大小写匹配
    std::cout << "[s:9]lease input the name of target process !" << std::endl;
    char szExeName[MAX_PATH] = { 0 };
    std::cin >> szExeName;

    DWORD dwProcessId = processNameToId(szExeName);

    if (dwProcessId == 0)
    {
        MessageBox(NULL, "The target process have not been found !", "Notice", MB_ICONINFORMATION | MB_OK);
        return -1;
    }

    //根据进程ID得到进程句柄
    HANDLE hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);

    if (!hTargetProcess)
    {
        MessageBox(NULL, "Open target process failed !", "Notice", MB_ICONINFORMATION | MB_OK);
        return 0;
    }

    //在宿主进程中为线程体开辟一块存储区域
    //在这里需要注意MEM_COMMIT | MEM_RESERVE内存非配类型以及PAGE_EXECUTE_READWRITE内存保护类型
    //其具体含义请参考MSDN中关于VirtualAllocEx函数的说明。
    void* pRemoteThread = VirtualAllocEx(hTargetProcess, 0, dwThreadSize, MEM_COMMIT | MEM_RESERVE, \
        PAGE_EXECUTE_READWRITE);

    if (!pRemoteThread)
    {
        MessageBox(NULL, "Alloc memory in target process failed !", "notice", MB_ICONINFORMATION | MB_OK);
        return 0;
    }

    //将线程体拷贝到宿主进程中
    if (!WriteProcessMemory(hTargetProcess, pRemoteThread, &threadProc, dwThreadSize, 0))
    {
        MessageBox(NULL, "Write data to target process failed !", "Notice", MB_ICONINFORMATION | MB_OK);
        return 0;
    }
    //定义线程参数结构体变量
    RemoteParam remoteData;
    ZeroMemory(&remoteData, sizeof(RemoteParam));

    //填充结构体变量中的成员
    HINSTANCE hUser32 = LoadLibrary("User32.dll");
    remoteData.dwMessageBox = (DWORD)GetProcAddress(hUser32, "MessageBoxA");
    strcat(XXXXXXXXXXXXXMsg, "Hello\0");

    //为线程参数在宿主进程中开辟存储区域
    RemoteParam* pRemoteParam = (RemoteParam *)VirtualAllocEx(hTargetProcess , 0, sizeof(RemoteParam), \
        MEM_COMMIT, PAGE_READWRITE);

    if (!pRemoteParam)
    {
        MessageBox(NULL, "Alloc memory failed !", "Notice", MB_ICONINFORMATION | MB_OK);
        return 0;
    }

    //将线程参数拷贝到宿主进程地址空间中
    if (!WriteProcessMemory(hTargetProcess, pRemoteParam, &remoteData, sizeof(remoteData), 0))
    {
        MessageBox(NULL, "Write data to target process failed !", "Notice", MB_ICONINFORMATION | MB_OK);
        return 0;
    }

    //在宿主进程中创建线程
    HANDLE hRemoteThread = CreateRemoteThread(hTargetProcess, NULL, 0, \
        (DWORD (__stdcall *)(void *))pRemoteThread, pRemoteParam, 0, &dwWriteBytes);

    if (!hRemoteThread)
    {
        MessageBox(NULL, "Create remote thread failed !", "Notice",  MB_ICONINFORMATION | MB_OK);
        return 0;
    }

    if (hRemoteThread)
    {
        ::WaitForSingleObject(hRemoteThread, INFINITE);
        ::CloseHandle(hRemoteThread);
    }
    
    ::VirtualFreeEx(hTargetProcess, pRemoteThread,    dwThreadSize, MEM_RELEASE);
    ::VirtualFreeEx(hTargetProcess, pRemoteParam,    sizeof(remoteData), MEM_RELEASE);
    ::CloseHandle(hTargetProcess);
    
    return 0;
}
CreateRemoteThread.rar 9.01KB RAR 23次下载