EnhanceFunc__增强函数集

想将经常用到的功能函数写在一起,花时间精心维护,然后以后用起来就舒服很多了

目前就写了进程调试权限,远程线程注入,远程线程释放这三个函数.还有很多功能,以后慢慢加

 1 // last code by [email protected] at 20150708
 2
 3 #pragma once
 4
 5 #ifndef ENHANCEFUNC_H
 6 #define ENHANCEFUNC_H
 7
 8 #include <cstdio>
 9 #include <windows.h>
10
11 using namespace std;
12
/** Enables SeDebugPrivilege on the current process token. Returns FALSE on failure. */
BOOL EnableDebugPrivileges();

/** Creates a thread in hProcess that runs LoadLibraryA on a copy of lpLibFilePath.
 *  Returns the remote thread handle (it is not closed by the callee, so the caller
 *  should close it) or 0/NULL on failure; when lpRemoteThreadId is non-NULL it
 *  receives the new thread's id. */
HANDLE RemoteThreadInjection(HANDLE hProcess, LPCSTR lpLibFilePath, LPDWORD lpRemoteThreadId = NULL);
/** Unloads lpLibFilePath from hProcess by running GetModuleHandleA and then FreeLibrary
 *  there, waiting up to dwMilliseconds for each remote thread. Returns the remote
 *  FreeLibrary result, or FALSE when any step fails or times out. */
BOOL RemoteThreadFreeing(HANDLE hProcess, LPCSTR lpLibFilePath, DWORD dwMilliseconds = INFINITE);
17
18 #endif    //    def    ENHANCEFUNC_H

EnhanceFunc.h

  1 // last code by [email protected] at 20150708
  2
  3 #include "EnhanceFunc.h"
  4
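/**
 * Enables SeDebugPrivilege on the current process token.
 *
 * @return TRUE when the privilege is now enabled; FALSE when the token cannot be
 *         opened, the privilege name cannot be resolved, or the privilege is not
 *         assigned to the token (the caller is then not elevated/administrative).
 */
BOOL EnableDebugPrivileges()
{
    // Least privilege: AdjustTokenPrivileges only needs these two rights,
    // TOKEN_ALL_ACCESS asks for far more than the function uses.
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return FALSE;

    BOOL bEnabled = FALSE;
    LUID luid = {};
    if (LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &luid))
    {
        TOKEN_PRIVILEGES tp = {};
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        // AdjustTokenPrivileges returns TRUE even when the token does not hold the
        // privilege at all; it reports that case via ERROR_NOT_ALL_ASSIGNED, so the
        // last error must be read immediately after the call to report success honestly.
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL)
            && GetLastError() != ERROR_NOT_ALL_ASSIGNED)
        {
            bEnabled = TRUE;
        }
    }

    // Single exit so the token handle is released on every path.
    CloseHandle(hToken);
    return bEnabled;
}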
 31
/**
 * Starts a thread in hProcess whose start address is this process's LoadLibraryA
 * and whose argument is a copy of lpLibFilePath written into hProcess.
 *
 * @param hProcess         target process handle (must already carry the rights
 *                         VirtualAllocEx/WriteProcessMemory/CreateRemoteThread need)
 * @param lpLibFilePath    NUL-terminated path copied into the target process
 * @param lpRemoteThreadId receives the new thread id when non-NULL
 * @return the remote thread handle (not closed here, so the caller owns it), or
 *         ERROR — which is 0, i.e. a NULL handle — on any failure
 *
 * NOTE(review): the path buffer is released with VirtualFreeEx as soon as
 * CreateRemoteThread returns, without waiting for the thread, so the remote
 * LoadLibraryA may read a buffer that has already been freed. The function also
 * assumes LoadLibraryA has the same address in the target process — TODO confirm
 * (at least requires both processes to have the same bitness).
 */
HANDLE RemoteThreadInjection(HANDLE hProcess, LPCSTR lpLibFilePath, LPDWORD lpRemoteThreadId)
{
    // strlen returns size_t; storing it in int narrows the value on 64-bit builds
    int len = strlen(lpLibFilePath) + 1;

    // The buffer only ever holds a path string, yet it is committed executable.
    LPVOID lpVir = VirtualAllocEx(hProcess, NULL, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (NULL == lpVir)
        return ERROR;

    if (!WriteProcessMemory(hProcess, lpVir, lpLibFilePath, len, NULL))
    {
        VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);
        return ERROR;
    }

    // GetModuleHandleA takes no reference on the module, but every later path
    // calls FreeLibrary(hModule) regardless of which branch produced it.
    HMODULE hModule = GetModuleHandleA("Kernel32.dll");
    if (NULL == hModule)
    {
        hModule = LoadLibraryA("Kernel32.dll");
        if (NULL == hModule)
        {
            VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);
            return ERROR;
        }
    }

    FARPROC fpProc = GetProcAddress(hModule, "LoadLibraryA");
    if (NULL == fpProc)
    {
        FreeLibrary(hModule);
        VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);
        return ERROR;
    }

    // NULL is passed where SIZE_T dwStackSize and DWORD dwCreationFlags are expected;
    // the intended value on both is 0.
    DWORD dwRemoteThreadId;
    HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)fpProc, lpVir, NULL, &dwRemoteThreadId);
    if (NULL == hRemoteThread)
    {
        FreeLibrary(hModule);
        VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);
        return ERROR;
    }

    if (NULL != lpRemoteThreadId)
        *lpRemoteThreadId = dwRemoteThreadId;

    // No wait on hRemoteThread before the buffer it reads is released (see NOTE above).
    FreeLibrary(hModule);
    VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);
    return hRemoteThread;
}
 81
/**
 * Unloads lpLibFilePath from hProcess in two remote steps: a first thread runs
 * GetModuleHandleA(path) there and its exit code is taken as the module handle,
 * then a second thread runs FreeLibrary on that handle.
 *
 * @param hProcess       target process handle
 * @param lpLibFilePath  NUL-terminated path copied into the target process
 * @param dwMilliseconds wait applied to each of the two remote threads
 * @return the remote FreeLibrary result cast to BOOL, or FALSE when any step
 *         fails or a wait does not return WAIT_OBJECT_0
 *
 * NOTE(review): the module handle travels through a DWORD thread exit code, so a
 * 64-bit HMODULE cannot survive the round trip — this only works when the target
 * is a 32-bit process (TODO confirm). A remote GetModuleHandleA that returns NULL
 * (module not loaded) is not detected: dwExitCode == 0 is passed on to FreeLibrary.
 * On a wait timeout the thread handle is closed but the remote thread keeps running.
 */
BOOL RemoteThreadFreeing(HANDLE hProcess, LPCSTR lpLibFilePath, DWORD dwMilliseconds)
{
    // strlen returns size_t; storing it in int narrows the value on 64-bit builds
    int len = strlen(lpLibFilePath) + 1;

    // The buffer only ever holds a path string, yet it is committed executable.
    LPVOID lpVir = VirtualAllocEx(hProcess, NULL, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (NULL == lpVir)
        return FALSE;

    if (!WriteProcessMemory(hProcess, lpVir, lpLibFilePath, len, NULL))
    {
        VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);
        return FALSE;
    }

    // GetModuleHandleA takes no reference on the module, but every later path
    // calls FreeLibrary(hModule) regardless of which branch produced it.
    HMODULE hModule = GetModuleHandleA("Kernel32.dll");
    if (NULL == hModule)
    {
        hModule = LoadLibraryA("Kernel32.dll");
        if (NULL == hModule)
        {
            VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);
            return FALSE;
        }
    }

    // Assumes GetModuleHandleA has the same address in the target process — TODO confirm.
    FARPROC fpProc = GetProcAddress(hModule, "GetModuleHandleA");
    if (NULL == fpProc)
    {
        FreeLibrary(hModule);
        VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);
        return FALSE;
    }

    // NULL is passed where SIZE_T dwStackSize and DWORD dwCreationFlags are expected.
    HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)fpProc, lpVir, NULL, NULL);
    if (NULL == hRemoteThread)
    {
        FreeLibrary(hModule);
        VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);
        return FALSE;
    }

    // WAIT_TIMEOUT and WAIT_FAILED are both treated as failure here.
    if (WAIT_OBJECT_0 != WaitForSingleObject(hRemoteThread, dwMilliseconds))
    {
        CloseHandle(hRemoteThread);
        FreeLibrary(hModule);
        VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);
        return FALSE;
    }

    DWORD dwExitCode;
    if (!GetExitCodeThread(hRemoteThread, &dwExitCode))    //    dwExitCode is the remote module handle (truncated to DWORD); 0 is not rejected
    {
        CloseHandle(hRemoteThread);
        FreeLibrary(hModule);
        VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);
        return FALSE;
    }

    // The path buffer is no longer needed; the second thread only receives the handle.
    CloseHandle(hRemoteThread);
    VirtualFreeEx(hProcess, lpVir, len, MEM_RELEASE);

    //    CreateRemoteThread the second time: FreeLibrary on the handle obtained above

    fpProc = GetProcAddress(hModule, "FreeLibrary");
    if (NULL == fpProc)
    {
        FreeLibrary(hModule);
        return FALSE;
    }

    hRemoteThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)fpProc, (LPVOID)((HMODULE)dwExitCode), NULL, NULL);
    if (NULL == hRemoteThread)
    {
        FreeLibrary(hModule);
        return FALSE;
    }

    if (WAIT_OBJECT_0 != WaitForSingleObject(hRemoteThread, dwMilliseconds))
    {
        CloseHandle(hRemoteThread);
        FreeLibrary(hModule);
        return FALSE;
    }

    if (!GetExitCodeThread(hRemoteThread, &dwExitCode))    //    dwExitCode is the return value of the remote FreeLibrary
    {
        CloseHandle(hRemoteThread);
        FreeLibrary(hModule);
        return FALSE;
    }

    FreeLibrary(hModule);
    CloseHandle(hRemoteThread);
    return (BOOL)dwExitCode;
}

EnhanceFunc.cpp

 1 #include <cstdio>
 2 #include <windows.h>
 3
 4 #include "EnhanceFunc.h"
 5
 6 using namespace std;
 7
/**
 * Demo driver: enables SeDebugPrivilege, launches calc.exe, loads DLL.dll into it,
 * unloads it again and finally terminates the child. Every step pauses for a key
 * press so the effect can be observed from outside. Return values of the launch
 * and of the injection are not propagated beyond the printed status lines.
 */
int main()
{
    char cTargetDllPath[MAX_PATH] = "C:\\DLL.dll";    //    suppose I have a dll file in this path

    printf("Enable Debug Privilege %s...\n", EnableDebugPrivileges() ? "Succeed" : "Faild");

    // Each pause spawns a shell via system(); getchar() would do the same without it.
    system("pause > nul");

    STARTUPINFOA si = {};
    si.cb = sizeof(si);
    PROCESS_INFORMATION pi = {};
    // Return value unchecked: if the launch fails pi.hProcess stays NULL and every
    // later call silently operates on an invalid handle. NULL is also passed for the
    // DWORD dwCreationFlags argument, where 0 is the intended value.
    CreateProcessA(NULL, "C:\\Windows\\System32\\calc.exe", NULL, NULL, FALSE, NULL, NULL, NULL, &si, &pi);

    system("pause > nul");

    // The remote thread handle returned here is discarded, so it is never closed.
    printf("DLL.dll Inject %s...\n", RemoteThreadInjection(pi.hProcess, cTargetDllPath) ? "Succeed" : "Faild");

    system("pause > nul");

    printf("DLL.dll Freeing %s...\n", RemoteThreadFreeing(pi.hProcess, cTargetDllPath) ? "Succeed" : "Faild");

    system("pause > nul");

    // NULL is passed where a UINT exit code is expected. pi.hProcess and pi.hThread
    // are never closed; the OS reclaims them when this process exits.
    TerminateProcess(pi.hProcess, NULL);

    system("pause > nul && exit");
    return 0;
}

main.cpp

时间: 2024-10-21 04:18:24
