一份进程注入的代码


// Injection.cpp : 定义控制台应用程序的入口点。
//

#include “stdafx.h”
#include “Injection.h”
#ifdef _DEBUG
#define new DEBUG_NEW
#endif

// The single application object (MFC console app): constructing it initialises MFC.

CWinApp theApp;

using namespace std;

typedef struct _RemotePara{ // Parameter block copied verbatim into the target process and handed to ThreadProc
char pMessageBox[12];       // NUL-terminated text used as both message and caption (at most 11 characters)
DWORD dwMessageBox;         // Address of MessageBoxA as seen from the target; a DWORD, so only a 32-bit target/injector pair works
}RemotePara;
//远程线程
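DWORD __stdcall ThreadProc (RemotePara *lpPara){
    // Thread body that is copied byte-for-byte into the target process and started
    // there with lpPara pointing at the RemotePara the injector wrote.
    // It must stay position-independent: everything it needs (the MessageBoxA address,
    // the text) arrives through lpPara. Calling into this image, touching globals or
    // using string literals would embed addresses that are only valid in the injector.
    //
    // MessageBoxA takes ANSI strings and pMessageBox is char[], so the prototype uses
    // LPCSTR explicitly; the original LPCTSTR turns into LPCWSTR in a UNICODE build and
    // then no longer matches the buffer being passed.
    typedef int (__stdcall *MMessageBoxA)(HWND, LPCSTR, LPCSTR, UINT);
    if (lpPara == NULL || lpPara->dwMessageBox == 0)
        return 0; // nothing to call; avoids jumping to address 0 inside the target
    MMessageBoxA pfnMessageBoxA = (MMessageBoxA)lpPara->dwMessageBox;
    // Same buffer serves as message text and window caption.
    pfnMessageBoxA(NULL, lpPara->pMessageBox, lpPara->pMessageBox, 0);
    return 0;
}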
void EnableDebugPriv();//提升应用级调试权限

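// Copies ThreadProc and its parameter block into hProcess and starts a thread there.
// Returns the remote thread handle (caller closes it) or NULL; GetLastError() then
// describes the failing Win32 call. The remote allocations are deliberately not
// freed: the new thread executes from them.
static HANDLE InjectMessageBox(HANDLE hProcess, const char *text)
{
    const DWORD THREADSIZE = 1024 * 4;

    // RWX is required because the same page is written here and executed there.
    void *pRemoteCode = ::VirtualAllocEx(hProcess, 0, THREADSIZE,
                                         MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!pRemoteCode)
        return NULL;
    // NOTE: this copies THREADSIZE bytes starting at ThreadProc, i.e. whatever the
    // linker placed after the function comes along too. ThreadProc must also be
    // free of absolute references (no /GS cookie, no incremental-link thunk in
    // Debug builds) or the remote thread crashes the target.
    if (!::WriteProcessMemory(hProcess, pRemoteCode, (LPCVOID)&ThreadProc, THREADSIZE, 0))
        return NULL;

    RemotePara param;
    ::ZeroMemory(&param, sizeof(param));
    // The local MessageBoxA address is reused in the target: this assumes user32.dll
    // is mapped at the same base in both processes (same bitness, same boot session).
    HMODULE hUser32 = ::LoadLibraryA("user32.dll");
    if (!hUser32)
        return NULL;
    param.dwMessageBox = (DWORD)::GetProcAddress(hUser32, "MessageBoxA"); // DWORD: 32-bit only
    ::FreeLibrary(hUser32); // the address stays valid; user32 is still referenced by this process
    if (!param.dwMessageBox)
        return NULL;
    // Bounded copy: pMessageBox is 12 bytes; strcat would overflow on longer text.
    ::lstrcpynA(param.pMessageBox, text, sizeof(param.pMessageBox));

    // Parameter block only needs to be readable/writable, not executable.
    RemotePara *pRemoteParam = (RemotePara *)::VirtualAllocEx(hProcess, 0, sizeof(RemotePara),
                                                              MEM_COMMIT, PAGE_READWRITE);
    if (!pRemoteParam)
        return NULL;
    if (!::WriteProcessMemory(hProcess, pRemoteParam, &param, sizeof(param), 0))
        return NULL;

    DWORD threadId = 0; // CreateRemoteThread's last argument is the new thread's id, not a byte count
    return ::CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)pRemoteCode,
                                pRemoteParam, 0, &threadId);
}

// Entry point: injects a "hello" MessageBoxA call into the target process.
// argv[1] selects the target PID; without it the original hard-coded PID 760 is used.
// Always returns 0, as before; failures are silent.
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
    DWORD targetPid = 760;
    if (argc > 1)
    {
        int parsed = _ttoi(argv[1]);
        if (parsed > 0)
            targetPid = (DWORD)parsed;
    }

    EnableDebugPriv(); // SeDebugPrivilege lets OpenProcess reach other users' processes

    // Least privilege: exactly the rights VirtualAllocEx, WriteProcessMemory and
    // CreateRemoteThread need, instead of PROCESS_ALL_ACCESS.
    const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                         PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE hProcess = ::OpenProcess(access, FALSE, targetPid);
    if (!hProcess)
        return 0;

    HANDLE hThread = InjectMessageBox(hProcess, "hello");
    if (hThread)
        ::CloseHandle(hThread); // the remote thread keeps running; we just drop our handle
    ::CloseHandle(hProcess);    // the original leaked both handles on every path
    return 0;
}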

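// Enables SeDebugPrivilege on the current process token so OpenProcess can reach
// processes of other users. Void: success is not reported; if the token never held
// the privilege (non-administrator), AdjustTokenPrivileges still returns TRUE and
// only GetLastError() == ERROR_NOT_ALL_ASSIGNED reveals it.
void EnableDebugPriv( void )
{
    HANDLE hToken = NULL;
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tkp;

    // Only the rights AdjustTokenPrivileges needs on our own token.
    if ( ! OpenProcessToken( GetCurrentProcess(),
                             TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
        return;

    if ( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ) )
    {
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = sedebugnameValue;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL );
    }

    // The original closed the token only when AdjustTokenPrivileges failed and
    // leaked it on the success path; the handle is not needed after this point.
    CloseHandle( hToken );
}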

调整当前进程权限并关机


核心代码片断:

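// Fragment: enable SeShutdownPrivilege on this process, request a shutdown, then
// drop the privilege again. hToken, tkp and fResult are declared by the enclosing
// function, outside this fragment.
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
    MessageBox("OpenProcessToken failed!");
    // NOTE(review): nothing below can succeed without the token; the enclosing
    // function should leave here rather than continue with an invalid handle.
}

if (!LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &tkp.Privileges[0].Luid)) // LUID of SeShutdownPrivilege on this machine
{
    MessageBox("LookupPrivilegeValue failed!");
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
// AdjustTokenPrivileges can return TRUE without granting anything; the privilege
// being absent from the token shows up as GetLastError() == ERROR_NOT_ALL_ASSIGNED.
if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES) NULL, 0) ||
    GetLastError() != ERROR_SUCCESS)
{
    MessageBox("切换系统级权限失败!");
}

fResult = InitiateSystemShutdown(
    NULL,                                                   // local machine
    "关机时间已到,WINDOWS将在上面的时间内关机,请做好保存工作!", // message shown to the user
    10,                                                     // seconds until shutdown
    TRUE,                                                   // force applications to close
    FALSE);                                                 // FALSE = shut down, TRUE = reboot
if (!fResult)
{
    MessageBox("初始化系统关机失败!");
    // Fallback while SeShutdownPrivilege is still enabled. ExitWindowsEx needs the
    // same privilege, so the original call placed after the privilege was disabled
    // could never succeed (ERROR_PRIVILEGE_NOT_HELD); it also duplicated a shutdown
    // that InitiateSystemShutdown had already scheduled.
    ExitWindowsEx(EWX_SHUTDOWN, 0);
}

tkp.Privileges[0].Attributes = 0; // disable the privilege again
if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES) NULL, 0) ||
    GetLastError() != ERROR_SUCCESS)
{
    MessageBox("AdjustTokenPrivileges disable failed.");
}
CloseHandle(hToken); // the original never released the token handle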

调整本进程权限核心代码


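// Enables SeDebugPrivilege on the current process token. Void and best-effort:
// every Win32 failure is silently ignored, as in the original, but the token
// handle is now always released and return values are at least checked.
void EnablePrivilege()
{
    HANDLE hProcessToken = NULL;
    TOKEN_PRIVILEGES tp;
    LUID luid;

    // Least privilege on the token handle: adjusting needs only these two rights,
    // not TOKEN_ALL_ACCESS.
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hProcessToken))
        return;

    // SE_DEBUG_NAME expands to TEXT("SeDebugPrivilege"), correct for both ANSI and
    // UNICODE builds, unlike a narrow literal.
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
    {
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // Returns TRUE even when the privilege is not held by the token; that case is
        // only visible through GetLastError() == ERROR_NOT_ALL_ASSIGNED.
        AdjustTokenPrivileges(
            hProcessToken,
            FALSE,
            &tp,
            sizeof(TOKEN_PRIVILEGES),
            (PTOKEN_PRIVILEGES)NULL,
            (PDWORD)NULL);
    }

    CloseHandle(hProcessToken); // the original leaked the token handle
}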

枚举系统进程核心代码


包含头文件:
#include “tlhelp32.h”
示例:

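// Fills m_ListBox with one "<exe name> ID:<pid>" entry per running process, using a
// ToolHelp snapshot. Errors are reported with a message box; on snapshot failure the
// list is left empty.
void CTerminateProcessDlg::OnGetProcess()
{
    m_ListBox.ResetContent();

    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE) // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not NULL
    {
        ::MessageBox(NULL, "查询进程失败!:(", "错误提示", MB_OK);
        return; // the original fell through and called Process32First on the invalid handle
    }

    PROCESSENTRY32 pe32 = {0};
    pe32.dwSize = sizeof(PROCESSENTRY32); // required before Process32First
    CString entry;
    if (Process32First(hProcessSnap, &pe32))
    {
        do
        {
            entry.Format("%-20s ID:%-5d", pe32.szExeFile, pe32.th32ProcessID);
            m_ListBox.AddString(entry);
        }
        while (Process32Next(hProcessSnap, &pe32));
    }
    else
    {
        ::MessageBox(NULL, "出现意外错误!", "错误提示", MB_OK);
    }

    CloseHandle(hProcessSnap);
}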

进程杀手v1.0


这是一个能枚举当前系统进程,并且终止进程的小程序。
程序界面如下:

程序源代码下载:
