/*
 * NOTE(review): the header names were lost in extraction; only the bare
 * `#include` directives survive.  Judging from the APIs used (Toolhelp
 * snapshot, assert, strcpy) the original pulled in the Win32, Toolhelp,
 * assert and string headers.  They are left exactly as found rather than
 * guessed.
 */
#include#include #include #include #include

/*
 * Walk a Toolhelp process snapshot and return the parent PID of `pid`.
 *
 * Returns (DWORD)-1 when `pid` does not appear in the snapshot.  Both the
 * snapshot handle and the Process32First result are checked only with
 * assert(); when NDEBUG is defined those checks disappear and a failed
 * snapshot handle is passed straight on to Process32First / Process32Next.
 */
DWORD GetParentProcessId(DWORD pid)
{
    DWORD ppid = (DWORD)(-1);   /* sentinel: "not found" */
    HANDLE hProcessSnap;
    PROCESSENTRY32 pe32;

    hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    assert(hProcessSnap != INVALID_HANDLE_VALUE);

    /* Process32First requires dwSize to be filled in before the call. */
    pe32.dwSize = sizeof( PROCESSENTRY32 );
    BOOL bResult = Process32First( hProcessSnap, &pe32 );
    assert(bResult != FALSE);

    /* Linear scan of the snapshot; stops at the first matching PID. */
    do {
        if (pid == pe32.th32ProcessID) {
            ppid = pe32.th32ParentProcessID;
            break;
        }
    } while( Process32Next( hProcessSnap, &pe32 ) );

    CloseHandle( hProcessSnap );
    return( ppid );
}

/* Parent PID of the calling process; (DWORD)-1 if it cannot be found. */
DWORD ppid(VOID)
{
    return GetParentProcessId( GetCurrentProcessId() );
}

/*
 * One entry of the parameter array handed to the remote thread: a function
 * address plus two fixed-size string arguments.  `funcptr` is a DWORD, so
 * the pointer main() stores into it is truncated on a 64-bit build.
 * The tag `_RemoteParam` (leading underscore followed by an uppercase
 * letter) lies in the identifier space reserved for the implementation.
 */
typedef struct _RemoteParam {
    DWORD funcptr;
    BYTE Param1[64];
    BYTE Param2[64];
} RemoteParam, *PRemoteParam;

/* Signatures for the two functions main() resolves with GetProcAddress. */
typedef int (WINAPI *PFN_MessageBox)(HWND, LPCTSTR, LPCTSTR, DWORD);
typedef BOOL (WINAPI *PFN_SetEnvironmentVariable)(LPCTSTR, LPCTSTR);

/*
 * Thread body that main() copies into, and starts inside, the target
 * process.  `lpParam` is expected to point at a two-element RemoteParam
 * array: element 0 is invoked as SetEnvironmentVariable(Param1, Param2),
 * element 1 as MessageBox(NULL, Param1, Param2, 0).  Neither return value
 * is examined and `lpParam` is not validated.
 *
 * NOTE(review): because main() copies the raw bytes of this function, the
 * copy only behaves like this source if the compiler emitted the body as
 * self-contained code; nothing in the file checks or enforces that.
 */
DWORD WINAPI threadProc(LPVOID lpParam)
{
    RemoteParam *pRP = (RemoteParam *)lpParam;

    /* Reconstitute the function pointers from the DWORD fields. */
    PFN_SetEnvironmentVariable pfnSetEnvironmentVariable =
        (PFN_SetEnvironmentVariable)pRP[0].funcptr;
    pfnSetEnvironmentVariable(pRP[0].Param1, pRP[0].Param2);

    PFN_MessageBox pfnMessageBox = (PFN_MessageBox)pRP[1].funcptr;
    pfnMessageBox(NULL, pRP[1].Param1, pRP[1].Param2, 0);

    return 0;
}

/*
 * Entry point: finds the parent process, maps a copy of threadProc and a
 * RemoteParam[2] array into it, and starts a remote thread at that copy.
 * argc/argv are unused.
 *
 * NOTE(review) — behaviour documented here, not changed:
 *  - every failure check is an assert(); with NDEBUG defined they all
 *    compile away and the NULL / FALSE results are used regardless.
 *  - WriteProcessMemory copies 4096 bytes starting at threadProc, i.e. the
 *    function plus whatever follows it in this image, not just its body.
 *  - GetProcAddress results are cast to DWORD, so on a 64-bit build the
 *    addresses stored in funcptr are truncated; the LoadLibrary and
 *    GetProcAddress results are never checked, and the two module handles
 *    are never released.
 *  - strcpy into the 64-byte fields is in bounds only because the literals
 *    are short; nothing bounds the copies.
 *  - From a defender's perspective this is the textbook cross-process
 *    VirtualAllocEx(PAGE_EXECUTE_READWRITE) + WriteProcessMemory +
 *    CreateRemoteThread sequence that endpoint telemetry keys on.
 */
int main(int argc, char *argv[])
{
    DWORD dwProcessId = ppid();
    assert(dwProcessId != (DWORD)(-1));

    HANDLE hTargetProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
    assert(hTargetProcess != NULL);

    /* Executable region in the target that receives the bytes of threadProc. */
    DWORD dwMemSize = 4096;
    LPVOID pRemoteThread = VirtualAllocEx(hTargetProcess, 0, dwMemSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE) ;
    assert(pRemoteThread != NULL);
    BOOL bResult = WriteProcessMemory(hTargetProcess, pRemoteThread, threadProc, dwMemSize, NULL) ;
    assert(bResult != FALSE);

    /*
     * Parameter block consumed by threadProc:
     *   [0] -> SetEnvironmentVariableA("__var", "hello")
     *   [1] -> MessageBoxA(NULL, "www.bathome.net", "hello", 0)
     */
    RemoteParam RemoteParams[2] = { {0}};
    HMODULE hUser32 = LoadLibrary("User32.dll");
    HMODULE hKernel32 = LoadLibrary("Kernel32.dll");
    RemoteParams[0].funcptr = (DWORD)GetProcAddress(hKernel32, "SetEnvironmentVariableA");
    strcpy(RemoteParams[0].Param1, "__var");
    strcpy(RemoteParams[0].Param2, "hello");
    RemoteParams[1].funcptr = (DWORD)GetProcAddress(hUser32, "MessageBoxA");
    strcpy(RemoteParams[1].Param1, "www.bathome.net");
    strcpy(RemoteParams[1].Param2, "hello");

    /* dwMemSize is reused: from here on it is the byte size of the array. */
    dwMemSize = sizeof(RemoteParams);
    LPVOID pRemoteParam = VirtualAllocEx(hTargetProcess, 0, dwMemSize, MEM_COMMIT, PAGE_READWRITE);
    assert(pRemoteParam != NULL);
    bResult = WriteProcessMemory(hTargetProcess, pRemoteParam, RemoteParams, dwMemSize, NULL) ;
    assert(bResult != FALSE);

    HANDLE hRemoteThread = CreateRemoteThread(hTargetProcess, NULL, 0, pRemoteThread, pRemoteParam, 0, NULL);
    assert(hRemoteThread != NULL);

    /* The remote thread is not waited on; only the handles are released. */
    CloseHandle(hRemoteThread);
    CloseHandle(hTargetProcess);
    return 0;
}
出处: