[toc]

C语言调用带参函数的例子

1.C语言传递参数的例子

1
2
3
4
5
6
7
8
9
10
11
12
13
#include <windows.h>

void Message(int a)
{
    MessageBoxA(NULL, "HellWorld", "Text", a);
}

int main(int argc, char** argv)
{
    int a = 1;
    Message(a);
    return 0;
}

2. 通过指针传递变量的值

1
2
3
4
5
6
7
8
9
10
11
12
13
14
#include <windows.h>

void Message(int a)
{
    MessageBoxA(NULL, "HellWorld", "Text", a);
}

int main(int argc, char** argv)
{
    int a = 1;
    int* p = &a;
    Message(*p);
    return 0;
}

3. 通过指针传递内存地址的值

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
#include <windows.h>

void Message(int a)
{
    MessageBoxA(NULL, "HellWorld", "Text", a);
}

int main(int argc, char** argv)
{
    int a = 1;
    int* p = (int*)malloc(sizeof(int));
    memcpy(p,&a,sizeof(int));
    Message(*p);
    return 0;
}

4. 通过远程线程加载带参数的函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
#include <windows.h>

void Message(int a)
{
    MessageBoxA(NULL, "HellWorld", "Text", a);
}

int main(int argc, char** argv)
{
    int a = 1;
    int* p = (int*)malloc(sizeof(int));
    memcpy(p,&a,sizeof(int));
    DWORD NumberOfByte;
    HANDLE hThread1 = CreateRemoteThread(-1, NULL, 0,
        (LPTHREAD_START_ROUTINE)Message, *p, 0, &NumberOfByte);
    WaitForSingleObject(hThread1, INFINITE);
    CloseHandle(hThread1);
    return 0;
}

4. 通过远程线程加载带参数的函数,以打开句柄的方式

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
#include <windows.h>

void Message(int a)
{
    MessageBoxA(NULL, "HellWorld", "Text", a);
}

int InjectFunc(DWORD dwProcId, LPVOID mFunc)
{
    HANDLE hProcess;
    LPVOID mFuncAddr;
    DWORD NumberOfByte;

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcId);
    int a = 1;
    mFuncAddr = VirtualAllocEx(hProcess, NULL, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProcess, mFuncAddr, mFunc, 1024, &NumberOfByte);
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
        (LPTHREAD_START_ROUTINE)mFunc, &a, 0, &NumberOfByte);
    WaitForSingleObject(hThread, INFINITE);
    VirtualFreeEx(hProcess, mFuncAddr, 1024, MEM_RELEASE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
    return 0;
}
int main(int argc, char** argv)
{
    InjectFunc(GetCurrentProcessId(), Message);
    return 0;
}

5. 通过远程线程加载带参数的函数,以打开句柄的方式,使用结构体传递参数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
#include <windows.h>
typedef struct tagParamCall
{
    HWND hWnd;
    char* Text;
    char* Caption;
    UINT uType;

}ParamCall, * PParamCall;

void Message(PParamCall addr)
{
    MessageBoxA(addr->hWnd, addr->Text, addr->Caption, addr->uType);
}

int InjectFunc(DWORD dwProcId, LPVOID mFunc)
{
    HANDLE hProcess;
    LPVOID mFuncAddr;
    DWORD NumberOfByte;

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcId);
    ParamCall a;
    a.hWnd = NULL;
    a.Text = "HellWorld";
    a.Caption = "Text";
    a.uType = 1;
  
    mFuncAddr = VirtualAllocEx(hProcess, NULL, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProcess, mFuncAddr, mFunc, 1024, &NumberOfByte);
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
        (LPTHREAD_START_ROUTINE)mFunc, &a, 0, &NumberOfByte);
    WaitForSingleObject(hThread, INFINITE);
    VirtualFreeEx(hProcess, mFuncAddr, 1024, MEM_RELEASE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
    return 0;
}
int main(int argc, char** argv)
{
    InjectFunc(GetCurrentProcessId(), Message);
    return 0;
}

6. C语言通过远程线程在本进程中加载User32.dll中的MessageBoxA函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
#include <windows.h>
#include <stdio.h>

typedef struct tagParamCall
{
    HWND hWnd;
    char* Text;
    char* Caption;
    UINT uType;

}ParamCall, * PParamCall;

void Message(PParamCall addr)
{
    // 动态加载 User32.dll
    HMODULE hUser32 = LoadLibraryA("User32.dll");
    // 获取 MessageBoxA 函数的地址
    typedef int (WINAPI* MessageBoxA_t)(HWND, LPCSTR, LPCSTR, UINT);
    MessageBoxA_t pMessageBoxA = (MessageBoxA_t)GetProcAddress(hUser32, "MessageBoxA");
    // 调用 MessageBoxA 函数
    pMessageBoxA(addr->hWnd, addr->Text, addr->Caption, addr->uType);
    // 释放 User32.dll
    FreeLibrary(hUser32);
}

int InjectFunc(DWORD dwProcId, LPVOID mFunc)
{
    HANDLE hProcess;
    LPVOID mFuncAddr, ParamAddr;
    DWORD NumberOfByte;

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcId);
    ParamCall a;
    a.hWnd = NULL;
    a.Text = "HellWorld";
    a.Caption = "Text";
    a.uType = 1;
    mFuncAddr = VirtualAllocEx(hProcess, NULL, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProcess, mFuncAddr, mFunc, 1024, &NumberOfByte);
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
        (LPTHREAD_START_ROUTINE)mFunc, &a, 0, &NumberOfByte);
    WaitForSingleObject(hThread, INFINITE);
    VirtualFreeEx(hProcess, mFuncAddr, 1024, MEM_RELEASE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
    return 0;
}
int main(int argc, char** argv)
{
    printf("MessageBoxA address is 0x%p\n", &MessageBoxA);
    InjectFunc(GetCurrentProcessId(), Message);
    return 0;
}

7. C语言通过远程线程在本进程中加载User32.dll中的MessageBoxA函数并传递参数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
#include <windows.h>
#include <stdio.h>
typedef struct tagParamCall
{
    HWND hWnd;
    char* Text;
    char* Caption;
    UINT uType;

}ParamCall, * PParamCall;

void Message(PParamCall addr)
{
    // 动态加载 User32.dll
    HMODULE hUser32 = LoadLibraryA("User32.dll");
    // 获取 MessageBoxA 函数的地址
    typedef int (WINAPI* MessageBoxA_t)(HWND, LPCSTR, LPCSTR, UINT);
    MessageBoxA_t pMessageBoxA = (MessageBoxA_t)GetProcAddress(hUser32, "MessageBoxA");
    // 调用 MessageBoxA 函数
    pMessageBoxA(addr->hWnd, addr->Text, addr->Caption, addr->uType);
    // 释放 User32.dll
    FreeLibrary(hUser32);
}

int InjectFunc(DWORD dwProcId, LPVOID mFunc)
{
    HANDLE hProcess;
    LPVOID mFuncAddr, ParamAddr;
    DWORD NumberOfByte;

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcId);
    ParamCall a;
    a.hWnd = NULL;
    a.Text = "HellWorld";
    a.Caption = "Text";
    a.uType = 1;
    mFuncAddr = VirtualAllocEx(hProcess, NULL, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProcess, mFuncAddr, mFunc, 1024, &NumberOfByte);
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
        (LPTHREAD_START_ROUTINE)mFunc, &a, 0, &NumberOfByte);
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
    return 0;
}
int main(int argc, char** argv)
{
    printf("MessageBoxA address is 0x%p\n", &MessageBoxA);
    InjectFunc(GetCurrentProcessId(), Message);
    return 0;
}

C语言通过远程线程在其他进程中加载带参数的函数

1.用c语言写一个弹出消息框MessageBoxA的程序

  1. 在项目中属性->高级->随机基地址中选择关闭
  2. 代码如下
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
//message.c
#include <windows.h>
#include <stdio.h>

void Message(int style)
{
    MessageBoxA(NULL, "HellWorld", "Text", style);
}
void AsmMessage(void* addr)
{
    __asm {
        push 2
        mov edx, addr  //addr is Message() address
        call edx
        add esp,4
    }
}
int main(int argc, char** argv)
{
    printf("MessageBoxA address is 0x%p\n", &MessageBoxA);
    printf("Message() address is 0x%p\n", &Message);
    printf("AsmMessage() address is 0x%p\n", &AsmMessage);
    printf("Current pid is %d\n", GetCurrentProcessId());
    AsmMessage(&Message);
    MSG msg;
    while (GetMessageW(&msg, NULL, NULL, NULL))
    {
    }
    return 0;
}

3.编译后运行查看结果

2.编写注入代码汇编调用Message(UINT style)

main.c

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
//main.c
#include <windows.h>
#include <stdio.h>

//Message() address is 0x00401040
void  AddSun()
{
    _asm {
        push 2
        mov edx, 0x00401040
        call edx
        add esp, 4
    }
}
void InjectCode(DWORD dwProcId, LPVOID mFunc)
{
    HANDLE hProcess, hThread;
    LPVOID mFuncAddr, ParamAddr = NULL;
    DWORD NumberOfByte;

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcId);
    mFuncAddr = VirtualAllocEx(hProcess, NULL, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProcess, mFuncAddr, mFunc, 1024, &NumberOfByte);
    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)mFuncAddr, ParamAddr, 0, &NumberOfByte);
    WaitForSingleObject(hThread, INFINITE);
    VirtualFreeEx(hProcess, mFuncAddr, 1024, MEM_RELEASE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
}

int main(int argc, char** argv)
{
    InjectCode(35344, AddSun);
    return 0;
}

3. 编写注入带参数的代码汇编调用Message(UINT style)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
//main.c
#include <windows.h>
#include <stdio.h>

//Message() address is 0x00401040
void  __declspec(naked) AddSun(void* Addr)
{
    _asm {
        mov edx, [esp+4]
        push 2
        call edx
        add esp, 4
        ret
    }
}
void InjectCode(DWORD dwProcId, LPVOID mFunc)
{
    HANDLE hProcess, hThread;
    LPVOID mFuncAddr, ParamAddr = 0x00401040;
    DWORD NumberOfByte;

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcId);
    mFuncAddr = VirtualAllocEx(hProcess, NULL, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProcess, mFuncAddr, mFunc, 1024, &NumberOfByte);
    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)mFuncAddr, ParamAddr, 0, &NumberOfByte);
    WaitForSingleObject(hThread, INFINITE);
    VirtualFreeEx(hProcess, mFuncAddr, 1024, MEM_RELEASE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
}

int main(int argc, char** argv)
{
    InjectCode(50596, AddSun);
    return 0;
}

4. 编写注入带多个参数的代码汇编调用MessageBoxA,使用结构体传参数

  • 代码注入没有依赖库,只能调用程序已有库。
  • 项目需要设置为Realse
  • char*类型的数据需要memcpy拷贝不能直接赋值
  • main.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
//main.c
#include <windows.h>
#include <stdio.h>

typedef struct tagParamCall
{
    void* addr;
    HWND hWnd;
    char Text[MAXCHAR];
    char Caption[MAXCHAR];
    UINT uType;

}ParamCall, * PParamCall;

void  AddSun(PParamCall Addr)
{
    int uType = Addr->uType;
    const char* Caption = Addr->Caption;
    DWORD* addr = Addr->addr;
    _asm {
        mov edx, [addr]
        push uType
        push Caption
        push 0
        push 0
        call edx

    }
}

void InjectCode(DWORD dwProcId, LPVOID mFunc)
{
    HANDLE hProcess, hThread;
    LPVOID mFuncAddr, mParamAddr;
    DWORD NumberOfByte;

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcId);
    mFuncAddr = VirtualAllocEx(hProcess, NULL, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProcess, mFuncAddr, mFunc, 1024, &NumberOfByte);
    ParamCall mParam;
    mParam.addr = &MessageBoxA;
    mParam.hWnd = NULL;
    memcpy(mParam.Text, "Text",strlen("Text"));
    memcpy(mParam.Caption, "title", strlen("title"));
    mParam.uType = 2;
    mParamAddr = VirtualAllocEx(hProcess, NULL, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProcess, mParamAddr, &mParam, 1024, &NumberOfByte);
    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)mFuncAddr, mParamAddr, 0, &NumberOfByte);
    WaitForSingleObject(hThread, INFINITE);
    VirtualFreeEx(hProcess, mFuncAddr, 1024, MEM_RELEASE);
    VirtualFreeEx(hProcess, mParamAddr, 1024, MEM_RELEASE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
}

int main(int argc, char** argv)
{
    InjectCode(44060, AddSun);
    return 0;
}

5.C语言编写代码让目标进程加载”user.dll”中的MessageA函数

1.分析多个参数的传递

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
//main.c
#include <windows.h>
#include <stdio.h>

void fun(DWORD* addr,char*Text)
{
    DWORD addr1=0;
    __asm {
        mov eax,[addr]
        mov ecx,[eax]
        mov [addr1],ecx
    }
    printf("0x%x\n",addr1);
    char* Text1 = NULL;
    //0045DC55  mov         eax, dword ptr[Text]
    //0045DC58  mov         dword ptr[Text1], eax

    __asm {
        mov eax, [Text]
        mov[Text1], eax
    }
    printf("%s\n", Text);

}
int main(int argc, char** argv)
{
    ParamCall a;
    a.addr = 0x666;
    a.Caption = "title";
    fun(&a.addr, a.Caption);
    return 0;
}

2. 分析结构体传递参数的方法

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
//main.c
#include <windows.h>
#include <stdio.h>

typedef struct tagParamCall
{
    DWORD* addr;
    HWND hWnd;
    char* Text;
    char* Caption;
    UINT uType;

}ParamCall, * PParamCall;
/*
DWORD addr = Addr->addr;
0045DAA5  mov         eax, dword ptr[Addr]
0045DAA8  mov         ecx, dword ptr[eax]
0045DAAA  mov         dword ptr[addr], ecx
char* Text = Addr->Text;
0045DACE  mov         eax, dword ptr[Addr]
0045DAD1  mov         ecx, dword ptr[eax + 8]
0045DAD4  mov         dword ptr[Text], ecx
char* caption = Addr->Caption;
0045DAD7  mov         eax, dword ptr[Addr]
0045DADA  mov         ecx, dword ptr[eax + 0Ch]
0045DADD  mov         dword ptr[caption], ecx
UINT uType = Addr->uType;
0045DAE0  mov         eax, dword ptr[Addr]
0045DAE3  mov         ecx, dword ptr[eax + 10h]
0045DAE6  mov         dword ptr[uType], ecx
*/
void fun(PParamCall Addr)
{
    //DWORD addr = Addr->addr;
    DWORD addr;
    _asm{
          mov  eax, dword ptr[Addr]
          mov  ecx, dword ptr[eax]
          mov  dword ptr[addr], ecx
    }
    printf("0x%x\n", addr);
    char* Text = Addr->Text;
    printf("%s\n", Text);
    char* caption = Addr->Caption;
    UINT uType = Addr->uType;
}
int main(int argc, char** argv)
{
    ParamCall a;
    a.addr = 0x666;
    a.Text = "Text";
    a.Caption = "title";
    fun(&a);
    return 0;
}

3. 使用结构体传递参数并在本程序中汇编调用MessageBoxA

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
//main.c
#include <windows.h>
#include <stdio.h>

typedef struct tagParamCall
{
    void* addr;
    HWND hWnd;
    char* Text;
    char* Caption;
    UINT uType;

}ParamCall, * PParamCall;
//0045DAA5  mov         eax, dword ptr[Addr]
//0045DAA8  mov         ecx, dword ptr[eax]
//0045DAAA  mov         dword ptr[addr], ecx
//Message() address is 0x00401040
void AsmMessageBoxA(PParamCall Addr)
{
    HANDLE handle = NULL;
    const char* Text = Addr->Text;
    const char* Title = "Inline";
    int style = MB_OK;
    DWORD* addr = NULL;
    __asm {
        mov  eax, dword ptr[Addr]//Addr==eax
        mov  ecx, dword ptr[eax]
        push style
        push Title
        push Text
        push handle
        call ecx
    }
}

int main(int argc, char** argv)
{
    ParamCall mParam;
    mParam.addr = 0x75B8B730;
    mParam.hWnd = NULL;
    mParam.Text = "Text";
    mParam.Caption = "title";
    mParam.uType = 2;
    AsmMessageBoxA(&mParam);
    return 0;
}

4.使用结构体传递参数并在其他程序中汇编调用MessageBoxA

  • 代码注入没有依赖库,只能调用程序已有库。
  • 项目需要设置为Realse
  • char*类型的数据需要memcpy拷贝不能直接赋值
  • main.c(计算一个结构体偏移)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
//main.c
#include <windows.h>
#include <stdio.h>

typedef struct tagParamCall
{
    void* addr;
    UINT uType;
    HWND hWnd;
    char Text[MAXCHAR];
    char Caption[MAXCHAR];


}ParamCall, * PParamCall;

//Message() address is 0x00401040
void  AddSun(PParamCall Addr)
{
    int uType = 0;
    const char* Caption=Addr->Caption;
    DWORD* addr = Addr->addr;
    _asm {
        mov eax, [Addr]
        mov ecx,[eax+0x4]
        mov uType,ecx
        mov ecx,[addr]
        push uType
        push Caption
        push 0
        push 0
        call ecx

    }
}

void InjectCode(DWORD dwProcId, LPVOID mFunc)
{
    HANDLE hProcess, hThread;
    LPVOID mFuncAddr, mParamAddr;
    DWORD NumberOfByte;

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcId);
    mFuncAddr = VirtualAllocEx(hProcess, NULL, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProcess, mFuncAddr, mFunc, 1024, &NumberOfByte);
    ParamCall mParam;
    mParam.addr = &MessageBoxA;
    mParam.hWnd = NULL;
    memcpy(mParam.Text, "Text",strlen("Text"));
    memcpy(mParam.Caption, "title", strlen("title"));
    mParam.uType = 1;
    printf("0x%X\n", sizeof(mParam.uType));
    mParamAddr = VirtualAllocEx(hProcess, NULL, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProcess, mParamAddr, &mParam, 1024, &NumberOfByte);
    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)mFuncAddr, mParamAddr, 0, &NumberOfByte);
    WaitForSingleObject(hThread, INFINITE);
    VirtualFreeEx(hProcess, mFuncAddr, 1024, MEM_RELEASE);
    VirtualFreeEx(hProcess, mParamAddr, 1024, MEM_RELEASE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
}

int main(int argc, char** argv)
{
    InjectCode(56736, AddSun);
    return 0;
}

  • main.c(计算二个结构体偏移)

  • 有bug,改动代码后程序失效,原因是AddSun中不能定义变量。

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    //main.c
    #include <windows.h>
    #include <stdio.h>

    typedef struct tagParamCall
    {
        DWORD addr;
        UINT uType;
        HWND hWnd;
        char Caption[256];
        char Text[256];



    }ParamCall, * PParamCall;

    //Message() address is 0x00401040
    void  AddSun(PParamCall Addr)
    {
        int uType;
        const char* Caption;
        char* Text;
        DWORD addr;
        __asm {
            mov eax, [Addr]
            mov ecx, [eax]
            mov [addr], ecx
            mov ecx, [eax + 0x4]
            mov uType, ecx
            lea ecx, [eax + 0xc]
            mov Caption, ecx
            lea ecx, [eax + 0x10C]
            mov Text, ecx
            push uType
            push Caption
            push Text
            push 0
            call addr

        }
    }

    void InjectCode(DWORD dwProcId, LPVOID mFunc)
    {
        HANDLE hProcess, hThread;
        LPVOID mFuncAddr, mParamAddr;
        DWORD NumberOfByte;

        hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcId);
        mFuncAddr = VirtualAllocEx(hProcess, NULL, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        WriteProcessMemory(hProcess, mFuncAddr, mFunc, 1024, &NumberOfByte);
        ParamCall mParam;
        mParam.addr = &MessageBoxA;
        mParam.hWnd = NULL;
        memcpy(mParam.Text, "Text", strlen("Text")+1);
        memcpy(mParam.Caption, "title", strlen("title")+1);
        mParam.uType = 2;
        printf("0x%X\n", sizeof(mParam.uType));
        mParamAddr = VirtualAllocEx(hProcess, NULL, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        WriteProcessMemory(hProcess, mParamAddr, &mParam, 1024, &NumberOfByte);
        hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)mFuncAddr, mParamAddr, 0, &NumberOfByte);
        WaitForSingleObject(hThread, INFINITE);
        VirtualFreeEx(hProcess, mFuncAddr, 1024, MEM_RELEASE);
        VirtualFreeEx(hProcess, mParamAddr, 1024, MEM_RELEASE);
        CloseHandle(hThread);
        CloseHandle(hProcess);
    }

    int main(int argc, char** argv)
    {

        InjectCode(93680, AddSun);
        return 0;
    }

6.C语言使用函数指针在其他程序中调用MessageBoxA

1.根据函数指针调用MessageBoxA

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
//main.c
#include <windows.h>
#include <stdio.h>


void  AddSun()
{
    int uType;
    const char* Caption;
    char* Text;
    DWORD addr;
    // 获取 MessageBoxA 函数的地址
    typedef int (WINAPI* MessageBoxA_t)(HWND, LPCSTR, LPCSTR, UINT);
    MessageBoxA_t pMessageBoxA = (MessageBoxA_t)&MessageBoxA;
    // 调用 MessageBoxA 函数
    pMessageBoxA(NULL, "Hello, World!", "My Message Box", MB_OK);
}

int main(int argc, char** argv)
{

    AddSun();
    return 0;
}

2.根据函数指针动态调用MessageBoxA并通过结构体传递参数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
//main.c
#include <windows.h>
#include <stdio.h>

typedef struct tagParamCall
{
    DWORD addr;
    UINT uType;
    HWND hWnd;
    char Caption[256];
    char Text[256];

}ParamCall, * PParamCall;

void  AddSun(PParamCall Addr)
{
    // 获取 MessageBoxA 函数的地址
    typedef int (WINAPI* MessageBoxA_t)(HWND, LPCSTR, LPCSTR, UINT);
    MessageBoxA_t pMessageBoxA = (MessageBoxA_t)Addr->addr;
    // 调用 MessageBoxA 函数
    pMessageBoxA(Addr->hWnd, Addr->Text, Addr->Caption, Addr->uType);
}

int main(int argc, char** argv)
{
    ParamCall mParam;
    mParam.addr = &MessageBoxA;
    mParam.hWnd = NULL;
    mParam.uType = MB_OK;
    memcpy(mParam.Text, "Text", strlen("Text") + 1);
    memcpy(mParam.Caption, "title", strlen("title") + 1);
    AddSun(&mParam);
    return 0;
}

3.使用函数指针在其他程序中调用MessageBoxA

需要release模式编译

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
//main.c
#include <windows.h>
#include <stdio.h>

typedef struct tagParamCall
{
    DWORD addr;
    UINT uType;
    HWND hWnd;
    char Caption[256];
    char Text[256];
}ParamCall, * PParamCall;

void  AddSun(PParamCall Addr)
{
    // 获取 MessageBoxA 函数的地址
    typedef int (WINAPI* MessageBoxA_t)(HWND, LPCSTR, LPCSTR, UINT);
    MessageBoxA_t pMessageBoxA = (MessageBoxA_t)Addr->addr;
    // 调用 MessageBoxA 函数
    pMessageBoxA(Addr->hWnd, Addr->Text, Addr->Caption, Addr->uType);
}

void InjectCode(DWORD dwProcId, LPVOID mFunc)
{
    HANDLE hProcess, hThread;
    LPVOID mFuncAddr, mParamAddr;
    DWORD NumberOfByte;

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcId);
    mFuncAddr = VirtualAllocEx(hProcess, NULL, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProcess, mFuncAddr, mFunc, 1024, &NumberOfByte);
    ParamCall mParam;
    mParam.addr = &MessageBoxA;
    mParam.hWnd = NULL;
    mParam.uType = 2;
    memcpy(mParam.Text, "Text", strlen("Text") + 1);
    memcpy(mParam.Caption, "title", strlen("title") + 1);
    printf("0x%X\n", sizeof(mParam.uType));
    mParamAddr = VirtualAllocEx(hProcess, NULL, 1024, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    WriteProcessMemory(hProcess, mParamAddr, &mParam, 1024, &NumberOfByte);
    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)mFuncAddr, mParamAddr, 0, &NumberOfByte);
    WaitForSingleObject(hThread, INFINITE);
    VirtualFreeEx(hProcess, mFuncAddr, 1024, MEM_RELEASE);
    VirtualFreeEx(hProcess, mParamAddr, 1024, MEM_RELEASE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
}

int main(int argc, char** argv)
{
    InjectCode(93112, AddSun);
    return 0;
}