线程代码注入 无dll版本


//Data block handed to the remote thread (the single `param` of rthread).
//The copied thread code cannot use the injector's import table, so every
//address and string it needs is resolved/filled here and passed by value.
typedef  struct __shared
{
	//kernel32 exports, resolved with GetProcAddress in test_remote3 and
	//stored as DWORD (32 bits): assumes a 32-bit build -- on x64 the
	//pointer-to-DWORD casts truncate. NOTE(review): `__shared` is a
	//reserved identifier (leading double underscore).
	DWORD loadlib;           //LoadLibraryA
	DWORD getprocaddr;       //GetProcAddress
	DWORD getmodulefilename; //GetModuleFileNameA

	//user32: names handed to LoadLibraryA/GetProcAddress plus the text
	//shown by MessageBoxA. Kept inside the struct (not as literals) so the
	//remote code does not reference the injector's own string data.
	//Each buffer is 20 bytes including the NUL terminator.
	char user32dll[20];
	char msgbox[20];
	char output[20];
} shared;

//Remote thread body. test_remote3 copies the bytes starting at this
//function into the target process and starts them with CreateRemoteThread,
//passing a pointer to the copied `shared` as `param`. Because it runs from
//a raw copy, it must not contain absolute references into the injector's
//image: it calls nothing by name, only through the addresses read from
//`param`, and uses just the constants MAX_PATH and MB_OK. Whether the
//compiler actually emits it that way depends on build settings; the
//source does not guarantee it. Shows a message box whose title is the
//target's own executable path.
//@param param  pointer, valid in the target's address space, to a `shared`
//@return always 0
DWORD  __stdcall  rthread(void * param)
{
    //Function-pointer types for the exports used below.
	typedef HMODULE(WINAPI *LoadLibFunc)(LPCSTR);
	typedef FARPROC(WINAPI * GetProcAddrFunc)(HMODULE,LPCSTR);
	typedef DWORD(WINAPI *GetModuleFileNameFunc)(HMODULE, LPSTR, DWORD);
	typedef int(WINAPI * MsgBoxFunc)(HWND,LPSTR,LPSTR,UINT); //MessageBoxA (LPSTR where the API takes LPCSTR; harmless here)

	shared * pshared = (shared*)param;
    //LoadLibraryA, address supplied by the injector
	LoadLibFunc LoadLib = (LoadLibFunc)pshared->loadlib;

    //GetProcAddress, address supplied by the injector
	GetProcAddrFunc procFunc = (GetProcAddrFunc)pshared->getprocaddr;

    //GetModuleFileNameA: NULL module -> path of the target's main executable.
	GetModuleFileNameFunc moduleName = (GetModuleFileNameFunc)pshared->getmodulefilename;
	char filename[MAX_PATH];
	moduleName(NULL, filename, MAX_PATH); //return value (0 on failure) is not checked

    //Load user32 inside the target and resolve MessageBoxA by name.
	HMODULE hUser32 = LoadLib(pshared->user32dll);
	MsgBoxFunc msgBox = (MsgBoxFunc)procFunc(hUser32, pshared->msgbox); //neither hUser32 nor msgBox is NULL-checked
	msgBox(NULL, pshared->output, filename, MB_OK);
	

	return 0;
}
//Injects rthread into process `pid` and waits for it to finish.
//Sequence: OpenProcess -> VirtualAllocEx(PAGE_READWRITE) + WriteProcessMemory
//for the `shared` data, VirtualAllocEx(PAGE_EXECUTE_READWRITE) +
//WriteProcessMemory for the code, then CreateRemoteThread. This is the
//textbook remote-thread injection pattern; these calls, with RWX memory
//created in another process, are exactly what endpoint monitoring and EDR
//telemetry commonly flag. Failures are only printed, not acted on: every
//step still runs even when an earlier one failed.
//@param pid  id of the target process
void test_remote3(DWORD pid)
{
	HANDLE hPro = OpenProcess(PROCESS_CREATE_THREAD |
		PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE,
		FALSE, pid
		);
	//NOTE(review): OpenProcess returns NULL on failure, not
	//INVALID_HANDLE_VALUE, so this check never triggers.
	if (INVALID_HANDLE_VALUE == hPro)
		return;
	shared sh = {0};

    //Resolve the kernel32 exports in this process; the code assumes the
    //same addresses are valid inside the target.
	sh.loadlib = (DWORD)GetProcAddress(GetModuleHandle(TEXT("Kernel32.dll")),"LoadLibraryA");
	sh.getprocaddr = (DWORD)GetProcAddress(GetModuleHandle(TEXT("Kernel32.dll")), "GetProcAddress");
	sh.getmodulefilename = (DWORD)GetProcAddress(GetModuleHandle(TEXT("Kernel32.dll")), "GetModuleFileNameA");

    //Copy the module/function names and the message text used by the
    //remote thread; each literal fits the 20-byte buffers.
	strcpy(sh.user32dll, "user32.dll");
	strcpy(sh.msgbox, "MessageBoxA");
	strcpy(sh.output, "hey,fuck u");

    //Allocate a RW page in the target for the data block (result not checked).
	void* alloc = VirtualAllocEx(hPro, NULL, sizeof(shared), MEM_COMMIT, PAGE_READWRITE);
	printf("alloc:%p\n", alloc);
	DWORD writeBytes = 0;
        
    //Copy `sh` into the target.
	BOOL ret = WriteProcessMemory(hPro, alloc, (void*)&sh, sizeof(shared), &writeBytes);
	printf("writebytes : %d, ret:%d\n", writeBytes, ret);

	//32 KiB: a fixed guess, not the size of rthread. The copy below reads
	//this many bytes starting at rthread out of the injector's own image.
	DWORD codeSize = 1<<15;

    //Allocate RWX memory in the target and copy the thread code into it.
	void *lpcode = VirtualAllocEx(hPro, NULL,codeSize ,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
	printf("lpcode:%p\n", lpcode);
	ret = WriteProcessMemory(hPro, lpcode,&rthread, codeSize, &writeBytes);
	printf("writebytes:%d , ret = %d\n ", writeBytes, ret);
	if (!ret){
		printf("err:%d\n", GetLastError());
	}
	//Entry point = the copied code, thread argument = the copied data.
	HANDLE th = CreateRemoteThread(hPro, NULL, 0, 
		(LPTHREAD_START_ROUTINE)lpcode, alloc, 0, NULL);
	//NOTE(review): CreateRemoteThread also returns NULL on failure, so this
	//check never triggers either.
	if (INVALID_HANDLE_VALUE == th){
		printf("thread :%p\n", th);
	}
	WaitForSingleObject(th, -1); //-1 == INFINITE
	//hPro and th are never passed to CloseHandle: both handles leak.
}

 
