updates and moves

n/a
2026-06-15 15:29:23 +00:00 · 2022-04-11 20:00:13 -05:00
parent 1275ea2e03
commit 900263ea6f
809 changed files with 149115 additions and 1594 deletions
@@ -0,0 +1,26 @@
+
+Microsoft Visual Studio Solution File, Format Version 11.00
+# Visual Studio 2010
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "InjectDllBySetThreadContextx64", "InjectDllBySetThreadContextx64\InjectDllBySetThreadContextx64.vcxproj", "{A30978AA-ED87-42CC-9A57-5E52A67FF248}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Debug|x64 = Debug|x64
+		Release|Win32 = Release|Win32
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{A30978AA-ED87-42CC-9A57-5E52A67FF248}.Debug|Win32.ActiveCfg = Debug|Win32
+		{A30978AA-ED87-42CC-9A57-5E52A67FF248}.Debug|Win32.Build.0 = Debug|Win32
+		{A30978AA-ED87-42CC-9A57-5E52A67FF248}.Debug|x64.ActiveCfg = Debug|x64
+		{A30978AA-ED87-42CC-9A57-5E52A67FF248}.Debug|x64.Build.0 = Debug|x64
+		{A30978AA-ED87-42CC-9A57-5E52A67FF248}.Release|Win32.ActiveCfg = Release|Win32
+		{A30978AA-ED87-42CC-9A57-5E52A67FF248}.Release|Win32.Build.0 = Release|Win32
+		{A30978AA-ED87-42CC-9A57-5E52A67FF248}.Release|x64.ActiveCfg = Release|x64
+		{A30978AA-ED87-42CC-9A57-5E52A67FF248}.Release|x64.Build.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
@@ -0,0 +1,356 @@
+// InjectDllBySetThreadContextx64.cpp : 定义控制台应用程序的入口点。
+//
+
+#include "stdafx.h"
+
+#include <iostream>
+using namespace std;
+#include <windows.h>
+#include "tlhelp32.h"
+BYTE ShellCode[64]=
+{
+    0x60,
+    0x9c,
+    0x68,               //push
+    0xaa,0xbb,0xcc,0xdd,//dll path  +3  dll最目标进程中的地址
+    0xff,0x15,          //call     这里感觉有点乱，我在64下直接call 相对地址 
+    0xdd,0xcc,0xbb,0xaa,//+9 LoadLibrary Addr  Addr
+    0x9d,
+    0x61,
+    0xff,0x25,          //jmp
+    0xaa,0xbb,0xcc,0xdd,// +17  jmp  eip
+    0xaa,0xaa,0xaa,0xaa,// loadlibrary addr
+    0xaa,0xaa,0xaa,0xaa//  jmpaddr  +25
+
+    //  +29
+}; 
+
+/*
+{
+00973689 >    60                PUSHAD
+0097368A      9C                PUSHFD
+0097368B      68 50369700       PUSH notepad.00973650
+00973690      FF15 70369700     CALL DWORD PTR DS:[973670]
+00973696      9D                POPFD
+00973697      61                POPAD
+00973698    - FF25 30369700     JMP DWORD PTR DS:[973630]
+}
+*/
+
+BYTE ShellCode64[64]=
+{
+    0x48,0x83,0xEC,0x28,  // sub rsp ,28h
+
+    0x48,0x8D,0x0d,       // [+4] lea rcx,
+    0xaa,0xbb,0xcc,0xdd,  // [+7] dll path offset =  TargetAddress- Current(0x48)[+4] -7 
+
+    0x48, 0xB8,
+    0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+    0xff, 0xd0,
+
+    0x48,0x83,0xc4,0x28,  // [+16] add rsp,28h
+    //0xcc, 调试时断下来的int 3 正常运行的时候非常傻逼的没有请掉...难怪一直死
+    0xff,0x25,            // [+20]
+    0xaa,0xbb,0xcc,0xdd,  // [+22] jmp rip offset  = TargetAddress - Current(0xff)[+20] - 6
+
+    0xaa,0xbb,0xcc,0xdd,  //+26
+    0xaa,0xbb,0xcc,0xdd   
+    //+34
+};
+
+BOOL EnableDebugPriv() ;
+BOOL StartHook(HANDLE hProcess,HANDLE hThread);
+
+
+DWORD main_GetProcessIdByName(LPWSTR pszProcessName, PDWORD pdwProcessId)
+{
+    DWORD dwProcessId = 0;
+    HANDLE hSnapshot = NULL;
+    PROCESSENTRY32 pe = { 0 };
+    DWORD eReturn = 0;
+
+    hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+    if (NULL == hSnapshot)
+    {
+        eReturn = -1;
+        printf("CreateToolhelp32Snapshot error. GLE: %d.", GetLastError());
+        goto lblCleanup;
+    }
+
+    pe.dwSize = sizeof(PROCESSENTRY32);
+    if (FALSE == Process32First(hSnapshot, &pe))
+    {
+        eReturn = -1;
+        printf("Process32First error. GLE: %d.", GetLastError());
+        goto lblCleanup;
+    }
+
+    do
+    {
+        if (NULL != wcsstr(pe.szExeFile, pszProcessName))
+        {
+            dwProcessId = pe.th32ProcessID;
+            break;
+        }
+    } while (Process32Next(hSnapshot, &pe));
+
+    if (0 == dwProcessId)
+    {
+        printf("[*] Process '%S' could not be found.\n\n\n", pszProcessName);
+        eReturn = -1;
+        goto lblCleanup;
+    }
+
+    printf("[*] Found process '%S'. PID: %d (0x%X).\n\n\n", pszProcessName, dwProcessId, dwProcessId);
+    *pdwProcessId = dwProcessId;
+    eReturn = 0;
+
+lblCleanup:
+    if ((NULL != hSnapshot) && (INVALID_HANDLE_VALUE != hSnapshot))
+    {
+        CloseHandle(hSnapshot);
+        hSnapshot = NULL;
+    }
+    return eReturn;
+
+}
+
+int _tmain(int argc, _TCHAR* argv[])
+{
+    EnableDebugPriv() ;
+
+    DWORD ProcessId = 0;
+#ifdef _WIN64
+    main_GetProcessIdByName(L"targetx64.exe", &ProcessId);
+#else
+    main_GetProcessIdByName(L"target.exe", &ProcessId);
+#endif
+    
+
+    HANDLE Process = OpenProcess(PROCESS_ALL_ACCESS,NULL,ProcessId);
+    if(Process == NULL)
+    {
+        printf("OpenProcess Fail LastError [%d]\n", GetLastError());
+        getchar();
+        return 0;
+    }
+    printf("Open Process [%d] OK.\n", ProcessId);
+
+    THREADENTRY32 te32 = {sizeof(THREADENTRY32)} ;  
+    HANDLE hThreadSnap = CreateToolhelp32Snapshot (TH32CS_SNAPTHREAD, 0) ;  
+    if ( hThreadSnap == INVALID_HANDLE_VALUE )  
+    {
+        printf("CreateToolhelp32Snapshot fail LastError [%d]\n", GetLastError());
+        getchar();
+        return FALSE;  
+    }
+
+    if (Thread32First(hThreadSnap, &te32))  
+    {  
+        do{  
+            if(te32.th32OwnerProcessID == ProcessId)
+            {
+                HANDLE Thread = OpenThread(THREAD_ALL_ACCESS,NULL,te32.th32ThreadID);
+                if(Thread == NULL)
+                {
+                    printf("OpenThread Failed LastError [%d]\n", GetLastError());
+                    break;
+                }
+                SuspendThread(Thread);
+
+                printf("start Hook.\n");
+                if (!StartHook(Process,Thread))
+                {
+                    printf("失败\n");
+                    getchar();
+                }
+                else
+                {
+                    CloseHandle(Thread);
+                    break;
+                }
+                CloseHandle(Thread);
+            }        
+        }while(Thread32Next(hThreadSnap, &te32));  
+    }  
+    CloseHandle(Process);
+    CloseHandle(hThreadSnap);  
+
+    getchar();
+}
+
+BYTE *DllPath;
+BOOL StartHook(HANDLE hProcess,HANDLE hThread)
+{
+#ifdef _WIN64 
+    CONTEXT ctx;
+    ctx.ContextFlags=CONTEXT_ALL;
+    if (!GetThreadContext(hThread,&ctx))
+    {
+        printf("GetThreadContext Error LastError [%d]\n", GetLastError());
+        return FALSE;
+    }
+
+    printf("getThreadContext OK.\n");
+    LPVOID LpAddr=VirtualAllocEx(hProcess,NULL,64,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
+    if (LpAddr==NULL)
+    {
+        printf("VirtualAlloc Error LastError [%d]\n", GetLastError());
+        return FALSE;
+    }
+    DWORD64 LoadDllAAddr=(DWORD64)GetProcAddress(GetModuleHandle(L"kernel32.dll"),"LoadLibraryA");
+    if (LoadDllAAddr==NULL)
+    {
+        printf("LoadDllAddr error LastError [%d]\n", GetLastError());
+        return FALSE;
+    }
+    /*
+
+    0x48,0x83,0xEC,0x28,  //sub rsp ,28h
+
+    0x48,0x8D,0x0d,       // [+4] lea rcx,
+    0xaa,0xbb,0xcc,0xdd,  // [+7] dll path offset =  TargetAddress- Current(0x48)[+4] -7 
+
+    0x48, 0xB8,           // [+11]mov rax,  ptr
+    0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc,
+    0xff, 0xd0,           // [+21] call rax
+
+    0x48,0x83,0xc4,0x28,  // [+23] add rsp,28h
+
+    0xff,0x25,            // [+27]
+    0xaa,0xbb,0xcc,0xdd,  // [+29] jmp rip offset  = TargetAddress - Current(0xff)[+20] - 6
+
+    0xaa,0xbb,0xcc,0xdd,  //+33
+    0xaa,0xbb,0xcc,0xdd   
+    //+41
+    */
+    DllPath=ShellCode64+41;
+    strcpy((char*)DllPath,"Dllx64.dll");//这里是要注入的DLL名字
+    DWORD DllNameOffset = 30;// ((BYTE*)LpAddr+34) -((BYTE*)LpAddr+4) -7 这个指令7个字节
+    *(DWORD*)(ShellCode64+7)=(DWORD)DllNameOffset;
+    ////////////////
+    DWORD64 LoadDllAddroffset = (DWORD64)LoadDllAAddr;// - ((BYTE*)LpAddr + 11) -5;  //这个指令5个字节e8 + 4addroffset
+    *(DWORD64*)(ShellCode64+13)=LoadDllAddroffset;
+    //////////////////////////////////
+    
+    
+    *(DWORD64*)(ShellCode64+33)=ctx.Rip; //64下为rip
+    *(DWORD*)(ShellCode64+29)= (DWORD)0; //我将地址放在+26的地方，相对offset为0
+    
+//  这里因为这样写跳转不到目标地址，故x64 应该要中转一次  相对寻址
+//     DWORD Ds = (DWORD)ctx.SegDs;
+//     DWORD RipOffset = (BYTE*)ctx.Rip - ((BYTE*)LpAddr+20) -6;
+//     *(DWORD*)(ShellCode64+22)=(DWORD)ctx.Rip;
+
+    ////////////////////////////////////
+    if (!WriteProcessMemory(hProcess,LpAddr,ShellCode64,64,NULL))
+    {
+        printf("write Process Error LastError [%d]\n", GetLastError());
+        return FALSE;
+    }
+    ctx.Rip=(DWORD64)LpAddr;
+    if (!SetThreadContext(hThread,&ctx))
+    {
+        printf("set thread context error LastError [%d]\n", GetLastError());
+        return FALSE;
+    }
+
+    printf("SetThreadContext OK.\n");
+    ResumeThread(hThread);
+    return TRUE;
+    
+#else
+    CONTEXT ctx = {0};
+    ctx.ContextFlags=CONTEXT_ALL;
+    if (!GetThreadContext(hThread,&ctx))
+    {
+        printf("GetThreadContext Error LastError [%d]\n", GetLastError());
+        return FALSE;
+    }
+    printf("GetThreaxContext OK.\n");
+    LPVOID LpAddr=VirtualAllocEx(hProcess,NULL,64,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
+    if (LpAddr==NULL)
+    {
+        printf("VirtualAlloc Error LastError [%d]\n", GetLastError());
+        return FALSE;
+    }
+    DWORD LoadDllAAddr=(DWORD)GetProcAddress(GetModuleHandle(L"kernel32.dll"),"LoadLibraryA");
+    if (LoadDllAAddr==NULL)
+    {
+        printf("LoadDllAddr error LastError [%d]\n", GetLastError());
+        return FALSE;
+    }
+
+    /////////////
+    /*
+    0x60,              PUSHAD
+    0x9c,              PUSHFD
+    0x68,              PUSH 
+    0xaa,0xbb,0xcc,0xdd,//dll path  address  
+    0xff,0x15,            CALL
+    0xdd,0xcc,0xbb,0xaa,  offset  
+    0x9d,                  POPFD
+    0x61,                  POPAD
+    0xff,0x25,             JMP 
+    0xaa,0xbb,0xcc,0xdd,//  [xxxxx]
+    0xaa,0xaa,0xaa,0xaa,// LoadLibrary Address
+    0xaa,0xaa,0xaa,0xaa//  恢复的EIP  Address  
+                         // +29  Dll名字
+    */
+    _asm mov esp,esp
+    DllPath=ShellCode+29;
+    strcpy((char*)DllPath,"Dllx86.dll");//这里是要注入的DLL名字
+    *(DWORD*)(ShellCode+3)=(DWORD)LpAddr+29;
+    ////////////////
+    *(DWORD*)(ShellCode+21)=LoadDllAAddr;   //loadlibrary地址放入shellcode中
+    *(DWORD*)(ShellCode+9)=(DWORD)LpAddr+21;//修改call 之后的地址 为目标空间存放 loaddlladdr的地址
+    //////////////////////////////////
+    *(DWORD*)(ShellCode+25)=ctx.Eip;
+    *(DWORD*)(ShellCode+17)=(DWORD)LpAddr+25;//修改jmp 之后为原来eip的地址
+    ////////////////////////////////////
+    if (!WriteProcessMemory(hProcess,LpAddr,ShellCode,64,NULL))
+    {
+        printf("write Process Error LastError [%d]\n", GetLastError());
+        return FALSE;
+    }
+    ctx.Eip=(DWORD)LpAddr;
+    if (!SetThreadContext(hThread,&ctx))
+    {
+        printf("set thread context error LastError [%d]\n", GetLastError());
+        return FALSE;
+    }
+    printf("SetThreadContext OK.\n");
+    ResumeThread(hThread);
+    return TRUE;
+#endif
+    
+};
+
+BOOL EnableDebugPriv() 
+{
+    HANDLE   hToken; 
+    LUID   sedebugnameValue; 
+    TOKEN_PRIVILEGES   tkp;
+    if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken)) 
+    { 
+        return FALSE; 
+    } 
+
+    if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&sedebugnameValue)) 
+    { 
+        CloseHandle(hToken); 
+        return FALSE; 
+    } 
+    tkp.PrivilegeCount = 1; 
+    tkp.Privileges[0].Luid = sedebugnameValue; 
+    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 
+
+    if(!AdjustTokenPrivileges(hToken,FALSE,&tkp,sizeof(tkp),NULL,NULL)) 
+    { 
+        return FALSE; 
+    }   
+    CloseHandle(hToken); 
+    return TRUE;
+} 
+
+
@@ -0,0 +1,152 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{A30978AA-ED87-42CC-9A57-5E52A67FF248}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>InjectDllBySetThreadContextx64</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <None Include="ReadMe.txt" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="targetver.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="InjectDllBySetThreadContextx64.cpp" />
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="源文件">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="头文件">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="资源文件">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="ReadMe.txt" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h">
+      <Filter>头文件</Filter>
+    </ClInclude>
+    <ClInclude Include="targetver.h">
+      <Filter>头文件</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="stdafx.cpp">
+      <Filter>源文件</Filter>
+    </ClCompile>
+    <ClCompile Include="InjectDllBySetThreadContextx64.cpp">
+      <Filter>源文件</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>
@@ -0,0 +1,4 @@
+Inject 32 bit process by change eip to execute the shellcode which will load a dll
+Inject 64 bit process by change rip to execute the shellcode which will load a dll
+
+http://www.cnblogs.com/aliflycoris/p/5432621.html
@@ -0,0 +1,8 @@
+// stdafx.cpp : 只包括标准包含文件的源文件
+// InjectDllBySetThreadContextx64.pch 将作为预编译头
+// stdafx.obj 将包含预编译类型信息
+
+#include "stdafx.h"
+
+// TODO: 在 STDAFX.H 中
+// 引用任何所需的附加头文件，而不是在此文件中引用
@@ -0,0 +1,15 @@
+// stdafx.h : 标准系统包含文件的包含文件，
+// 或是经常使用但不常更改的
+// 特定于项目的包含文件
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include <stdio.h>
+#include <tchar.h>
+
+
+
+// TODO: 在此处引用程序需要的其他头文件
@@ -0,0 +1,8 @@
+#pragma once
+
+// 包括 SDKDDKVer.h 将定义可用的最高版本的 Windows 平台。
+
+// 如果要为以前的 Windows 平台生成应用程序，请包括 WinSDKVer.h，并将
+// WIN32_WINNT 宏设置为要支持的平台，然后再包括 SDKDDKVer.h。
+
+#include <SDKDDKVer.h>
@@ -0,0 +1,4 @@
+Inject 32 bit process by change eip to execute the shellcode which will load a dll
+Inject 64 bit process by change rip to execute the shellcode which will load a dll
+
+http://www.cnblogs.com/aliflycoris/p/5432621.html