
Windows下的dll注入(使用CreateRemoteThread)

話不多說,直接貼程式碼。

dll注入方式挺多,個人感覺比較方便的就是這個。效果很明顯,編譯執行階段就會被火絨攔截;手動新增信任才能正常執行。

需要注意的就是64位編譯出來,遠端注入的程式必須是64位,dll也必須是64位的;32位也必須統一。

還有就是注入系統程序貌似都是建立執行緒失敗,錯誤為5,大概是權限不足吧。

這種方式框架就是這樣,都是Win32API,只需要知道基本呼叫就好了。

#include <windows.h>
#include <tlhelp32.h>
#include <memoryapi.h>
#include <iostream>
using namespace std;

// Module-level state shared by on_inject_clicked(), on_detatch_clicked() and main().
string dllNamea;   // full path of the DLL to load into the target; set in on_inject_clicked()
string procNamea;  // executable file name of the target process; set in on_inject_clicked()
DWORD pid;         // target process id returned by GetProcId(); 0 means "not found"

// Converts a wide (UTF-16) string to a newly allocated UTF-8 buffer.
// The buffer is allocated with new[] and ownership passes to the caller,
// who is responsible for delete[].
// NOTE(review): nothing in this file calls this function — its only use, in
// GetProcId(), is commented out. The result of the first WideCharToMultiByte()
// call is not checked for 0 (failure), and wcslen()'s size_t is narrowed to int.
char* wideCharToMultiByte(wchar_t* pWCStrKey)
{
    // First call: with a NULL output buffer the API only reports the number of
    // bytes the converted single-byte string needs, which sizes the allocation.
    int pSize = WideCharToMultiByte(CP_UTF8, 0, pWCStrKey, wcslen(pWCStrKey), NULL, 0, NULL, NULL);
    char* pCStrKey = new char[pSize+1];
    // Second call: perform the actual wide -> multibyte conversion into the buffer.
    WideCharToMultiByte(CP_UTF8, 0, pWCStrKey, wcslen(pWCStrKey), pCStrKey, pSize, NULL, NULL);
    pCStrKey[pSize] = '\0';   // wcslen() excludes the terminator, so the API does not write one
    // qDebug()<<"cstrkey "<<pCStrKey;
    return pCStrKey;
    // To obtain a std::string, assign the result directly:
    //string pKey = pCStrKey;
}

// Enumerates all running processes through a Toolhelp snapshot and returns the
// id of the first one whose executable file name equals procName, or 0 when
// none matches. Every process name seen is echoed to stdout on the way.
// NOTE(review): hSnap is never passed to CloseHandle() on either return path
// (handle leak), and it is not checked against INVALID_HANDLE_VALUE before
// Process32First() is called with it.
// NOTE(review): szExeFile is a TCHAR array; the plain (char*) cast only yields a
// usable string when the project is built without UNICODE — presumably the
// case here, since the author reports the comparison working.
DWORD GetProcId(string procName)
{
    BOOL bRet;
    PROCESSENTRY32 pe32;
    HANDLE hSnap;
    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    pe32.dwSize = sizeof(pe32);   // Process32First() requires dwSize to be set before the call
    bRet = Process32First(hSnap,&pe32);
    char* array;
    WCHAR* ff;   // unused; only referenced by the commented-out line below
    string arr;
    while(bRet)
    {
        array = (char*)pe32.szExeFile;
        // array = wideCharToMultiByte(ff);
        cout<<"array = "<<array<<endl;
        arr = array;
        if(procName == arr)   // exact, case-sensitive comparison of the file name only
        {
            cout<<"找到了"<<endl;
            return pe32.th32ProcessID;
        }
        bRet = Process32Next(hSnap,&pe32);
    }
    return 0;
}

// Loads dllName into process pid by creating a remote thread that runs
// kernel32!LoadLibraryA with the DLL path as its single argument. Returns
// nothing; failures are visible only through the early returns and the
// diagnostic output below.
//
// This is the classic remote-thread injection sequence
// (OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread),
// and that API chain is a well-known detection pattern for endpoint protection
// — which matches the article's note that the AV blocked the program until it
// was explicitly trusted.
//
// NOTE(review): the address of LoadLibraryA is resolved in *this* process via
// GetProcAddress() and reused in the target; that only works when kernel32 is
// mapped at the same base in both, hence the article's requirement that the
// injector, the target and the DLL all share the same bitness.
// NOTE(review): defects in this block that the page does not address:
//  - writeNum is a DWORD but is passed as SIZE_T*; on a 64-bit build
//    WriteProcessMemory() stores 8 bytes into a 4-byte object (stack corruption).
//  - dllLen omits the terminating NUL; the remote string is terminated only
//    because freshly committed VirtualAllocEx() pages are zero-filled.
//  - "注入成功" is printed right after VirtualAllocEx() succeeds, before the
//    write and the remote thread — the message is premature.
//  - the remote allocation pDllAddr is never released with VirtualFreeEx().
//  - PROCESS_ALL_ACCESS is far broader than the calls below need (least
//    privilege); the error 5 the article reports comes from the
//    CreateRemoteThread() branch, so OpenProcess() itself succeeded there.
//  - pFunName should be const char*; binding a string literal to char* is
//    ill-formed in standard C++11 and later.
void InjectDll(DWORD pid,string dllName)   // parameter shadows the global pid
{
    if(pid==0||dllName.length()==0)
    {
        return;
    }
    char* pFunName = "LoadLibraryA";
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid);
    if(hProcess==NULL)
    {
        return;
    }
    int dllLen = dllName.length();   // byte count without the trailing NUL
    // Reserve writable memory in the target to hold the DLL path.
    PVOID pDllAddr = VirtualAllocEx(hProcess,NULL,dllLen,MEM_COMMIT,PAGE_READWRITE);
    if(pDllAddr ==NULL)
    {
        CloseHandle(hProcess);
        return;
    }
    cout<<"注入成功"<<endl;   // literally "injection succeeded" — printed before the injection has happened
    DWORD writeNum = 0;
    // Copy the path into the target; the BOOL result is printed, not acted on.
    cout<<WriteProcessMemory(hProcess,(LPVOID)pDllAddr,(LPCVOID)dllName.c_str(),(SIZE_T)dllLen,(SIZE_T *)&writeNum)<<endl;
    // In practice kernel32 shares one base across processes of the same bitness
    // for a boot session, so the local address of LoadLibraryA is reused remotely.
    FARPROC pFunAddr = GetProcAddress(GetModuleHandleA("kernel32.dll"),pFunName);
    cout<<pDllAddr<<endl;
    cout<<pFunAddr<<endl;
    // The remote thread's start routine is LoadLibraryA and its parameter is the
    // remote copy of the path, so the target process loads the DLL itself.
    HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)pFunAddr,pDllAddr,0,NULL);
    cout<<"hthread = "<<hThread<<endl;
    if(hThread)
    {
        WaitForSingleObject(hThread,INFINITE);   // block until LoadLibraryA returns in the target
        CloseHandle(hThread);
    }
    else
    {
        cout<<GetLastError()<<endl;   // e.g. the error 5 the article reports for system processes
    }
    CloseHandle(hProcess);
}

// Hard-coded test configuration: sets the DLL path and target name, resolves
// the pid and performs the injection. The commented-out lines are earlier test
// targets left by the author.
// NOTE(review): pid == 0 (process not found) is printed but not treated as an
// error here; InjectDll() silently returns in that case.
void on_inject_clicked()
{
    // dllNamea = "C:\\Users\\17724\\Desktop\\dll4\\dllTest.dll";
    // dllNamea = "C:\\Users\\17724\\Desktop\\dll2\\dllTesta.dll";
    // procNamea = "Everything.exe";
    dllNamea = "C:\\Users\\17724\\Desktop\\dllTest\\myTest.dll";
    procNamea = "test.exe";
    pid = GetProcId(procNamea);
    cout<<"pid = "<<pid<<endl;
    InjectDll(pid,dllNamea);
}

// Reverse of InjectDll(): looks up the module handle of dllName inside process
// pid via a module snapshot, then runs kernel32!FreeLibrary on that handle in a
// remote thread so the target unloads the DLL.
// NOTE(review): defects in this block that the page does not address:
//  - the enumeration starts with Module32Next() instead of Module32First(), so
//    the documented First/Next protocol is not followed and the first entry
//    may be skipped.
//  - if no module matches, the loop ends with me32 holding whatever entry was
//    enumerated last (or only dwSize, if none was) and its hModule is still
//    passed to FreeLibrary in the target — an unrelated module may be unloaded.
//  - hSnap is not checked against INVALID_HANDLE_VALUE and hThread is not
//    checked for NULL before WaitForSingleObject()/CloseHandle().
//  - szExePath carries the same TCHAR/(char*) caveat as szExeFile in
//    GetProcId(), and the path comparison is exact and case-sensitive.
void UninjectDll(DWORD pid, string dllName)
{
    if(pid==0||dllName.length()==0)
    {
        return;
    }
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,pid);   // modules of the target, not of this process
    MODULEENTRY32 me32;
    me32.dwSize = sizeof(me32);
    BOOL bRet = Module32Next(hSnap,&me32);
    char* array;
    WCHAR* ff;   // unused
    string arr;
    while(bRet)
    {
        array = (char*)me32.szExePath;
        arr = array;
        if(dllName == arr)
        {
            cout<<"也找到了"<<endl;
            break;   // me32.hModule now refers to the injected DLL
        }
        bRet = Module32Next(hSnap,&me32);
    }
    CloseHandle(hSnap);
    char* pFunName = "FreeLibrary";
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid);
    if(hProcess==NULL)
    {
        return;
    }
    // Same local-address-reuse assumption as in InjectDll().
    FARPROC pFunAddr = GetProcAddress(GetModuleHandleA("kernel32.dll"),pFunName);
    // HMODULE is the module's base address in the target, so it is passed
    // straight through as the FreeLibrary argument there.
    HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)pFunAddr,me32.hModule,0,NULL);
    WaitForSingleObject(hThread,INFINITE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
}

// Unloads the DLL chosen in on_inject_clicked() from the same target process.
// NOTE(review): uses whatever pid/dllNamea hold at the time; if injection never
// happened (pid == 0) UninjectDll() simply returns.
void on_detatch_clicked()
{
    UninjectDll(pid,dllNamea);
}

// Injects once at start-up, then waits for the operator to type 5 to unload.
// NOTE(review): there is no exit path; once cin fails (non-numeric input or
// EOF) every subsequent `cin>>num` fails immediately and the loop spins at
// full speed. Typing 5 repeatedly re-runs UninjectDll() with the same arguments.
int main()
{
    on_inject_clicked();
    int num;   // uninitialized until the first successful read
    while(true)
    {
        cin>>num;
        if(num == 5)
        {
            on_detatch_clicked();
        }
    }
}