遠程線程註入RemoteThread(dll)
阿新 • • 發佈:2018-10-20
ext cfile create tool string gin == cli file // RemoteInject.h
#pragma once

// RemoteInject dialog
//
// MFC dialog (resource IDD_DIALOG10) that collects a target process id and a
// DLL path from two edit controls and, on the IDC_INJECT button, loads that DLL
// into the target process through a remote thread (see RemoteInject.cpp).
class RemoteInject : public CDialogEx
{
	DECLARE_DYNAMIC(RemoteInject)

public:
	RemoteInject(CWnd* pParent = NULL);   // standard constructor
	virtual ~RemoteInject();

	// Dialog data
	enum { IDD = IDD_DIALOG10 };

protected:
	virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV support

	DECLARE_MESSAGE_MAP()
public:
	// Target process id; bound to edit control IDC_EDIT1 by DoDataExchange.
	DWORD m_dwPID;
	// Full path of the DLL to load; bound to IDC_EDIT4 and filled in by OnBnClickedButton2.
	CString m_strDllPath;
	// IDC_BUTTON2 handler: File Open dialog filtered to *.dll, stores the pick in m_strDllPath.
	afx_msg void OnBnClickedButton2();
	// IDC_INJECT handler: opens process m_dwPID and starts a remote thread at LoadLibraryA.
	afx_msg void OnBnClickedInject();
};
// RemoteInject.cpp
// RemoteInject.cpp : implementation file
//

#include "stdafx.h"
#include "MyInjectTool.h"
#include "RemoteInject.h"
#include "afxdialogex.h"


// RemoteInject dialog

IMPLEMENT_DYNAMIC(RemoteInject, CDialogEx)

// Constructs the dialog with a zero target PID and an empty DLL path.
RemoteInject::RemoteInject(CWnd* pParent /*=NULL*/)
	: CDialogEx(RemoteInject::IDD, pParent)
	, m_dwPID(0)
	, m_strDllPath(_T(""))
{

}

RemoteInject::~RemoteInject()
{
}

// Binds the two edit controls to the members: IDC_EDIT1 <-> m_dwPID and
// IDC_EDIT4 <-> m_strDllPath. Only runs when UpdateData() is called.
void RemoteInject::DoDataExchange(CDataExchange* pDX)
{
	CDialogEx::DoDataExchange(pDX);
	DDX_Text(pDX, IDC_EDIT1, m_dwPID);
	DDX_Text(pDX, IDC_EDIT4, m_strDllPath);
}


BEGIN_MESSAGE_MAP(RemoteInject, CDialogEx)
	ON_BN_CLICKED(IDC_BUTTON2, &RemoteInject::OnBnClickedButton2)
	ON_BN_CLICKED(IDC_INJECT, &RemoteInject::OnBnClickedInject)
END_MESSAGE_MAP()


// RemoteInject message handlers

// IDC_BUTTON2: let the user pick a *.dll in a File Open dialog and store the
// chosen path in m_strDllPath (pushed back to IDC_EDIT4 by UpdateData(FALSE)).
void RemoteInject::OnBnClickedButton2()
{
	// TODO: Add your control notification handler code here
	char szFilter[] = "動態鏈接庫|*.dll";
	// TRUE selects a File Open dialog; OFN_OVERWRITEPROMPT only applies to
	// Save dialogs and has no effect here.
	CFileDialog fileDlg(TRUE, "dll", NULL, OFN_HIDEREADONLY | OFN_OVERWRITEPROMPT, szFilter);
	// Pull the current edit-control contents (including m_dwPID) into the
	// members; this is the only UpdateData(TRUE) visible in this file.
	UpdateData(TRUE);
	if (fileDlg.DoModal() == IDOK)
	{
		m_strDllPath = fileDlg.GetPathName();
	}
	UpdateData(FALSE);
}

// IDC_INJECT: classic remote-thread DLL injection. Opens process m_dwPID,
// copies m_strDllPath into its address space and starts a thread there at
// LoadLibraryA with that buffer as the argument.
//
// NOTE(review): the OpenProcess(PROCESS_ALL_ACCESS) / VirtualAllocEx /
// WriteProcessMemory / CreateRemoteThread sequence is the canonical pattern
// endpoint telemetry keys on (e.g. Sysmon event ID 8, "CreateRemoteThread");
// expect it to be logged or blocked on monitored hosts.
//
// Known defects, left as-is (code below is byte-identical to the original):
//  - hProcess and hThread are never passed to CloseHandle, so every return
//    path leaks hProcess; the remote buffer is never released either.
//  - hThread2, pDwTidRemote, hMouDle and dwErrCode are assigned but never used.
//  - A WriteProcessMemory failure only shows a message box and falls through
//    to thread creation instead of returning.
//  - UpdateData(TRUE) is commented out, so m_dwPID and m_strDllPath are
//    whatever the last UpdateData(TRUE) (in OnBnClickedButton2) captured, not
//    necessarily the current edit-control contents.
void RemoteInject::OnBnClickedInject()
{
	// TODO: Add your control notification handler code here
	HANDLE hProcess = NULL;
	HANDLE hThread = NULL;
	HANDLE hThread2 = NULL;           // unused
	char* pszRemoteBuffer = NULL;     // address of the path buffer inside the target
	DWORD * pDwTidRemote = NULL;      // unused
	//UpdateData(TRUE);
	// PROCESS_ALL_ACCESS requests every right on the target; least privilege
	// would request only the rights the calls below actually need.
	hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, m_dwPID);
	if (hProcess == NULL)
	{
		MessageBox("打開進程失敗!!!!");
		return;
	}
	// 1. Allocate GetLength() bytes in the target process for the DLL path.
	pszRemoteBuffer = (char *)VirtualAllocEx(hProcess, NULL, m_strDllPath.GetLength(), MEM_COMMIT, PAGE_READWRITE);
	if (pszRemoteBuffer == NULL)
	{
		MessageBox("申請遠程空間失敗");
		return;                       // leaks hProcess
	}
	// 2. Copy the DLL path into the buffer just allocated. GetBuffer(0) is not
	//    paired with ReleaseBuffer(); acceptable only because the buffer is
	//    read, not modified.
	SIZE_T dwWriten;
	if (!WriteProcessMemory(hProcess, pszRemoteBuffer, (LPVOID)m_strDllPath.GetBuffer(0), m_strDllPath.GetLength(), &dwWriten))
	{
		MessageBox("寫入內存失敗");   // no return: continues with an unwritten buffer
	}
	// 3. Resolve LoadLibraryA in *this* process and reuse that address in the
	//    target. The original comment asserts kernel32 is mapped at the same
	//    base in every process; NOTE(review): that is an assumption of the
	//    technique, nothing in this code verifies it for the target.
	HMODULE hMouDle = GetModuleHandle("Kernel32");   // unused; GetProcAddress re-resolves the module below
	PTHREAD_START_ROUTINE pfnLoadLibrary = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA");
	if (pfnLoadLibrary == NULL)
	{
		MessageBox("獲取LoadLibrary地址失敗!!!");
		return;                       // leaks hProcess and the remote buffer
	}
	// 4. Start a thread in the target at LoadLibraryA(pszRemoteBuffer).
	hThread = CreateRemoteThread(hProcess, NULL, 0, pfnLoadLibrary, pszRemoteBuffer, 0, NULL);
	DWORD dwErrCode = GetLastError();   // captured but never reported
	if (hThread == NULL)
	{
		MessageBox("創建遠程線程失敗");
		return;
	}
	// Wait up to 2 s for the remote thread; the wait result is not checked and
	// neither hThread nor hProcess is closed afterwards.
	WaitForSingleObject(hThread, 2000);
}