Pnig0s1992:算是复习了,最经典的教科书式的Dll注入。
总结一下基本的注入过程,分为注入和卸载两部分
注入Dll:
1,OpenProcess获得要注入进程的句柄
2,VirtualAllocEx在远程进程中开辟出一段内存,长度为strlen(dllname)+1;
3,WriteProcessMemory将Dll的名字写入第二步开辟出的内存中。
4,CreateRemoteThread将LoadLibraryA作为线程函数,参数为Dll的名称,创建新线程
5,CloseHandle关闭线程句柄
卸载Dll:
1,CreateRemoteThread将GetModuleHandle注入到远程进程中,参数为被注入的Dll名
2,GetExitCodeThread将线程退出的退出码作为Dll模块的句柄值。
3,CloseHandle关闭线程句柄
4,CreateRemoteThread将FreeLibrary注入到远程进程中,参数为第二步获得的句柄值。
5,WaitForSingleObject等待对象句柄返回
6,CloseHandle关闭线程及进程句柄。
1: //Code By Pnig0s1992
2: //Date:2012,3,13
3: #include <stdio.h>
4: #include <Windows.h>
5: #include <TlHelp32.h>
6:
7:
8: DWORD getProcessHandle(LPCTSTR lpProcessName)// Look up the PID of the first running process whose image name equals lpProcessName. Despite the name this returns a PID, not a handle; 0 means "not found" or "snapshot failed".
9: {
10: DWORD dwRet = 0;
11: HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);// Snapshot of all processes in the system
12: if(hSnapShot == INVALID_HANDLE_VALUE)
13: {
14: printf("\n获得进程快照失败%d",GetLastError());
15: return dwRet;
16: }
17:
18: PROCESSENTRY32 pe32;// Process entry record filled in by the Toolhelp walk below
19: pe32.dwSize = sizeof(PROCESSENTRY32);// dwSize must be set before Process32First, otherwise the call fails
20: Process32First(hSnapShot,&pe32);// Start walking the process list. NOTE(review): the return value is not checked; if it fails, the loop below still reads an unfilled pe32
21: do
22: {
23: if(!lstrcmp(pe32.szExeFile,lpProcessName))// Match on the image file name. lstrcmp is case-sensitive, so a differently-cased name is not found; only the first match is taken
24: {
25: dwRet = pe32.th32ProcessID;
26: break;
27: }
28: } while (Process32Next(hSnapShot,&pe32));
29: CloseHandle(hSnapShot);
30: return dwRet;// PID of the match, or 0
31: }
32:
33: INT main(INT argc,CHAR * argv[])
// Usage: <program> <process image name>.
// Writes the string "EvilDll.dll" into the target process, starts a remote thread on
// LoadLibraryA with that string as its argument, then immediately unloads the module the
// same way (remote GetModuleHandleA to recover the HMODULE, remote FreeLibrary to drop it).
// Returns 0 on success, -1 when the process cannot be opened, the name cannot be written,
// or the load thread cannot be created.
// Defender note: the OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
// CreateRemoteThread(LoadLibrary) chain is the textbook injection sequence and is exactly
// what remote-thread telemetry is built to surface (e.g. Sysmon Event ID 8 records the
// source process, target process and thread start address for each CreateRemoteThread).
34: {
35: DWORD dwPid = getProcessHandle((LPCTSTR)argv[1]);// NOTE(review): argc is never checked, so argv[1] is NULL when no argument is given; the cast also hides a char*/TCHAR* mismatch when UNICODE is defined
36: LPCSTR lpDllName = "EvilDll.dll";// Bare file name, so the target resolves it through its own DLL search order, not this program's
37: HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,dwPid);// NOTE(review): only memory-write rights are requested; CreateRemoteThread documents additional required access rights, so on a stock system the remote-thread calls below are expected to fail with access denied
38: if(hProcess == NULL)
39: {
40: printf("\n获取进程句柄错误%d",GetLastError());
41: return -1;
42: }
43: DWORD dwSize = strlen(lpDllName)+1;// Include the terminating NUL
44: DWORD dwHasWrite;// NOTE(review): WriteProcessMemory's last parameter is SIZE_T*; a DWORD here is a type mismatch and on 64-bit builds the callee writes 8 bytes into a 4-byte local
45: LPVOID lpRemoteBuf = VirtualAllocEx(hProcess,NULL,dwSize,MEM_COMMIT,PAGE_READWRITE);// NOTE(review): return value is not checked; on failure lpRemoteBuf is NULL and the error reported below is WriteProcessMemory's, not the allocation's
46: if(WriteProcessMemory(hProcess,lpRemoteBuf,lpDllName,dwSize,&dwHasWrite))
47: {
48: if(dwHasWrite != dwSize)// Short write: treat as failure
49: {
50: VirtualFreeEx(hProcess,lpRemoteBuf,dwSize,MEM_COMMIT);// NOTE(review): MEM_COMMIT is not a valid dwFreeType for VirtualFreeEx (MEM_DECOMMIT / MEM_RELEASE are), so this call fails and the remote buffer stays mapped
51: CloseHandle(hProcess);
52: return -1;
53: }
54:
55: }else
56: {
57: printf("\n写入远程进程内存空间出错%d。",GetLastError());
58: CloseHandle(hProcess);
59: return -1;
60: }
61:
62: DWORD dwNewThreadId;
63: LPVOID lpLoadDll = LoadLibraryA;// This process's address of LoadLibraryA is reused as the remote start address; presumably relies on kernel32.dll sharing the same base in both processes (same bitness, same boot) — not verified here
64: HANDLE hNewRemoteThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)lpLoadDll,lpRemoteBuf,0,&dwNewThreadId);
65: if(hNewRemoteThread == NULL)
66: {
67: printf("\n建立远程线程失败%d",GetLastError());
68: CloseHandle(hProcess);// NOTE(review): the remote buffer is not released on this path
69: return -1;
70: }
71:
72: WaitForSingleObject(hNewRemoteThread,INFINITE);// Block until LoadLibraryA returns in the target
73: CloseHandle(hNewRemoteThread);// NOTE(review): the thread exit code (LoadLibraryA's HMODULE, 0 on failure) is discarded, so a failed load goes unnoticed
74:
75: // Prepare to unload the DLL injected above
76: DWORD dwHandle,dwID;// NOTE(review): GetExitCodeThread yields a DWORD, so on 64-bit targets the HMODULE is truncated to its low 32 bits before reaching FreeLibrary
77: LPVOID pFunc = GetModuleHandleA;// Recover the handle of the injected DLL from inside the target by running GetModuleHandleA there with the same name buffer
78: HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)pFunc,lpRemoteBuf,0,&dwID);// NOTE(review): not checked for NULL before the wait and exit-code calls below
79: WaitForSingleObject(hThread,INFINITE);
80: GetExitCodeThread(hThread,&dwHandle);// The remote thread's exit code is GetModuleHandleA's return value, i.e. the module handle
81: CloseHandle(hThread);
82: pFunc = FreeLibrary;// FreeLibrary has no A/W variant; its single HMODULE argument is passed as the thread parameter
83: hThread = CreateRemoteThread(hThread,NULL,0,(LPTHREAD_START_ROUTINE)pFunc,(LPVOID)dwHandle,0,&dwID); // Run FreeLibrary in the target to unload the DLL. NOTE(review): the first argument is hThread — a thread handle already closed on the previous line — not hProcess, so this call cannot succeed; its result is not checked
84: WaitForSingleObject(hThread,INFINITE);
85: CloseHandle(hThread);
86: CloseHandle(hProcess);// NOTE(review): lpRemoteBuf is never freed with VirtualFreeEx on the success path
87: return 0;
88: }
原文地址:http://www.cnblogs.com/kangxiaopao/p/4739914.html