  • windows目标进程注入dll

    在别的程序注入dll

    步骤:
    1,获取目标进程ID,CreateToolhelp32Snapshot()函数;
    2,获取目标进程句柄,OpenProcess()函数;
    3,在目标进程中申请一块内存,用VirtualAllocEx()函数,不是VirtualAlloc()函数;
    4,往申请到的目标内存写入要注入的dll文件名,WriteProcessMemory()函数;
    5,拿到kernel32模块句柄,GetModuleHandle()函数;
    6,拿到kernel32模块里LoadLibraryA()函数地址,GetProcAddress()函数;
    7,把dll注入目标进程,CreateRemoteThread()函数

    获取进程ID的方法:

    // Looks up a process by executable name using a Toolhelp process snapshot.
    // pDest: executable name to match (compared with wcscmp against szExeFile,
    //        so this only compiles in a UNICODE build where TCHAR is wchar_t).
    // Returns the PID of the first matching entry; FALSE (0) when the snapshot
    // cannot be created, and 0 when nothing matches — a 0 result is therefore
    // ambiguous to the caller.
    DWORD GetPid(const TCHAR* pDest)
    {
        HANDLE hProcessHandle;
        PROCESSENTRY32 pe32 = {0};
    
        hProcessHandle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
        if (hProcessHandle == INVALID_HANDLE_VALUE)
        {
            return FALSE;
        }
        pe32.dwSize = sizeof(PROCESSENTRY32);
    
        // NOTE(review): Process32Next is used without a preceding Process32First;
        // the documented pattern is Process32First then Process32Next, so confirm
        // the first snapshot entry is not skipped.
        while (Process32Next(hProcessHandle,&pe32))
        {
            //printf("%s\n", pe32.szExeFile);
            if (wcscmp(pe32.szExeFile,pDest)==0)
            {    
                CloseHandle(hProcessHandle);
                return pe32.th32ProcessID;
                // Unreachable: follows the return above and is never executed.
                wcout << pe32.szExeFile << ":" << pe32.th32ProcessID << endl;
            }
            
        }
        // NOTE(review): the snapshot handle is not closed on the not-found path
        // (handle leak).
        return 0;
    
    }

    注入过程,封装个方法:

    // Copies pName into the address space of process pID and starts a remote
    // thread at LoadLibraryA with that buffer as its argument.
    // pID:   target process ID (as returned by GetPid).
    // pName: DLL name/path to load, as a TCHAR string.
    // Returns FALSE when the write or the kernel32 lookups fail, TRUE otherwise.
    // NOTE(review): the OpenProcess / VirtualAllocEx / WriteProcessMemory /
    // CreateRemoteThread sequence used here is the classic remote-thread
    // injection pattern and is widely monitored by endpoint security tooling.
    BOOL LoadDll(DWORD pID,const TCHAR* pName)
    {
        // NOTE(review): the returned handle is never checked for NULL, so a failed
        // OpenProcess propagates NULL into every call below. PROCESS_ALL_ACCESS is
        // also broader than the operations performed here require.
        HANDLE hDestProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);
    
        // NOTE(review): wcslen counts wchar_t characters, but pLEN is then used as
        // a byte count for both the allocation and the write, so only part of the
        // wide string is copied. The buffer is also later passed to LoadLibraryA,
        // which takes an ANSI string, while pName is a wide (TCHAR) string.
        DWORD pLEN = wcslen(pName)+1;
        // NOTE(review): the allocation result is not checked before it is written to.
        LPVOID lpStart =  VirtualAllocEx(hDestProcess, NULL, pLEN, MEM_COMMIT, PAGE_READWRITE);
        BOOL bRET = WriteProcessMemory(hDestProcess, lpStart, pName, pLEN, NULL);
        if (!bRET)
        {
            // The "%d" is a leftover printf specifier; the value is streamed after it.
            cout << "writeprocessmemory failed error : %d" << GetLastError() << endl;
            CloseHandle(hDestProcess);
            return FALSE;
        }
        HMODULE hModule = GetModuleHandle(TEXT("Kernel32.dll"));
        if (!hModule)
        {
            cout << "get kernel32 failed error :" << GetLastError() << endl;
            CloseHandle(hDestProcess);
            return FALSE;
        }
        // NOTE(review): casting a function pointer to DWORD truncates it on
        // 64-bit builds; a pointer-sized type is needed to hold the address.
        DWORD f = (DWORD)GetProcAddress(hModule, "LoadLibraryA");
        if (!f)
        {
            cout << "get loadLibraryA failed error :" << GetLastError() << endl;
            CloseHandle(hDestProcess);
            // NOTE(review): an HMODULE from GetModuleHandle is not a kernel object
            // handle; calling CloseHandle on it (here and at the end of the
            // function) is invalid.
            CloseHandle(hModule);
            return FALSE;
        }
        // NOTE(review): the thread handle returned here is neither checked nor
        // closed, so a failed CreateRemoteThread is still reported as TRUE and a
        // successful one leaks the handle.
        CreateRemoteThread(hDestProcess,NULL,0, (LPTHREAD_START_ROUTINE)f,lpStart,NULL,NULL);
        CloseHandle(hDestProcess);
        CloseHandle(hModule);
        return TRUE;
    }
  • 原文地址:https://www.cnblogs.com/a-s-m/p/12232442.html