[转]Dll注入经典方法完整版

Pnig0s1992:算是复习了，最经典的教科书式的Dll注入。

总结一下基本的注入过程，分注入和卸载

注入Dll：

1，OpenProcess获得要注入进程的句柄

2，VirtualAllocEx在远程进程中开辟出一段内存，长度为strlen(dllname)+1;

3，WriteProcessMemory将Dll的名字写入第二步开辟出的内存中。

4，CreateRemoteThread将LoadLibraryA作为线程函数，参数为Dll的名称，创建新线程

5，CloseHandle关闭线程句柄

卸载Dll：

1，CreateRemoteThread将GetModuleHandle注入到远程进程中，参数为被注入的Dll名

2，GetExitCodeThread将线程退出的退出码作为Dll模块的句柄值。

3，CloseHandle关闭线程句柄

3，CreateRemoteThread将FreeLibraryA注入到远程进程中，参数为第二步获得的句柄值。

4，WaitForSingleObject等待对象句柄返回

5，CloseHandle关闭线程及进程句柄。

//Code By Pnig0s1992
//Date:2012,3,13
#include <stdio.h>
#include <Windows.h>
#include <TlHelp32.h>


DWORD getProcessHandle(LPCTSTR lpProcessName)//根据进程名查找进程PID
{
    DWORD dwRet = 0;
    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    if(hSnapShot == INVALID_HANDLE_VALUE)
    {
        printf("
获得进程快照失败%d",GetLastError());
        return dwRet;
    }

    PROCESSENTRY32 pe32;//声明进程入口对象
    pe32.dwSize = sizeof(PROCESSENTRY32);//填充进程入口对象大小
    Process32First(hSnapShot,&pe32);//遍历进程列表
    do
    {
        if(!lstrcmp(pe32.szExeFile,lpProcessName))//查找指定进程名的PID
        {
            dwRet = pe32.th32ProcessID;
            break;
        }
    } while (Process32Next(hSnapShot,&pe32));
    CloseHandle(hSnapShot);
    return dwRet;//返回
}

INT main(INT argc,CHAR * argv[])
{
    DWORD dwPid = getProcessHandle((LPCTSTR)argv[1]);
    LPCSTR lpDllName = "EvilDll.dll";
    HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,dwPid);
    if(hProcess == NULL)
    {
        printf("
获取进程句柄错误%d",GetLastError());
        return -1;
    }
    DWORD dwSize = strlen(lpDllName)+1;
    DWORD dwHasWrite;
    LPVOID lpRemoteBuf = VirtualAllocEx(hProcess,NULL,dwSize,MEM_COMMIT,PAGE_READWRITE);
    if(WriteProcessMemory(hProcess,lpRemoteBuf,lpDllName,dwSize,&dwHasWrite))
    {
        if(dwHasWrite != dwSize)
        {
            VirtualFreeEx(hProcess,lpRemoteBuf,dwSize,MEM_COMMIT);
            CloseHandle(hProcess);
            return -1;
        }

    }else
    {
        printf("
写入远程进程内存空间出错%d。",GetLastError());
        CloseHandle(hProcess);
        return -1;
    }

    DWORD dwNewThreadId;
    LPVOID lpLoadDll = LoadLibraryA;
    HANDLE hNewRemoteThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)lpLoadDll,lpRemoteBuf,0,&dwNewThreadId);
    if(hNewRemoteThread == NULL)
    {
        printf("
建立远程线程失败%d",GetLastError());
        CloseHandle(hProcess);
        return -1;
    }

    WaitForSingleObject(hNewRemoteThread,INFINITE);
    CloseHandle(hNewRemoteThread);

    //准备卸载之前注入的Dll
    DWORD dwHandle,dwID;
    LPVOID pFunc = GetModuleHandleA;//获得在远程线程中被注入的Dll的句柄
    HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)pFunc,lpRemoteBuf,0,&dwID);
    WaitForSingleObject(hThread,INFINITE);
    GetExitCodeThread(hThread,&dwHandle);//线程的结束码即为Dll模块儿的句柄
    CloseHandle(hThread);
    pFunc = FreeLibrary;
    hThread = CreateRemoteThread(hThread,NULL,0,(LPTHREAD_START_ROUTINE)pFunc,(LPVOID)dwHandle,0,&dwID); //将FreeLibraryA注入到远程线程中去卸载Dll
    WaitForSingleObject(hThread,INFINITE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
    return 0;
}