Pnig0s1992:算是复习了,最经典的教科书式的Dll注入。
总结一下基本的注入过程,分注入和卸载
注入Dll:
1,OpenProcess获得要注入进程的句柄
2,VirtualAllocEx在远程进程中开辟出一段内存,长度为strlen(dllname)+1;
3,WriteProcessMemory将Dll的名字写入第二步开辟出的内存中。
4,CreateRemoteThread将LoadLibraryA作为线程函数,参数为Dll的名称,创建新线程
5,CloseHandle关闭线程句柄
卸载Dll:
1,CreateRemoteThread将GetModuleHandle注入到远程进程中,参数为被注入的Dll名
2,GetExitCodeThread将线程退出的退出码作为Dll模块的句柄值。
3,CloseHandle关闭线程句柄
3,CreateRemoteThread将FreeLibraryA注入到远程进程中,参数为第二步获得的句柄值。
4,WaitForSingleObject等待对象句柄返回
5,CloseHandle关闭线程及进程句柄。
- //Code By Pnig0s1992
- //Date:2012,3,13
- #include <stdio.h>
- #include <Windows.h>
- #include <TlHelp32.h>
- DWORD getProcessHandle(LPCTSTR lpProcessName)//根据进程名查找进程PID
- {
- DWORD dwRet = 0;
- HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
- if(hSnapShot == INVALID_HANDLE_VALUE)
- {
- printf(" 获得进程快照失败%d",GetLastError());
- return dwRet;
- }
- PROCESSENTRY32 pe32;//声明进程入口对象
- pe32.dwSize = sizeof(PROCESSENTRY32);//填充进程入口对象大小
- Process32First(hSnapShot,&pe32);//遍历进程列表
- do
- {
- if(!lstrcmp(pe32.szExeFile,lpProcessName))//查找指定进程名的PID
- {
- dwRet = pe32.th32ProcessID;
- break;
- }
- } while (Process32Next(hSnapShot,&pe32));
- CloseHandle(hSnapShot);
- return dwRet;//返回
- }
- INT main(INT argc,CHAR * argv[])
- {
- DWORD dwPid = getProcessHandle((LPCTSTR)argv[1]);
- LPCSTR lpDllName = "EvilDll.dll";
- HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,dwPid);
- if(hProcess == NULL)
- {
- printf(" 获取进程句柄错误%d",GetLastError());
- return -1;
- }
- DWORD dwSize = strlen(lpDllName)+1;
- DWORD dwHasWrite;
- LPVOID lpRemoteBuf = VirtualAllocEx(hProcess,NULL,dwSize,MEM_COMMIT,PAGE_READWRITE);
- if(WriteProcessMemory(hProcess,lpRemoteBuf,lpDllName,dwSize,&dwHasWrite))
- {
- if(dwHasWrite != dwSize)
- {
- VirtualFreeEx(hProcess,lpRemoteBuf,dwSize,MEM_COMMIT);
- CloseHandle(hProcess);
- return -1;
- }
- }else
- {
- printf(" 写入远程进程内存空间出错%d。",GetLastError());
- CloseHandle(hProcess);
- return -1;
- }
- DWORD dwNewThreadId;
- LPVOID lpLoadDll = LoadLibraryA;
- HANDLE hNewRemoteThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)lpLoadDll,lpRemoteBuf,0,&dwNewThreadId);
- if(hNewRemoteThread == NULL)
- {
- printf(" 建立远程线程失败%d",GetLastError());
- CloseHandle(hProcess);
- return -1;
- }
- WaitForSingleObject(hNewRemoteThread,INFINITE);
- CloseHandle(hNewRemoteThread);
- //准备卸载之前注入的Dll
- DWORD dwHandle,dwID;
- LPVOID pFunc = GetModuleHandleA;//获得在远程线程中被注入的Dll的句柄
- HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)pFunc,lpRemoteBuf,0,&dwID);
- WaitForSingleObject(hThread,INFINITE);
- GetExitCodeThread(hThread,&dwHandle);//线程的结束码即为Dll模块儿的句柄
- CloseHandle(hThread);
- pFunc = FreeLibrary;
- hThread = CreateRemoteThread(hThread,NULL,0,(LPTHREAD_START_ROUTINE)pFunc,(LPVOID)dwHandle,0,&dwID); //将FreeLibraryA注入到远程线程中去卸载Dll
- WaitForSingleObject(hThread,INFINITE);
- CloseHandle(hThread);
- CloseHandle(hProcess);
- return 0;
- }