  • CreateRemoteThread 远程dll注入

    1.dll中的内容

    // dllmain.cpp : 定义 DLL 应用程序的入口点。
    #include "stdafx.h"

    BOOL APIENTRY DllMain(HMODULE hModule,
                          DWORD ul_reason_for_call,
                          LPVOID lpReserved)
    {
        // Demonstration entry point: shows one message box per loader
        // notification so that a load performed from another process is
        // visible. The table keeps each (reason, text, caption) triple
        // together; a reason that is not listed produces no dialog, and
        // returning TRUE keeps the DLL mapped.
        //
        // Note: MessageBox runs here while the loader lock is held, which the
        // DllMain contract forbids; acceptable only for a teaching demo.
        struct Notice {
            DWORD   reason;
            LPCWSTR text;
            LPCWSTR caption;
        };
        static const Notice kNotices[] = {
            { DLL_PROCESS_ATTACH, L"DLL has been mapped!",           L"1st RemoteThread" },
            { DLL_THREAD_ATTACH,  L"RemoteThread has been created!", L"2nd RemoteThread" },
            { DLL_THREAD_DETACH,  L"RemoteThread exit!",             L"13rd RemoteThread" },
            { DLL_PROCESS_DETACH, L"DLL has been unmapped!",         L"4th RemoteThread" },
        };
        for (size_t i = 0; i < sizeof(kNotices) / sizeof(kNotices[0]); ++i) {
            if (kNotices[i].reason == ul_reason_for_call) {
                MessageBox(NULL, kNotices[i].text, kNotices[i].caption, MB_OK);
                break;
            }
        }
        return TRUE;
    }

    2.注入程序内容


    #include "stdafx.h"
    #include <windows.h>
    #include <TlHelp32.h>
    #include <iostream>

    int ListProcess();
    bool enableDebugPriv();

    int main(int argc, char* argv[])
    {
        // Interactive driver for the demo: optionally lists running processes,
        // reads a target PID (0 = this process), enables SeDebugPrivilege, and
        // makes the target load dll_demo.dll by running LoadLibraryA on a
        // thread created inside that process.
        //
        // Defender note: OpenProcess(PROCESS_ALL_ACCESS) followed by
        // VirtualAllocEx / WriteProcessMemory / CreateRemoteThread with a
        // LoadLibraryA start address is the textbook remote-thread injection
        // sequence; Sysmon reports the cross-process handle as Event ID 10
        // (ProcessAccess) and the thread as Event ID 8 (CreateRemoteThread).
        //
        // NOTE(review): the loop below never breaks, so `return 0;` is
        // unreachable; every exit is a negative error code, and on those
        // paths hRemoteProcess and hThread are leaked. argc/argv are unused.
        while(true){
            char YesNo;
            printf("是否查看当前进程列表获得进程ID: Y or N?");
            // NOTE(review): scanf_s "%c" requires a trailing buffer-size
            // argument (1 here); it is missing.
            scanf_s("%c", &YesNo);
            Sleep(250);
            if (YesNo == 'Y' || YesNo == 'y')
                ListProcess();
            printf("请输入要注入的进程ID【0表示自身进程】: ");

            DWORD dwRemoteProcessID;
            // NOTE(review): "%d" with a DWORD should be "%u", and the return
            // value is unchecked, so non-numeric input leaves the PID
            // uninitialized.
            scanf_s("%d",&dwRemoteProcessID);

            // 0 selects the injector itself, the harmless way to test the DLL.
            if(dwRemoteProcessID==0)
                dwRemoteProcessID=GetCurrentProcessId();

            // SeDebugPrivilege is needed to open processes owned by other
            // users; failure ends the program.
            if(!enableDebugPriv()){
                printf("add privilege error ");
                system("pause");
                return -1;
            }
            HANDLE hRemoteProcess;
            if((hRemoteProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwRemoteProcessID))==NULL){
                printf("OpenProcess error");
                system("pause");
                return -2;
            }

            // Build the DLL path relative to the current directory.
            // NOTE(review): the return value of GetCurrentDirectoryA is
            // ignored (a directory longer than 255 chars leaves DllPath
            // untouched), and the literal's single backslashes are escape
            // sequences ("\x64" is 'd'; "\.", "\D", "\d" are ill-formed), so
            // the appended text is not the intended relative path - the
            // backslashes must be doubled.
            char DllPath[256];
            GetCurrentDirectoryA(256,DllPath);
            printf("the currentprocess directory is %s ",DllPath);
            strcat_s(DllPath,"\..\x64\Debug\dll_demo.dll");

            // Reserve room in the target for the NUL-terminated path; this
            // buffer becomes LoadLibraryA's argument.
            LPVOID pRemoteDllPath=VirtualAllocEx(hRemoteProcess,NULL,strlen(DllPath)+1,MEM_COMMIT,PAGE_READWRITE);
            if(pRemoteDllPath==NULL){
                printf("virtualalloc error");
                system("pause");
                return -3;
            }
            printf("DLLPath is %s ",DllPath);
            // SIZE_T because WriteProcessMemory's lpNumberOfBytesWritten is SIZE_T*.
            SIZE_T size;
            // NOTE(review): WriteProcessMemory returns BOOL; comparing against
            // NULL works but "!WriteProcessMemory(...)" is the intended idiom.
            if(WriteProcessMemory(hRemoteProcess,pRemoteDllPath,DllPath,strlen(DllPath)+1,&size)==NULL)
            {
                printf("writeProcessMemory error ");
                system("pause");
                return -4;
            }
            // NOTE(review): "%d" with SIZE_T should be "%zu".
            printf("WriteRrmoyrProcess Size is %d ", size);

            // Resolve LoadLibraryA in this process and reuse the address in
            // the target; the code assumes it is valid there too - not checked.
            LPTHREAD_START_ROUTINE pLoadLibrary=(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),"LoadLibraryA");
            if(pLoadLibrary==NULL){
                printf("getProcAddress error");
                system("pause");
                return -5;
            }
            // NOTE(review): "%x" with a pointer is undefined and truncates to
            // 32 bits on x64; use "%p".
            printf("LoadLibrary's Address is 0x%x ", pLoadLibrary);
            // Start the remote thread: LoadLibraryA(pRemoteDllPath) runs inside
            // the target, which maps the DLL and fires its DllMain.
            DWORD dwThreadID;
            HANDLE hThread;
            if((hThread=CreateRemoteThread(hRemoteProcess,NULL,0,pLoadLibrary,pRemoteDllPath,0,&dwThreadID))==NULL){
                printf("createRemoteThread error");
                system("pause");
                return -6;
            }
            // Block until LoadLibraryA returns so the path buffer can be
            // released below; the wait result is not checked.
            WaitForSingleObject(hThread,INFINITE);
            printf("dwThreadId is %d ", dwThreadID);
            printf("Inject is done ");

            // Release the path buffer in the target (dwSize must be 0 with MEM_RELEASE).
            if(VirtualFreeEx(hRemoteProcess,pRemoteDllPath,0,MEM_RELEASE)==NULL){
                printf("VitualFreeEx error ");
                system("pause");
                return -7;
            }
            // Both handles were checked non-NULL above, so these guards are redundant.
            if (hThread != NULL) CloseHandle(hThread);
            if (hRemoteProcess != NULL) CloseHandle(hRemoteProcess);

        }
        return 0;
    }


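    int ListProcess()
    {
        // Print "FileName:<exe> ID:<pid>" for every process in a Toolhelp
        // snapshot. Returns 0 on success, -1 when the snapshot cannot be taken.
        HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hProcessSnap == INVALID_HANDLE_VALUE) {
            printf("CreateToolHelp32Snapshot error! ");
            return -1;
        }

        // dwSize must be set before the first call, otherwise
        // Process32First fails; zero the rest of the entry as well.
        PROCESSENTRY32W pe32 = {0};
        pe32.dwSize = sizeof(pe32);

        // The explicit W variants make szExeFile a WCHAR array regardless of
        // the project's UNICODE setting, so "%ls" is always the matching
        // specifier (the original "%s" printed garbage in a UNICODE build);
        // th32ProcessID is a DWORD, so "%lu" replaces the mismatched "%d".
        for (BOOL bMore = Process32FirstW(hProcessSnap, &pe32); bMore;
             bMore = Process32NextW(hProcessSnap, &pe32)) {
            printf("FileName:%-30lsID:%-6lu ", pe32.szExeFile, pe32.th32ProcessID);
        }

        CloseHandle(hProcessSnap);
        return 0;
    }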

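    // Enable SeDebugPrivilege on the current process token.
    //
    // Returns true only when the privilege is actually enabled. Two defects
    // in the previous version are fixed: AdjustTokenPrivileges returns
    // nonzero even when the token does not hold the privilege (it then sets
    // GetLastError() to ERROR_NOT_ALL_ASSIGNED), so success was reported
    // falsely for non-admin tokens; and the token handle was never closed on
    // the success path.
    //
    // Defender note: the adjustment shows up as Security event 4703 (token
    // right adjusted) when privilege auditing is enabled.
    bool enableDebugPriv()
    {
        HANDLE hToken = NULL;
        if (!OpenProcessToken(GetCurrentProcess(),
                              TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
            return false;
        }

        bool ok = false;
        TOKEN_PRIVILEGES tkp = {0};
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // Look the LUID up straight into the privilege array.
        if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid)) {
            // Nonzero return plus ERROR_NOT_ALL_ASSIGNED means "call succeeded,
            // privilege not granted" - treat that as failure.
            if (AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)
                && GetLastError() != ERROR_NOT_ALL_ASSIGNED) {
                ok = true;
            }
        }

        // Single exit so the token handle is released on every path.
        CloseHandle(hToken);
        return ok;
    }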

  • 原文地址:https://www.cnblogs.com/duyy/p/3712777.html