1. APC 即异步过程调用（Asynchronous Procedure Call），分为内核级和用户级；在 ring3 层中，使用用户级的 APC 即可进行 DLL 注入，
但是不能针对已在运行的进程。
2.
//apc注入, 需要新建立目标进程, 不能针对已运行的进程 DWORD apcInject(WCHAR* dllpath,WCHAR* exepath) { STARTUPINFOW sp = { 0 }; sp.cb = sizeof(STARTUPINFOW); sp.dwFlags = STARTF_USESHOWWINDOW; sp.wShowWindow = SW_MINIMIZE; PROCESS_INFORMATION pi = { 0 }; //暂停方式启动进程 if (!CreateProcessW(exepath, NULL, 0, 0, 0, CREATE_SUSPENDED, 0, 0, &sp, &pi)) { return 0; } //申请内存存放参数 LPVOID p = VirtualAllocEx(pi.hProcess, 0, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE); if (!p) { CloseHandle(pi.hProcess); CloseHandle(pi.hThread); return 0; } //写参数 if (!WriteProcessMemory(pi.hProcess, p, (LPVOID)(dllpath), lstrlenW(dllpath)*2+2, NULL)) { VirtualFreeEx(pi.hProcess, p, 0x1000, MEM_FREE); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); return 0; } LPVOID ll = (LPVOID)GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "LoadLibraryW"); //插入apc if (!QueueUserAPC((PAPCFUNC)ll, pi.hThread, (ULONG_PTR)p)) { VirtualFreeEx(pi.hProcess, p, 0x1000, MEM_FREE); CloseHandle(pi.hProcess); CloseHandle(pi.hThread); return 0; } CloseHandle(pi.hProcess); CloseHandle(pi.hThread); return 1; }
未完待续...