1.简介
最经典的注入方式，容易实现，但防御方只需监控 LoadLibrary 系列函数即可检测到
还可以注入中转,如先将模块注入到系统进程中,利用系统进程再次注入到目标进程,然后从系统进程卸载掉模块
2.代码
/*
 * Classic CreateRemoteThread + LoadLibraryW DLL injection (educational listing).
 *
 * Enables SeDebugPrivilege on the current process token, opens the process
 * identified by pid, allocates one page in it, copies the argument there and
 * starts a remote thread whose start address is kernel32!LoadLibraryW.
 *
 * dllpath: wide-character path of the DLL to load in the target.
 * pid:     identifier of the target process.
 *
 * Returns 0 on every handled failure (handle open, allocation, write, thread
 * creation). NOTE(review): the success path falls off the end of a DWORD
 * function without a return statement, which is undefined behaviour in C;
 * a caller cannot distinguish success from failure.
 *
 * Detection surface (defender note): each step is a well-known telemetry
 * point — AdjustTokenPrivileges enabling SE_DEBUG_NAME, OpenProcess with
 * PROCESS_ALL_ACCESS, VirtualAllocEx with PAGE_EXECUTE_READWRITE, a
 * cross-process WriteProcessMemory, and CreateRemoteThread whose start
 * address resolves to LoadLibraryW. This is the LoadLibrary-family
 * monitoring the introduction refers to.
 */
DWORD threadInject(WCHAR* dllpath,DWORD pid) {
    // Enable the debug privilege on our own token first.
    HANDLE hToken;
    LUID newLuid;
    TOKEN_PRIVILEGES tr;
    tr.PrivilegeCount = 1;
    tr.Privileges->Attributes = SE_PRIVILEGE_ENABLED;
    // None of the three token calls has its result checked; on failure the
    // code continues and OpenProcess below is where the failure first shows.
    OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken);
    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &newLuid);
    tr.Privileges->Luid = newLuid;
    AdjustTokenPrivileges(hToken, FALSE, &tr, sizeof(tr), 0, 0);
    // Obtain a full-access handle to the target process.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, pid);
    if (hProcess==0||hProcess==INVALID_HANDLE_VALUE) {
        CloseHandle(hToken);
        return 0;
    }
    // Allocate one page in the target to hold the argument. The page is
    // requested as executable although only data is written into it.
    LPVOID p = VirtualAllocEx(hProcess, 0, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (!p) {
        CloseHandle(hProcess);
        CloseHandle(hToken);
        return 0;
    }
    // Copy the argument into the target. NOTE(review): sizeof(dllpath) is the
    // size of a WCHAR* (pointer size), not the length of the string it points to.
    if (!WriteProcessMemory(hProcess, p, (LPVOID)(dllpath), sizeof(dllpath), NULL)) {
        // NOTE(review): MEM_FREE is a memory *state* value (as reported by
        // VirtualQuery), not a VirtualFreeEx free type; this call is expected
        // to fail and its result is not checked, so the page likely stays
        // committed in the target. Same on the two later cleanup paths.
        VirtualFreeEx(hProcess, p, 0x1000, MEM_FREE);
        CloseHandle(hProcess);
        CloseHandle(hToken);
        return 0;
    }
    // Start a remote thread at LoadLibraryW with the copied argument.
    // The address is resolved in *this* process; it is only meaningful in the
    // target if kernel32.dll is mapped at the same base there (assumed, not checked).
    HANDLE cThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "LoadLibraryW")), p, 0, 0);
    if (cThread==0||cThread==INVALID_HANDLE_VALUE) {
        VirtualFreeEx(hProcess, p, 0x1000, MEM_FREE);
        CloseHandle(hProcess);
        CloseHandle(hToken);
        return 0;
    }
    // The thread handle is closed immediately; the function does not wait for
    // the remote thread or check whether the load succeeded, and the allocated
    // page is intentionally left in place for the running thread.
    CloseHandle(cThread);
    CloseHandle(hProcess);
    CloseHandle(hToken);
}