/*-----------------------------------------------------------------------------
*
* 版权声明:
* 可以任意转载,转载时请务必以超链接形式标明文章原始出处和作者信息及本声明
* http://www.cnblogs.com/yuliyang/
* 联系方式:
* Mail:yuliyang@qq.com
*
*-----------------------------------------------------------------------------*/
流程如下:
先写一个dll文件,用于注入远程进程。(就是在远程进程里新建一个远程线程,远程线程里调用的就是预先准备的dll文件)
为了简单起见,我们的dll文件没有任何导出函数,只在DllMain中弹出一个窗口。
#include "stdafx.h" // DLL whose only visible effect is a dialog box when it is loaded

/*
 * Loader entry point, called on process/thread attach and detach.
 * The module exports nothing; the single observable effect is one MessageBox
 * at DLL_PROCESS_ATTACH, shown from inside whichever process loads it, so that
 * a successful load can be seen at a glance.  Always returns TRUE, so the
 * load never fails from this side.
 *
 * NOTE(review): DllMain runs under the loader lock; blocking on a modal dialog
 * here is acceptable for a demo only, not for a real module.
 * NOTE(review): the narrow-string MessageBox call presumably relies on a
 * non-Unicode (MBCS) build configuration -- confirm; under UNICODE the
 * literals would need TEXT() or an explicit MessageBoxA.
 */
BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        MessageBox(NULL,"yuliyang","inject",MB_OK);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        /* nothing to clean up: no state, no exports */
        break;
    }
    return TRUE;
}
测试函数:
/*
 * =====================================================================================
 *
 *       Filename:  testdialogdll.cpp
 *    Environment:
 *    Description:  Test harness for loading the dialog DLL into another process
 *
 *
 *        Version:  1.0
 *        Created:  2013/11/3 19:54:41
 *         Author:  yuliyang I*
 *           Mail:  wzyuliyang911@gmail.com
 *           Blog:  http://www.cnblogs.com/yuliyang
 *
 * =====================================================================================
 */
/*------------------------------------------------------------------------------------------------------------
 *
 *
 * As soon as any program loads dialogdll.dll, the dialog box pops up
 *
 *
 *------------------------------------------------------------------------------------------------------------*/
//#include <Windows.h>
//int main(){
//
//    HINSTANCE hinst;
//    hinst=LoadLibrary("dialogdll.dll");
//    return 0;
//
//}

// ConRunDll.cpp : Defines the entry point for the console application.
//
//#include "stdafx.h"
#include <stdio.h>
#include <windows.h>

/*
 * Enable one named privilege (here SE_DEBUG_NAME) in the current process
 * token, so that a later OpenProcess on a process owned by someone else can
 * succeed.
 *
 * name: privilege name string as understood by LookupPrivilegeValue.
 * Returns 0 on success, -1 on any failure; a message is printed either way.
 *
 * NOTE(review): hToken is never closed on any path (no CloseHandle), so each
 * call leaks a token handle.
 * NOTE(review): AdjustTokenPrivileges may return TRUE while setting
 * GetLastError() to ERROR_NOT_ALL_ASSIGNED when the privilege is absent from
 * the token (e.g. non-administrator caller); that case is not checked, so
 * "success" can be printed without the privilege actually being enabled.
 * From a monitoring standpoint, enabling SeDebugPrivilege is a privileged
 * operation that privilege-use auditing records; host defences commonly
 * treat it as a signal worth correlating with what the process does next.
 */
int EnableDebugPriv(const char* name)
{
    HANDLE hToken;
    /* TOKEN_ADJUST_PRIVILEGES is needed to change the token, TOKEN_QUERY to read it back */
    if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken))
    {
        printf("打开指定令牌环失败! ");
        return -1;
    }
    LUID luid;
    /* translate the privilege name into the LUID the token API works with */
    if( !LookupPrivilegeValue(NULL, name, &luid) )
    {
        printf("查询LUID失败! ");
        return -1;
    }
    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    /* FALSE: adjust only the listed privilege, do not disable all others */
    if( !AdjustTokenPrivileges(hToken, FALSE, &tp, NULL, NULL, NULL) )
    {
        printf("提升进程权限失败! ");
        return -1;
    }
    printf("提升权限成功! ");
    return 0;
}

/*
 * Load DllFullPath into the process dwRemoteProcessId: the path string is
 * copied into a buffer allocated inside the target, and a thread is started
 * there at kernel32!LoadLibraryA with that buffer as its argument, so the
 * target's own loader maps the DLL.
 *
 * DllFullPath:       ANSI path to the DLL; it is consumed by LoadLibraryA.
 * dwRemoteProcessId: PID of the target process.
 * Returns TRUE once the remote thread has been created, FALSE on any failure
 * (a message is printed before returning FALSE).
 *
 * NOTE(review): every path leaks resources: hRemoteProcess is never closed,
 * the buffer from VirtualAllocEx is never released with VirtualFreeEx, and
 * the thread handle returned by CreateRemoteThread is discarded.
 * NOTE(review): TRUE only means the thread started; nothing waits for it or
 * checks whether LoadLibraryA succeeded in the target.
 * NOTE(review): using the local GetProcAddress result as the remote start
 * address presumably assumes kernel32 is mapped at the same base in both
 * processes -- confirm for the target platform.
 * The OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
 * sequence against another PID is the textbook cross-process injection
 * pattern; it is exactly what endpoint monitoring (remote-thread and
 * cross-process-write telemetry) is built to surface, which is useful to
 * know when reading alerts that reference these calls.
 */
BOOL InjectDll(const char* DllFullPath, const DWORD dwRemoteProcessId)
{
    HANDLE hRemoteProcess;
    /* minimal rights needed for the three cross-process operations below */
    hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE, FALSE, dwRemoteProcessId);
    if( hRemoteProcess == NULL )
    {
        printf("打开远程进程失败! ");
        return FALSE;
    }
    char *pszLibFileRemote ;
    /* room for the path plus its terminating NUL, inside the target's address space */
    pszLibFileRemote = (char*)VirtualAllocEx(hRemoteProcess, NULL, lstrlen(DllFullPath)+1, MEM_COMMIT, PAGE_READWRITE);
    if( pszLibFileRemote == NULL )
    {
        printf("分配内存失败! 
");
        return FALSE;
    }
    if( !WriteProcessMemory(hRemoteProcess, pszLibFileRemote, (LPVOID)DllFullPath, lstrlen(DllFullPath)+1, NULL) )
    {
        printf("写入内存失败! ");
        return FALSE;
    }
    /* LoadLibraryA has the same calling shape as a thread start routine (one pointer argument) */
    PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
    if( pfnStartAddr == NULL )
    {
        printf("获取LoadLibrary函数地址失败! ");
        return FALSE;
    }
    if( CreateRemoteThread(hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote, 0, NULL) == NULL)
    {
        printf("创建远程线程失败! ");
        return FALSE;
    }
    return TRUE;
}

/*
 * Demo entry point: enable SeDebugPrivilege, then load a hard-coded DLL path
 * into a hard-coded PID.  argc/argv are unused.
 *
 * NOTE(review): the return value of EnableDebugPriv is ignored, so the
 * injection is attempted even when raising privileges failed.
 * NOTE(review): the literal "c:\dialogdll.dll" contains `\d`, which is not a
 * standard C escape sequence; the compiler warns and the resulting bytes are
 * not the path the comment describes.
 */
int main(int argc, char* argv[])
{
    EnableDebugPriv(SE_DEBUG_NAME);  /* raise privileges */
    InjectDll("c:\dialogdll.dll", 2640);  /* inject into the remote process; 2640 was the PID of Notepad on the author's machine at that moment, and the DLL lives in c:/ */
    return 0;
}
结果: