  • 远程进程注入

    /*-----------------------------------------------------------------------------
    *  
    *   版权声明:
    *   可以任意转载,转载时请务必以超链接形式标明文章原始出处和作者信息及本声明
    *   http://www.cnblogs.com/yuliyang/
    *   联系方式:
    *   Mail:yuliyang@qq.com
    *
    *-----------------------------------------------------------------------------*/

    流程如下:

    image

    先写一个dll文件,用于注入远程进程。(就是在远程进程里新建一个远程线程,远程线程里调用的就是预先准备的dll文件)

    为了简单起见,我们的dll文件没有写任何导出函数,只在DllMain中弹出一个窗口:

    #include "stdafx.h"
    //对话框弹出dll
    /*
     * Entry point of the test DLL.  Its only behaviour is a message box shown
     * once, when the DLL is mapped into a process (DLL_PROCESS_ATTACH); the
     * thread attach/detach and process detach notifications are ignored.
     * Returning TRUE lets the load complete.
     *
     * NOTE(review): MessageBox (user32) is called while the loader lock is
     * held, which the DllMain guidelines advise against; acceptable only for
     * a demo like this one.
     */
    BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
    {
        (void)hModule;
        (void)lpReserved;

        if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
            MessageBox(NULL, "yuliyang", "inject", MB_OK);
        }
        /* DLL_THREAD_ATTACH, DLL_THREAD_DETACH, DLL_PROCESS_DETACH: nothing to do. */
        return TRUE;
    }

    测试函数:

    /*
     * =====================================================================================
     *
     *       Filename:  testdialogdll.cpp
     *      Environment:    
     *    Description:  测试注入DLL
     *
     *
     *        Version:  1.0
     *        Created:  2013/11/3 19:54:41
     *         Author:  yuliyang
     *
     *             Mail:  wzyuliyang911@gmail.com
     *             Blog:  http://www.cnblogs.com/yuliyang
     *
     * =====================================================================================
     */
    
    /*------------------------------------------------------------------------------------------------------------
     * 
     *
     * 只要程序一加载dialogdll.dll就会弹出对话框
     *
     *
     *------------------------------------------------------------------------------------------------------------*/
    //#include <Windows.h>
    //int main(){
    //
    //    HINSTANCE hinst;
    //    hinst=LoadLibrary("dialogdll.dll");
    //    return 0;
    //
    //}
    // ConRunDll.cpp : Defines the entry point for the console application.
    //
    
    //#include "stdafx.h"
    #include <stdio.h>
    #include <windows.h>
    
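    /*
     * Enables the named privilege (e.g. SE_DEBUG_NAME) in the current
     * process token.  SeDebugPrivilege is what later allows OpenProcess on
     * processes the caller does not otherwise have access to.
     *
     * name  privilege name understood by LookupPrivilegeValue.
     * Returns 0 on success, -1 on any failure (a message is printed for each
     * failure point).  The token handle is closed on every path.
     */
    int EnableDebugPriv(const char* name)
    {
        HANDLE hToken = NULL;
        LUID luid;
        TOKEN_PRIVILEGES tp;
        int rc = -1;

        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
            printf("打开指定令牌环失败!\n");
            return -1;
        }

        if (!LookupPrivilegeValue(NULL, name, &luid)) {
            printf("查询LUID失败!\n");
            goto out;
        }

        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luid;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        if (!AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL)) {
            printf("提升进程权限失败!\n");
            goto out;
        }
        /* AdjustTokenPrivileges returns TRUE even when the token does not hold
         * the privilege at all; that case is only reported through
         * GetLastError() == ERROR_NOT_ALL_ASSIGNED, so check it explicitly. */
        if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
            printf("提升进程权限失败!\n");
            goto out;
        }

        printf("提升权限成功!\n");
        rc = 0;

    out:
        CloseHandle(hToken);
        return rc;
    }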
    
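    /*
     * Loads the DLL at DllFullPath into process dwRemoteProcessId: the path is
     * copied into the target's address space and a remote thread is started
     * whose entry point is kernel32!LoadLibraryA with that path as argument.
     *
     * DllFullPath        NUL-terminated ANSI path; must be non-NULL and non-empty.
     * dwRemoteProcessId  target process id.
     * Returns TRUE once the remote thread has been created, FALSE on any
     * failure (a message is printed for each failure point).
     *
     * From a monitoring standpoint the observable artifacts of this routine
     * are the handle opened with PROCESS_VM_WRITE|PROCESS_CREATE_THREAD, the
     * cross-process write, and a thread created with a kernel32 export as its
     * start address.
     *
     * Every handle opened here is closed before returning.  The remote buffer
     * holding the path is released only on failure: on success the remote
     * thread reads it after this function has returned, and nothing here
     * waits for that thread.
     */
    BOOL InjectDll(const char* DllFullPath, const DWORD dwRemoteProcessId)
    {
        BOOL ok = FALSE;
        HANDLE hRemoteProcess = NULL;
        HANDLE hRemoteThread = NULL;
        char *pszLibFileRemote = NULL;
        SIZE_T cbPath;
        PTHREAD_START_ROUTINE pfnStartAddr;

        if (DllFullPath == NULL || DllFullPath[0] == '\0') {
            printf("DLL路径为空!\n");
            return FALSE;
        }
        cbPath = (SIZE_T)(lstrlen(DllFullPath) + 1);   /* include the terminator */

        hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE,
                                     FALSE, dwRemoteProcessId);
        if (hRemoteProcess == NULL) {
            printf("打开远程进程失败!\n");
            return FALSE;
        }

        pszLibFileRemote = (char*)VirtualAllocEx(hRemoteProcess, NULL, cbPath, MEM_COMMIT, PAGE_READWRITE);
        if (pszLibFileRemote == NULL) {
            printf("分配内存失败!\n");
            goto out;
        }

        /* WriteProcessMemory takes LPCVOID, so no cast away from const is needed. */
        if (!WriteProcessMemory(hRemoteProcess, pszLibFileRemote, DllFullPath, cbPath, NULL)) {
            printf("写入内存失败!\n");
            goto out_free;
        }

        /* The address is resolved in *this* process and reused in the target.
         * NOTE(review): that only holds when kernel32 is mapped at the same
         * base in both processes (same bitness); nothing here checks it. */
        pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
        if (pfnStartAddr == NULL) {
            printf("获取LoadLibrary函数地址失败!\n");
            goto out_free;
        }

        hRemoteThread = CreateRemoteThread(hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote, 0, NULL);
        if (hRemoteThread == NULL) {
            printf("创建远程线程失败!\n");
            goto out_free;
        }

        CloseHandle(hRemoteThread);   /* the thread keeps running; only our handle is dropped */
        ok = TRUE;
        goto out;                     /* success: leave the path buffer for the remote thread */

    out_free:
        VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
    out:
        CloseHandle(hRemoteProcess);
        return ok;
    }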
    
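    /*
     * Demo driver: try to enable SeDebugPrivilege for this process, then
     * inject the test DLL into a hard-coded process.  2640 was the PID of a
     * Notepad instance on the author's machine at the time of writing, and the
     * DLL is expected at the root of C:; both values must be adjusted to
     * reproduce the test.  The privilege step is best-effort, as in the
     * original; the exit status reflects only whether the injection call
     * reported success (0) or failure (1).
     */
    int main(int argc, char* argv[])
    {
        (void)argc;
        (void)argv;

        EnableDebugPriv(SE_DEBUG_NAME);                 /* raise privileges (best-effort) */

        /* "\d" is not a valid C escape sequence, so the backslash in the
         * path must be doubled for the literal to mean c:\dialogdll.dll. */
        if (!InjectDll("c:\\dialogdll.dll", 2640)) {    /* inject into the remote process */
            return 1;
        }
        return 0;
    }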

    结果:

    86

    87

    本文版权归作者和博客园共有,欢迎转载,但未经作者同意必须保留此段声明,且在文章页面明显位置给出原文连接,否则保留追究法律责任的权利。
  • 原文地址:https://www.cnblogs.com/yuliyang/p/3405378.html