最新看了下关于dll远程注入的东西,这个技术原来是用来隐藏木马很好的方式,现在貌似很难通过了,一般的杀软都能检测到相关的行为,
// 一个dll的代码,随便加了一个messagebox函数,仅用来测试注入时候成功的,注入成功会弹出这个对话框
- #include "stdafx.h"
- #include <stdio.h>
- BOOL APIENTRY DllMain( HANDLE hModule,
- DWORD ul_reason_for_call,
- LPVOID lpReserved
- )
- {
- MessageBoxA(NULL,"hello world","dll",MB_OK);
- return TRUE;
- }
// dll远程注入的代码,我这里是手动输入一个进程的pid的,其实也可以通过快照方式来固定一个进程进行注入
- #include <windows.h>
- int main ()
- {
- DWORD pid = 2324;
- LPVOID pAddress = 0;
- char *dllpath = "C:\\Documents and Settings\\All Users\\桌面\\dll\\Debug\\dll.dll";
- int dwSize = lstrlen(dllpath) + 1;
- DWORD write = 0;
- BOOL bRet = FALSE;
- HANDLE hThread = 0;
- DWORD dwthread = 0;
- PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE) GetProcAddress(GetModuleHandle(TEXT("kernel32")),"LoadLibraryA");
- HANDLE hPid = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid);
- if ( NULL == hPid )
- {
- CloseHandle(hPid);
- }
- pAddress = VirtualAllocEx( hPid,0,0x1000,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
- if ( NULL == pAddress)
- {
- VirtualFreeEx(hPid,pAddress,0x1000,MEM_RELEASE);
- CloseHandle(hPid);
- }
- bRet = WriteProcessMemory(hPid,pAddress,dllpath,dwSize,&write);
- if ( FALSE == bRet )
- {
- VirtualFreeEx(hPid,pAddress,0x1000,MEM_RELEASE);
- CloseHandle(hPid);
- }
- hThread = CreateRemoteThread(hPid,NULL,0,pfnThreadRtn,pAddress,0,&dwthread);
- if ( NULL == hThread)
- {
- VirtualFreeEx(hPid,pAddress,0x1000,MEM_RELEASE);
- CloseHandle(hPid);
- }
- return 0;
- }
本文转自wiliiwin 51CTO博客,原文链接:http://blog.51cto.com/wiliiwin/385444
