Windows基础知识

CreateRemoteThread远程注入DLL

2023-11-01 14 0

被注入的DLL

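// Entry point of the DLL that ends up inside the target process.
// DllMain executes while the loader lock is held, so anything beyond trivial
// work is risky; the MessageBox calls are kept only because this is a demo
// of "did the injection happen", not something a production DLL should do.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Fires once when the DLL is mapped, i.e. right after the remote
        // LoadLibraryA call succeeds.
        OutputDebugString(L"DLL Inject Sucess");
        MessageBox(NULL, L"dll sucess", L"dll sucess", MB_OK);
        break;
    case DLL_PROCESS_DETACH:
        // Fires when the DLL is unloaded. The original put the "free" message
        // under DLL_THREAD_ATTACH, which actually runs for every new thread the
        // host creates, so the popup appeared at the wrong moment.
        // lpReserved is NULL for a FreeLibrary unload and non-NULL when the
        // process is terminating; only report the explicit unload case, as
        // showing UI during process teardown is not safe.
        if (lpReserved == NULL) {
            OutputDebugString(L"DLL free Sucess");
            MessageBox(NULL, L"dll free", L"dll free", MB_OK);
        }
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        // Per-thread notifications: nothing to do for this demo.
        break;
    }
    return TRUE;
}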

注入器 - 使用以下代码注入:

#include<stdio.h>
#include<Windows.h>
#include<iostream>
#include<string>
using namespace std;
BOOL CreateRemoteDllInjectDll(DWORD dwProcessId, char *pdllname);
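// Interactive driver: reads the DLL path and the target process id from
// stdin and hands them to CreateRemoteDllInjectDll.
// Returns 0 on success, 1 when input is invalid or the injection fails,
// so the result can be checked from a script.
int main() {
    DWORD dwProcessId = 0;
    // std::string instead of the original char[20]: a path longer than 19
    // characters would have overflowed the stack buffer via cin >>.
    string dllName;
    cout << "Pleace input DLLfile name :" << endl;
    // getline so a path containing spaces is read in full.
    if (!getline(cin, dllName) || dllName.empty()) {
        puts("DLL file name is empty");
        return 1;
    }
    cout << "Pleace input PRocessID :" << endl;
    if (!(cin >> dwProcessId)) {
        puts("ProcessID is not a number");
        return 1;
    }
    // &dllName[0] gives a writable, NUL-terminated char* matching the
    // existing char* signature of CreateRemoteDllInjectDll.
    return CreateRemoteDllInjectDll(dwProcessId, &dllName[0]) ? 0 : 1;
}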
/**
 1.打开要注入的进程
 2.给进程分配虚拟内存 VirtualAllocEx
 3.给分配的内存写入要注入的DLL目录
 4.找到 kernel32.dll 模块的里面的LoadLibrary函数的地址
 5.用CreateRemoteThread给目标进程注入dll
 6.关闭目标进程的句柄
**/
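// Performs the injection against an already-opened process handle.
// The caller owns hProcess; this helper owns the remote buffer and the
// remote thread handle and releases both before returning.
// pLoadLibraryA is the address of kernel32!LoadLibraryA, pdllname the
// NUL-terminated ANSI path that the target will pass to it.
// Returns TRUE only if the remote thread ran and LoadLibraryA reported a
// non-zero module handle.
static BOOL InjectWithOpenHandle(HANDLE hProcess, FARPROC pLoadLibraryA, const char *pdllname) {
    SIZE_T dwsize = strlen(pdllname) + 1; // include the terminating NUL
    LPVOID pDLLAddr = VirtualAllocEx(hProcess, NULL, dwsize, MEM_COMMIT, PAGE_READWRITE);
    if (pDLLAddr == NULL) {
        puts("VirtualAllocEx is error");
        return FALSE;
    }

    BOOL ok = FALSE;
    if (!WriteProcessMemory(hProcess, pDLLAddr, pdllname, dwsize, NULL)) {
        puts("WriteProcessMemory is error");
    } else {
        HANDLE hRemotehandle = CreateRemoteThread(hProcess, NULL, 0,
            (LPTHREAD_START_ROUTINE)pLoadLibraryA, pDLLAddr, 0, NULL);
        if (!hRemotehandle) {
            puts(" CreateRemoteThread is error");
        } else {
            // The original had this wait/close inside the failure branch of
            // the CreateRemoteThread check, so on success the thread handle
            // leaked and the function fell off the end without a return value.
            WaitForSingleObject(hRemotehandle, INFINITE);
            // The thread's exit code is LoadLibraryA's return value (the
            // HMODULE, truncated to 32 bits). Zero means the load failed in
            // the target; on 64-bit the truncation makes this check
            // best-effort rather than exact.
            DWORD exitCode = 0;
            if (GetExitCodeThread(hRemotehandle, &exitCode) && exitCode != 0) {
                ok = TRUE;
            } else {
                puts("LoadLibraryA failed in target process");
            }
            CloseHandle(hRemotehandle);
        }
    }
    // The path string is only needed while LoadLibraryA runs; the original
    // left this page allocated in the target for its whole lifetime.
    VirtualFreeEx(hProcess, pDLLAddr, 0, MEM_RELEASE);
    return ok;
}

// Loads the DLL at pdllname into process dwProcessId by having that process
// run LoadLibraryA on a new thread (steps 1-6 of the comment above).
// Returns TRUE on success, FALSE on any failure (a message is printed).
// Note for defenders: the OpenProcess -> VirtualAllocEx -> WriteProcessMemory
// -> CreateRemoteThread sequence is the textbook injection pattern that
// endpoint monitoring and sysmon-style telemetry key on.
BOOL CreateRemoteDllInjectDll(DWORD dwProcessId, char *pdllname) {
    if (pdllname == NULL || pdllname[0] == '\0') {
        puts("DLL name is empty");
        return FALSE;
    }

    // kernel32.dll is mapped at the same base in every process of the same
    // bitness for a given boot, which is why the local LoadLibraryA address
    // is valid in the target. Injector and target must therefore both be
    // 32-bit or both 64-bit; this is not checked here.
    HMODULE hker = GetModuleHandleA("kernel32.dll");
    if (NULL == hker) {
        puts("GetModuleHandle kernel32.dll  is error");
        return FALSE;
    }
    FARPROC pFunProcAddr = GetProcAddress(hker, "LoadLibraryA");
    if (pFunProcAddr == NULL) {
        puts("Get LoadLibraryA is error");
        return FALSE;
    }

    // PROCESS_ALL_ACCESS is broader than this function needs; the
    // CreateRemoteThread documentation lists the minimal rights. Kept as in
    // the original so behaviour against existing targets is unchanged.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
    if (NULL == hProcess) {
        puts("OpenProcess is error");
        return FALSE;
    }

    // The original returned early on every later failure without closing
    // hProcess; routing through the helper guarantees one CloseHandle.
    BOOL ok = InjectWithOpenHandle(hProcess, pFunProcAddr, pdllname);
    CloseHandle(hProcess);
    return ok;
}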

