首页 > 其他 > 详细

CreateRemoteThread 远程dll注入

时间:2014-05-07 12:56:04      阅读:537      评论:0      收藏:0      [点我收藏+]

1.dll中的内容

// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "stdafx.h"

 

BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
MessageBox(NULL, L"DLL has been mapped!", L"1st RemoteThread", MB_OK);
break;
case DLL_THREAD_ATTACH:
MessageBox(NULL, L"RemoteThread has been created!", L"2nd RemoteThread", MB_OK);
break;
case DLL_THREAD_DETACH:
MessageBox(NULL, L"RemoteThread exit!", L"13rd RemoteThread", MB_OK);
break;
case DLL_PROCESS_DETACH:
MessageBox(NULL, L"DLL has been unmapped!", L"4th RemoteThread", MB_OK);
break;
}
return TRUE;
}

2.注入程序内容


#include "stdafx.h"
#include <windows.h>
#include <TlHelp32.h>
#include <iostream>

int ListProcess();
bool enableDebugPriv();

 

int main(int argc, char* argv[])
{
while(true){
char YesNo;
printf("是否查看当前进程列表获得进程ID: Y or N?");
scanf_s("%c", &YesNo);
Sleep(250);
if (YesNo == ‘Y‘ || YesNo == ‘y‘)
ListProcess();
printf("请输入要注入的进程ID【0表示自身进程】:\n");

DWORD dwRemoteProcessID;
scanf_s("%d",&dwRemoteProcessID);

if(dwRemoteProcessID==0)
dwRemoteProcessID=GetCurrentProcessId();

if(!enableDebugPriv()){
printf("add privilege error \n");
system("pause");
return -1;
}
HANDLE hRemoteProcess;
if((hRemoteProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwRemoteProcessID))==NULL){
printf("OpenProcess error");
system("pause");
return -2;
}

char DllPath[256];
GetCurrentDirectoryA(256,DllPath);
printf("the currentprocess directory is %s\n",DllPath);
strcat_s(DllPath,"\\..\\x64\\Debug\\dll_demo.dll");

LPVOID pRemoteDllPath=VirtualAllocEx(hRemoteProcess,NULL,strlen(DllPath)+1,MEM_COMMIT,PAGE_READWRITE);
if(pRemoteDllPath==NULL){
printf("virtualalloc error");
system("pause");
return -3;
}
printf("DLLPath is %s\n",DllPath);
//DWORD size;
SIZE_T size;
if(WriteProcessMemory(hRemoteProcess,pRemoteDllPath,DllPath,strlen(DllPath)+1,&size)==NULL)
{
printf("writeProcessMemory error\n");
system("pause");
return -4;
}
printf("WriteRrmoyrProcess Size is %d\n\n", size);

LPTHREAD_START_ROUTINE pLoadLibrary=(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")),"LoadLibraryA");
if(pLoadLibrary==NULL){
printf("getProcAddress error");
system("pause");
return -5;
}
printf("LoadLibrary‘s Address is 0x%x\n\n", pLoadLibrary);
//启动远程线程
DWORD dwThreadID;
HANDLE hThread;
if((hThread=CreateRemoteThread(hRemoteProcess,NULL,0,pLoadLibrary,pRemoteDllPath,0,&dwThreadID))==NULL){
printf("createRemoteThread error");
system("pause");
return -6;
}
WaitForSingleObject(hThread,INFINITE);
printf("dwThreadId is %d\n\n", dwThreadID);
printf("Inject is done\n");

if(VirtualFreeEx(hRemoteProcess,pRemoteDllPath,0,MEM_RELEASE)==NULL){
printf("VitualFreeEx error\n");
system("pause");
return -7;
}
if (hThread != NULL) CloseHandle(hThread);
if (hRemoteProcess != NULL) CloseHandle(hRemoteProcess);

//system("pause");

}
return 0;
}


int ListProcess()
{
//获取系统快照
HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); //不要写错CreateToolhelp32Snapshot()
if (hProcessSnap == INVALID_HANDLE_VALUE)
{
printf("CreateToolHelp32Snapshot error!\n");
return -1;
}

//创建单个进程快照结构体,初始化大小
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(PROCESSENTRY32); //务必提前初始化,否则默认的大小不一定满足要求


//枚举系统快照链表中的第一个进程项目
BOOL bProcess = Process32First(hProcessSnap, &pe32);
while (bProcess)
{

printf("FileName:%-30sID:%-6d\r\n", pe32.szExeFile, pe32.th32ProcessID);
//继续枚举下一个进程
bProcess = Process32Next(hProcessSnap, &pe32);
}

CloseHandle(hProcessSnap);
return 0;
}

//提升进程访问权限
bool enableDebugPriv()
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;

if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
return false;
}

if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue)) {
CloseHandle(hToken);
return false;
}

tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)) {
CloseHandle(hToken);
return false;
}

return true;
}

 

CreateRemoteThread 远程dll注入,布布扣,bubuko.com

CreateRemoteThread 远程dll注入

原文:http://www.cnblogs.com/duyy/p/3712777.html

(0)
(0)
   
举报
评论 一句话评论(0
关于我们 - 联系我们 - 留言反馈 - 联系我们:wmxa8@hotmail.com
© 2014 bubuko.com 版权所有
打开技术之扣,分享程序人生!