1.dll中的内容
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "stdafx.h"
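/**
 * Entry point of the demo DLL that the injector loads into a target.
 *
 * Each loader notification pops a MessageBox so the effect of the injection
 * is visible. Calling into user32 (MessageBox) from DllMain runs under the
 * loader lock; that is tolerable for a throwaway demo but must not be copied
 * into real code, where DllMain only does minimal, loader-safe work.
 *
 * @param hModule            Module handle of this DLL (unused).
 * @param ul_reason_for_call One of the DLL_PROCESS_/DLL_THREAD_ ATTACH/DETACH codes.
 * @param lpReserved         Loader-supplied, unused here.
 * @return TRUE, so LoadLibrary reports success on DLL_PROCESS_ATTACH.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;

    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        MessageBox(NULL, L"DLL has been mapped!", L"1st RemoteThread", MB_OK);
        break;
    case DLL_THREAD_ATTACH:
        MessageBox(NULL, L"RemoteThread has been created!", L"2nd RemoteThread", MB_OK);
        break;
    case DLL_THREAD_DETACH:
        /* Title read "13rd" in the original; this is the third notification. */
        MessageBox(NULL, L"RemoteThread exit!", L"3rd RemoteThread", MB_OK);
        break;
    case DLL_PROCESS_DETACH:
        MessageBox(NULL, L"DLL has been unmapped!", L"4th RemoteThread", MB_OK);
        break;
    default:
        break;
    }
    return TRUE;
}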
2.注入程序内容
#include "stdafx.h"
#include <windows.h>
#include <TlHelp32.h>
#include <iostream>
/* Prints a Toolhelp snapshot of the running processes; 0 on success, -1 on failure. */
int ListProcess(void);
/* Enables SeDebugPrivilege on the current process token; false on failure. */
bool enableDebugPriv(void);
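/*
 * Performs one injection into the process dwRemoteProcessID: writes the DLL
 * path into the target's address space, starts a remote thread at
 * LoadLibraryA with that path as its argument, and waits for it to finish.
 *
 * Returns 0 on success, or the negative code main() used to return for the
 * failing step (-2 OpenProcess, -3 VirtualAllocEx, -4 WriteProcessMemory,
 * -5 GetProcAddress, -6 CreateRemoteThread, -7 VirtualFreeEx, -8 DLL path).
 * Each failure prints a message and pauses as before, but now also releases
 * the process handle, the remote buffer and the thread handle, which the
 * original leaked on every early return.
 */
static int inject_dll(DWORD dwRemoteProcessID)
{
    int rc = 0;
    HANDLE hRemoteProcess = NULL;
    HANDLE hThread = NULL;
    LPVOID pRemoteDllPath = NULL;
    LPTHREAD_START_ROUTINE pLoadLibrary = NULL;
    SIZE_T size = 0;
    SIZE_T pathLen = 0;
    DWORD dwThreadID = 0;
    DWORD dirLen = 0;
    char DllPath[256];

    hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwRemoteProcessID);
    if (hRemoteProcess == NULL) {
        printf("OpenProcess error");
        system("pause");
        rc = -2;
        goto cleanup;
    }

    /* GetCurrentDirectoryA returns 0 on failure and the required size
     * (terminator included) when the buffer is too small; the original
     * used the buffer without checking either case. */
    dirLen = GetCurrentDirectoryA(sizeof DllPath, DllPath);
    if (dirLen == 0 || dirLen >= sizeof DllPath) {
        printf("GetCurrentDirectory error\n");
        system("pause");
        rc = -8;
        goto cleanup;
    }
    printf("the currentprocess directory is %s\n", DllPath);

    /* The DLL is located relative to the working directory, as in the original. */
    if (strcat_s(DllPath, "\\..\\x64\\Debug\\dll_demo.dll") != 0) {
        printf("DllPath too long\n");
        system("pause");
        rc = -8;
        goto cleanup;
    }
    pathLen = strlen(DllPath) + 1; /* copy the terminator too */

    pRemoteDllPath = VirtualAllocEx(hRemoteProcess, NULL, pathLen, MEM_COMMIT, PAGE_READWRITE);
    if (pRemoteDllPath == NULL) {
        printf("virtualalloc error");
        system("pause");
        rc = -3;
        goto cleanup;
    }
    printf("DLLPath is %s\n", DllPath);

    if (!WriteProcessMemory(hRemoteProcess, pRemoteDllPath, DllPath, pathLen, &size)) {
        printf("writeProcessMemory error\n");
        system("pause");
        rc = -4;
        goto cleanup;
    }
    /* size is SIZE_T, so %zu; the original's %d mismatched on 64-bit builds. */
    printf("WriteProcessMemory Size is %zu\n\n", size);

    pLoadLibrary = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), "LoadLibraryA");
    if (pLoadLibrary == NULL) {
        printf("getProcAddress error");
        system("pause");
        rc = -5;
        goto cleanup;
    }
    /* %p prints the whole pointer; the original's %x truncated it on x64. */
    printf("LoadLibrary's Address is %p\n\n", (void *)pLoadLibrary);

    hThread = CreateRemoteThread(hRemoteProcess, NULL, 0, pLoadLibrary, pRemoteDllPath, 0, &dwThreadID);
    if (hThread == NULL) {
        printf("createRemoteThread error");
        system("pause");
        rc = -6;
        goto cleanup;
    }
    WaitForSingleObject(hThread, INFINITE);
    printf("dwThreadId is %lu\n\n", dwThreadID);
    printf("Inject is done\n");

    /* Release the path buffer once the remote thread has finished with it. */
    if (!VirtualFreeEx(hRemoteProcess, pRemoteDllPath, 0, MEM_RELEASE)) {
        printf("VirtualFreeEx error\n");
        system("pause");
        rc = -7;
    }
    pRemoteDllPath = NULL; /* freed, or the free failed: do not retry below */

cleanup:
    if (hThread != NULL) {
        CloseHandle(hThread);
    }
    if (pRemoteDllPath != NULL) {
        /* Error path: best-effort release of the buffer allocated above. */
        VirtualFreeEx(hRemoteProcess, pRemoteDllPath, 0, MEM_RELEASE);
    }
    if (hRemoteProcess != NULL) {
        CloseHandle(hRemoteProcess);
    }
    return rc;
}

/*
 * Interactive driver: optionally lists processes, reads a target PID (0 means
 * this process), enables SeDebugPrivilege and runs one injection per loop.
 *
 * Returns -1 when the privilege cannot be enabled, the injection step's
 * negative code when it fails, and 0 on end of input. The original returned
 * the same codes but looped forever on EOF with an unset answer.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    for (;;) {
        char YesNo = 0;
        printf("是否查看当前进程列表获得进程ID: Y or N?");
        /* scanf_s requires the buffer size after a %c argument (the original
         * omitted it). The leading blank skips the newline left over from the
         * previous PID prompt, which the original read as the answer on every
         * iteration after the first. */
        if (scanf_s(" %c", &YesNo, (unsigned)sizeof YesNo) != 1) {
            return 0;
        }
        Sleep(250);
        if (YesNo == 'Y' || YesNo == 'y') {
            ListProcess();
        }

        printf("请输入要注入的进程ID【0表示自身进程】:\n");
        DWORD dwRemoteProcessID = 0;
        /* DWORD is unsigned long, hence %lu rather than %d. */
        if (scanf_s("%lu", &dwRemoteProcessID) != 1) {
            /* Non-numeric input: discard the rest of the line and ask again. */
            int ch;
            while ((ch = getchar()) != '\n' && ch != EOF) {
            }
            if (ch == EOF) {
                return 0;
            }
            continue;
        }
        if (dwRemoteProcessID == 0) {
            dwRemoteProcessID = GetCurrentProcessId();
        }

        if (!enableDebugPriv()) {
            printf("add privilege error\n");
            system("pause");
            return -1;
        }

        int rc = inject_dll(dwRemoteProcessID);
        if (rc != 0) {
            return rc;
        }
    }
}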
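/*
 * Prints every process in a Toolhelp snapshot as "FileName:<exe> ID:<pid>".
 *
 * Returns 0 on success, -1 when the snapshot cannot be created. The snapshot
 * handle is closed before returning on the success path.
 *
 * NOTE(review): szExeFile is a TCHAR array. Under a UNICODE build it is wide
 * and printf's %s prints only its first character; the DLL on this page uses
 * L"" strings with MessageBox, which suggests UNICODE. If so, switch to
 * _tprintf(TEXT("%s")) or %S. Left as-is because the project character set
 * is not visible here.
 */
int ListProcess()
{
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE) {
        printf("CreateToolHelp32Snapshot error!\n");
        return -1;
    }

    /* dwSize must be set before the first call; the default size is not
     * guaranteed to be accepted (original author's note, translated). */
    PROCESSENTRY32 pe32 = {0};
    pe32.dwSize = sizeof(pe32);

    for (BOOL more = Process32First(hProcessSnap, &pe32); more;
         more = Process32Next(hProcessSnap, &pe32)) {
        /* th32ProcessID is a DWORD (unsigned long), hence %lu rather than %d. */
        printf("FileName:%-30sID:%-6lu\r\n", pe32.szExeFile, pe32.th32ProcessID);
    }

    CloseHandle(hProcessSnap);
    return 0;
}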
//提升进程访问权限
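/*
 * Enables SeDebugPrivilege on the current process token so that OpenProcess
 * can succeed on processes the caller does not otherwise have access to.
 *
 * Returns true only when the privilege is actually enabled. Two fixes over
 * the original: AdjustTokenPrivileges returns TRUE even when the token does
 * not hold the privilege (it then sets ERROR_NOT_ALL_ASSIGNED), so that case
 * is checked explicitly instead of being reported as success; and the token
 * handle is closed on every path, including success, where it was leaked.
 */
bool enableDebugPriv()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return false;
    }

    bool ok = false;
    LUID sedebugnameValue = {0};
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue)) {
        TOKEN_PRIVILEGES tkp = {0};
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = sedebugnameValue;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        if (AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)) {
            /* TRUE with ERROR_NOT_ALL_ASSIGNED means nothing was enabled. */
            ok = (GetLastError() != ERROR_NOT_ALL_ASSIGNED);
        }
    }

    CloseHandle(hToken);
    return ok;
}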
CreateRemoteThread 远程dll注入
原文:http://www.cnblogs.com/duyy/p/3712777.html