大路貨就不說了,做下總結:
1、權限。如果需要Inject一些系統關鍵程序,需要先提權。提權用到的函數:
OpenProcessToken
LookupPrivilegeValue
AdjustTokenPrivileges
能找到現成的可用代碼,一搜一大把,我就不貼了
2、打開程序。
3、打開成功後,配置設定記憶體。因為要注入程序,而其隻能通路自己程序的空間,但這時他并不知道要注入DLL的路徑,是以需要把路徑以這種方式寫道對方程序裡去。(得到目标程序中儲存字元串的起始位址)
4、在對方位址包含要加載DLL的路徑之後,從Kernel32中擷取LoadLibrary的位址(這個位址在每個程序中都一樣),調用CreateRemoteThread函數,把目标程序的字元串當作參數傳給CreateRemoteThread。這樣就Inject進去了。
Inject完了得釋放,釋放就是Inject過程的逆過程,加載DLL是LoadLibrary,釋放是FreeLibrary:
1、先便利下目标程序已加載的所有子產品,如果找到了我們剛剛注入的,則儲存,跳出循環
2、得到FreeLibrary的位址,通過Kernel32子產品。
3、調用CreateRemoteThread線程,将步驟1中得到的目标程序中我們注入的子產品位址當參數傳進去,然後就釋放了。
晚上的時候閱讀了下《WINDOWS核心程式設計》的源碼,其中有這部分的代碼,是99年編寫的。拿VS2005轉換并編譯,注入功能依舊可用(我現在用的是WIN7)不禁讓人唏噓不已。。十年間多少人用這份代碼學習WINDOWS程式設計,書上說的可維護、可移植的代碼大概就是說的這種吧。。貼下主要部分:
代碼
1 #ifdef UNICODE
2 #define InjectLib InjectLibW
3 #define EjectLib EjectLibW
4 #else
5 #define InjectLib InjectLibA
6 #define EjectLib EjectLibA
7 #endif // !UNICODE
8
9
10 // /
11
12
13 const char * szDllPath = " D:\\source\\CreateRomoteThreadDemo\\dllsingle.dll " ;
14
15 BOOL WINAPI InjectLibW(DWORD dwProcessId, PCWSTR pszLibFile) {
16
17 BOOL fOk = FALSE; // Assume that the function fails
18 HANDLE hProcess = NULL, hThread = NULL;
19 PWSTR pszLibFileRemote = NULL;
20
21 __try {
22 // Get a handle for the target process.
23 hProcess = OpenProcess(
24 PROCESS_QUERY_INFORMATION | // Required by Alpha
25 PROCESS_CREATE_THREAD | // For CreateRemoteThread
26 PROCESS_VM_OPERATION | // For VirtualAllocEx/VirtualFreeEx
27 PROCESS_VM_WRITE, // For WriteProcessMemory
28 FALSE, dwProcessId);
29 if (hProcess == NULL) __leave;
30
31 // Calculate the number of bytes needed for the DLL's pathname
32 int cch = 1 + lstrlenW(pszLibFile);
33 int cb = cch * sizeof (WCHAR);
34
35 // Allocate space in the remote process for the pathname
36 pszLibFileRemote = (PWSTR)
37 VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
38 if (pszLibFileRemote == NULL) __leave;
39
40 // Copy the DLL's pathname to the remote process's address space
41 if ( ! WriteProcessMemory(hProcess, pszLibFileRemote,
42 (PVOID) pszLibFile, cb, NULL)) __leave;
43
44 // Get the real address of LoadLibraryW in Kernel32.dll
45 PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
46 GetProcAddress(GetModuleHandle(TEXT( " Kernel32 " )), " LoadLibraryW " );
47 if (pfnThreadRtn == NULL) __leave;
48
49 // Create a remote thread that calls LoadLibraryW(DLLPathname)
50 hThread = CreateRemoteThread(hProcess, NULL, 0 ,
51 pfnThreadRtn, pszLibFileRemote, 0 , NULL);
52 if (hThread == NULL) __leave;
53
54 // Wait for the remote thread to terminate
55 WaitForSingleObject(hThread, INFINITE);
56
57 fOk = TRUE; // Everything executed successfully
58 }
59 __finally { // Now, we can clean everthing up
60
61 // Free the remote memory that contained the DLL's pathname
62 if (pszLibFileRemote != NULL)
63 VirtualFreeEx(hProcess, pszLibFileRemote, 0 , MEM_RELEASE);
64
65 if (hThread != NULL)
66 CloseHandle(hThread);
67
68 if (hProcess != NULL)
69 CloseHandle(hProcess);
70 }
71
72 return (fOk);
73 }
74
75
76 // /
77
78
79 BOOL WINAPI InjectLibA(DWORD dwProcessId, PCSTR pszLibFile) {
80
81 // Allocate a (stack) buffer for the Unicode version of the pathname
82 PWSTR pszLibFileW = (PWSTR)
83 _alloca((lstrlenA(pszLibFile) + 1 ) * sizeof (WCHAR));
84
85 // Convert the ANSI pathname to its Unicode equivalent
86 wsprintfW(pszLibFileW, L " %S " , pszLibFile);
87
88 // Call the Unicode version of the function to actually do the work.
89 return (InjectLibW(dwProcessId, pszLibFileW));
90 }
91
92
93 // /
94
95
96 BOOL WINAPI EjectLibW(DWORD dwProcessId, PCWSTR pszLibFile) {
97
98 BOOL fOk = FALSE; // Assume that the function fails
99 HANDLE hthSnapshot = NULL;
100 HANDLE hProcess = NULL, hThread = NULL;
101
102 __try {
103 // Grab a new snapshot of the process
104 hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
105 if (hthSnapshot == NULL) __leave;
106
107 // Get the HMODULE of the desired library
108 MODULEENTRY32W me = { sizeof (me) };
109 BOOL fFound = FALSE;
110 BOOL fMoreMods = Module32FirstW(hthSnapshot, & me);
111 for (; fMoreMods; fMoreMods = Module32NextW(hthSnapshot, & me)) {
112 fFound = (lstrcmpiW(me.szModule, pszLibFile) == 0 ) ||
113 (lstrcmpiW(me.szExePath, pszLibFile) == 0 );
114 if (fFound) break ;
115 }
116 if ( ! fFound) __leave;
117
118 // Get a handle for the target process.
119 hProcess = OpenProcess(
120 PROCESS_QUERY_INFORMATION | // Required by Alpha
121 PROCESS_CREATE_THREAD |
122 PROCESS_VM_OPERATION, // For CreateRemoteThread
123 FALSE, dwProcessId);
124 if (hProcess == NULL) __leave;
125
126 // Get the real address of LoadLibraryW in Kernel32.dll
127 PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
128 GetProcAddress(GetModuleHandle(TEXT( " Kernel32 " )), " FreeLibrary " );
129 if (pfnThreadRtn == NULL) __leave;
130
131 // Create a remote thread that calls LoadLibraryW(DLLPathname)
132 hThread = CreateRemoteThread(hProcess, NULL, 0 ,
133 pfnThreadRtn, me.modBaseAddr, 0 , NULL);
134 if (hThread == NULL) __leave;
135
136 // Wait for the remote thread to terminate
137 WaitForSingleObject(hThread, INFINITE);
138
139 fOk = TRUE; // Everything executed successfully
140 }
141 __finally { // Now we can clean everything up
142
143 if (hthSnapshot != NULL)
144 CloseHandle(hthSnapshot);
145
146 if (hThread != NULL)
147 CloseHandle(hThread);
148
149 if (hProcess != NULL)
150 CloseHandle(hProcess);
151 }
152
153 return (fOk);
154 }
155
156
157 // /
158
159
160 BOOL WINAPI EjectLibA(DWORD dwProcessId, PCSTR pszLibFile) {
161
162 // Allocate a (stack) buffer for the Unicode version of the pathname
163 PWSTR pszLibFileW = (PWSTR)
164 _alloca((lstrlenA(pszLibFile) + 1 ) * sizeof (WCHAR));
165
166 // Convert the ANSI pathname to its Unicode equivalent
167 wsprintfW(pszLibFileW, L " %S " , pszLibFile);
168
169 // Call the Unicode version of the function to actually do the work.
170 return (EjectLibW(dwProcessId, pszLibFileW));
171 }
172
(支援ANSI和UNICODE兩種版本的API)
轉載于:https://www.cnblogs.com/shiweifu/archive/2010/07/29/1788332.html