这几天研究关于HOOK API的问题,DLL写了一大堆,倒是略有所得
但之前都是用全局钩子来注入:DLL 会被载入每一个带消息循环的进程,所以载入时要做一大堆判断,否则一旦出错就会波及一大片进程,甚至把系统搞崩
所以就试着自己写了个远程线程植入DLL的工具
C#写的界面调用C++写的DLL 完成植入功能
本来打算全部实现都写到exe程序里的,但是用了C#以后感觉MFC实在太重了,伤不起
下面贴出DLL的代码
这是导出函数的头文件 export.h
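#pragma once
// Exported (undecorated, extern "C") entry points of RemoteThreadDLL.dll, consumed
// from C# through DllImport. windows.h is included here so the header is
// self-contained (DWORD, LPCTSTR) instead of relying on include order.
#include <windows.h>

#define EXPORT_C extern "C" __declspec(dllexport)

// Injects the DLL at szDllName (full path, TCHAR string) into process Pid by
// running LoadLibrary on a remote thread. Only one injection is tracked at a
// time; returns false while one is active or when any step fails.
// NOTE: these return C++ `bool` (1 byte), not Win32 BOOL (4 bytes) — the C#
// side must marshal the return as UnmanagedType.I1 or read undefined upper bits.
EXPORT_C bool LoadDLL(DWORD Pid, LPCTSTR szDllName);
// Unloads the DLL recorded by the last successful LoadDLL() from that process.
EXPORT_C bool FreeDLL();
// Trivial export, presumably a smoke test for the P/Invoke binding.
EXPORT_C int TestSum(int a, int b);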
C#调用的话,是在主类中做静态声明
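// P/Invoke bindings for RemoteThreadDLL.dll (see export.h).
// - CharSet.Unicode: the native side takes LPCTSTR built as UNICODE, so the path
//   must be marshalled as UTF-16 (without it the string arrives garbled).
// - CallingConvention.Cdecl: export.h declares plain extern "C" prototypes with no
//   __stdcall, which MSVC compiles as __cdecl by default, and the undecorated
//   EntryPoint names confirm it; the DllImport default (Winapi = StdCall) would
//   mismatch on x86. If the DLL is built with /Gz, change this to StdCall. On x64
//   the two conventions are identical.
// - [return: MarshalAs(UnmanagedType.I1)]: C++ `bool` is one byte, while a C# bool
//   return is marshalled as a 4-byte Win32 BOOL by default, so a native `false`
//   can be read as `true` when the upper bytes of the return register are undefined.
[DllImport("RemoteThreadDLL.dll", EntryPoint = "LoadDLL", CharSet = CharSet.Unicode,
           CallingConvention = CallingConvention.Cdecl)]
[return: MarshalAs(UnmanagedType.I1)]
public static extern bool LoadDLL(int Pid, string szDllName);   // Pid: Process.Id (int here, DWORD natively)

[DllImport("RemoteThreadDLL.dll", EntryPoint = "FreeDLL",
           CallingConvention = CallingConvention.Cdecl)]
[return: MarshalAs(UnmanagedType.I1)]
public static extern bool FreeDLL();

[DllImport("RemoteThreadDLL.dll", EntryPoint = "TestSum",
           CallingConvention = CallingConvention.Cdecl)]
public static extern int TestSum(int a, int b);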
一开始调用 LoadDLL 函数没反应,不得已又去用 C++ Win32 程序调试(C# 无法跟进 DLL 里单步调试,不给力啊),结果一切正常
后来几经求索,原来导入函数的时候,导入设置必须正确
CharSet = CharSet.Unicode
这个一开始没有显式声明,因为 C# 和 DLL 都是用的 Unicode 编码,以为没有问题
结果C#调用传进去的 包含DLL文件的string是乱码,汗
CallingConvention = CallingConvention.StdCall
本来还有这一条,表示按 __stdcall 调用导入函数;DllImport 不写时默认就是 Winapi(Windows 上等于 StdCall),所以省略了。不过要注意:export.h 里的函数只写了 extern "C",没有加 __stdcall,MSVC 默认按 __cdecl(/Gd)编译,导出名也是未修饰的,x86 下两边的调用约定其实并不一致(Debug 下 CLR 会报 pInvokeStackImbalance),应该显式写 CallingConvention.Cdecl,或者在 C++ 端声明 __stdcall 并用 .def 文件导出;x64 下两者没有区别
另外,C# 调用的 C++ DLL 里,DllMain 中不能随便执行代码:DllMain 是在加载器锁(loader lock)下运行的,只能调用很有限的一组 API,在里面做加载其他 DLL、等待线程、弹窗之类的事情很容易死锁或者静默失败。这里 DllMain 里本来就没什么要做的,所以没去管它
首先是提升权限的函数:启用本进程令牌里的 SeDebugPrivilege,这样 OpenProcess 才能打开其他用户/SYSTEM 的进程(受保护进程仍然打不开,而且没有管理员权限的令牌里根本没有这个特权)
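// Enables SeDebugPrivilege in the current process token so that OpenProcess()
// can bypass the target's DACL (processes of other users / SYSTEM).
//
// Returns true only when the privilege is actually enabled. The earlier
// version trusted the return value of AdjustTokenPrivileges(), but that call
// returns TRUE even when the privilege is not present in the token and only
// reports ERROR_NOT_ALL_ASSIGNED through GetLastError(); it also leaked the
// token handle on the success path.
bool EnablePrivilege()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        MSG(TEXT("OpenProcessToken Error!"));
        return false;
    }

    bool bEnabled = false;
    LUID luidDebug = {};
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luidDebug))
    {
        MSG(TEXT("LookupPrivilegeValue Error !"));
    }
    else
    {
        TOKEN_PRIVILEGES tp = {};
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = luidDebug;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL))
        {
            MSG(TEXT("AdjustTokenPrivileges Failed !"));
        }
        else if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        {
            // Read immediately after the call: the privilege is not in this
            // token (non-admin or filtered token), so nothing was enabled.
            MSG(TEXT("SeDebugPrivilege not held by this token !"));
        }
        else
        {
            bEnabled = true;
        }
    }

    // Close on every path; the token handle was previously leaked on success.
    CloseHandle(hToken);
    return bEnabled;
}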
以下是 DLL 中 LoadDLL 函数的代码,负责把目标 DLL 远程植入指定进程
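// Injects szDllName into process Pid by running LoadLibrary on a remote thread.
//
// Steps: resolve LoadLibrary in our own kernel32 (same address in every process
// of the same bitness), enable SeDebugPrivilege, open the target, write the DLL
// path into it, start a remote thread on LoadLibrary with that buffer as the
// argument, wait for it and read its result. Records Pid and the path in
// g_Pid / g_szDllName for FreeDLL() and sets g_bInjected.
//
// Returns true only when the remote LoadLibrary returned a non-zero module
// handle. Returns false — after a MSG() naming the step that failed — when a
// previous injection is still active, an argument is empty, or any step fails;
// the globals are then reset so a later call starts clean.
//
// Fixes relative to the earlier version: OpenProcess returns NULL on failure,
// not INVALID_HANDLE_VALUE, so the old check never fired; the result of
// WriteProcessMemory was ignored; the remote LoadLibrary's return value was
// never checked, so a DLL that failed to load (wrong bitness, missing file)
// was still reported as injected; the path buffer was allocated RWX although
// it only ever holds string data.
//
// Caveats a caller should know:
//  - szDllName should be an absolute path (the C# front end passes one). A bare
//    file name is resolved by the *target's* DLL search order, the classic
//    DLL search-order hijack exposure.
//  - The DLL must match the target's bitness, otherwise LoadLibrary fails in
//    the target and this function returns false.
//  - The wait is unbounded: a DllMain that blocks inside the target blocks us.
bool LoadDLL(DWORD Pid, LPCTSTR szDllName)
{
    // Validate arguments: PID 0 and an empty path can never be injected.
    if (Pid == 0 || szDllName == NULL || lstrlen(szDllName) <= 0)
        return false;
    // Only one injection is tracked at a time; FreeDLL() must run first.
    if (g_bInjected)
        return false;

    const int cchDll = lstrlen(szDllName) + 1;             // incl. terminating NUL
    const DWORD dwSize = (DWORD)cchDll * sizeof(TCHAR);    // bytes to copy

    // Record the target for FreeDLL(); delete[] of NULL is a no-op.
    delete [] g_szDllName;
    g_szDllName = new TCHAR[cchDll];
    lstrcpy(g_szDllName, szDllName);
    g_Pid = Pid;

    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    LPVOID lpBase = NULL;
    int iStep = 0;          // steps completed, for the failure message
    bool bLoaded = false;

    do
    {
        // Step 1: LoadLibrary must take the same character width as the
        // TCHAR buffer we write, so pick the A/W variant matching the build.
#ifdef UNICODE
        LPCSTR pszLoadLibrary = "LoadLibraryW";
#else
        LPCSTR pszLoadLibrary = "LoadLibraryA";
#endif
        PTHREAD_START_ROUTINE pfnThreadProc = (PTHREAD_START_ROUTINE)GetProcAddress(
            GetModuleHandle(TEXT("Kernel32.dll")), pszLoadLibrary);
        if (pfnThreadProc == NULL)
            break;
        iStep = 1;

        // Step 2: SeDebugPrivilege lets OpenProcess bypass the target's DACL.
        if (!EnablePrivilege())
            break;
        iStep = 2;

        // Step 3: open the target. PROCESS_QUERY_INFORMATION is part of the
        // documented access set required by CreateRemoteThread.
        const DWORD dwDesire = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                               PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;
        hProcess = OpenProcess(dwDesire, FALSE, g_Pid);
        if (hProcess == NULL)   // NULL on failure, e.g. PID does not exist
            break;
        iStep = 3;

        // Step 4: buffer for the path inside the target. Data only, so no
        // execute bit (PAGE_READWRITE, not PAGE_EXECUTE_READWRITE).
        lpBase = VirtualAllocEx(hProcess, NULL, dwSize,
                                MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (lpBase == NULL)
            break;
        iStep = 4;

        // Step 5: copy the path; check the return value and the byte count.
        SIZE_T cbWritten = 0;
        if (!WriteProcessMemory(hProcess, lpBase, g_szDllName, dwSize, &cbWritten) ||
            cbWritten != dwSize)
            break;
        iStep = 5;

        // Step 6: LoadLibrary(lpBase) on a new thread inside the target.
        hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadProc, lpBase, 0, NULL);
        if (hThread == NULL)
            break;
        iStep = 6;

        // Step 7: wait for LoadLibrary and read its result. The thread exit
        // code is LoadLibrary's return value (a DWORD, so truncated on x64);
        // 0 means the load failed inside the target.
        WaitForSingleObject(hThread, INFINITE);
        DWORD dwExitCode = 0;
        if (!GetExitCodeThread(hThread, &dwExitCode) || dwExitCode == 0)
            break;
        bLoaded = true;
    } while (0);

    // Release everything we hold in the target, on both paths.
    if (hThread != NULL)
        CloseHandle(hThread);
    if (lpBase != NULL)
        VirtualFreeEx(hProcess, lpBase, 0, MEM_RELEASE);   // MEM_RELEASE requires size 0
    if (hProcess != NULL)
        CloseHandle(hProcess);

    if (bLoaded)
    {
        g_bInjected = true;
        return true;
    }

    // Failure: forget the target so FreeDLL() is not run against a DLL that
    // was never loaded, then report which step broke.
    g_Pid = 0;
    delete [] g_szDllName;
    g_szDllName = NULL;
    TCHAR szBreakMsg[64] = {};
    wsprintf(szBreakMsg, TEXT("执行完成前%d步,第%d步中断"), iStep, iStep + 1);
    MSG(szBreakMsg);
    return false;
}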
一开始没用switch这种格式,结果每执行一步都要判断是否成功,不成功还要Close之前打开的Handle
重复代码成片成片,可读性极差,不由得想到了Goto,但是忍住了没用,后来灵感突现,就想到了这一格式
写完之后总体感觉看起来不错,还方便调试输出(不用切 C++ 跟步调试了),不得不说 C++ 的 switch 特性真是 nice 啊(VB 的话就自动帮你 break 了。。。)。不过这种写法完全依赖 case 之间的隐式贯穿(fall-through),编译器会给警告;而且第二个 switch 里用到的 hProcess、lpBase 在前面步骤失败时根本没有初始化,全靠 iStep 的取值保证不会碰到它们,维护时要小心
以下是FreeDLL远程卸载DLL的代码
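// Unloads the DLL recorded by the last LoadDLL() from process g_Pid.
//
// Runs GetModuleHandle(path) on a remote thread in the target to find the
// module, then FreeLibrary(hModule) on another. Repeats because the DLL may
// hold more than one reference (each LoadLibrary adds one) until
// GetModuleHandle reports it gone, then clears g_Pid / g_szDllName /
// g_bInjected and returns true. Returns false, after a MSG() naming the failed
// step, when nothing is recorded or any step fails.
//
// Fixes relative to the earlier version: the error path called VirtualAllocEx
// instead of VirtualFreeEx, allocating a second buffer in the target instead of
// freeing the first; OpenProcess failure was compared with INVALID_HANDLE_VALUE
// (it returns NULL); the module handle was produced by writing a DWORD exit
// code into a pointer-sized HMODULE; the unload loop had no upper bound, so a
// module that FreeLibrary reports as freed but never unloads (e.g. a pinned or
// system DLL) would spin forever, creating threads in the target; the path
// buffer was RWX although it only holds string data.
//
// Limitation: a thread exit code is 32 bits, so the HMODULE read back from a
// 64-bit target would be truncated and FreeLibrary would get a wrong handle.
// This unload path is only reliable for 32-bit targets.
bool FreeDLL()
{
    // Nothing recorded -> nothing to unload. lstrlen(NULL) is documented to
    // return 0, but keep the pointer test explicit.
    if (g_Pid == 0 || g_szDllName == NULL || lstrlen(g_szDllName) == 0)
        return false;

    const int kMaxFreeRounds = 64;   // bound on GetModuleHandle/FreeLibrary rounds
    const DWORD dwSize = (DWORD)(lstrlen(g_szDllName) + 1) * sizeof(TCHAR);
    HANDLE hProcess = NULL;
    LPVOID lpBase = NULL;
    int iStep = 0;          // steps completed, for the failure message
    bool bUnloaded = false;

    do
    {
        HMODULE hKernel32 = GetModuleHandle(TEXT("Kernel32.dll"));

        // Step 1: GetModuleHandle variant matching the TCHAR path we write.
#ifdef UNICODE
        LPCSTR pszGetModuleHandle = "GetModuleHandleW";
#else
        LPCSTR pszGetModuleHandle = "GetModuleHandleA";
#endif
        PTHREAD_START_ROUTINE pfnGetModule =
            (PTHREAD_START_ROUTINE)GetProcAddress(hKernel32, pszGetModuleHandle);
        if (pfnGetModule == NULL)
            break;
        iStep = 1;

        // Step 2: FreeLibrary has a single (handle) signature.
        PTHREAD_START_ROUTINE pfnFreeLibrary =
            (PTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "FreeLibrary");
        if (pfnFreeLibrary == NULL)
            break;
        iStep = 2;

        // Step 3: SeDebugPrivilege so OpenProcess can bypass the target's DACL.
        if (!EnablePrivilege())
            break;
        iStep = 3;

        // Step 4: open the target; NULL on failure (not INVALID_HANDLE_VALUE).
        const DWORD dwDesire = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                               PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;
        hProcess = OpenProcess(dwDesire, FALSE, g_Pid);
        if (hProcess == NULL)
            break;
        iStep = 4;

        // Step 5: buffer for the path inside the target; data only, no execute bit.
        lpBase = VirtualAllocEx(hProcess, NULL, dwSize,
                                MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (lpBase == NULL)
            break;
        iStep = 5;

        // Step 6: copy the path; check the return value and the byte count.
        SIZE_T cbWritten = 0;
        if (!WriteProcessMemory(hProcess, lpBase, g_szDllName, dwSize, &cbWritten) ||
            cbWritten != dwSize)
            break;
        iStep = 6;

        // Step 7: drop references until the module is gone, with an upper bound.
        for (int iRound = 0; iRound < kMaxFreeRounds; ++iRound)
        {
            // Locate the module; exit code 0 -> not (or no longer) loaded.
            DWORD dwModule = 0;
            HANDLE hGetModThread = CreateRemoteThread(hProcess, NULL, 0,
                                                      pfnGetModule, lpBase, 0, NULL);
            if (hGetModThread == NULL)
                break;
            WaitForSingleObject(hGetModThread, INFINITE);
            if (!GetExitCodeThread(hGetModThread, &dwModule))
                dwModule = 0;
            CloseHandle(hGetModThread);
            if (dwModule == 0)
            {
                bUnloaded = true;
                break;
            }

            // Drop one reference. FreeLibrary returning FALSE means the module
            // is still mapped and no progress is possible, so give up.
            DWORD dwFreed = 0;
            HANDLE hFreeThread = CreateRemoteThread(hProcess, NULL, 0, pfnFreeLibrary,
                                                    (LPVOID)(ULONG_PTR)dwModule, 0, NULL);
            if (hFreeThread == NULL)
                break;
            WaitForSingleObject(hFreeThread, INFINITE);
            if (!GetExitCodeThread(hFreeThread, &dwFreed))
                dwFreed = 0;
            CloseHandle(hFreeThread);
            if (dwFreed == 0)
                break;
        }
        // bUnloaded is still false here when a remote thread could not be
        // created, FreeLibrary failed, or the round cap was hit.
    } while (0);

    // Release what we hold in the target on both paths (this used to call
    // VirtualAllocEx by mistake in the error path).
    if (lpBase != NULL)
        VirtualFreeEx(hProcess, lpBase, 0, MEM_RELEASE);   // MEM_RELEASE requires size 0
    if (hProcess != NULL)
        CloseHandle(hProcess);

    if (bUnloaded)
    {
        g_Pid = 0;
        g_bInjected = false;
        delete [] g_szDllName;
        g_szDllName = NULL;
        return true;
    }

    TCHAR szBreakMsg[64] = {};
    wsprintf(szBreakMsg, TEXT("执行完成前%d步,第%d步中断"), iStep, iStep + 1);
    MSG(szBreakMsg);
    return false;
}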
最后是C#的界面程序,几个控件一摆,几行代码就完事了,各位可以自己去写,后面也有整个源码的地址
大概是功能就是一个combo加载系统所有的进程,然后一个textbox是要传入的DLL文件(完整路径)
两个按钮,一个调用LoadDLL,一个调用FreeDLL
关于 C# 遍历进程,.NET 库里已经有个非常方便的类封装好了(C++ 下要自己用 CreateToolhelp32Snapshot / Process32First / Process32Next 去遍历,麻烦得多)
using System.Diagnostics;
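// Main form: fills cmbProcess with the running processes and lets the user
// pick a DLL path; the two buttons (not shown here) call LoadDLL / FreeDLL.
// `partial` because InitializeComponent() comes from the designer file.
public partial class Form1 : Form
{
    // Snapshot taken at startup; index i of cmbProcess corresponds to sysPros[i],
    // so a button handler can take sysPros[cmbProcess.SelectedIndex].Id.
    private Process[] sysPros;
    private OpenFileDialog openDlg;

    public Form1()
    {
        InitializeComponent();
        openDlg = new OpenFileDialog();

        // Display "name (pid)" rather than the bare name: several processes can
        // share a ProcessName (svchost, browser tabs, ...) and LoadDLL needs the
        // PID, which a name alone cannot recover. Items are added in array order
        // so SelectedIndex still maps onto sysPros.
        sysPros = Process.GetProcesses();
        foreach (Process proc in sysPros)
        {
            cmbProcess.Items.Add(string.Format("{0} ({1})", proc.ProcessName, proc.Id));
        }
    }
}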
sysPros 数组中保存了每个进程的信息,包括进程名(没有后缀)和 PID。注意同名进程(比如好几个 svchost)光凭 ProcessName 区分不开,按钮里调用 LoadDLL 时应该用 cmbProcess.SelectedIndex 回到 sysPros 里取 Process.Id,而不是按名字去找