注入的过程大概就是:
(1)找到目标进程,并得到进程ID
(2)获得目标进程句柄
(3)分配/写内存(为LoadLibraryA的参数分配空间并写入)
(4)创建远程线程
(5)释放内存
==============================================================================
(1)找到目标进程,并得到进程ID
首先创建一个进程列表的快照,用CreateToolhelp32Snapshot
HANDLE WINAPI CreateToolhelp32Snapshot(
DWORD dwFlags,
DWORD th32ProcessID
);
dwFlags这个参数用TH32CS_SNAPPROCESS,th32ProcessID就用0了;
接着就用Process32First和Process32Next逐个查找目标进程
BOOL WINAPI Process32First(
HANDLE hSnapshot,
LPPROCESSENTRY32 lppe
);
BOOL WINAPI Process32Next(
HANDLE hSnapshot,
LPPROCESSENTRY32 lppe
);
PROCESSENTRY32这个结构体中szExeFile就是进程名,th32ProcessID是进程ID
(2)获得目标进程句柄
这个就用OpenProcess这个函数了
HANDLE OpenProcess(
DWORD dwDesiredAccess, // access flag
BOOL bInheritHandle, // handle inheritance flag
DWORD dwProcessId // process identifier
);
dwDesiredAccess用PROCESS_CREATE_THREAD(允许远程创建线程)
PROCESS_VM_OPERATION(允许远程VM操作)
PROCESS_VM_WRITE(允许远程VM写,就是可以用WriteProcessMemory写内存)
为了简单也可以直接用PROCESS_ALL_ACCESS
(3)分配内存(为LoadLibraryA的参数分配空间)
先要用到VirtualAllocEx来分配一段内存空间来写
LPVOID VirtualAllocEx(
HANDLE hProcess, // 这个填用OpenProcess获得的句柄
LPVOID lpAddress, // desired starting address of allocation
DWORD dwSize, // 要分配的内存大小
DWORD flAllocationType,// 用MEM_COMMIT
DWORD flProtect //用PAGE_READWRITE
);
然后用WriteProcessMemory写入LoadLibraryA的参数(比如“dll.dll”)
BOOL WriteProcessMemory(
HANDLE hProcess, // 这个填用OpenProcess获得的句柄
LPVOID lpBaseAddress, // 就是用VirtualAllocEx获得的地址
LPVOID lpBuffer, // 就是“dll.dll”咯
DWORD nSize, // “dll.dll”的长度加1
LPDWORD lpNumberOfBytesWritten // actual number of bytes written
);
(4)创建远程线程
这里首先要获得LoadLibraryA的地址
直接用LPVOID LpFun=LoadLibraryA;
HANDLE CreateRemoteThread(
HANDLE hProcess, // 用OpenProcess获得的句柄
LPSECURITY_ATTRIBUTES lpThreadAttributes, // pointer to security attributes
DWORD dwStackSize, // initial thread stack size, in bytes
LPTHREAD_START_ROUTINE lpStartAddress, // LpFun(还要转换类型)
LPVOID lpParameter, // “dll.dll”的地址,已用VirtualAllocEx得到
DWORD dwCreationFlags, // creation flags
LPDWORD lpThreadId // pointer to returned thread identifier
);
(5)释放内存
释放前要确保LoadLibraryA已执行完毕(即已不需要“dll.dll”这个字符串)
DWORD WaitForSingleObject(
HANDLE hHandle, // handle to object to wait for
DWORD dwMilliseconds // time-out interval in milliseconds
);
如果执行完毕就接着用VirtualFreeEx释放内存
BOOL VirtualFreeEx(
HANDLE hProcess, // process within which to free memory
LPVOID lpAddress, // starting address of memory region to free
DWORD dwSize, // size, in bytes, of memory region to free
DWORD dwFreeType // type of free operation
);
=========源码如下=============================================
#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>
// Forward declaration of the worker defined below. Empty parentheses mean
// "unspecified arguments" in C; `void Inject(void)` would be the strict prototype.
void Inject();
// Program entry point. All work is delegated to Inject(); the four standard
// WinMain parameters are not used and are explicitly discarded so the build
// stays free of unused-parameter warnings. Always exits with status 0.
int WINAPI WinMain(
HINSTANCE hInstance, // handle to current instance
HINSTANCE hPrevInstance, // handle to previous instance
LPSTR lpCmdLine, // pointer to command line
int nCmdShow // show state of window
)
{
(void)hInstance;
(void)hPrevInstance;
(void)lpCmdLine;
(void)nCmdShow;
Inject();
return 0;
}
/*
 * Inject: walks a Toolhelp process snapshot looking for an image name that
 * contains "dj.exe", then makes that process load "dl.dll" by writing the
 * DLL name into its address space and starting a remote thread at
 * LoadLibraryA (the CreateRemoteThread technique described above).
 * Failures are reported with MessageBox; the function returns nothing.
 *
 * Review notes — defects present in this listing, left unchanged here:
 *  - Lppe[i].dwSize is never set to sizeof(PROCESSENTRY32). Process32First
 *    requires it and fails otherwise; its return value is also ignored.
 *  - Lppe holds 30 entries but the loop index i is never bounded, so a
 *    system with more than 30 processes writes past the array.
 *  - buf is 20 bytes while szExeFile is MAX_PATH wide; sprintf can overflow
 *    buf for longer image names.
 *  - The snapshot handle, OpenProcess result and CreateRemoteThread result
 *    are not checked, and the snapshot handle is never closed.
 *  - When VirtualAllocEx or WriteProcessMemory fails only a message is shown;
 *    execution continues and the remote thread is still created.
 *  - VirtualFreeEx with MEM_DECOMMIT decommits the pages but leaves the
 *    reservation made by VirtualAllocEx in place (MEM_RELEASE frees it, and
 *    then requires dwSize == 0); the return value is unchecked.
 *  - Lowercase `false` is not a C identifier (FALSE is the Win32 macro), so
 *    this listing presumably builds as C++ — not verifiable from here.
 *
 * Detection / mitigation notes: opening a process with PROCESS_CREATE_THREAD |
 * PROCESS_VM_OPERATION | PROCESS_VM_WRITE and then creating a remote thread at
 * LoadLibraryA is the textbook injection pattern. Sysmon records the access as
 * ProcessAccess (event 10) and the thread as CreateRemoteThread (event 8), and
 * EDR products commonly alert on exactly this sequence. OpenProcess fails for
 * protected or higher-integrity targets, a case this code does not handle.
 */
void Inject()
{
PROCESSENTRY32 Lppe[30]; // capacity 30; dwSize of the entries is never initialised
DWORD targetID=0; // stays 0 when no matching process is found
// Snapshot of every process on the system; INVALID_HANDLE_VALUE on failure is not checked.
HANDLE snapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
// Return value ignored; the call fails when Lppe[0].dwSize is 0.
Process32First(snapshot,&Lppe[0]);
int i=1;
char buf[20]={0}; // too small for szExeFile (MAX_PATH) — see header note
// i is never compared against 30, so &Lppe[i] can point past the array.
while (Process32Next(snapshot,&Lppe[i]))
{
sprintf(buf,"%s",Lppe[i].szExeFile); // unbounded copy into a 20-byte buffer
// Case-sensitive substring match: also matches any longer name containing "dj.exe".
if (strstr(buf,"dj.exe"))
{
targetID=Lppe[i].th32ProcessID;
break;
}
i++;
}
if (targetID==0)
{
MessageBox(NULL,"not find!!","!",0);
return; // NOTE: snapshot handle is leaked on this path as well
}
DWORD size=strlen("dl.dll")+1; // include the NUL terminator so the target reads a proper C string
// Minimal rights for writing memory and starting a thread; returns NULL on
// failure (access denied, protected process) and is not checked.
HANDLE target=OpenProcess(PROCESS_CREATE_THREAD |PROCESS_VM_OPERATION
|PROCESS_VM_WRITE,false,targetID);
// Commit `size` bytes in the target at an address chosen by the system.
LPVOID DLn=VirtualAllocEx(target,NULL,size,
MEM_COMMIT,PAGE_READWRITE);
if (DLn==NULL)
{
// Failure is only reported; the function continues with DLn == NULL.
MessageBox(NULL,"!!","!",0);
}
// Copy the DLL name (with terminator) into the remote buffer.
BOOL ou=WriteProcessMemory(target,DLn,"dl.dll",
size,NULL);
if (!ou)
{
// Failure is only reported; the remote thread is still created below.
MessageBox(NULL,"WriteProcessMemory Error",0,0);
}
// The local address of LoadLibraryA is reused as the remote start address;
// this assumes kernel32 is mapped at the same base in the target (same
// bitness) — assumed by the tutorial, not verified by the code.
LPTHREAD_START_ROUTINE taddr=(LPTHREAD_START_ROUTINE)LoadLibraryA;
// NULL is passed for the DWORD parameters dwStackSize and dwCreationFlags
// (equivalent to 0); the returned thread handle is not checked for NULL.
HANDLE tt=CreateRemoteThread(target,NULL,NULL,taddr,DLn,NULL,NULL);
WaitForSingleObject( tt, INFINITE ); // must wait until LoadLibrary has finished loading
// MEM_DECOMMIT only decommits; the reservation from VirtualAllocEx remains.
VirtualFreeEx( target, DLn,size, MEM_DECOMMIT );
CloseHandle(tt);
CloseHandle(target);
// The snapshot handle from CreateToolhelp32Snapshot is never closed.
}
=====================================================================
(注:非原创,仅整理了一遍,关于DLL的卸载请看原文http://www.pconline.com.cn/pcjob/process/other/others/0512/732808.html)