- 简介:注入代码到远程进程,在目标进程创建一个线程,执行期望的代码。
- 项目需求:创建远程线程,并可以实现远程注入DLL.
- 项目分析:使用CreateRemoteThread在目标进程创建一个远程线程,执行自定义代码,自定义代码当然包括Load一个DLL,这样就可以实现远程注入DLL
- 项目实现:先在远程进程分配部分空间,然后向其中写入线程需要的参数和线程体本身,然后调用CreateRemoteThread执行那个远程线程体。
/*
 * InjectToRemoteProcess
 *
 * Copies the byte range starting at funcStart (sized from funcEnd, see the
 * note on dwThreadSize below), plus an optional parameter block, into the
 * process identified by dwProcessId and starts a thread there at the copied
 * code.  EnablePrivilege() is defined elsewhere in the project (not on this
 * page).
 *
 * dwProcessId  id of the target process; opened with PROCESS_ALL_ACCESS.
 * funcStart    first byte of the local function to copy.
 * funcEnd      marker past the end of that function; funcEnd - funcStart is
 *              the function's size, 2048 bytes of slack are added to it.
 * pParam       parameter block handed to the remote thread; not touched when
 *              dwParamSize == 0 (the thread then receives NULL).
 * dwParamSize  size of pParam in bytes.
 *
 * Returns nothing.  Every failure is reported with MessageBox and the function
 * returns immediately.
 *
 * Review notes (behaviour as written, not changed here):
 *  - hRemoteProcess and hRemoteThread are never passed to CloseHandle, on
 *    either the success or the failure paths.
 *  - SeDebugPrivilege is re-disabled only on the success path (last line);
 *    each early return leaves it enabled in the caller.
 *  - The OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
 *    CreateRemoteThread sequence is the textbook remote-thread injection
 *    pattern; host monitoring (e.g. Sysmon CreateRemoteThread events, EDR
 *    cross-process thread-creation rules) keys on exactly this chain.
 */
void __fastcall InjectToRemoteProcess(DWORD dwProcessId,PVOID funcStart,PVOID funcEnd,void * pParam,DWORD dwParamSize)
{
HANDLE hRemoteProcess=NULL; //remote process will be injected (never closed)
HANDLE hRemoteThread=NULL; //injected thread! (never NULL-checked or closed)
DWORD dwThreadSize=0; //bytes copied for the thread body (function + slack)
PVOID pRemoteThread=NULL; //address of the copied code inside the target
PVOID pRemoteParam=NULL; //address of the copied parameter block inside the target (NULL if none)
DWORD dwWriten=0; //byte count from WriteProcessMemory; later reused as the thread-id out-param
BOOL bRet=FALSE;
EnablePrivilege(SE_DEBUG_NAME,true);//enable SeDebugPrivilege in the caller; only disabled again at the very end of the success path
hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS,false,dwProcessId); //requests the full access mask on the target
if(hRemoteProcess == NULL)
{
MessageBox(NULL,"Failed to Open Process","Open Process Error",MB_OK | MB_APPLMODAL|MB_ICONWARNING);
return; //returns with SeDebugPrivilege still enabled
}
if (0 != dwParamSize)
{
pRemoteParam = VirtualAllocEx(hRemoteProcess,NULL,dwParamSize,MEM_COMMIT,PAGE_READWRITE); //alloc memory space for param!
if(pRemoteParam == NULL)
{
MessageBox(NULL,"Failed to Allocate Memory at Remote Process for Param","Alloc Memory Error!",MB_OK | MB_APPLMODAL | MB_ICONWARNING);
return; //hRemoteProcess is leaked here and on every later early return; privilege stays enabled
}
bRet = WriteProcessMemory(hRemoteProcess,pRemoteParam,pParam,dwParamSize,&dwWriten); //write param to remote alloced space! dwWriten is not compared against dwParamSize
if(!bRet)
{
MessageBox(NULL,"Failed to Write Param to Remote Process",NULL,MB_OK | MB_APPLMODAL | MB_ICONWARNING);
return;
}
}
dwThreadSize = (int)funcEnd - (int)funcStart+2048; //function size plus 2048 bytes of slack; the (int) casts truncate the pointers, so this is only meaningful in a 32-bit build
pRemoteThread = VirtualAllocEx(hRemoteProcess,NULL,dwThreadSize,MEM_COMMIT,PAGE_READWRITE); //alloc memory for remote thread!
if(pRemoteThread == NULL)
{
MessageBox(NULL,"Failed to Allocate Memory at Remote Process for Thread Code",NULL,MB_OK | MB_APPLMODAL | MB_ICONWARNING);
return;
}
bRet = WriteProcessMemory(hRemoteProcess,pRemoteThread,(LPVOID)funcStart,dwThreadSize,&dwWriten); //write function to remote memory space! copies dwThreadSize bytes from funcStart, i.e. also reads the 2048 slack bytes past funcEnd out of the local image
if(!bRet)
{
MessageBox(NULL,"Failed to Write Thread Code to Remote Process",NULL,MB_OK | MB_APPLMODAL | MB_ICONWARNING);
return;
}
hRemoteThread = CreateRemoteThread(hRemoteProcess,0,0,(DWORD(__stdcall *)(VOID*))pRemoteThread,pRemoteParam,0,&dwWriten); //last arg receives the new thread id (reuses dwWriten); the returned handle is neither checked for NULL nor closed
EnablePrivilege(SE_DEBUG_NAME,false); //disable SeDebugPrivilege again (success path only)
}
- 代码下载:Inject.rar
- 可执行文件下载:InjectRelease.rar