主要内容:
1) 获得某进程ID号;
2) 更改系统权限为Debug模式;
3) 将DLL注入到某进程中;
1) 获得进程ID号
函数
HANDLE WINAPI CreateToolhelp32Snapshot(
    DWORD dwFlags,        // 标志位,是为进程、线程等创建快照,如TH32CS_SNAPPROCESS为进程创建快照
    DWORD th32ProcessID   // 要获得的进程的ID,“0”获得当前进程ID
);
/*
 * Toolhelp process-snapshot entry, as reproduced on the page.
 * dwSize must be set to the structure size before the structure is
 * handed to Process32First/Process32Next (the page says so below the listing).
 */
typedef struct tagPROCESSENTRY32 {
    DWORD dwSize;               // size of the structure
    DWORD cntUsage;             // reference count of this process
    DWORD th32ProcessID;        // process ID
    DWORD th32DefaultHeapID;    // ID of the process's default heap
    DWORD th32ModuleID;         // module ID of the process
    DWORD cntThreads;           // number of threads started by this process
    DWORD th32ParentProcessID;  // parent process ID
    LONG  pcPriClassBase;       // thread priority (base priority class)
    DWORD dwFlags;              // reserved
    char  szExeFile[MAX_PATH];  // full name of the process executable
} PROCESSENTRY32;
使用时指定大小dwSize,存放进程相关信息。
BOOL WINAPI Process32First( HANDLE hSnapshot, LPPROCESSENTRY32 lppe );
BOOL WINAPI Process32Next( HANDLE hSnapshot, LPPROCESSENTRY32 lppe );
分别获得快照中第一个进程的信息和下一个进程的信息。
函数源码:
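/*
 * Walk a Toolhelp process snapshot and return the th32ProcessID of the
 * first entry whose szExeFile satisfies the strstr() test against
 * targetFile (see the note inside the loop).
 *
 * Returns: the matching process ID; 1 when the snapshot was walked to the
 * end without a match (the page's original "exhausted" sentinel, kept so
 * existing callers see the same value); (DWORD)-1 when the snapshot itself
 * could not be created.
 *
 * Fixes relative to the page's version: the snapshot handle is now closed
 * on every path (it was leaked), CreateToolhelp32Snapshot and
 * Process32First results are checked, and the accidental comma
 * expression `lPrs.dwSize = (&lPrs,sizeof(lPrs));` is written as a plain
 * assignment (it evaluated to the same value, but only by accident).
 *
 * NOTE: the name collides with the kernel32 export GetProcessId(HANDLE);
 * the signature is kept unchanged for the page's callers.
 */
DWORD GetProcessId()
{
    DWORD Pid = (DWORD)-1;
    const char *targetFile = "SERVICES.EXE";
    PROCESSENTRY32 lPrs;

    /* One snapshot of all processes; INVALID_HANDLE_VALUE on failure. */
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {
        return Pid;
    }

    ZeroMemory(&lPrs, sizeof(lPrs));
    lPrs.dwSize = sizeof(lPrs);   /* required before Process32First/Next */

    /* Process32First/Process32Next return FALSE once the list is exhausted
     * (or on error), which ends the walk. */
    BOOL found = FALSE;
    for (BOOL ok = Process32First(hSnap, &lPrs); ok; ok = Process32Next(hSnap, &lPrs)) {
        /* Kept as the page wrote it: targetFile is the haystack and
         * szExeFile the needle, so the substring test runs in that
         * direction. NOTE(review): confirm this is the intended comparison. */
        if (strstr(targetFile, lPrs.szExeFile)) {
            Pid = lPrs.th32ProcessID;
            found = TRUE;
            break;
        }
        /* The page re-zeroed the entry before each Next call; preserved. */
        ZeroMemory(&lPrs, sizeof(lPrs));
        lPrs.dwSize = sizeof(lPrs);
    }

    if (!found) {
        Pid = 1;   /* "walked to the end without a match" sentinel from the page */
    }

    CloseHandle(hSnap);   /* was never closed in the original: handle leak */
    return Pid;
}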
更改系统权限,方便通过进程ID号打开任意进程,以便将DLL插入该进程中运行。
函数说明:
OpenProcessToken 的说明可参见百度百科。
源码:
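/*
 * Enable the named privilege (the page passes SE_DEBUG_NAME) on the current
 * process token via the OpenProcessToken / LookupPrivilegeValue /
 * AdjustTokenPrivileges sequence.
 *
 * name: privilege name as understood by LookupPrivilegeValue.
 *
 * Returns 0 when the privilege was enabled, -1 otherwise. The page's
 * version always returned 0, used hToken without checking that
 * OpenProcessToken had filled it, and never closed the token handle;
 * callers that ignore the result (as InjectDll does) are unaffected.
 */
int EnableDebugPriv(const char *name)
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tp;
    LUID luid;
    int rc = -1;

    /* Open our own token for privilege adjustment. */
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return rc;
    }

    /* Resolve the privilege name to its locally unique identifier. */
    if (!LookupPrivilegeValue(NULL, name, &luid)) {
        goto out;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    /* AdjustTokenPrivileges can return TRUE even when the privilege is not
     * held by the token; that case is reported through GetLastError() as
     * ERROR_NOT_ALL_ASSIGNED, so both must be checked. */
    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) {
        goto out;
    }
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        goto out;
    }
    rc = 0;

out:
    CloseHandle(hToken);   /* leaked in the original on every call */
    return rc;
}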
注入DLL
// NOTE(review): winnt.h already defines SE_DEBUG_NAME with the same replacement
// list, so this redefinition should compile without a conflict; the directive
// must stay on one line (the page had it split across two).
#define SE_DEBUG_NAME TEXT("SeDebugPrivilege") //Required to debug and adjust the memory of a process owned by another account.
//User Right: Debug programs.
/*
 * LoadLibraryA remote-thread injection as presented on the page: the DLL
 * path is copied into the target process and a thread is started there at
 * kernel32!LoadLibraryA with that string as its argument.
 *
 * DllFullPath: NUL-terminated path handed to LoadLibraryA in the target.
 * dwRemoteProcessId: target process ID (the page obtains it from GetProcessId).
 * Returns TRUE when CreateRemoteThread returned a handle, FALSE otherwise.
 *
 * NOTE(review): the results of OpenProcess, VirtualAllocEx, WriteProcessMemory
 * and GetProcAddress are used without being checked, and hRemoteProcess is
 * not closed on the FALSE path. lstrlen/GetModuleHandle resolve to their W
 * variants under UNICODE while DllFullPath is a char*; confirm the build
 * is ANSI. From a defender's view, this OpenProcess(PROCESS_ALL_ACCESS) ->
 * VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread(LoadLibraryA)
 * sequence is the textbook pattern that endpoint monitoring is commonly
 * tuned to report.
 */
BOOL InjectDll(const char *DllFullPath,const DWORD dwRemoteProcessId)
{
    HANDLE hRemoteProcess;
    EnableDebugPriv(SE_DEBUG_NAME);
    hRemoteProcess = OpenProcess( PROCESS_ALL_ACCESS,FALSE,dwRemoteProcessId);
    char *pszLibFileRemote;
    pszLibFileRemote = NULL;
    // Use VirtualAllocEx to reserve space for the DLL file name in the remote
    // process's address space.
    pszLibFileRemote = (char *)VirtualAllocEx(hRemoteProcess,NULL,lstrlen(DllFullPath)+1,MEM_COMMIT,PAGE_READWRITE);
    // Use WriteProcessMemory to copy the DLL path into the remote process.
    WriteProcessMemory(hRemoteProcess,pszLibFileRemote,(void *)DllFullPath,lstrlen(DllFullPath)+1,NULL);
    // Resolve the entry address of LoadLibraryA.
    PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32.dll")),"LoadLibraryA");
    // Start a remote thread at LoadLibraryA; the remote call creates a new
    // thread in the target process.
    HANDLE hRemoteThread;
    if((hRemoteThread = CreateRemoteThread(hRemoteProcess,NULL,0,pfnStartAddr,pszLibFileRemote,0,NULL)) == NULL)
    {
        cout<<"注入线程失败!"<<endl;
        return FALSE;
    }
    CloseHandle(hRemoteProcess);
    CloseHandle(hRemoteThread);
    return TRUE;
}