动态库远程注入技术

ConsoleApplication1.zip

远程线程开始加载动态库注入,判断当前正在运行的exe程序是32位还是64位?

立即下载

最近在研究动态库远程注入技术,将相关的源码分享下
1,。动态库一般只能将32位动态库注入32位程序中,将64位动态库注入相应的64位程序中

#include
#include “windows.h” //包含窗体的头文件
#include “tlhelp32.h”

//提升权限
int enableDebugPriv()
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;

if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
	return -1;
}
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
{
	CloseHandle(hToken);
	return -1;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL))
{
	CloseHandle(hToken);
	return -1;
}
return 1;

}

//加载动态库
BOOL LoadRemoteDll(DWORD dwProcessId, LPTSTR lpszLibName)
{
int Retn = 0;
BOOL bResult = FALSE;
HANDLE hProcess = NULL;
HANDLE hThread = NULL;
PSTR pszLibFileRemote = NULL;
DWORD cch;
PTHREAD_START_ROUTINE pfnThreadRrn;
__try
{
//获得想要注入代码的进程的句柄
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
Retn = GetLastError();
if (NULL == hProcess)
__leave;
//计算DLL路径名需要的字节数
cch = 2 * (1 + lstrlen(lpszLibName));
//在远程线程中为路径名分配空间
pszLibFileRemote = (PSTR)VirtualAllocEx(hProcess, NULL, cch, MEM_COMMIT, PAGE_READWRITE);
Retn = GetLastError();
if (pszLibFileRemote == NULL)
__leave;
//将DLL的路径名复制到远程进程的地址空间
if (!WriteProcessMemory(hProcess, (PVOID)pszLibFileRemote, (PVOID)lpszLibName, cch, NULL))
__leave;
Retn = GetLastError();
//获得LoadLibraryA在Kernel.dll中得真正地址
pfnThreadRrn = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT(“Kernel32”)), “LoadLibraryW”);
Retn = GetLastError();
if (pfnThreadRrn == NULL)
__leave;

    hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRrn, (PVOID)pszLibFileRemote, 0, NULL);
    Retn = GetLastError();
    if (hThread == NULL)
        __leave;
    //等待远程线程终止  
    WaitForSingleObject(hThread, INFINITE);
    bResult = TRUE;
}
__finally
{
    //关闭句柄  
    if (pszLibFileRemote != NULL)
        VirtualFreeEx(hProcess, (PVOID)pszLibFileRemote, 0, MEM_RELEASE);
    Retn = GetLastError();
    if (hThread != NULL)
        CloseHandle(hThread);
    Retn = GetLastError();
    if (hProcess != NULL)
        CloseHandle(hProcess);
    Retn = GetLastError();
}
return bResult;

}

//卸载动态库
BOOL UnLoadRemoteDll(DWORD dwProcessId ,LPTSTR lpPathDllName)
{
int Retn = 0;
BOOL bResult = FALSE;
HANDLE hProcess = NULL;
HANDLE hThread = NULL;
HANDLE hSnapshot = NULL;
__try
{
//先查找到相应的动态库地址
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
if (INVALID_HANDLE_VALUE == hSnapshot)
__leave;
BOOL IsFind = FALSE;
MODULEENTRY32 me = { 0 };
me.dwSize = sizeof(MODULEENTRY32);
BOOL bRet = Module32First(hSnapshot, &me);
while (bRet)
{
if (0 == memcmp(lpPathDllName, me.szExePath,wcslen(lpPathDllName)))
{
IsFind = TRUE;
break;
}
ZeroMemory(&me, sizeof(me));
me.dwSize = sizeof(MODULEENTRY32);
bRet = Module32Next(hSnapshot, &me);
}
if (!IsFind)
__leave;

    //获得想要注入代码的进程的句柄  

    typedef BOOL(*pfnFreeLibrary)(HMODULE);
    pfnFreeLibrary pfnThreadRrn = (pfnFreeLibrary)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "FreeLibrary");
    Retn = GetLastError();
    if (pfnThreadRrn == NULL)
        __leave;
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
    Retn = GetLastError();
    if (NULL == hProcess)
        __leave;
    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pfnThreadRrn, (PVOID)me.modBaseAddr, 0, NULL);
    Retn = GetLastError();
    if (hThread == NULL)
        __leave;
    //等待远程线程终止  
    WaitForSingleObject(hThread, INFINITE);
    bResult = TRUE;
}
__finally
{
    if (hThread != NULL)
        CloseHandle(hThread);
    if (hProcess != NULL)
        CloseHandle(hProcess);
    if (hSnapshot != NULL)
        CloseHandle(hSnapshot);
}
return bResult;

}

//判定当前的程序是否64位程序
bool IsProcess64(DWORD dwProcessId)
{
HANDLE hProcess = NULL;
BOOL bWin32Process = FALSE;
__try
{
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
if (NULL == hProcess)
__leave;
IsWow64Process(hProcess,&bWin32Process);
}
__finally
{
if (hProcess != NULL)
CloseHandle(hProcess);
}
return !bWin32Process;
}

int main()
{
int Retn = enableDebugPriv(); //提升当前的权限
wchar_t* injectDllPath = NULL;
if (IsProcess64(8904)) //64位程序
injectDllPath = L"E:\Muma\20200309\ConsoleApplication1\x64\Debug\InjectDll.dll";
else
injectDllPath = L"E:\Muma\20200309\ConsoleApplication1\Debug\InjectDll.dll";
if (Retn)
LoadRemoteDll(8904, injectDllPath);
//injectDllPath = L"InjectDll.dll";
UnLoadRemoteDll(8904, injectDllPath);

std::cout << "Hello World!\n";

}

相应的源码

发布了0 篇原创文章 · 获赞 0 · 访问量 6
展开阅读全文

没有更多推荐了,返回首页

©️2019 CSDN 皮肤主题: 1024 设计师: 上身试试

分享到微信朋友圈

×

扫一扫,手机浏览