远程线程注入

最新推荐文章于 2024-07-07 10:44:58 发布

123qweqew

最新推荐文章于 2024-07-07 10:44:58 发布

阅读量69

点赞数 1

文章标签： c语言操作系统 windows

本文链接：https://blog.csdn.net/pluginL/article/details/137732155

版权

获取PID懒得搞了，无非就是多调用几个API，我是直接看任务栏管理器直接写的哈哈

//远程线程注入
DWORD RemoteThreadInject(DWORD dwPID) {
	//获取LoadLibrary地址
	PVOID funAddr = LoadLibraryA;
	//注入模块的名字
	BYTE dllName[] = "InjectDll.dll";
	DWORD dwNameSize = strlen(dllName) + 1;
	HANDLE processHandle = OpenProcess(PROCESS_ALL_ACCESS, 0, dwPID);
	if (!processHandle) {
		printf("processHandle1\n");
		return;
	}
	//申请内存地址，写入
	PVOID pWritePosition = VirtualAllocEx(processHandle, 0, dwNameSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	if (!pWritePosition) {
		printf("VirtualAllocEx1\n");
		return;
	}
	if (!WriteProcessMemory(processHandle, pWritePosition, dllName, dwNameSize, 0)) {
		printf("WriteProcessMemory1\n");
		return;
	}
	HANDLE threadHandle = CreateRemoteThread(processHandle, 0, 0, funAddr, pWritePosition, 0, 0);
	if (!threadHandle) {
		printf("CreateRemoteThread1\n");
		return;
	}
	WaitForSingleObject(threadHandle, INFINITE);
	DWORD dwExitCode = 0;
	if (!GetExitCodeThread(threadHandle, &dwExitCode)) {
		printf("GetExitCodeThread1\n");
		return;
	}
	if (!VirtualFreeEx(processHandle, pWritePosition, 0, MEM_RELEASE)) {
		printf("VirtualFreeEx\n");
		return;
	}
	CloseHandle(threadHandle);
	printf("Library handle:%08x\n", dwExitCode);
	return dwExitCode;
}```
卸载的时候使用freelibrary

```c
//远程线程卸载
VOID RemoteThreadFree(DWORD dwPID,HANDLE hLibrary){
	//FreeLibrary返回值为4字节，参数也是4字节，系统函数stdcall，可以作为线程回调函数传参
	PVOID funAddr = FreeLibrary;
	HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwPID);
	if (!hProcess) {
		printf("OpenProcess\n");
		return;
	}
	HANDLE hThread = CreateRemoteThread(hProcess, 0, 0, FreeLibrary, hLibrary, 0, 0);
	if (!hThread) {
		printf("CreateRemoteThread\n");
		return;
	}
	CloseHandle(hThread);
}