目录
基本概念
大部分程序都会加载 Kernel32.dll 和 user32.dll。通常,同一个 dll 在不同的进程中,不一定被映射(加载)到同一个内存地址。
但 Kernel32.dll 和 user32.dll 是例外:它们都被映射到各自的首选加载地址,因此在所有使用这两个 dll 的进程中,它们的内存地址是相同的。在本进程中获取的 Kernel32.dll 函数地址,在目标进程中也是一样的。
逻辑:目标进程 -> 传入 dll 路径 -> 开启远程线程 -> 加载 dll -> 实现 dll 的注入
依次使用函数:
OpenProcess 获取进程句柄
VirtualAllocEx 在进程中申请空间
WriteProcessMemory 在进程中写入东西
GetProcAddress 获取函数在 dll 中的地址
CreateRemoteThreadEx 在其他进程中创建新线程
CloseHandle 关闭句柄
代码与实例
路径如下:
64位编译:
界面运行:
点击Inject:
已经注入到计算器里面了!
dll关键代码如下:
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "stdafx.h"
/// DLL entry point. On DLL_PROCESS_ATTACH it pops a message box so that a
/// successful load into the host process is visible; thread attach/detach and
/// process detach are ignored. Always tells the loader to keep the DLL mapped.
///
/// @param hModule            handle of this DLL (unused)
/// @param ul_reason_for_call loader notification reason
/// @param lpReserved         reserved by the loader (unused)
/// @return TRUE so the loader keeps the DLL mapped
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    // hModule and lpReserved are not needed by this demo.
    // NOTE(review): a modal UI call runs here under the loader lock; it is fine
    // for a demo but is not a loader-safe thing to do in DllMain in general.
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        MessageBox(NULL, L"报告首长", L"我已成功打入敌人内部", NULL);
    }
    return TRUE;
}
注入器相关代码:
/// "Open" button handler: lets the user pick a .dll through a file dialog and
/// copies the chosen path into the IDC_DLLPATH edit control. Nothing changes
/// when the dialog is cancelled.
void CcallDllDlg::OnBnClickedOpen()
{
    CFileDialog picker(TRUE, 0, 0, NULL, _T("DLL Files|*.dll|"));
    if (picker.DoModal() != IDOK) {
        return;
    }
    const CString chosenPath = picker.GetPathName();
    SetDlgItemText(IDC_DLLPATH, chosenPath);
}
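/// Looks up the process id of the first running process whose image file name
/// matches Exename. The comparison is case-insensitive, as Windows file names
/// are; the original used a case-sensitive _tcscmp.
///
/// @param Exename image file name as reported by the snapshot, e.g. _T("calc.exe")
/// @return the process id, or 0 when Exename is empty, the snapshot fails,
///         or no process matches
DWORD ProcessFind(LPCTSTR Exename)
{
    if (Exename == NULL || Exename[0] == _T('\0')) {
        return 0;
    }
    // CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE, not
    // NULL; the original "if (!hProcess)" test let that failure through.
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE || hSnapshot == NULL) {
        return 0;
    }
    DWORD foundPid = 0;
    PROCESSENTRY32 entry;
    ZeroMemory(&entry, sizeof(entry));
    entry.dwSize = sizeof(PROCESSENTRY32);
    // Walk the snapshot once; every exit path falls through to CloseHandle
    // (the original returned from inside the loop and leaked the handle).
    if (Process32First(hSnapshot, &entry)) {
        do {
            if (_tcsicmp(entry.szExeFile, Exename) == 0) {
                foundPid = entry.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnapshot, &entry));
    }
    CloseHandle(hSnapshot);
    return foundPid;
}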
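// Runs the remote LoadLibrary call against an already opened process.
// Releases the remote buffer and the thread handle itself; hProcess stays
// open and is owned by the caller.
static BOOL RemoteLoadLibrary(HANDLE hProcess, LPCTSTR DLLPath)
{
    const SIZE_T pathBytes = (_tcslen(DLLPath) + 1) * sizeof(TCHAR);
    LPVOID remotePath = VirtualAllocEx(hProcess, NULL, pathBytes, MEM_COMMIT, PAGE_READWRITE);
    if (!remotePath) {
        return FALSE;
    }
    BOOL loaded = FALSE;
    HANDLE hThread = NULL;
    do {
        if (!WriteProcessMemory(hProcess, remotePath, DLLPath, pathBytes, NULL)) {
            break;
        }
        // The path was written in this build's TCHAR encoding, so the remote
        // thread must call the LoadLibrary variant that reads that encoding.
        // The original always resolved LoadLibraryW, which is wrong for a
        // non-UNICODE build.
#ifdef UNICODE
        const char* const loaderName = "LoadLibraryW";
#else
        const char* const loaderName = "LoadLibraryA";
#endif
        // Premise of this demo: kernel32 is mapped at the same base in every
        // process of the same bitness, so the address resolved here is also
        // valid inside the target.
        FARPROC pfnLoader = GetProcAddress(GetModuleHandle(_T("kernel32.dll")), loaderName);
        if (!pfnLoader) {
            break;
        }
        // CreateRemoteThreadEx does not exist on XP; CreateRemoteThread is the
        // equivalent there.
        hThread = CreateRemoteThreadEx(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pfnLoader,
                                       remotePath, 0, NULL, NULL);
        if (!hThread) {
            break;
        }
        WaitForSingleObject(hThread, INFINITE);
        // The thread's exit code is LoadLibrary's return value (HMODULE, truncated
        // to 32 bits on x64); 0 means the target failed to load the DLL. The
        // original reported success without ever looking at it.
        DWORD exitCode = 0;
        if (GetExitCodeThread(hThread, &exitCode) && exitCode != 0) {
            loaded = TRUE;
        }
    } while (0);
    if (hThread) {
        CloseHandle(hThread);
    }
    // The path buffer is only needed until LoadLibrary has read it.
    VirtualFreeEx(hProcess, remotePath, 0, MEM_RELEASE);
    return loaded;
}

/// Loads the DLL at DLLPath into the process ProcessID by writing the path
/// into that process and starting a remote thread at kernel32!LoadLibrary.
///
/// All handles and the remote buffer are released on every exit path (the
/// original leaked hProcess and the remote buffer on each early return), and
/// success is reported only when the remote LoadLibrary call returned a
/// module handle.
///
/// Defender note: this OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
/// CreateRemoteThread(LoadLibrary*) sequence is the textbook pattern that
/// Sysmon Event ID 8 (CreateRemoteThread) and EDR remote-thread telemetry
/// flag; it is the signal to look for when hunting for this kind of injection.
///
/// @param DLLPath   path to the DLL; the target resolves it with its own DLL
///                  search order, so an absolute path is the reliable choice
/// @param ProcessID id of the target process
/// @return TRUE when the DLL was loaded in the target, FALSE otherwise
BOOL Inject(LPCTSTR DLLPath, DWORD ProcessID)
{
    if (DLLPath == NULL || DLLPath[0] == _T('\0') || ProcessID == 0) {
        return FALSE;
    }
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, TRUE, ProcessID);
    if (!hProcess) {
        return FALSE;
    }
    const BOOL loaded = RemoteLoadLibrary(hProcess, DLLPath);
    CloseHandle(hProcess);
    return loaded;
}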
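/// "Inject" button handler: reads the target image name and the DLL path from
/// the dialog, validates both, locates the process and reports the outcome of
/// Inject() in a message box.
///
/// Compared with the original, an empty DLL path is rejected up front instead
/// of being handed to Inject(), and the "Cant't" typo in the not-found
/// message is corrected.
void CcallDllDlg::OnBnClickedInject()
{
    CString dllPath;
    CString exeName;
    GetDlgItemText(IDC_EXENAME, exeName);
    GetDlgItemText(IDC_DLLPATH, dllPath);
    if (exeName.IsEmpty()) {
        MessageBox(_T("Please input exe name!"));
        return;
    }
    if (dllPath.IsEmpty()) {
        MessageBox(_T("Please choose a DLL file!"));
        return;
    }
    // ProcessFind reports "not found" as 0.
    const DWORD processId = ProcessFind(exeName);
    if (processId == 0) {
        MessageBox(_T("Can't find the process!"));
        return;
    }
    MessageBox(Inject(dllPath, processId) ? _T("Inject Success!") : _T("Inject Failed!"));
}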
源码下载地址:
https://github.com/fengfanchen/CAndCPP/tree/master/InjectDllDemo/DllTest