注入
- 在第三方进程不知道或者不允许的情况下将模块或者代码写入对方进程空间,并执行的技术。
- 在安全领域,"注入" 是非常重要的一种技术手段;注入与反注入技术一直在不断演变,并且处于愈来愈激烈的对抗当中。
- 如:远程线程注入、APC注入、消息钩子注入、注册表注入、导入表注入、输入法注入等。
远程线程注入实现
进程A(被注入的目标进程:打印自身 PID 后阻塞在标准输入上以保持存活)
#include <iostream>
#include <Windows.h>
// Target process for the injection demo: it prints its own PID so the
// injector can be pointed at it, then blocks on stdin so it stays alive
// long enough to be injected into.
int main()
{
    const DWORD selfPid = GetCurrentProcessId();
    std::cout << "Waiting..." << std::endl;
    std::cout << "PID:" << selfPid << std::endl;
    std::cin.get();   // keep the process alive until the user presses Enter
    return 0;
}
DLL(被注入的模块:在 DllMain 收到 DLL_PROCESS_ATTACH 时启动一个工作线程)
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
// Worker routine started from DllMain once the DLL is mapped into the target.
// Emits a heartbeat line once per second and never returns (the loop has no
// exit condition), so its presence in the target's console is the visible
// proof that the injection worked.
void MyFunction()
{
    const DWORD kHeartbeatMs = 1000;
    while (true)
    {
        std::cout << "DLL->MyFunction Running..." << std::endl;
        Sleep(kHeartbeatMs);
    }
}
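// Thread entry with the signature CreateThread actually expects
// (DWORD WINAPI (LPVOID)). The original cast MyFunction (void(), default
// calling convention) straight to LPTHREAD_START_ROUTINE; that only "works"
// because MyFunction never returns, and is undefined behaviour otherwise.
static DWORD WINAPI MyFunctionThreadProc(LPVOID /*lpParam*/)
{
    MyFunction();
    return 0;
}

// DLL entry point. On DLL_PROCESS_ATTACH it starts the worker thread that
// runs MyFunction; all other notifications are ignored.
//
// Returns TRUE so the loader keeps the DLL mapped, or FALSE (process attach
// only) when the worker thread could not be created, which makes the
// injector's LoadLibraryA call fail instead of leaving a silently idle DLL.
//
// NOTE: CreateThread inside DllMain is permitted, but the new thread cannot
// run MyFunction until this DllMain returns (loader-lock rules), so keep the
// attach path short and do not wait on the thread here — that would deadlock.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        HANDLE hThread = CreateThread(NULL, 0, MyFunctionThreadProc, NULL, 0, NULL);
        if (hThread == NULL)
        {
            return FALSE;
        }
        // The handle is not needed afterwards; closing it does not stop the
        // thread. The original leaked it for the lifetime of the process.
        CloseHandle(hThread);
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}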
进程B(注入器:需与目标进程位数一致,并拥有打开目标进程所需的权限;代码中写死的 PID 需替换为进程A实际打印的值,DLL 路径应使用绝对路径)
#include <iostream>
#include <Windows.h>
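// Injects the DLL at szDllPathName into process dwProcessID: the path is
// copied into the target's address space and a remote thread is started at
// kernel32!LoadLibraryA with that string as its argument (classic
// CreateRemoteThread injection).
//
// dwProcessID    id of the target process.
// szDllPathName  NUL-terminated ANSI path of the DLL. Use an ABSOLUTE path:
//                a relative one is resolved by the target's DLL search
//                order, which is both unpredictable and a hijack vector.
//
// Returns TRUE once the remote thread was created (and, if it finished within
// the bounded wait, after the scratch buffer was released again); FALSE on
// any API failure, with the failing call and GetLastError() printed.
//
// Assumptions this technique depends on:
//  * injector and target have the same bitness — the LoadLibraryA address is
//    taken from the injector's own kernel32 and reused in the target, which
//    is only valid when both map the same kernel32 (same-bitness processes
//    in one session; a 32<->64-bit mix fails or crashes the target).
//  * the caller can open the target with the rights requested below (same
//    user, or SeDebugPrivilege for other users' processes; protected/PPL
//    processes cannot be opened this way at all).
//  * the target must still be alive when the remote thread runs; the demo
//    keeps process A blocked on stdin for exactly that reason.
BOOL LoadDll(DWORD dwProcessID, char* szDllPathName)
{
    if (szDllPathName == NULL || szDllPathName[0] == '\0')
    {
        std::cout << "Invalid DLL path!!!" << std::endl;
        return FALSE;
    }

    // Least privilege: request only what the injection uses instead of
    // PROCESS_ALL_ACCESS. The narrower mask also succeeds on some targets
    // where ALL_ACCESS is denied.
    const DWORD dwAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE hProcess = OpenProcess(dwAccess, FALSE, dwProcessID);
    if (hProcess == NULL)
    {
        const DWORD dwErr = GetLastError();
        std::cout << "OpenProcess FAILED!!!" << " (GetLastError=" << dwErr << ")" << std::endl;
        return FALSE;
    }

    // Scratch buffer in the target that holds the DLL path; NULL until
    // allocated so the failure path below knows whether to release it.
    LPVOID lpRemotePath = NULL;

    // Common failure exit: report the failing call, release the remote
    // buffer (if any) and the process handle, and yield the FALSE callers
    // expect. GetLastError() is captured before any stream I/O can clobber it.
    auto fail = [&](const char* szWhat) -> BOOL
    {
        const DWORD dwErr = GetLastError();
        std::cout << szWhat << " FAILED!!!" << " (GetLastError=" << dwErr << ")" << std::endl;
        if (lpRemotePath != NULL)
        {
            VirtualFreeEx(hProcess, lpRemotePath, 0, MEM_RELEASE);
        }
        CloseHandle(hProcess);
        return FALSE;
    };

    // Include the terminating NUL so LoadLibraryA reads a complete string.
    const SIZE_T cbPath = strlen(szDllPathName) + 1;
    lpRemotePath = VirtualAllocEx(hProcess, NULL, cbPath, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (lpRemotePath == NULL)
    {
        return fail("VirtualAllocEx");
    }

    SIZE_T cbWritten = 0;
    if (!WriteProcessMemory(hProcess, lpRemotePath, szDllPathName, cbPath, &cbWritten) || cbWritten != cbPath)
    {
        return fail("WriteProcessMemory");
    }

    // An HMODULE from GetModuleHandle is a base address, not a kernel handle:
    // it must never be passed to CloseHandle (the original did, which is an
    // invalid-handle misuse and raises under strict handle checking).
    HMODULE hKernel32 = GetModuleHandle(L"kernel32.dll");
    if (hKernel32 == NULL)
    {
        return fail("GetModuleHandle");
    }

    // Keep the full pointer width; the original squeezed it into a DWORD,
    // which truncates the address on x64.
    FARPROC pfnLoadLibraryA = GetProcAddress(hKernel32, "LoadLibraryA");
    if (pfnLoadLibraryA == NULL)
    {
        return fail("GetProcAddress");
    }

    DWORD dwThreadID = 0;
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,
                                        reinterpret_cast<LPTHREAD_START_ROUTINE>(pfnLoadLibraryA),
                                        lpRemotePath, 0, &dwThreadID);
    if (hThread == NULL)
    {
        return fail("CreateRemoteThread");
    }

    // The remote buffer may only be freed once LoadLibraryA has consumed it,
    // so wait for the thread first. The wait is bounded so a DLL whose
    // DllMain blocks cannot hang the injector; on timeout the few bytes are
    // simply left to the target rather than freed underneath the loader.
    const DWORD dwWait = WaitForSingleObject(hThread, 10000);
    if (dwWait == WAIT_OBJECT_0)
    {
        // The thread's exit code is LoadLibraryA's HMODULE truncated to 32
        // bits, so a zero here is a reliable failure signal on 32-bit only;
        // it is reported as a hint and does not change the return value.
        DWORD dwExitCode = 0;
        if (GetExitCodeThread(hThread, &dwExitCode) && dwExitCode == 0)
        {
            std::cout << "Warning: LoadLibraryA in target returned NULL (DLL probably not loaded)" << std::endl;
        }
        VirtualFreeEx(hProcess, lpRemotePath, 0, MEM_RELEASE);
    }
    else
    {
        std::cout << "Warning: remote thread did not finish within the wait; leaving path buffer in target" << std::endl;
    }

    CloseHandle(hThread);
    CloseHandle(hProcess);
    return TRUE;
}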
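// Parses a decimal process id. Returns false on empty input, non-digit
// characters, zero, or a value that does not fit in a DWORD.
static bool ParsePid(const char* szText, DWORD& dwOut)
{
    if (szText == NULL || *szText == '\0')
    {
        return false;
    }
    unsigned long long value = 0;
    for (const char* p = szText; *p != '\0'; ++p)
    {
        if (*p < '0' || *p > '9')
        {
            return false;
        }
        value = value * 10 + static_cast<unsigned long long>(*p - '0');
        if (value > 0xFFFFFFFFull)
        {
            return false;
        }
    }
    if (value == 0)
    {
        return false;
    }
    dwOut = static_cast<DWORD>(value);
    return true;
}

// Injector entry point.  Usage: <exe> [pid] [dll-path]
//
// Without arguments it falls back to the tutorial's hard-coded values
// (PID 11740, D:\Test.dll); the PID must match what process A printed, so
// passing it on the command line avoids recompiling for every run.
// Waits for Enter before injecting (so the target can be prepared) and
// again afterwards (so the target's console output can be inspected).
// Exits 0 when LoadDll reported success, 1 otherwise — the original always
// returned 0, hiding failures from scripts.
int main(int argc, char** argv)
{
    DWORD dwPid = 11740;
    char* szDllPath = (char*)"D:\\Test.dll";

    if (argc >= 2 && !ParsePid(argv[1], dwPid))
    {
        std::cout << "Invalid PID: " << argv[1] << std::endl;
        return 1;
    }
    if (argc >= 3)
    {
        szDllPath = argv[2];
    }

    std::cout << "ready?" << std::endl;
    std::cin.get();
    const BOOL bOk = LoadDll(dwPid, szDllPath);
    std::cin.get();
    return bOk ? 0 : 1;
}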
效果