I recently read some articles by experienced people and found them quite inspiring. After reading about remote DLL injection I had not expected that there was also DLL-less injection of a plain thread function. Interesting. So I wrote one myself, a very simple one: injecting a MessageBox.
Anyone familiar with DLL injection knows that the DLL's contents have to end up in the target process's memory. It follows that the thread function we want to inject must also be written into the target process's memory, and so must the data that function uses; the data can simply be packed into a struct. We also have to declare (typedef) the APIs the function calls, so that it can reach them through addresses passed in rather than through this module's import table. Everything else is not much different from DLL injection. Here is the code:
#include <stdio.h>
#include <string.h>
#include <windows.h>
/* Data the injected routine needs; it is copied into the target alongside the code. */
typedef struct {
    DWORD address;   /* address of MessageBoxA; 32-bit build only, DWORD cannot hold a 64-bit pointer */
    char a[10];
} info;
typedef int (__stdcall *msgbox)(HWND, LPCTSTR, LPCTSTR, UINT);
/* Thread routine that runs inside the target. It may only use data reachable through
   its parameter, because nothing else from this module exists in the target process. */
DWORD WINAPI t(LPVOID p)
{
    info *p1 = (info *)p;
    msgbox m = (msgbox)p1->address;
    m(0, p1->a, p1->a, 0);
    return 0;
}
int main(void)
{
    const DWORD pid = 5388;              /* target process id used in the original post */
    const SIZE_T codeSize = 1024 * 4;    /* upper bound for the size of t(); copied blindly, as in the original */
    HANDLE ph = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (ph == NULL) {
        printf("OpenProcess failed: %lu\n", GetLastError());
        return 1;
    }
    /* The copied code is executed in the target, so it needs an executable page (the original
       asked for PAGE_READWRITE, which fails under DEP). The data block only needs RW. */
    void *s = VirtualAllocEx(ph, 0, codeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    info *s1 = (info *)VirtualAllocEx(ph, 0, sizeof(info), MEM_COMMIT, PAGE_READWRITE);
    if (s == NULL || s1 == NULL) {
        printf("VirtualAllocEx failed: %lu\n", GetLastError());
        CloseHandle(ph);
        return 1;
    }
    info i;
    ZeroMemory(&i, sizeof(i));
    strcpy(i.a, "a");
    /* user32.dll is mapped at the same base in every process, so the address resolved here is valid in the target. */
    HMODULE m = LoadLibraryA("user32.dll");
    i.address = (DWORD)GetProcAddress(m, "MessageBoxA");
    WriteProcessMemory(ph, s, (void *)t, codeSize, 0);
    WriteProcessMemory(ph, s1, &i, sizeof(info), 0);
    HANDLE hrt = CreateRemoteThread(ph, 0, 0, (LPTHREAD_START_ROUTINE)s, s1, 0, 0);
    if (hrt == NULL) {
        printf("CreateRemoteThread failed: %lu\n", GetLastError());
    } else {
        WaitForSingleObject(hrt, INFINITE);
        CloseHandle(hrt);
    }
    CloseHandle(ph);
    return 0;
}
The code is not long, and anyone who understands how DLL injection works should find this easy to follow. I have only sketched the idea roughly; if I have missed anything, I hope the experts will bear with me.
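From the defender's side, the technique above leaves a very characteristic trace: a thread whose start address lies in private, executable memory rather than inside any loaded EXE or DLL, created by a process other than the one it runs in. The following is an added example, not code from the original post, that models that check over a constructed snapshot of a target process. The `Region` and `Thread` records, the field names, and the sample addresses are assumptions made for this illustration, loosely modelled on what VirtualQueryEx and an ETW thread-start event report; they are not the output format of any real tool.

```python
from dataclasses import dataclass

# Memory type values as reported in MEMORY_BASIC_INFORMATION.Type by VirtualQueryEx.
MEM_IMAGE = 0x1000000
MEM_PRIVATE = 0x20000


@dataclass
class Region:
    base: int
    size: int
    mem_type: int   # MEM_IMAGE for a mapped EXE/DLL, MEM_PRIVATE for VirtualAlloc'd memory
    protect: str    # page protection as a string, e.g. "PAGE_EXECUTE_READWRITE"
    path: str       # backing file for image regions, empty for private memory


@dataclass
class Thread:
    tid: int
    start: int        # thread start address (assumed to come from a thread-start event or a query)
    creator_pid: int  # pid of the process that created the thread (assumed field, as an ETW event records it)


def region_for(addr, regions):
    """Return the region containing addr, or None if the address is not committed."""
    for r in regions:
        if r.base <= addr < r.base + r.size:
            return r
    return None


def suspicious_threads(pid, threads, regions):
    """Return (tid, start, reasons) for threads in process pid that look injected.

    Two independent indicators are checked: the start address is not backed by a
    loaded image, and the thread was created from a different process.  Note that a
    real detector must exclude the process's initial thread from the second check,
    because that one is legitimately created by the parent process.
    """
    findings = []
    for t in threads:
        reasons = []
        r = region_for(t.start, regions)
        if r is None:
            reasons.append("start address not in any committed region")
        elif r.mem_type != MEM_IMAGE:
            reasons.append("start address in non-image memory (%s)" % r.protect)
        if t.creator_pid != pid:
            reasons.append("created by foreign process %d" % t.creator_pid)
        if reasons:
            findings.append((t.tid, t.start, reasons))
    return findings


# Constructed sample snapshot of a 32-bit target (pid 5388, the pid used in the post).
SAMPLE_PID = 5388
SAMPLE_REGIONS = [
    Region(0x00400000, 0x30000, MEM_IMAGE, "PAGE_EXECUTE_READ", r"C:\Windows\notepad.exe"),
    Region(0x77D40000, 0x90000, MEM_IMAGE, "PAGE_EXECUTE_READ", r"C:\Windows\System32\user32.dll"),
    Region(0x003A0000, 0x1000, MEM_PRIVATE, "PAGE_EXECUTE_READWRITE", ""),  # block the thread routine was copied into
    Region(0x003B0000, 0x1000, MEM_PRIVATE, "PAGE_READWRITE", ""),          # block holding the info struct
]
SAMPLE_THREADS = [
    Thread(tid=104, start=0x00401000, creator_pid=5388),  # worker thread the program started itself
    Thread(tid=204, start=0x003A0000, creator_pid=1234),  # thread created from another process
]

if __name__ == "__main__":
    for tid, start, reasons in suspicious_threads(SAMPLE_PID, SAMPLE_THREADS, SAMPLE_REGIONS):
        print("thread %d @ 0x%08x: %s" % (tid, start, "; ".join(reasons)))
```

On the sample data only thread 204 is reported, with both reasons attached. Either indicator alone is worth alerting on: the start-address check catches code that was copied in with WriteProcessMemory even when the creating process is no longer available, while the creator check catches CreateRemoteThread into a legitimate DLL entry point (classic LoadLibrary-based DLL injection), which the first check would miss.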