在编写进程注入程序时最常见的方式就是远端线程注入:将本地的程序(一般为动态链接库)注入目的进程,以实现本地程序在目的进程空间中执行。这里面有几个关键点:
1) 远端进程中创建远端线程
在Windows中提供了对应的API(CreateRemoteThread)来创建远端线程。远端线程执行的函数必须位于目的进程的地址空间中,但各进程的地址空间相互独立,因此一般选择系统默认函数作为基点来运行我们的程序,这里选择加载动态链接库的函数LoadLibrary。通过执行加载动态链接库的函数来实现运行我们的程序,并在DllMain函数中执行我们想要执行的代码。
2) 远端进程中内存分配
目的进程中地址空间的分配采用系统提供的API:VirtualAllocEx和WriteProcessMemory,前者实现内存分配,后者实现内存写操作,将参数写入指定的地址空间。
3) 解除注入
当动态链接库执行完成后,就需要卸载对应的动态链接库。此时需要遍历目的进程已加载的模块列表找出我们的库,再通过关键点(1)的方法(创建远端线程调用FreeLibrary)来实现动态链接库的卸载。
基于以上原理,两部分源码如下
进程注入源码:
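/*
 * InjectLibW - loads the DLL at pszLibFile into the process dwProcessId by
 * running LoadLibraryW on a thread created in that process.
 *
 * dwProcessId: id of the target process.
 * pszLibFile:  full path of the DLL as a NUL-terminated wide string. The
 *              string is copied into the target, so the caller keeps ownership.
 *
 * Returns TRUE only when the remote LoadLibraryW thread ran to completion and
 * reported a non-zero module handle; FALSE on any API failure (GetLastError()
 * then holds the failing call's error code).
 *
 * Note: the success check relies on GetExitCodeThread, which truncates the
 * HMODULE returned by LoadLibraryW to 32 bits. A 64-bit handle whose low
 * 32 bits happen to be zero would be misreported as failure; a stronger check
 * is to look the module up with a Toolhelp snapshot afterwards.
 *
 * The OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread
 * sequence used here is the textbook cross-process injection pattern and is
 * widely monitored by endpoint security tooling.
 */
BOOL WINAPI InjectLibW(DWORD dwProcessId, PCWSTR pszLibFile)
{
    BOOL bOk = FALSE;
    HANDLE hProcess = NULL, hThread = NULL;
    PWSTR pszLibFileRemote = NULL;

    __try {
        // Get a handle for the target process with exactly the rights the
        // steps below need (allocate, write, read, create thread)
        hProcess = OpenProcess(PROCESS_QUERY_INFORMATION |
                               PROCESS_CREATE_THREAD |
                               PROCESS_VM_OPERATION |
                               PROCESS_VM_READ |
                               PROCESS_VM_WRITE,
                               FALSE, dwProcessId);
        if (hProcess == NULL) __leave;

        // Size of the path in bytes, including the terminating NUL
        SIZE_T cch = 1 + (SIZE_T)lstrlenW(pszLibFile);
        SIZE_T cb = cch * sizeof(wchar_t);

        // Allocate space in the remote process's address space for the path
        pszLibFileRemote = (PWSTR)VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
        if (pszLibFileRemote == NULL) __leave;

        // Copy the DLL's pathname to the remote process's address space
        if (!WriteProcessMemory(hProcess, pszLibFileRemote, pszLibFile, cb, NULL)) __leave;

        // Get the address of LoadLibraryW in kernel32.dll. Using the local
        // address in the target assumes kernel32 is mapped at the same base
        // there (same bitness as this process).
        PTHREAD_START_ROUTINE pfnThreadRtn =
            (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
        if (pfnThreadRtn == NULL) __leave;

        // Create the remote thread that calls LoadLibraryW(pszLibFileRemote)
        hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, pszLibFileRemote, 0, NULL);
        if (hThread == NULL) __leave;

        // Wait for the remote thread to terminate; if the wait itself fails
        // the exit code cannot be trusted
        if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0) __leave;

        // The thread's exit code is LoadLibraryW's return value (the HMODULE,
        // truncated to 32 bits): zero means the load failed in the target.
        DWORD dwExitCode = 0;
        if (!GetExitCodeThread(hThread, &dwExitCode)) __leave;
        bOk = (dwExitCode != 0);
    }
    __finally {
        // Free the remote memory; hProcess is valid whenever the allocation succeeded
        if (pszLibFileRemote != NULL)
            VirtualFreeEx(hProcess, pszLibFileRemote, 0, MEM_RELEASE);
        if (hThread != NULL)
            CloseHandle(hThread);
        if (hProcess != NULL)
            CloseHandle(hProcess);
    }
    return bOk;
}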
进程卸载源码如下:
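/*
 * EjectLibW - unloads the DLL pszLibFile from the process dwProcessId by
 * running FreeLibrary on a thread created in that process.
 *
 * dwProcessId: id of the target process.
 * pszLibFile:  module name (e.g. the DLL's file name) or its full path; it is
 *              matched case-insensitively against each loaded module's
 *              szModule and szExePath.
 *
 * Returns TRUE when the module was found and the remote FreeLibrary thread
 * reported a non-zero result; FALSE when the module is not loaded in the
 * target or any API call fails (GetLastError() then holds the error code).
 *
 * Only eject a module that was loaded by InjectLibW: FreeLibrary decrements
 * the module's reference count, so ejecting a DLL the target itself depends on
 * can unmap it from under the target.
 *
 * NOTE(review): the module snapshot and the remote-thread trick both require
 * this process and the target to have the same bitness -- confirm for your use.
 */
BOOL WINAPI EjectLibW(DWORD dwProcessId, PCWSTR pszLibFile)
{
    BOOL bOk = FALSE;
    HANDLE hthSnapshot = INVALID_HANDLE_VALUE;
    HANDLE hProcess = NULL, hThread = NULL;

    __try {
        // Grab a snapshot of the modules loaded in the target process
        hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
        if (hthSnapshot == INVALID_HANDLE_VALUE) __leave;

        // Walk the module list looking for the target library by name or path
        MODULEENTRY32W me = { sizeof(me) };
        BOOL bFound = FALSE;
        for (BOOL bMoreMods = Module32FirstW(hthSnapshot, &me);
             bMoreMods;
             bMoreMods = Module32NextW(hthSnapshot, &me)) {
            bFound = (_wcsicmp(me.szModule, pszLibFile) == 0) ||
                     (_wcsicmp(me.szExePath, pszLibFile) == 0);
            if (bFound) break;
        }
        if (!bFound) __leave;

        // Open the target with just the rights CreateRemoteThread needs
        hProcess = OpenProcess(PROCESS_QUERY_INFORMATION |
                               PROCESS_CREATE_THREAD |
                               PROCESS_VM_OPERATION,
                               FALSE, dwProcessId);
        if (hProcess == NULL) __leave;

        // Get the address of FreeLibrary in kernel32.dll. Using the local
        // address in the target assumes kernel32 is mapped at the same base
        // there (same bitness as this process).
        PTHREAD_START_ROUTINE pfnThreadRtn =
            (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "FreeLibrary");
        if (pfnThreadRtn == NULL) __leave;

        // Create the remote thread that calls FreeLibrary(hModule); the
        // module's base address is its HMODULE
        hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, me.modBaseAddr, 0, NULL);
        if (hThread == NULL) __leave;

        // Wait for the remote thread to terminate; if the wait itself fails
        // the exit code cannot be trusted
        if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0) __leave;

        // The thread's exit code is FreeLibrary's BOOL result: zero means the
        // unload failed in the target
        DWORD dwExitCode = 0;
        if (!GetExitCodeThread(hThread, &dwExitCode)) __leave;
        bOk = (dwExitCode != 0);
    }
    __finally {
        // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE,
        // not NULL, so test against that before closing
        if (hthSnapshot != INVALID_HANDLE_VALUE)
            CloseHandle(hthSnapshot);
        if (hThread != NULL)
            CloseHandle(hThread);
        if (hProcess != NULL)
            CloseHandle(hProcess);
    }
    return bOk;
}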
运行结果如下:
卸载结果:
具体原理可见《Windows核心编程》,测试源码在这里。