远程线程注入RemoteThread(dll)

最新推荐文章于 2024-05-17 00:38:51 发布

b10l07

最新推荐文章于 2024-05-17 00:38:51 发布

阅读量921

点赞数

文章标签： c#

原文链接：http://blog.51cto.com/haidragon/2306823

版权

https://github.com/haidragon/win10_CreateRemoteThread
远程线程注入RemoteThread(dll)
// RemoteInject.h

#pragma once

// RemoteInject 对话框

class RemoteInject : public CDialogEx
{
    DECLARE_DYNAMIC(RemoteInject)

public:
    RemoteInject(CWnd* pParent = NULL);   // 标准构造函数
    virtual ~RemoteInject();

// 对话框数据
    enum { IDD = IDD_DIALOG10 };

protected:
    virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV 支持

    DECLARE_MESSAGE_MAP()
public:
    DWORD m_dwPID;
    CString m_strDllPath;
    afx_msg void OnBnClickedButton2();
    afx_msg void OnBnClickedInject();
};

// RemoteInject.cpp

// RemoteInject.cpp : 实现文件
//

#include "stdafx.h"
#include "MyInjectTool.h"
#include "RemoteInject.h"
#include "afxdialogex.h"

// RemoteInject 对话框

IMPLEMENT_DYNAMIC(RemoteInject, CDialogEx)

RemoteInject::RemoteInject(CWnd* pParent /*=NULL*/)
    : CDialogEx(RemoteInject::IDD, pParent)
    , m_dwPID(0)
    , m_strDllPath(_T(""))
{

}

RemoteInject::~RemoteInject()
{
}

void RemoteInject::DoDataExchange(CDataExchange* pDX)
{
    CDialogEx::DoDataExchange(pDX);
    DDX_Text(pDX, IDC_EDIT1, m_dwPID);
    DDX_Text(pDX, IDC_EDIT4, m_strDllPath);
}

BEGIN_MESSAGE_MAP(RemoteInject, CDialogEx)
    ON_BN_CLICKED(IDC_BUTTON2, &RemoteInject::OnBnClickedButton2)
    ON_BN_CLICKED(IDC_INJECT, &RemoteInject::OnBnClickedInject)
END_MESSAGE_MAP()

// RemoteInject 消息处理程序

void RemoteInject::OnBnClickedButton2()
{
    // TODO:  在此添加控件通知处理程序代码
    char szFilter[] = "动态链接库|*.dll";
    CFileDialog fileDlg(TRUE, "dll", NULL, OFN_HIDEREADONLY | OFN_OVERWRITEPROMPT, szFilter);
    UpdateData(TRUE);
    if (fileDlg.DoModal() == IDOK)
    {
        m_strDllPath = fileDlg.GetPathName();
    }
    UpdateData(FALSE);
}

void RemoteInject::OnBnClickedInject()
{
    // TODO:  在此添加控件通知处理程序代码
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    HANDLE hThread2 = NULL;
    char* pszRemoteBuffer = NULL;
    DWORD * pDwTidRemote = NULL;

    //UpdateData(TRUE);

    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, m_dwPID);

    if (hProcess == NULL)
    {
        MessageBox("打开进程失败!!!!");
        return;
    }

    //1.在远程进程中分配内存
    pszRemoteBuffer = (char *)VirtualAllocEx(hProcess, NULL, m_strDllPath.GetLength(), MEM_COMMIT, PAGE_READWRITE);

    if (pszRemoteBuffer == NULL)
    {
        MessageBox("申请远程空间失败");
        return;
    }
    //2.在远程申请的地址当中写入DLL的路径
    SIZE_T dwWriten;
    if (!WriteProcessMemory(hProcess, pszRemoteBuffer, (LPVOID)m_strDllPath.GetBuffer(0), m_strDllPath.GetLength(), &dwWriten))
    {
        MessageBox("写入内存失败");
    }

    //3.获取远程进程中LaodLibry的地址,这里你用的巧合是每个程序中的kernel32的地址的都一样，远程中也一样在
    HMODULE hMouDle = GetModuleHandle("Kernel32");
    PTHREAD_START_ROUTINE pfnLoadLibrary = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA");

    if (pfnLoadLibrary == NULL)
    {
        MessageBox("获取LoadLibrary地址失败！！！");
        return;
    }

    //4.创建远程线程
    hThread = CreateRemoteThread(hProcess, NULL, 0, pfnLoadLibrary, pszRemoteBuffer, 0, NULL);

    DWORD dwErrCode = GetLastError();
    if (hThread == NULL)
    {
        MessageBox("创建远程线程失败");
        return;
    }

    WaitForSingleObject(hThread, 2000);
}

转载于:https://blog.51cto.com/haidragon/2306823

b10l07

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
远程线程注入RemoteThread(dll)

https://github.com/haidragon/win10_CreateRemoteThread// RemoteInject.h#pragma once// RemoteInject 对话框class RemoteInject : public CDialogEx{ DECLARE_DYNAMIC(RemoteInject)public: RemoteI...
复制链接

扫一扫