#include <windows.h>
#include <string.h>
#include <Tlhelp32.h>
#include <iostream>
using namespace std;
class InjectionRemoteThread
{
public:
// FileName: image name of the target process, compared byte-for-byte (strcmp) against Toolhelp entries.
// DllName: path of the DLL whose name is copied into the target; both are stored in MAX_PATH buffers.
InjectionRemoteThread(const char *FileName,const char *DllName);
DWORD GetProcessID(); // Process id of the first process whose image name equals m_FileName; 0 if none
DWORD OpenRemoteProcess(); // Opens the target process into hProcess; returns 0 on success, 1 on failure
DWORD InjectionRemoteProcess(); // Starts a remote thread (LoadLibraryA) in the target; 0 on success, 1 on failure
DWORD FreeRemoteProcess(); // Starts remote threads (GetModuleHandleA, then FreeLibrary) in the target; 0 on success, 1 on failure
protected:
HANDLE hProcess; // Target process handle set by OpenRemoteProcess; NOTE(review): not initialised by the constructor
char m_FileName[MAX_PATH]; // Target process image name
char m_DllName[MAX_PATH]; // Path of the DLL to load in the target
DWORD m_Size; // strlen(m_DllName)+1, the byte count written to the target
};
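// Copy the target image name and DLL path into the fixed-size member buffers.
// FileName: image name compared against Toolhelp entries in GetProcessID.
// DllName: path written to the target process; m_Size becomes its length plus the terminator.
// A null pointer is treated as an empty string; input longer than MAX_PATH-1 is truncated.
// hProcess is reset to NULL so a method that runs before OpenRemoteProcess sees a null handle
// rather than an indeterminate value.
InjectionRemoteThread::InjectionRemoteThread(const char *FileName,const char *DllName)
: hProcess(NULL), m_Size(0)
{
    // strncpy leaves the buffer unterminated when the source fills it, so the
    // copy is limited to MAX_PATH-1 bytes and the terminator is written explicitly.
    strncpy(m_FileName, FileName ? FileName : "", MAX_PATH-1);
    m_FileName[MAX_PATH-1]='\0';
    strncpy(m_DllName, DllName ? DllName : "", MAX_PATH-1);
    m_DllName[MAX_PATH-1]='\0';
    // Byte count handed to the remote process: the path plus its NUL terminator.
    m_Size=(DWORD)(strlen(m_DllName)+1);
}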
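// Look up the process id of the first running process whose image name equals m_FileName.
// Returns the id, or 0 when no process matches or the process snapshot could not be taken.
// The comparison is strcmp, i.e. case-sensitive and exact.
DWORD InjectionRemoteThread::GetProcessID()
{
    PROCESSENTRY32 mype;
    memset(&mype,0,sizeof(mype));
    mype.dwSize = sizeof(PROCESSENTRY32); // Easy to forget: dwSize must be set before Process32First
    // Snapshot of all processes on the system.
    HANDLE myhProcess=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    if(myhProcess==INVALID_HANDLE_VALUE)
        return 0;
    DWORD pid=0;
    BOOL mybRet=Process32First(myhProcess,&mype);
    // Walk the snapshot until an entry with the requested image name is found.
    while(mybRet)
    {
        if(strcmp(m_FileName,mype.szExeFile)==0)
        {
            pid=mype.th32ProcessID;
            break;
        }
        mybRet=Process32Next(myhProcess,&mype);
    }
    // The snapshot handle is released on every path; the early return used to leak it.
    ::CloseHandle(myhProcess);
    return pid;
}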
// Open the target process and store the handle in hProcess.
// Requests only the rights the later remote-thread calls use: thread creation, VM operation, VM write.
// Returns 0 on success, 1 when OpenProcess fails (hProcess is then NULL).
// NOTE(review): a GetProcessID() result of 0 (no match) is passed straight to OpenProcess unchecked.
DWORD InjectionRemoteThread::OpenRemoteProcess(){
// Open the target process to obtain a handle; the handle is not inheritable.
hProcess=OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE,false,GetProcessID());
if(!hProcess){
cout<<"打开进程失败"<<endl; // runtime message kept verbatim: "failed to open process"
return 1;
}
return 0;
}
// Copy m_DllName into the target process and run LoadLibraryA on it from a remote thread.
// Returns 0 when the remote thread was created and has finished, 1 when CreateRemoteThread fails.
// Uses the member hProcess; the call that would open it is commented out below, so this method
// relies on hProcess already being valid (in main() it is the first method called after construction).
// NOTE(review): the results of VirtualAllocEx and WriteProcessMemory are not checked before use.
DWORD InjectionRemoteThread::InjectionRemoteProcess(){
// Open the process (disabled here)
//OpenRemoteProcess();
// Allocate m_Size bytes of committed, read/write memory in the target.
LPVOID lpRemoteDllName=::VirtualAllocEx(hProcess,NULL,m_Size,MEM_COMMIT,PAGE_READWRITE);
// Copy the DLL path into the allocated block.
::WriteProcessMemory(hProcess,lpRemoteDllName,(LPVOID)m_DllName,m_Size,NULL);
// Address of LoadLibraryA used as the remote thread's start routine.
LPVOID StartRoutine=LoadLibraryA;
// Start the remote thread with the copied path as its single argument.
HANDLE hRemoteThread=::CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)StartRoutine,lpRemoteDllName,0,NULL);
// Bail out if the remote thread could not be created; hProcess is closed on this path.
if(hRemoteThread==NULL){
cout<<"启动注入失败"<<endl; // runtime message kept verbatim: "failed to start injection"
::CloseHandle(hProcess);
return 1;
}
// Wait for the remote thread to finish (no timeout).
::WaitForSingleObject(hRemoteThread,INFINITE);
// Decommit the remote buffer and close both handles; hProcess is closed here too,
// so a later method cannot reuse it without reopening the process.
::VirtualFreeEx(hProcess,lpRemoteDllName,m_Size,MEM_DECOMMIT);
::CloseHandle(hRemoteThread);
::CloseHandle(hProcess);
return 0;
}
// Ask the target process to unload the DLL: a first remote thread runs GetModuleHandleA on a copy
// of the DLL name, its exit code is then passed to a second remote thread running FreeLibrary.
// Returns 0 when both threads ran, 1 when the first CreateRemoteThread fails.
// NOTE(review): the second CreateRemoteThread and GetExitCodeThread are not checked; on failure
// dwHandle is left uninitialised and WaitForSingleObject receives a NULL handle.
DWORD InjectionRemoteThread::FreeRemoteProcess(){
// Open the process; its return value is not checked.
OpenRemoteProcess();
// Allocate 8 bytes in the target.
// NOTE(review): only 8 bytes are allocated and written here, while m_Size bytes are decommitted below
// and InjectionRemoteProcess uses m_Size throughout — confirm this is intended.
LPVOID lpRemoteDllName=::VirtualAllocEx(hProcess,NULL,8,MEM_COMMIT,PAGE_READWRITE);
// Copy the first 8 bytes of the DLL path into the allocated block.
::WriteProcessMemory(hProcess,lpRemoteDllName,(LPVOID)m_DllName,8,NULL);
// Address of GetModuleHandleA used as the first remote thread's start routine.
LPVOID StartRoutine=GetModuleHandleA;
// Start the first remote thread.
HANDLE hRemoteThread=::CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)StartRoutine,lpRemoteDllName,0,NULL);
// Bail out if the remote thread could not be created; hProcess is closed on this path.
if(hRemoteThread==NULL){
cout<<"启动注入失败"<<endl; // runtime message kept verbatim: "failed to start injection"
::CloseHandle(hProcess);
return 1;
}
DWORD dwHandle; // receives the first thread's exit code (the value GetModuleHandleA returned)
// Wait for the first remote thread to finish (no timeout).
::WaitForSingleObject(hRemoteThread,INFINITE);
// Read the exit code, decommit the remote buffer and close the thread handle.
::GetExitCodeThread(hRemoteThread, &dwHandle);
::VirtualFreeEx(hProcess,lpRemoteDllName,m_Size,MEM_DECOMMIT);
::CloseHandle(hRemoteThread);
// Second remote thread: FreeLibrary with the exit code of the first thread as its argument.
StartRoutine=FreeLibrary;
// Wait for FreeLibrary to finish, then close both handles.
hRemoteThread=::CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)StartRoutine,(LPVOID)dwHandle,0,NULL);
::WaitForSingleObject(hRemoteThread,INFINITE);
::CloseHandle(hRemoteThread);
::CloseHandle(hProcess);
return 0;
}
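// Entry point: builds the helper with placeholder names, runs the two remote-thread methods
// in sequence and prints the calling thread's last-error value.
// The original ended with a bare `return`, which is ill-formed for a function returning int;
// it now returns 0. The two string arguments are the page's placeholders, kept verbatim.
int main(){
    // Construct with the target image name and the absolute DLL path.
    InjectionRemoteThread myIRT("目标进程名","dll绝对路径");
    // Remote thread that loads the DLL. Its return value (0/1) is not inspected here.
    myIRT.InjectionRemoteProcess();
    // Remote threads that unload the DLL. Its return value (0/1) is not inspected here.
    myIRT.FreeRemoteProcess();
    // Print the last-error code; note it reflects the most recent Win32 call that set it,
    // which is not necessarily the call that failed.
    cout<<GetLastError()<<endl;
    return 0;
}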
远程注入线程