#include "stdafx.h"
#include <windows.h>
int _tmain(int argc, _TCHAR* argv[])
{
WCHAR szDllName[] = L"D:\\项目程序\\核心编程\\远程注入DLL\\Debug\\ConsoleApplication1.dll";
if (szDllName[0] == NULL)
return -1;
//打开进程
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 5760);
if (hProcess == INVALID_HANDLE_VALUE)
return -1;
//在远程进程中申请空间
LPVOID pszDllName = VirtualAllocEx(hProcess, NULL, 4096, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (NULL == pszDllName)
return -1;
//向远程进程中写入数据
if (!WriteProcessMemory(hProcess, pszDllName, szDllName, MAX_PATH, NULL))
return -1;
//在远程进程中创建远程线程
HANDLE hIngecthread = CreateRemoteThread(
hProcess, //远程进程句柄
NULL, //安全属性
0, //栈大小
(LPTHREAD_START_ROUTINE)LoadLibrary, //进程处理函数
pszDllName, //传入参数
NULL, //默认创建后的状态
NULL); //线程ID
if (NULL == hIngecthread)
return -1;
//等待线程结束返回
Sleep(1000);
//DWORD dw = WaitForSingleObject(hIngecthread, -1);
//获取线程退出码,即LoadLibrary的返回值,即DLL的首地址
DWORD dwExitCode;
GetExitCodeThread(hIngecthread, &dwExitCode);
//释放空间
if (!VirtualFreeEx(hProcess, pszDllName, 4096, MEM_DECOMMIT))
return -1;
CloseHandle(hProcess);
system("pause");
return 0;
}
/*******************************************************************************/
/*******************************************************************************/
/*******************************************************************************/
DLL 启动注入
#include "stdafx.h"
#include <Windows.h>
// 函数声明
typedef BOOL(WINAPI* Proc_CreateProcessW)(LPCWSTR lpApplicationName,
LPWSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCWSTR lpCurrentDirectory,
LPSTARTUPINFOW lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation);
typedef HMODULE(WINAPI* Func_LoadLibraryW)(LPCWSTR lpLibFileName);
BYTE* mov_eax_xx(BYTE* lpCurAddres, DWORD eax)
{
*lpCurAddres = 0xB8;
*(DWORD*)(lpCurAddres + 1) = eax;
return lpCurAddres + 5;
}
BYTE* mov_ebx_xx(BYTE* lpCurAddres, DWORD ebx)
{
*lpCurAddres = 0xBB;
*(DWORD*)(lpCurAddres + 1) = ebx;
return lpCurAddres + 5;
}
BYTE* mov_ecx_xx(BYTE* lpCurAddres, DWORD ecx)
{
*lpCurAddres = 0xB9;
*(DWORD*)(lpCurAddres + 1) = ecx;
return lpCurAddres + 5;
}
BYTE* mov_edx_xx(BYTE* lpCurAddres, DWORD edx)
{
*lpCurAddres = 0xBA;
*(DWORD*)(lpCurAddres + 1) = edx;
return lpCurAddres + 5;
}
BYTE* mov_esi_xx(BYTE* lpCurAddres, DWORD esi)
{
*lpCurAddres = 0xBE;
*(DWORD*)(lpCurAddres + 1) = esi;
return lpCurAddres + 5;
}
BYTE* mov_edi_xx(BYTE* lpCurAddres, DWORD edi)
{
*lpCurAddres = 0xBF;
*(DWORD*)(lpCurAddres + 1) = edi;
return lpCurAddres + 5;
}
BYTE* mov_ebp_xx(BYTE* lpCurAddres, DWORD ebp)
{
*lpCurAddres = 0xBD;
*(DWORD*)(lpCurAddres + 1) = ebp;
return lpCurAddres + 5;
}
BYTE* mov_esp_xx(BYTE* lpCurAddres, DWORD esp)
{
*lpCurAddres = 0xBC;
*(DWORD*)(lpCurAddres + 1) = esp;
return lpCurAddres + 5;
}
BYTE* mov_eip_xx(BYTE* lpCurAddres, DWORD eip, DWORD newEip)
{
if (!newEip)
{
newEip = (DWORD)lpCurAddres;
}
*lpCurAddres = 0xE9;
*(DWORD*)(lpCurAddres + 1) = eip - (newEip + 5);
return lpCurAddres + 5;
}
BYTE* push_xx(BYTE* lpCurAddres, DWORD dwAdress)
{
*lpCurAddres = 0x68;
*(DWORD*)(lpCurAddres + 1) = dwAdress;
return lpCurAddres + 5;
}
BYTE* Call_xx(BYTE* lpCurAddres, DWORD eip, DWORD newEip)
{
if (!newEip)
{
newEip = (DWORD)lpCurAddres;
}
*lpCurAddres = 0xE8;
*(DWORD*)(lpCurAddres + 1) = eip - (newEip + 5);
return lpCurAddres + 5;
}
BOOL SuspendTidAndInjectCode(HANDLE hProcess, HANDLE hThread, DWORD dwFuncAdress, const BYTE * lpShellCode, size_t uCodeSize)
{
SIZE_T NumberOfBytesWritten = 0;
BYTE ShellCodeBuf[0x480];
CONTEXT Context;
DWORD flOldProtect = 0;
LPBYTE lpCurESPAddress = NULL;
LPBYTE lpCurBufAdress = NULL;
BOOL bResult = FALSE;
// 挂载起线程
SuspendThread(hThread);
memset(&Context, 0, sizeof(Context));
Context.ContextFlags = CONTEXT_FULL;
if (GetThreadContext(hThread, &Context))
{
// 在对方线程中开辟一个 0x480 大小的局部空
lpCurESPAddress = (LPBYTE)((Context.Esp - 0x480) & 0xFFFFFFE0);
// 获取指针 用指针来操作
lpCurBufAdress = &ShellCodeBuf[0];
if (lpShellCode)
{
memcpy(ShellCodeBuf + 128, lpShellCode, uCodeSize);
lpCurBufAdress = push_xx(lpCurBufAdress, (DWORD)lpCurESPAddress + 128); // push
lpCurBufAdress = Call_xx(lpCurBufAdress, dwFuncAdress, (DWORD)lpCurESPAddress + (DWORD)lpCurBufAdress - (DWORD)&ShellCodeBuf); //Call
}
lpCurBufAdress = mov_eax_xx(lpCurBufAdress, Context.Eax);
lpCurBufAdress = mov_ebx_xx(lpCurBufAdress, Context.Ebx);
lpCurBufAdress = mov_ecx_xx(lpCurBufAdress, Context.Ecx);
lpCurBufAdress = mov_edx_xx(lpCurBufAdress, Context.Edx);
lpCurBufAdress = mov_esi_xx(lpCurBufAdress, Context.Esi);
lpCurBufAdress = mov_edi_xx(lpCurBufAdress, Context.Edi);
lpCurBufAdress = mov_ebp_xx(lpCurBufAdress, Context.Ebp);
lpCurBufAdress = mov_esp_xx(lpCurBufAdress, Context.Esp);
lpCurBufAdress = mov_eip_xx(lpCurBufAdress, Context.Eip, (DWORD)lpCurESPAddress +
(DWORD)lpCurBufAdress - (DWORD)&ShellCodeBuf);
Context.Esp = (DWORD)(lpCurESPAddress - 4);
Context.Eip = (DWORD)lpCurESPAddress;
if (VirtualProtectEx(hProcess, lpCurESPAddress, 0x480, PAGE_EXECUTE_READWRITE, &flOldProtect)
&& WriteProcessMemory(hProcess, lpCurESPAddress, &ShellCodeBuf, 0x480, &NumberOfBytesWritten)
&& FlushInstructionCache(hProcess, lpCurESPAddress, 0x480)
&& SetThreadContext(hThread, &Context))
{
bResult = TRUE;
}
}
// 恢复线程
ResumeThread(hThread);
return TRUE;
}
DWORD GetFuncAdress()
{
return (DWORD)GetProcAddress(GetModuleHandleA("Kernel32"), "LoadLibraryW");
}
BOOL WINAPI CreateProcessWithDllW(LPCWSTR lpApplicationName,
LPWSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCWSTR lpCurrentDirectory,
LPSTARTUPINFOW lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation,
LPWSTR lpDllFullPath,
Proc_CreateProcessW FuncAdress
)
{
BOOL bResult = FALSE;
size_t uCodeSize = 0;
DWORD dwCreaFlags;
PROCESS_INFORMATION pi;
ZeroMemory(&pi, sizeof(pi));
if (FuncAdress == NULL)
{
FuncAdress = CreateProcessW;
}
// 设置创建就挂起进程
dwCreaFlags = dwCreationFlags | CREATE_SUSPENDED;
if (CreateProcessW(lpApplicationName,
lpCommandLine,
lpProcessAttributes,
lpThreadAttributes,
bInheritHandles,
dwCreaFlags,
lpEnvironment,
lpCurrentDirectory,
lpStartupInfo,
&pi
))
{
if (lpDllFullPath)
uCodeSize = 2 * wcslen(lpDllFullPath) + 2;
else
uCodeSize = 0;
// 得到LoadLibraryW 的地址
DWORD dwLoadDllProc = GetFuncAdress();
// 挂起线程 写入Shellcode
if (SuspendTidAndInjectCode(pi.hProcess, pi.hThread, dwLoadDllProc, (BYTE*)lpDllFullPath, uCodeSize))
{
if (lpProcessInformation)
memcpy(lpProcessInformation, &pi, sizeof(PROCESS_INFORMATION));
if (!(dwCreationFlags & CREATE_SUSPENDED))
ResumeThread(pi.hThread);
bResult = TRUE;
}
}
return bResult;
}
int _tmain(int argc, _TCHAR* argv[])
{
WCHAR wszPath[] = L"D:\\软件工具\\为知\\WizNote\\Wiz.exe";
WCHAR wszDll[] = L"D:\\ConsoleApplication1.dll";
STARTUPINFOW si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
ZeroMemory(&pi, sizeof(pi));
CreateProcessWithDllW(NULL, wszPath, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi, wszDll, NULL);
return 0;
}
/************************************************************************************************/