DLL injection and unloading
Source: Internet   Editor: 程序博客网   Time: 2024/06/07 02:10
DLL injection experiment:
MSDN says that DllMain may be omitted, but here it cannot be omitted.
The reason is simple: look at the formal parameters of DllMain and it becomes clear.
When an application loads the DLL, the system reports the reason for the call (for example DLL_PROCESS_ATTACH) through DllMain's second parameter.
Using this, the loaded DLL can immediately run its own functions the moment it is mapped!!
Here is the code for the experiment:
// ---- my.dll: the DLL that gets injected ----
#include <windows.h>

DWORD WINAPI ThreadProc(PVOID lp);

BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        // Note: MSDN advises against calling into user32 or creating threads inside
        // DllMain (the loader lock is held); this is kept as the author's experiment.
        MessageBoxA(NULL, "DLL_PROCESS_ATTACH", "ASDF", 0);
        {
            // Start a worker thread so the DLL's own code runs as soon as it is mapped.
            // The handle is closed at once so it does not leak; the thread keeps running.
            HANDLE hWorker = CreateThread(NULL, 0, ThreadProc, NULL, 0, NULL);
            if (hWorker)
                CloseHandle(hWorker);
        }
        break;
    case DLL_THREAD_ATTACH:
        MessageBoxA(NULL, "DLL_THREAD_ATTACH", "ASDF", 0);
        break;
    case DLL_THREAD_DETACH:
        MessageBoxA(NULL, "DLL_THREAD_DETACH", "ASDF", 0);
        break;
    case DLL_PROCESS_DETACH:
        MessageBoxA(NULL, "DLL_PROCESS_DETACH", "ASDF", 0);
        break;
    }
    return TRUE;
}

DWORD WINAPI ThreadProc(PVOID lp)
{
    MessageBoxA(NULL, "ThreadProc", "ASDF", 0);
    return 0;
}

// ---- Injector: MFC dialog button handler (m_pid holds the target PID) ----
void CInTOprocessDlg::OnBtnIn()
{
    UpdateData(TRUE);   // read m_pid from the dialog control

    HANDLE hRemoteProcess = OpenProcess(
        PROCESS_CREATE_THREAD |
        PROCESS_VM_OPERATION |
        PROCESS_VM_WRITE,
        FALSE, m_pid);
    if (!hRemoteProcess)
    {
        MessageBox("Cannot open the process");
        return;
    }

    const char *pszLibFileName = "my.dll";
    int cb = (1 + lstrlenA(pszLibFileName)) * sizeof(char);

    // Allocate memory in the target process to hold the DLL path
    char *pszLibFileRemote = (char *)VirtualAllocEx(hRemoteProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
    if (!pszLibFileRemote)
    {
        CloseHandle(hRemoteProcess);
        MessageBox("VirtualAllocEx error!");
        return;
    }

    // Write the DLL path into the target process
    if (!WriteProcessMemory(hRemoteProcess, pszLibFileRemote, (PVOID)pszLibFileName, cb, NULL))
    {
        VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
        CloseHandle(hRemoteProcess);
        MessageBox("WriteProcessMemory error!");
        return;
    }

    // Create a remote thread whose start routine is LoadLibraryA and whose
    // argument is the path just written
    HANDLE hThread = CreateRemoteThread(hRemoteProcess, NULL, 0,
        (PTHREAD_START_ROUTINE)LoadLibraryA, pszLibFileRemote, 0, NULL);
    if (!hThread)
    {
        VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
        CloseHandle(hRemoteProcess);
        MessageBox("CreateRemoteThread error!");
        return;
    }

    // Wait for LoadLibraryA to return before releasing the buffer it reads from
    WaitForSingleObject(hThread, INFINITE);

    VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
    CloseHandle(hThread);
    CloseHandle(hRemoteProcess);
}
Today, while studying DLL injection with IceSword, I ran into a strange problem.
After I called LoadLibrary, for some reason (I later found out it was probably itchy fingers, I had pressed the button a few extra times) FreeLibrary would not release the DLL no matter what.
After many tries I found the following pattern:
When I called LoadLibrary several times and then called FreeLibrary, and then looked at the target process's modules in IceSword, the injected DLL had not been unloaded!!!
But when FreeLibrary was called several times, the DLL did unload!! The experiments finally showed that LoadLibrary and FreeLibrary must be called the same number of times before the DLL unloads.
Oh, my god!!! The problem was solved, but I did not know the root cause! Not satisfied! To find the real culprit I had to go and dig through MSDN, which is all in English.
Here is what MSDN says:
The system maintains a per-process reference count for each loaded module. A module that was loaded at process initialization due to load-time dynamic linking has a reference count of one. The reference count for a module is incremented each time the module is loaded by a call to LoadLibrary. The reference count is also incremented by a call to LoadLibraryEx unless the module is being loaded for the first time and is being loaded as a data or image file.
The reference count is decremented each time the FreeLibrary or FreeLibraryAndExitThread function is called for the module. When a module's reference count reaches zero or the process terminates, the system unloads the module from the address space of the process. Before unloading a library module, the system enables the module to detach from the process by calling the module's DllMain function, if it has one, with the DLL_PROCESS_DETACH value. Doing so gives the library module an opportunity to clean up resources allocated on behalf of the current process. After the entry-point function returns, the library module is removed from the address space of the current process.
In short: every call to LoadLibrary increments an internal count by 1, every call to FreeLibrary decrements it by 1, and when the count reaches 0 the DLL is released.
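The author checked whether the DLL was really gone by looking at the target process's module list in IceSword. The PowerShell below is an added example, not code from the original post: it lists the modules loaded in one process and reports those that do not look like they belong there, either because they were loaded from a directory outside the Windows and Program Files roots or because they carry no valid Authenticode signature. A DLL that is still listed after FreeLibrary means its load count has not reached zero. The function name Get-UnexpectedModule and the -TargetPid parameter are my own choices.

```powershell
# Added example, not from the original post. Lists the modules loaded in one
# process and reports those that do not look like they belong: loaded from a
# directory outside the usual system roots, or without a valid Authenticode
# signature. Function and parameter names are assumptions of this example.
function Get-UnexpectedModule {
    param(
        [Parameter(Mandatory = $true)]
        [int]$TargetPid
    )

    # Directories from which legitimately installed code is expected to load.
    # A trailing backslash prevents prefix collisions such as C:\Windows2.
    $trustedRoots = @(
        $env:SystemRoot,
        $env:ProgramFiles,
        ${env:ProgramFiles(x86)}
    ) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    $proc = Get-Process -Id $TargetPid -ErrorAction Stop

    foreach ($m in $proc.Modules) {
        $path = $m.FileName

        $inTrustedDir = $false
        foreach ($root in $trustedRoots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inTrustedDir = $true
                break
            }
        }

        # Status is 'Valid' only for a correctly signed file with a trusted chain
        $sig = Get-AuthenticodeSignature -FilePath $path

        if (-not $inTrustedDir -or $sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Process    = $proc.ProcessName
                Pid        = $proc.Id
                Module     = $m.ModuleName
                Path       = $path
                Base       = ('0x{0:X}' -f $m.BaseAddress.ToInt64())
                Signature  = $sig.Status
                TrustedDir = $inTrustedDir
            }
        }
    }
}

# Usage: inspect the process whose PID was typed into the injector dialog
# Get-UnexpectedModule -TargetPid 1234 | Format-Table -AutoSize
```

Run it from a PowerShell of the same bitness as the target (a 32-bit host cannot enumerate a 64-bit process's modules and .Modules throws), and elevated for processes owned by other users. The two checks are a first filter only: a signed module under System32 passes both, so the result is something to review, not a verdict.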
Unloading:
Once you know how injection works, unloading is easy to learn! For viruses and trojans that work by DLL injection, you can write your own dedicated removal tool! The style of the code below is fairly new to me: it returns error codes, which gives it a bit of an API flavor!