封装远程注入类CreateRemoteThreadEx
类初始化时传入要注入的DLL文件名
只使用两个函数
// Inject the DLL into the address space of the given process.
BOOL InjectModuleInto(DWORD dwProcessId);
// Unload the DLL from the address space of the given process.
BOOL EjectModuleFrom(DWORD dwProcessId);
.h
#pragma once
#include <windows.h> // included here so that BOOL/DWORD/LPSTR/MAX_PATH are visible to every user of this header

// Wrapper around the remote-thread DLL load/unload pattern (CreateRemoteThreadEx +
// kernel32!LoadLibraryA / kernel32!FreeLibrary) targeting another process.
// Constructing an instance copies the DLL name and enables SeDebugPrivilege on the
// calling process token; destroying it disables the privilege again.
// NOTE(review): the single-argument constructor is not `explicit`, so a LPSTR converts
// to CRemThreadInject implicitly. m_szDllName is filled by a fixed-size memcpy in the
// .cpp, so callers must supply a buffer of at least MAX_PATH bytes.
class CRemThreadInject
{
public:
    CRemThreadInject(LPSTR lpDllName);
    ~CRemThreadInject(void);
protected:
    // DLL name compared (case-insensitively) against module names in the target
    // and written into the target as the LoadLibraryA argument.
    char m_szDllName[MAX_PATH];
    // Enables (TRUE) or disables (FALSE) SeDebugPrivilege on the current process token.
    static BOOL EnableDebugPrivilege(BOOL bEnable);
public:
    // Inject the DLL into the address space of the given process.
    BOOL InjectModuleInto(DWORD dwProcessId);
    // Unload the DLL from the address space of the given process.
    BOOL EjectModuleFrom(DWORD dwProcessId);
};
.cpp
#include "RemThreadInject.h"
#include <tlhelp32.h>

// Copies the DLL name into m_szDllName and enables SeDebugPrivilege for this process.
// NOTE(review): memcpy copies exactly MAX_PATH bytes from lpDllName regardless of the
// string's actual length, so a caller passing a shorter buffer (e.g. a string literal)
// causes an over-read, and m_szDllName is only NUL-terminated if the source was.
// The return value of EnableDebugPrivilege is ignored, so construction "succeeds" even
// when the privilege could not be enabled.
CRemThreadInject::CRemThreadInject(LPSTR lpDllName)
{
    memcpy(m_szDllName, lpDllName, MAX_PATH);
    EnableDebugPrivilege(TRUE);
}

// Drops SeDebugPrivilege again when the injector object is destroyed.
CRemThreadInject::~CRemThreadInject(void)
{
    EnableDebugPrivilege(FALSE);
}

// Enables (bEnable != FALSE) or disables SeDebugPrivilege on the current process token.
// Returns FALSE if the token cannot be opened, AdjustTokenPrivileges fails, or the
// privilege was not actually assigned (ERROR_NOT_ALL_ASSIGNED); TRUE otherwise.
// NOTE(review): hToken is leaked on the two failure paths after OpenProcessToken succeeds.
// As extracted, the `//` in front of the LookupPrivilegeValue call reads as a comment;
// if that is what the original source contains, `luid` is never initialised before it is
// copied into tp — confirm against the original file.
// Defender note: a non-debugger process enabling SeDebugPrivilege is a commonly audited
// token event (Windows audit event 4703, "a token right was adjusted").
BOOL CRemThreadInject::EnableDebugPrivilege(BOOL bEnable)
{
    HANDLE hToken = INVALID_HANDLE_VALUE;
    // OpenProcessToken
    if (0 == ::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        return FALSE;
    }
    LUID luid;
    //::LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    if (bEnable)
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    else
        tp.Privileges[0].Attributes = 0;
    if ( !AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES) NULL, (PDWORD) NULL) )
    {
        return FALSE;
    }
    // AdjustTokenPrivileges can return TRUE while assigning nothing; GetLastError tells the two apart.
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        return FALSE;
    }
    ::CloseHandle(hToken);
    return TRUE;
}

// Inject the DLL into the address space of the given process.
// Enumerates the target's modules with a Toolhelp snapshot and returns FALSE if a module
// named m_szDllName is already present; otherwise opens the process, copies the DLL name
// into it and runs kernel32!LoadLibraryA on a remote thread with that copy as argument,
// blocking until the thread exits. Returns FALSE on any API failure, TRUE otherwise.
// NOTE(review): bFound is declared without an initialiser and only ever set to TRUE, so
// when the module is absent `if (bFound)` reads an indeterminate value (undefined behaviour).
// The results of GetModuleHandle, GetProcAddress, VirtualAllocEx and WriteProcessMemory are
// not checked before being used, and the remote allocation is never released with
// VirtualFreeEx. me32.szModule holds the module's base file name, so a full path in
// m_szDllName will never match here — confirm what callers pass. The INFINITE wait means
// the caller hangs if the remote thread never returns. Passing the local GetProcAddress
// result as the remote start address assumes kernel32 is mapped at the same base in the
// target — TODO confirm this assumption holds for the intended targets.
// Defender note: OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
// CreateRemoteThread(Ex) with a kernel32!LoadLibraryA start address is the textbook
// remote-thread injection sequence; Sysmon event 8 (CreateRemoteThread) and EDR
// cross-process thread-creation telemetry key on exactly this pattern.
BOOL CRemThreadInject::InjectModuleInto(DWORD dwProcessId)
{
    //if (::GetCurrentProcessId() == dwProcessId){return FALSE; }
    BOOL bFound;
    /************************************************************************/
    /* enumerate modules                                                    */
    /************************************************************************/
    HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
    MODULEENTRY32 me32;
    // Take a snapshot of all modules in the specified process.
    hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwProcessId );
    if( hModuleSnap == INVALID_HANDLE_VALUE )
    {
        return( FALSE );
    }
    me32.dwSize = sizeof( MODULEENTRY32 );
    if( !Module32First( hModuleSnap, &me32 ) )
    {
        CloseHandle( hModuleSnap ); // Must clean up the snapshot object!
        return( FALSE );
    }
    do
    {
        if (stricmp(me32.szModule, m_szDllName) == 0)
        {
            bFound = TRUE;
            break;
        }
    } while( Module32Next( hModuleSnap, &me32 ) );
    // Do not forget to clean up the snapshot object.
    CloseHandle( hModuleSnap );
    if (bFound) // the module is already loaded; do not load it again
    {
        return FALSE;
    }
    // not loaded yet: open the process and inject remotely
    HANDLE hProcess = ::OpenProcess(PROCESS_CREATE_THREAD |PROCESS_VM_OPERATION |PROCESS_VM_WRITE, FALSE, dwProcessId);
    if (hProcess == NULL)
    {
        return FALSE;
    }
    HMODULE hKernerl32 = GetModuleHandle("kernel32.dll");
    LPTHREAD_START_ROUTINE pfnLoadLibraryA = (LPTHREAD_START_ROUTINE)::GetProcAddress(hKernerl32, "LoadLibraryA");
    int cbSize = strlen(m_szDllName)+1;
    LPVOID lpRemoteDllName = ::VirtualAllocEx(hProcess, 0, cbSize, MEM_COMMIT, PAGE_READWRITE);
    ::WriteProcessMemory(hProcess, lpRemoteDllName, m_szDllName, cbSize, NULL);
    HANDLE hRemoteThread = ::CreateRemoteThreadEx(hProcess, NULL, 0, pfnLoadLibraryA, lpRemoteDllName, 0, NULL, NULL);
    if (NULL == hRemoteThread)
    {
        ::CloseHandle(hProcess);
        return FALSE;
    }
    // Wait for the remote thread to finish, i.e. for LoadLibraryA to return.
    ::WaitForSingleObject(hRemoteThread, INFINITE);
    ::CloseHandle(hRemoteThread);
    ::CloseHandle(hProcess);
    return TRUE;
}

// Unload the DLL from the address space of the given process.
// Mirrors InjectModuleInto: enumerates the target's modules and returns FALSE unless a
// module named m_szDllName is present; then opens the process, copies the DLL name into
// it and runs kernel32!FreeLibrary on a remote thread, blocking until the thread exits.
// NOTE(review): the remote thread's argument is lpRemoteDllName, the address of the
// DLL-name string written into the target, but FreeLibrary takes an HMODULE, so the
// unload cannot take effect as written. The same uninitialised-bFound, unchecked-result,
// never-freed-remote-allocation and INFINITE-wait issues as in InjectModuleInto apply.
BOOL CRemThreadInject::EjectModuleFrom(DWORD dwProcessId)
{
    //if (::GetCurrentProcessId() == dwProcessId){return FALSE; }
    BOOL bFound;
    /************************************************************************/
    /* enumerate modules                                                    */
    /************************************************************************/
    HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
    MODULEENTRY32 me32;
    // Take a snapshot of all modules in the specified process.
    hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwProcessId );
    if( hModuleSnap == INVALID_HANDLE_VALUE )
    {
        return( FALSE );
    }
    me32.dwSize = sizeof( MODULEENTRY32 );
    if( !Module32First( hModuleSnap, &me32 ) )
    {
        CloseHandle( hModuleSnap ); // Must clean up the snapshot object!
        return( FALSE );
    }
    do
    {
        if (stricmp(me32.szModule, m_szDllName) == 0)
        {
            bFound = TRUE;
            break;
        }
    } while( Module32Next( hModuleSnap, &me32 ) );
    // Do not forget to clean up the snapshot object.
    CloseHandle( hModuleSnap );
    if (!bFound) // the module is not loaded, so there is nothing to unload
    {
        return FALSE;
    }
    // loaded: open the process and run the unload remotely
    HANDLE hProcess = ::OpenProcess(PROCESS_CREATE_THREAD |PROCESS_VM_OPERATION |PROCESS_VM_WRITE, FALSE, dwProcessId);
    if (hProcess == NULL)
    {
        return FALSE;
    }
    HMODULE hKernerl32 = GetModuleHandle("kernel32.dll");
    LPTHREAD_START_ROUTINE pfnFreeLibrary = (LPTHREAD_START_ROUTINE)::GetProcAddress(hKernerl32, "FreeLibrary");
    int cbSize = strlen(m_szDllName)+1;
    LPVOID lpRemoteDllName = ::VirtualAllocEx(hProcess, 0, cbSize, MEM_COMMIT, PAGE_READWRITE);
    ::WriteProcessMemory(hProcess, lpRemoteDllName, m_szDllName, cbSize, NULL);
    HANDLE hRemoteThread = ::CreateRemoteThreadEx(hProcess, NULL, 0, pfnFreeLibrary, lpRemoteDllName, 0, NULL, NULL);
    if (NULL == hRemoteThread)
    {
        ::CloseHandle(hProcess);
        return FALSE;
    }
    // Wait for the remote thread to finish, i.e. for the call to return
    // (the original comment said "LoadLibraryA"; this thread runs FreeLibrary).
    ::WaitForSingleObject(hRemoteThread, INFINITE);
    ::CloseHandle(hRemoteThread);
    ::CloseHandle(hProcess);
    return TRUE;
}