CreateRemoteThread远程注入使用例子

来源：互联网发布：c语言double怎么用编辑：程序博客网时间：2024/06/06 02:23

CreateRemoteThread远程注入使用例子

2008-04-15 17:02 2112人阅读评论(0) 收藏举报

//CreateRemoteThread 使用关闭远程进程句柄 processID远程进程的进程ID handle远程进程的进程句柄

CloseRemoteHandle( DWORD processID, HANDLE handle )

{

HANDLE ht = 0;

DWORD rc = 0;

// open the process

HANDLE hProcess = OpenProcess( PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE|PROCESS_VM_READ, FALSE, processID );

if ( hProcess == NULL )

{

rc = GetLastError();

MessageBox( _T("OpenProcess() failed ") );

return rc;

}

// load kernel32.dll

HMODULE hKernel32 = LoadLibrary( _T("kernel32.dll") );

// CreateRemoteThread()

ht = CreateRemoteThread(

hProcess,

(DWORD(__stdcall *)(void*))GetProcAddress(hKernel32,"CloseHandle"),

handle,

&rc );

if ( ht == NULL )

{

//Something is wrong with the privileges, or the process doesn't like us

rc = GetLastError();

MessageBox( _T("CreateRemoteThread() failed ") );

//Free up the kernel32.dll

FreeLibrary( hKernel32 );

CloseHandle( hProcess );

}

switch ( WaitForSingleObject( ht, 2000 ) )

{

case WAIT_OBJECT_0:

//Well done

rc = 0;

MessageBox( _T("Ok "));

break;

default:

//Oooops, shouldn't be here

rc = GetLastError();

MessageBox( _T("WaitForSingleObject() failed ") );

break;

}

//Closes the remote thread handle

CloseHandle( ht );

//Free up the kernel32.dll

if ( hKernel32 != NULL)

FreeLibrary( hKernel32 );

//Close the process handle

CloseHandle( hProcess );

return rc;

}

//CreateRemoteThread 使用释放远程dll句柄 processID占用dll的远程进程的进程ID lpDllPath dll路径

CloseRemoteDll( DWORD processID, LPCTSTR lpDllPath )

{

HANDLE ht = 0;

DWORD rc = 0;

DWORD dwHandle;

HANDLE hProcess;

hProcess= OpenProcess(PROCESS_CREATE_THREAD | //允许远程创建线程

PROCESS_VM_OPERATION | //允许远程VM操作

PROCESS_VM_WRITE, //允许远程VM写

FALSE, processID );

if ( hProcess == NULL )

{

rc = GetLastError();

//MessageBox( _T("OpenProcess() failed ") );

return rc;

}

HMODULE hKernel32 = LoadLibrary("kernel32.dll");

//向目标进程地址空间写入DLL名称

DWORD dwSize, dwWritten;

CString str;

str=lpDllPath;

dwSize=str.GetLength()+1;

LPVOID lpBuf = VirtualAllocEx(hProcess,NULL,dwSize, MEM_COMMIT, PAGE_READWRITE );

if(!WriteProcessMemory(hProcess,lpBuf,(LPVOID)lpDllPath, dwSize,&dwWritten))

{

rc=GetLastError();

VirtualFreeEx(hProcess,lpBuf,dwSize,MEM_DECOMMIT);

CloseHandle(hProcess);

return rc;

}

HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0,

(DWORD(__stdcall *)(void*))GetProcAddress(hKernel32,"GetModuleHandleA"),

lpBuf ,0, NULL);

if(hThread == NULL)

{

rc=GetLastError();

CloseHandle(hProcess);

return rc ;

}

//等待GetModuleHandle运行完毕

WaitForSingleObject(hThread, INFINITE);

//获得GetModuleHandle的返回值

GetExitCodeThread(hThread,&dwHandle);

//释放目标进程中申请的空间

VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT);

CloseHandle(hThread);

// CreateRemoteThread()

ht = CreateRemoteThread(

hProcess,

(DWORD(__stdcall *)(void*))GetProcAddress(hKernel32,"FreeLibrary"),

(LPVOID)dwHandle,

&rc );

if ( ht == NULL )

{

rc = GetLastError();

MessageBox( _T("CreateRemoteThread() failed ") );

FreeLibrary( hKernel32 );

CloseHandle( hProcess );

return rc;

}

switch ( WaitForSingleObject( ht, 2000 ) )

{

case WAIT_OBJECT_0:

rc = 0;

MessageBox( _T("Ok "));

break;

default:

rc = GetLastError();

MessageBox( _T("WaitForSingleObject() failed ") );

break;

}

//Closes the remote thread handle

CloseHandle(ht );

//Free up the kernel32.dll

if ( hKernel32 != NULL)

FreeLibrary( hKernel32 );

//Close the process handle

CloseHandle( hProcess );

return rc;

}

分享到：

上一篇：CTreeCtrl使用

下一篇：C# 里面的编码问题

CreateRemoteThread远程注入 使用例子