远程注入

 
  • 简介:注入代码到远程线程,在目标进程创建一个线程,执行期望的代码。
  • 项目需求:创建远程线程,并可以实现远程注入DLL.
  • 项目分析:使用CreateRemoteThread在目标进程创建一个远程线程,执行自定义代码;自定义代码当然也可以是加载(Load)一个DLL,这样就可以实现远程注入DLL。
  • 项目实现:先在远程进程中分配一块内存空间,向其中写入线程所需的参数和线程体本身,然后调用CreateRemoteThread执行该远程线程体。
  •  

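    /*
     * Copies an optional parameter block and the code range starting at
     * funcStart into the process identified by dwProcessId, then starts a
     * thread in that process at the copied code with the copied parameter
     * block as its argument.
     *
     * dwProcessId  - id of the process that receives the copy.
     * funcStart    - first byte of the local code range.
     * funcEnd      - end of the local code range; must not precede funcStart.
     * pParam       - local parameter block, copied only when dwParamSize != 0.
     * dwParamSize  - size of the parameter block in bytes; 0 means "no
     *                parameter" and the remote thread receives NULL.
     *
     * Failures are reported through MessageBox and the function returns
     * without a status value.
     *
     * Reviewer notes:
     *  - The call sequence OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx
     *    -> WriteProcessMemory -> CreateRemoteThread is the process-injection
     *    pattern catalogued as MITRE ATT&CK T1055. Endpoint telemetry such as
     *    Sysmon event 10 (ProcessAccess) and event 8 (CreateRemoteThread)
     *    records exactly these steps.
     *  - SeDebugPrivilege is raised only for the duration of the call. The
     *    original returned early on every error path and left the privilege
     *    enabled and the process handle open; all exits now go through one
     *    cleanup path.
     *  - EnablePrivilege is defined elsewhere in the project; its result is
     *    not visible here, so a failed privilege change goes unnoticed.
     */
    void __fastcall InjectToRemoteProcess(DWORD dwProcessId,PVOID funcStart,PVOID funcEnd,void * pParam,DWORD dwParamSize)
    {
        HANDLE    hRemoteProcess = NULL;   /* process that receives the copy */
        HANDLE    hRemoteThread  = NULL;   /* thread created in that process */
        PVOID     pRemoteThread  = NULL;   /* remote copy of the code range */
        PVOID     pRemoteParam   = NULL;   /* remote copy of the parameter block */
        ULONG_PTR codeBytes      = 0;
        DWORD     dwThreadSize   = 0;
        DWORD     dwThreadId     = 0;
        SIZE_T    bytesWritten   = 0;
        BOOL      bStarted       = FALSE;

        /* Reject an unusable range before any privilege is raised. The
         * original subtracted the pointers after casting them to int, which
         * truncates on 64-bit builds and goes negative when the range is
         * reversed. */
        if (funcStart == NULL || funcEnd == NULL ||
            (ULONG_PTR)funcEnd < (ULONG_PTR)funcStart)
        {
            MessageBox(NULL,"Invalid Thread Code Range",NULL,MB_OK | MB_APPLMODAL | MB_ICONWARNING);
            return;
        }
        codeBytes = (ULONG_PTR)funcEnd - (ULONG_PTR)funcStart;
        if (codeBytes > (ULONG_PTR)(MAXDWORD - 2048))
        {
            MessageBox(NULL,"Invalid Thread Code Range",NULL,MB_OK | MB_APPLMODAL | MB_ICONWARNING);
            return;
        }
        /* Same size as the original: the range plus 2048 bytes of slack.
         * NOTE(review): the slack is read from local memory past funcEnd, so
         * the copy below depends on those bytes being readable. */
        dwThreadSize = (DWORD)codeBytes + 2048;

        EnablePrivilege(SE_DEBUG_NAME,true);

        hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS,false,dwProcessId);
        if (hRemoteProcess == NULL)
        {
            MessageBox(NULL,"Failed to Open Process","Open Process Error",MB_OK | MB_APPLMODAL|MB_ICONWARNING);
            goto cleanup;
        }

        if (0 != dwParamSize)
        {
            pRemoteParam = VirtualAllocEx(hRemoteProcess,NULL,dwParamSize,MEM_COMMIT,PAGE_READWRITE);
            if (pRemoteParam == NULL)
            {
                MessageBox(NULL,"Failed to Allocate Memory at Remote Process for Param","Alloc Memory Error!",MB_OK | MB_APPLMODAL | MB_ICONWARNING);
                goto cleanup;
            }
            if (!WriteProcessMemory(hRemoteProcess,pRemoteParam,pParam,dwParamSize,&bytesWritten))
            {
                MessageBox(NULL,"Failed to Write Param to Remote Process",NULL,MB_OK | MB_APPLMODAL | MB_ICONWARNING);
                goto cleanup;
            }
        }

        pRemoteThread = VirtualAllocEx(hRemoteProcess,NULL,dwThreadSize,MEM_COMMIT,PAGE_READWRITE);
        if (pRemoteThread == NULL)
        {
            MessageBox(NULL,"Failed to Allocate Memory at Remote Process for Thread Code",NULL,MB_OK | MB_APPLMODAL | MB_ICONWARNING);
            goto cleanup;
        }
        if (!WriteProcessMemory(hRemoteProcess,pRemoteThread,(LPVOID)funcStart,dwThreadSize,&bytesWritten))
        {
            MessageBox(NULL,"Failed to Write Thread Code to Remote Process",NULL,MB_OK | MB_APPLMODAL | MB_ICONWARNING);
            goto cleanup;
        }

        /* The original ignored the result of this call and reused the
         * byte-count variable as the thread-id output. */
        hRemoteThread = CreateRemoteThread(hRemoteProcess,0,0,(LPTHREAD_START_ROUTINE)pRemoteThread,pRemoteParam,0,&dwThreadId);
        if (hRemoteThread == NULL)
        {
            MessageBox(NULL,"Failed to Create Remote Thread",NULL,MB_OK | MB_APPLMODAL | MB_ICONWARNING);
            goto cleanup;
        }
        bStarted = TRUE;

    cleanup:
        if (hRemoteProcess != NULL)
        {
            /* Release the remote allocations only when no thread was started;
             * a running thread still uses them. */
            if (!bStarted)
            {
                if (pRemoteThread != NULL)
                {
                    VirtualFreeEx(hRemoteProcess,pRemoteThread,0,MEM_RELEASE);
                }
                if (pRemoteParam != NULL)
                {
                    VirtualFreeEx(hRemoteProcess,pRemoteParam,0,MEM_RELEASE);
                }
            }
            if (hRemoteThread != NULL)
            {
                CloseHandle(hRemoteThread);   /* closes the handle only; the thread keeps running */
            }
            CloseHandle(hRemoteProcess);
        }

        /* Always drop SeDebugPrivilege again, including on error paths. */
        EnablePrivilege(SE_DEBUG_NAME,false);
    }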

  • 代码下载:Inject.rar
  • 可执行文件下载:InjectRelease.rar
  • http://pgy12345.googlepages.com/inject