初学C++ 远程线程注入DLL与卸载
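// Enable SeDebugPrivilege in the current process token.
//
// Purpose: OpenProcess() on processes owned by other users (or with a
// restrictive DACL) needs this privilege enabled; the injector / unloader
// below call this first.
//
// Fixes over the original:
//  - the token is opened with TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, the
//    minimum AdjustTokenPrivileges() needs, instead of TOKEN_ALL_ACCESS;
//  - LookupPrivilegeValue() is checked; on failure the LUID would be
//    uninitialised and must not be fed to AdjustTokenPrivileges();
//  - TOKEN_PRIVILEGES is zero-initialised.
//
// Caveat (reviewer): a privilege can only be *enabled* if it is already
// present in the token, i.e. the caller runs as an administrator with an
// elevated token. If it is absent, AdjustTokenPrivileges() still returns
// TRUE and only GetLastError() == ERROR_NOT_ALL_ASSIGNED reveals it. The
// void signature is kept for compatibility, so callers only notice
// indirectly when a later OpenProcess() fails with ERROR_ACCESS_DENIED.
void DebugPrivilege()
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tp;

    // Least privilege: only what is needed to adjust our own token.
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return;
    }

    ZeroMemory(&tp, sizeof(tp));
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // Resolve the LUID that names SeDebugPrivilege on this machine.
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
    {
        AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
        // NOTE(review): TRUE here does not mean the privilege is held; a
        // caller that needs certainty should test
        // GetLastError() == ERROR_NOT_ALL_ASSIGNED right after this call.
    }

    CloseHandle(hToken);
}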
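// Inject TestDLL.dll into notepad.exe with the classic
// CreateRemoteThread + LoadLibraryW technique:
//   1. copy the DLL path into the target's address space,
//   2. start a remote thread whose start address is kernel32!LoadLibraryW
//      and whose single argument is that path buffer.
//
// Fixes over the original:
//  - every Win32 call that can fail is checked; on failure the function
//    cleans up and returns instead of carrying on with NULL handles;
//  - the remote path buffer is released with VirtualFreeEx() (it leaked);
//  - the bytes-written out-parameter is SIZE_T as the API requires; a
//    DWORD there is an out-of-bounds write on 64-bit builds;
//  - the process is opened with only the rights CreateRemoteThread(),
//    VirtualAllocEx() and WriteProcessMemory() need, not PROCESS_ALL_ACCESS;
//  - the buffer length uses sizeof(WCHAR) instead of a hard-coded 2.
//
// Caveats a practitioner should keep in mind:
//  - The local address of LoadLibraryW is reused in the target. That is
//    only valid when kernel32.dll is mapped at the same base in both
//    processes, which in practice requires injector and target to have
//    the same bitness (32<->64 injection fails or crashes the target).
//  - The DLL path is hard-coded and absolute. Whoever can write to that
//    directory gets code execution inside the target, so the file must
//    live where lower-privileged users cannot replace it.
//  - WaitForSingleObject(INFINITE) blocks forever if the injected DLL's
//    DllMain never returns.
//  - The thread exit code (the HMODULE) is truncated to a DWORD on 64-bit
//    and is therefore not used to judge success here.
//  - GetProcessIdByName() is defined elsewhere; assumed to return 0 when
//    no matching process exists — confirm against its definition.
//  - This exact call sequence is the textbook remote-thread injection
//    pattern and is widely detected by endpoint security products.
void InpouringDll()//注入
{
    const WCHAR *DllName = _T("C:\\Users\\yjip\\Documents\\Visual Studio 2008\\Projects\\tetst\\Debug\\TestDLL.dll");
    DWORD ProcessID = 0;
    HANDLE ht = NULL;
    HANDLE hThread = NULL;
    HMODULE hKernel32 = NULL;
    FARPROC pFunAddr = NULL;
    PVOID pDLLAdd = NULL;
    SIZE_T DNLeng = 0;
    SIZE_T dwWriteNum = 0;
    DWORD DWID = 0;

    ProcessID = GetProcessIdByName(L"notepad.exe");
    if (ProcessID == 0)
    {
        return;
    }

    DebugPrivilege();

    // Exactly the rights documented for CreateRemoteThread() plus
    // VirtualAllocEx()/WriteProcessMemory(); nothing more.
    ht = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                     PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                     FALSE, ProcessID);
    if (ht == NULL)
    {
        return;
    }

    // Path bytes including the terminating NUL.
    DNLeng = (wcslen(DllName) + 1) * sizeof(WCHAR);

    // Reserve+commit a readable/writable page in the target for the path.
    pDLLAdd = VirtualAllocEx(ht, NULL, DNLeng, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pDLLAdd == NULL)
    {
        goto cleanup;
    }

    if (!WriteProcessMemory(ht, pDLLAdd, DllName, DNLeng, &dwWriteNum)
        || dwWriteNum != DNLeng)
    {
        goto cleanup;
    }

    hKernel32 = GetModuleHandle(_T("kernel32.dll"));
    if (hKernel32 == NULL)
    {
        goto cleanup;
    }
    pFunAddr = GetProcAddress(hKernel32, "LoadLibraryW");
    if (pFunAddr == NULL)
    {
        goto cleanup;
    }

    // LoadLibraryW(LPCWSTR) is used directly as the thread start routine;
    // the remote path buffer is its one argument.
    hThread = CreateRemoteThread(ht, NULL, 0, (LPTHREAD_START_ROUTINE)pFunAddr, pDLLAdd, 0, &DWID);
    if (hThread == NULL)
    {
        goto cleanup;
    }

    // The path buffer must stay mapped until LoadLibraryW has returned.
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);

cleanup:
    if (pDLLAdd != NULL)
    {
        VirtualFreeEx(ht, pDLLAdd, 0, MEM_RELEASE);
    }
    CloseHandle(ht);
}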
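// Unload TestDLL.dll from notepad.exe: find the module in the target's
// module list, then run kernel32!FreeLibrary in a remote thread with that
// HMODULE as its argument.
//
// Fixes over the original:
//  - the DLL was looked up by exact, case-sensitive path; Windows paths
//    are case-insensitive and the loader may report different casing, so
//    _wcsicmp() is used;
//  - if the DLL was NOT found, the original still called FreeLibrary on
//    whatever me32.hModule held after the loop (the last enumerated module,
//    or NULL), which can unload an unrelated DLL and crash the target.
//    Now the function returns unless the module was actually found;
//  - CreateToolhelp32Snapshot(), Module32First(), GetModuleHandle(),
//    GetProcAddress() and CreateRemoteThread() results are checked;
//  - DebugPrivilege() is called once instead of twice, the stray
//    GetLastError() into the thread-id variable is gone, and the target is
//    opened with only the rights CreateRemoteThread() needs.
//
// Caveats a practitioner should keep in mind:
//  - FreeLibrary() decrements the reference count once; if the DLL was
//    injected more than once (or loaded by the process itself) it stays
//    mapped.
//  - A 32-bit caller cannot snapshot the modules of a 64-bit process
//    (ERROR_PARTIAL_COPY); the same bitness requirement as injection.
//  - The documentation for TH32CS_SNAPMODULE says the snapshot can fail
//    with ERROR_BAD_LENGTH and should be retried; no retry is done here.
//  - GetProcessIdByName() is defined elsewhere; assumed to return 0 when
//    no matching process exists — confirm against its definition.
void UninstallDll()
{
    const WCHAR *DllName = _T("C:\\Users\\yjip\\Documents\\Visual Studio 2008\\Projects\\tetst\\Debug\\TestDLL.dll");
    DWORD ProcessID = 0;
    HANDLE hsnap = INVALID_HANDLE_VALUE;
    HANDLE ht = NULL;
    HANDLE hThread = NULL;
    HMODULE hKernel32 = NULL;
    HMODULE hRemoteDll = NULL;
    FARPROC pFunAddr = NULL;
    MODULEENTRY32 me32;
    BOOL bRet = FALSE;
    BOOL found = FALSE;
    DWORD DWID = 0;

    ProcessID = GetProcessIdByName(L"notepad.exe");
    if (ProcessID == 0)
    {
        return;
    }

    DebugPrivilege();

    hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ProcessID);
    if (hsnap == INVALID_HANDLE_VALUE)
    {
        return;
    }

    ZeroMemory(&me32, sizeof(me32));
    me32.dwSize = sizeof(MODULEENTRY32);
    for (bRet = Module32First(hsnap, &me32); bRet; bRet = Module32Next(hsnap, &me32))
    {
        // Case-insensitive: the loader's recorded path need not match the
        // casing of our literal.
        if (_wcsicmp(me32.szExePath, DllName) == 0)
        {
            hRemoteDll = me32.hModule;
            found = TRUE;
            break;
        }
    }
    CloseHandle(hsnap);

    // Never call FreeLibrary on a guessed handle.
    if (!found)
    {
        return;
    }

    ht = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                     PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                     FALSE, ProcessID);
    if (ht == NULL)
    {
        return;
    }

    // Same same-base assumption as injection: the local FreeLibrary address
    // is reused inside the target.
    hKernel32 = GetModuleHandle(_T("kernel32.dll"));
    if (hKernel32 != NULL)
    {
        pFunAddr = GetProcAddress(hKernel32, "FreeLibrary");
    }

    if (pFunAddr != NULL)
    {
        // FreeLibrary(HMODULE) is used directly as the thread start routine
        // with the module handle as its argument.
        hThread = CreateRemoteThread(ht, NULL, 0, (LPTHREAD_START_ROUTINE)pFunAddr, hRemoteDll, 0, &DWID);
        if (hThread != NULL)
        {
            WaitForSingleObject(hThread, INFINITE);
            CloseHandle(hThread);
        }
    }

    CloseHandle(ht);
}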
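// Enable SeDebugPrivilege in the current process token.
//
// Purpose: OpenProcess() on processes owned by other users (or with a
// restrictive DACL) needs this privilege enabled; the injector / unloader
// call this first.
//
// Fixes over the original:
//  - the token is opened with TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, the
//    minimum AdjustTokenPrivileges() needs, instead of TOKEN_ALL_ACCESS;
//  - LookupPrivilegeValue() is checked; on failure the LUID would be
//    uninitialised and must not be fed to AdjustTokenPrivileges();
//  - TOKEN_PRIVILEGES is zero-initialised.
//
// Caveat (reviewer): a privilege can only be *enabled* if it is already
// present in the token, i.e. the caller runs as an administrator with an
// elevated token. If it is absent, AdjustTokenPrivileges() still returns
// TRUE and only GetLastError() == ERROR_NOT_ALL_ASSIGNED reveals it. The
// void signature is kept for compatibility, so callers only notice
// indirectly when a later OpenProcess() fails with ERROR_ACCESS_DENIED.
void DebugPrivilege()
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tp;

    // Least privilege: only what is needed to adjust our own token.
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return;
    }

    ZeroMemory(&tp, sizeof(tp));
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // Resolve the LUID that names SeDebugPrivilege on this machine.
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
    {
        AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
        // NOTE(review): TRUE here does not mean the privilege is held; a
        // caller that needs certainty should test
        // GetLastError() == ERROR_NOT_ALL_ASSIGNED right after this call.
    }

    CloseHandle(hToken);
}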
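// Inject TestDLL.dll into notepad.exe with the classic
// CreateRemoteThread + LoadLibraryW technique:
//   1. copy the DLL path into the target's address space,
//   2. start a remote thread whose start address is kernel32!LoadLibraryW
//      and whose single argument is that path buffer.
//
// Fixes over the original:
//  - every Win32 call that can fail is checked; on failure the function
//    cleans up and returns instead of carrying on with NULL handles;
//  - the remote path buffer is released with VirtualFreeEx() (it leaked);
//  - the bytes-written out-parameter is SIZE_T as the API requires; a
//    DWORD there is an out-of-bounds write on 64-bit builds;
//  - the process is opened with only the rights CreateRemoteThread(),
//    VirtualAllocEx() and WriteProcessMemory() need, not PROCESS_ALL_ACCESS;
//  - the buffer length uses sizeof(WCHAR) instead of a hard-coded 2.
//
// Caveats a practitioner should keep in mind:
//  - The local address of LoadLibraryW is reused in the target. That is
//    only valid when kernel32.dll is mapped at the same base in both
//    processes, which in practice requires injector and target to have
//    the same bitness (32<->64 injection fails or crashes the target).
//  - The DLL path is hard-coded and absolute. Whoever can write to that
//    directory gets code execution inside the target, so the file must
//    live where lower-privileged users cannot replace it.
//  - WaitForSingleObject(INFINITE) blocks forever if the injected DLL's
//    DllMain never returns.
//  - The thread exit code (the HMODULE) is truncated to a DWORD on 64-bit
//    and is therefore not used to judge success here.
//  - GetProcessIdByName() is defined elsewhere; assumed to return 0 when
//    no matching process exists — confirm against its definition.
//  - This exact call sequence is the textbook remote-thread injection
//    pattern and is widely detected by endpoint security products.
void InpouringDll()//注入
{
    const WCHAR *DllName = _T("C:\\Users\\yjip\\Documents\\Visual Studio 2008\\Projects\\tetst\\Debug\\TestDLL.dll");
    DWORD ProcessID = 0;
    HANDLE ht = NULL;
    HANDLE hThread = NULL;
    HMODULE hKernel32 = NULL;
    FARPROC pFunAddr = NULL;
    PVOID pDLLAdd = NULL;
    SIZE_T DNLeng = 0;
    SIZE_T dwWriteNum = 0;
    DWORD DWID = 0;

    ProcessID = GetProcessIdByName(L"notepad.exe");
    if (ProcessID == 0)
    {
        return;
    }

    DebugPrivilege();

    // Exactly the rights documented for CreateRemoteThread() plus
    // VirtualAllocEx()/WriteProcessMemory(); nothing more.
    ht = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                     PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                     FALSE, ProcessID);
    if (ht == NULL)
    {
        return;
    }

    // Path bytes including the terminating NUL.
    DNLeng = (wcslen(DllName) + 1) * sizeof(WCHAR);

    // Reserve+commit a readable/writable page in the target for the path.
    pDLLAdd = VirtualAllocEx(ht, NULL, DNLeng, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pDLLAdd == NULL)
    {
        goto cleanup;
    }

    if (!WriteProcessMemory(ht, pDLLAdd, DllName, DNLeng, &dwWriteNum)
        || dwWriteNum != DNLeng)
    {
        goto cleanup;
    }

    hKernel32 = GetModuleHandle(_T("kernel32.dll"));
    if (hKernel32 == NULL)
    {
        goto cleanup;
    }
    pFunAddr = GetProcAddress(hKernel32, "LoadLibraryW");
    if (pFunAddr == NULL)
    {
        goto cleanup;
    }

    // LoadLibraryW(LPCWSTR) is used directly as the thread start routine;
    // the remote path buffer is its one argument.
    hThread = CreateRemoteThread(ht, NULL, 0, (LPTHREAD_START_ROUTINE)pFunAddr, pDLLAdd, 0, &DWID);
    if (hThread == NULL)
    {
        goto cleanup;
    }

    // The path buffer must stay mapped until LoadLibraryW has returned.
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);

cleanup:
    if (pDLLAdd != NULL)
    {
        VirtualFreeEx(ht, pDLLAdd, 0, MEM_RELEASE);
    }
    CloseHandle(ht);
}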
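// Unload TestDLL.dll from notepad.exe: find the module in the target's
// module list, then run kernel32!FreeLibrary in a remote thread with that
// HMODULE as its argument.
//
// Fixes over the original:
//  - the DLL was looked up by exact, case-sensitive path; Windows paths
//    are case-insensitive and the loader may report different casing, so
//    _wcsicmp() is used;
//  - if the DLL was NOT found, the original still called FreeLibrary on
//    whatever me32.hModule held after the loop (the last enumerated module,
//    or NULL), which can unload an unrelated DLL and crash the target.
//    Now the function returns unless the module was actually found;
//  - CreateToolhelp32Snapshot(), Module32First(), GetModuleHandle(),
//    GetProcAddress() and CreateRemoteThread() results are checked;
//  - DebugPrivilege() is called once instead of twice, the stray
//    GetLastError() into the thread-id variable is gone, and the target is
//    opened with only the rights CreateRemoteThread() needs.
//
// Caveats a practitioner should keep in mind:
//  - FreeLibrary() decrements the reference count once; if the DLL was
//    injected more than once (or loaded by the process itself) it stays
//    mapped.
//  - A 32-bit caller cannot snapshot the modules of a 64-bit process
//    (ERROR_PARTIAL_COPY); the same bitness requirement as injection.
//  - The documentation for TH32CS_SNAPMODULE says the snapshot can fail
//    with ERROR_BAD_LENGTH and should be retried; no retry is done here.
//  - GetProcessIdByName() is defined elsewhere; assumed to return 0 when
//    no matching process exists — confirm against its definition.
void UninstallDll()
{
    const WCHAR *DllName = _T("C:\\Users\\yjip\\Documents\\Visual Studio 2008\\Projects\\tetst\\Debug\\TestDLL.dll");
    DWORD ProcessID = 0;
    HANDLE hsnap = INVALID_HANDLE_VALUE;
    HANDLE ht = NULL;
    HANDLE hThread = NULL;
    HMODULE hKernel32 = NULL;
    HMODULE hRemoteDll = NULL;
    FARPROC pFunAddr = NULL;
    MODULEENTRY32 me32;
    BOOL bRet = FALSE;
    BOOL found = FALSE;
    DWORD DWID = 0;

    ProcessID = GetProcessIdByName(L"notepad.exe");
    if (ProcessID == 0)
    {
        return;
    }

    DebugPrivilege();

    hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ProcessID);
    if (hsnap == INVALID_HANDLE_VALUE)
    {
        return;
    }

    ZeroMemory(&me32, sizeof(me32));
    me32.dwSize = sizeof(MODULEENTRY32);
    for (bRet = Module32First(hsnap, &me32); bRet; bRet = Module32Next(hsnap, &me32))
    {
        // Case-insensitive: the loader's recorded path need not match the
        // casing of our literal.
        if (_wcsicmp(me32.szExePath, DllName) == 0)
        {
            hRemoteDll = me32.hModule;
            found = TRUE;
            break;
        }
    }
    CloseHandle(hsnap);

    // Never call FreeLibrary on a guessed handle.
    if (!found)
    {
        return;
    }

    ht = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                     PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                     FALSE, ProcessID);
    if (ht == NULL)
    {
        return;
    }

    // Same same-base assumption as injection: the local FreeLibrary address
    // is reused inside the target.
    hKernel32 = GetModuleHandle(_T("kernel32.dll"));
    if (hKernel32 != NULL)
    {
        pFunAddr = GetProcAddress(hKernel32, "FreeLibrary");
    }

    if (pFunAddr != NULL)
    {
        // FreeLibrary(HMODULE) is used directly as the thread start routine
        // with the module handle as its argument.
        hThread = CreateRemoteThread(ht, NULL, 0, (LPTHREAD_START_ROUTINE)pFunAddr, hRemoteDll, 0, &DWID);
        if (hThread != NULL)
        {
            WaitForSingleObject(hThread, INFINITE);
            CloseHandle(hThread);
        }
    }

    CloseHandle(ht);
}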