在Windows2000/XP下向进程插入自己的线程的演示
在Windows2000/XP下向进程插入自己的线程的演示
编写 ImageWalk.Dll（作用是：当它被加载时，通过 VirtualQuery 获取加载它的进程所加载的 Dll 信息）。使用 VC6 生成一个 Win32 Dynamic-Link Library 工程，编写 DllMain 函数，内容如下:
/*
 * DllMain for ImageWalk.dll.
 *
 * On DLL_PROCESS_ATTACH it walks the host process's address space with
 * VirtualQuery and appends one line per allocation base that resolves to a
 * module path into a local buffer, skipping this DLL and the host
 * executable. The other three reasons are no-ops.
 *
 * NOTE(review): in this listing szBuffer is filled and then simply goes out
 * of scope; nothing writes it anywhere. The injector on this page polls for
 * a file "d:/image.txt", so the step that writes the report is presumably
 * missing from the excerpt -- confirm against the original.
 *
 * NOTE(review): all of this work runs inside DllMain, i.e. under the loader
 * lock. The Win32 calls used here are commonly tolerated there, but the
 * pattern is fragile and is the kind of DllMain activity a reviewer would
 * ask to move out of the attach handler.
 */
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
MEMORY_BASIC_INFORMATION mbi;            /* not initialised; see note at the VirtualQuery call */
PBYTE ptr = NULL;                        /* query cursor, starts at address 0 */
DWORD dwBytesReturn = sizeof(MEMORY_BASIC_INFORMATION);
char szBuffer[256*100] = "";             /* accumulated report, 25600 bytes on the stack */
char szModuFile[240] = "";               /* module path for the region being examined */
char szThis[256] = "";                   /* full path of this DLL */
char szProcess[256] = "";                /* full path of the host executable */
char szTmpBuffer[256] = "";              /* one formatted report line */
GetModuleFileName((HINSTANCE)hModule, szThis, 256);
GetModuleFileName(GetModuleHandle(NULL), szProcess,256);
/* Keep querying while VirtualQuery returns a full structure; it returns 0
 * once the cursor has moved past the last queryable address. */
while( dwBytesReturn == sizeof(MEMORY_BASIC_INFORMATION) )
{
/* NOTE(review): if this call fails (returns 0) the loop still uses mbi
 * for the rest of this iteration -- stale on later passes, uninitialised
 * on the first. A check of dwBytesReturn right here would be safer. */
dwBytesReturn = VirtualQuery( ptr,&mbi,sizeof(MEMORY_BASIC_INFORMATION) );
if( mbi.Type == MEM_FREE )
{
/* Free regions carry no allocation base; substitute the region start so
 * the equality test below compares defined values. */
mbi.AllocationBase = mbi.BaseAddress;
}
/* Treat the allocation base as a module handle. For regions that are not
 * a mapped image this fails; the buffer contents after a failure are not
 * guaranteed, so szModuFile may hold the previous module's path. */
GetModuleFileName( (HINSTANCE)mbi.AllocationBase, szModuFile,240 );
/* NOTE(review): "/t" and "/r/n" are emitted literally as written; they
 * look like extraction damage of "\t" and "\r\n". Also "%x" is given a
 * pointer, which only lines up on a 32-bit build. */
sprintf(szTmpBuffer,"/t[ Module: 0x%x - %s ] /r/n",mbi.AllocationBase,szModuFile);
/* Record only the first region of each allocation (base == region start),
 * never the NULL base, and neither this DLL nor the host exe.
 * NOTE(review): strcat is unbounded -- each line can be up to 255 bytes,
 * so more than ~100 recorded modules overruns szBuffer. */
if(mbi.AllocationBase == mbi.BaseAddress &&
mbi.AllocationBase != NULL &&
strcmp(szThis,szModuFile) !=0 &&
strcmp(szProcess,szModuFile) != 0 )strcat(szBuffer , szTmpBuffer);
ptr += mbi.RegionSize;                   /* advance to the next region */
}
}
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
编译生成ImageWalk.dll
这个函数用来列举系统的进程(为了简化,生成一个字符串)
/*
 * EnumProcess: take a Toolhelp snapshot and write one descriptive line per
 * process (exe file name, PID in hex and decimal, thread count, usage count)
 * into the caller's buffer.
 *
 * szBuffer: caller-supplied output buffer. No size is passed; the function
 *           assumes it is large enough. The staging array szAllProcessInfo
 *           is 512*256 = 131072 bytes on the stack.
 *
 * NOTE(review): defects visible in this listing --
 *  - hSnapshot is not checked against INVALID_HANDLE_VALUE and the return
 *    value of Process32First is ignored;
 *  - every handle returned by OpenProcess is leaked (hCurrentProcess is
 *    never closed, and OpenProcess is not needed for the output at all);
 *  - PROCESS_VM_READ appears twice in the access mask;
 *  - szExeName is filled but never used; the first GetModuleFileName is
 *    given a NULL module (which names the calling exe, not the target) and
 *    the second is given a process handle cast to HINSTANCE, which is not a
 *    module handle in this process;
 *  - sprintf and strcat are unbounded.
 */
void EnumProcess(char * szBuffer)//caller-provided string buffer; for simplicity it is assumed to be large enough
{
char szCurrentProcessInfo[512] = "" ;    /* one formatted line */
char szExeName[256] = "" ;               /* filled below but never reported */
char szAllProcessInfo[512*256] = "" ;    /* accumulated report */
HANDLE hCurrentProcess = NULL ;
HMODULE hCurrentModule = NULL ;          /* stays NULL; see note above */
HANDLE hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPALL , 0 );
PROCESSENTRY32 ppe;
ppe.dwSize = sizeof(ppe);                /* required before Process32First */
Process32First(hSnapshot,&ppe);
hCurrentProcess = OpenProcess( PROCESS_QUERY_INFORMATION|PROCESS_VM_READ|PROCESS_VM_READ|PROCESS_VM_OPERATION , FALSE, ppe.th32ProcessID);
GetModuleFileName( hCurrentModule , szExeName , 256 );
/* NOTE(review): "/r/n" is emitted literally; presumably "\r\n" originally. */
sprintf(szCurrentProcessInfo,"[ExeFileName:%s; Process ID:0x%x(%d); Thread Count:%d; Usage:%d]/r/n",
ppe.szExeFile, ppe.th32ProcessID ,ppe.th32ProcessID , ppe.cntThreads, ppe.cntUsage);
strcat(szAllProcessInfo,szCurrentProcessInfo);
/* Same sequence for every remaining entry in the snapshot. */
while( Process32Next(hSnapshot , &ppe) )
{
hCurrentProcess = OpenProcess( PROCESS_QUERY_INFORMATION|PROCESS_VM_READ|PROCESS_VM_READ|PROCESS_VM_OPERATION, FALSE, ppe.th32ProcessID);
GetModuleFileName( (HINSTANCE)hCurrentProcess , szExeName , 256 );
sprintf(szCurrentProcessInfo,"[ExeFileName:%s; Process ID:0x%x(%d); Thread Count:%d; Usage:%d]/r/n",
ppe.szExeFile , ppe.th32ProcessID ,ppe.th32ProcessID, ppe.cntThreads, ppe.cntUsage );
strcat(szAllProcessInfo,szCurrentProcessInfo);
}
CloseHandle(hSnapshot);
hSnapshot = NULL;
strcpy(szBuffer,szAllProcessInfo);       /* unbounded copy into the caller's buffer */
}
/*
 * InjectDll: load ImageWalk.dll into the process identified by m_ProcessID
 * (a PID obtained from EnumProcess above), read the report it is expected to
 * leave in d:/image.txt, then unload it again. For simplicity the DLL is
 * assumed to live at D:/ImageWalk.dll.
 *
 * m_ProcessID: target process id.
 * szBuffer:    caller-supplied output buffer receiving the module list of
 *              the target (ImageWalk.dll itself is excluded by the DLL);
 *              assumed large enough, no size is passed.
 *
 * The sequence OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
 * CreateRemoteThread(LoadLibraryA) is the textbook remote-thread DLL load;
 * cross-process thread creation of this kind is exactly what host-based
 * telemetry (e.g. Sysmon's CreateRemoteThread event) is built to surface,
 * so expect it to be logged on a monitored host.
 *
 * NOTE(review): defects visible in this listing --
 *  - hProcess is used by VirtualAllocEx and WriteProcessMemory before the
 *    NULL check at the if below; the check should precede both;
 *  - `szTmp[bytesread] = '';` is not valid C (empty character constant);
 *    presumably '\0' was lost in extraction;
 *  - the fopen loop spins forever if the DLL never creates d:/image.txt
 *    (and the DllMain shown on this page does not write it), and the file is
 *    never removed, so a later run can read a stale report;
 *  - hDll is uninitialised and is passed to the FreeLibrary thread even if
 *    GetExitCodeThread fails; the exit code is a DWORD, so the handle
 *    round-trip only works on a 32-bit build;
 *  - return values of WriteProcessMemory, CreateRemoteThread and
 *    VirtualFreeEx are not checked.
 */
void InjectDll(DWORD m_ProcessID, char * szBuffer)//the Process ID can be obtained from EnumProcess above
{//szBuffer receives the DLL information of the injected process (ImageWalk.dll will not appear); for simplicity it is assumed to be large enough
char szTmp[256] = "";                    /* 255-byte read chunk plus terminator */
size_t bytesread = 0;
HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,m_ProcessID);//open the process and obtain a handle
PSTR pszLibName = (PSTR)VirtualAllocEx(hProcess,NULL,64,MEM_COMMIT,PAGE_READWRITE);
//the thread we start in the remote process needs its argument inside that
//process's address space, so allocate remote memory with VirtualAllocEx
WriteProcessMemory(hProcess,pszLibName,(PVOID)"D:/ImageWalk.dll",17,NULL);
//write the argument into the space just allocated: 16 characters plus the terminator = 17 bytes
PTHREAD_START_ROUTINE pfnLoadLib = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
//look up the address of LoadLibraryA in memory; reusing it in the target
//relies on kernel32.dll being mapped at the same base in both processes
if(pfnLoadLib && hProcess)
{
HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,pfnLoadLib,pszLibName,0,NULL);
//start a thread that makes the remote process execute LoadLibraryA("D:/ImageWalk.dll")
//note: pfnLoadLib must not be replaced with LoadLibraryA itself (that name may
//resolve to an import thunk in this image rather than the kernel32 export)
WaitForSingleObject(hThread,INFINITE);
//wait for the thread to finish
HANDLE hDll;                             /* NOTE(review): uninitialised if the next call fails */
GetExitCodeThread(hThread, (DWORD*)&hDll);//fetch the hModule returned by LoadLibraryA("d:/imagewalk.dll")
CloseHandle(hThread);
pfnLoadLib = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32.dll"),"FreeLibrary");
FILE * fp;
/* Poll until the report file exists. NOTE(review): no timeout. */
while( (fp = fopen("d:/image.txt","rt") ) == NULL)
{
Sleep(50);
}//wait for ImageWalk.dll to write its information into the exchange file
/* Append the file to szBuffer in 255-byte chunks; the terminator written
 * after each fread is what keeps strcat bounded per chunk. */
while( !feof(fp) )
{
bytesread=fread(szTmp,1,255,fp);
szTmp[bytesread] = '';
strcat(szBuffer,szTmp);
}
fclose(fp);
if(pfnLoadLib)
{//unload ImageWalk by running FreeLibrary(hDll) in the remote process
hThread = CreateRemoteThread(hProcess,NULL,0,pfnLoadLib,hDll,0,NULL);
WaitForSingleObject(hThread,INFINITE);
CloseHandle(hThread);
}
}
VirtualFreeEx(hProcess,pszLibName,0,MEM_RELEASE);//release the remote memory allocated above
CloseHandle(hProcess);
}