C++笔记-远程线程注入
目錄
?
?
基本概念
代碼與實(shí)例
?
基本概念
Kernel32.dll和user32.dll在大部分程序上都會(huì)調(diào)用dll,同一個(gè)dll在不同的進(jìn)程中,不一定被映射(加載)在同一個(gè)內(nèi)存地址。
但Kernel32.dll和user32.dll例外。他們都是被映射到進(jìn)程的內(nèi)存首選地址,因此,在所有使用這兩個(gè)dll進(jìn)程中,這兩個(gè)dll的內(nèi)存地址是相同的。在本進(jìn)程獲取的Kernel32.dll中函數(shù)地址,在目標(biāo)進(jìn)程中也是一樣的。
邏輯:目標(biāo)進(jìn)程->傳入dll地址>開啟遠(yuǎn)程線程->加載dll->實(shí)現(xiàn)dll的注入
依次使用函數(shù):
OpenProcess? ? ?獲取進(jìn)程句柄
VirtualAllocEx? ? ?在進(jìn)程中申請空間
WriteProcessMemory? ? ?在進(jìn)程中寫入東西
GetProcAddress? ? ?獲取函數(shù)dll中的地址
CreateRemoteThreadEx? ?在其他進(jìn)程中創(chuàng)建新線程
Close Handle? ? 關(guān)閉句柄
?
?
代碼與實(shí)例
路徑如下:
64位編譯:
界面運(yùn)行:
點(diǎn)擊Inject:
?已經(jīng)注入到計(jì)算器里面了!
dll關(guān)鍵代碼如下:
// dllmain.cpp : 定義 DLL 應(yīng)用程序的入口點(diǎn)。 #include "stdafx.h"BOOL APIENTRY DllMain( HMODULE hModule,DWORD ul_reason_for_call,LPVOID lpReserved) {switch (ul_reason_for_call){case DLL_PROCESS_ATTACH:MessageBox(NULL, L"報(bào)告首長", L"我已成功打入敵人內(nèi)部", NULL);break;case DLL_THREAD_ATTACH:case DLL_THREAD_DETACH:case DLL_PROCESS_DETACH:break;}return TRUE; }注入器相關(guān)代碼:
void CcallDllDlg::OnBnClickedOpen() {CFileDialog filedialog(TRUE, 0, 0, NULL, _T("DLL Files|*.dll|"));if(filedialog.DoModal() == IDOK){CString Dllpath;Dllpath = filedialog.GetPathName();SetDlgItemText(IDC_DLLPATH, Dllpath);} }DWORD ProcessFind(LPCTSTR Exename){HANDLE hProcess = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);if(!hProcess){return FALSE;}PROCESSENTRY32 info;info.dwSize = sizeof(PROCESSENTRY32);if(!Process32First(hProcess, &info)){return FALSE;}while(true){if(_tcscmp(info.szExeFile, Exename) == 0){return info.th32ProcessID;}if(!Process32Next(hProcess, &info)){return FALSE;}}return FALSE; }BOOL Inject(LPCTSTR DLLPath, DWORD ProcessID){HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, TRUE, ProcessID);if(!hProcess){return FALSE;}SIZE_T PathSize = (_tcslen(DLLPath) + 1) * sizeof(TCHAR);LPVOID StartAddress = VirtualAllocEx(hProcess, NULL, PathSize, MEM_COMMIT, PAGE_READWRITE);if(!StartAddress){return FALSE;}if(!WriteProcessMemory(hProcess, StartAddress, DLLPath, PathSize, NULL)){return FALSE;}PTHREAD_START_ROUTINE pfnStartAddress = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("kernel32.dll")), "LoadLibraryW");if(!pfnStartAddress){return FALSE;}HANDLE hThread = CreateRemoteThreadEx(hProcess, NULL, NULL, pfnStartAddress, StartAddress, NULL, NULL, NULL);//Xp 中沒有這個(gè)函數(shù)//CreateRemoteThreadif(!hThread){return FALSE;}WaitForSingleObject(hThread, INFINITE);CloseHandle(hThread);CloseHandle(hProcess);return TRUE; }void CcallDllDlg::OnBnClickedInject() {CString Dllpath;CString Exename;GetDlgItemText(IDC_EXENAME, Exename);GetDlgItemText(IDC_DLLPATH, Dllpath);if(Exename.GetLength() == 0){MessageBox(_T("Please input exe name!"));return;}DWORD ProcessID = ProcessFind(Exename);if(!ProcessID){MessageBox(_T("Cant't find the process!"));return;}BOOL IsInjected = Inject(Dllpath, ProcessID);if(IsInjected){MessageBox(_T("Inject Success!"));}else{MessageBox(_T("Inject Failed!"));} }源碼下載地址:
https://github.com/fengfanchen/CAndCPP/tree/master/InjectDllDemo/DllTest
總結(jié)
以上是生活随笔為你收集整理的C++笔记-远程线程注入的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: SQL笔记-用户表中增加salt属性与真
- 下一篇: C++|Qt笔记-关于extern和na