

最近在研究动态库远程注入技术,将相关的源码分享下
1. 一般只能将32位动态库注入32位程序中，将64位动态库注入相应的64位程序中。

#include
#include “windows.h” //包含窗体的头文件
#include “tlhelp32.h”

//提升权限
// Enables SE_DEBUG_NAME (SeDebugPrivilege) on the current process token.
// The routines below call OpenProcess(PROCESS_ALL_ACCESS, ...); without this
// privilege that call fails for processes the caller does not already own.
// Returns 1 on success, -1 if OpenProcessToken, LookupPrivilegeValue or
// AdjustTokenPrivileges fails.
// NOTE(review): hToken is closed on every failure path but not on the success
// path, so a successful call leaks the token handle.
// NOTE(review): AdjustTokenPrivileges can return TRUE without actually granting
// the privilege (GetLastError() == ERROR_NOT_ALL_ASSIGNED when the caller does
// not hold it); that outcome is not distinguished here. Enabling
// SeDebugPrivilege is also a commonly audited privilege-use event.
int enableDebugPriv()
{
HANDLE hToken;
LUID sedebugnameValue;
TOKEN_PRIVILEGES tkp;

// Open our own token with the rights needed to read and change privileges.
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
	return -1;
}
// Resolve the LUID of SeDebugPrivilege on the local system (NULL system name).
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
{
	CloseHandle(hToken);
	return -1;
}
// Request exactly one privilege, in the enabled state.
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = sedebugnameValue;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
// DisableAllPrivileges == FALSE: apply tkp; no previous-state buffer requested.
if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL))
{
	CloseHandle(hToken);
	return -1;
}
return 1;

}

//加载动态库
// Loads the DLL at lpszLibName into process dwProcessId: the path is copied into
// the target's address space and LoadLibraryW is started there as a new thread
// with that path as its argument. Returns TRUE once the remote thread has been
// created and has finished; FALSE if any step before that fails.
// NOTE(review): TRUE only means the remote thread ran to completion. The thread's
// exit code (LoadLibraryW's return value) is never read, so a LoadLibraryW that
// fails inside the target still yields TRUE; WaitForSingleObject's own result is
// not checked either.
// NOTE(review): Retn is overwritten with GetLastError() after every call,
// successful ones included, and is never returned or logged — a debugger aid only.
// The OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread
// sequence is the textbook remote-thread DLL load and is exactly what
// process-injection telemetry (remote thread-creation events) is built to surface.
BOOL LoadRemoteDll(DWORD dwProcessId, LPTSTR lpszLibName)
{
int Retn = 0;
BOOL bResult = FALSE;
HANDLE hProcess = NULL;
HANDLE hThread = NULL;
PSTR pszLibFileRemote = NULL;
DWORD cch;
PTHREAD_START_ROUTINE pfnThreadRrn;
__try
{
// Handle to the target process. PROCESS_ALL_ACCESS is more than the
// VirtualAllocEx / WriteProcessMemory / CreateRemoteThread calls below require.
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
Retn = GetLastError();
if (NULL == hProcess)
__leave;
// Byte count of the path including its terminator. The factor 2 assumes a
// 2-byte character, i.e. that this file is built with UNICODE so LPTSTR is
// wchar_t* (main() passes a wchar_t* and the remote thread runs LoadLibraryW);
// in an ANSI build this would read past the end of lpszLibName.
cch = 2 * (1 + lstrlen(lpszLibName));
// Commit cch bytes of read/write memory in the target for the path.
pszLibFileRemote = (PSTR)VirtualAllocEx(hProcess, NULL, cch, MEM_COMMIT, PAGE_READWRITE);
Retn = GetLastError();
if (pszLibFileRemote == NULL)
__leave;
// Copy the path into the target's address space.
// NOTE(review): GetLastError() is read only after the __leave check here, so the
// failure reason of WriteProcessMemory is never captured.
if (!WriteProcessMemory(hProcess, (PVOID)pszLibFileRemote, (PVOID)lpszLibName, cch, NULL))
__leave;
Retn = GetLastError();
// Address of LoadLibraryW in this process's kernel32, used as the remote thread's
// start routine; this only works if kernel32 sits at the same address in the
// target — presumably why the post restricts injection to same-bitness processes.
// (The original comment said LoadLibraryA; the code resolves LoadLibraryW.)
// NOTE(review): the quotation marks on the next line are typographic (“ ”) as
// pasted and will not compile until replaced with ASCII double quotes.
pfnThreadRrn = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT(“Kernel32”)), “LoadLibraryW”);
Retn = GetLastError();
if (pfnThreadRrn == NULL)
__leave;

    // Start LoadLibraryW in the target with the remote path buffer as its argument.
    hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRrn, (PVOID)pszLibFileRemote, 0, NULL);
    Retn = GetLastError();
    if (hThread == NULL)
        __leave;
    // Block until the remote thread exits. INFINITE: if the load hangs inside the
    // target (for instance in the DLL's entry point), this caller hangs with it.
    WaitForSingleObject(hThread, INFINITE);
    bResult = TRUE;
}
__finally
{
    // Release the remote buffer and both handles whichever way the __try exited.
    if (pszLibFileRemote != NULL)
        VirtualFreeEx(hProcess, (PVOID)pszLibFileRemote, 0, MEM_RELEASE);
    Retn = GetLastError();
    if (hThread != NULL)
        CloseHandle(hThread);
    Retn = GetLastError();
    if (hProcess != NULL)
        CloseHandle(hProcess);
    Retn = GetLastError();
}
return bResult;

}

//卸载动态库
// Unloads the DLL at lpPathDllName from process dwProcessId: walks the target's
// module list to find the module whose path matches, then runs FreeLibrary in
// the target as a new thread with that module's base address as the argument.
// Returns TRUE once the remote thread has finished; FALSE if the module is not
// found or any step fails. As in LoadRemoteDll, the thread's exit code
// (FreeLibrary's result) is never read and Retn is a debugger aid only.
// NOTE(review): hSnapshot is compared against INVALID_HANDLE_VALUE on failure but
// against NULL in __finally, so a failed CreateToolhelp32Snapshot ends in
// CloseHandle(INVALID_HANDLE_VALUE).
// NOTE(review): the module match passes wcslen() (a count of wide characters) as
// memcmp()'s byte count, so only the first half of lpPathDllName is compared; the
// comparison is also a case-sensitive prefix match, whereas Windows paths are
// case-insensitive.
BOOL UnLoadRemoteDll(DWORD dwProcessId ,LPTSTR lpPathDllName)
{
int Retn = 0;
BOOL bResult = FALSE;
HANDLE hProcess = NULL;
HANDLE hThread = NULL;
HANDLE hSnapshot = NULL;
__try
{
// Snapshot the target's loaded modules to locate the DLL's base address.
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
if (INVALID_HANDLE_VALUE == hSnapshot)
__leave;
BOOL IsFind = FALSE;
MODULEENTRY32 me = { 0 };
// dwSize must be set before each Module32First / Module32Next call.
me.dwSize = sizeof(MODULEENTRY32);
BOOL bRet = Module32First(hSnapshot, &me);
while (bRet)
{
// Compare the requested path against the module's full path (see NOTE above).
if (0 == memcmp(lpPathDllName, me.szExePath,wcslen(lpPathDllName)))
{
IsFind = TRUE;
break;
}
ZeroMemory(&me, sizeof(me));
me.dwSize = sizeof(MODULEENTRY32);
bRet = Module32Next(hSnapshot, &me);
}
if (!IsFind)
__leave;

    // Address of FreeLibrary in this process's kernel32, used as the remote
    // thread's start routine (same same-address assumption as in LoadRemoteDll).

    typedef BOOL(*pfnFreeLibrary)(HMODULE);
    pfnFreeLibrary pfnThreadRrn = (pfnFreeLibrary)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "FreeLibrary");
    Retn = GetLastError();
    if (pfnThreadRrn == NULL)
        __leave;
    // Handle to the target process (PROCESS_ALL_ACCESS, as in LoadRemoteDll).
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
    Retn = GetLastError();
    if (NULL == hProcess)
        __leave;
    // me still holds the matching entry; its modBaseAddr is passed as the HMODULE.
    hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pfnThreadRrn, (PVOID)me.modBaseAddr, 0, NULL);
    Retn = GetLastError();
    if (hThread == NULL)
        __leave;
    // Block until the remote FreeLibrary call returns (INFINITE, no timeout).
    WaitForSingleObject(hThread, INFINITE);
    bResult = TRUE;
}
__finally
{
    if (hThread != NULL)
        CloseHandle(hThread);
    if (hProcess != NULL)
        CloseHandle(hProcess);
    // See NOTE above: after a failed snapshot hSnapshot is INVALID_HANDLE_VALUE here.
    if (hSnapshot != NULL)
        CloseHandle(hSnapshot);
}
return bResult;

}

//判定当前的程序是否64位程序
// Reports whether process dwProcessId is 64-bit, by asking whether it runs under
// WOW64 (a WOW64 process is a 32-bit process on 64-bit Windows). Returns true
// when the process is NOT WOW64.
// NOTE(review): every failure collapses to "64-bit": if OpenProcess fails the
// function __leaves with bWin32Process still FALSE and returns true, and the
// return value of IsWow64Process is never checked. On a 32-bit OS no process is
// WOW64, so every process would also be reported as 64-bit.
// NOTE(review): PROCESS_ALL_ACCESS is far more than this query needs;
// PROCESS_QUERY_LIMITED_INFORMATION is sufficient for IsWow64Process.
bool IsProcess64(DWORD dwProcessId)
{
HANDLE hProcess = NULL;
BOOL bWin32Process = FALSE;
__try
{
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
if (NULL == hProcess)
__leave;
// Sets bWin32Process to TRUE for a WOW64 (32-bit-on-64-bit) process.
IsWow64Process(hProcess,&bWin32Process);
}
__finally
{
if (hProcess != NULL)
CloseHandle(hProcess);
}
return !bWin32Process;
}

// Entry point: enables SeDebugPrivilege, picks the 32- or 64-bit build of
// InjectDll.dll according to the bitness of the hard-coded target PID 8904,
// loads it into that process and then immediately unloads it again.
// NOTE(review): enableDebugPriv returns 1 on success and -1 on failure, both
// non-zero, so `if (Retn)` never skips LoadRemoteDll when enabling the
// privilege failed.
// NOTE(review): the L"..." path literals contain unescaped backslashes: `\x64` is
// a hex escape, `\2...` starts an octal escape, and `\M`, `\C`, `\D`, `\I` are
// unrecognised escapes, so the strings do not hold the intended paths.
// NOTE(review): std::cout needs <iostream>; the first #include at the top of the
// file has no header name, presumably lost when the post was rendered.
int main()
{
int Retn = enableDebugPriv(); // enable SeDebugPrivilege for this process
wchar_t* injectDllPath = NULL;
if (IsProcess64(8904)) // target is 64-bit: use the x64 build of the DLL
injectDllPath = L"E:\Muma\20200309\ConsoleApplication1\x64\Debug\InjectDll.dll";
else
injectDllPath = L"E:\Muma\20200309\ConsoleApplication1\Debug\InjectDll.dll";
if (Retn)
LoadRemoteDll(8904, injectDllPath);
//injectDllPath = L"InjectDll.dll";
UnLoadRemoteDll(8904, injectDllPath);

std::cout << "Hello World!\n";

}

相应的源码
