CreateRemoteThread远程线程注入Dll与Hook

CreateRemoteThread虽然很容易被检测到,但是在有些场合还是挺有用的。每次想用的时候总想着去找以前的代码,现在在这里记录一下。

CreateRemoteThread远程注入

/* File-scope state consumed by Hook():
 *   dwOffect - RVA of the injected DLL's "HookFun" export, filled in by Hook()
 *   dwArgu   - argument handed to HookFun in the target; nothing in this
 *              listing assigns it, so it is 0 (static storage) unless another
 *              translation unit sets it.
 * CreateRemoteDll() declares parameters with the same two names that shadow
 * these globals inside its body. */
DWORD dwOffect;
DWORD dwArgu;

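/*
 * Inject the DLL at DllFullPath into process dwRemoteProcessId, then run the
 * routine at (remote module base + dwOffect) in a second remote thread with
 * dwArgu as its single argument.
 *
 * Sequence:
 *   1. enable SeDebugPrivilege on our own token so that OpenProcess can
 *      succeed on processes our account could not otherwise open;
 *   2. OpenProcess with exactly the rights VirtualAllocEx /
 *      WriteProcessMemory / CreateRemoteThread require;
 *   3. copy the ANSI path into the target and run LoadLibraryA on it there;
 *   4. read that thread's exit code (LoadLibraryA's return value, i.e. the
 *      module base), add dwOffect and start the result as a thread.
 *
 * Returns TRUE only if both remote threads were created and waited for;
 * FALSE on any failure. Every handle opened here and the remote path buffer
 * are released on every exit path (the original leaked the process handle
 * on GetProcAddress failure and never freed the remote buffer).
 *
 * Caveats a caller must know:
 *   - 32-bit only. The module base travels back through GetExitCodeThread,
 *     which is a DWORD, and is then cast to a thread start address; a 64-bit
 *     HMODULE would be truncated. Injector and target must also be the same
 *     bitness, because LoadLibraryA's address is looked up in *our* kernel32
 *     and reused in the target (valid only because kernel32 shares one base
 *     across same-bitness processes for a boot session).
 *   - The waits are INFINITE: a hook routine that never returns hangs us.
 *   - The routine at dwOffect is started as a thread entry, so it must have
 *     a DWORD WINAPI f(LPVOID) shape; nothing here verifies that.
 *   - AdjustTokenPrivileges succeeds even when the privilege is not held
 *     (GetLastError() == ERROR_NOT_ALL_ASSIGNED); OpenProcess is the real
 *     test, so the privilege step is best-effort by design.
 *   - The parameters dwOffect/dwArgu shadow the file-scope globals of the
 *     same names; only the parameters are used here.
 *   - LoadLibrary + CreateRemoteThread across processes is a well-known
 *     injection signature and is flagged by most EDR products.
 */
BOOL CreateRemoteDll(const char *DllFullPath, const DWORD dwRemoteProcessId, DWORD dwOffect, DWORD dwArgu)
{
    BOOL   ok               = FALSE;
    HANDLE hToken           = NULL;
    HANDLE hRemoteProcess   = NULL;
    HANDLE hLoadThread      = NULL;
    HANDLE hHookThread      = NULL;
    char  *pszLibFileRemote = NULL;
    DWORD  dwDllAddr        = 0;
    DWORD  cbPath;
    PTHREAD_START_ROUTINE pfnLoadLibraryA;

    if (DllFullPath == NULL || DllFullPath[0] == '\0')
        return FALSE;
    cbPath = (DWORD)strlen(DllFullPath) + 1;   /* copy the NUL terminator too */

    /* 1. SeDebugPrivilege (best-effort, see header comment). */
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        TOKEN_PRIVILEGES tkp;
        if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid)) {
            tkp.PrivilegeCount = 1;
            tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL);
        }
        CloseHandle(hToken);
    }

    /* 2. Minimal rights: thread creation, VM operation (alloc/free), VM write. */
    hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE,
                                 FALSE, dwRemoteProcessId);
    if (hRemoteProcess == NULL)
        goto out;

    /* 3. A RW (not executable) buffer for the path, then the path itself. */
    pszLibFileRemote = (char *)VirtualAllocEx(hRemoteProcess, NULL, cbPath, MEM_COMMIT, PAGE_READWRITE);
    if (pszLibFileRemote == NULL)
        goto out;
    if (!WriteProcessMemory(hRemoteProcess, pszLibFileRemote, DllFullPath, cbPath, NULL))
        goto out;

    /* LoadLibraryA takes one LPVOID-sized argument and returns the HMODULE in
     * EAX, which is exactly the thread-start contract we need. ANSI variant
     * because the buffer we copied is a char string. */
    pfnLoadLibraryA = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
    if (pfnLoadLibraryA == NULL)
        goto out;

    hLoadThread = CreateRemoteThread(hRemoteProcess, NULL, 0, pfnLoadLibraryA, pszLibFileRemote, 0, NULL);
    if (hLoadThread == NULL)
        goto out;                      /* check BEFORE waiting on the handle */
    WaitForSingleObject(hLoadThread, INFINITE);

    /* 4. Exit code == LoadLibraryA's return; 0 means the load failed remotely. */
    if (!GetExitCodeThread(hLoadThread, &dwDllAddr) || dwDllAddr == 0)
        goto out;

    hHookThread = CreateRemoteThread(hRemoteProcess, NULL, 0,
                                     (PTHREAD_START_ROUTINE)(dwDllAddr + dwOffect),
                                     (LPVOID)dwArgu, 0, NULL);
    if (hHookThread == NULL)
        goto out;
    WaitForSingleObject(hHookThread, INFINITE);
    ok = TRUE;

out:
    if (hHookThread != NULL)
        CloseHandle(hHookThread);
    if (hLoadThread != NULL)
        CloseHandle(hLoadThread);
    /* LoadLibraryA has already copied the name, so the buffer can go. */
    if (pszLibFileRemote != NULL)
        VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
    if (hRemoteProcess != NULL)
        CloseHandle(hRemoteProcess);
    return ok;
}

/*
 * Convenience wrapper: inject "this.dll" from the directory of the running
 * executable into process dwPid and run its "HookFun" export there.
 *
 * The RVA of HookFun is obtained by loading the DLL into *this* process,
 * subtracting the local base from the export's address and unloading again.
 * An RVA is the same wherever the image is mapped, so it can be added to the
 * remote base that LoadLibraryA returns in the target. Note that the local
 * LoadLibraryA runs the DLL's DllMain inside the injector as a side effect.
 *
 * Results are stored in the file-scope global dwOffect (as before); the
 * argument passed on is the global dwArgu, which nothing in this listing
 * assigns, so HookFun currently receives 0 unless another unit sets it.
 *
 * Silently does nothing if the executable path cannot be obtained or is too
 * long for the buffer, contains no backslash, or the DLL cannot be loaded or
 * lacks the export. The original dereferenced NULL in those cases.
 */
void Hook(int dwPid)
{
    char    curpath[MAX_PATH];
    char   *lastSep;
    HMODULE hTmpDll;
    FARPROC pfnHookFun;
    DWORD   len;

    /* Return value == buffer size means the path was truncated. */
    len = GetModuleFileNameA(NULL, curpath, sizeof curpath);
    if (len == 0 || len >= sizeof curpath)
        return;

    lastSep = strrchr(curpath, '\\');
    if (lastSep == NULL)
        return;
    *lastSep = '\0';

    /* Bounded append of "\this.dll". */
    if (strlen(curpath) + strlen("\\this.dll") >= sizeof curpath)
        return;
    strcat(curpath, "\\this.dll");

    hTmpDll = LoadLibraryA(curpath);
    if (hTmpDll == NULL)
        return;
    pfnHookFun = GetProcAddress(hTmpDll, "HookFun");
    if (pfnHookFun == NULL) {
        FreeLibrary(hTmpDll);
        return;
    }
    dwOffect = (DWORD)((char *)pfnHookFun - (char *)hTmpDll);   /* RVA */
    FreeLibrary(hTmpDll);

    CreateRemoteDll(curpath, (DWORD)dwPid, dwOffect, dwArgu);
}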

Hook代码

/*
 * Trampoline for a 5-byte inline hook (32-bit x86, MSVC inline asm only).
 *
 * __declspec(naked): the compiler emits no prologue/epilogue, so the
 * function body is exactly the instructions below. The patched site jumps
 * here; we save all general registers and the flags, call MyFun() (not
 * declared in this listing), restore them, and continue at uRetAddr, the
 * instruction following the patched jmp.
 *
 * `add esp,0xc` discards three dwords from the stack before returning.
 * That amount is specific to whatever the 5-byte jmp overwrote at the
 * original site -- presumably pushes that no longer execute or that MyFun
 * consumes -- TODO confirm against the hooked code; a wrong value here
 * corrupts the stack of the hooked thread.
 */
__declspec(naked) void MyHookGetRes()
{
/* Preserve every register and EFLAGS around the C call. */
__asm
{
pushad
pushfd
}
MyFun();
/* Restore, drop the three dwords, resume after the hook. */
__asm
{
popfd
popad
add esp,0xc
jmp uRetAddr
}
/* ---- hook installer (fragment) ----
 * The statements below use hModule and uRetAddr, which are declared
 * elsewhere, and HANDLE/char locals, so they must sit inside a function --
 * presumably in the injected DLL, since it patches the current process.
 * 0x11111 is a hard-coded RVA valid for one specific build of the target
 * module; on any other build the 5-byte overwrite may land mid-instruction. */
} ULONG uHookAddr = 0x11111 + (DWORD)hModule;
HANDLE handle = GetCurrentProcess();
/* Patch bytes: E9 <rel32>  (near relative jmp). rel32 is computed relative
 * to the end of the 5-byte instruction, hence the "- 5". */
char MyJMP[5]={0};
MyJMP[0]=(char)0xe9;
ULONG uTempAddr=(ULONG)MyJMP;
uRetAddr = uHookAddr + 5;
ULONG uSkillJmp=(ULONG)MyHookGetRes-uHookAddr-5;
/* Store the 32-bit displacement at MyJMP+1. The final `mov ecx,[ebx]` only
 * reads the value back and does not affect the patch.
 * Plain-C equivalent: memcpy(MyJMP + 1, &uSkillJmp, 4). */
__asm
{
mov eax,uSkillJmp
mov ebx, uTempAddr
add ebx ,1
mov [ebx],eax
mov ecx,[ebx]
}
/* WriteProcessMemory on our own process instead of memcpy -- presumably
 * because uHookAddr is in a code page that is not writable, and a direct
 * store would fault. The return value is not checked, so a failed patch goes
 * unnoticed, and the 5-byte write is not atomic with respect to other
 * threads that may be executing at uHookAddr at that moment. */
WriteProcessMemory(handle,(LPVOID)(uHookAddr),(LPVOID)MyJMP,5,NULL);

