Windows下的dll注入(使用CreateRemoteThread)

话不多说,直接贴代码。

dll注入方式挺多,个人感觉比较方便的就是这个。效果很明显,编译运行阶段就会被火绒拦截;手动添加信任才能正常运行。

需要注意的就是64位编译出来,远程注入的程序必须是64位,dll也必须是64位的;32位也必须统一。

还有就是注入系统进程时貌似都会创建线程失败,错误码为 5,大概是权限不足。

这种方式框架就是这样,都是Win32API,只需要知道基本调用就好了。

#include <windows.h>
#include <tlhelp32.h>
#include <memoryapi.h>
#include <iostream>
using namespace std;   // file-scope using-directive; the rest of the file relies on unqualified string/cout/cin
string dllNamea;       // full path of the DLL to load into the target; assigned in on_inject_clicked()
string procNamea;      // image name of the target process; compared against PROCESSENTRY32::szExeFile in GetProcId()
DWORD pid;             // PID returned by GetProcId(); 0 means "not found" and makes InjectDll()/UninjectDll() return early

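// Converts a NUL-terminated wide string to a heap-allocated UTF-8 string.
// Returns a new[]-allocated buffer that the caller must release with delete[]
// (no caller in this file currently uses it; GetProcId has the call commented out).
// A null input or a failed conversion yields an empty string, never a null pointer.
char* wideCharToMultiByte(const wchar_t* pWCStrKey)
{
    if (pWCStrKey == nullptr) {
        char* empty = new char[1];
        empty[0] = '\0';
        return empty;
    }
    const int srcLen = static_cast<int>(wcslen(pWCStrKey));
    // First call: with cbMultiByte == 0 the API only reports the required size; 0 means failure.
    const int outLen = WideCharToMultiByte(CP_UTF8, 0, pWCStrKey, srcLen, nullptr, 0, nullptr, nullptr);
    char* outBuf = new char[(outLen > 0 ? outLen : 0) + 1];
    if (outLen > 0) {
        // Second call: perform the conversion into the exactly-sized buffer.
        WideCharToMultiByte(CP_UTF8, 0, pWCStrKey, srcLen, outBuf, outLen, nullptr, nullptr);
    }
    // The API does not write a terminator when given an explicit source length.
    outBuf[outLen > 0 ? outLen : 0] = '\0';
    return outBuf;
}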

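// Looks up a running process by image name (e.g. "test.exe") and returns its PID.
// Returns 0 when no process matches or the snapshot cannot be taken.
// The comparison is exact and case-sensitive and stops at the first match, so
// several processes with the same image name are not distinguished.
// Side effect: prints every enumerated image name to stdout (kept from the
// original as a debugging aid for the name comparison).
DWORD GetProcId(string procName)
{
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {
        // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not NULL.
        return 0;
    }
    PROCESSENTRY32 pe32{};
    pe32.dwSize = sizeof(pe32);   // Process32First rejects an entry with dwSize unset
    DWORD foundPid = 0;
    for (BOOL more = Process32First(hSnap, &pe32); more; more = Process32Next(hSnap, &pe32)) {
        // NOTE(review): szExeFile is a TCHAR array; this cast (kept from the original) is only
        // correct in a non-UNICODE build. In a UNICODE build the comparison silently never matches.
        const char* exeName = reinterpret_cast<const char*>(pe32.szExeFile);
        cout << "array = " << exeName << endl;
        if (procName == exeName) {
            cout << "找到了" << endl;
            foundPid = pe32.th32ProcessID;
            break;
        }
    }
    // The original returned from inside the loop and leaked the snapshot handle.
    CloseHandle(hSnap);
    return foundPid;
}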

// Loads dllName into process pid by creating a remote thread whose start routine is
// kernel32!LoadLibraryA and whose argument is a copy of the path written into the target.
// Relies on kernel32.dll sharing its base address with the target (same bitness, as
// the post states); nothing here verifies that.
// Failures are reported only on stdout; the function returns void.
// Detection note: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx -> WriteProcessMemory
// -> CreateRemoteThread is the textbook sequence AV/EDR products alert on; the post above
// reports that 火绒 blocks this binary at run time unless it is explicitly trusted.
void InjectDll(DWORD pid,string dllName)
{
    if(pid==0||dllName.length()==0)
    {
        return;
    }
    // NOTE(review): binding a string literal to a non-const char* is ill-formed since C++11;
    // this should be const char*.
    char* pFunName = "LoadLibraryA";
    // PROCESS_ALL_ACCESS is far broader than the rights this function actually uses.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid);
    if(hProcess==NULL)
    {
        return;   // the post observes error 5 (access denied) against system processes
    }
    // NOTE(review): dllLen excludes the terminating NUL, so the path written below is not
    // NUL-terminated by this code; it only works because VirtualAllocEx commits whole
    // zero-filled pages. The length should include the terminator.
    int dllLen = dllName.length();
    PVOID pDllAddr = VirtualAllocEx(hProcess,NULL,dllLen,MEM_COMMIT,PAGE_READWRITE);
    if(pDllAddr ==NULL)
    {
        CloseHandle(hProcess);
        return;
    }
    // Misleading message: at this point only the remote buffer exists; nothing is loaded yet.
    cout<<"注入成功"<<endl;
    DWORD writeNum = 0;
    // NOTE(review): the BOOL result is printed but never checked. writeNum is a 4-byte DWORD
    // passed as SIZE_T*, which on a 64-bit build lets the API write 8 bytes into a 4-byte
    // local (stack overwrite); it should be declared SIZE_T.
    cout<<WriteProcessMemory(hProcess,(LPVOID)pDllAddr,(LPCVOID)dllName.c_str(),(SIZE_T)dllLen,(SIZE_T *)&writeNum)<<endl;
    // LoadLibraryA resolved in this process; a NULL result is not checked before use below.
    FARPROC pFunAddr = GetProcAddress(GetModuleHandleA("kernel32.dll"),pFunName);
    cout<<pDllAddr<<endl;
    cout<<pFunAddr<<endl;
    HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)pFunAddr,pDllAddr,0,NULL);
    cout<<"hthread = "<<hThread<<endl;
    if(hThread)
    {
        // Blocks with no timeout until the remote LoadLibraryA returns; its HMODULE result
        // (the thread exit code) is never read, so success is not verified here.
        WaitForSingleObject(hThread,INFINITE);
        CloseHandle(hThread);
    }
    else
    {
        cout<<GetLastError()<<endl;
    }
    // The remote buffer holding the path is never released (no VirtualFreeEx).
    CloseHandle(hProcess);
}

// Demo driver: fills the globals with a hard-coded DLL path and target image name,
// resolves the PID and hands both to InjectDll(). Earlier targets the author tried
// are kept below for reference.
//    dllNamea = "C:\\Users\\17724\\Desktop\\dll4\\dllTest.dll";
//    dllNamea = "C:\\Users\\17724\\Desktop\\dll2\\dllTesta.dll";
//    procNamea = "Everything.exe";
void on_inject_clicked()
{
    dllNamea.assign("C:\\Users\\17724\\Desktop\\dllTest\\myTest.dll");
    procNamea.assign("test.exe");
    const DWORD resolvedPid = GetProcId(procNamea);
    pid = resolvedPid;
    cout << "pid = " << resolvedPid << endl;
    InjectDll(resolvedPid, dllNamea);
}

// Unloads dllName from process pid by running kernel32!FreeLibrary on a remote thread
// with the module handle found in the target's module list.
// NOTE(review): when dllName is not found, the loop simply ends and the remote FreeLibrary
// is still issued with whatever me32.hModule holds (the last enumerated module, or
// uninitialized data if enumeration produced nothing) — this can unload an unrelated
// module in the target. An early return on "not found" is the missing check.
void UninjectDll(DWORD pid, string dllName)
{
    if(pid==0||dllName.length()==0)
    {
        return;
    }
    // INVALID_HANDLE_VALUE (snapshot failure, e.g. a 32/64-bit mismatch) is not checked.
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,pid);
    MODULEENTRY32 me32;
    me32.dwSize = sizeof(me32);
    // NOTE(review): enumeration starts with Module32Next instead of Module32First, which
    // the API documents as the required first call; whether this reliably visits every
    // module is not established here.
    BOOL bRet = Module32Next(hSnap,&me32);
    char* array;
    WCHAR* ff;   // unused
    string arr;
    while(bRet)
    {
        // Same TCHAR assumption as GetProcId: only valid in a non-UNICODE build.
        array = (char*)me32.szExePath;
        arr = array;
        // Exact, case-sensitive full-path comparison; the loader may report a different
        // casing than the one typed in dllNamea — presumably fine for this demo, unverified.
        if(dllName == arr)
        {
            cout<<"也找到了"<<endl;
            break;
        }
        bRet = Module32Next(hSnap,&me32);
    }
    CloseHandle(hSnap);
    // NOTE(review): string literal bound to non-const char*; ill-formed since C++11.
    char* pFunName = "FreeLibrary";
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid);
    if(hProcess==NULL)
    {
        return;
    }
    // Neither pFunAddr nor hThread is checked; a NULL hThread makes the wait and close
    // below fail silently.
    FARPROC pFunAddr = GetProcAddress(GetModuleHandleA("kernel32.dll"),pFunName);
    HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)pFunAddr,me32.hModule,0,NULL);
    WaitForSingleObject(hThread,INFINITE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
} 

// Detaches the DLL previously injected by on_inject_clicked(), using the
// globals (pid, dllNamea) that call populated.
void on_detatch_clicked()
{
    const DWORD targetPid = pid;
    const string& targetDll = dllNamea;
    UninjectDll(targetPid, targetDll);
}

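// Entry point: injects once, then reads integers from stdin; an input of 5 detaches the DLL.
// The loop ends on end-of-file or unparsable input instead of spinning forever — the
// original re-read a failed cin without clearing it, so it never terminated.
int main()
{
    on_inject_clicked();
    int num = 0;   // initialized so a failed first read cannot leave it indeterminate
    while (cin >> num)
    {
        if (num == 5)
        {
            on_detatch_clicked();
        }
    }
    return 0;
}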

 
