C/C++ 实现远程线程DLL注入

32位:远程线程注入

远程线程注入是最常用的一种注入技术,该技术利用的核心API是 CreateRemoteThread() 这个API可以运行远程线程,其次通过创建的线程调用 LoadLibraryA() 这个函数动态载入指定的DLL即可实现运行DLL,
LoadLibrary()函数在任何一个可执行文件中都可以被调用到,这就给我们注入提供了有效的条件.

#include <windows.h>
#include <stdio.h>

void InjectDLL(DWORD PID,char *Path) 
{
	DWORD dwSize;
	HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,false,PID);
	dwSize=strlen(Path)+1;

	LPVOID lpParamAddress=VirtualAllocEx(hProcess,0,dwSize,PARITY_SPACE,PAGE_EXECUTE_READWRITE);
	WriteProcessMemory(hProcess,lpParamAddress,(PVOID)Path,dwSize,NULL);

	HMODULE hModule=GetModuleHandleA("kernel32.dll");
	LPTHREAD_START_ROUTINE lpStartAddress=(LPTHREAD_START_ROUTINE)GetProcAddress(hModule,"LoadLibraryA");
	HANDLE hThread=CreateRemoteThread(hProcess,NULL,0,lpStartAddress,lpParamAddress,0,NULL);
	WaitForSingleObject(hThread,1000);
	CloseHandle(hThread);
}

int main()
{
	InjectDLL(1258,"C:\hook.dll");
	return 0;
}

64位:远程线程注入

#include <stdio.h>
#include <windows.h>

BOOL WINAPI InjectProxyW(DWORD dwPID, PCWSTR pwszProxyFile)
{
    BOOL ret = FALSE;
    HANDLE hToken = NULL;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    FARPROC pfnThreadRtn = NULL;
    PWSTR pwszPara = NULL;
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
    pfnThreadRtn = GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
    size_t iProxyFileLen = wcslen(pwszProxyFile)*sizeof(WCHAR); //May be in your case iProxyFileLen containes invalid value.
    pwszPara = (PWSTR)VirtualAllocEx(hProcess, NULL, iProxyFileLen, MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(hProcess, pwszPara, (PVOID)pwszProxyFile, iProxyFileLen, NULL);
    hThread = CreateRemoteThread(hProcess, NULL, 1024, (LPTHREAD_START_ROUTINE)pfnThreadRtn, pwszPara, 0, NULL);
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    VirtualFreeEx(hProcess, pwszPara, 0, MEM_RELEASE);
    CloseHandle(hProcess);
    return(TRUE);
}

int main()
{
    WCHAR dllname[MAX_PATH];
    DWORD dwPID = 0;
    printf("input pid: "); scanf("%ld", &dwPID);
    //printf("input dll full path: "); scanf("%ws", dllname);
    InjectProxyW(dwPID,L"C:\\hook.dll");
    //InjectProxyW(dwPID, dllname);
    return 0;
}

消息钩子注入(过保护)

消息钩子注入原理是利用Windows系统中SetWindowsHookEx()这个API函数,它可以拦截目标进程的消息到指定的DLL中导出的函数,利用这个特性,我们可以将DLL注入到指定进程中,
该函数的注入属于全局注入,部分游戏保护是无法识别这种注入方式的,我们在注入后需要在代码中判断一下进程是不是我们需要注入的,不然会对全局生效。

1.首先我们需要创建一个Dll工程 hook.cpp 然后将SetHook方法导出,在DllMain中进行了判断,如果窗口句柄为valve001则弹出一个消息框,其他进程直接跳过,即可实现指定进程注入。

#include <windows.h>
HHOOK global_hook;

LRESULT CALLBACK MyProc(int nCode, WPARAM wParam, LPARAM lParam)
{
	return CallNextHookEx(global_hook, nCode, wParam, lParam);
}
extern "C" __declspec(dllexport) void SetHook()
{
	global_hook = SetWindowsHookEx(WH_CBT, MyProc, GetModuleHandle(TEXT("hook.dll")), 0);
}
bool APIENTRY DllMain(HANDLE handle, DWORD dword, LPVOID lpvoid)
{
	HWND hwnd = FindWindowW(L"valve001",NULL);
	DWORD pid;
	GetWindowThreadProcessId(hwnd, &pid);
	if (GetCurrentProcessId() == pid)
	{
		MessageBox(hwnd, TEXT("inject"), 0, 0);
	}
	return true;
}

2.调用代码如下,注意必须将上方编译好的hook.dll与下方工程放到同一个目录下,通过LoadLibrary函数获取到模块句柄,然后通过GetProcAddress获取到导出函数地址,并通过函数指针调用。

#include <windows.h>
int main()
{
	HMODULE hMod = LoadLibrary(TEXT("hook.dll"));
	typedef void(*pSetHook)(void);
	pSetHook SetHook = (pSetHook)GetProcAddress(hMod, "SetHook");
	SetHook();
	while (1)
	{
		Sleep(1000);
	}
	return 0;
}
posted @ 2019-06-21 17:59  lyshark  阅读(1309)  评论(0编辑  收藏  举报

loading... | loading...
博客园 - 开发者的网上家园