C/C++ 实现远程线程DLL注入

阅读目录

• 消息钩子注入(过保护)

32位：远程线程注入

远程线程注入是最常用的一种注入技术，该技术利用的核心API是 CreateRemoteThread() 这个API可以运行远程线程，其次通过创建的线程调用 LoadLibraryA() 这个函数动态载入指定的DLL即可实现运行DLL，
而LoadLibrary()函数在任何一个可执行文件中都可以被调用到，这就给我们注入提供了有效的条件.

#include <windows.h>
#include <stdio.h>

void InjectDLL(DWORD PID,char *Path) 
{
	DWORD dwSize;
	HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,false,PID);
	dwSize=strlen(Path)+1;

	LPVOID lpParamAddress=VirtualAllocEx(hProcess,0,dwSize,PARITY_SPACE,PAGE_EXECUTE_READWRITE);
	WriteProcessMemory(hProcess,lpParamAddress,(PVOID)Path,dwSize,NULL);

	HMODULE hModule=GetModuleHandleA("kernel32.dll");
	LPTHREAD_START_ROUTINE lpStartAddress=(LPTHREAD_START_ROUTINE)GetProcAddress(hModule,"LoadLibraryA");
	HANDLE hThread=CreateRemoteThread(hProcess,NULL,0,lpStartAddress,lpParamAddress,0,NULL);
	WaitForSingleObject(hThread,1000);
	CloseHandle(hThread);
}

int main()
{
	InjectDLL(1258,"C:\hook.dll");
	return 0;
}

64位：远程线程注入

#include <stdio.h>
#include <windows.h>

BOOL WINAPI InjectProxyW(DWORD dwPID, PCWSTR pwszProxyFile)
{
    BOOL ret = FALSE;
    HANDLE hToken = NULL;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    FARPROC pfnThreadRtn = NULL;
    PWSTR pwszPara = NULL;
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
    pfnThreadRtn = GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
    size_t iProxyFileLen = wcslen(pwszProxyFile)*sizeof(WCHAR); //May be in your case iProxyFileLen containes invalid value.
    pwszPara = (PWSTR)VirtualAllocEx(hProcess, NULL, iProxyFileLen, MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(hProcess, pwszPara, (PVOID)pwszProxyFile, iProxyFileLen, NULL);
    hThread = CreateRemoteThread(hProcess, NULL, 1024, (LPTHREAD_START_ROUTINE)pfnThreadRtn, pwszPara, 0, NULL);
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    VirtualFreeEx(hProcess, pwszPara, 0, MEM_RELEASE);
    CloseHandle(hProcess);
    return(TRUE);
}

int main()
{
    WCHAR dllname[MAX_PATH];
    DWORD dwPID = 0;
    printf("input pid: "); scanf("%ld", &dwPID);
    //printf("input dll full path: "); scanf("%ws", dllname);
    InjectProxyW(dwPID,L"C:\\hook.dll");
    //InjectProxyW(dwPID, dllname);
    return 0;
}

回到顶部

消息钩子注入(过保护)

消息钩子注入原理是利用Windows系统中SetWindowsHookEx()这个API函数，它可以拦截目标进程的消息到指定的DLL中导出的函数，利用这个特性，我们可以将DLL注入到指定进程中，
该函数的注入属于全局注入，部分游戏保护是无法识别这种注入方式的，我们在注入后需要在代码中判断一下进程是不是我们需要注入的，不然会对全局生效。

1.首先我们需要创建一个Dll工程 hook.cpp 然后将SetHook方法导出，在DllMain中进行了判断，如果窗口句柄为valve001则弹出一个消息框，其他进程直接跳过，即可实现指定进程注入。

#include <windows.h>
HHOOK global_hook;

LRESULT CALLBACK MyProc(int nCode, WPARAM wParam, LPARAM lParam)
{
	return CallNextHookEx(global_hook, nCode, wParam, lParam);
}
extern "C" __declspec(dllexport) void SetHook()
{
	global_hook = SetWindowsHookEx(WH_CBT, MyProc, GetModuleHandle(TEXT("hook.dll")), 0);
}
bool APIENTRY DllMain(HANDLE handle, DWORD dword, LPVOID lpvoid)
{
	HWND hwnd = FindWindowW(L"valve001",NULL);
	DWORD pid;
	GetWindowThreadProcessId(hwnd, &pid);
	if (GetCurrentProcessId() == pid)
	{
		MessageBox(hwnd, TEXT("inject"), 0, 0);
	}
	return true;
}

2.调用代码如下，注意必须将上方编译好的hook.dll与下方工程放到同一个目录下，通过LoadLibrary函数获取到模块句柄，然后通过GetProcAddress获取到导出函数地址，并通过函数指针调用。

#include <windows.h>
int main()
{
	HMODULE hMod = LoadLibrary(TEXT("hook.dll"));
	typedef void(*pSetHook)(void);
	pSetHook SetHook = (pSetHook)GetProcAddress(hMod, "SetHook");
	SetHook();
	while (1)
	{
		Sleep(1000);
	}
	return 0;
}