远程线程注入技术

一.远程线程注入步骤：

1. 获得目标进程句柄

   • 方法1：先获得窗口句柄，根据窗口句柄获得进程ID，再根据进程ID获得进程句柄。

     hwnd = FindWindow("Notepad", NULL);//找到程序窗口句柄
         if (hwnd == NULL)
         {
             MessageBox(NULL, "获得窗口句柄错误！", "ERROR", MB_OK);
             return false;
         }
         GetWindowThreadProcessId(hwnd, &dwProcessId);
         HANDLE hProcess;
         hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
     

   • 方法2：获得进程快照，根据进程快照遍历进程，直到找到目标进程。

     char ProcessName[25] = "Notepad.exe";
     	DWORD ProcessId = 0;
     	HANDLE SnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,NULL);
     	if(SnapShot == NULL)
     	{
     		MessageBox(NULL, "创建进程快照失败！", "ERROR", MB_OK);
     	}
     	PROCESSENTRY32 ProcessInfo = {0};
     	ProcessInfo.dwSize = sizeof(PROCESSENTRY32);
     	int record = Process32Next(SnapShot, &ProcessInfo);
     	while(record)
     	{
     		if(!strcmp(ProcessInfo.szExeFile, ProcessName))
     		{
     			ProcessId = ProcessInfo.th32ProcessID;
     			break;
     		}
     		record = Process32Next(SnapShot, &ProcessInfo);
     	}
     	if(record == 0)
     	{
     		MessageBox(NULL, "查找目标进程失败！", "ERROR", MB_OK);
     		return false;
     	}
     	HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,ProcessId);
     

2. 开辟空间并且将目标DLL的地址写入进程空间

   PVOID lpPathAddr = VirtualAllocEx(hProcess, 0, strlen(pszDllFileName) + 1, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
       if (lpPathAddr == NULL)
       {
           MessageBox(NULL, "申请内存空间错误！", "ERROR", MB_OK);
           CloseHandle(hProcess);
           return false;
       }
       //3.在目标进程当中写入dll路径
       SIZE_T dwWriteSize = 0;
       if (WriteProcessMemory(hProcess, lpPathAddr, pszDllFileName, strlen(pszDllFileName) + 1, &dwWriteSize) == false)
       {
           MessageBox(NULL, "写入目标进程空间错误！", "ERROR", MB_OK);
           CloseHandle(hProcess);
           return false;
       }
   

3. 载入DLL文件，并创建远程线程调用DLL

    FARPROC pFunProcAddr = GetProcAddress(GetModuleHandle("Kernel32.dll"), "LoadLibraryA");
       if (pFunProcAddr == NULL)
       {
           MessageBox(NULL, "载入LoadLibraryA函数错误！", "ERROR", MB_OK);
           CloseHandle(hProcess);
           return false;
       }
       //4.创建远程线程实现dll注入
       HANDLE hThread = CreateRemoteThread(hProcess, NULL, NULL, (PTHREAD_START_ROUTINE)pFunProcAddr, lpPathAddr, NULL, NULL);
       if (hThread == NULL)
       {
           MessageBox(NULL, "创建远程进程错误！", "ERROR", MB_OK);
           CloseHandle(hProcess);
           return false;
       }