远程线程注入技术
一.远程线程注入步骤:
- 获得目标进程句柄
- 方法1:先获得窗口句柄,根据窗口句柄获得进程ID,再根据进程ID获得进程句柄。
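// Step 1 (variant A): reach the target process through its top-level window.
// FindWindow is matched here on the window class name ("Notepad").
hwnd = FindWindow("Notepad", NULL); // locate the target program's window handle
if (hwnd == NULL) {
    MessageBox(NULL, "获得窗口句柄错误!", "ERROR", MB_OK);
    return false;
}
// Map the window to its owning process id (dwProcessId is declared outside this fragment).
GetWindowThreadProcessId(hwnd, &dwProcessId);
// OpenProcess returns NULL when the caller lacks access to the target (different user,
// protected/elevated process); the original used the handle without checking it.
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
if (hProcess == NULL) {
    MessageBox(NULL, "打开目标进程错误!", "ERROR", MB_OK);
    return false;
}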
- 方法2:获得进程快照,根据进程快照遍历进程,直到找到目标进程。
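// Step 1 (variant B): find the target by walking a Toolhelp process snapshot.
char ProcessName[25] = "Notepad.exe";
DWORD ProcessId = 0;
// The second argument is a DWORD process id (ignored for TH32CS_SNAPPROCESS): pass 0, not NULL.
HANDLE SnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
// On failure this API returns INVALID_HANDLE_VALUE, not NULL; the original compared against
// NULL and then kept iterating on the bad handle. Stop here instead.
if (SnapShot == INVALID_HANDLE_VALUE) {
    MessageBox(NULL, "创建进程快照失败!", "ERROR", MB_OK);
    return false;
}
PROCESSENTRY32 ProcessInfo = {0};
ProcessInfo.dwSize = sizeof(PROCESSENTRY32); // must be set before the first Process32* call
// The documented walk starts with Process32First; the original started with Process32Next.
BOOL record = Process32First(SnapShot, &ProcessInfo);
while (record) {
    // Case-sensitive comparison of the image name, exactly as the original did.
    if (!strcmp(ProcessInfo.szExeFile, ProcessName)) {
        ProcessId = ProcessInfo.th32ProcessID;
        break;
    }
    record = Process32Next(SnapShot, &ProcessInfo);
}
// The snapshot is not needed once the walk is over; the original never closed it.
CloseHandle(SnapShot);
if (record == 0) {
    MessageBox(NULL, "查找目标进程失败!", "ERROR", MB_OK);
    return false;
}
// As in variant A, OpenProcess can fail and must be checked before the handle is used.
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
if (hProcess == NULL) {
    MessageBox(NULL, "打开目标进程失败!", "ERROR", MB_OK);
    return false;
}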
- 开辟空间并且将目标DLL的路径写入进程空间
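// Step 2: allocate a buffer in the target and copy the DLL path (including the NUL) into it.
// pszDllFileName is the path string declared outside this fragment.
SIZE_T cbPath = strlen(pszDllFileName) + 1; // computed once; counts the terminator
PVOID lpPathAddr = VirtualAllocEx(hProcess, NULL, cbPath, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
if (lpPathAddr == NULL) {
    MessageBox(NULL, "申请内存空间错误!", "ERROR", MB_OK);
    CloseHandle(hProcess);
    return false;
}
// Step 3: write the DLL path into the target process.
SIZE_T dwWriteSize = 0;
// A short write is as bad as a failed one (LoadLibraryA would see a truncated, possibly
// unterminated path), so the byte count is checked too. `!` replaces the `== false` on a BOOL.
if (!WriteProcessMemory(hProcess, lpPathAddr, pszDllFileName, cbPath, &dwWriteSize) ||
    dwWriteSize != cbPath) {
    MessageBox(NULL, "写入目标进程空间错误!", "ERROR", MB_OK);
    VirtualFreeEx(hProcess, lpPathAddr, 0, MEM_RELEASE); // the original leaked the remote buffer here
    CloseHandle(hProcess);
    return false;
}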
- 载入DLL文件,并创建远程线程调用DLL
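// Step 4: resolve LoadLibraryA and run it in the target on a new thread.
// The technique assumes kernel32.dll is mapped at the same base in the target as in this
// process, so the address resolved locally is meaningful there.
HMODULE hKernel32 = GetModuleHandle("Kernel32.dll");
FARPROC pFunProcAddr = (hKernel32 != NULL) ? GetProcAddress(hKernel32, "LoadLibraryA") : NULL;
if (pFunProcAddr == NULL) {
    MessageBox(NULL, "载入LoadLibraryA函数错误!", "ERROR", MB_OK);
    VirtualFreeEx(hProcess, lpPathAddr, 0, MEM_RELEASE); // release the path buffer on every failure path
    CloseHandle(hProcess);
    return false;
}
// dwStackSize and dwCreationFlags are integers and lpThreadId is an optional out-pointer;
// the original passed NULL for all three. 0 / NULL of the right kind is used here.
HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunProcAddr,
                                    lpPathAddr, 0, NULL);
if (hThread == NULL) {
    // The original text said "远程进程" (remote process); it is the remote thread that failed.
    MessageBox(NULL, "创建远程线程错误!", "ERROR", MB_OK);
    VirtualFreeEx(hProcess, lpPathAddr, 0, MEM_RELEASE);
    CloseHandle(hProcess);
    return false;
}
// The path buffer must outlive the remote LoadLibraryA call, so wait before releasing it.
// The original never closed hThread nor freed the buffer. This OpenProcess -> VirtualAllocEx
// -> WriteProcessMemory -> CreateRemoteThread(LoadLibraryA) chain is the textbook injection
// sequence that endpoint monitoring is built to recognise. hProcess is still open after
// this point; whoever owns it closes it.
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
VirtualFreeEx(hProcess, lpPathAddr, 0, MEM_RELEASE);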
本文作者:ONE_ZJ
本文链接:https://www.cnblogs.com/ONEZJ/p/17775949.html
版权声明:本作品采用知识共享署名-非商业性使用-禁止演绎 2.5 中国大陆许可协议进行许可。