CreateRemoteThread远程线程注入Dll与Hook
CreateRemoteThread虽然很容易被检测到,但是在有些场合还是挺有用的。每次想用的时候总想着去找以前的代码,现在在这里记录一下。
CreateRemoteThread远程注入
/*
 * File-scope globals shared with Hook() below: Hook() stores the exported
 * hook function's offset from the DLL base in dwOffect.  Nothing on this
 * page assigns dwArgu, so it keeps its zero static initialisation unless
 * set elsewhere.  Note that CreateRemoteDll's parameters of the same names
 * shadow these globals inside that function.
 */
DWORD dwOffect,dwArgu;

/*
 * Load DllFullPath into the process dwRemoteProcessId via a remote thread
 * on LoadLibraryA, then start a second remote thread at
 * (remote DLL base + dwOffect) with dwArgu as its single argument.
 *
 * Returns TRUE on success, FALSE on any failure (no GetLastError() is
 * preserved).  This is the textbook OpenProcess / VirtualAllocEx /
 * WriteProcessMemory / CreateRemoteThread sequence, which the author
 * notes above is easy to detect.
 *
 * NOTE(review): all addresses are carried in DWORD (dwDllAddr, dwOffect,
 * dwArgu), so this only works for a 32-bit injector and 32-bit target.
 */
BOOL CreateRemoteDll(const char *DllFullPath, const DWORD dwRemoteProcessId ,DWORD dwOffect,DWORD dwArgu)
{
    /* Best-effort: enable SeDebugPrivilege on our own token, presumably so
     * OpenProcess below succeeds on processes we could not otherwise open.
     * Failures of LookupPrivilegeValue/AdjustTokenPrivileges are ignored. */
    HANDLE hToken;
    if ( OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken) )
    {
        TOKEN_PRIVILEGES tkp;
        LookupPrivilegeValue( NULL,SE_DEBUG_NAME,&tkp.Privileges[0].Luid );// look up the LUID for the privilege to change
        tkp.PrivilegeCount=1;
        tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
        AdjustTokenPrivileges( hToken,FALSE,&tkp,sizeof tkp,NULL,NULL );// ask the system to apply the privilege change
        CloseHandle(hToken);
    }
    HANDLE hRemoteProcess;
    // Open the target process (the original comment says "thread", but this is OpenProcess)
    if( (hRemoteProcess = OpenProcess( PROCESS_CREATE_THREAD | // allow creating threads in the target
        PROCESS_VM_OPERATION | // allow VirtualAllocEx in the target
        PROCESS_VM_WRITE, // allow WriteProcessMemory into the target
        FALSE, dwRemoteProcessId ) )== NULL )
    {
        return FALSE;
    }
    char *pszLibFileRemote;
    // Allocate a buffer for the DLL path inside the target's address space
    // (lstrlen + 1 so the terminating NUL is included).
    pszLibFileRemote = (char *) VirtualAllocEx( hRemoteProcess, NULL, lstrlen(DllFullPath)+1, MEM_COMMIT, PAGE_READWRITE);
    if(pszLibFileRemote == NULL)
    {
        CloseHandle(hRemoteProcess);
        return FALSE;
    }
    // Copy the DLL path into the remote buffer.
    // NOTE(review): the (void *) cast drops the const on DllFullPath; WriteProcessMemory
    // only reads from it, so an LPCVOID cast would be the accurate one.
    if( WriteProcessMemory(hRemoteProcess, pszLibFileRemote, (void *) DllFullPath, lstrlen(DllFullPath)+1, NULL) == 0)
    {
        CloseHandle(hRemoteProcess);
        return FALSE;
    }
    // Resolve LoadLibraryA in our own kernel32; the remote thread starts there
    // with the remote path buffer as its argument.
    PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE) GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
    if(pfnStartAddr == NULL)
    {
        // NOTE(review): hRemoteProcess is not closed on this path (handle leak);
        // the VirtualAllocEx buffer is never freed on any path.
        return FALSE;
    }
    HANDLE hRemoteThread;
    hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote, 0, NULL);
    // NOTE(review): the wait happens before the NULL check, so a failed
    // CreateRemoteThread waits on an invalid handle (WAIT_FAILED) first.
    WaitForSingleObject(hRemoteThread,INFINITE);
    if( hRemoteThread == NULL)
    {
        CloseHandle(hRemoteProcess);
        return FALSE;
    }
    // The thread's exit code is LoadLibraryA's return value, i.e. the DLL's
    // HMODULE (base address) in the target.  Return value of
    // GetExitCodeThread is not checked, so dwDllAddr may be left uninitialised.
    DWORD dwDllAddr;
    GetExitCodeThread(hRemoteThread,&dwDllAddr);
    if(dwDllAddr!=0)
    {
        // Base + offset computed by Hook() = address of the exported hook
        // function inside the target; run it on a second remote thread.
        dwDllAddr += dwOffect;
        HANDLE hHookFunc;
        hHookFunc = CreateRemoteThread( hRemoteProcess, NULL, 0, (PTHREAD_START_ROUTINE)dwDllAddr, (LPVOID)dwArgu, 0, NULL);
        // NOTE(review): same wait-before-NULL-check ordering as above.
        WaitForSingleObject(hHookFunc,INFINITE);
        if( hHookFunc == NULL)
        {
            CloseHandle(hRemoteThread);
            CloseHandle(hRemoteProcess);
            return FALSE;
        }
        CloseHandle(hHookFunc);
    }
    else
    {
        // LoadLibraryA returned NULL in the target: the DLL did not load.
        CloseHandle(hRemoteProcess);
        CloseHandle(hRemoteThread);
        return FALSE;
    }
    CloseHandle(hRemoteProcess);
    CloseHandle(hRemoteThread);
    return TRUE;
}

/*
 * Build the path of "this.dll" next to the current executable, compute the
 * offset of its "HookFun" export from its load base by loading it locally,
 * then inject it into process dwPid via CreateRemoteDll().
 *
 * The offset is reused in the target on the assumption that the same DLL
 * image has the same base-relative layout there.  The global dwArgu is
 * passed through unchanged (zero unless assigned elsewhere).
 *
 * NOTE(review): no return value checks here — GetModuleFileName may
 * truncate, strrchr may return NULL (then dereferenced), strcat is
 * unbounded, LoadLibrary may return NULL (then passed to GetProcAddress),
 * and CreateRemoteDll's result is discarded.
 */
void Hook(int dwPid)
{
    char curpath[260];
    GetModuleFileName(NULL,curpath,260);
    *strrchr(curpath,'\\') = '\0';   // strip the executable name, keep the directory
    strcat(curpath,"\\this.dll");
    HMODULE hTmpDll = LoadLibrary(curpath);
    dwOffect = (DWORD)GetProcAddress(hTmpDll,"HookFun");
    dwOffect -= (DWORD)hTmpDll;      // absolute address -> offset from DLL base
    FreeLibrary(hTmpDll);
    CreateRemoteDll(curpath,dwPid,dwOffect,dwArgu);
}
Hook代码
__declspec(naked) void MyHookGetRes() { __asm { pushad pushfd } MyFun(); __asm { popfd popad add esp,0xc jmp uRetAddr } } ULONG uHookAddr = 0x11111 + (DWORD)hModule; HANDLE handle = GetCurrentProcess(); char MyJMP[5]={0}; MyJMP[0]=(char)0xe9; ULONG uTempAddr=(ULONG)MyJMP; uRetAddr = uHookAddr + 5; ULONG uSkillJmp=(ULONG)MyHookGetRes-uHookAddr-5; __asm { mov eax,uSkillJmp mov ebx, uTempAddr add ebx ,1 mov [ebx],eax mov ecx,[ebx] } WriteProcessMemory(handle,(LPVOID)(uHookAddr),(LPVOID)MyJMP,5,NULL);