AutoHotKey也能实现远程dll注入Inject
希望这篇文章和这些代码能帮助到所有正在研究相关技术的人
AutoHotKey也能实现远程dll注入Inject
InjectDll(pid,dllpath) ;目标进程pid,需要注入的dll路径
{
FileGetSize, size, %dllpath% ;获取dll文件大小
file := FileOpen(dllpath, "r") ;只读方式打开“r”
file.RawRead(dllFile, size) ;文件写入到变量dllFile
;根据pid获得句柄,权限为“0x1F0FFF“所有权限
pHandle := DllCall("OpenProcess", "UInt", 0x1F0FFF, "Int", false, "UInt", pid)
;在目标进程申请size大小内存区域用于写入
pLibRemote := DllCall("VirtualAllocEx", "Uint", pHandle, "Uint", 0, "Uint", size, "Uint", 0x1000, "Uint", 4)
;写入Dll
VarSetCapacity(result,4)
DllCall("WriteProcessMemory","Uint",pHandle,"Uint",pLibRemote,"Uint",&dllFile,"Uint",size,"Uint",&result)
;找到LoadLibraryA的入口地址
LoadLibraryAdd := DllCall("GetProcAddress", "Uint", DllCall("GetModuleHandle", "str", "kernel32.dll"),"AStr", "LoadLibraryA")
;创建远程进程,以完成注入
hThrd := DllCall("CreateRemoteThread", "Uint", pHandle, "Uint", 0, "Uint", 0, "Uint", LoadLibraryAdd, "Uint", pLibRemote, "Uint", 0, "Uint", 0)
;回收内存区域
DllCall("VirtualFreeEx","Uint",hProcess,"Uint",pLibRemote,"Uint",0,"Uint",32768)
DllCall("CloseHandle", "Uint", hThrd)
DllCall("CloseHandle", "Uint", pHandle)
Return True
}
{
FileGetSize, size, %dllpath% ;获取dll文件大小
file := FileOpen(dllpath, "r") ;只读方式打开“r”
file.RawRead(dllFile, size) ;文件写入到变量dllFile
;根据pid获得句柄,权限为“0x1F0FFF“所有权限
pHandle := DllCall("OpenProcess", "UInt", 0x1F0FFF, "Int", false, "UInt", pid)
;在目标进程申请size大小内存区域用于写入
pLibRemote := DllCall("VirtualAllocEx", "Uint", pHandle, "Uint", 0, "Uint", size, "Uint", 0x1000, "Uint", 4)
;写入Dll
VarSetCapacity(result,4)
DllCall("WriteProcessMemory","Uint",pHandle,"Uint",pLibRemote,"Uint",&dllFile,"Uint",size,"Uint",&result)
;找到LoadLibraryA的入口地址
LoadLibraryAdd := DllCall("GetProcAddress", "Uint", DllCall("GetModuleHandle", "str", "kernel32.dll"),"AStr", "LoadLibraryA")
;创建远程进程,以完成注入
hThrd := DllCall("CreateRemoteThread", "Uint", pHandle, "Uint", 0, "Uint", 0, "Uint", LoadLibraryAdd, "Uint", pLibRemote, "Uint", 0, "Uint", 0)
;回收内存区域
DllCall("VirtualFreeEx","Uint",hProcess,"Uint",pLibRemote,"Uint",0,"Uint",32768)
DllCall("CloseHandle", "Uint", hThrd)
DllCall("CloseHandle", "Uint", pHandle)
Return True
}
注意此处 "AStr", "LoadLibraryA"
一定要用"AStr",才能获取到loadLibraryA的地址, 具体原因是GetProcAddress只能接受 Ansi类型的字符串参数