向任意进程注入DLL

可能这对高手来说已经是老掉牙的东西了,

还是来说说原理吧(本人也是菜鸟啊)!
远程注入的原理是:先用VirtualAllocEx在目标进程的地址空间中申请一段内存,
再用WriteProcessMemory把要注入的dll的完整路径写进去(最好是绝对路径:LoadLibraryA是在目标进程里、按目标进程的工作目录和DLL搜索顺序去解析这个路径的,相对路径或裸文件名会被劫持),
然后用GetProcAddress取得本进程Kernel32中LoadLibraryA的地址——同一次开机里kernel32在所有同位数进程中的加载基址相同,所以这个地址在目标进程里同样有效(32位注入器对64位目标、或反过来,则不行),
最后用CreateRemoteThread在目标进程中创建一个远程线程(注意是线程,不是进程),以LoadLibraryA为线程入口、以刚写入的路径为参数,由它在目标进程内完成dll的加载。
顺带一提,"CreateRemoteThread + LoadLibrary"是最经典、也是被杀软/EDR签名最多的注入方式,实际检测规则常常就是盯着跨进程的CreateRemoteThread调用。

#include "stdafx.h"
#include "windows.h"
#include "tlhelp32.h"
#include "stdio.h"
#pragma comment(lib,"ws2_32")
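/*
 * EnableDebugPriv - enable a named privilege (the callers pass
 * SE_DEBUG_NAME) in the current process token.
 *
 * name: privilege name understood by LookupPrivilegeValue.
 * Returns 0 on success, 1 on failure (a MessageBox is shown first).
 *
 * Fixes relative to the original:
 *  - on LookupPrivilegeValue failure it used to fall through and call
 *    AdjustTokenPrivileges with an uninitialized LUID; it now fails;
 *  - AdjustTokenPrivileges returns TRUE even when the token does not
 *    hold the privilege at all (GetLastError() == ERROR_NOT_ALL_ASSIGNED),
 *    which is exactly what happens for a non-elevated caller. That case
 *    is now reported as failure instead of "success";
 *  - the token handle is closed on every path.
 */
int EnableDebugPriv(const char *name)
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tp;
    LUID luid;
    int rc = 1;

    /* Open our own token for adjustment. */
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                          &hToken)) {
        MessageBox(NULL, "OpenProcessToken Error!", "Error!", MB_OK);
        return 1;
    }

    /* Resolve the privilege name to its locally-unique id. */
    if (!LookupPrivilegeValue(NULL, name, &luid)) {
        MessageBox(NULL, "LookupPrivivlegeValue Error!", "Error", MB_OK);
        goto out;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES),
                               NULL, NULL)) {
        MessageBox(NULL, "AdjustTokenPrivileges Error!", "Error", MB_OK);
        goto out;
    }
    /* TRUE return + ERROR_NOT_ALL_ASSIGNED means "nothing was enabled". */
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        MessageBox(NULL, "Privilege not held (ERROR_NOT_ALL_ASSIGNED)!",
                   "Error", MB_OK);
        goto out;
    }

    rc = 0;
out:
    CloseHandle(hToken);
    return rc;
}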
 
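/*
 * injectit - load DllPath into process dwRemoteProcessld by writing the
 * path into the target and running LoadLibraryA there on a remote thread.
 *
 * DllPath: NUL-terminated ANSI path of the DLL. LoadLibraryA resolves it
 *   *inside the target*, so pass an absolute path; a bare name or relative
 *   path is resolved against the target's working directory and DLL search
 *   order (i.e. it is hijackable and may load the wrong file).
 * dwRemoteProcessld: target process id.
 * Returns TRUE only when the remote LoadLibraryA returned non-NULL (the
 * original returned TRUE as soon as the thread was created, before the
 * load had happened or failed). FALSE otherwise, after a MessageBox.
 *
 * Caveats:
 *  - The LoadLibraryA address comes from *this* process's kernel32 and is
 *    reused in the target. That is valid because kernel32 is mapped at the
 *    same base in every process of the same bitness for one boot session;
 *    it is not valid across bitness (32-bit injector -> 64-bit target or
 *    vice versa), where CreateRemoteThread will fail or crash the target.
 *  - GetExitCodeThread returns only the low 32 bits of the HMODULE, so the
 *    exit code is used as a zero/non-zero flag, never as a handle.
 *  - Handles and the remote path buffer are released on every path; the
 *    original leaked the process handle, the thread handle and the remote
 *    allocation.
 */
BOOL injectit(const char *DllPath, const DWORD dwRemoteProcessld)
{
    BOOL ok = FALSE;
    BOOL canFree = TRUE;        /* FALSE while a remote thread may still read the buffer */
    HANDLE hrp = NULL;
    HANDLE hrt = NULL;
    LPVOID psLibFileRemote = NULL;
    SIZE_T cbPath;
    DWORD exitCode = 0;
    PTHREAD_START_ROUTINE pfnStartAddr;

    if (DllPath == NULL || DllPath[0] == '\0') {
        MessageBox(NULL, "DLL path is empty!", "Error", MB_OK);
        return FALSE;
    }
    cbPath = (SIZE_T)lstrlen(DllPath) + 1;     /* include the terminator */

    if (EnableDebugPriv(SE_DEBUG_NAME)) {
        MessageBox(NULL, "Add Privilege Error!", "Error", MB_OK);
        return FALSE;
    }

    /* LoadLibraryA's address in our kernel32; see the bitness caveat above.
     * Resolved before touching the target so a failure costs nothing. */
    pfnStartAddr = (PTHREAD_START_ROUTINE)
        GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
    if (pfnStartAddr == NULL) {
        MessageBox(NULL, "GetProcAddress Error!", "Error", MB_OK);
        return FALSE;
    }

    /* CreateRemoteThread is documented to require QUERY_INFORMATION and
     * VM_READ in addition to the three rights the original asked for. */
    hrp = OpenProcess(PROCESS_CREATE_THREAD |
                      PROCESS_QUERY_INFORMATION |
                      PROCESS_VM_OPERATION |
                      PROCESS_VM_READ |
                      PROCESS_VM_WRITE,
                      FALSE, dwRemoteProcessld);
    if (hrp == NULL) {
        MessageBox(NULL, "OpenProcess Error!", "Error", MB_OK);
        return FALSE;
    }

    /* Buffer for the path inside the target; PAGE_READWRITE is enough,
     * it is data, not code. */
    psLibFileRemote = VirtualAllocEx(hrp, NULL, cbPath, MEM_COMMIT, PAGE_READWRITE);
    if (psLibFileRemote == NULL) {
        MessageBox(NULL, "VirtualAllocEx Error!", "Error", MB_OK);
        goto out;
    }

    if (!WriteProcessMemory(hrp, psLibFileRemote, DllPath, cbPath, NULL)) {
        MessageBox(NULL, "WriteProcessMemory Error!", "Error", MB_OK);
        goto out;
    }

    /* Thread entry = LoadLibraryA, thread parameter = remote path buffer. */
    hrt = CreateRemoteThread(hrp, NULL, 0, pfnStartAddr, psLibFileRemote, 0, NULL);
    if (hrt == NULL) {
        MessageBox(NULL, "CreateRemote Error!", "Error", MB_OK);
        goto out;
    }
    canFree = FALSE;

    /* Wait for LoadLibraryA to return so the buffer can be freed safely
     * and so the caller learns whether the load actually succeeded. */
    if (WaitForSingleObject(hrt, INFINITE) == WAIT_OBJECT_0) {
        canFree = TRUE;
        if (GetExitCodeThread(hrt, &exitCode) && exitCode != 0) {
            ok = TRUE;
        } else {
            MessageBox(NULL, "Remote LoadLibraryA failed!", "Error", MB_OK);
        }
    } else {
        MessageBox(NULL, "WaitForSingleObject Error!", "Error", MB_OK);
    }

out:
    if (hrt != NULL)
        CloseHandle(hrt);
    if (psLibFileRemote != NULL && canFree)
        VirtualFreeEx(hrp, psLibFileRemote, 0, MEM_RELEASE);
    CloseHandle(hrp);
    return ok;
}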
 
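/*
 * getpid - return the id of the first running process whose image name
 * equals pn, or 0 when none matches (or the snapshot cannot be taken).
 *
 * pn: image file name such as "notepad.exe" (no path).
 *
 * The comparison is case-insensitive (lstrcmpiA) because Windows image
 * names are; the original used strcmp, so "notepad.exe" did not match
 * "NOTEPAD.EXE". When several processes share the name the first one the
 * snapshot lists is returned.
 *
 * Fixes: the original fell off the end with no return value when nothing
 * matched (undefined behavior, and main() tests for 0), never checked the
 * snapshot handle, and leaked it.
 */
unsigned long getpid(char *pn)
{
    HANDLE snap;
    PROCESSENTRY32 pe;
    unsigned long pid = 0;
    BOOL more;

    if (pn == NULL || pn[0] == '\0')
        return 0;

    snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE)
        return 0;

    pe.dwSize = sizeof(pe);     /* required by Process32First */
    for (more = Process32First(snap, &pe); more; more = Process32Next(snap, &pe)) {
        if (lstrcmpiA(pn, pe.szExeFile) == 0) {
            pid = pe.th32ProcessID;
            break;
        }
    }

    CloseHandle(snap);
    return pid;
}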

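/*
 * main - usage: injectpro.exe <target image name> <dll path>
 *
 * Fixes relative to the original:
 *  - it tested argc < 2 but then read argv[2], so "injectpro.exe foo.exe"
 *    passed a NULL DLL path into injectit;
 *  - the DLL path is made absolute and checked to exist here, because
 *    LoadLibraryA runs inside the target and resolves a relative path
 *    against the target's working directory and DLL search order, not ours;
 *  - the example in the usage text named "iexplorer.exe", which is not the
 *    Internet Explorer image name ("iexplore.exe");
 *  - a missing process is reported instead of exiting silently;
 *  - EnableDebugPriv is no longer called here: injectit already does it.
 * Returns 0 on success or usage, 1 on any failure.
 */
int main(int argc, char *argv[])
{
    char fullPath[MAX_PATH];
    DWORD pid;
    DWORD len;

    if (argc < 3) {
        printf("++++++++++++++++++++++++++++++++++++++++++++++++++++++\n");
        printf("injectpro V1.0!\nAuthor:text  QQ:52674548\nusage:\n  injectpro.exe targetprocess youdll\n");
        printf("  eg:injectpro.exe iexplore.exe c:\\youdll.dll\n");
        printf("++++++++++++++++++++++++++++++++++++++++++++++++++++++\n");
        return 0;
    }

    pid = getpid(argv[1]);
    if (pid == 0) {
        printf("process %s not found!\n", argv[1]);
        return 1;
    }

    /* Resolve to an absolute path in *our* context before handing it to
     * the target; reject truncation. */
    len = GetFullPathNameA(argv[2], (DWORD)sizeof fullPath, fullPath, NULL);
    if (len == 0 || len >= (DWORD)sizeof fullPath) {
        printf("bad dll path: %s\n", argv[2]);
        return 1;
    }
    if (GetFileAttributesA(fullPath) == INVALID_FILE_ATTRIBUTES) {
        printf("dll not found: %s\n", fullPath);
        return 1;
    }

    if (injectit(fullPath, pid)) {
        printf("inject success!");
    } else {
        printf("inject error!");
    }
    return 0;
}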
