进程DLL注入
1、为什么要进行进程注入:到了WinNT以后的系列操作系统中,每个进程都有自己的4GB私有进程地址空间,彼此互不相关。进程A中的一个地址,比如:0x12345678,到了进程B中的相同地方,存的东西完全不一样,或者说不可预料。所以说如果进程A想要看看或者修改进程B地址空间中的内容,就必须深入到其地址空间中,因为DLL是可以被加载到任何进程当中的,所以在进程注入中,DLL应该是主角,也就是说一些核心的代码都应该放在DLL中编写。
对于我们小黑来说:优点就是进程隐藏,能穿透防火墙。
2、注入的缺点:
如果DLL程序的算法不是很好,或者DLL文件有Bug,那么将影响目标进程的执行效率,或者说干脆目标进程崩溃。
3、注入的具体方法:
目前Windows操作系统上面注入的方法也很多,《Windows核心编程》上面介绍了不少,大家也可以到网上搜索一下,比如钩子,远程线程技术等等……
4、具体编程方法:
本课程教大家用远程线程技术来实现进程的注入。
用到的API函数:
OpenProcess(...) //获取已知进程的句柄;
VirtualAllocEx(...) //在进程中申请空间;
WriteProcessMemory(...) //向进程中写入东西;
GetProcAddress(...) //取得函数在DLL中的地址;
CreateRemoteThread(...) //在其他进程中创建新线程;
对于我们小黑来说:优点就是进程隐藏,能穿透防火墙。
2、注入的缺点:
如果DLL程序的算法不是很好,或者DLL文件有Bug,那么将影响目标进程的执行效率,或者说干脆目标进程崩溃。
3、注入的具体方法:
目前Windows操作系统上面注入的方法也很多,《Windows核心编程》上面介绍了不少,大家也可以到网上搜索一下,比如钩子,远程线程技术等等……
4、具体编程方法:
本课程教大家用远程线程技术来实现进程的注入。
用到的API函数:
OpenProcess(...) //获取已知进程的句柄;
VirtualAllocEx(...) //在进程中申请空间;
WriteProcessMemory(...) //向进程中写入东西;
GetProcAddress(...) //取得函数在DLL中的地址;
CreateRemoteThread(...) //在其他进程中创建新线程;
CloseHandle(...) //关闭句柄;
以前自己写的代码:
代码
1 #include <windows.h>
2 #include <tchar.h>
3 #include <TLHELP32.H>
4 #include <stdio.h>
// Loads the DLL named by lpszLibName into process dwProcessId by starting a
// remote thread at kernel32!LoadLibraryW with the path as its argument (the
// textbook CreateRemoteThread + LoadLibrary pattern). Returns TRUE once the
// remote thread has run to completion, FALSE on any API failure after showing
// a MessageBox with GetLastError().
//
// Defender notes: each step is a well-known telemetry point — OpenProcess on a
// foreign process with PROCESS_VM_WRITE | PROCESS_CREATE_THREAD, a
// cross-process VirtualAllocEx/WriteProcessMemory pair, and a new thread in
// the target whose start address resolves to LoadLibraryW inside kernel32.
//
// Contract caveats: the thread's exit code (LoadLibraryW's return value) is
// never read, so TRUE does not prove the DLL actually loaded.
// NOTE(review): every failure path after OpenProcess returns without closing
// hProcess, and those after VirtualAllocEx leave the remote buffer allocated.
BOOL WINAPI LoadLib(DWORD dwProcessId, LPWSTR lpszLibName)
{
HANDLE hProcess = NULL;
HANDLE hThread = NULL;
LPWSTR lpszRemoteFile = NULL;

// Open the target with only the rights the steps below require.
hProcess = OpenProcess(PROCESS_CREATE_THREAD| PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwProcessId);
if (hProcess == NULL)
{
// Narrow-string MessageBox: this listing assumes a non-UNICODE build.
MessageBox(NULL, ("OpenProcess failed with error " + IntToStr(GetLastError())).c_str(), "Error", MB_ICONINFORMATION + MB_OK);
return FALSE;
}

// Reserve space in the target for the wide DLL path.
// NOTE(review): the size is sizeof(WCHAR) * len + 1 bytes, one byte short of
// the (len + 1) * sizeof(WCHAR) a wide string with its terminator needs; it
// presumably works in practice only because VirtualAllocEx hands back
// zero-filled pages.
lpszRemoteFile = (LPWSTR)VirtualAllocEx(hProcess, NULL, sizeof(WCHAR) * lstrlenW(lpszLibName) + 1, MEM_COMMIT, PAGE_READWRITE);
if (lpszRemoteFile == NULL)
{
MessageBox(NULL, ("VirtualAllocEx failed with error " + IntToStr(GetLastError())).c_str(), "Error", MB_ICONINFORMATION + MB_OK);
return FALSE;
}

// Copy the path into the buffer just allocated (same byte count as above).
if (!WriteProcessMemory(hProcess, lpszRemoteFile, (PVOID)lpszLibName, sizeof(WCHAR) * lstrlenW(lpszLibName) + 1, NULL))
{
MessageBox(NULL, ("WriteProcessMemory failed with error " + IntToStr(GetLastError())).c_str(), "Error", MB_ICONINFORMATION + MB_OK);
return FALSE;
}

// Resolve LoadLibraryW in this process's kernel32.dll. The address is reused
// in the target, which relies on kernel32 being mapped at the same base
// address there. The narrow "Kernel32.dll" literal again implies a
// non-UNICODE build even though the DLL path itself is wide.
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress( GetModuleHandle("Kernel32.dll"),"LoadLibraryW");
if (pfnThreadRtn == NULL)
{
MessageBox(NULL, ("GetProcAddress failed with error " + IntToStr(GetLastError())).c_str(), "Error", MB_ICONINFORMATION + MB_OK);
return FALSE;
}

// Create the remote thread: it executes LoadLibraryW(lpszRemoteFile) in the
// target's context (pfnThreadRtn = LoadLibraryW, lpszRemoteFile = DLL path).
hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, lpszRemoteFile,0, NULL); // pfnThreadRtn: LoadLibrary address; lpszRemoteFile: name of the DLL to load
if (hThread == NULL)
{
MessageBox(NULL, ("CreateRemoteThread failed with error " + IntToStr(GetLastError())).c_str(), "Error", MB_ICONINFORMATION + MB_OK);
return FALSE;
}

// Block until LoadLibraryW returns in the target. With INFINITE, a DllMain
// that never returns hangs this caller as well.
WaitForSingleObject(hThread, INFINITE);

// Release the remote path buffer; the thread has finished reading it. The
// DLL itself stays loaded in the target.
VirtualFreeEx(hProcess, lpszRemoteFile, 0, MEM_RELEASE);

// Close handles (success path only — see NOTE above).
CloseHandle(hThread);
CloseHandle(hProcess);
return TRUE;
}
// Returns the process ID of the first running process whose image name
// (PROCESSENTRY32::szExeFile, compared case-insensitively) equals lpszProcess,
// or 0 when no process matches. Only the first match is reported when several
// instances are running.
// NOTE(review): CreateToolhelp32Snapshot can return INVALID_HANDLE_VALUE and
// Process32First can fail; neither result is checked, so on a snapshot failure
// the loop compares against an uninitialised PROCESSENTRY32.
DWORD FindTarget( LPCTSTR lpszProcess ) // looks up the process ID of the named target process
{
DWORD dwRet = 0;
HANDLE hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ); // snapshot of all processes
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof( PROCESSENTRY32 ); // must be set before the first Process32* call
Process32First( hSnapshot, &pe32 ); // return value not checked
do
{
if ( lstrcmpi( pe32.szExeFile, lpszProcess) == 0 ) // image name only, case-insensitive
{
dwRet = pe32.th32ProcessID;
break;
}
} while ( Process32Next( hSnapshot, &pe32 ) );
CloseHandle( hSnapshot );
return dwRet;
}
// Entry point: injects c:/myDll.dll into the first process named notepad.exe.
// The target name and DLL path are fixed at compile time; argc/argv are
// unused and LoadLib's return value is discarded.
// NOTE(review): when no notepad.exe is running FindTarget returns 0, which is
// passed straight to LoadLib; OpenProcess then fails and the error surfaces
// only through LoadLib's MessageBox.
int main(int argc, char* argv[])
{
LPCTSTR pcTargetFileName=_TEXT("notepad.exe");
LPWSTR lpszLibName =L"c:/myDll.dll"; // myDll.dll: any DLL you build yourself for the exercise
LoadLib(FindTarget(pcTargetFileName), lpszLibName);
return 0;
}
2 #include <tchar.h>
3 #include <TLHELP32.H>
4 #include <stdio.h>
// Loads the DLL named by lpszLibName into process dwProcessId by starting a
// remote thread at kernel32!LoadLibraryW with the path as its argument (the
// textbook CreateRemoteThread + LoadLibrary pattern). Returns TRUE once the
// remote thread has run to completion, FALSE on any API failure after showing
// a MessageBox with GetLastError().
//
// Defender notes: each step is a well-known telemetry point — OpenProcess on a
// foreign process with PROCESS_VM_WRITE | PROCESS_CREATE_THREAD, a
// cross-process VirtualAllocEx/WriteProcessMemory pair, and a new thread in
// the target whose start address resolves to LoadLibraryW inside kernel32.
//
// Contract caveats: the thread's exit code (LoadLibraryW's return value) is
// never read, so TRUE does not prove the DLL actually loaded.
// NOTE(review): every failure path after OpenProcess returns without closing
// hProcess, and those after VirtualAllocEx leave the remote buffer allocated.
BOOL WINAPI LoadLib(DWORD dwProcessId, LPWSTR lpszLibName)
{
HANDLE hProcess = NULL;
HANDLE hThread = NULL;
LPWSTR lpszRemoteFile = NULL;

// Open the target with only the rights the steps below require.
hProcess = OpenProcess(PROCESS_CREATE_THREAD| PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwProcessId);
if (hProcess == NULL)
{
// Narrow-string MessageBox: this listing assumes a non-UNICODE build.
MessageBox(NULL, ("OpenProcess failed with error " + IntToStr(GetLastError())).c_str(), "Error", MB_ICONINFORMATION + MB_OK);
return FALSE;
}

// Reserve space in the target for the wide DLL path.
// NOTE(review): the size is sizeof(WCHAR) * len + 1 bytes, one byte short of
// the (len + 1) * sizeof(WCHAR) a wide string with its terminator needs; it
// presumably works in practice only because VirtualAllocEx hands back
// zero-filled pages.
lpszRemoteFile = (LPWSTR)VirtualAllocEx(hProcess, NULL, sizeof(WCHAR) * lstrlenW(lpszLibName) + 1, MEM_COMMIT, PAGE_READWRITE);
if (lpszRemoteFile == NULL)
{
MessageBox(NULL, ("VirtualAllocEx failed with error " + IntToStr(GetLastError())).c_str(), "Error", MB_ICONINFORMATION + MB_OK);
return FALSE;
}

// Copy the path into the buffer just allocated (same byte count as above).
if (!WriteProcessMemory(hProcess, lpszRemoteFile, (PVOID)lpszLibName, sizeof(WCHAR) * lstrlenW(lpszLibName) + 1, NULL))
{
MessageBox(NULL, ("WriteProcessMemory failed with error " + IntToStr(GetLastError())).c_str(), "Error", MB_ICONINFORMATION + MB_OK);
return FALSE;
}

// Resolve LoadLibraryW in this process's kernel32.dll. The address is reused
// in the target, which relies on kernel32 being mapped at the same base
// address there. The narrow "Kernel32.dll" literal again implies a
// non-UNICODE build even though the DLL path itself is wide.
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress( GetModuleHandle("Kernel32.dll"),"LoadLibraryW");
if (pfnThreadRtn == NULL)
{
MessageBox(NULL, ("GetProcAddress failed with error " + IntToStr(GetLastError())).c_str(), "Error", MB_ICONINFORMATION + MB_OK);
return FALSE;
}

// Create the remote thread: it executes LoadLibraryW(lpszRemoteFile) in the
// target's context (pfnThreadRtn = LoadLibraryW, lpszRemoteFile = DLL path).
hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, lpszRemoteFile,0, NULL); // pfnThreadRtn: LoadLibrary address; lpszRemoteFile: name of the DLL to load
if (hThread == NULL)
{
MessageBox(NULL, ("CreateRemoteThread failed with error " + IntToStr(GetLastError())).c_str(), "Error", MB_ICONINFORMATION + MB_OK);
return FALSE;
}

// Block until LoadLibraryW returns in the target. With INFINITE, a DllMain
// that never returns hangs this caller as well.
WaitForSingleObject(hThread, INFINITE);

// Release the remote path buffer; the thread has finished reading it. The
// DLL itself stays loaded in the target.
VirtualFreeEx(hProcess, lpszRemoteFile, 0, MEM_RELEASE);

// Close handles (success path only — see NOTE above).
CloseHandle(hThread);
CloseHandle(hProcess);
return TRUE;
}
// Returns the process ID of the first running process whose image name
// (PROCESSENTRY32::szExeFile, compared case-insensitively) equals lpszProcess,
// or 0 when no process matches. Only the first match is reported when several
// instances are running.
// NOTE(review): CreateToolhelp32Snapshot can return INVALID_HANDLE_VALUE and
// Process32First can fail; neither result is checked, so on a snapshot failure
// the loop compares against an uninitialised PROCESSENTRY32.
DWORD FindTarget( LPCTSTR lpszProcess ) // looks up the process ID of the named target process
{
DWORD dwRet = 0;
HANDLE hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ); // snapshot of all processes
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof( PROCESSENTRY32 ); // must be set before the first Process32* call
Process32First( hSnapshot, &pe32 ); // return value not checked
do
{
if ( lstrcmpi( pe32.szExeFile, lpszProcess) == 0 ) // image name only, case-insensitive
{
dwRet = pe32.th32ProcessID;
break;
}
} while ( Process32Next( hSnapshot, &pe32 ) );
CloseHandle( hSnapshot );
return dwRet;
}
// Entry point: injects c:/myDll.dll into the first process named notepad.exe.
// The target name and DLL path are fixed at compile time; argc/argv are
// unused and LoadLib's return value is discarded.
// NOTE(review): when no notepad.exe is running FindTarget returns 0, which is
// passed straight to LoadLib; OpenProcess then fails and the error surfaces
// only through LoadLib's MessageBox.
int main(int argc, char* argv[])
{
LPCTSTR pcTargetFileName=_TEXT("notepad.exe");
LPWSTR lpszLibName =L"c:/myDll.dll"; // myDll.dll: any DLL you build yourself for the exercise
LoadLib(FindTarget(pcTargetFileName), lpszLibName);
return 0;
}
SYC总结的代码:
代码
1 #include "stdafx.h"
2 #include "Inject.h"
// Loads the DLL at szModule into process dwID by creating a remote thread at
// kernel32!LoadLibraryA or LoadLibraryW — chosen at compile time by _UNICODE so
// the variant matches the character width of szModule. Returns TRUE as soon as
// the remote thread exists; it neither waits for the thread nor reads
// LoadLibrary's result, so TRUE does not mean the DLL loaded. The remote path
// buffer is intentionally never freed here, since the thread may still be
// reading it when this function returns.
//
// Defender notes: OpenProcess on another process with PROCESS_VM_WRITE |
// PROCESS_CREATE_THREAD, a cross-process WriteProcessMemory, and a new thread
// whose start address is LoadLibrary* are the classic indicators of this
// technique.
//
// NOTE(review): hProcess is not closed on the failure paths after OpenProcess,
// and a failed WriteProcessMemory leaves the VirtualAllocEx buffer behind in
// the target. cByte is an int holding a size_t-valued expression.
BOOL Inject(LPCTSTR szModule, DWORD dwID)
{
// Query rights are requested in addition to the thread/VM rights actually used below.
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwID);
if ( !hProcess ) {
return FALSE;
}
// Byte count of the path including its terminator, in the build's TCHAR width.
int cByte = (_tcslen(szModule)+1) * sizeof(TCHAR);
LPVOID pAddr = VirtualAllocEx(hProcess, NULL, cByte, MEM_COMMIT, PAGE_READWRITE);
if ( !pAddr || !WriteProcessMemory(hProcess, pAddr, szModule, cByte, NULL)) {
return FALSE;
}
// Pick the LoadLibrary export that matches TCHAR; the address is resolved in
// this process and reused in the target (same-base-address assumption).
#ifdef _UNICODE
PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
#else
PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
#endif
if ( !pfnStartAddr ) {
return FALSE;
}
DWORD dwThreadID = 0; // filled by CreateRemoteThread but not used afterwards
HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, pfnStartAddr, pAddr, 0, &dwThreadID);
if ( !hRemoteThread ) {
return FALSE;
}
// Handles are released without waiting; the remote thread keeps running.
CloseHandle(hRemoteThread);
CloseHandle(hProcess);
return TRUE;
}
// Enables (bEnable != 0) or disables the named privilege on the current
// process token. Adjusting a privilege only succeeds when the token already
// holds it — this call cannot grant a privilege the account does not have.
// Returns FALSE when the process token cannot be opened.
// NOTE(review):
//  - a LookupPrivilegeValue failure returns TRUE and leaks hToken, so an
//    unknown privilege name is reported as success;
//  - AdjustTokenPrivileges' return value is ignored and GetLastError() is read
//    only after CloseHandle, which may overwrite it; the ERROR_NOT_ALL_ASSIGNED
//    check has to follow AdjustTokenPrivileges directly to detect that the
//    privilege was not actually held.
BOOL EnablePrivilege(LPCTSTR lpszPrivilegeName, BOOL bEnable) // privilege adjustment helper
{
HANDLE hToken = NULL;
TOKEN_PRIVILEGES tp;
LUID luid;

if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | TOKEN_READ, &hToken))
return FALSE;
if(!LookupPrivilegeValue(NULL, lpszPrivilegeName, &luid)) // name -> LUID; failure falls through as TRUE (see NOTE)
return TRUE;

// Single-entry privilege array: enable or clear the attribute for luid.
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = (bEnable) ? SE_PRIVILEGE_ENABLED : 0;

AdjustTokenPrivileges(hToken, FALSE, &tp, NULL, NULL, NULL);
CloseHandle(hToken);
return (GetLastError() == ERROR_SUCCESS); // last error may already be from CloseHandle, not AdjustTokenPrivileges
}
// Declaration with default arguments (privilege = SE_DEBUG_NAME, enable). It
// follows the definition, relies on C++ default-argument syntax, and nothing in
// this listing calls EnablePrivilege, so Inject runs with the caller's token
// unchanged.
BOOL EnablePrivilege(LPCTSTR lpszPrivilegeName = SE_DEBUG_NAME, BOOL bEnable = TRUE);
// GUI entry point: injects a fixed debug-build DLL path into the hard-coded
// process ID 2152 (whatever the target's PID was when the author ran it).
// NOTE(review): all four parameters are unused, Inject's return value is
// discarded, and the function has no return statement — falling off the end
// of a non-void function other than main() is undefined behaviour, so the
// process exit code is indeterminate.
int APIENTRY _tWinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPTSTR lpCmdLine,
int nCmdShow)
{
Inject(_T("E:\\Project\\Vc8.0\\DLLTest\\debug\\DLLTest.dll"), 2152);
}
2 #include "Inject.h"
// Loads the DLL at szModule into process dwID by creating a remote thread at
// kernel32!LoadLibraryA or LoadLibraryW — chosen at compile time by _UNICODE so
// the variant matches the character width of szModule. Returns TRUE as soon as
// the remote thread exists; it neither waits for the thread nor reads
// LoadLibrary's result, so TRUE does not mean the DLL loaded. The remote path
// buffer is intentionally never freed here, since the thread may still be
// reading it when this function returns.
//
// Defender notes: OpenProcess on another process with PROCESS_VM_WRITE |
// PROCESS_CREATE_THREAD, a cross-process WriteProcessMemory, and a new thread
// whose start address is LoadLibrary* are the classic indicators of this
// technique.
//
// NOTE(review): hProcess is not closed on the failure paths after OpenProcess,
// and a failed WriteProcessMemory leaves the VirtualAllocEx buffer behind in
// the target. cByte is an int holding a size_t-valued expression.
BOOL Inject(LPCTSTR szModule, DWORD dwID)
{
// Query rights are requested in addition to the thread/VM rights actually used below.
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwID);
if ( !hProcess ) {
return FALSE;
}
// Byte count of the path including its terminator, in the build's TCHAR width.
int cByte = (_tcslen(szModule)+1) * sizeof(TCHAR);
LPVOID pAddr = VirtualAllocEx(hProcess, NULL, cByte, MEM_COMMIT, PAGE_READWRITE);
if ( !pAddr || !WriteProcessMemory(hProcess, pAddr, szModule, cByte, NULL)) {
return FALSE;
}
// Pick the LoadLibrary export that matches TCHAR; the address is resolved in
// this process and reused in the target (same-base-address assumption).
#ifdef _UNICODE
PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
#else
PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryA");
#endif
if ( !pfnStartAddr ) {
return FALSE;
}
DWORD dwThreadID = 0; // filled by CreateRemoteThread but not used afterwards
HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, pfnStartAddr, pAddr, 0, &dwThreadID);
if ( !hRemoteThread ) {
return FALSE;
}
// Handles are released without waiting; the remote thread keeps running.
CloseHandle(hRemoteThread);
CloseHandle(hProcess);
return TRUE;
}
// Enables (bEnable != 0) or disables the named privilege on the current
// process token. Adjusting a privilege only succeeds when the token already
// holds it — this call cannot grant a privilege the account does not have.
// Returns FALSE when the process token cannot be opened.
// NOTE(review):
//  - a LookupPrivilegeValue failure returns TRUE and leaks hToken, so an
//    unknown privilege name is reported as success;
//  - AdjustTokenPrivileges' return value is ignored and GetLastError() is read
//    only after CloseHandle, which may overwrite it; the ERROR_NOT_ALL_ASSIGNED
//    check has to follow AdjustTokenPrivileges directly to detect that the
//    privilege was not actually held.
BOOL EnablePrivilege(LPCTSTR lpszPrivilegeName, BOOL bEnable) // privilege adjustment helper
{
HANDLE hToken = NULL;
TOKEN_PRIVILEGES tp;
LUID luid;

if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY | TOKEN_READ, &hToken))
return FALSE;
if(!LookupPrivilegeValue(NULL, lpszPrivilegeName, &luid)) // name -> LUID; failure falls through as TRUE (see NOTE)
return TRUE;

// Single-entry privilege array: enable or clear the attribute for luid.
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = (bEnable) ? SE_PRIVILEGE_ENABLED : 0;

AdjustTokenPrivileges(hToken, FALSE, &tp, NULL, NULL, NULL);
CloseHandle(hToken);
return (GetLastError() == ERROR_SUCCESS); // last error may already be from CloseHandle, not AdjustTokenPrivileges
}
// Declaration with default arguments (privilege = SE_DEBUG_NAME, enable). It
// follows the definition, relies on C++ default-argument syntax, and nothing in
// this listing calls EnablePrivilege, so Inject runs with the caller's token
// unchanged.
BOOL EnablePrivilege(LPCTSTR lpszPrivilegeName = SE_DEBUG_NAME, BOOL bEnable = TRUE);
// GUI entry point: injects a fixed debug-build DLL path into the hard-coded
// process ID 2152 (whatever the target's PID was when the author ran it).
// NOTE(review): all four parameters are unused, Inject's return value is
// discarded, and the function has no return statement — falling off the end
// of a non-void function other than main() is undefined behaviour, so the
// process exit code is indeterminate.
int APIENTRY _tWinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPTSTR lpCmdLine,
int nCmdShow)
{
Inject(_T("E:\\Project\\Vc8.0\\DLLTest\\debug\\DLLTest.dll"), 2152);
}