95.自动注射

  • dll文件(自定义函数)
    // Exported from the DLL (dllexport) and called from DllMain on process attach.
    // It stores the constant 5048 through a hard-coded absolute address.
    // NOTE(review): nothing validates that address; it is only meaningful for
    // one specific process image and load layout. With a different build of the
    // target, or an ASLR-relocated module, this becomes a write to an arbitrary
    // location and the process may simply crash.
    1 _declspec(dllexport)   void  autoadd()
    2 {
    3     int *p = (int*)0xdc0c4d0;
    4     *p = 5048;
    5 }

     

  • dll文件DLLMain函数
     // DLL entry point invoked by the loader. On DLL_PROCESS_ATTACH it calls
     // autoadd() right away; the remaining reasons do nothing. hModule and
     // lpReserved are not used. Always returns TRUE.
     1 BOOL APIENTRY DllMain( HMODULE hModule,
     2                        DWORD  ul_reason_for_call,
     3                        LPVOID lpReserved
     4                      )
     5 {
     6     switch (ul_reason_for_call)
     7     {
     8     case DLL_PROCESS_ATTACH:
     9         autoadd();
    10         // Executed when the DLL is injected into the process.
               // NOTE(review): there is no break here, so control falls through
               // the three empty cases below to the single break. Harmless today,
               // but any statement later added to those cases would also run on
               // process attach; mark it with /* fallthrough */ or add a break.
    11     case DLL_THREAD_ATTACH:
    12         // Injected into the process and started as a thread.
    13     case DLL_THREAD_DETACH:
    14         // A thread is ending.
    15     case DLL_PROCESS_DETACH:
    16         // Work to do when the process is ending.
    17         break;
    18     }
    19     return TRUE;
    20 }

     

自动注射

  • 以非独占的方式打开一个进程
    1 //以非独占的方式打开这个进程
    2     HANDLE hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwprocessid);

     

  • 获取路径长度并分配内存
    1 int length = strlen(dllpath) + 1;
    2 //在其他进程内部分配内存,可以读写
    3 LPVOID lpremotedllname = VirtualAllocEx(hprocess, NULL, length, MEM_COMMIT, PAGE_READWRITE);

     

  • 将路径写入到进程
    1 //将路径写入到进程
    2     if (WriteProcessMemory(hprocess, lpremotedllname,dllpath,length,NULL)==FALSE)
    3     {
    4         printf("内存写入无效");
    5         return;
    6     }

     

  • 获取系统dll接口,并获取函数的接口
    1    //获取系统dll接口
    2     HMODULE hmodule = GetModuleHandleA("kernel32.dll");
    3     //获取函数接口
    4     LPTHREAD_START_ROUTINE  fnstart = (LPTHREAD_START_ROUTINE)GetProcAddress(hmodule, "LoadLibraryA");

     

  • 开启一个远程线程
    1 //开启一个远程线程
    2     HANDLE hremoteThread = CreateRemoteThread(hprocess, NULL,0, fnstart, dllpath, 0, NULL);

     

  • 关闭句柄,释放内存
    1 CloseHandle(hremoteThread);
    2 CloseHandle(hmodule);
    3 CloseHandle(hprocess);

     

main函数

1 //获取当前路径
2     GetCurrentDirectoryA(1024, dllpath);
3     //连接到字符串
4     strcat(dllpath, "\\new.dll");//链接
5 
6     inject(5016);

 

 

完整代码

 1 #define   _CRT_SECURE_NO_WARNINGS
 2 #include<Windows.h>
 3 #include<string.h>
 4 #include<stdio.h>
 5 
 6 // DLL path: a fixed 1024-byte, zero-initialized buffer that main() fills in
   // (current directory + "\\new.dll") and inject() reads.
 7 char dllpath[1024] = { 0 };
 8 // Inject by id. (The original comment says "thread id", but the value is
   // handed to OpenProcess, so it is a process id.)
   //
   // Makes the process dwprocessid load the DLL named by the global dllpath by
   // having it call LoadLibraryA on that path. Sequence: OpenProcess ->
   // VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread(LoadLibraryA)
   // -> WaitForSingleObject -> CloseHandle. This is the classic remote-thread
   // injection chain; endpoint monitoring commonly keys on exactly this call
   // pattern when it comes from an unrelated process.
   //
   // Every failure is reported with printf() and an early return; the caller
   // gets no return value. See the NOTE(review) comments for the handles and
   // remote memory that those early returns leave open.
 9 void  inject(DWORD dwprocessid)
10 {
11     if (dwprocessid==0)
12     {
13         printf("进程编号无效");
14         return;
15     }
16     // Open the process non-exclusively, asking for every access right.
       // NOTE(review): PROCESS_ALL_ACCESS is far more than the calls below need
       // (VM operation/write and thread creation); a narrower mask limits what
       // the handle can be used for if it leaks.
17     HANDLE hprocess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwprocessid);
18     // Opening failed
19     if (hprocess==NULL)
20     {
21         printf("进程打开无效");
22         return;
23     }
24     // Path length including the terminating NUL.
       // NOTE(review): strlen() yields size_t; storing it in an int is a
       // narrowing conversion (harmless for a 1024-byte buffer, but -Wconversion
       // flags it).
25     int length = strlen(dllpath) + 1;
26     // Commit a readable/writable region inside the other process.
27     LPVOID lpremotedllname = VirtualAllocEx(hprocess, NULL, length, MEM_COMMIT, PAGE_READWRITE);
28     // Did the allocation succeed?
       // NOTE(review): from here on every early return leaks hprocess, and once
       // the allocation succeeded the remote region too (there is no
       // VirtualFreeEx anywhere in this function). A single cleanup path
       // (goto-style) that closes whatever was opened would fix all of them.
29     if (lpremotedllname==NULL)
30     {
31         printf("进程分配内存无效");
32         return;
33     }
34     // Copy the path into the remote region.
35     if (WriteProcessMemory(hprocess, lpremotedllname,dllpath,length,NULL)==FALSE)
36     {
37         printf("内存写入无效");
38         return;
39     }
40     // Locate kernel32.dll in this process (the result is not checked).
41     HMODULE hmodule = GetModuleHandleA("kernel32.dll");
42     // Resolve LoadLibraryA here. The technique relies on kernel32.dll being
       // mapped at the same base in both processes, so that this address is
       // also valid inside the target.
43     LPTHREAD_START_ROUTINE  fnstart = (LPTHREAD_START_ROUTINE)GetProcAddress(hmodule, "LoadLibraryA");
       // NOTE(review): casting a pointer to DWORD truncates it on 64-bit builds
       // (a non-null pointer with zero low bits would pass as "0"); compare
       // against NULL instead.
44     if ((DWORD)fnstart==0)
45     {
46         printf("获取地址失败");
47         return;
48     }
49     // Start a thread in the target whose entry point is LoadLibraryA.
       // NOTE(review): the thread argument passed here is dllpath — this
       // process's own buffer — whereas the path was copied into
       // lpremotedllname on line 35; those are different addresses in
       // different address spaces.
50     HANDLE hremoteThread = CreateRemoteThread(hprocess, NULL,0, fnstart, dllpath, 0, NULL);
51     if (hremoteThread == NULL)
52     {
53         printf("开启线程失败");
54         return;
55     }
56     // Wait for the remote thread to finish.
       // INFINITE means this never times out: if the remote thread blocks (for
       // example inside the loaded DLL's DllMain), inject() hangs with it.
57     if (WaitForSingleObject(hremoteThread,INFINITE)!=WAIT_OBJECT_0)
58     {
59         printf("线程等待失败");
60         return;
61     }
62 
63     CloseHandle(hremoteThread);
       // NOTE(review): hmodule came from GetModuleHandleA, which returns the
       // module's base address rather than a kernel object handle; there is
       // nothing to close, and CloseHandle on it is an invalid-handle call.
       // This line should be dropped.
64     CloseHandle(hmodule);
65     CloseHandle(hprocess);
66 }
   // Program entry: builds dllpath = <current directory>\new.dll, injects it
   // into the hard-coded process id 5016, then waits for a keypress.
   // NOTE(review): `void main()` is not a standard signature; `int main(void)`
   // returning 0 is the portable form.
67 void main()
68 {
69     // Current working directory into dllpath.
       // NOTE(review): the return value is unchecked — it is 0 on failure and
       // the required size when 1024 is too small — so dllpath may be empty or
       // incomplete when the strcat below runs.
70     GetCurrentDirectoryA(1024, dllpath);
71     // Append the file name.
       // NOTE(review): unbounded strcat into the 1024-byte buffer; a long
       // directory plus "\\new.dll" can overflow it. A bounded formatter such as
       // snprintf(dllpath, sizeof dllpath, ...) with a length check avoids that.
72     strcat(dllpath, "\\new.dll");//concatenate
73 
       // The target process id is hard-coded, so it matches only one specific run.
74     inject(5016);
75 
       // system("pause") spawns a shell just to wait for a keypress; getchar()
       // does the same without running cmd.exe.
76     system("pause");
77 }

 
