远程进程注入

 

/*-----------------------------------------------------------------------------
*  
*   版权声明:
*   可以任意转载,转载时请务必以超链接形式标明文章原始出处和作者信息及本声明
*   http://www.cnblogs.com/yuliyang/
*   联系方式:
*   Mail:yuliyang@qq.com
*
*-----------------------------------------------------------------------------*/

 

流程如下:

image

 

先写一个dll文件,用于注入远程进程。(就是在远程进程里新建一个远程线程,远程线程里调用的就是预先准备的dll文件)

为了简单起见,我们的dll文件没有任何导出函数,只有在DllMain中弹出一个窗口,没写任何导出函数,

#include "stdafx.h"
//对话框弹出dll
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        MessageBox(NULL,"yuliyang","inject",MB_OK);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

测试函数:

/*
 * =====================================================================================
 *
 *       Filename:  testdialogdll.cpp
 *      Environment:    
 *    Description:  测试注入DLL
 *
 *
 *        Version:  1.0
 *        Created:  2013/11/3 19:54:41
 *         Author:  yuliyang
I*
 *             Mail:  wzyuliyang911@gmail.com
 *             Blog:  http://www.cnblogs.com/yuliyang
 *
 * =====================================================================================
 */

/*------------------------------------------------------------------------------------------------------------
 * 
 *
 * 只要程序一加载dialogdll.dll就会弹出对话框
 *
 *
 *------------------------------------------------------------------------------------------------------------*/
//#include <Windows.h>
//int main(){
//
//    HINSTANCE hinst;
//    hinst=LoadLibrary("dialogdll.dll");
//    return 0;
//
//}
// ConRunDll.cpp : Defines the entry point for the console application.
//

//#include "stdafx.h"
#include <stdio.h>
#include <windows.h>

int EnableDebugPriv(const char* name)
{
    HANDLE hToken;
    if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken))
    {
        printf("打开指定令牌环失败!\n");
        return -1;
    }

    LUID luid;

    if( !LookupPrivilegeValue(NULL, name, &luid) )
    {
        printf("查询LUID失败!\n");
        return -1;
    }

    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if( !AdjustTokenPrivileges(hToken, FALSE, &tp, NULL, NULL, NULL) )
    {
        printf("提升进程权限失败!\n");
        return -1;
    }

    printf("提升权限成功!\n");
    return 0;
}

BOOL InjectDll(const char* DllFullPath, const DWORD dwRemoteProcessId)
{
    HANDLE hRemoteProcess;
    hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,
        FALSE, dwRemoteProcessId);
    if( hRemoteProcess == NULL )
    {
        printf("打开远程进程失败!\n");
        return FALSE;
    }

    char *pszLibFileRemote ;

    pszLibFileRemote = (char*)VirtualAllocEx(hRemoteProcess, NULL, lstrlen(DllFullPath)+1, MEM_COMMIT, PAGE_READWRITE);
    if( pszLibFileRemote == NULL )
    {
        printf("分配内存失败!\n");
        return FALSE;
    }

    if( !WriteProcessMemory(hRemoteProcess, pszLibFileRemote, (LPVOID)DllFullPath, lstrlen(DllFullPath)+1, NULL) )
    {
        printf("写入内存失败!\n");
        return FALSE;
    }

    PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
    if( pfnStartAddr == NULL )
    {
        printf("获取LoadLibrary函数地址失败!\n");
        return FALSE;
    }

    if( CreateRemoteThread(hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote, 0, NULL) == NULL)
    {
        printf("创建远程线程失败!\n");
        return FALSE;
    }

    return TRUE;
}

int main(int argc, char* argv[])
{
    EnableDebugPriv(SE_DEBUG_NAME);             /* 提升权限 */
    InjectDll("c:\\dialogdll.dll", 2640);       /* 注入远程进程,2640是这时刻我机子上记事本程序的PID,dll文件存放在c:/里 */
    return 0;
}

结果:

86

87

posted @ 2013-11-03 20:26  小菜鸟_yang  阅读(706)  评论(0编辑  收藏  举报