Dll注入技术之远程线程注入
测试环境
系统:Windows 10 64bit
注入目标: win7 64bit 计算器(这个软件用着习惯,所以我从win7上拷贝到win10上了)。注意:注入器、dll 和目标进程三者的位数必须一致(这里都是 64 位),因为下面直接把本进程里的 LoadLibrary 地址和宽字符路径用于目标进程。
主要思路:
1.使用进程PID打开进程,获得句柄
2.使用进程句柄申请内存空间
3.把dll路径写入内存
4.创建远程线程,以 LoadLibraryW 为线程函数、目标进程中的 dll 路径地址为参数(路径按宽字符写入,所以要明确使用 W 版本)
5.收尾:等待远程线程结束后释放目标进程中申请的内存并关闭所有句柄;需要时再卸载 dll
主要函数:
// Open a handle to an existing process by PID
HANDLE WINAPI OpenProcess(_In_ DWORD dwDesiredAccess, // access rights requested; request only what the injection needs rather than PROCESS_ALL_ACCESS
_In_ BOOL bInheritHandle, // whether child processes inherit the handle; FALSE here
_In_ DWORD dwProcessId // PID of the target process
);
// Allocate memory inside another process
LPVOID WINAPI VirtualAllocEx(
_In_ HANDLE hProcess, // handle to the target process
_In_opt_ LPVOID lpAddress, // preferred base address; NULL lets the system choose
_In_ SIZE_T dwSize, // size of the region in bytes
_In_ DWORD flAllocationType, // MEM_RESERVE / MEM_COMMIT: reserve address space and/or commit backing storage (both are used below)
_In_ DWORD flProtect // page protection of the region; PAGE_READWRITE is enough for a path string
);
// Write into another process's memory
BOOL WINAPI WriteProcessMemory(_In_ HANDLE hProcess, // handle to the target process
_In_ LPVOID lpBaseAddress, // destination address in the target (the buffer returned by VirtualAllocEx)
_In_ LPCVOID lpBuffer, // source data in this process (the DLL path)
_In_ SIZE_T nSize, // number of bytes to write
_Out_ SIZE_T *lpNumberOfBytesWritten // receives the bytes actually written; compare it with nSize
);
// Create a thread that runs inside another process
HANDLE WINAPI CreateRemoteThread(
_In_ HANDLE hProcess, // handle to the target process
_In_ LPSECURITY_ATTRIBUTES lpThreadAttributes, // thread security attributes; NULL for defaults
_In_ SIZE_T dwStackSize, // initial stack size; 0 for the default
_In_ LPTHREAD_START_ROUTINE lpStartAddress, // start routine, as an address valid in the target (LoadLibraryW here, which takes one pointer argument)
_In_ LPVOID lpParameter, // argument handed to the start routine (the remote address of the DLL path)
_In_ DWORD dwCreationFlags, // creation flags; 0 starts the thread immediately
_Out_ LPDWORD lpThreadId // receives the new thread's ID; may be NULL
);
主要代码:
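/* Process rights this injection path actually uses: allocate and write memory
 * in the target and start a thread there. PROCESS_ALL_ACCESS grants far more
 * than that and is refused on protected processes, so ask only for these.
 */
#define INJECT_PROCESS_ACCESS \
    (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | \
     PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)

/* Injects the DLL at dllPath into the process with PID dwPid via a remote
 * LoadLibraryW thread.
 *
 * dllPath: NUL-terminated wide path of the DLL, as seen from the target.
 *
 * Steps: open the target, allocate a buffer in it, copy the path there, then
 * start a remote thread whose start routine is LoadLibraryW with the buffer as
 * its only argument. The buffer, the thread handle and the process handle are
 * released on every exit path.
 *
 * Returns true only if the remote thread ran and LoadLibraryW reported a
 * non-NULL module. The thread exit code carries only the low 32 bits of the
 * HMODULE, so a zero exit code is treated as failure and any other value as
 * success.
 *
 * The injector, the DLL and the target must share the same bitness: the path is
 * written as UTF-16 for LoadLibraryW, and the LoadLibraryW address is taken
 * from this process's own kernel32 mapping, which is only valid in the target
 * when both are the same architecture.
 */
static bool InjectDllByRemoteThread(SIZE_T dwPid, const WCHAR *dllPath)
{
    bool ok = false;
    HANDLE hProcess = NULL;
    LPVOID pBuf = NULL;
    HANDLE hRemoteThread = NULL;
    HMODULE hKernel32 = NULL;
    FARPROC pLoadLibraryW = NULL;
    SIZE_T nLen = 0;
    SIZE_T dwWrite = 0;
    DWORD exitCode = 0;

    if (dllPath == NULL || dllPath[0] == L'\0') {
        printf("dll路径为空!\n");
        return false;
    }

    /* 1. Open the target with the minimum rights for this operation. */
    hProcess = OpenProcess(INJECT_PROCESS_ACCESS, FALSE, (DWORD)dwPid);
    if (hProcess == NULL) {
        printf("打开进程失败!\n");
        return false;
    }

    /* 2. Allocate room in the target for the path including its terminator. */
    nLen = sizeof(WCHAR) * (wcslen(dllPath) + 1);
    pBuf = VirtualAllocEx(hProcess, NULL, nLen, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (pBuf == NULL) {
        printf("申请内存失败!\n");
        goto cleanup;
    }

    /* 3. Copy the path into the target; a short write is also a failure. */
    if (!WriteProcessMemory(hProcess, pBuf, dllPath, nLen, &dwWrite) || dwWrite != nLen) {
        printf("写入内存失败!\n");
        goto cleanup;
    }

    /* 4. Resolve LoadLibraryW by name. The LoadLibrary macro expands to
     * LoadLibraryA in a non-UNICODE build, which would read the UTF-16 path
     * as the single-character string "C" and load the wrong thing. kernel32
     * is mapped at the same base in every process of the same bitness, so the
     * local address is valid in the target. */
    hKernel32 = GetModuleHandleW(L"kernel32.dll");
    if (hKernel32 != NULL) {
        pLoadLibraryW = GetProcAddress(hKernel32, "LoadLibraryW");
    }
    if (pLoadLibraryW == NULL) {
        printf("获取LoadLibraryW地址失败!\n");
        goto cleanup;
    }

    hRemoteThread = CreateRemoteThread(hProcess, NULL, 0,
                                       (LPTHREAD_START_ROUTINE)pLoadLibraryW, pBuf, 0, NULL);
    if (hRemoteThread == NULL) {
        printf("创建远程线程失败!\n");
        goto cleanup;
    }

    /* 5. Wait for LoadLibraryW to return; the path buffer must stay mapped
     * until then, so it is only freed in cleanup below. */
    if (WaitForSingleObject(hRemoteThread, INFINITE) != WAIT_OBJECT_0) {
        printf("等待远程线程失败!\n");
        goto cleanup;
    }

    /* LoadLibraryW's return value is the thread's exit code (truncated to 32
     * bits); NULL means the DLL was not loaded. */
    if (!GetExitCodeThread(hRemoteThread, &exitCode) || exitCode == 0) {
        printf("LoadLibraryW返回NULL,dll加载失败!\n");
        goto cleanup;
    }
    ok = true;

cleanup:
    if (hRemoteThread != NULL) {
        CloseHandle(hRemoteThread);
    }
    if (pBuf != NULL) {
        /* MEM_RELEASE is the flag VirtualFreeEx accepts; MEM_FREE is a state
         * reported by VirtualQuery and makes the call fail with
         * ERROR_INVALID_PARAMETER, leaking the buffer in the target. */
        VirtualFreeEx(hProcess, pBuf, 0, MEM_RELEASE);
    }
    CloseHandle(hProcess);
    return ok;
}

/* Original entry point, signature unchanged: injects the fixed path
 * C:\Win32Dll.dll into process dwPid. Returns true on success, false on any
 * failure (a message describing the failing step is printed).
 */
bool RemoteThreadInject(SIZE_T dwPid)
{
    return InjectDllByRemoteThread(dwPid, L"C:\\Win32Dll.dll");
}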
dll部分只弹出一个MessageBox,以下是dll部分源码