实现效果
原理
程序运行的容器是进程,真正活动的是其中的线程。因此,改变程序流程的通常做法是改变线程 EIP 、创建新线程或修改目标进程内的某些代码,使其执行 LoadLibrary(Ex) 来加载目标 DLL
- CreateRemoteThread 法
这是最经典的也是使用范围最广的方法,其基本思路是在目标进程中申请一块内存并向其中写入 DLL 路径,然后调用 CreateRemoteThread,在目标进程中创建一个线程。线程函数的地址就是 LoadLibraryA(W),参数就是存放 DLL 路径的内存指针。这时需要目标进程的 4 个权限(在 Windows7 中需要更多的权限),分别是 PROCESS_CREATE_THREAD、PROCESS_QUERY_INFORMATION、PROCESS_VM_OPERATION 和 PROCESS_VM_WRITE。
代码实现
dll注入.asm
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Win32汇编实现DLL的远程注入
; by CarveStone
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; dll注入.asm
; 32位或64位dll 注入
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 使用 nmake 或下列命令进行编译和链接:
; ml /c /coff dll注入.asm
; rc dll注入.rc
; Link /subsystem:windows dll注入.obj dll注入.res
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.386                          ; 32-bit (IA-32) instruction set: this image is a 32-bit process
.model flat, stdcall          ; flat memory model, stdcall calling convention for invoke/proc
option casemap :none          ; symbol names are case-sensitive (matches the Win32 .inc files)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Include 文件定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
include comdlg32.inc
includelib comdlg32.lib
; forward declaration so _ProcDlgMain can invoke it before its definition;
; arguments are (dwProcID, pszModule)
RemoteInjectModule PROTO :DWORD,:DWORD
; unload counterpart is not implemented in this file (IDC_UNLOADING does nothing)
;RemoteUnloadModule PROTO :DWORD,:DWORD
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Equ 等值定义
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Resource identifiers. These must stay equal to the #define values in dll注入.rc.
ICO_MAIN equ 1000h ; icon resource (0x1000 in the .rc)
DLG_MAIN equ 1 ; main dialog template
IDC_DLLPATH equ 2 ; static text showing the chosen DLL path
IDC_CHOOSEPATH equ 3 ; "choose DLL" button
IDC_INPUTPID equ 4 ; edit box for the target PID
IDC_INJECTION equ 5 ; "inject" button
IDC_UNLOADING equ 6 ; "unload" button (no handler in this file)
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 数据段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data?
hInstance dd ? ; module handle of this image, set in start
pid dd ? ; PID entered by the user (not referenced elsewhere in this file; the PID is read straight from the edit box in _ProcDlgMain)
szModule dd ? ; pointer to the chosen DLL path; written by _ProcDlgMain, not read in this file
lpDllName dd ? ; address of the path buffer allocated inside the target process
szMyDllFull db MAX_PATH dup(?) ; full path of the DLL to inject; passed to RemoteInjectModule
lpLoadLibrary dd ? ; address of LoadLibraryA resolved in this process's kernel32
hProcess dd ? ; handle to the target process returned by OpenProcess
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 数据段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data
szGetModuleHandleA db 'GetModuleHandleA',0 ; API name; presumably kept for the unimplemented unload path (RemoteUnloadModule is only a commented-out PROTO)
;szLoadLibraryA db 'LoadLibraryA',0
szFreeLibrary db 'FreeLibrary',0 ; API name; presumably kept for the unimplemented unload path
szErr1 db '进程打开错误',0 ; "process open error" - OpenProcess step
szErr2 db '虚拟分配错误',0 ; "virtual allocation error" - VirtualAllocEx step
szErr3 db '写入进程内存错误',0 ; "write process memory error" - WriteProcessMemory step
szErr4 db '获取进程地址错误',0 ; "get proc address error" - GetProcAddress step
szErr5 db '创建远程线程错误',0 ; "create remote thread error" - CreateRemoteThread step
szFailed db '注入失败!',0 ; "injection failed!"
szSuccessfully db '注入成功!',0 ; "injection succeeded!"
;szDllKernel db 'Kernel32.dll',0
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 常量
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
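.const
; OPENFILENAME.lpstrFilter: pairs of "display name",0,"pattern",0 ending in a
; double NUL. The previous single string had no pattern element at all, so the
; file dialog had no usable filter; each display name now has its own pattern.
szDllFileExt db 'dll(*.dll)',0,'*.dll',0
             db 'exe(*.exe)',0,'*.exe',0
             db '所有文件(*.*)',0,'*.*',0,0
szLoadLibrary db 'LoadLibraryA',0 ; export name looked up with GetProcAddress
szDllKernel db 'Kernel32.dll',0 ; module that exports LoadLibraryA
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 代码段
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code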
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
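;-----------------------------------------------------------------------
; BOOL RemoteInjectModule(DWORD dwProcID, LPCSTR pszModule)
; ABI:   Win32 stdcall (32-bit image, see .386 / .model flat)
; In:    dwProcID  - PID of the target process
;        pszModule - pointer to a MAX_PATH-byte buffer holding the DLL path
;                    (the whole buffer is copied, NUL terminator included)
; Out:   eax = TRUE when the remote LoadLibraryA thread ran and returned a
;              non-zero module handle, FALSE otherwise; a message box names
;              the step that failed
; Globals written: lpLoadLibrary, hProcess, lpDllName
; Notes: the LoadLibraryA address is resolved in this process's own
;        kernel32 and reused inside the target, which presumes the target is
;        a 32-bit process like this image - TODO confirm for the intended
;        targets. Every API result is checked; on any failure the handles
;        and the remote buffer acquired so far are released at _cleanup.
;-----------------------------------------------------------------------
RemoteInjectModule proc dwProcID,pszModule
    local @hThread:DWORD
    local @dwExit:DWORD
    local @fResult:DWORD

    mov @fResult,FALSE
    mov @hThread,NULL
    mov hProcess,NULL
    mov lpDllName,NULL

    ; resolve LoadLibraryA in this process's kernel32
    invoke GetModuleHandle,addr szDllKernel
    .if eax == NULL
        invoke MessageBox,NULL,addr szErr4,NULL,MB_OK
        jmp _cleanup
    .endif
    invoke GetProcAddress,eax,offset szLoadLibrary
    .if eax == NULL
        invoke MessageBox,NULL,addr szErr4,NULL,MB_OK
        jmp _cleanup
    .endif
    mov lpLoadLibrary,eax

    ; the four access rights listed in the page text for CreateRemoteThread
    invoke OpenProcess,PROCESS_CREATE_THREAD or PROCESS_QUERY_INFORMATION or \
        PROCESS_VM_OPERATION or PROCESS_VM_WRITE,FALSE,dwProcID
    .if eax == NULL
        invoke MessageBox,NULL,addr szErr1,NULL,MB_OK
        jmp _cleanup
    .endif
    mov hProcess,eax

    ; buffer for the DLL path inside the target's address space
    invoke VirtualAllocEx,hProcess,NULL,MAX_PATH,MEM_COMMIT,PAGE_READWRITE
    .if eax == NULL
        invoke MessageBox,NULL,addr szErr2,NULL,MB_OK
        jmp _cleanup
    .endif
    mov lpDllName,eax

    ; copy the path buffer into the target
    invoke WriteProcessMemory,hProcess,lpDllName,pszModule,MAX_PATH,NULL
    .if eax == 0
        invoke MessageBox,NULL,addr szErr3,NULL,MB_OK
        jmp _cleanup
    .endif

    ; thread start = LoadLibraryA, thread parameter = remote path buffer
    invoke CreateRemoteThread,hProcess,NULL,0,lpLoadLibrary,lpDllName,0,NULL
    .if eax == NULL
        invoke MessageBox,NULL,addr szErr5,NULL,MB_OK
        jmp _cleanup
    .endif
    mov @hThread,eax

    ; wait for LoadLibraryA to return before the remote buffer is freed;
    ; the thread exit code is LoadLibraryA's return value (NULL = load failed)
    invoke WaitForSingleObject,@hThread,INFINITE
    mov @dwExit,0
    invoke GetExitCodeThread,@hThread,addr @dwExit
    .if eax != 0 && @dwExit != 0
        mov @fResult,TRUE
        invoke MessageBox,NULL,addr szSuccessfully,NULL,MB_OK
    .else
        invoke MessageBox,NULL,addr szFailed,NULL,MB_OK
    .endif

_cleanup:
    ; release in reverse order of acquisition; each step is skipped if it
    ; was never reached
    .if @hThread != NULL
        invoke CloseHandle,@hThread
    .endif
    .if lpDllName != NULL
        invoke VirtualFreeEx,hProcess,lpDllName,0,MEM_RELEASE
        mov lpDllName,NULL
    .endif
    .if hProcess != NULL
        invoke CloseHandle,hProcess
        mov hProcess,NULL
    .endif
    mov eax,@fResult
    ret
RemoteInjectModule endp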
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
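;-----------------------------------------------------------------------
; INT_PTR CALLBACK _ProcDlgMain(HWND hWnd, UINT wMsg, WPARAM wParam, LPARAM lParam)
; Dialog procedure for DLG_MAIN.
;   WM_INITDIALOG  - set the dialog icon
;   IDC_CHOOSEPATH - let the user pick a file; on OK copy its full path into
;                    szMyDllFull and show it in IDC_DLLPATH
;   IDC_INJECTION  - read the PID edit box and call RemoteInjectModule
;   IDC_UNLOADING  - not implemented (the button is labelled unavailable)
;   WM_CLOSE       - end the dialog
; Out: eax = TRUE when the message was handled, FALSE otherwise
; Fixes vs. the earlier version: lstrcat appended each chosen path to the
; previous one (a second pick produced a garbage path); the dialog's Cancel
; result was ignored; szModule was left pointing at a stack buffer.
;-----------------------------------------------------------------------
_ProcDlgMain proc uses ebx edi esi hWnd,wMsg,wParam,lParam
    local @szBuffer[MAX_PATH]:byte
    local @stOpenFileName:OPENFILENAME
    local @fTranslated:DWORD
    local @dwPid:DWORD

    mov eax,wMsg
    .if eax == WM_CLOSE
        invoke EndDialog,hWnd,NULL
    .elseif eax == WM_INITDIALOG
        invoke LoadIcon,hInstance,ICO_MAIN
        invoke SendMessage,hWnd,WM_SETICON,ICON_BIG,eax
    .elseif eax == WM_COMMAND
        mov eax,wParam
        .if ax == IDC_INJECTION
            ; only inject when the PID box holds a number and a DLL was chosen
            mov @fTranslated,0
            invoke GetDlgItemInt,hWnd,IDC_INPUTPID,addr @fTranslated,FALSE
            mov @dwPid,eax
            .if @fTranslated == 0 || szMyDllFull == 0
                invoke MessageBox,NULL,addr szFailed,NULL,MB_OK
            .else
                invoke RemoteInjectModule,@dwPid,addr szMyDllFull
            .endif
        .elseif ax == IDC_UNLOADING
            ; unloading is not implemented yet
        .elseif ax == IDC_CHOOSEPATH
            invoke RtlZeroMemory,addr @stOpenFileName,sizeof OPENFILENAME
            invoke RtlZeroMemory,addr @szBuffer,sizeof @szBuffer
            mov @stOpenFileName.lStructSize,SIZEOF @stOpenFileName
            mov @stOpenFileName.Flags,OFN_FILEMUSTEXIST or OFN_PATHMUSTEXIST
            push hWnd
            pop @stOpenFileName.hwndOwner
            mov @stOpenFileName.lpstrFilter,offset szDllFileExt
            lea eax,@szBuffer
            mov @stOpenFileName.lpstrFile,eax
            mov @stOpenFileName.nMaxFile,MAX_PATH
            invoke GetOpenFileName,addr @stOpenFileName
            .if eax
                ; lpstrFile already holds the full path: copy it, do not append
                invoke lstrcpy,addr szMyDllFull,addr @szBuffer
                invoke SetDlgItemText,hWnd,IDC_DLLPATH,addr szMyDllFull
                ; point at the persistent copy, not at this proc's stack buffer
                mov szModule,offset szMyDllFull
            .endif
        .endif
    .else
        mov eax,FALSE
        ret
    .endif
    mov eax,TRUE
    ret
_ProcDlgMain endp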
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Program entry point: remember the module handle, run the modal main dialog
; until it is closed, then terminate the process.
start:
invoke GetModuleHandle,NULL
mov hInstance,eax
invoke DialogBoxParam,hInstance,DLG_MAIN,NULL,offset _ProcDlgMain,NULL
invoke ExitProcess,NULL
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
end start
dll注入.rc
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
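#include <resource.h>
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Resource ids; these must stay equal to the equ values in dll注入.asm
#define DLG_MAIN 1
#define IDC_DLLPATH 2
#define IDC_CHOOSEPATH 3
#define IDC_INPUTPID 4
#define ICO_MAIN 0x1000
#define IDC_INJECTION 5
#define IDC_UNLOADING 6
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ICO_MAIN ICON "carve.ico"
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
// Main dialog. Only one control may carry the default-button style
// (DEFPUSHBUTTON), otherwise which button Enter activates is ambiguous;
// the inject button is the default, the other two are plain push buttons.
DLG_MAIN DIALOG 50, 50,280, 180
STYLE DS_MODALFRAME | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
CAPTION "DLL注入工具"
FONT 9, "宋体"
{
CTEXT "", IDC_DLLPATH, 10, 20, 200, 20
CTEXT "PID:", -1, 10, 55, 40, 20
EDITTEXT IDC_INPUTPID,50,50,60,20
PUSHBUTTON "选中注入的DLL",IDC_CHOOSEPATH,160,45,100,30
DEFPUSHBUTTON "注入", IDC_INJECTION, 20, 120, 100, 30
PUSHBUTTON "卸载(暂不可用)", IDC_UNLOADING, 160, 120, 100, 30
}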
//>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Makefile
写了这个文件后,可以用 nmake 来编译
# nmake script: assemble dll注入.asm with ML, compile dll注入.rc with RC, link both.
NAME = dll注入
OBJS = $(NAME).obj
RES = $(NAME).res
LINK_FLAG = /subsystem:windows
ML_FLAG = /c /coff

# default target: the GUI executable
$(NAME).exe: $(OBJS) $(RES)
    Link $(LINK_FLAG) $(OBJS) $(RES)

# explicit per-file rules in place of the .asm.obj / .rc.res inference rules
$(OBJS): $(NAME).asm
    ml $(ML_FLAG) $(NAME).asm

$(RES): $(NAME).rc
    rc $(NAME).rc

# remove intermediates (the .exe is kept)
clean:
    del *.obj
    del *.res
软件下载
csdn
https://download.csdn.net/download/weixin_44018458/12912071
github
https://github.com/CarveStone/dll-