// Loads the DLL at DllPath into the process named destProcessName by the
// classic CreateRemoteThread + LoadLibraryA sequence:
//   OpenProcess -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory
//   -> CreateRemoteThread(LoadLibraryA, <remote path string>) -> wait for exit.
// From a detection standpoint this exact call chain (RWX allocation in a
// foreign process followed by a remote thread whose start address is
// kernel32!LoadLibraryA) is the textbook signal EDR/ETW-threat-intelligence
// providers alert on; every step is visible as cross-process telemetry.
//
// Parameters:
//   destProcessName - target process name (wide string), resolved to a handle
//                     by ProcessTool::OpenProcessByName.
//   DllPath         - ANSI path of the DLL to load; it is copied into the target
//                     and passed verbatim to LoadLibraryA.
// Returns TRUE when the remote thread's exit code (LoadLibraryA's return) is
// non-zero, FALSE on any earlier failure. Errors are logged, not thrown.
//
// Review notes (no behavior changed here):
//   - hDestProcess is never closed on any path, and hRemoteThread is never
//     closed on the success path; the CloseHandle on the exitCode==0 path is
//     dead code (it follows a return). Both handles leak per call.
//   - The path is copied as a fixed 100 bytes, not strlen(DllPath)+1.
//   - exitCode is a DWORD but is formatted with %llX; assuming HString::Format
//     is printf-style, the argument width does not match (the message itself
//     says only 4 bytes are meaningful).
BOOL Injector::RemoteThreadInject_General(const wchar_t* destProcessName, const char* DllPath) {
Log::INFO(HString::Format("开始远程线程注入(普通版),模块文件路径[%s]", DllPath));
HANDLE hDestProcess;
// Presumably fills hDestProcess with a handle carrying the access rights the
// calls below need (VM_OPERATION/VM_WRITE/CREATE_THREAD/QUERY_INFORMATION);
// confirm in ProcessTool. Failure is not logged here.
if (ProcessTool::OpenProcessByName(destProcessName, hDestProcess) == FALSE) { return FALSE; }
BOOL is32BitProcess = TRUE;
// Return value ignored: if IsWow64Process fails, is32BitProcess stays TRUE.
// NOTE(review): IsWow64Process reports FALSE for a 32-bit process on a 32-bit
// OS, so the #else branch below would misclassify such targets — confirm the
// supported platforms.
IsWow64Process(hDestProcess, &is32BitProcess);
#ifdef _WIN64
// A 64-bit injector cannot load into a WOW64 (32-bit) target.
if (is32BitProcess == TRUE) { Log::Error("远程线程注入(普通版)失败!因为当前进程是64位,而目标进程是32位。"); return FALSE; }
#else
// A 32-bit injector cannot load into a 64-bit target.
if (is32BitProcess == FALSE) { Log::Error("远程线程注入(普通版)失败!因为当前进程是32位,而目标进程是64位。"); return FALSE; }
#endif
PE pe;
// Parse the DLL headers locally only to check its bitness against the target.
// Neither failure branch logs a reason.
if (pe.LoadFileBuffer(DllPath) == FALSE) { return FALSE; }
if (pe.AnalyzePE_ByFileBuffer(pe.pFileBuffer) == FALSE) { return FALSE; }
// Compares a (presumably BOOL) flag against the bool !is32BitProcess; relies
// on pe.IsPE64 being exactly 0 or 1 — verify how PE sets it.
if (pe.IsPE64 != (!is32BitProcess)) { Log::Error("远程线程注入(普通版)失败!因为目标模块的位数与目标进程的位数不一致。"); return FALSE; }
// 100 bytes of RWX memory in the target to hold the path string. The buffer
// only ever holds data, so PAGE_EXECUTE_READWRITE is broader than needed and
// is itself a common alerting condition for memory-scanning defenses.
LPVOID remoteAddr = VirtualAllocEx(hDestProcess, NULL, 100, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (remoteAddr == NULL) { Log::Error(HString::Format("远程线程注入(普通版)失败!因为向目标进程申请空间失败,lastErrorCode=%d", GetLastError())); return FALSE; }
// Fixed 100-byte copy, independent of the actual string length. The remote
// allocation above is leaked (no VirtualFreeEx) on this and later failures.
if (WriteProcessMemory(hDestProcess, (LPVOID)remoteAddr, (LPCVOID)DllPath, 100, OUT NULL) == 0) { Log::Error(HString::Format("远程线程注入(普通版)失败!因为向目标进程写入DLL名称字符串失败,lastErrorCode=%d", GetLastError())); return FALSE; }
// LoadLibraryA is resolved in this process; the address is only valid in the
// target because kernel32 is mapped at the same base in every process of the
// same bitness in a session (ASLR randomizes per boot, not per process).
LPTHREAD_START_ROUTINE pLoadLibrary = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("KERNEL32.DLL")), "LoadLibraryA");
if (pLoadLibrary == NULL) { Log::Error(HString::Format("远程线程注入(普通版)失败!因为获取本进程LoadLibraryA()函数地址失败,lastErrorCode=%d", GetLastError())); return FALSE; }
DWORD remoteThreadID = 0;
// The remote thread runs LoadLibraryA(remoteAddr); its exit code is the
// returned HMODULE truncated to a DWORD. OUT is an empty SAL macro.
HANDLE hRemoteThread = CreateRemoteThread(hDestProcess, NULL, 0, pLoadLibrary, (LPVOID)remoteAddr, 0, OUT & remoteThreadID);
if (hRemoteThread == NULL) { Log::Error(HString::Format("远程线程注入(普通版)失败!因为创建远程线程失败,lastErrorCode=%d", GetLastError())); return FALSE; }
// Blocks without a timeout: a DllMain that never returns hangs this caller.
WaitForSingleObject(hRemoteThread, INFINITE);
// 'far' is the legacy 16-bit keyword, defined as an empty macro by windef.h.
// Return value of GetExitCodeThread is ignored; exitCode is uninitialized if
// it fails.
DWORD far exitCode;
GetExitCodeThread(hRemoteThread, OUT & exitCode);
// Dead code after the first return: the CloseHandle and second return never
// execute, so hRemoteThread leaks here as on every other path.
if (exitCode == 0) { Log::Error(HString::Format("远程线程注入(普通版)失败!因为目标进程LoadLibrary返回的模块基址为0,可能是因为DLL文件路径有误。")); return FALSE; CloseHandle(hRemoteThread); return FALSE; }
// %llX with a 32-bit DWORD argument: width mismatch if Format is printf-like.
Log::SUCCESS(HString::Format("完成远程线程注入(普通版)!远程线程退出码(即LoadLibrary返回的模块基址) = %llX(仅4字节) ", exitCode));
// Success path also returns without closing hRemoteThread or hDestProcess.
return TRUE;
}