《Dll注入经典方法完整版.doc》由会员分享,可在线阅读,更多相关《Dll注入经典方法完整版.doc(4页珍藏版)》请在金锄头文库上搜索。
1、Dll注入经典方法完整版1,OpenProcess获得要注入进程的句柄2,VirtualAllocEx在远程进程中开辟出一段内存,长度为strlen(dllname)+1;3,WriteProcessMemory将Dll的名字写入第二步开辟出的内存中。4,CreateRemoteThread将LoadLibraryA作为线程函数,参数为Dll的名称,创建新线程5,CloseHandle关闭线程句柄卸载Dll:1,CreateRemoteThread将GetModuleHandle注入到远程进程中,参数为被注入的Dll名2,GetExitCodeThread将线程退出的退出码作为Dll模块的句柄
2、值。3,CloseHandle关闭线程句柄3,CreateRemoteThread将FreeLibraryA注入到远程进程中,参数为第二步获得的句柄值。4,WaitForSingleObject等待对象句柄返回5,CloseHandle关闭线程及进程句柄。1. #include2. #include3. #include4. 5. 6. DWORDgetProcessHandle(LPCTSTRlpProcessName)/根据进程名查找进程PID7. 8. DWORDdwRet=0;9. HANDLEhSnapShot=CreateToolhelp32Snapshot(TH32CS_SNAP
3、PROCESS,0);10. if(hSnapShot=INVALID_HANDLE_VALUE)11. 12. printf(n获得进程快照失败%d,GetLastError();13. returndwRet;14. 15. 16. PROCESSENTRY32pe32;/声明进程入口对象17. pe32.dwSize=sizeof(PROCESSENTRY32);/填充进程入口对象大小18. Process32First(hSnapShot,&pe32);/遍历进程列表19. do20. 21. if(!lstrcmp(pe32.szExeFile,lpProcessName)/查找指定
4、进程名的PID22. 23. dwRet=pe32.th32ProcessID;24. break;25. 26. while(Process32Next(hSnapShot,&pe32);27. CloseHandle(hSnapShot);28. returndwRet;/返回29. 30. 31. INTmain(INTargc,CHAR*argv)32. 33. DWORDdwPid=getProcessHandle(LPCTSTR)argv1);34. LPCSTRlpDllName=EvilDll.dll;35. HANDLEhProcess=OpenProcess(PROCESS
5、_VM_OPERATION|PROCESS_VM_WRITE,FALSE,dwPid);36. if(hProcess=NULL)37. 38. printf(n获取进程句柄错误%d,GetLastError();39. return-1;40. 41. DWORDdwSize=strlen(lpDllName)+1;42. DWORDdwHasWrite;43. LPVOIDlpRemoteBuf=VirtualAllocEx(hProcess,NULL,dwSize,MEM_COMMIT,PAGE_READWRITE);44. if(WriteProcessMemory(hProcess,
6、lpRemoteBuf,lpDllName,dwSize,&dwHasWrite)45. 46. if(dwHasWrite!=dwSize)47. 48. VirtualFreeEx(hProcess,lpRemoteBuf,dwSize,MEM_COMMIT);49. CloseHandle(hProcess);50. return-1;51. 52. 53. else54. 55. printf(n写入远程进程内存空间出错%d。,GetLastError();56. CloseHandle(hProcess);57. return-1;58. 59. 60. DWORDdwNewThre
7、adId;61. LPVOIDlpLoadDll=LoadLibraryA;62. HANDLEhNewRemoteThread=CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)lpLoadDll,lpRemoteBuf,0,&dwNewThreadId);63. if(hNewRemoteThread=NULL)64. 65. printf(n建立远程线程失败%d,GetLastError();66. CloseHandle(hProcess);67. return-1;68. 69. 70. WaitForSingleO
8、bject(hNewRemoteThread,INFINITE);71. CloseHandle(hNewRemoteThread);72. 73. /准备卸载之前注入的Dll74. DWORDdwHandle,dwID;75. LPVOIDpFunc=GetModuleHandleA;/获得在远程线程中被注入的Dll的句柄76. HANDLEhThread=CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)pFunc,lpRemoteBuf,0,&dwID);77. WaitForSingleObject(hThread,I
9、NFINITE);78. GetExitCodeThread(hThread,&dwHandle);/线程的结束码即为Dll模块儿的句柄79. CloseHandle(hThread);80. pFunc=FreeLibrary;81. hThread=CreateRemoteThread(hThread,NULL,0,(LPTHREAD_START_ROUTINE)pFunc,(LPVOID)dwHandle,0,&dwID);/将FreeLibraryA注入到远程线程中去卸载Dll82. WaitForSingleObject(hThread,INFINITE);83. CloseHandle(hThread);84. CloseHandle(hProcess);85. return0;86.
