32位:远程线程注入
远程线程注入是最常用的一种注入技术,该技术利用的核心API是 `CreateRemoteThread()` 这个API可以运行远程线程,其次通过创建的线程调用 `LoadLibraryA()` 这个函数动态载入指定的DLL即可实现运行DLL,
而`LoadLibrary()`函数在任何一个可执行文件中都可以被调用到,这就给我们注入提供了有效的条件.
#include <windows.h> #include <stdio.h> void InjectDLL(DWORD PID,char *Path) { DWORD dwSize; HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,false,PID); dwSize=strlen(Path)+1; LPVOID lpParamAddress=VirtualAllocEx(hProcess,0,dwSize,PARITY_SPACE,PAGE_EXECUTE_READWRITE); WriteProcessMemory(hProcess,lpParamAddress,(PVOID)Path,dwSize,NULL); HMODULE hModule=GetModuleHandleA("kernel32.dll"); LPTHREAD_START_ROUTINE lpStartAddress=(LPTHREAD_START_ROUTINE)GetProcAddress(hModule,"LoadLibraryA"); HANDLE hThread=CreateRemoteThread(hProcess,NULL,0,lpStartAddress,lpParamAddress,0,NULL); WaitForSingleObject(hThread,1000); CloseHandle(hThread); } int main() { InjectDLL(1258,"C:hook.dll"); return 0; }
64位:远程线程注入
#include <stdio.h> #include <windows.h> BOOL WINAPI InjectProxyW(DWORD dwPID, PCWSTR pwszProxyFile) { BOOL ret = FALSE; HANDLE hToken = NULL; HANDLE hProcess = NULL; HANDLE hThread = NULL; FARPROC pfnThreadRtn = NULL; PWSTR pwszPara = NULL; hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID); pfnThreadRtn = GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW"); size_t iProxyFileLen = wcslen(pwszProxyFile)*sizeof(WCHAR); //May be in your case iProxyFileLen containes invalid value. pwszPara = (PWSTR)VirtualAllocEx(hProcess, NULL, iProxyFileLen, MEM_COMMIT, PAGE_READWRITE); WriteProcessMemory(hProcess, pwszPara, (PVOID)pwszProxyFile, iProxyFileLen, NULL); hThread = CreateRemoteThread(hProcess, NULL, 1024, (LPTHREAD_START_ROUTINE)pfnThreadRtn, pwszPara, 0, NULL); WaitForSingleObject(hThread, INFINITE); CloseHandle(hThread); VirtualFreeEx(hProcess, pwszPara, 0, MEM_RELEASE); CloseHandle(hProcess); return(TRUE); } int main() { WCHAR dllname[MAX_PATH]; DWORD dwPID = 0; printf("input pid: "); scanf("%ld", &dwPID); //printf("input dll full path: "); scanf("%ws", dllname); InjectProxyW(dwPID,L"C:\hook.dll"); //InjectProxyW(dwPID, dllname); return 0; }
### 消息钩子注入(过保护)
消息钩子注入原理是利用Windows系统中`SetWindowsHookEx()`这个API函数,它可以拦截目标进程的消息到指定的DLL中导出的函数,利用这个特性,我们可以将DLL注入到指定进程中,
该函数的注入属于全局注入,部分游戏保护是无法识别这种注入方式的,我们在注入后需要在代码中判断一下进程是不是我们需要注入的,不然会对全局生效。
1.首先我们需要创建一个Dll工程 hook.cpp 然后将SetHook方法导出,在DllMain中进行了判断,如果窗口句柄为valve001则弹出一个消息框,其他进程直接跳过,即可实现指定进程注入。
#include <windows.h> HHOOK global_hook; LRESULT CALLBACK MyProc(int nCode, WPARAM wParam, LPARAM lParam) { return CallNextHookEx(global_hook, nCode, wParam, lParam); } extern "C" __declspec(dllexport) void SetHook() { global_hook = SetWindowsHookEx(WH_CBT, MyProc, GetModuleHandle(TEXT("hook.dll")), 0); } bool APIENTRY DllMain(HANDLE handle, DWORD dword, LPVOID lpvoid) { HWND hwnd = FindWindowW(L"valve001",NULL); DWORD pid; GetWindowThreadProcessId(hwnd, &pid); if (GetCurrentProcessId() == pid) { MessageBox(hwnd, TEXT("inject"), 0, 0); } return true; }
2.调用代码如下,注意必须将上方编译好的hook.dll与下方工程放到同一个目录下,通过LoadLibrary函数获取到模块句柄,然后通过GetProcAddress获取到导出函数地址,并通过函数指针调用。
#include <windows.h> int main() { HMODULE hMod = LoadLibrary(TEXT("hook.dll")); typedef void(*pSetHook)(void); pSetHook SetHook = (pSetHook)GetProcAddress(hMod, "SetHook"); SetHook(); while (1) { Sleep(1000); } return 0; }