• CreateRemoteThread远程线程注入Dll与Hook


    CreateRemoteThread虽然很容易被检测到,但是在有些场合还是挺有用的。每次想用的时候总想着去找以前的代码,现在在这里记录一下。

    CreateRemoteThread远程注入

    // File-scope state shared by Hook() and CreateRemoteDll() below.
    //   dwOffect - RVA of the DLL's exported "HookFun" (export address minus
    //              module base); Hook() computes it before injecting.
    //   dwArgu   - argument handed to the remote HookFun thread. Nothing in
    //              this listing assigns it, so it is zero unless set elsewhere.
    DWORD dwOffect,dwArgu;
    
    /*
     * Load DllFullPath into process dwRemoteProcessId and then run one of the
     * DLL's functions there. Steps, in order:
     *   1. enable SeDebugPrivilege on our own token (best-effort, unchecked);
     *   2. open the target with thread-creation and VM-write rights;
     *   3. allocate a buffer in the target and copy the DLL path into it;
     *   4. start a remote thread at kernel32!LoadLibraryA with that buffer as
     *      its argument, wait for it, and read the module base from its exit
     *      code;
     *   5. start a second remote thread at base + dwOffect with dwArgu.
     *
     * Parameters:
     *   DllFullPath       - NUL-terminated ANSI path copied into the target.
     *   dwRemoteProcessId - PID of the target process.
     *   dwOffect          - RVA of the function to run after the load (the
     *                       caller derives it from GetProcAddress minus base).
     *   dwArgu            - argument passed to that second remote thread.
     *   (both parameters shadow the file-scope globals of the same name)
     * Returns TRUE only when both remote threads were created; FALSE on any
     * failure.
     *
     * Defects visible in this body, left as written:
     *   - nothing in the privilege block checks a return value;
     *     AdjustTokenPrivileges reports a partial grant only via GetLastError.
     *   - the remote buffer is never released with VirtualFreeEx on any path.
     *   - WaitForSingleObject is called on each thread handle *before* the
     *     NULL check, and GetExitCodeThread's result is unchecked, so
     *     dwDllAddr can be read uninitialised.
     *   - hRemoteProcess leaks when GetProcAddress fails.
     *   - thread exit codes are 32-bit, so reading an HMODULE out of one only
     *     works for 32-bit targets (the rest of this listing is 32-bit inline
     *     asm anyway).
     * Detection note: OpenProcess(PROCESS_VM_WRITE|PROCESS_CREATE_THREAD) +
     * VirtualAllocEx + WriteProcessMemory + CreateRemoteThread starting at
     * LoadLibraryA is the textbook remote-DLL-load sequence and is exactly
     * what endpoint telemetry keys on.
     */
    BOOL CreateRemoteDll(const char *DllFullPath, const DWORD dwRemoteProcessId ,DWORD dwOffect,DWORD dwArgu)
    {
        HANDLE hToken;
        // Best-effort: enable SeDebugPrivilege on our own token so OpenProcess
        // below is not refused by the target's DACL. Failures are ignored.
        if ( OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken) )
        {
            TOKEN_PRIVILEGES tkp;

            LookupPrivilegeValue( NULL,SE_DEBUG_NAME,&tkp.Privileges[0].Luid );// look up the LUID of SeDebugPrivilege (return value unchecked)
            tkp.PrivilegeCount=1;
            tkp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
            AdjustTokenPrivileges( hToken,FALSE,&tkp,sizeof tkp,NULL,NULL );// ask the kernel to enable it (return value and GetLastError unchecked)
            CloseHandle(hToken);
        }

        HANDLE hRemoteProcess;

        // Open the remote *process* (the original comment said "thread") with
        // only the rights the steps below need.
        if( (hRemoteProcess = OpenProcess( PROCESS_CREATE_THREAD |    // allow creating a thread in it
            PROCESS_VM_OPERATION |                // allow VirtualAllocEx
            PROCESS_VM_WRITE,                    // allow WriteProcessMemory
            FALSE, dwRemoteProcessId ) )== NULL )
        {
            return FALSE;
        }

        char *pszLibFileRemote;
        // Allocate a buffer for the DLL path in the remote address space.
        // lstrlen+1 bytes: the path plus its terminator, ANSI because the
        // remote entry point is LoadLibraryA.
        pszLibFileRemote = (char *) VirtualAllocEx( hRemoteProcess, NULL, lstrlen(DllFullPath)+1, 
            MEM_COMMIT, PAGE_READWRITE);
        if(pszLibFileRemote == NULL)
        {
            CloseHandle(hRemoteProcess);
            return FALSE;
        }

        // Copy the DLL path into the remote buffer. On failure the buffer
        // allocated above is left behind in the target (no VirtualFreeEx).
        if( WriteProcessMemory(hRemoteProcess,
            pszLibFileRemote, (void *) DllFullPath, lstrlen(DllFullPath)+1, NULL) == 0)
        {
            CloseHandle(hRemoteProcess);
            return FALSE;
        }

        // Resolve LoadLibraryA in *our* kernel32 and use that address for the
        // remote thread; this assumes kernel32 is mapped at the same base in
        // the target process.
        PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
            GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");

        if(pfnStartAddr == NULL)
        {
            // BUG: returns without CloseHandle(hRemoteProcess); the remote
            // buffer is leaked as well.
            return FALSE;
        }

        HANDLE hRemoteThread;
        // Remote thread whose start routine is LoadLibraryA and whose single
        // argument is the remote copy of the path.
        hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0, 
            pfnStartAddr, pszLibFileRemote, 0, NULL);
        // BUG: the wait happens before the NULL check; on a failed create this
        // is WaitForSingleObject(NULL, ...), which just returns WAIT_FAILED.
        WaitForSingleObject(hRemoteThread,INFINITE);
        if( hRemoteThread == NULL)
        {

            CloseHandle(hRemoteProcess);
            return FALSE;
        }
        DWORD dwDllAddr;
        // The thread's exit code is LoadLibraryA's return value, i.e. the
        // module base of the DLL inside the target (0 if the load failed).
        // Return value of GetExitCodeThread is unchecked; dwDllAddr stays
        // uninitialised if it fails.
        GetExitCodeThread(hRemoteThread,&dwDllAddr);
        if(dwDllAddr!=0)
        {    
            // base + RVA = absolute address of the exported function in the
            // remote mapping.
            dwDllAddr += dwOffect;
            HANDLE hHookFunc;
            // Second remote thread: run that function with dwArgu as its
            // single argument.
            hHookFunc = CreateRemoteThread( hRemoteProcess, NULL, 0, 
                (PTHREAD_START_ROUTINE)dwDllAddr, (LPVOID)dwArgu, 0, NULL);
            // Same wait-before-NULL-check ordering as above.
            WaitForSingleObject(hHookFunc,INFINITE);
            if( hHookFunc == NULL)
            {
                CloseHandle(hRemoteThread);
                CloseHandle(hRemoteProcess);
                return FALSE;
            }
            CloseHandle(hHookFunc);

        }
        else
        {
            // LoadLibraryA returned NULL in the target: the DLL did not load.
            CloseHandle(hRemoteProcess);
            CloseHandle(hRemoteThread);
            return FALSE;

        }
        CloseHandle(hRemoteProcess);
        CloseHandle(hRemoteThread);
        return TRUE;
    }
    
    /*
     * Driver for CreateRemoteDll(): build the path of "this.dll" next to the
     * current executable, compute the RVA of its exported "HookFun" by
     * loading the DLL locally, then inject it into dwPid and run HookFun
     * there with the global dwArgu.
     *
     * Parameters:
     *   dwPid - target PID (an int here; the callee takes a DWORD).
     * No return value; CreateRemoteDll's result is discarded.
     *
     * NOTE(review): the character and string literals on the two lines after
     * GetModuleFileName look extraction-mangled (backslash escapes dropped);
     * as printed they do not compile. Also: strrchr() is dereferenced with no
     * NULL check, LoadLibrary/GetProcAddress results are unchecked, and
     * loading the DLL locally runs its DllMain in this process before the
     * injection happens.
     */
    void Hook(int dwPid)
    { 
        // MAX_PATH-sized buffer for our own module path; truncation of a
        // longer path is not detected (return value unchecked).
        char curpath[260];
        GetModuleFileName(NULL,curpath,260);
        // Cut at the last path separator to keep only the directory.
        *strrchr(curpath,'\') = '';
        strcat(curpath,"\this.dll");
        // Load our own copy so the export address can be turned into an RVA
        // (address minus base), which is what stays valid in the remote
        // mapping.
        HMODULE hTmpDll = LoadLibrary(curpath);
        dwOffect = (DWORD)GetProcAddress(hTmpDll,"HookFun");
        dwOffect -= (DWORD)hTmpDll;
        FreeLibrary(hTmpDll);
        // dwArgu is the file-scope global; nothing in this listing sets it.
        CreateRemoteDll(curpath,dwPid,dwOffect,dwArgu);
    }

    Hook代码

    /*
     * Trampoline that the 5-byte JMP written further below lands on. Naked:
     * no prologue/epilogue, so the stack and registers are exactly as the
     * hooked code left them. It saves all general registers and the flags,
     * calls MyFun() (defined elsewhere), restores them, discards 12 bytes of
     * stack and jumps back to uRetAddr (also defined elsewhere; assigned
     * uHookAddr + 5 below).
     *
     * NOTE(review): the 5 bytes overwritten at uHookAddr are never
     * re-executed, so `add esp,0xc` presumably stands in for whatever stack
     * cleanup lived there -- confirm against the target's disassembly.
     * 32-bit only: pushad/popad do not exist in x64.
     */
    __declspec(naked) void MyHookGetRes()
    {
        __asm
        {
            pushad          // save EAX..EDI
            pushfd          // save EFLAGS
        }
        MyFun();
        __asm
        {
            popfd
            popad
            add esp,0xc     // drop three dwords from the stack (see note above)
            jmp uRetAddr    // resume just past the patched bytes
        }
    }
    
    // --- Patch site: write a 5-byte relative JMP (E9 rel32) at uHookAddr ---
    // This run executes inside the process that owns uHookAddr (the handle
    // used is GetCurrentProcess()), i.e. presumably from within the injected
    // DLL. hModule and uRetAddr are not declared in this listing; hModule is
    // presumably the base of the module being patched, and 0x11111 looks like
    // a placeholder RVA -- confirm.
    ULONG uHookAddr = 0x11111  + (DWORD)hModule;
    HANDLE handle = GetCurrentProcess();   // pseudo-handle: the write below targets our own address space
    char MyJMP[5]={0};
    MyJMP[0]=(char)0xe9;                   // opcode of JMP rel32
    ULONG uTempAddr=(ULONG)MyJMP;
    uRetAddr = uHookAddr + 5;              // where the trampoline returns to: just past the patch
    ULONG uSkillJmp=(ULONG)MyHookGetRes-uHookAddr-5;   // rel32 = target - (patch address + 5)
    // Store the 4-byte displacement at MyJMP[1..4]; equivalent to
    // memcpy(MyJMP + 1, &uSkillJmp, 4). The final `mov ecx,[ebx]` is a read
    // with no effect.
    __asm
    {
        mov eax,uSkillJmp
            mov ebx, uTempAddr
            add ebx ,1
            mov [ebx],eax
            mov ecx,[ebx]
    }
    // Return value unchecked; no VirtualProtect/FlushInstructionCache around
    // the write. Overwriting code bytes of a loaded image is the inline-hook
    // signature that code-integrity scans and hook detectors look for.
    WriteProcessMemory(handle,(LPVOID)(uHookAddr),(LPVOID)MyJMP,5,NULL);
  • 原文地址:https://www.cnblogs.com/Reyzal/p/5482611.html