• WIN32 远程注入 CreateRemoteThread


    // remote06.cpp : Defines the entry point for the console application.
    //
    
    #include "stdafx.h"
    #include "windows.h"
    #include <errno.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    
    
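    /*
     * Inject the DLL at DllPathName into process ProcessID with the classic
     * CreateRemoteThread + LoadLibraryA technique:
     *   1. open the target with only the rights the injection needs,
     *   2. allocate a buffer in the target and copy the DLL path into it,
     *   3. start a remote thread whose entry point is LoadLibraryA and whose
     *      argument is that buffer, so the target's own loader maps the DLL,
     *   4. wait for the thread, check LoadLibraryA's result, free the buffer.
     *
     * Parameters:
     *   ProcessID   - PID of the target process.
     *   DllPathName - NUL-terminated narrow (ANSI) path of the DLL. The path is
     *                 resolved by the *target* process, so pass an absolute path
     *                 the target can read; a bare file name goes through the
     *                 target's LoadLibrary search order.
     * Returns TRUE only when the remote LoadLibraryA reported success.
     *
     * Caveats a reviewer should know:
     *   - The LoadLibraryA address is read from this process's kernel32 and
     *     reused in the target. That only works when both processes have the
     *     same bitness; injecting across bitness, or into a protected (PPL)
     *     process, fails or crashes the target.
     *   - The DLL's DllMain runs on the remote thread under the target's loader
     *     lock; a DllMain that blocks can stall the wait below.
     *   - OpenProcess with VM_WRITE followed by CreateRemoteThread into another
     *     PID is a well-known injection primitive and is routinely flagged by
     *     EDR. The caller needs rights on the target (same user, or
     *     SeDebugPrivilege for processes of other users).
     *
     * Fixes versus the original: HMODULE from GetModuleHandle is not a kernel
     * handle and must never be passed to CloseHandle; NULL handles were also
     * being closed; the function pointer was truncated through DWORD on x64;
     * the remote buffer was never freed; success was reported before
     * LoadLibraryA had actually run.
     */
    BOOL func(DWORD ProcessID,char* DllPathName)
    {
        const DWORD LoadTimeoutMs = 10000;  /* upper bound on waiting for the target's loader */
        BOOL ok = FALSE;
        HANDLE hProcess = NULL;
        HANDLE hThread = NULL;
        LPVOID lpAllocAddr = NULL;
        BOOL remoteBufferBusy = FALSE;      /* TRUE while a remote thread may still read the buffer */
        SIZE_T LenOfDllPathName;
        HMODULE hKernel32;
        FARPROC pLoadLibraryA;
        DWORD exitCode = 0;

        /* strlen(NULL) is undefined behaviour, and an empty path cannot name a DLL. */
        if (DllPathName == NULL || DllPathName[0] == '\0')
        {
            OutputDebugStringA("DllPathName is NULL or empty!");
            return FALSE;
        }
        /* Copy the terminating NUL too: LoadLibraryA in the target reads a C string. */
        LenOfDllPathName = strlen(DllPathName) + 1;

        /* 1. Open the target. Least privilege: these five rights are exactly what
         *    VirtualAllocEx/WriteProcessMemory/CreateRemoteThread require, instead
         *    of PROCESS_ALL_ACCESS. */
        hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                               PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE,
                               FALSE, ProcessID);
        if (hProcess == NULL)
        {
            OutputDebugStringA("OpenProcess失败!");
            return FALSE;
        }

        /* 2. Allocate a writable, non-executable buffer in the target for the path. */
        lpAllocAddr = VirtualAllocEx(hProcess, NULL, LenOfDllPathName,
                                     MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
        if (lpAllocAddr == NULL)
        {
            OutputDebugStringA("VirtualAllocEx失败!");
            goto cleanup;
        }

        /* 3. Copy the path (including its NUL) into the remote buffer. */
        if (!WriteProcessMemory(hProcess, lpAllocAddr, DllPathName, LenOfDllPathName, NULL))
        {
            OutputDebugStringA("WriteProcessMemory失败!");
            goto cleanup;
        }

        /* 4. Resolve LoadLibraryA in our own kernel32. The HMODULE is a module
         *    base address, not a kernel object, so it is never closed. */
        hKernel32 = GetModuleHandleA("Kernel32.dll");
        if (hKernel32 == NULL)
        {
            OutputDebugStringA("GetModuleHandle失败!");
            goto cleanup;
        }
        /* Keep the pointer as FARPROC: a DWORD cast truncates it on x64. */
        pLoadLibraryA = GetProcAddress(hKernel32, "LoadLibraryA");
        if (pLoadLibraryA == NULL)
        {
            OutputDebugStringA("GetProcAddress失败!");
            goto cleanup;
        }

        /* 5. Run LoadLibraryA(lpAllocAddr) on a new thread inside the target.
         *    LoadLibraryA's single pointer argument matches the thread-start
         *    signature, which is what makes this trick work. */
        hThread = CreateRemoteThread(hProcess, NULL, 0,
                                     (LPTHREAD_START_ROUTINE)pLoadLibraryA,
                                     lpAllocAddr, 0, NULL);
        if (hThread == NULL)
        {
            OutputDebugStringA("CreateRemoteThread失败!");
            goto cleanup;
        }
        remoteBufferBusy = TRUE;

        /* 6. Wait for the loader to finish. The thread's exit code is
         *    LoadLibraryA's return value (the HMODULE, truncated to 32 bits on
         *    x64), so 0 means the DLL was not loaded. The wait is bounded so a
         *    stuck loader lock in the target cannot hang the injector; on
         *    timeout the buffer is deliberately leaked because the remote thread
         *    may still be reading it. */
        if (WaitForSingleObject(hThread, LoadTimeoutMs) != WAIT_OBJECT_0)
        {
            OutputDebugStringA("WaitForSingleObject on remote thread failed or timed out!");
            goto cleanup;
        }
        remoteBufferBusy = FALSE;
        /* NOTE(review): on x64 a module base whose low 32 bits are all zero
         * would be misreported as failure here; treat a FALSE return on x64 as
         * "check the target's module list" rather than proof of failure. */
        if (!GetExitCodeThread(hThread, &exitCode) || exitCode == 0)
        {
            OutputDebugStringA("LoadLibraryA failed in target process!");
            goto cleanup;
        }
        ok = TRUE;

    cleanup:
        /* Single exit: release everything that was actually acquired. */
        if (hThread != NULL)
        {
            CloseHandle(hThread);
        }
        if (lpAllocAddr != NULL && !remoteBufferBusy)
        {
            VirtualFreeEx(hProcess, lpAllocAddr, 0, MEM_RELEASE);
        }
        CloseHandle(hProcess);
        return ok;
    }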
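    /*
     * Entry point:  remote06 <pid> <absolute-dll-path>
     *
     * The original body called func() with the placeholders 进程ID / DLL路径
     * and did not compile; the PID and DLL path now come from the command line.
     * Exit status: 0 on success, 1 when the injection failed (details go to
     * OutputDebugString, visible in a debugger or DebugView), 2 on bad usage.
     */
    int main(int argc, char* argv[])
    {
        char *end = NULL;
        unsigned long pid;

        if (argc != 3)
        {
            fprintf(stderr, "usage: %s <pid> <absolute-dll-path>\n", argv[0]);
            return 2;
        }

        /* strtoul instead of atoi so a malformed PID is rejected rather than
         * silently read as 0; PID 0 (System Idle) is never a valid target. */
        errno = 0;
        pid = strtoul(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || errno == ERANGE || pid == 0)
        {
            fprintf(stderr, "invalid pid: %s\n", argv[1]);
            return 2;
        }

        if (!func((DWORD)pid, argv[2]))
        {
            fprintf(stderr, "injection into pid %lu failed (see debugger output)\n", pid);
            return 1;
        }
        return 0;
    }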
  • 原文地址:https://www.cnblogs.com/ganxiang/p/13215364.html