• 远程线程注射dll


    // Inject: loads the DLL whose path is in the path edit box into the process
    // selected in the process combo box, by starting a remote thread at
    // LoadLibraryW.
    //
    // Sequence: OpenProcess -> VirtualAllocEx -> WriteProcessMemory (DLL path)
    // -> CreateRemoteThread(LoadLibraryW, <remote path buffer>) -> wait.
    // This is the textbook remote-thread injection pattern, so it is also what
    // endpoint monitoring keys on: a cross-process thread whose start address
    // is LoadLibraryW (e.g. Sysmon event 8, CreateRemoteThread) is the usual
    // detection signal.
    //
    // Known defects in this version (code left as-is here):
    //   - hRemoteThread is never closed -> one handle leaked per click.
    //   - GetModuleHandle / GetProcAddress results are not NULL-checked.
    //   - WaitForSingleObject(INFINITE) runs on the UI thread: if LoadLibraryW
    //     never returns in the target (e.g. a blocking DllMain) the dialog hangs.
    void CInjectDlg::OnButtonInject()
    {
        int nPid=0;
        WCHAR szDllPath[MAX_PATH]={0};
        int nDllNameSize=0;                      // byte count, see GetDllInfo below

        // PID selected in the process combo box.
        nPid=m_CtrCboProcess.GetUserChoosePid();
        // PIDs below 8 (idle / System) are refused. MB_OK is 0, so the `+`
        // happens to work; the conventional spelling is MB_OK|MB_ICONEXCLAMATION.
        if (nPid<8)
        {
            MessageBox(L"Can't inject to this process!",L"Error",MB_OK+MB_ICONEXCLAMATION);
            return;
        }
        // DLL path from the edit box; the return value is the path length in bytes.
        // NOTE(review): whether that length includes the terminating L'\0'
        // depends on GetDllInfo (not visible here) -- if it does not, the remote
        // LoadLibraryW reads past the end of the buffer. Confirm against GetDllInfo.
        nDllNameSize=m_CtrEditPath.GetDllInfo(szDllPath);
        // Preparation done, start the real work.
        //////////////////////////////////////////////////////////////////////////
        HANDLE hRemoteProcess=NULL;
        WCHAR* pszDllNameBuff=NULL;              // buffer in the target holding the path
        HANDLE hRemoteThread=NULL;
        HMODULE hKernel32 =GetModuleHandle(L"Kernel32");
        // The *local* address of LoadLibraryW is used as the remote thread start
        // address; this only works while kernel32 is mapped at the same base in
        // the target (same bitness). Neither hKernel32 nor pLoadLibrary is checked.
        LPTHREAD_START_ROUTINE pLoadLibrary=(LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32,"LoadLibraryW");

        __try
        {
            // Rights for the three steps below: create thread, allocate, write.
            hRemoteProcess=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,\
            FALSE,nPid);
            if (NULL==hRemoteProcess)
            {
                ShowErrorInfo(L"OpenProcess Error!");   // presumably reports GetLastError -- not visible here
                __leave;
            }
            // Remote buffer for the path string; read/write only, never executable.
            pszDllNameBuff=(WCHAR*)VirtualAllocEx(hRemoteProcess,NULL,nDllNameSize,MEM_COMMIT,PAGE_READWRITE);
            if (NULL==pszDllNameBuff)
            {
                ShowErrorInfo(L"VirtualAllocEx buff error!");
                __leave;
            }

            // Copy the path into the target. (The message text has a stray
            // leading 'V'; it is a runtime string, so it is left unchanged here.)
            if (!WriteProcessMemory(hRemoteProcess,pszDllNameBuff,szDllPath,nDllNameSize,NULL))
            {
                ShowErrorInfo(L"VWriteProcessMemory error!");
                __leave;
            }

            // The exciting moment: the remote thread runs LoadLibraryW(pszDllNameBuff).
            hRemoteThread=CreateRemoteThread(hRemoteProcess,NULL,0,pLoadLibrary,pszDllNameBuff,0,NULL);
            if (NULL==hRemoteThread)
            {
                ShowErrorInfo(L"CreateRemoteThread error!");
                __leave;
            }
            // Blocks this (UI) thread until LoadLibraryW returns in the target.
            // The thread's exit code (the HMODULE) is not read, and hRemoteThread
            // is never closed.
            WaitForSingleObject(hRemoteThread,INFINITE);
        }
        __finally
        {
            // Runs on every exit from the __try block, including __leave.
            if (NULL!=pszDllNameBuff)
            {
                // Safe to release only because the wait above has completed (or
                // the remote thread was never created), so nothing in the target
                // still reads the path.
                VirtualFreeEx(hRemoteProcess,pszDllNameBuff,0,MEM_RELEASE);
            }
            if (NULL!=hRemoteProcess)
            {
                CloseHandle(hRemoteProcess);
                hRemoteProcess=NULL;
            }
        }
    }


    // Unload: looks the DLL up (by full path) in the selected process's module
    // list and starts a remote thread at FreeLibrary with that module handle.
    //
    // Known defects in this version (code left as-is here):
    //   - hModuleSnap is never closed, and the INVALID_HANDLE_VALUE failure
    //     return of CreateToolhelp32Snapshot is not checked.
    //   - hFindModule stays NULL when the path is not found, yet the remote
    //     FreeLibrary thread is still created (FreeLibrary(NULL) in the target).
    //   - pFreeLibrary is not NULL-checked; hRemoteThread is never closed.
    //   - Unlike OnButtonInject there is no nPid<8 guard.
    void CInjectDlg::OnButtonUnload()
    {
        int nPid=0;
        HANDLE hModuleSnap=NULL;
        MODULEENTRY32 stModuleEntry={0};
        BOOL bFlag=TRUE;
        WCHAR szDllPath[MAX_PATH]={0};
        HMODULE hFindModule=NULL;                // module handle valid in the *target*; NULL if not found

        stModuleEntry.dwSize=sizeof(stModuleEntry);   // required before Module32FirstW
        m_CtrEditPath.GetDllInfo(szDllPath); // DLL path from the edit box
        nPid=m_CtrCboProcess.GetUserChoosePid(); // PID selected in the combo box
        // Walk the target's module list and compare full paths case-insensitively
        // (wcsicmp is the legacy spelling of _wcsicmp). There is no break on a
        // match, so the last matching entry wins.
        hModuleSnap=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,nPid);
        bFlag=Module32FirstW(hModuleSnap,&stModuleEntry);
        for(;bFlag;)
        {
            if (0==wcsicmp(szDllPath,stModuleEntry.szExePath))
            {
                hFindModule=stModuleEntry.hModule;
            }
            bFlag=Module32NextW(hModuleSnap,&stModuleEntry);
        }
        // NOTE(review): hModuleSnap is not closed after the walk.

        // Preparation done, start the real work.
        //////////////////////////////////////////////////////////////////////////
        HANDLE hRemoteProcess=NULL;
        HANDLE hRemoteThread=NULL;
        LPTHREAD_START_ROUTINE pFreeLibrary=NULL;

        // Local address of FreeLibrary reused as the remote start address; as in
        // OnButtonInject this assumes kernel32 sits at the same base in the target.
        pFreeLibrary=(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"Kernel32"),"FreeLibrary");

        __try
        {
            // Same access rights as the inject path.
            hRemoteProcess=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,\
            FALSE,nPid);
            if (NULL==hRemoteProcess)
            {
                ShowErrorInfo(L"OpenProcess Error!");
                __leave;
            }

            // The exciting moment: the remote thread runs FreeLibrary(hFindModule).
            // hFindModule is passed as the LPVOID thread parameter and may be NULL
            // (see the note above the loop).
            hRemoteThread=CreateRemoteThread(hRemoteProcess,NULL,0,pFreeLibrary,hFindModule,0,NULL);
            if (NULL==hRemoteThread)
            {
                ShowErrorInfo(L"CreateRemoteThread error!");
                __leave;
            }
            // Blocks the UI thread until the remote FreeLibrary returns; the
            // thread handle is never closed.
            WaitForSingleObject(hRemoteThread,INFINITE);
        }
        __finally
        {
            // Runs on every exit from the __try block, including __leave.
            if (NULL!=hRemoteProcess)
            {
                CloseHandle(hRemoteProcess);
                hRemoteProcess=NULL;
            }
        }

    }

  • 原文地址:https://www.cnblogs.com/lzjsky/p/1892712.html