• 远程DLL注入


    界面如下:

    关键部分代码如下:

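// "Inject" button: reads the PID and DLL path out of the dialog, narrows the
// path to the ANSI code page (InjectDll takes a char*) and calls InjectDll.
// Nothing is reported to the user on failure, matching InjectDll itself.
void CInjectDllDlg::OnBnClickedButtonInject()
{
    // Pull the edit-control contents into m_dwPid / m_strPathName.
    UpdateData(TRUE);

    // Read-only access to the CString: GetString() rather than GetBuffer(0),
    // which hands out a writable buffer that must be paired with ReleaseBuffer().
    LPCTSTR pszWidePath = m_strPathName.GetString();

    // Size query first; -1 makes the call count the terminating NUL, so the
    // result is the whole buffer size. 0 means the conversion failed.
    const int iBufSize = WideCharToMultiByte(CP_ACP, 0, pszWidePath, -1, NULL, 0, NULL, NULL);
    if (iBufSize <= 0)
    {
        return;
    }

    // std::vector owns the narrow buffer, so it is released on every path out
    // of this handler, and it is only handed on after a successful conversion
    // (never with uninitialised contents).
    std::vector<char> narrowPath(static_cast<size_t>(iBufSize));
    if (WideCharToMultiByte(CP_ACP, 0, pszWidePath, -1, &narrowPath[0], iBufSize, NULL, NULL) == 0)
    {
        return;
    }

    InjectDll(m_dwPid, &narrowPath[0]);
}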
    12 
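// "Unload" button: reads the PID and DLL path out of the dialog, narrows the
// path to the ANSI code page (UnInjectDll takes a char*) and calls UnInjectDll.
// Nothing is reported to the user on failure, matching UnInjectDll itself.
void CInjectDllDlg::OnBnClickedButtonUnload()
{
    // Pull the edit-control contents into m_dwPid / m_strPathName.
    UpdateData(TRUE);

    // Read-only access to the CString: GetString() rather than GetBuffer(0),
    // which hands out a writable buffer that must be paired with ReleaseBuffer().
    LPCTSTR pszWidePath = m_strPathName.GetString();

    // Size query first; -1 makes the call count the terminating NUL, so the
    // result is the whole buffer size. 0 means the conversion failed.
    const int iBufSize = WideCharToMultiByte(CP_ACP, 0, pszWidePath, -1, NULL, 0, NULL, NULL);
    if (iBufSize <= 0)
    {
        return;
    }

    // std::vector owns the narrow buffer, so it is released on every path out
    // of this handler, and it is only handed on after a successful conversion
    // (never with uninitialised contents).
    std::vector<char> narrowPath(static_cast<size_t>(iBufSize));
    if (WideCharToMultiByte(CP_ACP, 0, pszWidePath, -1, &narrowPath[0], iBufSize, NULL, NULL) == 0)
    {
        return;
    }

    UnInjectDll(m_dwPid, &narrowPath[0]);
}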
    24 
// Loads szDllName into process dwPid: writes the path into the target's
// address space and starts a remote thread at kernel32!LoadLibraryA with that
// copy as its argument. szDllName is an ANSI (CP_ACP) path owned by the caller.
// The OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
// sequence below is the classic cross-process injection pattern that endpoint
// monitoring typically keys on. Every failure path returns silently.
void CInjectDllDlg::InjectDll(DWORD dwPid, char* szDllName)
{
    // Nothing to do for an unspecified process or an empty path.
    if (dwPid == 0 || strlen(szDllName) == 0)
    {
        return;
    }

    // NOTE(review): a string literal bound to non-const char* is a deprecated
    // conversion (ill-formed since C++11); this should be `const char*`.
    char *pFunName = "LoadLibraryA";
    // PROCESS_ALL_ACCESS asks for every right on the target; least privilege
    // would request only the rights the calls below document as required.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    if (NULL == hProcess)
    {
        return;
    }

    // Length of the path including its terminating NUL (sizeof(char) == 1).
    int iDllLen = strlen(szDllName) + sizeof(char);
    // Committed, writable page in the target that will hold the path string.
    // NOTE(review): this allocation is never released with VirtualFreeEx, so
    // it stays committed in the target for the rest of the target's lifetime.
    PVOID pDllAddr = VirtualAllocEx(hProcess, NULL, iDllLen, MEM_COMMIT, PAGE_READWRITE);
    if (NULL == pDllAddr)
    {
        CloseHandle(hProcess);
        return;
    }

    // NOTE(review): neither the return value nor dwWriteNum is checked; a
    // failed or short write still proceeds to the thread creation below.
    DWORD dwWriteNum = 0;
    WriteProcessMemory(hProcess, pDllAddr, szDllName, iDllLen, &dwWriteNum);
    // The address is resolved in *this* process but used in the target; that
    // relies on kernel32.dll being mapped at the same base in both processes.
    FARPROC pFunAddr = GetProcAddress(GetModuleHandleA("kernel32.dll"), pFunName);
    // The new thread's start routine is LoadLibraryA and its single parameter
    // is the remote copy of the path.
    // NOTE(review): pFunAddr is not checked, and hThread is not checked for
    // NULL before WaitForSingleObject/CloseHandle.
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunAddr, pDllAddr, 0, NULL);
    // Blocks until the remote thread, and therefore LoadLibraryA, has finished.
    WaitForSingleObject(hThread, INFINITE);

    CloseHandle(hThread);
    CloseHandle(hProcess);
}
    56 
// Unloads szDllName from process dwPid: walks the target's module list looking
// for the module whose full path equals szDllName, then starts a remote thread
// at kernel32!FreeLibrary with that module handle as its argument.
// Unlike InjectDll there are no early-out checks; every failure is silent.
void CInjectDllDlg::UnInjectDll(DWORD dwPid, char* szDllName)
{
    // NOTE(review): CreateToolhelp32Snapshot reports failure with
    // INVALID_HANDLE_VALUE (not NULL); the result is never checked here.
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPid);
    // Zero-initialised, so hModule is 0 until an enumeration call fills it in.
    MODULEENTRY32 Me32 = {0};
    Me32.dwSize = sizeof(MODULEENTRY32);

    // szExePath is a wide string here (UNICODE build, hence the conversion);
    // each entry is narrowed to CP_ACP so it can be compared with szDllName.
    BOOL bRet = Module32First(hSnap, &Me32);
    while (bRet)
    {
        // NOTE(review): a 0 result (conversion failure) is not checked and
        // leads to new char[0] and a strcmp on an empty allocation.
        int iBufSize = WideCharToMultiByte(CP_ACP, 0, Me32.szExePath, -1, NULL, 0, NULL, NULL);
        // A fresh buffer per entry; one buffer hoisted out of the loop (or a
        // std::string) would avoid the repeated new[]/delete[].
        char *pszBuffer = new char[iBufSize];
        WideCharToMultiByte(CP_ACP, 0, Me32.szExePath, -1, pszBuffer, iBufSize, NULL, NULL);
        // Exact, case-sensitive comparison of the full module path: the path
        // typed into the dialog must match the loader's recorded path verbatim.
        if (strcmp(pszBuffer, szDllName) == 0)
        {
            delete []pszBuffer;
            pszBuffer = NULL;
            break;
        }
        delete []pszBuffer;
        pszBuffer = NULL;
        bRet = Module32Next(hSnap, &Me32);
    }
    CloseHandle(hSnap);
    // NOTE(review): nothing records whether the loop actually matched. If no
    // module matched, Me32.hModule is whatever the last enumeration call left
    // in it (0 if Module32First failed), and FreeLibrary is still invoked on
    // that value below. A found flag with an early return is needed here.
    // NOTE(review): string literal bound to non-const char*; use `const char*`.
    char *pFunName = "FreeLibrary";

    // NOTE(review): hProcess, pFunAddr and hThread are all used unchecked;
    // PROCESS_ALL_ACCESS is also more than the calls below require.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    // Local address reused in the target; relies on kernel32.dll sharing a base
    // address across processes.
    FARPROC pFunAddr = GetProcAddress(GetModuleHandleA("kernel32.dll"), pFunName);
    // The remote thread calls FreeLibrary(Me32.hModule). Per FreeLibrary's
    // contract this drops one reference; the module is only unmapped once its
    // reference count reaches zero.
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunAddr, Me32.hModule, 0, NULL);
    // Blocks until the remote thread, and therefore FreeLibrary, has finished.
    WaitForSingleObject(hThread, INFINITE);

    CloseHandle(hThread);
    CloseHandle(hProcess);
}

    下载地址:

    http://pan.baidu.com/s/1xk7Jw

  • 原文地址:https://www.cnblogs.com/qiyueliuguang/p/3544087.html