C#中的DLL注入
事实上dll注入很简单,无非就是调用virtualAllocEx,WriteProcessMemory,OpenProcess,CreateRemoteThread等API函数,因为我是学c#的,所以也想看一下c#这方面的文章,但在网上找了半天,没有找到一篇,也许是c#刚兴起的缘故,学c#的并不多,没办法,只好自己移植一下,因为凡是用到API函数,所有的编程的语言都是相同的,这就为我们的移植带来了方便,学c#的一般应该对API的调用概念很淡,因为c#通常不会去调用API函数,因为这些已经被封装了,在vb,vc 等语言中要结束一个进程,首先就必须要得到这个进程的句柄,然后才能进行相应的关闭进程等操作,得到句柄要用到OpenProcess API函数,结束进程要用到TerminateProcess API函数,但是在c#中你根本不需要知道这些API函数就能完成同样的功能,所以你要是想了解一下API的相关知识,学一点vb是一个很好的选择。好了!下面就开始我们的c# dll注入之旅吧!
首先需要加入以下API函数:
[DllImport(kernel32.dll)]
public static extern int VirtualAllocEx(IntPtr hwnd, int lpaddress, int size, int type, int tect);
[DllImport(kernel32.dll)]
public static extern int WriteProcessMemory(IntPtr hwnd, int baseaddress, string buffer, int nsize, int filewriten );
[DllImport(kernel32.dll)]
public static extern int GetProcAddress(int hwnd, string lpname);
[DllImport(kernel32.dll)]
public static extern int GetModuleHandleA(string name);
[DllImport(kernel32.dll)]
public static extern int CreateRemoteThread(IntPtr hwnd, int attrib, int size, int address, int par, int flags, int threadid);
C#声明API比较复杂,因为是调用非托管的dll,所以要用到DllImport来调用非托管的dll,他还有很多属性在这就不多说了,网上有很介绍,可以去查一下,不过c#调用自身的变得动态链接库是倒是很方便,直接加个引用就ok了,调用dll要用的一个引用:using System.Runtime.InteropServices;这个不要忘了加上,下面是编好的所有代码:
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Text;
using System.Windows.Forms;
using System.Runtime.InteropServices;
using System.Diagnostics;
namespace dllinject
{
public partial class Form1 : Form
{
[DllImport(kernel32.dll)] //声明API函数
public static extern int VirtualAllocEx(IntPtr hwnd, int lpaddress, int size, int type, int tect);
[DllImport(kernel32.dll)]
public static extern int WriteProcessMemory(IntPtr hwnd, int baseaddress, string buffer, int nsize, int filewriten );
[DllImport(kernel32.dll)]
public static extern int GetProcAddress(int hwnd, string lpname);
[DllImport(kernel32.dll)]
public static extern int GetModuleHandleA(string name);
[DllImport(kernel32.dll)]
public static extern int CreateRemoteThread(IntPtr hwnd, int attrib, int size, int address, int par, int flags, int threadid);
public Form1()
{
InitializeComponent();
}
private void button1_Click(object sender, EventArgs e)
{
int ok1;
//int ok2;
//int hwnd;
int baseaddress;
int temp=0;
int hack;
int yan;
string dllname;
dllname = c:\\dll.dll;
int dlllength;
dlllength = dllname.Length 1;
Process[] pname = Process.GetProcesses(); //取得所有进程
foreach (Process name in pname) //遍历进程
{
//MessageBox.Show(name.ProcessName.ToLower());
if (name.ProcessName.ToLower().IndexOf(notepad) != -1) //所示记事本,那么下面开始注入
{
baseaddress = VirtualAllocEx(name.Handle, 0, dlllength , 4096, 4); //申请内存空间
if (baseaddress == 0) //返回0则操作失败,下面都是
{
MessageBox.Show(申请内存空间失败!!);
Application.Exit();
}
ok1 = WriteProcessMemory(name.Handle, baseaddress, dllname, dlllength, temp); //写内存
if (ok1 == 0)
{
MessageBox.Show(写内存失败!!);
Application.Exit();
}
hack = GetProcAddress(GetModuleHandleA(Kernel32), LoadLibraryA); //取得loadlibarary在kernek32.dll地址
if (hack == 0)
{
MessageBox.Show(无法取得函数的入口点!!);
Application.Exit();
}
yan = CreateRemoteThread(name.Handle, 0, 0, hack, baseaddress, 0, temp); //创建远程线程。
if (yan == 0)
{
MessageBox.Show(创建远程线程失败!!);
Application.Exit();
}
else
{
MessageBox.Show(已成功注入dll!!);
}
}
}
}
}