#include <windows.h>
#include <tchar.h>
#include <TLHELP32.H>
#include "resource.h"
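/*
 * FindTarget - look up the process ID of the first running process whose
 * image name equals lpszProcess.
 *
 * lpszProcess: executable file name as reported in PROCESSENTRY32.szExeFile
 *              (name only, no path); compared case-insensitively with
 *              lstrcmpi.
 * Returns the th32ProcessID of the first match in snapshot order, or 0
 * when nothing matches, the name is empty, or the snapshot cannot be taken.
 *
 * Fixes over the original: CreateToolhelp32Snapshot can return
 * INVALID_HANDLE_VALUE and Process32First can fail, in which case the old
 * code walked an uninitialised PROCESSENTRY32. Matching is by name only,
 * so several processes sharing an image name are ambiguous and the first
 * one enumerated wins.
 */
DWORD FindTarget( LPCTSTR lpszProcess )
{
    DWORD dwRet = 0;
    HANDLE hSnapshot;
    PROCESSENTRY32 pe32;

    /* lstrcmpi treats NULL as "", which can never match an image name. */
    if ( NULL == lpszProcess || 0 == lpszProcess[0] )
    {
        return 0;
    }

    hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    if ( INVALID_HANDLE_VALUE == hSnapshot )
    {
        return 0;
    }

    /* dwSize must be set before the first Process32First call. */
    pe32.dwSize = sizeof( pe32 );
    if ( Process32First( hSnapshot, &pe32 ) )
    {
        do
        {
            if ( lstrcmpi( pe32.szExeFile, lpszProcess ) == 0 )
            {
                dwRet = pe32.th32ProcessID;
                break;
            }
        } while ( Process32Next( hSnapshot, &pe32 ) );
    }

    CloseHandle( hSnapshot );
    return dwRet;
}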
/*
 * RemoteLoadLibrary - make process dwProcessID call LoadLibraryA(lpszDll)
 * on a thread created inside it.
 *
 * dwProcessID: target process; opened with PROCESS_CREATE_THREAD |
 *              PROCESS_VM_OPERATION | PROCESS_VM_WRITE.
 * lpszDll:     ANSI DLL name; copied (including the terminating NUL) into
 *              memory allocated in the target and passed as the thread
 *              parameter. The target resolves the name with its own search
 *              order, so a relative name may load a different file than
 *              the caller expects.
 * Returns FALSE when the remote buffer cannot be allocated or the name is
 * not written completely. Returns TRUE once the remote thread has finished,
 * which does NOT mean the DLL loaded: the thread's exit code (LoadLibraryA's
 * return value) is never read here.
 *
 * Review notes:
 *  - OpenProcess and CreateRemoteThread results are not checked; a NULL
 *    handle flows into VirtualAllocEx / WaitForSingleObject.
 *  - dwWritten is a DWORD but WriteProcessMemory writes through a SIZE_T*;
 *    that only lines up on 32-bit builds.
 *  - pFunc is LoadLibraryA's address in THIS process, reused in the target;
 *    it assumes kernel32 is mapped at the same base in both (not verified).
 *  - For monitoring: this is the canonical remote-thread injection sequence
 *    (OpenProcess with VM_WRITE, cross-process write, CreateRemoteThread
 *    starting at LoadLibraryA); Sysmon event 8 / EDR remote-thread telemetry
 *    fire on the CreateRemoteThread call.
 */
BOOL RemoteLoadLibrary( DWORD dwProcessID, LPCSTR lpszDll )
{
// Open the target process (result is not checked for NULL).
HANDLE hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwProcessID );
// Write the DLL name into the target's address space.
DWORD dwSize, dwWritten;
dwSize = lstrlenA( lpszDll ) + 1;
LPVOID lpBuf = VirtualAllocEx( hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE );
if ( NULL == lpBuf )
{
CloseHandle( hProcess );
return FALSE;
}
if ( WriteProcessMemory( hProcess, lpBuf, (LPVOID)lpszDll, dwSize, &dwWritten ) )
{
// A short write still counts as failure.
if ( dwWritten != dwSize )
{
VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT );
CloseHandle( hProcess );
return FALSE;
}
}
else
{
CloseHandle( hProcess );
return FALSE;
}
// Have the target call LoadLibrary to load the DLL.
DWORD dwID;
LPVOID pFunc = LoadLibraryA;
// hThread is not checked for NULL before it is waited on.
HANDLE hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunc, lpBuf, 0, &dwID );
// Wait for LoadLibrary to finish.
WaitForSingleObject( hThread, INFINITE );
// Free the space allocated in the target. MEM_DECOMMIT only decommits the
// pages; MEM_RELEASE with size 0 would return the reservation as well.
VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT );
CloseHandle( hThread );
CloseHandle( hProcess );
return TRUE;
}
/*
 * RemoteFreeLibrary - make process dwProcessID unload lpszDll: one remote
 * thread runs GetModuleHandleA(lpszDll), its exit code is taken as the
 * HMODULE, and a second remote thread runs FreeLibrary on it.
 *
 * dwProcessID: target process; opened with PROCESS_CREATE_THREAD |
 *              PROCESS_VM_OPERATION | PROCESS_VM_WRITE.
 * lpszDll:     ANSI DLL name copied into the target; should match what was
 *              passed to RemoteLoadLibrary.
 * Returns FALSE when the remote buffer cannot be allocated or the name is
 * not written completely; TRUE once the second thread has finished. TRUE
 * does not mean the DLL was unloaded: FreeLibrary's result is never read.
 *
 * Review notes:
 *  - dwHandle is a DWORD filled from a thread exit code, so on a 64-bit
 *    build the HMODULE is truncated before being passed to FreeLibrary.
 *  - dwHandle is never validated: if the DLL is not loaded (handle 0) or
 *    GetExitCodeThread fails (dwHandle left uninitialised) the FreeLibrary
 *    thread is still created.
 *  - OpenProcess / CreateRemoteThread results are not checked; dwWritten
 *    is a DWORD where the API takes SIZE_T* (32-bit builds only).
 *  - Same telemetry footprint as RemoteLoadLibrary: two CreateRemoteThread
 *    calls, this time starting at GetModuleHandleA and FreeLibrary.
 */
BOOL RemoteFreeLibrary( DWORD dwProcessID, LPCSTR lpszDll )
{
// Open the target process (result is not checked for NULL).
HANDLE hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwProcessID );
// Write the DLL name into the target's address space.
DWORD dwSize, dwWritten;
dwSize = lstrlenA( lpszDll ) + 1;
LPVOID lpBuf = VirtualAllocEx( hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE );
if ( NULL == lpBuf )
{
CloseHandle( hProcess );
return FALSE;
}
if ( WriteProcessMemory( hProcess, lpBuf, (LPVOID)lpszDll, dwSize, &dwWritten ) )
{
// A short write still counts as failure.
if ( dwWritten != dwSize )
{
VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT );
CloseHandle( hProcess );
return FALSE;
}
}
else
{
CloseHandle( hProcess );
return FALSE;
}
// Have the target call GetModuleHandle to obtain the DLL's handle there.
DWORD dwHandle, dwID;
LPVOID pFunc = GetModuleHandleA;
HANDLE hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunc, lpBuf, 0, &dwID );
// Wait for GetModuleHandle to finish.
WaitForSingleObject( hThread, INFINITE );
// Read GetModuleHandle's return value from the thread exit code
// (32 bits only; return value of GetExitCodeThread is ignored).
GetExitCodeThread( hThread, &dwHandle );
// Free the space allocated in the target (decommit only, see above).
VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT );
CloseHandle( hThread );
// Have the target call FreeLibrary on that handle, even if dwHandle is 0.
pFunc = FreeLibrary;
hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunc, (LPVOID)dwHandle, 0, &dwID );
// Wait for FreeLibrary to finish.
WaitForSingleObject( hThread, INFINITE );
CloseHandle( hThread );
CloseHandle( hProcess );
return TRUE;
}
/*
 * MainDlgProc - dialog procedure for IDD_MAIN_DLG.
 *
 * Handles WM_INITDIALOG (clears the remembered PID and caps the target
 * edit control at MAX_PATH characters), WM_COMMAND for the three buttons,
 * and WM_CLOSE. Returns 0 for every message, handled or not.
 *
 * Review notes:
 *  - dwProcessID is static: IDC_BTN_DETACH reuses the PID found by the last
 *    IDC_BTN_INSERT, with no check that the process still exists or that
 *    the PID has not been reused since.
 *  - The DLL name is hard-coded as the relative "DLL.dll"; it is resolved
 *    inside the target by LoadLibraryA, so the file actually loaded depends
 *    on the target's DLL search order, not on this tool's directory.
 *  - The DLGPROC type returns INT_PTR; `int` here matches only 32-bit
 *    builds (lParam is unused).
 */
int CALLBACK MainDlgProc( HWND hDlg, UINT uMsg, WPARAM wParam, LPARAM lParam )
{
// PID found by the last successful Insert; 0 means "no target".
static DWORD dwProcessID;
switch ( uMsg )
{
case WM_INITDIALOG:
{
dwProcessID = 0;
// Limit the edit control to MAX_PATH characters so the buffer read
// in IDC_BTN_INSERT (TCHAR[MAX_PATH]) cannot be exceeded.
SendDlgItemMessage( hDlg, IDC_EDT_TARGET, EM_LIMITTEXT, MAX_PATH, 0 );
}
break;
case WM_COMMAND:
{
switch ( LOWORD( wParam ) )
{
case IDC_BTN_EXIT:
{
EndDialog( hDlg, 0 );
}
break;
case IDC_BTN_INSERT:
{
// Read the target image name typed by the user and look up its PID.
TCHAR szTarget[MAX_PATH];
GetDlgItemText( hDlg, IDC_EDT_TARGET, szTarget, MAX_PATH );
dwProcessID = FindTarget( szTarget );
if ( 0 == dwProcessID )
{
MessageBox( hDlg, _T("找不到目标进程。"), _T("错误"), MB_ICONINFORMATION );
break;
}
// Relative DLL name; resolved by the target process, not by this one.
if ( !RemoteLoadLibrary( dwProcessID, "DLL.dll" ) )
{
MessageBox( hDlg, _T("远程DLL加载失败。"), _T("错误"), MB_ICONINFORMATION );
}
}
break;
case IDC_BTN_DETACH:
{
// Relies on the PID remembered from Insert; not re-validated here.
if ( 0 == dwProcessID )
{
MessageBox( hDlg, _T("找不到目标进程。"), _T("错误"), MB_ICONINFORMATION );
break;
}
if ( !RemoteFreeLibrary( dwProcessID, "DLL.dll" ) )
{
MessageBox( hDlg, _T("远程DLL卸载失败。"), _T("错误"), MB_ICONINFORMATION );
}
}
break;
}
}
break;
case WM_CLOSE:
{
EndDialog( hDlg, 0 );
}
break;
}
return 0;
}
/*
 * _tWinMain - program entry point: runs IDD_MAIN_DLG as a modal dialog with
 * MainDlgProc and returns DialogBox's result (the value passed to EndDialog,
 * 0 in every path above, or -1 if the dialog could not be created).
 * hPrevInstance, lpCmdLine and nShowCmd are unused.
 */
int WINAPI _tWinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPTSTR lpCmdLine, int nShowCmd )
{
return DialogBox( hInstance, MAKEINTRESOURCE( IDD_MAIN_DLG ), NULL, MainDlgProc );
}