远程线程注入(0X02)注入第一个DLL

### 伟大的远程线程注入开始了!

先上代码

//dllCall.cpp
#include <windows.h>
#include <tlhelp32.h>

// Entry point of the injector. Walks the process list looking for "calc.exe",
// opens it, copies the hard-coded DLL path into its address space and starts a
// remote thread at LoadLibraryA so the target loads the DLL itself.
// Returns 0 on every path; failures are not reported to the caller.
//
// NOTE(review): the sequence OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx ->
// WriteProcessMemory -> CreateRemoteThread is the canonical cross-process
// injection pattern that host telemetry records (e.g. Sysmon event 10 for the
// process access and event 8 for the remote thread); a detection engineer
// reading this sample should expect all four calls from one process against
// another within a short window.
int WINAPI WinMain(
HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR szCmdLine,
int nCmdShow
)
{
// The code below performs the DLL injection.
// Fixed 100-byte buffer holding the path the target will be asked to load.
char path[100] = ("D:\\dllTest.dll");
// NOTE(review): hProcess is only assigned inside the loop below; if no
// "calc.exe" is found it is used uninitialised later on (bFind is set but
// never checked), which is undefined behaviour.
HANDLE hProcess;
// Obtain a handle to the target process by walking the system's current process list.
// NOTE(review): hSnapshot is never compared against INVALID_HANDLE_VALUE and is
// never closed, so the snapshot handle leaks on every path.
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
BOOL bReturn, bFind = FALSE;
PROCESSENTRY32 pe32;
// dwSize must be set before Process32First or the call fails.
pe32.dwSize = sizeof(pe32);
bReturn = Process32First(hSnapshot, &pe32);
while (bReturn)
{
// Case-sensitive match on the image name (multi-byte build, so szExeFile is char[]).
if (strcmp("calc.exe", pe32.szExeFile) == 0)
{
// NOTE(review): the return value is not checked; OpenProcess returns NULL
// when access is denied (e.g. a protected or higher-integrity process).
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
bFind = TRUE;
break;
}
bReturn = Process32Next(hSnapshot, &pe32);
}
// Resolve the address of LoadLibraryA in kernel32.dll and use it as the remote
// thread's start routine. This presumably assumes kernel32.dll is mapped at the
// same base address in the target as in this process, which is consistent with
// the note below the listing that a 32-bit build cannot target a 64-bit process.
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), "LoadLibraryA");
// Reserve 100 bytes in the target for the path string.
char *dllPath = (char*)VirtualAllocEx(hProcess, 0, 100 * sizeof(char), MEM_COMMIT, PAGE_READWRITE);
if (!dllPath)
{
// NOTE(review): hProcess (and hSnapshot) are not closed on this early return.
return 0;
}

// Copy the whole 100-byte buffer (including the trailing NULs) into the target.
if (!WriteProcessMemory(hProcess, dllPath, path, 100 * sizeof(char), 0))
{
// NOTE(review): dllPath is not freed and hProcess is not closed on this return.
return 0;
}
// The new thread runs LoadLibraryA(dllPath) inside the target process.
HANDLE hThread = CreateRemoteThread(hProcess, NULL, NULL, pfnThreadRtn, dllPath, 0, 0);
if (!hThread)
{
// NOTE(review): same leaks as above on this early return.
return 0;
}
CloseHandle(hThread);
// NOTE(review): the thread is not waited on before its argument buffer is
// released, and the documented contract for MEM_RELEASE requires dwSize == 0,
// so this call is expected to fail; the remote allocation therefore leaks.
VirtualFreeEx(hProcess, dllPath, 100 * sizeof(char), MEM_RELEASE);
CloseHandle(hProcess);
// NOTE(review): GetModuleHandle looks up modules of *this* process, where the
// DLL was never loaded, so this most likely yields NULL and FreeLibrary is a
// no-op. It does not unload the DLL from the target.
FreeLibrary(GetModuleHandle(path));

return 0;
}

把上一篇文章生成的dll扔到D盘根目录下就行了

##### 运行环境:x64 Windows8.1+VS2013

##### 说几点注意的,上述程序不是宽字符版本,而是多字符版本,所以得在项目属性里手动设置
由于系统是64位,所以计算器也是64位
VS2013默认是编译成32位的,所以需要手动修改编译选项改成64位,在项目属性里面改就好
32位程序是不能注入到64位程序里的,否则会没反应,记得把dll也编译成64位(测试32位可以用firefox.exe浏览器,这样不用改编译选项)
DLL
哎~代码太丑了,但是好歹能运行~~
等以后空了再改改吧 先这样了~

很奇怪的是宽字符版本怎么都注入不了
先把代码贴下面,好心人路过帮忙看一下吧~~

//dllCall.cpp
#include <windows.h>
#include <tlhelp32.h>

// Wide-character variant of the injector above: same control flow, but the path
// buffer, the process-name comparison and the module lookup use wchar_t/TEXT().
// Returns 0 on every path; failures are not reported to the caller.
//
// NOTE(review): the author reports below that this build never injects. Two
// inconsistencies visible in the code are consistent with that: the start
// routine resolved here is still LoadLibraryA while the buffer written to the
// target holds wide characters, and WriteProcessMemory copies 100 * sizeof(char)
// bytes into an allocation of 100 * sizeof(wchar_t) bytes (see the inline notes).
// The telemetry footprint (Sysmon events 10 and 8) is the same as the
// multi-byte version.
int WINAPI WinMain(
HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR szCmdLine,
int nCmdShow
)
{
// The code below performs the DLL injection.
// 100 wide characters (200 bytes) holding the path; TEXT() yields a wide
// literal only when the project is built with UNICODE defined.
wchar_t path[100] = TEXT("D:\\dllTest.dll");
// NOTE(review): hProcess is only assigned inside the loop below; if no
// "calc.exe" is found it is used uninitialised later on (bFind is set but
// never checked), which is undefined behaviour.
HANDLE hProcess;
// Obtain a handle to the target process by walking the system's current process list.
// NOTE(review): hSnapshot is never compared against INVALID_HANDLE_VALUE and is
// never closed, so the snapshot handle leaks on every path.
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
BOOL bReturn, bFind = FALSE;
PROCESSENTRY32 pe32;
// dwSize must be set before Process32First or the call fails.
pe32.dwSize = sizeof(pe32);
bReturn = Process32First(hSnapshot, &pe32);
while (bReturn)
{
// Case-sensitive wide-string match; requires the UNICODE build so that
// pe32.szExeFile is a wchar_t array.
if (wcscmp(L"calc.exe", pe32.szExeFile) == 0)
{
// NOTE(review): the return value is not checked; OpenProcess returns NULL
// when access is denied (e.g. a protected or higher-integrity process).
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID);
bFind = TRUE;
break;
}
bReturn = Process32Next(hSnapshot, &pe32);
}
// Resolve the address of LoadLibraryA in kernel32.dll and use it as the remote
// thread's start routine.
// NOTE(review): LoadLibraryA takes a narrow (ANSI) string, but the argument
// handed to the remote thread below is a wchar_t buffer; the two do not agree.
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("kernel32.dll")), "LoadLibraryA");
// Reserve 100 * sizeof(wchar_t) bytes in the target for the path string.
wchar_t *dllPath = (wchar_t*)VirtualAllocEx(hProcess, 0, 100 * sizeof(wchar_t), MEM_COMMIT, PAGE_READWRITE);
if (!dllPath)
{
// NOTE(review): hProcess (and hSnapshot) are not closed on this early return.
return 0;
}

// NOTE(review): the byte count here is 100 * sizeof(char), i.e. half of the
// wide buffer allocated above, so only part of the path is copied.
if (!WriteProcessMemory(hProcess, dllPath, path, 100 * sizeof(char), 0))
{
// NOTE(review): dllPath is not freed and hProcess is not closed on this return.
return 0;
}
// The new thread runs pfnThreadRtn(dllPath) inside the target process.
HANDLE hThread = CreateRemoteThread(hProcess, NULL, NULL, pfnThreadRtn, dllPath, 0, 0);
if (!hThread)
{
// NOTE(review): same leaks as above on this early return.
return 0;
}
CloseHandle(hThread);
// NOTE(review): the thread is not waited on before its argument buffer is
// released, and the documented contract for MEM_RELEASE requires dwSize == 0,
// so this call is expected to fail; the remote allocation therefore leaks.
VirtualFreeEx(hProcess, dllPath, 100 * sizeof(wchar_t), MEM_RELEASE);
CloseHandle(hProcess);
// NOTE(review): GetModuleHandle looks up modules of *this* process, where the
// DLL was never loaded, so this most likely yields NULL and FreeLibrary is a
// no-op. It does not unload the DLL from the target.
FreeLibrary(GetModuleHandle(path));

return 0;
}