
使用远程线程注入DLL


总览

注入

  1. OpenProcess()
  2. VirtualAllocEx()
  3. WriteProcessMemory()
  4. GetProcAddress() -> LoadLibrary
  5. CreateRemoteThread() -> LoadLibrary() -> DLLMain()

注出

  1. CreateToolhelp32Snapshot()
  2. Module32FirstW Module32NextW
  3. OpenProcess()
  4. GetProcAddress() -> FreeLibrary()
  5. CreateRemoteThread() -> FreeLibrary()

注入

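BOOL WINAPI injectLibW(DWORD pid, PCWSTR path) {
	// Loads the DLL at `path` into process `pid`: the wide path is copied into
	// the target, then a remote thread is started on kernel32!LoadLibraryW with
	// that buffer as its argument (the five steps listed under "注入" above).
	//
	// Returns TRUE once the remote thread has finished, FALSE on any failure.
	// All variables are declared up front so the single cleanup label can
	// release the remote buffer and both handles on every exit path; the
	// original returned early after VirtualAllocEx/WriteProcessMemory/
	// GetProcAddress failures and leaked hProcess and the remote allocation.
	BOOL bRet = FALSE;
	HANDLE hProcess = NULL, hThread = NULL;
	PCWSTR pszLibFileRemote = NULL;
	PTHREAD_START_ROUTINE pLoadLib = NULL;
	SIZE_T pathLen = 0;
	SIZE_T pathByteNum = 0;
	CString test;

	if (path == NULL) {
		return FALSE;
	}

	// The author's commented-out mask (PROCESS_QUERY_INFORMATION |
	// PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE) is the
	// minimum this function actually uses; PROCESS_ALL_ACCESS is kept as written.
	hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
	if (hProcess == NULL) {
		goto cleanup;
	}

	// Byte size of the path including its terminating NUL.
	pathLen = (SIZE_T)lstrlenW(path) + 1;
	pathByteNum = pathLen * sizeof(wchar_t);

	pszLibFileRemote = (PCWSTR)VirtualAllocEx(hProcess, NULL, pathByteNum, MEM_COMMIT, PAGE_READWRITE);
	if (pszLibFileRemote == NULL) {
		goto cleanup;
	}
	if (!WriteProcessMemory(hProcess, (LPVOID)pszLibFileRemote, path, pathByteNum, NULL)) {
		goto cleanup;
	}

	pLoadLib = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
	if (pLoadLib == NULL) {
		goto cleanup;
	}

	AfxMessageBox(_T("OK"));	// debug checkpoint kept from the original
	// lpParameter is a plain pointer; the original cast it to
	// LPTHREAD_START_ROUTINE, which was misleading though harmless.
	hThread = CreateRemoteThread(hProcess, NULL, 0, pLoadLib, (LPVOID)pszLibFileRemote, 0, NULL);
	if (hThread == NULL) {
		// Capture the error code before any other call can overwrite it.
		test.Format(_T("%d"), GetLastError());
		AfxMessageBox(test);
		goto cleanup;
	}
	AfxMessageBox(_T("OK"));	// debug checkpoint kept from the original

	// The remote buffer must stay mapped until LoadLibraryW has returned.
	WaitForSingleObject(hThread, INFINITE);
	bRet = TRUE;

cleanup:
	if (pszLibFileRemote != NULL) {
		VirtualFreeEx(hProcess, (LPVOID)pszLibFileRemote, 0, MEM_RELEASE);
	}
	if (hThread != NULL) {
		CloseHandle(hThread);
	}
	if (hProcess != NULL) {
		CloseHandle(hProcess);
	}

	return bRet;
}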

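BOOL WINAPI injectLibA(DWORD pid, PCSTR path) {
	// ANSI wrapper: widens `path` and forwards to injectLibW.
	//
	// The original sized its _alloca buffer by character count with no room
	// for the terminator, passed that same count to StringCchPrintfW as the
	// buffer length, and handed a narrow string to a wide "%s" — an undersized
	// stack buffer plus a mis-formatted conversion. CStringW performs the
	// code-page conversion, owns the buffer, and converts to PCWSTR implicitly.
	if (path == NULL) {
		return FALSE;
	}
	CStringW pathw(path);
	return injectLibW(pid, pathw);
}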

注出

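BOOL WINAPI unInjectLibW(DWORD pid, PCWSTR path) {
	// Unloads the module whose name or full path matches `path` (case-
	// insensitively) from process `pid`: a Toolhelp module snapshot supplies
	// the module's base address, and a remote thread runs kernel32!FreeLibrary
	// on it (the steps listed under "注出" above).
	//
	// Returns TRUE once the remote thread has finished, FALSE otherwise.
	// Declarations are hoisted so one cleanup label closes the snapshot,
	// thread and process handles on every path; the original leaked the
	// snapshot (and hProcess) on each early return and never checked that
	// OpenProcess succeeded before passing the handle to CreateRemoteThread.
	BOOL bRet = FALSE;
	HANDLE hSnapshot = INVALID_HANDLE_VALUE;
	HANDLE hProcess = NULL, hThead = NULL;
	MODULEENTRY32W me = { sizeof(me) };
	BOOL bFound = FALSE;
	BOOL bMoreMods = FALSE;
	PTHREAD_START_ROUTINE psrThread = NULL;

	if (path == NULL) {
		return FALSE;
	}

	// CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not
	// NULL, so the original `== NULL` test never caught a failed snapshot.
	hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
	if (hSnapshot == INVALID_HANDLE_VALUE) {
		return FALSE;
	}

	for (bMoreMods = Module32FirstW(hSnapshot, &me); bMoreMods; bMoreMods = Module32NextW(hSnapshot, &me)) {
		bFound = (_wcsicmp(me.szModule, path) == 0 || _wcsicmp(me.szExePath, path) == 0);
		if (bFound) {
			break;
		}
	}
	if (!bFound) {
		AfxMessageBox(L"找不到你要卸载的dll");
		goto cleanup;
	}

	hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
	if (hProcess == NULL) {
		goto cleanup;
	}

	psrThread = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "FreeLibrary");
	if (psrThread == NULL) {
		AfxMessageBox(L"找freelibrary失败");
		goto cleanup;
	}

	hThead = CreateRemoteThread(hProcess, NULL, 0, psrThread, me.modBaseAddr, 0, NULL);
	if (hThead == NULL) {
		AfxMessageBox(L"CreateRemoteThread失败");
		goto cleanup;
	}
	WaitForSingleObject(hThead, INFINITE);
	bRet = TRUE;

cleanup:
	if (hSnapshot != INVALID_HANDLE_VALUE) {
		CloseHandle(hSnapshot);
	}
	if (hThead != NULL) {
		CloseHandle(hThead);
	}
	if (hProcess != NULL) {
		CloseHandle(hProcess);
	}

	return bRet;
}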