使用远程线程注入DLL

总览

注入

  1. OpenProcess()
  2. VirtualAllocEx()
  3. WriteProcessMemory()
  4. GetProcAddress() -> LoadLibrary
  5. CreateRemoteThread() -> LoadLibrary() -> DLLMain()

注出

  1. CreateToolhelp32Snapshot()
  2. Module32FirstW Module32NextW
  3. OpenProcess()
  4. GetProcAddress() -> FreeLibrary()
  5. CreateRemoteThread() -> FreeLibrary()

注入

// Loads the DLL at `path` into process `pid`: the wide path string is copied into
// memory allocated inside the target, then a remote thread is started at
// kernel32!LoadLibraryW with that remote buffer as its argument.
// Returns TRUE only after the remote thread has terminated; FALSE on any failure.
// NOTE(review): every early `return FALSE` below leaks hProcess (and, once
// VirtualAllocEx has succeeded, the remote allocation) — only the success path reaches
// the cleanup at the bottom.
// Detection note: OpenProcess(PROCESS_ALL_ACCESS) + VirtualAllocEx + WriteProcessMemory +
// CreateRemoteThread against a foreign process is the textbook sequence that endpoint
// telemetry (remote-thread creation events, cross-process memory writes) is built to flag.
BOOL WINAPI injectLibW(DWORD pid, PCWSTR path) {
BOOL bRet = FALSE;
HANDLE hProcess = NULL, hThread = NULL;
PCWSTR pszLibFileRemote = NULL;
CString test; // only used to format GetLastError() for the failure dialog

// The commented-out call below is the least-privilege access mask for this operation;
// the live call requests PROCESS_ALL_ACCESS instead, which is broader than needed.
//hProcess = OpenProcess(
// PROCESS_QUERY_INFORMATION |
// PROCESS_CREATE_THREAD |
// PROCESS_VM_OPERATION |
// PROCESS_VM_WRITE,
// FALSE,
// pid
//);
hProcess = OpenProcess(
PROCESS_ALL_ACCESS,
FALSE,
pid);
if (hProcess == NULL) return FALSE;
// +1 so the terminating NUL is copied along with the path characters.
int pathLen = lstrlenW(path) + 1;
int pathByteNum = pathLen * sizeof(wchar_t);

// Remote buffer for the path; released with VirtualFreeEx only on the success path.
pszLibFileRemote = (PCWSTR)VirtualAllocEx(hProcess, NULL, pathByteNum, MEM_COMMIT, PAGE_READWRITE);
if (pszLibFileRemote == NULL) return FALSE;
if (!WriteProcessMemory(hProcess, (LPVOID)pszLibFileRemote, path, pathByteNum, NULL)) return FALSE;
// Resolved in this process; relies on kernel32 being mapped at the same base in the
// target, which the page does not verify (presumably true for same-session processes).
PTHREAD_START_ROUTINE pLoadLib = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryW");
if (pLoadLib == NULL) return FALSE;
AfxMessageBox(_T("OK")); // debug dialog left in; blocks until dismissed
// The remote buffer is passed as lpParameter; the LPTHREAD_START_ROUTINE cast on a data
// pointer is misleading — the parameter type is LPVOID.
hThread = CreateRemoteThread(hProcess, NULL, 0,
pLoadLib,
(LPTHREAD_START_ROUTINE)pszLibFileRemote,
0,
NULL);
if (hThread == NULL) {
test.Format(_T("%d"), GetLastError());
AfxMessageBox(test);
return FALSE;
}
AfxMessageBox(_T("OK")); // debug dialog left in
// Blocks until the remote LoadLibraryW call returns (i.e. after DllMain has run).
WaitForSingleObject(hThread, INFINITE);

bRet = TRUE;


// Cleanup: only reached on success, see the NOTE(review) above.
if (pszLibFileRemote != NULL)
{
VirtualFreeEx(hProcess, (LPVOID)pszLibFileRemote, 0, MEM_RELEASE);
}
if (hThread != NULL)
{
CloseHandle(hThread);
}
if (hProcess != NULL)
{
CloseHandle(hProcess);
}

return bRet;
}

// ANSI wrapper: widens `path` into a stack buffer and forwards to injectLibW.
// NOTE(review): the buffer is sized from lstrlenA(path) with no room for the
// terminating NUL, and that same `size` is passed as StringCchPrintfW's capacity, so
// the result is truncated by one character. `%s` in a wide format string expects a
// wide argument on MSVC, yet a narrow string is supplied — confirm the intended
// behaviour before relying on this entry point.
BOOL WINAPI injectLibA(DWORD pid, PCSTR path) {
SIZE_T size = lstrlenA(path);
PWSTR pathw = (PWSTR)_alloca(size * sizeof(wchar_t));
StringCchPrintfW(pathw, size, L"%s", path);
return injectLibW(pid, pathw);
}

注出

// Ejects the module `path` from process `pid`: the module list of the target is
// walked via a Toolhelp snapshot, `path` is matched case-insensitively against either
// the module name or its full path, and kernel32!FreeLibrary is run in a remote thread
// with the module's base address as its argument.
// Returns TRUE after the remote thread has terminated; FALSE if the module is not found
// or any step fails.
// NOTE(review): hSnapshot is leaked on the not-found path, and the later early returns
// leak hSnapshot and hProcess; OpenProcess's result is never checked for NULL before it
// is handed to CreateRemoteThread. The not-found message text "找到到你要卸载的dll"
// reads as a typo for "找不到..." (module not found); it is a runtime string and left as-is.
// Detection note: the same remote-thread-creation pattern as the injector, with the
// thread start address at FreeLibrary.
BOOL WINAPI unInjectLibW(DWORD pid, PCWSTR path) {
BOOL bRet = FALSE;
HANDLE hSnapshot = NULL;
HANDLE hProcess = NULL, hThead = NULL;

// CreateToolhelp32Snapshot returns INVALID_HANDLE_VALUE (not NULL) on failure —
// TODO confirm this check against the API contract; as written it may not catch errors.
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
if (hSnapshot == NULL) return FALSE;
// First member (dwSize) must be set before Module32FirstW.
MODULEENTRY32W me = { sizeof(me) };
BOOL bFound = FALSE;
BOOL bMoreMods = Module32FirstW(hSnapshot, &me);
for (;bMoreMods;bMoreMods = Module32NextW(hSnapshot, &me))
{
// Match either the bare module name or its full on-disk path, case-insensitively.
bFound = (_wcsicmp(me.szModule, path) == 0 || _wcsicmp(me.szExePath, path) == 0);
if (bFound)
{
break;
}
}
if (!bFound) {
AfxMessageBox(L"找到到你要卸载的dll");
return FALSE;
}

// Requests full access; the narrower rights listed in injectLibW's commented-out
// OpenProcess call would suffice here as well.
hProcess = OpenProcess(
PROCESS_ALL_ACCESS,
FALSE,
pid
);

// Resolved locally and assumed to be at the same address in the target.
PTHREAD_START_ROUTINE psrThread = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "FreeLibrary");
if (psrThread == NULL)
{
AfxMessageBox(L"找freelibrary失败");
return FALSE;
}
// me.modBaseAddr is passed as lpParameter and interpreted by FreeLibrary as the HMODULE.
// FreeLibrary only decrements the load count, so a module loaded more than once stays
// mapped after one call — presumably acceptable for the single-injection case.
hThead = CreateRemoteThread(hProcess, NULL, 0, psrThread, me.modBaseAddr, 0, NULL);
if (hThead == NULL)
{
AfxMessageBox(L"CreateRemoteThread失败");
return FALSE;
}
WaitForSingleObject(hThead, INFINITE);
bRet = TRUE;
// Cleanup: only reached on success, see the NOTE(review) above.
if (hSnapshot != NULL)
{
CloseHandle(hSnapshot);
}
if (hThead != NULL)
{
CloseHandle(hThead);
}
if (hProcess != NULL)
{
CloseHandle(hProcess);
}

return bRet;

}