一个远程DLL注入。。

作者在 2008-11-27 01:25:10 发布以下内容
篇幅原因只给出部分代码。。。
 
 
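// PID of the target process, resolved by OnBtnInject and reused by
// OnBtnUninstall (despite the "h" prefix it is a process id, not a HANDLE).
// Fix: the page wrote `hProcessId=0;` as a separate statement at file scope,
// which is not valid C++; fold the initialiser into the definition.
static DWORD hProcessId = 0;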
/// Handler for the "inject" button: resolves the process named in
/// IDC_EDIT_TARGET and asks RemoteLoadLibrary to map the DLL named in
/// IDC_EDIT_DLL into it. Both failure cases are reported with MessageBox.
void CRemoteDllDlg::OnBtnInject()
{
    TCHAR targetName[MAX_PATH];
    GetDlgItemText(IDC_EDIT_TARGET, targetName, MAX_PATH);
    TCHAR dllPath[MAX_PATH];
    GetDlgItemText(IDC_EDIT_DLL, dllPath, MAX_PATH);

    // The resolved PID is kept in the file-scope hProcessId so that
    // OnBtnUninstall can address the same process later.
    hProcessId = GetProcessID(targetName);
    if (hProcessId != 0 && RemoteLoadLibrary(hProcessId, dllPath))
    {
        return;
    }

    // Which message is shown depends on which of the two steps failed.
    MessageBox(hProcessId == 0 ? "未找到进程或进程未启动" : "加载DLL失败", "错误提示");
}
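/// Handler for the "uninstall" button: resolves the process named in
/// IDC_EDIT_TARGET and asks RemoteFreeLibrary to unload the DLL named in
/// IDC_EDIT_DLL from it.
///
/// Fix: the original read the target name into a buffer but never used it,
/// relying on whatever hProcessId OnBtnInject left behind (0 if that button
/// was never pressed). Resolve the PID here so the two buttons agree, and
/// report a missing process with the same message OnBtnInject uses.
void CRemoteDllDlg::OnBtnUninstall()
{
    TCHAR dllPath[MAX_PATH];
    GetDlgItemText(IDC_EDIT_DLL, dllPath, MAX_PATH);
    TCHAR targetName[MAX_PATH];
    GetDlgItemText(IDC_EDIT_TARGET, targetName, MAX_PATH);

    hProcessId = GetProcessID(targetName);
    if (hProcessId == 0)
    {
        MessageBox("未找到进程或进程未启动", "错误提示");
        return;
    }
    if (!RemoteFreeLibrary(hProcessId, dllPath))
    {
        MessageBox("卸载失败", "错误提示");
        return;
    }
}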
/// Handler for the "exit" button: sends WM_CLOSE to the dialog itself so the
/// normal close path runs (synchronous, via CWnd::SendMessage).
void CRemoteDllDlg::OnBtnExit()
{
    const WPARAM wParam = 0;
    const LPARAM lParam = 0;
    SendMessage(WM_CLOSE, wParam, lParam);
}
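/// Looks up the PID of the first running process whose image name equals
/// lpTarget (exact, case-sensitive strcmp against PROCESSENTRY32::szExeFile;
/// assumes an MBCS build where szExeFile is char — confirm for UNICODE builds).
///
/// @param lpTarget  image file name as shown by the tool-help snapshot,
///                  e.g. "notepad.exe" (constructed example).
/// @return the PID, or 0 when no such process exists or the snapshot failed.
///
/// Fixes: the snapshot handle is checked against INVALID_HANDLE_VALUE and is
/// always closed (the original leaked one handle per call), and the result of
/// Process32First is checked instead of comparing against an unfilled entry.
DWORD CRemoteDllDlg::GetProcessID(LPCSTR lpTarget)
{
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE)
    {
        return 0;
    }

    DWORD dwRet = 0;
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(PROCESSENTRY32);
    // Process32First fills pe32 with the first entry; Process32Next advances.
    for (BOOL ok = Process32First(hSnap, &pe32); ok; ok = Process32Next(hSnap, &pe32))
    {
        if (strcmp(pe32.szExeFile, lpTarget) == 0)
        {
            dwRet = pe32.th32ProcessID;
            break;
        }
    }
    CloseHandle(hSnap);
    return dwRet;
}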
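/// Loads lpszDll into process hProcessId: allocates a buffer for the path in
/// the target, copies the path there, and starts a remote thread whose entry
/// point is LoadLibraryA with that buffer as its argument.
///
/// @param hProcessId  PID of the target process (not a HANDLE despite the name).
/// @param lpszDll     ANSI path of the DLL; the target resolves it with its own
///                    library search rules.
/// @return TRUE when the remote thread ran and LoadLibraryA returned a non-NULL
///         module handle inside the target, FALSE on any failure.
///
/// Fixes relative to the original: the token handle is closed; OpenProcess is
/// checked for NULL before use; the remote allocation is freed with
/// MEM_RELEASE (MEM_DECOMMIT with a size left the reservation behind in the
/// target); LoadLibraryA is named explicitly so it matches the LPCSTR argument
/// in every build configuration; the remote thread's exit code is inspected
/// instead of assuming success; WriteProcessMemory takes LPCVOID, so the
/// const-dropping cast is gone.
///
/// Caveats that remain: the address of LoadLibraryA is taken from this process
/// and assumed valid in the target (presumably holds only for same-bitness
/// processes sharing the kernel32 base — confirm for your target); the thread
/// exit code is a DWORD, so on 64-bit builds the HMODULE is truncated and only
/// its zero / non-zero value is meaningful here.
BOOL CRemoteDllDlg::RemoteLoadLibrary(DWORD hProcessId, LPCSTR lpszDll)
{
    // Privilege adjustment kept from the original. NOTE(review): SE_SECURITY_NAME
    // governs SACL/audit access, not the access rights OpenProcess grants below,
    // so this block does not influence whether the target can be opened; its
    // results are left unchecked as before, but the token handle is now released.
    HANDLE hToken = NULL;
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        LUID luId;
        if (LookupPrivilegeValue(NULL, SE_SECURITY_NAME, &luId))
        {
            TOKEN_PRIVILEGES tkp;
            tkp.PrivilegeCount = 1;
            tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            tkp.Privileges[0].Luid = luId;
            AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL);
        }
        CloseHandle(hToken);
    }

    HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE,
                                  FALSE, hProcessId);
    if (hProcess == NULL)
    {
        return FALSE;
    }

    BOOL bRet = FALSE;
    const SIZE_T dwSize = strlen(lpszDll) + 1;   // include the terminating NUL
    LPVOID lpBuf = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
    if (lpBuf != NULL)
    {
        SIZE_T dwWrite = 0;
        if (WriteProcessMemory(hProcess, lpBuf, lpszDll, dwSize, &dwWrite) && dwWrite == dwSize)
        {
            DWORD dwId = 0;
            LPTHREAD_START_ROUTINE pfn = reinterpret_cast<LPTHREAD_START_ROUTINE>(&LoadLibraryA);
            HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, pfn, lpBuf, 0, &dwId);
            if (hThread != NULL)
            {
                WaitForSingleObject(hThread, INFINITE);
                // The thread's exit code is LoadLibraryA's return value;
                // 0 means the target failed to load the module.
                DWORD dwExit = 0;
                if (GetExitCodeThread(hThread, &dwExit) && dwExit != 0)
                {
                    bRet = TRUE;
                }
                CloseHandle(hThread);
            }
        }
        // MEM_RELEASE requires a size of 0 and frees the whole region.
        VirtualFreeEx(hProcess, lpBuf, 0, MEM_RELEASE);
    }
    CloseHandle(hProcess);
    return bRet;
}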
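/// Unloads lpszDll from process hProcessId: a first remote thread runs
/// GetModuleHandleA on the path to obtain the target's HMODULE, a second runs
/// FreeLibrary on that handle.
///
/// @param hProcessId  PID of the target process (not a HANDLE despite the name).
/// @param lpszDll     ANSI string handed to GetModuleHandleA in the target;
///                    presumably the same path used by RemoteLoadLibrary —
///                    confirm it matches how the module is named there.
/// @return TRUE when both remote calls ran, GetModuleHandleA found the module
///         and FreeLibrary reported success, FALSE otherwise.
///
/// Fixes relative to the original: OpenProcess is checked for NULL; the remote
/// buffer is freed with MEM_RELEASE instead of MEM_DECOMMIT; a zero result
/// from GetModuleHandleA (module not present) is treated as failure instead of
/// calling FreeLibrary(NULL) in the target; the second CreateRemoteThread is
/// checked for NULL before being waited on; FreeLibrary's own result is
/// propagated; GetModuleHandleA is named explicitly to match the LPCSTR
/// argument.
///
/// Caveat that remains: the thread exit code is a DWORD, so the HMODULE
/// round-trip only works where the handle fits in 32 bits (32-bit processes).
BOOL CRemoteDllDlg::RemoteFreeLibrary(DWORD hProcessId, LPCSTR lpszDll)
{
    HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE,
                                  FALSE, hProcessId);
    if (hProcess == NULL)
    {
        return FALSE;
    }

    BOOL bRet = FALSE;
    const SIZE_T dwSize = strlen(lpszDll) + 1;   // include the terminating NUL
    LPVOID lpBuf = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
    if (lpBuf != NULL)
    {
        SIZE_T dwWrite = 0;
        if (WriteProcessMemory(hProcess, lpBuf, lpszDll, dwSize, &dwWrite) && dwWrite == dwSize)
        {
            DWORD dwId = 0;
            LPTHREAD_START_ROUTINE pfnGet = reinterpret_cast<LPTHREAD_START_ROUTINE>(&GetModuleHandleA);
            HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, pfnGet, lpBuf, 0, &dwId);
            if (hThread != NULL)
            {
                // Exit code == HMODULE returned by GetModuleHandleA in the target.
                DWORD dwModule = 0;
                WaitForSingleObject(hThread, INFINITE);
                GetExitCodeThread(hThread, &dwModule);
                CloseHandle(hThread);

                if (dwModule != 0)
                {
                    LPTHREAD_START_ROUTINE pfnFree = reinterpret_cast<LPTHREAD_START_ROUTINE>(&FreeLibrary);
                    LPVOID hRemoteModule = reinterpret_cast<LPVOID>(static_cast<ULONG_PTR>(dwModule));
                    hThread = CreateRemoteThread(hProcess, NULL, 0, pfnFree, hRemoteModule, 0, &dwId);
                    if (hThread != NULL)
                    {
                        // Exit code == FreeLibrary's BOOL result in the target.
                        DWORD dwFreed = 0;
                        WaitForSingleObject(hThread, INFINITE);
                        if (GetExitCodeThread(hThread, &dwFreed) && dwFreed != 0)
                        {
                            bRet = TRUE;
                        }
                        CloseHandle(hThread);
                    }
                }
            }
        }
        // MEM_RELEASE requires a size of 0 and frees the whole region.
        VirtualFreeEx(hProcess, lpBuf, 0, MEM_RELEASE);
    }
    CloseHandle(hProcess);
    return bRet;
}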
 
 
 
