Windows下的dll注入(使用CreateRemoteThread)
作者:互联网
话不多说,直接贴代码。
dll注入方式挺多,个人感觉比较方便的就是这个。效果很明显:编译运行阶段就会被火绒拦截,手动添加信任后才能正常运行。
需要注意的就是64位编译出来,远程注入的程序必须是64位,dll也必须是64位的;32位也必须统一。
还有就是注入系统进程时,貌似都会创建线程失败,错误码为 5,大概是权限不足。
这种方式框架就是这样,都是Win32API,只需要知道基本调用就好了。
// Demonstration of the classic CreateRemoteThread + LoadLibraryA DLL-injection
// pattern on Windows, plus the matching FreeLibrary-based unload.
//
// From a defender's point of view the sequence used below —
// OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx -> WriteProcessMemory ->
// CreateRemoteThread with a kernel32 export as the start routine — is one of
// the most widely recognised cross-process tampering signatures; the author's
// own note that the binary is blocked by Huorong as soon as it runs is an
// example of that detection in practice. Mitigations on the target side
// include running the protected process at a higher integrity / as a
// protected process, restricting PROCESS_VM_WRITE / PROCESS_CREATE_THREAD
// access, and monitoring remote-thread creation events.
#include <windows.h>
#include <tlhelp32.h>
#include <memoryapi.h>
#include <iostream>
using namespace std;

// Global state shared between the "inject" and "detach" entry points.
string dllNamea;   // full path of the DLL to load in the target (set in on_inject_clicked)
string procNamea;  // executable name of the target process (set in on_inject_clicked)
DWORD pid;         // process id resolved by GetProcId; 0 means "not found"

// Converts a wide (UTF-16) string to a heap-allocated UTF-8 char buffer.
// Caller owns the returned buffer and must delete[] it; no call site in this
// file currently uses the helper (the only use is commented out in GetProcId).
char* wideCharToMultiByte(wchar_t* pWCStrKey)
{
    // First call only measures the converted length so the buffer can be sized.
    int pSize = WideCharToMultiByte(CP_UTF8, 0, pWCStrKey, wcslen(pWCStrKey), NULL, 0, NULL, NULL);
    char* pCStrKey = new char[pSize+1];
    // Second call performs the actual wide -> multibyte conversion.
    WideCharToMultiByte(CP_UTF8, 0, pWCStrKey, wcslen(pWCStrKey), pCStrKey, pSize, NULL, NULL);
    pCStrKey[pSize] = '\0';
    // qDebug()<<"cstrkey "<<pCStrKey;
    return pCStrKey;
    // To get a std::string, plain assignment is enough:
    //string pKey = pCStrKey;
}

// Walks a Toolhelp process snapshot and returns the id of the first process
// whose executable name equals procName, or 0 if none matches.
// Note: the snapshot handle is never closed on either return path (handle leak),
// and the locals `ff` is declared but unused.
DWORD GetProcId(string procName)
{
    BOOL bRet;
    PROCESSENTRY32 pe32;
    HANDLE hSnap;
    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    pe32.dwSize = sizeof(pe32);
    bRet = Process32First(hSnap,&pe32);
    char* array;
    WCHAR* ff;
    string arr;
    while(bRet)
    {
        // szExeFile is reinterpreted as a narrow string as-is. If the project is
        // built with UNICODE defined, PROCESSENTRY32 is the wide variant and this
        // cast would not produce the intended text — presumably the reason the
        // wideCharToMultiByte helper exists; confirm the build's character set.
        array = (char*)pe32.szExeFile;
        // array = wideCharToMultiByte(ff);
        cout<<"array = "<<array<<endl;
        arr = array;
        if(procName == arr)
        {
            cout<<"找到了"<<endl;
            return pe32.th32ProcessID;
        }
        bRet = Process32Next(hSnap,&pe32);
    }
    return 0;
}

// Loads dllName into process `pid` by allocating memory in the target, copying
// the path there and starting a remote thread at kernel32!LoadLibraryA with that
// buffer as its argument. Returns early (silently) when pid is 0, dllName is
// empty, OpenProcess fails, or VirtualAllocEx fails; thread-creation failure is
// reported via GetLastError() on stdout (the author observes error 5,
// ERROR_ACCESS_DENIED, for system processes).
// Each of these API calls is visible to host-based monitoring as a foreign
// process acting on the target's address space.
void InjectDll(DWORD pid,string dllName)
{
    if(pid==0||dllName.length()==0)
    {
        return;
    }
    char* pFunName = "LoadLibraryA";
    // PROCESS_ALL_ACCESS is far broader than the rights actually used here;
    // a narrower access mask would be the least-privilege choice and is also
    // what access-control policies on protected processes enforce.
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid);
    if(hProcess==NULL)
    {
        return;
    }
    int dllLen = dllName.length();
    // Writable (not executable) page: only the path string lives there.
    PVOID pDllAddr = VirtualAllocEx(hProcess,NULL,dllLen,MEM_COMMIT,PAGE_READWRITE);
    if(pDllAddr ==NULL)
    {
        CloseHandle(hProcess);
        return;
    }
    // Printed before the write/thread steps have run — "success" here only
    // means the remote allocation succeeded.
    cout<<"注入成功"<<endl;
    DWORD writeNum = 0;
    // writeNum is a DWORD but is passed as SIZE_T*; on 64-bit builds SIZE_T is
    // wider than DWORD, so the adjacent stack bytes are written as well.
    cout<<WriteProcessMemory(hProcess,(LPVOID)pDllAddr,(LPCVOID)dllName.c_str(),(SIZE_T)dllLen,(SIZE_T *)&writeNum)<<endl;
    // Relies on kernel32 being mapped at the same address in both processes.
    FARPROC pFunAddr = GetProcAddress(GetModuleHandleA("kernel32.dll"),pFunName);
    cout<<pDllAddr<<endl;
    cout<<pFunAddr<<endl;
    HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)pFunAddr,pDllAddr,0,NULL);
    cout<<"hthread = "<<hThread<<endl;
    if(hThread)
    {
        WaitForSingleObject(hThread,INFINITE);
        CloseHandle(hThread);
    }
    else
    {
        cout<<GetLastError()<<endl;
    }
    CloseHandle(hProcess);
}

// "Inject" button handler: sets the hard-coded DLL path and target name,
// resolves the pid and performs the injection. The globals it writes are
// reused later by on_detatch_clicked.
void on_inject_clicked()
{
    // dllNamea = "C:\\Users\\17724\\Desktop\\dll4\\dllTest.dll";
    // dllNamea = "C:\\Users\\17724\\Desktop\\dll2\\dllTesta.dll";
    // procNamea = "Everything.exe";
    dllNamea = "C:\\Users\\17724\\Desktop\\dllTest\\myTest.dll";
    procNamea = "test.exe";
    pid = GetProcId(procNamea);
    cout<<"pid = "<<pid<<endl;
    InjectDll(pid,dllNamea);
}

// Reverses InjectDll: enumerates the target's modules to find the one whose
// full path equals dllName, then starts a remote thread at kernel32!FreeLibrary
// with that module handle. Returns early when pid is 0, dllName is empty, or
// OpenProcess fails. Locals `array`/`arr` are the same raw-cast pattern as in
// GetProcId; `ff` is unused.
void UninjectDll(DWORD pid, string dllName)
{
    if(pid==0||dllName.length()==0)
    {
        return;
    }
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,pid);
    MODULEENTRY32 me32;
    me32.dwSize = sizeof(me32);
    BOOL bRet = Module32Next(hSnap,&me32);
    char* array;
    WCHAR* ff;
    string arr;
    while(bRet)
    {
        array = (char*)me32.szExePath;
        arr = array;
        if(dllName == arr)
        {
            cout<<"也找到了"<<endl;
            break;
        }
        bRet = Module32Next(hSnap,&me32);
    }
    CloseHandle(hSnap);
    char* pFunName = "FreeLibrary";
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid);
    if(hProcess==NULL)
    {
        return;
    }
    FARPROC pFunAddr = GetProcAddress(GetModuleHandleA("kernel32.dll"),pFunName);
    // me32.hModule is used even when the loop above found no match, in which
    // case it holds whatever the last enumerated entry (or uninitialised
    // memory) contained; hThread is not checked for NULL before waiting on it.
    HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)pFunAddr,me32.hModule,0,NULL);
    WaitForSingleObject(hThread,INFINITE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
}

// "Detach" button handler: unloads the DLL recorded by on_inject_clicked.
void on_detatch_clicked()
{
    UninjectDll(pid,dllNamea);
}

// Console driver: injects immediately, then loops forever reading integers
// from stdin; entering 5 triggers the unload. There is no exit path.
int main()
{
    on_inject_clicked();
    int num;
    while(true)
    {
        cin>>num;
        if(num == 5)
        {
            on_detatch_clicked();
        }
    }
}
标签:CreateRemoteThread,include,Windows,pWCStrKey,pSize,dll,64,NULL 来源: https://www.cnblogs.com/dayq/p/15809067.html