远线程注入指定进程附源代码（转）

1、可以通过pid注入到指定进程（某些系统安全级别的进程请把自身提权至se_debug），程序结束后也可以安全的把dll卸载注意：里面用了硬编码，别直接用代码写的有点严谨，在可确信的前提下，某些检测可以跳过。然后发代码，因为在mfc里写，所以可能会有点分散。 / dlgcppcremoteinjectdlg:cremoteinjectdlg(cwnd* pparent /*=null*/): cdialog(cremoteinjectdlg:idd, pparent)m_hicon = afxgetapp()-loadicon(idr_mainframe);/ initialize some va

2、riableslpsfileremote = null;hremotethread = null;hprocess = null;void cremoteinjectdlg:onbnclickedbtnexit()enddialog(true);void cremoteinjectdlg:onbnclickedbtninject()/ 打开目标进程,获取目标进程的handle/ 为了方便,我这里用了硬编码,自己别直接用hprocess = :openprocess(process_create_thread |/ for createremotethread process_vm_operat

3、ion | / for virtualallocex & virtualfreeex process_vm_write | / & writeprocessmemory process_query_information | process_vm_read, false, 2012ul);if (!hprocess) trace(_t(nopenprocess failed %ld), :getlasterror(); goto fail;/ 获取当前目录下dll的路径/ 这个api挺好玩的dword dwret = :getfullpathname(_t(mfc dyndll.dll), m

4、ax_path, lpsdllpath, null);if (!dwret) trace(_t(ngetfullpathname failed %ld), :getlasterror(); goto fail;/ 计算所需空间,并在指定远进程中分配/ 此空间用于保存dll的路径/ 注意这里是字节数,所以unicode需要处理下int ncbsize = (lstrlenw(lpsdllpath) + 1) * sizeof(tchar);lpsfileremote = (lptstr):virtualallocex(hprocess, null, ncbsize, mem_commit, pa

5、ge_readwrite);if (!lpsfileremote) trace(_t(nvirtualallocex failed %ld), :getlasterror(); goto fail;/ 把dll的路径写到在远程线程中分配的空间中/ 此时对于目标进程应具有process_vm_operation和process_vm_writebool bret = :writeprocessmemory(hprocess, lpsfileremote, (lpvoid)lpsdllpath, ncbsize, null);if (!bret) trace(_t(nwriteprocessmem

6、ory failed %ld), :getlasterror(); goto fail;/ 获取loadlibrary的函数地址/ 因为编译后,loadlibrary会因为输入节的形式替换程序(thunk)会替换函数/ 因此我们只能通过getproaddress来获取loadlibrary的函数地址/ getprocaddress中可能必须指定a版还是w版lpthread_start_routine lpfnthreadrun = (lpthread_start_routine) :getprocaddress(:getmodulehandle(_t(kernel32), loadlibrar

7、yw);if (!lpfnthreadrun) trace(_t(ngetprocaddress failed %ld), :getlasterror(); goto fail;/ 创建远程线程,利用loadlibrary加载dll/ createremotethread的第四个参数要求一个定义自lpthread_start_routine的函数/ 这个函数会在远程线程启动地址空间时调用hremotethread = :createremotethread(hprocess, null, 0, lpfnthreadrun, lpsfileremote, 0, null);if (!hremot

8、ethread) trace(_t(ncreateremotethread failed %ld), :getlasterror(); goto fail;else trace(_t(ncongratulate createremotethread succeed!n);return;/ 失败处理fail:if (lpsfileremote) :virtualfreeex(hprocess, lpsfileremote, 0, mem_release);closehandle(hremotethread);closehandle(hprocess);cremoteinjectdlg:cremo

9、teinjectdlg()/ 遍历目标进程的dll/ 通过比对dll的路径,把注入的dll找出来/ 方便之后的freelibrarymoduleentry32 modentry;/ msdn说,在用之前先初始化dwsizemodentry.dwsize = sizeof(moduleentry32);/ 有硬编码，别直接用handle hsnapmoudle = :createtoolhelp32snapshot(th32cs_snapmodule, 2012ul);if (!hsnapmoudle) trace(_t(ncreatetoolhelp32snapshot failed %ld)

10、, :getlasterror(); goto fail;bool bfound = false;bool bmodret = :module32first(hsnapmoudle, &modentry);assert(lpsdllpath);while (bmodret) / 这里lstrcmpi貌似就是lstrcmpia / 所以只能使用lstrcmpiw(带有i的表示不区分大小写) bfound = (0 = :lstrcmpiw(modentry.szexepath, (lpctstr)lpsdllpath); if(bfound) break; bmodret = :module32

11、next(hsnapmoudle, &modentry);/ 用freelibrary卸载dll/ freelibrary有且仅有一个版本lpthread_start_routine lpfnthreadrun = (lpthread_start_routine) :getprocaddress(:getmodulehandle(_t(kernel32), freelibrary);if (!lpfnthreadrun) trace(_t(ngetprocaddress failed %ld), :getlasterror(); goto fail;assert(hprocess);handl

12、e htread = createremotethread(hprocess, null, 0, lpfnthreadrun, modentry.modbaseaddr, 0, null);if (!htread) trace(_t(nuncreateremotethread failed %ldn), :getlasterror(); goto fail;else trace(_t(nunload createremotethread succeed!);fail:/ 清空在远程线程分配的空间/ 此空间用于保存dll的路径assert(lpsfileremote);:virtualfreeex(hprocess, lpsfileremote, 0, mem_release);/ 最后的清理:closehandle(hsnapmoudle);:closehandle(htread);:closehandle(hremotethread);:closehandle(hprocess);/ dlgh/ some member variablesprivate:lptstr lpsfileremote;/ remote thread memory addresshandle hremotethread;/ remote thread handlehandle hproces