通过进程注入,实现指定程序在Explorer.exe进程空间内启动
主进程
在进程空间分配一块内存区域,写入dll的名称,用LoadLibraryA加载
常用API
- CreateToolhelp32Snapshot、Process32First、Process32Next、CloseHandle:获取 PID
- OpenProcess
- VirtualAllocEx
- WriteProcessMemory
- GetModuleHandle
- GetProcAddress:LoadLibrary
- CreateRemoteThread
- WaitForSingleObject
- GetExitCodeThread
- CloseHandle
- VirtualFreeEx // !!
- CreateRemoteThread
- GetProcAddress:FreeLibrary
- WaitForSingleObject // 需要知道线程的退出代码
- GetExitCodeThread
- CloseHandle
- CloseHandle
- VirtualFreeEx
```cpp
include “stdafx.h”
include
include
include
include “windows.h”
include “tlhelp32.h”
using namespace std;
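// Return the PID of the first running process whose image name equals
// `name` (case-insensitive), or 0 when no such process exists or the
// process snapshot could not be taken.
//
// `name` is compared against PROCESSENTRY32::szExeFile after `_bstr_t`
// narrows it (a no-op in a non-UNICODE build, WCHAR->char otherwise),
// as in the original. NOTE(review): the call site on this page passes a
// wide literal to this LPCSTR parameter; the build that ran presumably
// differed from the rendered text.
DWORD GetProcessIDFromName(LPCSTR name)
{
    DWORD id = 0;

    // Snapshot of every process. On failure this returns
    // INVALID_HANDLE_VALUE (not NULL); the original never checked it and
    // handed the bad handle to Process32First/CloseHandle.
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
        return 0;

    PROCESSENTRY32 pe = { 0 };           // zero-init: no field left indeterminate
    pe.dwSize = sizeof(PROCESSENTRY32);  // Process32First fails unless dwSize is set

    // Walk the snapshot; stop at the first case-insensitive match.
    if (Process32First(hSnapshot, &pe))
    {
        do
        {
            if (0 == _stricmp(_bstr_t(pe.szExeFile), name))
            {
                id = pe.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnapshot, &pe));
    }

    CloseHandle(hSnapshot);  // the snapshot handle is the only resource owned here
    return id;
}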
// Injector entry point.
//
// Sequence as written on this page: look up explorer.exe's PID, open it,
// allocate a buffer in it, copy the DLL path in, run LoadLibraryA on that
// buffer via a remote thread, read the returned HMODULE back out of the
// thread's exit code, then run FreeLibrary on it via a second remote
// thread and release the buffer.
//
// Defender's view: each step is a documented Win32 call, and this exact
// chain - OpenProcess with PROCESS_ALL_ACCESS on explorer.exe,
// VirtualAllocEx + WriteProcessMemory, CreateRemoteThread whose start
// address is kernel32!LoadLibraryA, followed by a module load from a path
// under the user's profile - is the canonical remote-thread DLL injection
// pattern that process telemetry and EDR tooling alert on.
//
// Correctness notes (the code below is left exactly as on the page):
// - OpenProcess returns NULL on failure, not INVALID_HANDLE_VALUE, so the
//   check after it does not catch a failed open.
// - pid == 0 only prints a message; execution continues with pid 0.
// - A thread exit code is a DWORD, so the HMODULE from LoadLibraryA is
//   truncated to 32 bits; in a 64-bit target FreeLibrary would receive a
//   wrong handle (the XP-era path suggests a 32-bit target here).
// - The final VirtualFreeEx runs after CloseHandle(hProcess) with a NULL
//   handle; the buffer was already decommitted earlier, so it is moot.
int main()
{
    HMODULE hKernel32 = NULL;
    LPTHREAD_START_ROUTINE pLoadLibrary = NULL;
    DWORD hLibModule;   // receives LoadLibraryA's result via the remote thread's exit code
    // DLL to load into the target. The backslashes are unescaped as
    // rendered - presumably lost in page formatting; written like this the
    // literal would not be valid C.
    char path[] = “C:\Documents and Settings\Administrator\桌面\workspace\Dll\debug\Dll.dll”;
    // NOTE(review): GetProcessIDFromName takes LPCSTR but a wide literal is
    // passed; the compiled build probably did not look exactly like this.
    DWORD pid = GetProcessIDFromName(L”explorer.exe”);
    if (pid == 0) printf(“id invalid\n”);   // no return here: falls through with pid 0
    // PROCESS_ALL_ACCESS on another user process needs matching integrity /
    // privileges; on failure OpenProcess returns NULL (see notes above).
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid);
    if (hProcess == INVALID_HANDLE_VALUE)
    {
        printf("openprocess error\n");
        return -1;
    }
    // Commit a buffer in the target large enough for the path and its NUL.
    LPVOID pszDllName = VirtualAllocEx(hProcess, // allocate a region in the target's address space
                                       NULL, strlen(path)+1, MEM_COMMIT, PAGE_READWRITE);
    if (NULL == pszDllName)
    {
        printf("alloc error\n");
        printf("error code:%d",GetLastError());
        return -1;
    }
    // Copy the DLL path (with terminator) into the remote buffer.
    BOOL bRet = WriteProcessMemory( hProcess, pszDllName,(void *)path, strlen(path)+1, NULL); // write the name of the DLL to be loaded
    if (NULL == bRet)   // BOOL compared with NULL, i.e. FALSE
    {
        printf("write error\n");
        return -1;
    }
    // Resolve LoadLibraryA locally and reuse that address as the remote
    // thread's start routine. This assumes kernel32 is mapped at the same
    // base in both processes (holds for same-bitness processes on one boot).
    hKernel32=GetModuleHandle(L"kernel32.dll");
    pLoadLibrary=(LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32,"LoadLibraryA");
    if(!hKernel32 || !pLoadLibrary) return -1;   // remote buffer and hProcess are not released on this path
    // The remote thread executes LoadLibraryA(pszDllName); the DLL's DllMain
    // therefore runs inside the target process.
    HANDLE hInjectThread = CreateRemoteThread(hProcess,NULL,0,pLoadLibrary,pszDllName,0,NULL);
    if (NULL == hInjectThread)
    {
        DWORD dwErr = GetLastError();
        printf("create thread error:%d\n",dwErr);
        // Size here (4096) differs from the strlen(path)+1 used elsewhere;
        // for a buffer this small both cover the same single page.
        VirtualFreeEx(hProcess,pszDllName,4096,MEM_DECOMMIT);
        return -1;
    }
    // -1 converts to INFINITE. `dw` is never read.
    DWORD dw = WaitForSingleObject(hInjectThread, -1);
    // LoadLibraryA's return value is the thread's exit code (DWORD-truncated).
    GetExitCodeThread(hInjectThread, &hLibModule);
    CloseHandle(hInjectThread);
    // MEM_DECOMMIT releases the pages but keeps the reservation; MEM_RELEASE
    // (with size 0) would return the whole region.
    BOOL bReturn = VirtualFreeEx(hProcess, pszDllName,strlen(path)+1, MEM_DECOMMIT);
    if (NULL == bReturn)
    {
        printf("freeex error:%d\n",GetLastError());
        return -1;
    }
    // Second remote thread: FreeLibrary(hLibModule) to unload the DLL again.
    // Whatever DllMain already did in the target is not undone by this.
    hInjectThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32,"FreeLibrary"),(void *)hLibModule,0,NULL);
    if (hInjectThread == NULL)
    {
        // No return: the wait / exit-code / CloseHandle calls below then
        // operate on a NULL handle.
        printf("create free thread error:%d\n",GetLastError());
    }
    WaitForSingleObject(hInjectThread,-1);
    DWORD FreeLibInfo;   // FreeLibrary's BOOL result, via the exit code
    GetExitCodeThread(hInjectThread,&FreeLibInfo);
    if (!FreeLibInfo)
    {
        // GetLastError is per-thread in this process; it does not reflect
        // why FreeLibrary failed in the remote thread.
        printf("free error:%d\n",GetLastError());
    }
    CloseHandle(hInjectThread);
    CloseHandle(hProcess);
    hProcess = NULL;
    // Uses the now-NULL handle and cannot succeed; the buffer was already
    // decommitted above.
    VirtualFreeEx(hProcess,pszDllName,strlen(path)+1,MEM_DECOMMIT);
    system("pause");
    return 0;
}
<a name="10Oh6"></a>
# 注入的DLL
- CreateProcessW
```cpp
// Dll.cpp : DLL application entry point.
//
// Payload side of the page's example: once loaded into explorer.exe by the
// injector above, DLL_PROCESS_ATTACH launches a hard-coded executable with
// CreateProcessW, so the new process appears as an ordinary child of
// explorer.exe (the behaviour the page's title describes).
//
// Defender's view: the parent in the process tree looks normal, so the
// meaningful observables are the load of this module into explorer.exe from
// a path under the user's profile and the remote-thread creation that
// preceded it.
//
// Correctness notes (code left as on the page):
// - This runs under the loader lock. Microsoft's DllMain guidance lists
//   CreateProcess among the calls DllMain must not make (it can load
//   further DLLs), and CRT calls such as printf are also outside the set
//   documented as safe here.
// - pi.hProcess and pi.hThread returned by CreateProcessW are never closed,
//   leaking two handles inside the host process.
// - "stdafx.h" is included twice (once as "Stdafx.h"); redundant, and only
//   harmless if the header is guarded.
#include "stdafx.h"
#include "Dll.h"
#include "Stdafx.h"
#include <windows.h>
#pragma unmanaged
BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch(ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        STARTUPINFOW si;
        memset(&si,0,sizeof(STARTUPINFOW));
        si.cb=sizeof(STARTUPINFOW);
        si.dwFlags=STARTF_USESHOWWINDOW;   // makes wShowWindow below effective
        si.wShowWindow=SW_SHOW;            // child window shown normally
        PROCESS_INFORMATION pi;
        // Hard-coded target. Passed as lpApplicationName, so the spaces in the
        // path need no quoting.
        wchar_t target[]=L"C:\\Documents and Settings\\Administrator\\桌面\\软件安全漏洞分析与发现\\2018第一次作业\\挑战题附件\\挑战第三题_盗梦空间.exe";
        if(!CreateProcessW(target,NULL,NULL,NULL,FALSE,0,NULL,NULL,&si,&pi))
        {
            printf("error code:%d",GetLastError());
            printf("create process error\n");
        }
        break;
    }
    case DLL_PROCESS_DETACH:
    {
        break;
    }
    case DLL_THREAD_ATTACH:
    {
        break;
    }
    case DLL_THREAD_DETACH:
    {
        break;
    }
    }
    return TRUE;
}
