Dll注入技術之遠程線程注入
測試環境
系統:Windows 10 64bit
注入目標: win7 64bit 計算器(這個軟件用着習慣,所以我從win7上拷貝到win10上了)
主要思路:
1.使用進程PID打開進程,獲得句柄(注入者必須對目標進程有足夠權限;目標進程的完整性級別高於注入者,或屬於其他用戶時,OpenProcess 會失敗)
2.使用進程句柄申請內存空間
3.把dll路徑寫入內存
4.創建遠程線程,以寫入的 DLL 路徑為參數調用 LoadLibraryW(路徑是寬字符串,所以要明確用 W 版本;本進程裡 kernel32 的函數地址能在目標進程裡直接用,是因為同位數的進程中 kernel32.dll 的映射基址相同——因此注入器和目標必須同為 64 位或同為 32 位,本文環境都是 64 位)
5.等待遠程線程結束後釋放遠程內存和各個句柄(收尾),或者再用同樣的辦法讓目標調用 FreeLibrary 卸載 dll
主要函數:
// Open a handle to the target process by PID. Returns NULL on failure
// (e.g. the caller lacks the requested rights on that process).
HANDLE WINAPI OpenProcess(_In_ DWORD dwDesiredAccess, // access rights requested; the injection below only needs create-thread, VM-operation/write/read and query-information
_In_ BOOL bInheritHandle, // child processes must not inherit the handle: pass FALSE
_In_ DWORD dwProcessId // PID of the target process
);
// Reserve and/or commit memory inside another process. Returns the base
// address of the region in the target's address space, or NULL on failure.
LPVOID WINAPI VirtualAllocEx(
_In_ HANDLE hProcess, // process handle (from OpenProcess)
_In_opt_ LPVOID lpAddress, // preferred base address; NULL lets the system choose
_In_ SIZE_T dwSize, // size of the region in bytes
_In_ DWORD flAllocationType, // MEM_RESERVE and/or MEM_COMMIT: whether pages are backed immediately
_In_ DWORD flProtect // page protection of the region; PAGE_READWRITE is enough for a data buffer
);
// Copy a buffer into another process's address space.
BOOL WINAPI WriteProcessMemory(_In_ HANDLE hProcess, // process handle
_In_ LPVOID lpBaseAddress, // destination in the target (the region returned by VirtualAllocEx)
_In_ LPCVOID lpBuffer, // source bytes (here: the DLL path, including its terminating NUL)
_In_ SIZE_T nSize, // number of bytes to write
_Out_ SIZE_T *lpNumberOfBytesWritten // receives the number of bytes actually written; compare against nSize
);
// Start a new thread inside another process. Returns a handle to the thread,
// or NULL on failure.
HANDLE WINAPI CreateRemoteThread(
_In_ HANDLE hProcess, // process handle
_In_ LPSECURITY_ATTRIBUTES lpThreadAttributes, // security attributes; NULL for the defaults (as at the call site below)
_In_ SIZE_T dwStackSize, // initial stack size; 0 uses the default
_In_ LPTHREAD_START_ROUTINE lpStartAddress, // routine the new thread runs (LoadLibraryW here); the address must be valid inside the target
_In_ LPVOID lpParameter, // single argument handed to that routine (the remote path buffer)
_In_ DWORD dwCreationFlags, // 0 runs the thread immediately
_Out_ LPDWORD lpThreadId // receives the new thread's id; the call below passes 0 (not needed)
);
主要代碼:
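// Remote-thread DLL injection: write a DLL path into the target process and
// have a new thread there call LoadLibraryW on it.

// Access rights the injection actually needs (the documented requirement of
// CreateRemoteThread plus VirtualAllocEx/WriteProcessMemory). PROCESS_ALL_ACCESS
// asks for far more than is used here.
#define INJECT_PROCESS_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | \
                               PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)

// Inject the DLL at pszDllPath into process dwPid.
// Returns true only when the remote thread was created, ran to completion and
// LoadLibraryW reported a non-zero module handle. The process handle, thread
// handle and remote buffer are released on every path.
static bool InjectDllByPath(DWORD dwPid, const WCHAR *pszDllPath)
{
    bool ok = false;
    HANDLE hProcess = NULL;
    HANDLE hRemoteThread = NULL;
    LPVOID pBuf = NULL;
    SIZE_T cbPath = 0;
    SIZE_T cbWritten = 0;
    HMODULE hKernel32 = NULL;
    FARPROC pfnLoadLibraryW = NULL;
    DWORD dwExitCode = 0;

    if (pszDllPath == NULL || pszDllPath[0] == L'\0')
    {
        return false;
    }

    // 1. Open the target with the minimum rights needed. Fails with
    //    ERROR_ACCESS_DENIED when the target runs at a higher integrity level
    //    or as another user. The original never checked this result and never
    //    closed the handle.
    hProcess = OpenProcess(INJECT_PROCESS_ACCESS, FALSE, dwPid);
    if (hProcess == NULL)
    {
        printf("打開進程失敗! (%lu)\n", GetLastError());
        return false;
    }

    // 2. Reserve+commit a buffer in the target large enough for the path and
    //    its terminating NUL. PAGE_READWRITE is enough: only data lives here.
    cbPath = (wcslen(pszDllPath) + 1) * sizeof(WCHAR);
    pBuf = VirtualAllocEx(hProcess, NULL, cbPath, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (pBuf == NULL)
    {
        printf("申請內存失敗!\n");
        goto cleanup;
    }

    // 3. Copy the path (including the NUL) and make sure all of it landed.
    if (!WriteProcessMemory(hProcess, pBuf, pszDllPath, cbPath, &cbWritten) || cbWritten != cbPath)
    {
        printf("寫入內存失敗!\n");
        goto cleanup;
    }

    // 4. Resolve LoadLibraryW explicitly: the buffer holds a wide string, so the
    //    LoadLibrary macro (which becomes LoadLibraryA or LoadLibraryW depending
    //    on UNICODE) must not be used. The local address is usable inside the
    //    target only because kernel32.dll is mapped at the same base in every
    //    process of the same bitness; a 32/64-bit mismatch between injector and
    //    target breaks this.
    hKernel32 = GetModuleHandleW(L"kernel32.dll");
    pfnLoadLibraryW = (hKernel32 != NULL) ? GetProcAddress(hKernel32, "LoadLibraryW") : NULL;
    if (pfnLoadLibraryW == NULL)
    {
        printf("獲取LoadLibraryW地址失敗!\n");
        goto cleanup;
    }

    hRemoteThread = CreateRemoteThread(hProcess, NULL, 0,
                                       (LPTHREAD_START_ROUTINE)pfnLoadLibraryW, pBuf, 0, NULL);
    if (hRemoteThread == NULL)
    {
        printf("創建遠程線程失敗! (%lu)\n", GetLastError());
        goto cleanup;
    }

    // 5. Wait for LoadLibraryW to return, then read its result from the thread
    //    exit code. The exit code is a DWORD, so on 64-bit targets only the low
    //    32 bits of the HMODULE survive; zero is treated as "load failed" (bad
    //    path, bitness mismatch, DllMain returned FALSE, ...). A 64-bit HMODULE
    //    whose low half happens to be zero would be misreported as a failure.
    if (WaitForSingleObject(hRemoteThread, INFINITE) != WAIT_OBJECT_0)
    {
        printf("等待遠程線程失敗!\n");
        goto cleanup;
    }
    if (!GetExitCodeThread(hRemoteThread, &dwExitCode) || dwExitCode == 0)
    {
        printf("遠程LoadLibrary失敗!\n");
        goto cleanup;
    }
    ok = true;

cleanup:
    // The path buffer is only needed until LoadLibraryW has returned. MEM_RELEASE
    // is the correct flag here: the original passed MEM_FREE, which is a
    // VirtualQuery *state* value, not a valid VirtualFreeEx type, so that call
    // failed and the remote page leaked.
    if (hRemoteThread != NULL)
    {
        CloseHandle(hRemoteThread);
    }
    if (pBuf != NULL)
    {
        VirtualFreeEx(hProcess, pBuf, 0, MEM_RELEASE);
    }
    CloseHandle(hProcess);
    return ok;
}

// Original entry point: inject the fixed DLL path into process dwPid.
// The path is interpreted by the target (it must exist there), and the DLL
// must be built for the target's bitness — 64-bit in the test environment
// above. Returns false on any failure.
bool RemoteThreadInject(SIZE_T dwPid)
{
    // Win32 PIDs are DWORDs; the wider SIZE_T parameter is kept for existing callers.
    return InjectDllByPath((DWORD)dwPid, L"C:\\Win32Dll.dll");
}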
dll部分只彈出一個MessageBox,以下是dll部分源碼