资源描述:
《dll注入经典方法完整版》由会员上传分享,免费在线阅读,更多相关内容在行业资料-天天文库。
1、Dll注入经典方法完整版1,OpenProcess获得要注入进程的句柄2,VirtualAllocEx在远程进程中开辟出一段内存,长度为strlen(dllname)+1;3,WriteProcessMemory将Dll的名字写入第二步开辟出的内存中。4,CreateRemoteThread将LoadLibraryA作为线程函数,参数为Dll的名称,创建新线程5,CloseHandle关闭线程句柄卸载Dll:1,CreateRemoteThread将GetModuleHandle注入到远程进程中,参数为被注入的Dll名2,GetExitCo
2、deThread将线程退出的退出码作为Dll模块的句柄值。3,CloseHandle关闭线程句柄3,CreateRemoteThread将FreeLibraryA注入到远程进程中,参数为第二步获得的句柄值。4,WaitForSingleObject等待对象句柄返回5,CloseHandle关闭线程及进程句柄。1.#include 2.#include 3.#include 4. 5. 6.DWORD getProcessHandle(LPCTSTR lpProcessNa
3、me)//根据进程名查找进程PID 7.{ 1. DWORD dwRet = 0; 2. HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); 3. if(hSnapShot == INVALID_HANDLE_VALUE) 4. { 5. printf("获得进程快照失败%d",GetLastError()); 6. return dwRet; 7. } 8. 9. PROCESSENTRY3
4、2 pe32;//声明进程入口对象 10. pe32.dwSize = sizeof(PROCESSENTRY32);//填充进程入口对象大小 11. Process32First(hSnapShot,&pe32);//遍历进程列表 12. do 13. { 14. if(!lstrcmp(pe32.szExeFile,lpProcessName))//查找指定进程名的PID 15. { 16. dwRet = pe32.th32ProcessID; 17.
5、 break; 18. } 19. } while (Process32Next(hSnapShot,&pe32)); 20. CloseHandle(hSnapShot); 21. return dwRet;//返回 22.} 23. 24.INT main(INT argc,CHAR * argv[]) 25.{ 26. DWORD dwPid = getProcessHandle((LPCTSTR)argv[1]); 27. LPCSTR lpDllName = "EvilDl
6、l.dll"; 28. HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION
7、PROCESS_VM_WRITE,FALSE,dwPid); 29. if(hProcess == NULL) 30. { 31. printf("获取进程句柄错误%d",GetLastError()); 32. return -1; 33. } 34. DWORD dwSize = strlen(lpDllName)+1; 35. DWORD d
8、wHasWrite; 36. LPVOID lpRemoteBuf = VirtualAllocEx(hProcess,NULL,dwSize,MEM_COMMIT,PAGE_READWRITE); 1. if(WriteProcessMemory(hProcess,lpRemoteBuf,lpDllName,dwSize,&dwHasWrite)) 2. { 3. if(dwHasWrite != dwSize) 4. { 5. VirtualFreeEx(hProces
9、s,lpRemoteBuf,dwSize,MEM_COMMIT); 6. CloseHandle(hProcess); 7. retu
