注入思路
1.使用进程PID打开进程,获得句柄(只申请创建线程和读写内存所需的访问权限,不要用PROCESS_ALL_ACCESS)
2.使用进程句柄在目标进程中申请内存空间
3.把dll的完整路径写入该内存(相对路径会按目标进程自己的搜索顺序解析,存在被劫持的风险)
4.创建远程线程,以该路径为参数调用LoadLibrary(注入器与目标进程的位数必须一致)
5.等待远程线程结束后释放远程内存、关闭句柄等收尾工作;如有需要再卸载dll
代码实现:
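// Injects a DLL into another process: the DLL path is copied into the target's
// address space and a remote thread is started at kernel32!LoadLibraryA with
// that buffer as its argument, using ntdll!ZwCreateThreadEx instead of
// CreateRemoteThread.
//
// dwProcessId    - PID of the target process.
// pszDllFileName - NUL-terminated ANSI path of the DLL. Use an absolute path:
//                  LoadLibraryA resolves a relative name with the *target's*
//                  search order, which is a DLL-hijacking hazard.
//
// Returns TRUE when the remote thread ran to completion and LoadLibraryA
// reported a non-NULL module handle, FALSE otherwise. Each step appends a
// progress/error line to m_TipMsg.
//
// Limitations: the injector and the target must have the same bitness
// (a 32-bit injector cannot do this against a 64-bit target), and the local
// address of LoadLibraryA is assumed to be valid in the target as well
// (kernel32 is expected to be mapped at the same base in both processes).
//
// Fixes relative to the previous version: hProcess was leaked on every
// failure path, the remote buffer and the thread handle were never released,
// the NTSTATUS from ZwCreateThreadEx was ignored, the thread's result was
// never checked, and PROCESS_ALL_ACCESS was requested when a much narrower
// mask suffices.
BOOL CInjectDlg::ZwCreateThreadExInjectDll(DWORD dwProcessId, char* pszDllFileName)
{
    // ntdll!ZwCreateThreadEx (alias of NtCreateThreadEx, Vista+). The prototype
    // is the same on x86 and x64: on x86 ULONG/SIZE_T are 4 bytes, so the old
    // 32-bit variant (BOOL/DWORD/DWORD/DWORD) had an identical stack layout.
    // The return value is an NTSTATUS (negative = failure); LONG is used so
    // winternl.h is not required.
    typedef LONG(NTAPI *typedef_ZwCreateThreadEx)(
        PHANDLE ThreadHandle,
        ACCESS_MASK DesiredAccess,
        LPVOID ObjectAttributes,            // POBJECT_ATTRIBUTES, NULL here
        HANDLE ProcessHandle,
        LPTHREAD_START_ROUTINE lpStartAddress,
        LPVOID lpParameter,
        ULONG CreateFlags,                  // 0 = start immediately
        SIZE_T ZeroBits,
        SIZE_T StackSize,
        SIZE_T MaximumStackSize,
        LPVOID AttributeList);              // PPS_ATTRIBUTE_LIST, NULL here

    // Releases every kernel object / remote allocation on any exit path.
    struct Resources
    {
        HANDLE hProcess = NULL;
        LPVOID pRemoteBuf = NULL;
        HANDLE hThread = NULL;
        ~Resources()
        {
            if (hThread != NULL)
                CloseHandle(hThread);
            if (pRemoteBuf != NULL && hProcess != NULL)
                VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);
            if (hProcess != NULL)
                CloseHandle(hProcess);
        }
    } res;

    // A NULL/empty path would only make LoadLibraryA fail inside the target;
    // reject it before touching the other process.
    if (pszDllFileName == NULL || pszDllFileName[0] == '\0')
    {
        m_TipMsg += L"dll路径为空\r\n";
        return FALSE;
    }

    // 1. Open the target with only the rights this routine needs (the set the
    //    CreateRemoteThread documentation lists). Least privilege - and a
    //    narrower mask may be granted where PROCESS_ALL_ACCESS is refused.
    const DWORD dwAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    res.hProcess = OpenProcess(dwAccess, FALSE, dwProcessId);
    if (res.hProcess == NULL)
    {
        m_TipMsg += L"打开进程失败\r\n";
        return FALSE;
    }
    m_TipMsg += L"打开进程成功\r\n";

    // 2. Reserve + commit room in the target for the path and its terminator.
    const SIZE_T cbPath = strlen(pszDllFileName) + 1;
    res.pRemoteBuf = VirtualAllocEx(res.hProcess, NULL, cbPath,
                                    MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (res.pRemoteBuf == NULL)
    {
        m_TipMsg += L"申请内存失败\r\n";
        return FALSE;
    }
    m_TipMsg += L"申请内存成功\r\n";

    // 3. Copy the path and verify the whole string landed; a short write would
    //    hand LoadLibraryA an unterminated buffer.
    SIZE_T cbWritten = 0;
    if (!WriteProcessMemory(res.hProcess, res.pRemoteBuf, pszDllFileName, cbPath, &cbWritten) ||
        cbWritten != cbPath)
    {
        m_TipMsg += L"写入内存失败\r\n";
        return FALSE;
    }
    m_TipMsg += L"写入内存成功\r\n";

    // ntdll is already mapped into this process, so no LoadLibrary/FreeLibrary
    // pair has to be balanced.
    HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
    if (hNtdll == NULL)
    {
        m_TipMsg += L"加载ntdll失败\r\n";
        return FALSE;
    }
    m_TipMsg += L"加载ntdll成功\r\n";

    // The local LoadLibraryA address is reused as the remote start routine
    // (see the bitness / same-base assumption in the header comment).
    FARPROC pfnLoadLibraryA = GetProcAddress(GetModuleHandleA("Kernel32.dll"), "LoadLibraryA");
    if (pfnLoadLibraryA == NULL)
    {
        m_TipMsg += L"加载LoadLibraryA函数地址失败\r\n";
        return FALSE;
    }
    m_TipMsg += L"加载LoadLibraryA函数地址成功\r\n";

    typedef_ZwCreateThreadEx pfnZwCreateThreadEx =
        reinterpret_cast<typedef_ZwCreateThreadEx>(GetProcAddress(hNtdll, "ZwCreateThreadEx"));
    if (pfnZwCreateThreadEx == NULL)
    {
        m_TipMsg += L"加载ZwCreateThreadEx函数地址失败\r\n";
        return FALSE;
    }
    m_TipMsg += L"加载ZwCreateThreadEx函数地址成功\r\n";

    // 4. Start a thread in the target at LoadLibraryA(pRemoteBuf). Both the
    //    NTSTATUS and the returned handle are checked.
    const LONG status = pfnZwCreateThreadEx(
        &res.hThread,
        THREAD_ALL_ACCESS,
        NULL,
        res.hProcess,
        reinterpret_cast<LPTHREAD_START_ROUTINE>(pfnLoadLibraryA),
        res.pRemoteBuf,
        0, 0, 0, 0, NULL);
    if (status < 0 || res.hThread == NULL)
    {
        m_TipMsg += L"远程线程注入失败\r\n";
        return FALSE;
    }

    // 5. Wait for LoadLibraryA to return so the path buffer can be released
    //    safely, and use its return value to tell "thread ran" from "DLL was
    //    actually loaded". Bounded wait so a wedged target cannot hang the UI
    //    forever.
    const DWORD kLoadTimeoutMs = 10000;
    const DWORD dwWait = WaitForSingleObject(res.hThread, kLoadTimeoutMs);
    if (dwWait != WAIT_OBJECT_0)
    {
        // The thread may still be inside LoadLibraryA reading the path, so the
        // remote buffer is deliberately left mapped rather than freed under it.
        res.pRemoteBuf = NULL;
        m_TipMsg += L"远程线程注入失败\r\n";
        return FALSE;
    }

    // GetExitCodeThread yields the low 32 bits of LoadLibraryA's HMODULE; zero
    // means the load failed. (A 64-bit base whose low 32 bits are all zero
    // would be misreported - accepted as a diagnostic-tool limitation.)
    DWORD dwExitCode = 0;
    if (!GetExitCodeThread(res.hThread, &dwExitCode) || dwExitCode == 0)
    {
        m_TipMsg += L"远程线程注入失败\r\n";
        return FALSE;
    }
    m_TipMsg += L"远程线程注入成功\r\n";
    return TRUE;
}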