原理通过挂起线程(SuspendThread),设置线程(SetThreadContext)上下文中的eip(rip)方式注入。
//ThreadInject.h
#pragma once
// ThreadInject 对话框
class ThreadInject : public CDialogEx
{
DECLARE_DYNAMIC(ThreadInject)
public:
ThreadInject(CWnd* pParent = NULL); // 标准构造函数
virtual ~ThreadInject();
// 对话框数据
enum { IDD = IDD_DIALOG2 };
protected:
virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV 支持
DECLARE_MESSAGE_MAP()
public:
// 进程ID
DWORD m_dwPid;
CString m_strDllPath;
afx_msg void OnBnClickedButton2();
afx_msg void OnBnClickedButton3();
afx_msg void OnBnClickedButton4();
};
//ThreadInject.cpp
// ThreadInject.cpp : 实现文件
//
#include "stdafx.h"
#include "MyInjectTool.h"
#include "ThreadInject.h"
#include "afxdialogex.h"
//777A01D5 68 78563412 push 12345678
//777A01DA 9C pushfd
//777A01DB 60 pushad
//777A01EB 61 popad
//777A01EC 9D popfd
//777A01ED C3 retn
//结构必须字节对齐1
#pragma pack(1)
typedef struct _INJECT_CODE
{
BYTE byPUSH;
DWORD dwPUSH_VALUE;
BYTE byPUSHFD;
BYTE byPUSHAD;
BYTE byMOV_EAX; //mov eax, addr szDllpath
DWORD dwMOV_EAX_VALUE;
BYTE byPUSH_EAX; //push eax
BYTE byMOV_ECX; //mov ecx, LoadLibrary
DWORD dwMOV_ECX_VALUE;
WORD wCALL_ECX; //call ecx
BYTE byPOPAD;
BYTE byPOPFD;
BYTE byRETN;
CHAR szDllPath[MAX_PATH];
}INJECT_CODE, *PINJECT_CODE;
#pragma pack()
// ThreadInject 对话框
IMPLEMENT_DYNAMIC(ThreadInject, CDialogEx)
ThreadInject::ThreadInject(CWnd* pParent /*=NULL*/)
: CDialogEx(ThreadInject::IDD, pParent)
, m_dwPid(0)
, m_strDllPath(_T(""))
{
}
ThreadInject::~ThreadInject()
{
}
void ThreadInject::DoDataExchange(CDataExchange* pDX)
{
CDialogEx::DoDataExchange(pDX);
DDX_Text(pDX, IDC_EDIT1, m_dwPid);
DDX_Text(pDX, IDC_EDIT4, m_strDllPath);
}
BEGIN_MESSAGE_MAP(ThreadInject, CDialogEx)
ON_BN_CLICKED(IDC_BUTTON2, &ThreadInject::OnBnClickedButton2)
ON_BN_CLICKED(IDC_BUTTON3, &ThreadInject::OnBnClickedButton3)
ON_BN_CLICKED(IDC_BUTTON4, &ThreadInject::OnBnClickedButton4)
END_MESSAGE_MAP()
// ThreadInject 消息处理程序
void ThreadInject::OnBnClickedButton2()
{
// TODO: 在此添加控件通知处理程序代码
char szFilter[] = "动态链接库|*.dll";
CFileDialog fileDlg(TRUE, "dll", NULL, OFN_HIDEREADONLY | OFN_OVERWRITEPROMPT, szFilter);
UpdateData(TRUE);
if (fileDlg.DoModal() == IDOK)
{
m_strDllPath = fileDlg.GetPathName();
}
UpdateData(FALSE);
}
HANDLE g_hProcess = 0;
LPVOID g_lpBuffer = NULL;
void ThreadInject::OnBnClickedButton3()
{
// TODO: 在此添加控件通知处理程序代码
//打开目标进程
BOOL bRet = 0;
INJECT_CODE ic = { 0 };
THREADENTRY32 te32 = { 0 };
HANDLE hThreadSnap = NULL;
DWORD dwThreadId = 0;
HANDLE hThread = NULL;
CONTEXT oldContext = { 0 };
CONTEXT newContext = { 0 };
DWORD dwOldEip = 0;
//打开进程
g_hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, m_dwPid);
if (!g_hProcess)
{
MessageBox("OpenProcess 失败");
return;
}
g_lpBuffer = VirtualAllocEx(g_hProcess, NULL, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (!g_lpBuffer)
{
MessageBox("VirtualAllocEx 失败");
return;
}
//给ShellCode结构体赋值
ic.byPUSH = 0x68;
ic.dwPUSH_VALUE = 0x12345678; //用于保存原来的返回地址
ic.byPUSHFD = 0x9C;
ic.byPUSHAD = 0x60;
ic.byMOV_EAX = 0xB8;
ic.dwMOV_EAX_VALUE = (DWORD)g_lpBuffer + offsetof(INJECT_CODE, szDllPath);
ic.byPUSH_EAX = 0x50;
ic.byMOV_ECX = 0xB9;
ic.dwMOV_ECX_VALUE = (DWORD)&LoadLibrary;
ic.wCALL_ECX = 0xD1FF;
ic.byPOPAD = 0x61;
ic.byPOPFD = 0x9D;
ic.byRETN = 0xC3;
memcpy(ic.szDllPath, m_strDllPath.GetBuffer(0), m_strDllPath.GetLength());
//写入ShellCode
bRet = WriteProcessMemory(g_hProcess, g_lpBuffer, &ic, sizeof(ic), NULL);
if (!bRet)
{
MessageBox("写入内存失败");
return;
}
//创建线程快照查找目标程序主线程
te32.dwSize = sizeof(te32);
hThreadSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
if (hThreadSnap == INVALID_HANDLE_VALUE)
{
MessageBox("CreateToolhelp32Snapshot 失败");
return;
}
//遍历查询目标程序主线程ID
if (Thread32First(hThreadSnap, &te32))
{
do
{
if (m_dwPid == te32.th32OwnerProcessID)
{
dwThreadId = te32.th32ThreadID;
break;
}
} while (Thread32Next(hThreadSnap, &te32));
}
//打开目标主线程
hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, dwThreadId);
if (!OpenThread)
{
MessageBox("OpenThread 失败");
return;
}
//挂起目标主线程
bRet = SuspendThread(hThread);
if (bRet == -1)
{
MessageBox("SuspendThread 失败");
return;
}
oldContext.ContextFlags = CONTEXT_FULL;
bRet = GetThreadContext(hThread, &oldContext);
if (!bRet)
{
MessageBox("GetThreadContext 失败");
return;
}
newContext = oldContext;
#ifdef _WIN64
newContext.Rip = (DWORD)g_lpBuffer;
dwOldEip = oldContext.Rip;
#else
newContext.Eip = (DWORD)g_lpBuffer;
dwOldEip = oldContext.Eip;
#endif
//;将指针指向ShellCode第一句push 12345678h中的地址,写入返回地址
bRet = WriteProcessMemory(g_hProcess, ((char*)g_lpBuffer) + 1, &dwOldEip, sizeof(DWORD), NULL);
if (!bRet)
{
MessageBox("写入内存失败");
return;
}
bRet = SetThreadContext(hThread, &newContext);
if (!bRet)
{
MessageBox("SetThreadContext 失败");
return;
}
//然后把主线程跑起来
bRet = ResumeThread(hThread);
if (bRet == -1)
{
MessageBox("ResumeThread 失败");
return;
}
}
void ThreadInject::OnBnClickedButton4()
{
// TODO: 在此添加控件通知处理程序代码
if (!VirtualFreeEx(g_hProcess, g_lpBuffer, 0, MEM_RELEASE))
{
MessageBox("VirtualFreeEx 失败");
return;
}
MessageBox("释放对方空间成功");
}