DLL injection (the CreateRemoteThread method)

Disclaimer: This is an original article by the blogger and may not be reproduced without the blogger's permission. https://blog.csdn.net/Giser_D/article/details/91417283

CreateRemoteThread creates a new thread in an existing process.

The steps for injecting a DLL from a 32-bit process into a 32-bit process are as follows:

1. OpenProcess: open an existing process

2. VirtualAllocEx: allocate space in it

3. Get the address of LoadLibraryW

4. WriteProcessMemory: write the DLL path into the allocated space

5. CreateRemoteThread: perform the injection

The code is as follows:

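#include <windows.h>
#include <tchar.h>

// Inject a DLL from a 32-bit program into a 32-bit program
// @param dwPid:   PID of the process to inject into
// @param dllpath: path of the DLL to inject
// return: true if the injection succeeded, false if it failed
// Note: the path is handed to LoadLibraryW, so TCHAR must be wchar_t (UNICODE build).
bool injectDll32To32(DWORD dwPid, LPCTSTR dllpath)
{
	// Step 1: open the destination process
	HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, dwPid);
	if (!hProcess)
	{
		return false;
	}

	// Size of the DLL path in bytes, including the terminator
	DWORD dwBufSize = (DWORD)(_tcslen(dllpath) + 1) * sizeof(TCHAR);

	// Step 2: allocate space in the target process
	LPVOID targetAddress = VirtualAllocEx(hProcess, 0, dwBufSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	if (!targetAddress)
	{
		CloseHandle(hProcess);
		return false;
	}

	// Step 3: get the address of LoadLibraryW
	LPTHREAD_START_ROUTINE pfnThreadRtn = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryW");

	// Step 4: change the page protection
	DWORD oldProtect = 0;
	VirtualProtectEx(hProcess, targetAddress, dwBufSize, PAGE_EXECUTE_READWRITE, &oldProtect);

	// Step 5: write the DLL path into the target process
	SIZE_T bytesRet = 0;
	if (!pfnThreadRtn || !WriteProcessMemory(hProcess, targetAddress, (LPVOID)dllpath, dwBufSize, &bytesRet))
	{
		VirtualFreeEx(hProcess, targetAddress, 0, MEM_RELEASE);
		CloseHandle(hProcess);
		return false;
	}

	// Restore the original page protection
	VirtualProtectEx(hProcess, targetAddress, dwBufSize, oldProtect, &oldProtect);

	// Step 6: create the remote thread, which runs LoadLibraryW(targetAddress)
	HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, targetAddress, 0, NULL);
	if (!hThread)
	{
		VirtualFreeEx(hProcess, targetAddress, 0, MEM_RELEASE);
		CloseHandle(hProcess);
		return false;
	}

	// Wait for the load to finish, then release the buffer and the handles
	WaitForSingleObject(hThread, INFINITE);
	CloseHandle(hThread);
	VirtualFreeEx(hProcess, targetAddress, 0, MEM_RELEASE);
	CloseHandle(hProcess);
	return true;
}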
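How the remote thread from the last step looks to a defender, as an added example that is not part of the original article or its repository: the thread starts at a LoadLibrary export inside another process, which Sysmon records as Event ID 8 (CreateRemoteThread), and the resulting DLL load shows up as Event ID 7 (ImageLoad) in the target. It assumes Sysmon events already parsed into dicts; the sample events, paths, PIDs and the 5-second window are constructed for illustration.

```python
from datetime import datetime, timedelta

LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
WINDOW = timedelta(seconds=5)  # assumed correlation window, tune per environment

# Constructed sample events (not real telemetry), already parsed into dicts.
SAMPLE_EVENTS = [
    {"EventID": 7, "UtcTime": "2019-06-10 08:15:01.900", "ProcessId": 5320,
     "Image": r"C:\Windows\SysWOW64\notepad.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\uxtheme.dll"},
    {"EventID": 8, "UtcTime": "2019-06-10 08:15:02.100", "SourceProcessId": 4120,
     "SourceImage": r"C:\Tools\injector.exe", "TargetProcessId": 5320,
     "TargetImage": r"C:\Windows\SysWOW64\notepad.exe",
     "StartModule": r"C:\Windows\SysWOW64\kernel32.dll", "StartFunction": "LoadLibraryW"},
    {"EventID": 7, "UtcTime": "2019-06-10 08:15:02.150", "ProcessId": 5320,
     "Image": r"C:\Windows\SysWOW64\notepad.exe",
     "ImageLoaded": r"C:\Users\Public\demo.dll"},
    {"EventID": 8, "UtcTime": "2019-06-10 08:15:03.000", "SourceProcessId": 612,
     "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetProcessId": 7004,
     "TargetImage": r"C:\Windows\System32\cmd.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll", "StartFunction": "CtrlRoutine"},
]

def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def find_loadlibrary_injections(events):
    """Flag cross-process threads that start at a LoadLibrary export and
    list the images the target loaded within WINDOW after the thread began."""
    findings = []
    for ev in events:
        if ev["EventID"] != 8 or ev.get("StartFunction") not in LOADERS:
            continue
        if ev["SourceProcessId"] == ev["TargetProcessId"]:
            continue  # not a remote thread
        t0 = _ts(ev)
        loaded = [e["ImageLoaded"] for e in events
                  if e["EventID"] == 7 and e["ProcessId"] == ev["TargetProcessId"]
                  and timedelta(0) <= _ts(e) - t0 <= WINDOW]
        findings.append({"source": ev["SourceImage"], "target": ev["TargetImage"],
                         "target_pid": ev["TargetProcessId"],
                         "start_function": ev["StartFunction"],
                         "loaded_after": loaded})
    return findings

if __name__ == "__main__":
    for finding in find_loadlibrary_injections(SAMPLE_EVENTS):
        print(finding)
```

The image list is a lead for triage rather than proof, since unrelated loads in the same window are included.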

 

The 32-bit to 64-bit, 64-bit to 32-bit, and 64-bit to 64-bit injection cases will be written up later when there is time.

Source code: https://github.com/huifeng-kooboo/InjectDll
