WIN32 远程注入 CreateRemoteThread

2021-01-03 00:29


// remote06.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include "windows.h"


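/*
 * Loads the DLL at DllPathName into the process identified by ProcessID by
 * starting a remote thread whose start routine is kernel32!LoadLibraryA and
 * whose argument is a copy of the path written into the target's memory.
 *
 * Returns TRUE once the remote thread has been created, FALSE on any
 * failure (the failing step is reported via OutputDebugString). The function
 * does not wait for the thread, so TRUE does not mean LoadLibraryA succeeded.
 *
 * Changes from the original listing:
 *  - CloseHandle was called on a NULL process handle and on the HMODULE
 *    returned by GetModuleHandle; an HMODULE is a base address, not a kernel
 *    handle, and must not be passed to CloseHandle.
 *  - The LoadLibraryA address was truncated through DWORD, which silently
 *    breaks 64-bit builds; FARPROC keeps pointer width.
 *  - The memory allocated in the target is released if a later step fails.
 *    On success it is intentionally left in place: the remote thread reads
 *    the path asynchronously, so freeing it here would be a use-after-free.
 *
 * Defender's note: this exact sequence — OpenProcess(PROCESS_ALL_ACCESS),
 * VirtualAllocEx, WriteProcessMemory, CreateRemoteThread with a start address
 * inside kernel32 — is the textbook injection pattern that endpoint telemetry
 * (cross-process handle opens, remote allocations/writes, remote thread
 * creation) is built to surface.
 */
BOOL func(DWORD ProcessID,char* DllPathName)
{
    BOOL ok = FALSE;
    HANDLE hProcess = NULL;
    LPVOID lpAllocAddr = NULL;
    HANDLE hThread = NULL;
    HMODULE hKernel32 = NULL;
    FARPROC pLoadLibraryA = NULL;
    SIZE_T LenOfDllPathName = 0;

    /* strlen(NULL) is undefined behaviour; refuse early. */
    if (DllPathName == NULL)
    {
        return FALSE;
    }

    //1. Open the target process.
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);
    if (hProcess == NULL)
    {
        OutputDebugString("OpenProcess失败!");
        goto cleanup;
    }

    //2. Length of the DLL path including the terminating NUL.
    LenOfDllPathName = strlen(DllPathName) + 1;

    //3. Allocate room for the path inside the target process.
    lpAllocAddr = VirtualAllocEx(hProcess, NULL, LenOfDllPathName, MEM_COMMIT, PAGE_READWRITE);
    if (lpAllocAddr == NULL)
    {
        OutputDebugString("VirtualAllocEx失败!");
        goto cleanup;
    }

    //4. Copy the path into the newly allocated remote memory.
    if (!WriteProcessMemory(hProcess, lpAllocAddr, DllPathName, LenOfDllPathName, NULL))
    {
        OutputDebugString("WriteProcessMemory失败!");
        goto cleanup;
    }

    //5. Locate kernel32 in this process. The HMODULE is a base address and is
    //   not a handle, so it is never closed.
    hKernel32 = GetModuleHandle("Kernel32.dll");
    if (hKernel32 == NULL)
    {
        OutputDebugString("GetModuleHandle失败!");
        goto cleanup;
    }

    //6. Resolve LoadLibraryA. Keep the full pointer width (FARPROC), never
    //   a DWORD, so the address survives on 64-bit builds.
    pLoadLibraryA = GetProcAddress(hKernel32, "LoadLibraryA");
    if (pLoadLibraryA == NULL)
    {
        OutputDebugString("GetProcAddress失败!");
        goto cleanup;
    }

    //7. Start a thread in the target that calls LoadLibraryA(lpAllocAddr).
    hThread = CreateRemoteThread(hProcess, NULL, 0,
                                 (LPTHREAD_START_ROUTINE)pLoadLibraryA,
                                 lpAllocAddr, 0, NULL);
    if (hThread == NULL)
    {
        OutputDebugString("CreateRemoteThread失败!");
        goto cleanup;
    }

    ok = TRUE;

cleanup:
    /* Single exit: release only what was actually acquired. */
    if (hThread != NULL)
    {
        CloseHandle(hThread);
    }
    /* The remote buffer is freed only on failure; on success the remote
       thread still needs to read it. */
    if (!ok && lpAllocAddr != NULL)
    {
        VirtualFreeEx(hProcess, lpAllocAddr, 0, MEM_RELEASE);
    }
    if (hProcess != NULL)
    {
        CloseHandle(hProcess);
    }
    return ok;
}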
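/*
 * Entry point. `进程ID` and `DLL路径` are placeholders from the original
 * article, not identifiers: the reader substitutes a process id and an
 * absolute DLL path before building. The original discarded func's result,
 * so a failed injection was indistinguishable from success; the process exit
 * status now reflects it.
 */
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    if (!func(进程ID,DLL路径))
    {
        return 1;
    }

    return 0;
}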


原文地址:https://www.cnblogs.com/ganxiang/p/13215364.html

