CreateRemoteThread用于创建一个在其他进程的地址空间中运行的线程（也称远程线程）。传入的进程句柄必须至少拥有 PROCESS_CREATE_THREAD、PROCESS_QUERY_INFORMATION、PROCESS_VM_OPERATION、PROCESS_VM_WRITE 和 PROCESS_VM_READ 访问权限，否则调用会失败。
其函数原型为:
// Win32 prototype of kernel32!CreateRemoteThread (older `__in`/`__out` SAL spelling).
HANDLE WINAPI CreateRemoteThread(
__in HANDLE hProcess,                            // handle to the target process (see access rights above)
__in LPSECURITY_ATTRIBUTES lpThreadAttributes,   // NULL = default thread security, non-inheritable handle
__in SIZE_T dwStackSize,                         // initial stack commit; 0 = target image default
__in LPTHREAD_START_ROUTINE lpStartAddress,      // entry point -- must be a valid address *inside the target process*
__in LPVOID lpParameter,                         // single argument handed to lpStartAddress, also a target-process address
__in DWORD dwCreationFlags,                      // 0 or CREATE_SUSPENDED
__out LPDWORD lpThreadId                         // receives the new thread ID; may be NULL
);
我们可以先把 Dll 的完整路径写进目标进程的地址空间，再以 kernel32 中的 LoadLibraryW 作为线程入口、以刚写入的路径地址作为参数创建远程线程，目标进程就会在该线程中加载 Dll，从而实现注入。这里有两个前提：一是 kernel32.dll 在同一次开机的所有同位数进程中映射在相同基址，所以在本进程里取到的 LoadLibraryW 地址在目标进程里同样有效；二是注入器与目标进程的位数必须一致（下面代码用 _WIN64 区分 DllX64.dll / DllX86.dll 正是出于这个原因）。另外要注意，CreateRemoteThread + LoadLibrary 是最经典、也最容易被 AV/EDR 检测到的注入方式。话不多说看代码:
头文件:
#pragma once
#include <windows.h>
#include <TlHelp32.h>
#include <Winternl.h>
#include <iostream>
#include <tchar.h>
using namespace std; //命名空间
// Page-protection sets used to decide whether a committed page counts as
// readable / writable (presumably consumed by SeIsValidReadPoint /
// SeIsValidWritePoint declared below; their bodies are not in this header).
// NOTE(review): PAGE_WRITECOPY and PAGE_EXECUTE_WRITECOPY pages are readable
// as well but are absent from PAGE_READ_FLAGS, and neither set accounts for
// the PAGE_GUARD modifier bit -- confirm against the callers before relying
// on these masks alone.
#define PAGE_READ_FLAGS \
(PAGE_READONLY | PAGE_READWRITE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE)
// Protections that permit writing (copy-on-write pages are treated as writable).
#define PAGE_WRITE_FLAGS \
(PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)
// Enables (IsEnable == TRUE) or disables the named privilege, e.g. L"SeDebugPrivilege",
// presumably in the current process token; returns FALSE on failure (main() aborts
// on that). Needed to open processes owned by other users / SYSTEM; not needed for
// the caller's own processes. Defined in the .cpp.
BOOL SeEnableSeDebugPrivilege(IN const WCHAR* PriviledgeName, BOOL IsEnable);
// Injects the DLL at DllFullPath into the process whose image name is
// ProcessImageName (ProcessImageNameLength = length of that name) by writing the
// path into the target and starting a remote thread. Returns FALSE on failure.
BOOL SeInjectionByCreateRemoteThread(WCHAR* DllFullPath, WCHAR* ProcessImageName, size_t ProcessImageNameLength);
// Resolves a process ID from its image name; the result is stored in *ProcessID.
// Returns FALSE if no matching process was found or enumeration failed.
BOOL SeGetProcessIDByProcessImageName(WCHAR* ProcessImageName, DWORD* ProcessID);
// Report whether VirtualAddress lies in a page that is readable / writable
// (presumably by checking the page protection against the *_FLAGS masks above).
BOOL SeIsValidReadPoint(LPVOID VirtualAddress);
BOOL SeIsValidWritePoint(LPVOID VirtualAddress);
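// Function-pointer type matching kernel32!CreateRemoteThread, so the API can be
// resolved at run time (presumably via GetProcAddress in the .cpp) instead of
// being linked by name.
typedef HANDLE(WINAPI* LPFN_CREATEREMOTETHREAD)(
_In_ HANDLE hProcess,                          // target process; needs CREATE_THREAD + VM_* access rights
_In_ LPSECURITY_ATTRIBUTES lpThreadAttributes, // NULL for defaults
_In_ SIZE_T dwStackSize,                       // 0 = target image default
_In_ LPTHREAD_START_ROUTINE lpStartAddress,    // address valid in the *target* process
_In_ LPVOID lpParameter,                       // argument, also a target-process address
_In_ DWORD dwCreationFlags,                    // 0 or CREATE_SUSPENDED
_Out_ LPDWORD lpThreadId);                     // may be NULL
// Function-pointer type matching kernel32!LoadLibraryW. LoadLibraryW always takes
// LPCWSTR; the previous LPCTSTR parameter silently became LPCSTR in a non-UNICODE
// build, mismatching the wchar_t path buffer that is passed to it.
typedef HMODULE(WINAPI *LPFN_LOADLIBRARYW) (_In_ LPCWSTR);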
.cpp:
#include"CreateRemoteThread-Injection.h"
// Run-time resolved pointer to CreateRemoteThread; NULL until assigned
// (presumably in the injection routine, which is not visible here).
// NOTE(review): identifiers starting with a double underscore are reserved for
// the implementation, so __CreateRemoteThread is technically ill-formed; a name
// like g_pfnCreateRemoteThread would be safer.
LPFN_CREATEREMOTETHREAD __CreateRemoteThread = NULL;
// Pointer to LoadLibraryW in the local process. Because kernel32 is mapped at the
// same base in every same-bitness process, this address is presumably reused as
// the remote thread's start routine. Zero-initialised as a global; must be set
// before use.
LPFN_LOADLIBRARYW f1;
void main()
{
wchar_t v1[MAX_PATH] = { 0 };//存动态链接库的完整路径
if (SeEnableSeDebugPrivilege(L"SeDebugPrivilege", TRUE) == FALSE)
{
return;
}
GetCurrentDirectory(MAX_PATH, v1);
#ifdef _WIN64
wcscat(v1, L"\\DllX64.dll");
#else
wcscat(v1, L"\\DllX86.dll");
#endif
SeE