dll的注入 (远程线程方式)

本文详细介绍了一种通过DLL注入实现进程间通信的技术方案。具体步骤包括:获取目标进程ID,设置本进程为debug权限,获取目标进程句柄,在远程进程中分配内存用于存放DLL路径,将DLL路径写入远程内存,最后通过创建远程线程来加载DLL。


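/*
 * Look up the PID of the first running process whose executable name equals
 * lpProcessName (exact, case-sensitive comparison, as the original strcmp).
 *
 * Returns the PID, or 0 when nothing matches, lpProcessName is NULL, or the
 * snapshot cannot be taken. Errors are reported on stdout with GetLastError().
 *
 * NOTE(review): strcmp on pe32.szExeFile assumes an ANSI (non-UNICODE) build;
 * with UNICODE defined szExeFile is a WCHAR array -- confirm the build settings.
 */
DWORD MyGetProcessHand(LPCSTR lpProcessName)
{
    DWORD dwPid = 0;

    if (lpProcessName == NULL) {
        return dwPid;
    }

    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapShot == INVALID_HANDLE_VALUE) {
        /* GetLastError() is a DWORD (unsigned long): %lu, not %d */
        printf("CreateToolhelp32Snapshot error: %lu\r\n", GetLastError());
        return dwPid;
    }

    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(pe32);   /* Process32First requires dwSize to be set */

    /* The original ignored Process32First's result and then compared against
     * an entry that might never have been filled in. */
    if (Process32First(hSnapShot, &pe32)) {
        do {
            if (strcmp(pe32.szExeFile, lpProcessName) == 0) {
                dwPid = pe32.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnapShot, &pe32));
    } else {
        printf("Process32First error: %lu\r\n", GetLastError());
    }

    CloseHandle(hSnapShot);
    return dwPid;
}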


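/*
 * Enable SE_DEBUG_NAME on the access token of hProcess (the caller passes
 * GetCurrentProcess()). On any failure a message is printed on stdout and the
 * function returns; the token handle is always closed before returning.
 */
void MyEnableDebugPrivilege(HANDLE hProcess)
{
    HANDLE hToken = NULL;
    LUID luid;
    TOKEN_PRIVILEGES tps;

    if (!OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        /* GetLastError() is a DWORD (unsigned long): %lu, not %d */
        printf("OpenProcessToken error: %lu\r\n", GetLastError());
        return;
    }

    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) {
        printf("luid error: %lu\r\n", GetLastError());
        CloseHandle(hToken);
        return;
    }

    tps.PrivilegeCount = 1;
    tps.Privileges[0].Luid = luid;
    tps.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    /* FALSE (Windows BOOL) rather than the C++ keyword `false` used by the original. */
    if (!AdjustTokenPrivileges(hToken, FALSE, &tps, sizeof(tps), NULL, NULL)) {
        printf("AdjustTokenPrivileges error: %lu\r\n", GetLastError());
    } else if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) {
        /* AdjustTokenPrivileges returns TRUE even when the token does not hold
         * the privilege (e.g. a non-elevated caller); only GetLastError tells.
         * The original silently treated this as success. */
        printf("AdjustTokenPrivileges not all assigned: %lu\r\n", GetLastError());
    }

    /* The original leaked hToken on the success path. */
    CloseHandle(hToken);
}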


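/*
 * Entry point: find the PID of "pe.exe", enable the debug privilege, open the
 * target, copy the DLL path into its address space and start a remote thread
 * on LoadLibraryA with that path as its argument.
 *
 * Returns 0 on success, -1 on any failure. All handles and the remote buffer
 * are released on every path via the single cleanup label.
 */
int main(int argc, char *argv[])
{
    int rc = -1;
    HANDLE hProcess = NULL;
    LPVOID lpRemoteBuf = NULL;
    HANDLE hNewRemoteThread = NULL;
    DWORD dwPid = 0;
    DWORD dwNewThreadId = 0;
    SIZE_T dwSize = 0;
    SIZE_T dwWriteByte = 0;   /* WriteProcessMemory writes a SIZE_T, not a DWORD */
    LPCSTR lpDllName = "HookDll.dll";
    LPTHREAD_START_ROUTINE lpLoadDll = NULL;

    (void)argc;
    (void)argv;

    /* Query the PID of the target process */
    dwPid = MyGetProcessHand((LPCSTR)"pe.exe");
    if (dwPid == 0) {
        /* OpenProcess(…, 0) would fail anyway; report the real cause instead. */
        printf("target process not found\r\n");
        goto out;
    }

    /* Give this process the debug privilege so that other processes can be opened */
    MyEnableDebugPrivilege(GetCurrentProcess());

    /* Obtain a handle to the target process.
     * PROCESS_ALL_ACCESS already includes the three rights OR'ed with it; the
     * mask is kept as in the original. bInheritHandle is a BOOL, hence FALSE. */
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_ALL_ACCESS, FALSE, dwPid);
    if (hProcess == NULL) {
        printf("OpenProcess error: %lu\r\n", GetLastError());
        goto out;
    }

    dwSize = strlen(lpDllName) + 1;   /* include the terminating NUL */

    /* Allocate memory in the remote process to hold the DLL path */
    lpRemoteBuf = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
    if (lpRemoteBuf == NULL) {
        /* The original passed a NULL buffer straight into WriteProcessMemory. */
        printf("VirtualAllocEx error: %lu\r\n", GetLastError());
        goto out;
    }

    /* Write the DLL path into the remote buffer */
    if (!WriteProcessMemory(hProcess, lpRemoteBuf, lpDllName, dwSize, &dwWriteByte)) {
        printf("WriteProcessMemory error %lu\r\n", GetLastError());
        goto out;
    }
    if (dwWriteByte != dwSize) {
        printf("WriteProcessMemory short write: %lu of %lu bytes\r\n",
               (unsigned long)dwWriteByte, (unsigned long)dwSize);
        goto out;
    }

    /* Use the proper function-pointer type instead of the original's LPVOID
     * round-trip. The original relies on LoadLibraryA resolving to the same
     * address in the target as in this process -- presumably same-bitness;
     * confirm before relying on it. */
    lpLoadDll = (LPTHREAD_START_ROUTINE)LoadLibraryA;

    /* Create the remote thread: LoadLibraryA acts as the thread routine and the
     * remote buffer holding the DLL path is its single argument. */
    hNewRemoteThread = CreateRemoteThread(hProcess, NULL, 0, lpLoadDll, lpRemoteBuf, 0, &dwNewThreadId);
    if (hNewRemoteThread == NULL) {
        printf("CreateRemoteThread error %lu\r\n", GetLastError());
        goto out;
    }

    /* A HANDLE is a pointer-sized value; %d on it is undefined on 64-bit. */
    printf("%p\r\n", (void *)hNewRemoteThread);
    WaitForSingleObject(hNewRemoteThread, INFINITE);
    CloseHandle(hNewRemoteThread);
    hNewRemoteThread = NULL;
    rc = 0;

    system("pause");

out:
    if (hNewRemoteThread != NULL) {
        CloseHandle(hNewRemoteThread);
    }
    /* Memory in another process is released with VirtualFreeEx on that
     * process handle. The original's VirtualFree(hProcess, dwSize, MEM_COMMIT)
     * treated the handle value as an address in *this* process and used a
     * flag that is not valid for VirtualFree at all. */
    if (lpRemoteBuf != NULL) {
        VirtualFreeEx(hProcess, lpRemoteBuf, 0, MEM_RELEASE);
    }
    if (hProcess != NULL) {
        /* The original leaked hProcess on the success path. */
        CloseHandle(hProcess);
    }
    return rc;
}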
