DLL注入的三种方法:
使用LoadLibrary加载某个DLL时,该DLL中的DllMain函数就会被调用执行。
1.创建远程线程(CreateRemoteThread)
使用InjectDll.exe向notepad.exe中注入Myhack.dll(在WinXP上提权后测试成功)
InjectDll.exe源码
// InjectDll.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include <Windows.h>
#include <tchar.h>
BOOL SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
TOKEN_PRIVILEGES tp;
HANDLE hToken;
LUID luid;
if( !OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
&hToken) )
{
_tprintf(L"OpenProcessToken error: %u\n", GetLastError());
return FALSE;
}
if( !LookupPrivilegeValue(NULL, // lookup privilege on local system
lpszPrivilege, // privilege to lookup
&luid) ) // receives LUID of privilege
{
_tprintf(L"LookupPrivilegeValue error: %u\n", GetLastError() );
return FALSE;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if( bEnablePrivilege )
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
tp.Privileges[0].Attributes = 0;
// Enable the privile