给注入explorer.exe的dll添加上开机自动启动的功能给注入explorer.exe的dll添加上开机自动启动的功能

107 阅读 0 评论 71 点赞

我是靠谱客的博主年轻乐曲，这篇文章主要介绍给注入explorer.exe的dll添加上开机自动启动的功能给注入explorer.exe的dll添加上开机自动启动的功能，现在分享给大家，希望可以做个参考。

给注入explorer.exe的dll添加上开机自动启动的功能

在此处我们通过写注册表的方式进行开机启动

复制代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
void AutoRunFun()
{
TCHAR szFullPath[MAX_PATH + 1] = { 0 };//定义存放当前文件的字符串变量
GetModuleFileName(NULL,szFullPath,MAX_PATH);//获取当前文件的路径
LPCTSTR lpSubKey = _T("SOFTWARE\Microsoft\Windows\CurrentVersion\Run");//定义操作的注册表的路径
HKEY hKey;//注册表的返回值
REGSAM flag = KEY_WOW64_64KEY;//当前系统为win7 64位，访问的是64位的注册表，如果访问32位，则改为KEY_WOW64_32KEY
LONG lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, lpSubKey, 0, KEY_ALL_ACCESS | flag, &hKey);//打开注册表
//探测是否有错
if (ERROR_SUCCESS != lRet)
{
cout << "RegOpenKeyEx fail!" << endl;
return;
}
//设置注册表的值
lRet = RegSetValueEx(hKey, TEXT("TEST"), 0, REG_SZ, LPBYTE(szFullPath), wcslen(szFullPath));
if (ERROR_SUCCESS != lRet)
{
cout << "no cheng gong2";
return;
}
return;
}

结果我们的整个程序代码如下：

复制代码

#include <iostream>
#include <Windows.h>
#include <TlHelp32.h>
#include <tchar.h>
using namespace std;
bool RemoteThreadInject(SIZE_T dwPid);
SIZE_T GetProcessIdByName(LPCTSTR pszExeFile);
void AutoRunFun();
int main()
{
SIZE_T pid;
AutoRunFun();
pid = GetProcessIdByName(L"explorer.exe");//获取explorer.exe进程id
RemoteThreadInject(pid);//将dll注入explorer.exe进程，这样只要有explorer.exe的运行的时候，你的dll程序会一直运行
//开机启动程序
AutoRunFun();
}
//该函数是通过进程的名称来获取进程的id
void AutoRunFun()
{
//获取文件路径
TCHAR szFullPath[MAX_PATH + 1] = { 0 };
GetModuleFileName(NULL, szFullPath, MAX_PATH);
LPCTSTR lpSubKey = _T("SOFTWARE\Microsoft\Windows\CurrentVersion\Run");
HKEY hKey;
REGSAM flag = KEY_WOW64_64KEY;//当前系统为win7 64位，访问的是64位的注册表，如果访问32位，则改为KEY_WOW64_32KEY
LONG lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, lpSubKey, 0, KEY_ALL_ACCESS | flag, &hKey);
if (ERROR_SUCCESS != lRet)
{
cout << "RegOpenKeyEx fail!" << endl;
return;
}
lRet = RegSetValueEx(hKey, TEXT("TEST"), 0, REG_SZ, LPBYTE(szFullPath), wcslen(szFullPath));
if (ERROR_SUCCESS != lRet)
{
cout << "no cheng gong2";
return;
}
return;
}
SIZE_T GetProcessIdByName(LPCTSTR pszExeFile)
{
SIZE_T nProcessID = 0;//定义进程的返回的id
PROCESSENTRY32 pe = { sizeof(PROCESSENTRY32) };
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0);
if (hSnapshot != INVALID_HANDLE_VALUE)
{
if (Process32First(hSnapshot, &pe))
{
while (Process32Next(hSnapshot, &pe))
{
if (lstrcmpi(pszExeFile, pe.szExeFile) == 0)
{
nProcessID = pe.th32ProcessID;
break;
}
}
}
CloseHandle(hSnapshot);
}
return nProcessID;
}
bool RemoteThreadInject(SIZE_T dwPid)
{
//1.使用PID打开进程获取权限
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, dwPid);
//2.申请内存,写入DLL路径，dll路径必须为绝对路径
int nLen = sizeof(WCHAR) * (wcslen(L"F:\win\InjectionDll\x64\Release\InjectionDll.dll") + 1);
LPVOID pBuf = VirtualAllocEx(hProcess, NULL, nLen, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
if (!pBuf)
{
printf("申请内存失败！n");
return false;
}
//3.写入内存
SIZE_T dwWrite = 0;
if (!WriteProcessMemory(hProcess, pBuf, L"F:\win\InjectionDll\x64\Release\InjectionDll.dll", nLen, &dwWrite))
{
printf("写入内存失败！n");
return false;
}
//4.创建远程线程，让对方调用LoadLibrary
HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, NULL,
(LPTHREAD_START_ROUTINE)LoadLibrary, pBuf, 0, 0);
//5.等待线程结束返回,释放资源
WaitForSingleObject(hRemoteThread, -1);
CloseHandle(hRemoteThread);
VirtualFreeEx(hProcess, pBuf, 0, MEM_FREE);
return true;
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
#include <iostream>
#include <Windows.h>
#include <TlHelp32.h>
#include <tchar.h>
using namespace std;
bool RemoteThreadInject(SIZE_T dwPid);
SIZE_T GetProcessIdByName(LPCTSTR pszExeFile);
void AutoRunFun();
int main()
{
SIZE_T pid;
AutoRunFun();
pid = GetProcessIdByName(L"explorer.exe");//获取explorer.exe进程id
RemoteThreadInject(pid);//将dll注入explorer.exe进程，这样只要有explorer.exe的运行的时候，你的dll程序会一直运行
//开机启动程序
AutoRunFun();
}
//该函数是通过进程的名称来获取进程的id
void AutoRunFun()
{
//获取文件路径
TCHAR szFullPath[MAX_PATH + 1] = { 0 };
GetModuleFileName(NULL, szFullPath, MAX_PATH);
LPCTSTR lpSubKey = _T("SOFTWARE\Microsoft\Windows\CurrentVersion\Run");
HKEY hKey;
REGSAM flag = KEY_WOW64_64KEY;//当前系统为win7 64位，访问的是64位的注册表，如果访问32位，则改为KEY_WOW64_32KEY
LONG lRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, lpSubKey, 0, KEY_ALL_ACCESS | flag, &hKey);
if (ERROR_SUCCESS != lRet)
{
cout << "RegOpenKeyEx fail!" << endl;
return;
}
lRet = RegSetValueEx(hKey, TEXT("TEST"), 0, REG_SZ, LPBYTE(szFullPath), wcslen(szFullPath));
if (ERROR_SUCCESS != lRet)
{
cout << "no cheng gong2";
return;
}
return;
}
SIZE_T GetProcessIdByName(LPCTSTR pszExeFile)
{
SIZE_T nProcessID = 0;//定义进程的返回的id
PROCESSENTRY32 pe = { sizeof(PROCESSENTRY32) };
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, 0);
if (hSnapshot != INVALID_HANDLE_VALUE)
{
if (Process32First(hSnapshot, &pe))
{
while (Process32Next(hSnapshot, &pe))
{
if (lstrcmpi(pszExeFile, pe.szExeFile) == 0)
{
nProcessID = pe.th32ProcessID;
break;
}
}
}
CloseHandle(hSnapshot);
}
return nProcessID;
}
bool RemoteThreadInject(SIZE_T dwPid)
{
//1.使用PID打开进程获取权限
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, NULL, dwPid);
//2.申请内存,写入DLL路径，dll路径必须为绝对路径
int nLen = sizeof(WCHAR) * (wcslen(L"F:\win\InjectionDll\x64\Release\InjectionDll.dll") + 1);
LPVOID pBuf = VirtualAllocEx(hProcess, NULL, nLen, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
if (!pBuf)
{
printf("申请内存失败！n");
return false;
}
//3.写入内存
SIZE_T dwWrite = 0;
if (!WriteProcessMemory(hProcess, pBuf, L"F:\win\InjectionDll\x64\Release\InjectionDll.dll", nLen, &dwWrite))
{
printf("写入内存失败！n");
return false;
}
//4.创建远程线程，让对方调用LoadLibrary
HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, NULL,
(LPTHREAD_START_ROUTINE)LoadLibrary, pBuf, 0, 0);
//5.等待线程结束返回,释放资源
WaitForSingleObject(hRemoteThread, -1);
CloseHandle(hRemoteThread);
VirtualFreeEx(hProcess, pBuf, 0, MEM_FREE);
return true;
}