//
CreateRemoteThread 使用 关闭远程进程句柄 processID远程进程的进程ID handle远程进程的进程句柄
CloseRemoteHandle( DWORD processID, HANDLE handle )
...
{
HANDLE ht = 0; DWORD rc = 0; // open the process HANDLE hProcess = OpenProcess( PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE|PROCESS_VM_READ, FALSE, processID ); if ( hProcess == NULL )
...{ rc = GetLastError(); MessageBox( _T("OpenProcess() failed ") ); return rc;
} // load kernel32.dll HMODULE hKernel32 = LoadLibrary( _T("kernel32.dll") ); // CreateRemoteThread() ht = CreateRemoteThread( hProcess, 0, 0, (DWORD(__stdcall *)(void*))GetProcAddress(hKernel32,"CloseHandle"), handle, 0, &rc ); if ( ht == NULL ) ...{ //Something is wrong with the privileges, or the process doesn't like us rc = GetLastError(); MessageBox( _T("CreateRemoteThread() failed ") ); //Free up the kernel32.dll FreeLibrary( hKernel32 ); CloseHandle( hProcess ); } switch ( WaitForSingleObject( ht, 2000 ) ) ...{ case WAIT_OBJECT_0: //Well done rc = 0; MessageBox( _T("Ok ")); break; default: //Oooops, shouldn't be here rc = GetLastError(); MessageBox( _T("WaitForSingleObject() failed ") ); break; } //Closes the remote thread handle CloseHandle( ht ); //Free up the kernel32.dll if ( hKernel32 != NULL) FreeLibrary( hKernel32 ); //Close the process handle CloseHandle( hProcess ); return rc;
}
//
CreateRemoteThread 使用 释放远程dll句柄 processID占用dll的远程进程的进程ID lpDllPath dll路径
CloseRemoteDll( DWORD processID, LPCTSTR lpDllPath )
...
{ HANDLE ht = 0; DWORD rc = 0; DWORD dwHandle; HANDLE hProcess; hProcess= OpenProcess(PROCESS_CREATE_THREAD | //允许远程创建线程 PROCESS_VM_OPERATION | //允许远程VM操作 PROCESS_VM_WRITE, //允许远程VM写 FALSE, processID ); if ( hProcess == NULL ) ...{ rc = GetLastError(); //MessageBox( _T("OpenProcess() failed ") ); return rc; } HMODULE hKernel32 = LoadLibrary("kernel32.dll"); //向目标进程地址空间写入DLL名称 DWORD dwSize, dwWritten; CString str; str=lpDllPath; dwSize=str.GetLength()+1; LPVOID lpBuf = VirtualAllocEx(hProcess,NULL,dwSize, MEM_COMMIT, PAGE_READWRITE ); if(!WriteProcessMemory(hProcess,lpBuf,(LPVOID)lpDllPath, dwSize,&dwWritten)) ...{ rc=GetLastError(); VirtualFreeEx(hProcess,lpBuf,dwSize,MEM_DECOMMIT); CloseHandle(hProcess); return rc; } HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (DWORD(__stdcall *)(void*))GetProcAddress(hKernel32,"GetModuleHandleA"), lpBuf ,0, NULL); if(hThread == NULL) ...{ rc=GetLastError(); CloseHandle(hProcess); return rc ; } //等待GetModuleHandle运行完毕 WaitForSingleObject(hThread, INFINITE); //获得GetModuleHandle的返回值 GetExitCodeThread(hThread,&dwHandle); //释放目标进程中申请的空间 VirtualFreeEx( hProcess, lpBuf, dwSize, MEM_DECOMMIT); CloseHandle(hThread); // CreateRemoteThread() ht = CreateRemoteThread( hProcess, 0, 0, (DWORD(__stdcall *)(void*))GetProcAddress(hKernel32,"FreeLibrary"), (LPVOID)dwHandle, 0, &rc ); if ( ht == NULL ) ...{ rc = GetLastError(); MessageBox( _T("CreateRemoteThread() failed ") ); FreeLibrary( hKernel32 ); CloseHandle( hProcess ); return rc; } switch ( WaitForSingleObject( ht, 2000 ) ) ...{ case WAIT_OBJECT_0: rc = 0; MessageBox( _T("Ok ")); break; default: rc = GetLastError(); MessageBox( _T("WaitForSingleObject() failed ") ); break; } //Closes the remote thread handle CloseHandle(ht ); //Free up the kernel32.dll if ( hKernel32 != NULL) FreeLibrary( hKernel32 ); //Close the process handle CloseHandle( hProcess ); return rc;}
最后
以上就是飘逸夏天最近收集整理的关于CreateRemoteThread远程注入 使用例子的全部内容,更多相关CreateRemoteThread远程注入内容请搜索靠谱客的其他文章。
本图文内容来源于网友提供,作为学习参考使用,或来自网络收集整理,版权属于原作者所有。
发表评论 取消回复