我是靠谱客的博主 调皮盼望,最近开发中收集的这篇文章主要介绍封装远程注入类CreateRemoteThreadEx,觉得挺不错的,现在分享给大家,希望可以做个参考。

概述

类初始化时传入要注入的DLL文件名


只使用两个函数

// 注入DLL到指定的地址空间
BOOL InjectModuleInto(DWORD dwProcessId);
// 从指定的地址空间卸载DLL
BOOL EjectModuleFrom(DWORD dwProcessId);


.h

#pragma once
#include <windows.h>  //在头文件中包含

class CRemThreadInject
{
public:
	CRemThreadInject(LPSTR lpDllName);
	~CRemThreadInject(void);

protected:
	char m_szDllName[MAX_PATH];
	static BOOL EnableDebugPrivilege(BOOL bEnable);
public:
	// 注入DLL到指定的地址空间
	BOOL InjectModuleInto(DWORD dwProcessId);
	// 从指定的地址空间卸载DLL
	BOOL EjectModuleFrom(DWORD dwProcessId);
};



.cpp

#include "RemThreadInject.h"
#include <tlhelp32.h> 



CRemThreadInject::CRemThreadInject(LPSTR lpDllName)
{
	memcpy(m_szDllName, lpDllName, MAX_PATH);
	EnableDebugPrivilege(TRUE);
}


CRemThreadInject::~CRemThreadInject(void)
{
	EnableDebugPrivilege(FALSE);
}

BOOL CRemThreadInject::EnableDebugPrivilege(BOOL bEnable)
{
	HANDLE hToken = INVALID_HANDLE_VALUE;
	//OpenProcessToken
	if (0 == ::OpenProcessToken(::GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
	{
		return FALSE;
	}
	LUID luid;
	
	//
	::LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
	TOKEN_PRIVILEGES tp;
	tp.PrivilegeCount = 1;
	tp.Privileges[0].Luid = luid;
	if (bEnable)
		tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	else
		tp.Privileges[0].Attributes = 0;
	if ( !AdjustTokenPrivileges(
		hToken, 
		FALSE, 
		&tp, 
		sizeof(TOKEN_PRIVILEGES), 
		(PTOKEN_PRIVILEGES) NULL, 
		(PDWORD) NULL) )
	{ 
		return FALSE; 
	} 
	if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
	{
		return FALSE;
	} 
	::CloseHandle(hToken);
	return TRUE;
}

// 注入DLL到指定的地址空间
BOOL CRemThreadInject::InjectModuleInto(DWORD dwProcessId)
{
	//
	if (::GetCurrentProcessId() == dwProcessId)
	{
		return FALSE; 
	}
	BOOL bFound;
	/************************************************************************/
	/* 遍历模块                                                              */
	/************************************************************************/
	HANDLE hModuleSnap = INVALID_HANDLE_VALUE; 
	MODULEENTRY32 me32; 

	//  Take a snapshot of all modules in the specified process. 
	hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwProcessId ); 
	if( hModuleSnap == INVALID_HANDLE_VALUE ) 
	{ 
		return( FALSE ); 
	} 
	me32.dwSize = sizeof( MODULEENTRY32 ); 
	if( !Module32First( hModuleSnap, &me32 ) ) 
	{ 
		CloseHandle( hModuleSnap );     // Must clean up the snapshot object! 
		return( FALSE ); 
	} 
	do 
	{ 
		if (stricmp(me32.szModule, m_szDllName) == 0)
		{
			bFound = TRUE;
			break;
		}
	} while( Module32Next( hModuleSnap, &me32 ) ); 

	//  Do not forget to clean up the snapshot object. 
	CloseHandle( hModuleSnap ); 

	if (bFound) //如果已经加载了模块,就不再加载
	{
		return FALSE;
	}

	//如果没加载,打开进程,远程注入
	
	HANDLE hProcess = ::OpenProcess(PROCESS_CREATE_THREAD |PROCESS_VM_OPERATION |PROCESS_VM_WRITE, FALSE, dwProcessId);
	if (hProcess == NULL)
	{
		return FALSE;
	}
	HMODULE  hKernerl32 = GetModuleHandle("kernel32.dll");
	LPTHREAD_START_ROUTINE pfnLoadLibraryA = (LPTHREAD_START_ROUTINE)::GetProcAddress(hKernerl32, "LoadLibraryA"); 

	int cbSize = strlen(m_szDllName)+1;
	LPVOID lpRemoteDllName = ::VirtualAllocEx(hProcess, 0, cbSize, MEM_COMMIT, PAGE_READWRITE);
	::WriteProcessMemory(hProcess, lpRemoteDllName, m_szDllName, cbSize, NULL);
	HANDLE hRemoteThread = ::CreateRemoteThreadEx(hProcess, NULL, 0, pfnLoadLibraryA, lpRemoteDllName, 0, NULL, NULL);
	if (NULL == hRemoteThread)
	{
		::CloseHandle(hProcess);
		return FALSE;
	}
	//等待目标线程运行结束,即LoadLibraryA函数返回
	::WaitForSingleObject(hRemoteThread, INFINITE);
	::CloseHandle(hRemoteThread);
	::CloseHandle(hProcess);
	return TRUE;
}


// 从指定的地址空间卸载DLL
BOOL CRemThreadInject::EjectModuleFrom(DWORD dwProcessId)
{
	//
	if (::GetCurrentProcessId() == dwProcessId)
	{
		return FALSE; 
	}
	BOOL bFound;
	/************************************************************************/
	/* 遍历模块                                                              */
	/************************************************************************/
	HANDLE hModuleSnap = INVALID_HANDLE_VALUE; 
	MODULEENTRY32 me32; 

	//  Take a snapshot of all modules in the specified process. 
	hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwProcessId ); 
	if( hModuleSnap == INVALID_HANDLE_VALUE ) 
	{ 
		return( FALSE ); 
	} 
	me32.dwSize = sizeof( MODULEENTRY32 ); 
	if( !Module32First( hModuleSnap, &me32 ) ) 
	{ 
		CloseHandle( hModuleSnap );     // Must clean up the snapshot object! 
		return( FALSE ); 
	} 
	do 
	{ 
		if (stricmp(me32.szModule, m_szDllName) == 0)
		{
			bFound = TRUE;
			break;
		}
	} while( Module32Next( hModuleSnap, &me32 ) ); 

	//  Do not forget to clean up the snapshot object. 
	CloseHandle( hModuleSnap ); 

	if (!bFound) //如果没有加载模块,就不能卸载
	{
		return FALSE;
	}

	//如果加载了,打开进程,远程注入

	HANDLE hProcess = ::OpenProcess(PROCESS_CREATE_THREAD |PROCESS_VM_OPERATION |PROCESS_VM_WRITE, FALSE, dwProcessId);
	if (hProcess == NULL)
	{
		return FALSE;
	}
	HMODULE  hKernerl32 = GetModuleHandle("kernel32.dll");
	LPTHREAD_START_ROUTINE pfnFreeLibrary = (LPTHREAD_START_ROUTINE)::GetProcAddress(hKernerl32, "FreeLibrary"); 

	int cbSize = strlen(m_szDllName)+1;
	LPVOID lpRemoteDllName = ::VirtualAllocEx(hProcess, 0, cbSize, MEM_COMMIT, PAGE_READWRITE);
	::WriteProcessMemory(hProcess, lpRemoteDllName, m_szDllName, cbSize, NULL);
	HANDLE hRemoteThread = ::CreateRemoteThreadEx(hProcess, NULL, 0, pfnFreeLibrary, lpRemoteDllName, 0, NULL, NULL);
	if (NULL == hRemoteThread)
	{
		::CloseHandle(hProcess);
		return FALSE;
	}
	//等待目标线程运行结束,即LoadLibraryA函数返回
	::WaitForSingleObject(hRemoteThread, INFINITE);
	::CloseHandle(hRemoteThread);
	::CloseHandle(hProcess);
	return TRUE;
}


最后

以上就是调皮盼望为你收集整理的封装远程注入类CreateRemoteThreadEx的全部内容,希望文章能够帮你解决封装远程注入类CreateRemoteThreadEx所遇到的程序开发问题。

如果觉得靠谱客网站的内容还不错,欢迎将靠谱客网站推荐给程序员好友。

本图文内容来源于网友提供,作为学习参考使用,或来自网络收集整理,版权属于原作者所有。
点赞(27)

评论列表共有 0 条评论

立即
投稿
返回
顶部