利用CreateRemoteThread

#include <iostream>
#include <tchar.h>
#include <Windows.h>
#include <tlhelp32.h>
BOOL SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
TOKEN_PRIVILEGES tp;
HANDLE hToken;
LUID luid; if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
&hToken))
{
_tprintf(L"OpenProcessToken error: %u\n", GetLastError());
return FALSE;
} if (!LookupPrivilegeValue(NULL, // lookup privilege on local system
lpszPrivilege, // privilege to lookup
&luid)) // receives LUID of privilege
{
_tprintf(L"LookupPrivilegeValue error: %u\n", GetLastError());
return FALSE;
} tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
if (bEnablePrivilege)
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
else
tp.Privileges[0].Attributes = 0; // Enable the privilege or disable all privileges.
if (!AdjustTokenPrivileges(hToken,
FALSE,
&tp,
sizeof(TOKEN_PRIVILEGES),
(PTOKEN_PRIVILEGES)NULL,
(PDWORD)NULL))
{
_tprintf(L"AdjustTokenPrivileges error: %u\n", GetLastError());
return FALSE;
} if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
{
_tprintf(L"The token does not have the specified privilege. \n");
return FALSE;
} return TRUE;
} BOOL InjectDll(DWORD dwPID, LPCTSTR szDllPath)
{
HANDLE hProcess = NULL, hThread = NULL;
HMODULE hMod = NULL;
LPVOID pRemoteBuf = NULL;
DWORD dwBufSize = (DWORD)(_tcslen(szDllPath) + 1) * sizeof(TCHAR);
LPTHREAD_START_ROUTINE pThreadProc; // #1. 通过dwPID获取进程句柄
if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)))
{
_tprintf(L"OpenProcess(%d) failed!!! [%d]\n", dwPID, GetLastError());
return FALSE;
} // #2. 在注入的目标进程中开辟内存,存储Dll的路径
pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE); // #3. 写入DLL路径数据
WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllPath, dwBufSize, NULL); // #4. 获取LoadLibraryA() API
hMod = GetModuleHandle(L"kernel32.dll");
pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hMod, "LoadLibraryW"); // #5. 调用CreateRemoteThread
hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, pRemoteBuf, 0, NULL);
WaitForSingleObject(hThread, INFINITE); CloseHandle(hThread);
CloseHandle(hProcess); return TRUE;
}
BOOL EjectDll(DWORD dwPID, LPCTSTR szDllName)
{
BOOL bMore = FALSE, bFound = FALSE;
HANDLE hSnapshot, hProcess, hThread;
HMODULE hModule = NULL;
MODULEENTRY32 me = { sizeof(me) };
LPTHREAD_START_ROUTINE pThreadProc; // dwPID = notepad 进程id
// 使用TH32CS_SNAPMODULE 参数,获取加载到notepad 进程dll的名称
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);//句柄 bMore = Module32First(hSnapshot, &me);
for (; bMore; bMore = Module32Next(hSnapshot, &me))//循环比较地址
{
if (!_tcsicmp((LPCTSTR)me.szModule, szDllName) ||
!_tcsicmp((LPCTSTR)me.szExePath, szDllName))
{
bFound = TRUE;
break;
}
} if (!bFound)
{
CloseHandle(hSnapshot);
return FALSE;
} if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)))//获取目标进程的句柄
{
_tprintf(L"OpenProcess(%d) failed!!! [%d]\n", dwPID, GetLastError());
return FALSE;
} hModule = GetModuleHandle(L"kernel32.dll");
pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hModule, "FreeLibrary");//获取FreeLibrary的api地址
hThread = CreateRemoteThread(hProcess, NULL, 0,
pThreadProc, me.modBaseAddr,
0, NULL); //卸载dll
WaitForSingleObject(hThread, INFINITE); CloseHandle(hThread);
CloseHandle(hProcess);
CloseHandle(hSnapshot); return TRUE;
}
int main()
{
std::cout << "Hello World!\n";
DWORD pID;
std::cout << "input pid:\n";
_tscanf(_T("%d"), &pID);
TCHAR dllPath[256] = { 0 };
std::cout << "input dll path:\n";
_tscanf(_T("%s"), dllPath);
if (!SetPrivilege(SE_DEBUG_NAME, TRUE)) {
printf("error \n");
getchar();
return 1;
} // inject dll
if (InjectDll(pID, dllPath)) {
_tprintf(L"InjectDll(\"%s\") success!!!\n", dllPath);
getchar();
} else {
_tprintf(L"InjectDll(\"%s\") failed!!!\n", dllPath);
getchar();
}
printf("input 'q' to ejection\n");
if (getchar() == 'q') {
if (EjectDll(pID, dllPath)) {
printf("ejection success!\n");
}
else
{
printf("ejection error!\n");
}
}
return 0;
}

《逆向工程核心原理》——DLL注入与卸载的更多相关文章

  1. dll注入及卸载实践

    三种方法:具体详见<逆向工程核心原理>. 1.创建远程线程CreateRemoteThread() 2.使用注册表AppInit_DLLs 3.消息钩取SetWindowsHookEx() ...

  2. 《逆向工程核心原理》Windows消息钩取

    DLL注入--使用SetWindowsHookEx函数实现消息钩取 MSDN: SetWindowsHookEx Function The SetWindowsHookEx function inst ...

  3. 《逆向工程核心原理》——API HOOK

    编写dll处理hook逻辑,注入到目标进程,实现api hook. Windows10 notepad,通过hook kernel32.dll.WriteFile,实现小写字母转大写保存到文件. ho ...

  4. 《逆向工程核心原理》——IAThook

    hook逻辑写入dll中,注入dll. #include "pch.h" #include <tchar.h> #include "windows.h&quo ...

  5. 《逆向工程核心原理》——通过调试方式hook Api

    1.附加目标进程, 2.CREATE_PROCESS_DEBUG_EVENT附加事件中将目标api处设置为0xcc(INT 3断点) 3.EXCEPTION_DEBUG_EVENT异常事件中,首先判断 ...

  6. 逆向工程核心原理-IA-32寄存器

    IA-32由四类寄存器组成:通用寄存器,段寄存器,程序状态与控制寄存器,指令指针寄存器. 通用寄存器:用于传送和暂存数据,也可参与算数逻辑运算,并保存运算结果. EAX(0-31) 32位      ...

  7. 《逆向工程核心原理》——TLS回调函数

    pe中TLS(thread local storage)中函数的执行时机早于入口函数(entry point), 相关结构: // // Thread Local Storage // typedef ...

  8. dll注入与代码注入

    学习<逆向工程核心原理>,在x64下dll注入与代码注入. dll注入主要用到CreateRemoteThread, HANDLE WINAPI CreateRemoteThread( _ ...

  9. <ReversingEngineering>关于windows32位系统下的dll注入技术经验汇

    上个学期把自己闷在图书馆一直在看关于逆向工程技术方面的书,从入门到初级,现在也敢说自己一条腿已经迈进了这片知识的大门里,因为该博客刚开通先将一些经验记录下来,也是留给自己一方面做个参照. <逆向 ...

随机推荐

  1. 使用opencv-python实现MATLAB的fspecial('Gaussian', [r, c], sigma)

    reference_opencv实现高斯核 reference_MATLAB_fspecial函数说明 # MATLAB H = fspecial('Gaussian', [r, c], sigma) ...

  2. CSON vs JSON

    CSON vs JSON 今天在github浏览资料时,无意发现了这个很像json,却优于json的cson.故,再次分享给大家! 官方fork文档:https://github.com/xgqfrm ...

  3. node.js cli downloader

    node.js cli downloader cli 下载器 refs https://github.com/xgqfrms/react-storybook-app xgqfrms 2012-2020 ...

  4. js & touch & swiper

    js & touch & swiper https://developer.mozilla.org/en/docs/Web/API/Touch_events "use str ...

  5. export excel

    export excel sheet.js https://sheetjs.com/ https://github.com/SheetJS/sheetjs excel.js https://www.n ...

  6. c++ win32 关机 注销 重启

    #include <iostream> #include <Windows.h> #pragma comment(lib, "user32.lib") #p ...

  7. 开发Microsoft Teams选项卡应用安全注意事项

    我们都知道,为了方便广大的开发人员快速开发Microsoft Teams选项卡应用,微软提供了一个JS SDK,你可以通过这里 https://docs.microsoft.com/en-us/jav ...

  8. git log的常用命令

    git config --global alias.lg "log --graph --oneline --pretty='%Cred%h%Creset -%C(yellow)%d%Cblu ...

  9. winform导出csv

    public void ExportToSvc1(string strFileName) { string strPath = strFileName + ".csv"; Stri ...

  10. Vue学习笔记-Vue.js-2.X 学习(一)===>基本知识学习

    一  使用环境: windows 7 64位操作系统 二  IDE:VSCode/PyCharm 三  Vue.js官网: https://cn.vuejs.org/ 四  下载安装引用 方式1:直接 ...