Dll注入经典方法完整版

Pnig0s1992:算是复习了，最经典的教科书式的Dll注入。

总结一下基本的注入过程，分注入和卸载

注入Dll：

1，OpenProcess获得要注入进程的句柄

2，VirtualAllocEx在远程进程中开辟出一段内存，长度为strlen(dllname)+1;

3，WriteProcessMemory将Dll的名字写入第二步开辟出的内存中。

4，CreateRemoteThread将LoadLibraryA作为线程函数，参数为Dll的名称，创建新线程

5，CloseHandle关闭线程句柄

卸载Dll：

1，CreateRemoteThread将GetModuleHandle注入到远程进程中，参数为被注入的Dll名

2，GetExitCodeThread将线程退出的退出码作为Dll模块的句柄值。

3，CloseHandle关闭线程句柄

3，CreateRemoteThread将FreeLibraryA注入到远程进程中，参数为第二步获得的句柄值。

4，WaitForSingleObject等待对象句柄返回

5，CloseHandle关闭线程及进程句柄。

01.//Code By Pnig0s1992 
02.//Date:2012,3,13 
03.#include <stdio.h> 
04.#include <Windows.h> 
05.#include <TlHelp32.h> 
06. 
07. 
08.DWORD getProcessHandle(LPCTSTR lpProcessName)//根据进程名查找进程PID 
09.{ 
10.    DWORD dwRet = 0; 
11.    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); 
12.    if(hSnapShot == INVALID_HANDLE_VALUE) 
13.    { 
14.        printf("\n获得进程快照失败%d",GetLastError()); 
15.        return dwRet; 
16.    } 
17. 
18.    PROCESSENTRY32 pe32;//声明进程入口对象 
19.    pe32.dwSize = sizeof(PROCESSENTRY32);//填充进程入口对象大小 
20.    Process32First(hSnapShot,&pe32);//遍历进程列表 
21.    do  
22.    { 
23.        if(!lstrcmp(pe32.szExeFile,lpProcessName))//查找指定进程名的PID 
24.        { 
25.            dwRet = pe32.th32ProcessID; 
26.            break; 
27.        } 
28.    } while (Process32Next(hSnapShot,&pe32)); 
29.    CloseHandle(hSnapShot); 
30.    return dwRet;//返回 
31.} 
32. 
33.INT main(INT argc,CHAR * argv[]) 
34.{ 
35.    DWORD dwPid = getProcessHandle((LPCTSTR)argv[1]); 
36.    LPCSTR lpDllName = "EvilDll.dll"; 
37.    HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,dwPid); 
38.    if(hProcess == NULL) 
39.    { 
40.        printf("\n获取进程句柄错误%d",GetLastError()); 
41.        return -1; 
42.    } 
43.    DWORD dwSize = strlen(lpDllName)+1;  
44.    DWORD dwHasWrite; 
45.    LPVOID lpRemoteBuf = VirtualAllocEx(hProcess,NULL,dwSize,MEM_COMMIT,PAGE_READWRITE); 
46.    if(WriteProcessMemory(hProcess,lpRemoteBuf,lpDllName,dwSize,&dwHasWrite)) 
47.    { 
48.        if(dwHasWrite != dwSize) 
49.        { 
50.            VirtualFreeEx(hProcess,lpRemoteBuf,dwSize,MEM_COMMIT); 
51.            CloseHandle(hProcess); 
52.            return -1; 
53.        } 
54. 
55.    }else 
56.    { 
57.        printf("\n写入远程进程内存空间出错%d。",GetLastError()); 
58.        CloseHandle(hProcess); 
59.        return -1; 
60.    } 
61. 
62.    DWORD dwNewThreadId; 
63.    LPVOID lpLoadDll = LoadLibraryA; 
64.    HANDLE hNewRemoteThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)lpLoadDll,lpRemoteBuf,0,&dwNewThreadId); 
65.    if(hNewRemoteThread == NULL) 
66.    { 
67.        printf("\n建立远程线程失败%d",GetLastError()); 
68.        CloseHandle(hProcess); 
69.        return -1; 
70.    } 
71. 
72.    WaitForSingleObject(hNewRemoteThread,INFINITE); 
73.    CloseHandle(hNewRemoteThread); 
74. 
75.    //准备卸载之前注入的Dll 
76.    DWORD dwHandle,dwID; 
77.    LPVOID pFunc = GetModuleHandleA;//获得在远程线程中被注入的Dll的句柄 
78.    HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)pFunc,lpRemoteBuf,0,&dwID); 
79.    WaitForSingleObject(hThread,INFINITE); 
80.    GetExitCodeThread(hThread,&dwHandle);//线程的结束码即为Dll模块儿的句柄 
81.    CloseHandle(hThread); 
82.    pFunc = FreeLibrary; 
83.    hThread = CreateRemoteThread(hThread,NULL,0,(LPTHREAD_START_ROUTINE)pFunc,(LPVOID)dwHandle,0,&dwID); //将FreeLibraryA注入到远程线程中去卸载Dll 
84.    WaitForSingleObject(hThread,INFINITE); 
85.    CloseHandle(hThread); 
86.    CloseHandle(hProcess); 
87.    return 0; 
88.} 

http://pnig0s1992.blog.51cto.com/393390/804484