遠端執行緒注入RemoteThread(dll)
阿新 • • 發佈:2018-11-09
// RemoteInject.h
#pragma once

// RemoteInject dialog.
// Collects a target process id and a DLL path from two edit controls and
// drives the injection from its two button handlers (implemented in
// RemoteInject.cpp).
class RemoteInject : public CDialogEx
{
    DECLARE_DYNAMIC(RemoteInject)

public:
    RemoteInject(CWnd* pParent = NULL);   // standard constructor
    virtual ~RemoteInject();

    // Dialog data
    enum { IDD = IDD_DIALOG10 };

protected:
    virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV support

    DECLARE_MESSAGE_MAP()
public:
    // Target process id; exchanged with IDC_EDIT1 by DoDataExchange.
    DWORD m_dwPID;
    // Path of the DLL to load; exchanged with IDC_EDIT4 by DoDataExchange.
    CString m_strDllPath;
    // IDC_BUTTON2: opens a file picker to fill m_strDllPath.
    afx_msg void OnBnClickedButton2();
    // IDC_INJECT: performs the OpenProcess / VirtualAllocEx /
    // WriteProcessMemory / CreateRemoteThread sequence against m_dwPID.
    afx_msg void OnBnClickedInject();
};
// RemoteInject.cpp
// RemoteInject.cpp : implementation file
//

#include "stdafx.h"
#include "MyInjectTool.h"
#include "RemoteInject.h"
#include "afxdialogex.h"

// RemoteInject dialog

IMPLEMENT_DYNAMIC(RemoteInject, CDialogEx)

// Constructor: zero pid, empty DLL path; the dialog template is IDD_DIALOG10.
RemoteInject::RemoteInject(CWnd* pParent /*=NULL*/)
    : CDialogEx(RemoteInject::IDD, pParent)
    , m_dwPID(0)
    , m_strDllPath(_T(""))
{
}

RemoteInject::~RemoteInject()
{
}

// Binds the two edit controls to the members used by OnBnClickedInject.
void RemoteInject::DoDataExchange(CDataExchange* pDX)
{
    CDialogEx::DoDataExchange(pDX);
    DDX_Text(pDX, IDC_EDIT1, m_dwPID);       // target process id
    DDX_Text(pDX, IDC_EDIT4, m_strDllPath);  // DLL path
}

BEGIN_MESSAGE_MAP(RemoteInject, CDialogEx)
    ON_BN_CLICKED(IDC_BUTTON2, &RemoteInject::OnBnClickedButton2)
    ON_BN_CLICKED(IDC_INJECT, &RemoteInject::OnBnClickedInject)
END_MESSAGE_MAP()

// RemoteInject message handlers

// "Browse" button: lets the user pick a .dll and stores its full path in
// m_strDllPath, then pushes the members back to the controls.
void RemoteInject::OnBnClickedButton2()
{
    // TODO: Add your control notification handler code here
    char szFilter[] = "動態連結庫|*.dll";
    // OFN_OVERWRITEPROMPT has no effect on an "open" dialog (first arg TRUE);
    // it is only meaningful for save dialogs.
    CFileDialog fileDlg(TRUE, "dll", NULL, OFN_HIDEREADONLY | OFN_OVERWRITEPROMPT, szFilter);
    UpdateData(TRUE);   // controls -> members, so the pid typed so far is kept
    if (fileDlg.DoModal() == IDOK)
    {
        m_strDllPath = fileDlg.GetPathName();
    }
    UpdateData(FALSE);  // members -> controls
}

// "Inject" button: classic remote-thread DLL load into process m_dwPID.
// The four-step sequence below (OpenProcess with PROCESS_ALL_ACCESS,
// VirtualAllocEx, WriteProcessMemory, CreateRemoteThread pointing at
// LoadLibraryA) is the textbook pattern that endpoint monitoring and
// EDR products key on; every step is a distinct, auditable API call.
//
// Review notes on this implementation (behaviour left as-is):
//  - hProcess and hThread are never closed on any path (no CloseHandle),
//    so each click leaks two kernel handles.
//  - hThread2, pDwTidRemote, hMouDle and dwErrCode are assigned but never
//    read.
//  - A WriteProcessMemory failure only shows a message box; execution
//    continues to CreateRemoteThread with an unwritten buffer.
//  - m_strDllPath.GetBuffer(0) is never paired with ReleaseBuffer().
//  - UpdateData(TRUE) is commented out, so the members hold whatever the
//    last DDX exchange stored (presumably from OnBnClickedButton2), not
//    necessarily the current control text — confirm against the dialog.
void RemoteInject::OnBnClickedInject()
{
    // TODO: Add your control notification handler code here
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    HANDLE hThread2 = NULL;          // unused
    char* pszRemoteBuffer = NULL;    // address of the path buffer in the target
    DWORD * pDwTidRemote = NULL;     // unused

    //UpdateData(TRUE);

    // PROCESS_ALL_ACCESS is the broadest possible right; the call fails
    // (hProcess == NULL) if the caller is not permitted to open the target.
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, m_dwPID);
    if (hProcess == NULL)
    {
        MessageBox("開啟程序失敗!!!!");
        return;   // hProcess is NULL here, nothing to release
    }

    // 1. Allocate memory in the remote process (committed, read/write,
    //    sized by the path length as returned by GetLength()).
    pszRemoteBuffer = (char *)VirtualAllocEx(hProcess, NULL, m_strDllPath.GetLength(), MEM_COMMIT, PAGE_READWRITE);
    if (pszRemoteBuffer == NULL)
    {
        MessageBox("申請遠端空間失敗");
        return;   // NOTE: hProcess is leaked on this path
    }

    // 2. Write the DLL path into the remotely allocated buffer.
    SIZE_T dwWriten;   // bytes actually written; never checked afterwards
    if (!WriteProcessMemory(hProcess, pszRemoteBuffer, (LPVOID)m_strDllPath.GetBuffer(0), m_strDllPath.GetLength(), &dwWriten))
    {
        MessageBox("寫入記憶體失敗");
        // no return: falls through to the remote thread creation
    }

    // 3. Get the address of LoadLibrary in the remote process. As the original
    //    note says, this relies on kernel32 being mapped at the same address
    //    in every process, so the local address is taken to be valid remotely.
    HMODULE hMouDle = GetModuleHandle("Kernel32");   // unused
    PTHREAD_START_ROUTINE pfnLoadLibrary = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA");
    if (pfnLoadLibrary == NULL)
    {
        MessageBox("獲取LoadLibrary地址失敗!!!");
        return;   // NOTE: hProcess and the remote allocation are leaked
    }

    // 4. Create the remote thread: its start routine is LoadLibraryA and its
    //    single argument is the remote path buffer.
    hThread = CreateRemoteThread(hProcess, NULL, 0, pfnLoadLibrary, pszRemoteBuffer, 0, NULL);
    DWORD dwErrCode = GetLastError();   // captured but never displayed or logged
    if (hThread == NULL)
    {
        MessageBox("建立遠端執行緒失敗");
        return;   // NOTE: hProcess is leaked on this path
    }

    // Wait up to 2 s for the remote thread; the result of the wait and the
    // thread's exit code are not examined, and neither handle is closed.
    WaitForSingleObject(hThread, 2000);
}