-
-
[求助]DLL注入病毒报警?为啥……
-
发表于:
2008-5-23 11:12
6311
-
根据网上的教程写了一个DLL注入的小程序,可是杀毒软件报警(NOD32),这是为啥?
可是我看见别的应用程序(如Unlocker)Dll注入到其他的任何进程都没有关系啊。难道是我的编写有问题吗?
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
DWORD FindTarget(LPCTSTR proceName)
{
DWORD dwRet;
HANDLE hSnapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
PROCESSENTRY32 pe32;
pe32.dwSize=sizeof(PROCESSENTRY32);
Process32First(hSnapshot,&pe32);
do
{
if(lstrcmpi(pe32.szExeFile,proceName)==0)
{
dwRet=pe32.th32ProcessID;
break;
}
}
while(Process32Next(hSnapshot,&pe32));
CloseHandle(hSnapshot);
return dwRet;
}
BOOL LoadMod(DWORD dwPID, const TCHAR* pszModuleFile)
{
HANDLE hProcess= NULL;
HANDLE hThread= NULL;
DWORD dwSize= 0;
DWORD dwWritten= 0;
LPVOID lpBuf= NULL;
LPVOID lpThreadFun= NULL;
hProcess =OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwPID);
if (!hProcess)
{
return FALSE;
}
dwSize = (DWORD)strlen(pszModuleFile);//_tcslen
lpBuf =VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
if (!lpBuf)
{
CloseHandle(hProcess);
return FALSE;
}
if (!WriteProcessMemory(hProcess, lpBuf, (LPVOID)pszModuleFile, dwSize, &dwWritten))
{
VirtualFreeEx(hProcess, lpBuf, dwSize, MEM_DECOMMIT);
CloseHandle(hProcess);
return FALSE;
}
if (dwSize != dwWritten)
{
VirtualFreeEx(hProcess, lpBuf, dwSize, MEM_DECOMMIT);
CloseHandle(hProcess);
return FALSE;
}
#ifdef _UNICODE
lpThreadFun =GetProcAddress(GetModuleHandle(("Kernel32")), "LoadLibraryW");//_T
#else
lpThreadFun =GetProcAddress(GetModuleHandle(("Kernel32")), "LoadLibraryA");
#endif
hThread =CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpThreadFun, lpBuf, 0, &dwPID);
WaitForSingleObject(hThread, INFINITE);
VirtualFreeEx(hProcess, lpBuf, dwSize, MEM_DECOMMIT);
CloseHandle(hThread);
CloseHandle(hProcess);
return TRUE;
}
int main()
{
char processName[]="explorer.exe";
char dllAddr[]="c:\\dll.dll";
LoadMod(FindTarget("explorer.exe"),dllAddr);
}
问题好像处在了这个函数,为什么一调用这个函数,杀毒软件就会报警呢?
CreateRemoteThread
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法