[原创]注入DLL之ANSI版--改自Jeffrey的《windows核心编程》
发表于: 2009-7-1 19:25 5327
注入DLL之ANSI版
Jeffrey在《windows核心编程》中的第22章给出了一个注入dll的实例,可是那里面添加了处理异常,字符串安全操作函数库等各种技术,这是好事,可是就有点让人难以阅读和理解了(也许只有我才有这种情况)。所以我用C重写了一遍。这是ANSI版,看看反响如何,以后推出UNICODE版。
现在贴于此处,以飨读者。也感谢看雪给我一个获取知识的平台。谢谢
-------------------------------------------------------------------------------------------------
--------------------injec.cpp------------------------------
//此为ascii版本
//
#include"CommFile.h"
#include"resource.h"
#include <tchar.h>
#include <TlHelp32.h>
#include<windows.h>
#include<windowsx.h>
#include <malloc.h>
//#include <StrSafe.h>
#pragma once
//
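// Unloads szDllFileName from process dwProcessId by running FreeLibrary on a
// remote thread — the mirror image of InjectDLL below.
//
// dwProcessId   - PID of the target process.
// szDllFileName - module name as it appears in the target's module list
//                 (e.g. "walk.dll"), not a full path; compared without case,
//                 because the name comes from the filesystem.
// Returns TRUE only when the module was found, the remote thread ran, and
// FreeLibrary reported success inside the target.
//
// Caveats worth keeping in mind:
//  * The FreeLibrary address is taken from *this* process's kernel32 and
//    assumed to be valid in the target. That holds for same-bitness
//    processes sharing the kernel32 base; it does not hold across WOW64.
//    (NOTE(review): not checked by this code.)
//  * FreeLibrary drops a single reference; if the target loaded the DLL
//    more than once it stays mapped.
BOOL EnjectDLL(DWORD dwProcessId, char *szDllFileName)
{
    BOOL fOK = FALSE;
    HANDLE hthSnapshot = INVALID_HANDLE_VALUE;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    MODULEENTRY32 me = { sizeof(me) };
    BOOL bFound = FALSE;

    if (szDllFileName == NULL || *szDllFileName == '\0')
        return FALSE;

    // Walk the target's module list to recover the DLL's base address,
    // which is exactly the HMODULE FreeLibrary expects.
    hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
    if (hthSnapshot == INVALID_HANDLE_VALUE)
        return FALSE;

    for (BOOL bMore = Module32First(hthSnapshot, &me);
         bMore;
         bMore = Module32Next(hthSnapshot, &me)) {
        // Case-insensitive: "WALK.dll" and "walk.dll" are the same module.
        if (lstrcmpi(me.szModule, szDllFileName) == 0) {
            bFound = TRUE;
            break;
        }
    }
    // The snapshot is no longer needed (me is a local copy); the original
    // leaked this handle on the not-found path.
    CloseHandle(hthSnapshot);

    if (!bFound) {
        chMB("not found the wanted-release dll");
        return FALSE;
    }

    hProcess = OpenProcess(
        PROCESS_QUERY_INFORMATION |
        PROCESS_CREATE_THREAD |     // For CreateRemoteThread
        PROCESS_VM_OPERATION |
        PROCESS_VM_WRITE |          // MSDN lists VM_READ/VM_WRITE for
        PROCESS_VM_READ,            // CreateRemoteThread as well
        FALSE, dwProcessId);
    if (hProcess == NULL) {
        chMB("进程打不开???");
        return FALSE;               // original carried on with a NULL handle
    }

    // FreeLibrary has no A/W variants, so the bare name is the export.
    PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
        GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "FreeLibrary");
    if (pfnThreadRtn != NULL) {
        hThread = CreateRemoteThread(hProcess, NULL, 0,
                                     pfnThreadRtn, me.modBaseAddr, 0, NULL);
        if (hThread != NULL) {
            DWORD dwExit = 0;
            // Wait for the remote thread to terminate; FreeLibrary's BOOL
            // comes back as the thread exit code.
            WaitForSingleObject(hThread, INFINITE);
            if (GetExitCodeThread(hThread, &dwExit) && dwExit != 0)
                fOK = TRUE;
            CloseHandle(hThread);
        }
    }
    CloseHandle(hProcess);
    return fOK;
}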
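// Loads szDllFileName into a target process by copying the path into its
// address space and running LoadLibraryA on a remote thread.
//
// nThreadID     - despite the name this is a *process* ID: it is passed
//                 straight to OpenProcess. Kept as-is so callers are unaffected.
// szDllFileName - ANSI path of the DLL. Pass a full path: a bare file name
//                 is resolved with the target's DLL search order, which is
//                 the classic search-order-hijack mistake.
// Returns TRUE only when the remote LoadLibraryA returned a non-NULL module.
//
// Same bitness caveat as EnjectDLL: the LoadLibraryA address is read from
// this process's kernel32 and assumed to be identical in the target.
BOOL InjectDLL(DWORD nThreadID, char *szDllFileName)
{
    BOOL fOK = FALSE;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    char *pBaseAddr = NULL;

    if (szDllFileName == NULL || *szDllFileName == '\0')
        return FALSE;

    hProcess = ::OpenProcess(
        PROCESS_QUERY_INFORMATION |   // Required by Alpha
        PROCESS_CREATE_THREAD |       // For CreateRemoteThread
        PROCESS_VM_OPERATION |        // For VirtualAllocEx/VirtualFreeEx
        PROCESS_VM_WRITE |            // For WriteProcessMemory
        PROCESS_VM_READ,              // Listed by MSDN for CreateRemoteThread
        FALSE, nThreadID);
    if (hProcess == NULL) {
        chMB("该进程不存在或无法打开!");
        return FALSE;
    }

    // Bytes for the path plus its terminator (ANSI: one byte per char).
    int cb = lstrlen(szDllFileName) + 1;

    // Read/write is enough: the page only ever holds the path string.
    pBaseAddr = (char *)VirtualAllocEx(hProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
    if (pBaseAddr != NULL &&
        WriteProcessMemory(hProcess, pBaseAddr, (PVOID)szDllFileName, cb, NULL)) {
        // Explicit "A" export: the remote side receives an ANSI string.
        PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
            GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
        if (pfnThreadRtn != NULL) {
            hThread = CreateRemoteThread(hProcess, NULL, 0,
                                         pfnThreadRtn, pBaseAddr, 0, NULL);
            if (hThread != NULL) {
                DWORD dwExit = 0;
                WaitForSingleObject(hThread, INFINITE);
                // LoadLibraryA's HMODULE is the thread exit code (only its
                // low 32 bits on x64, but non-zero still means "loaded");
                // the original reported success without looking at it.
                if (GetExitCodeThread(hThread, &dwExit) && dwExit != 0)
                    fOK = TRUE;
                CloseHandle(hThread);
            }
        }
    }
    // Released only after the remote thread has finished, so LoadLibraryA
    // never reads a freed page.
    if (pBaseAddr != NULL)
        VirtualFreeEx(hProcess, pBaseAddr, 0, MEM_RELEASE);
    CloseHandle(hProcess);
    return fOK;
}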
// WM_INITDIALOG handler: installs the dialog icons and nothing else.
// hwndFocus and lParam (the value WinMain passes to DialogBoxParam) are unused.
BOOL Dlg_OnInitDialog(HWND hwnd, HWND hwndFocus, LPARAM lParam)
{
    chSETDLGICONS(hwnd, IDI_ICON);
    return TRUE;    // let the dialog manager pick the initial focus
}
///////////////////////////////////////////////////////////////////////////////
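// WM_COMMAND handler. IDC_INJECT injects walk.dll (located next to this
// executable) into the PID typed into IDC_Thread and then ejects it again.
// An empty PID field means "inject into this process".
//
// Assumes a non-UNICODE build: TEXT()/_tcsrchr/PTSTR are used on a char
// buffer, exactly as in the rest of this file.
void Dlg_OnCommand(HWND hwnd, int id, HWND hwndCtl, UINT codeNotify)
{
    switch (id) {
    case IDCANCEL:
        EndDialog(hwnd, id);
        break;

    case IDC_INJECT: {
        char DllPath[MAX_PATH];

        // Build "<dir of this exe>\walk.dll" so the target gets a full path
        // and its DLL search order never comes into play.
        DWORD cch = GetModuleFileName(NULL, DllPath, sizeof(DllPath));
        if (cch == 0 || cch >= sizeof(DllPath)) {   // failure or truncation
            chMB("GetModuleFileName failed");
            break;
        }
        PTSTR pFilename = _tcsrchr(DllPath, TEXT('\\'));
        if (pFilename == NULL) {    // original did +1 on a possible NULL
            chMB("unexpected module path");
            break;
        }
        ++pFilename;
        lstrcpyn(pFilename, TEXT("walk.dll"),
                 (int)(sizeof(DllPath) - (pFilename - DllPath)));

        // The control is labelled "Thread" but it holds a process ID.
        BOOL fTranslated = FALSE;
        UINT nThreadID = GetDlgItemInt(hwnd, IDC_Thread, &fTranslated, FALSE);
        if (!fTranslated && GetWindowTextLength(GetDlgItem(hwnd, IDC_Thread)) > 0) {
            // Non-numeric input used to come back as 0 and silently
            // injected into this very process.
            chMB("invalid process id");
            break;
        }
        if (nThreadID == 0)
            nThreadID = GetCurrentProcessId();

        if (InjectDLL(nThreadID, DllPath)) {
            chMB("DLL Injection successful.");
            // Only try to unload what we actually loaded.
            if (EnjectDLL(nThreadID, "walk.dll"))
                chMB("DLL Enjection is successful");
        }
        break;
    }
    }
}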
///////////////////////////////////////////////////////////////////////////////
// Dialog procedure. Only WM_INITDIALOG and WM_COMMAND are handled, each
// routed through Richter's chHANDLE_DLGMSG macro to its Dlg_On* function;
// every other message returns FALSE so the dialog manager handles it.
INT_PTR WINAPI Dlg_Proc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
    switch (uMsg) {
        chHANDLE_DLGMSG(hwnd, WM_INITDIALOG, Dlg_OnInitDialog);
        chHANDLE_DLGMSG(hwnd, WM_COMMAND,    Dlg_OnCommand);
    }
    return FALSE;
}
///////////////////////////////////////////////////////////////////////////////
// Entry point: runs the injector dialog modally. The command line is parsed
// as an integer and handed to the dialog as its init parameter (which
// Dlg_OnInitDialog ignores). The dialog's result is not inspected.
int WINAPI WinMain(HINSTANCE hinstExe, HINSTANCE, PTSTR pszCmdLine, int)
{
    const LPARAM lInitParam = _ttoi(pszCmdLine);
    DialogBoxParam(hinstExe, MAKEINTRESOURCE(IDD_INJECTOR),
                   NULL, Dlg_Proc, lInitParam);
    return 0;
}
//////////////////////////////// End of File //////////////////////////////////
-------------------------------------------------------------------------------------------------
至于.rc文件、CommFile.h文件和resource.h可参照《windows核心编程》中给出的实例源代码。还有在编译时出现不识别一些函数而出错,估计您用的是VC6.0的原装库,建议升级一下SDK。当然还需要那个.dll(也在该书的源码中,我改成walk.dll,名字好记。)另外请注意:代码里把TEXT()、_tcsrchr、PTSTR与char缓冲区混用,因此只能在未定义UNICODE/_UNICODE的工程配置下编译;对话框里要填的是进程ID(PID)而不是线程ID,留空则注入到本程序自身。
高手飘过即可。