CreateRemoteThread函数
先编写一个简单的 DLL:被加载(DLL_PROCESS_ATTACH)和被卸载时各弹一个提示框,用来确认注入是否成功
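#include <windows.h>

/*
 * DllMain: entry point the loader calls when this DLL is mapped into or
 * unmapped from a process.  The demo pops a message box on attach and on
 * detach so that a successful injection is visible.
 *
 * hinstDLL    - module handle of this DLL.
 * fdwReason   - DLL_PROCESS_ATTACH / DLL_PROCESS_DETACH / DLL_THREAD_*.
 * lpvReserved - on DLL_PROCESS_DETACH, non-NULL when the process is
 *               terminating rather than calling FreeLibrary (unused here).
 * Returns TRUE so the load succeeds; returning FALSE on attach makes the
 * remote LoadLibrary fail and the DLL is unmapped again.
 *
 * NOTE(review): DllMain runs while the loader lock is held.  MessageBox
 * pumps messages and may itself load DLLs, so calling it here can deadlock
 * in a real target; it is kept only because the popup is the point of the
 * demo.  Real payloads should do as little as possible in DllMain (e.g.
 * create a thread and return).
 */
BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    (void)lpvReserved;

    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        /* DLL_THREAD_ATTACH/DETACH are not handled, so stop the loader from
         * calling us for every thread the host creates. */
        DisableThreadLibraryCalls(hinstDLL);
        MessageBox(NULL, TEXT("hello,5319"), TEXT("提示"), MB_OK);
        break;
    case DLL_PROCESS_DETACH:
        /* Also fires during process termination, when other DLLs may already
         * be unmapped; a popup here is for demonstration only. */
        MessageBox(NULL, TEXT("goodbye,5319"), TEXT("提示"), MB_OK);
        break;
    default:
        break;
    }
    /* `true` is not defined in C without <stdbool.h>; use the Win32 TRUE. */
    return TRUE;
}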
写好了这个演示用的“病毒”DLL 之后,就需要找到目标进程作为宿主(这里选择自己编写的窗口小程序 hello5319.exe),通过 ToolHelp 快照枚举进程并按映像名取得它的 PID,以便进行下一步操作。注意:注入程序对目标进程必须有足够的访问权限(同一用户且完整性级别不高于注入程序,或持有 SeDebugPrivilege),并且注入程序与目标进程的位数(32/64 位)必须一致。
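/*
 * findProcessByName: PID of the first running process whose image name
 * matches `exeName` (case-insensitive), or 0 if none is found or the
 * snapshot cannot be taken.  0 is never a usable target (System Idle
 * Process), so callers can test the result directly.
 *
 * Requires <tlhelp32.h> in addition to <windows.h>.
 */
static DWORD findProcessByName(LPCTSTR exeName)
{
    PROCESSENTRY32 pe32;
    HANDLE hSnap;
    DWORD pid = 0;

    pe32.dwSize = sizeof(pe32);   /* Process32First rejects the call otherwise */
    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {
        return 0;
    }

    if (Process32First(hSnap, &pe32)) {
        do {
            /* lstrcmpi follows the build's TCHAR setting, so this works for
             * both ANSI and UNICODE builds; stricmp on szExeFile would not. */
            if (lstrcmpi(pe32.szExeFile, exeName) == 0) {
                pid = pe32.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnap, &pe32));
    }

    /* Close the snapshot on every path; the original leaked it when the
     * process was not found. */
    CloseHandle(hSnap);
    return pid;
}

/*
 * getPID: PID of the demo host "hello5319.exe", or 0 if it is not running.
 *
 * The original returned whatever PID was enumerated last when the host was
 * not found, which would make the injector target an arbitrary process.
 * It also probed OpenProcess(PROCESS_ALL_ACCESS) and called exit(0) on
 * failure; that check is left to InjectDll, which opens the process anyway
 * and can report the error instead of silently exiting.  Callers must check
 * for 0 before injecting.
 */
DWORD getPID(void)
{
    return findProcessByName(TEXT("hello5319.exe"));
}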
之后在目标进程中分配一块内存并写入 DLL 的完整路径,再以 kernel32 中 LoadLibraryA 的地址为线程入口、以该路径为参数创建远程线程,由目标进程自己完成 DLL 加载,函数实现如下。路径应当是绝对路径:LoadLibrary 在目标进程中按目标进程的 DLL 搜索顺序解析相对路径,既容易失败,也可能被劫持。
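/*
 * InjectDll: load `DllFullPath` into process `dwRemoteProcessId` by creating
 * a remote thread whose start routine is kernel32!LoadLibraryA and whose
 * single argument is the path, copied into the target's address space.
 *
 * DllFullPath       - ANSI, NUL-terminated path of the DLL.  Pass a full
 *                     path: LoadLibrary in the target resolves a bare name
 *                     through the target's DLL search order, which is both
 *                     unreliable and a search-order hijacking risk.
 * dwRemoteProcessId - PID of the target (must be non-zero).
 * Returns TRUE if the remote LoadLibraryA reported a non-NULL module handle,
 * FALSE on any failure (the last Win32 error is left set by the failing call).
 *
 * Requirements the original did not state: injector and target must be the
 * same bitness (the LoadLibraryA address is taken from this process and is
 * only valid in the target because kernel32 shares a base across processes
 * of the same bitness), and the caller needs enough access to the target
 * (same user at the same or lower integrity, or SeDebugPrivilege).
 */
BOOL InjectDll(const char *DllFullPath, const DWORD dwRemoteProcessId)
{
    /* Least privilege: exactly the rights VirtualAllocEx, WriteProcessMemory
     * and CreateRemoteThread need, instead of PROCESS_ALL_ACCESS. */
    const DWORD access = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                         PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
    HANDLE hProcess = NULL;
    HANDLE hThread = NULL;
    LPVOID pszdll = NULL;
    HMODULE hKernel32;
    LPTHREAD_START_ROUTINE pLoadLibraryA;
    SIZE_T pathLen;
    SIZE_T written = 0;
    DWORD exitCode = 0;
    BOOL ok = FALSE;

    if (DllFullPath == NULL || DllFullPath[0] == '\0' || dwRemoteProcessId == 0) {
        SetLastError(ERROR_INVALID_PARAMETER);
        return FALSE;
    }
    pathLen = (SIZE_T)lstrlenA(DllFullPath) + 1;   /* include the terminating NUL */

    /* Resolve LoadLibraryA explicitly.  The path is written as ANSI, so the
     * A variant must be used whatever the UNICODE setting; the bare
     * `LoadLibrary` macro silently becomes LoadLibraryW in a UNICODE build
     * and the target would read the ANSI bytes as UTF-16. */
    hKernel32 = GetModuleHandleA("kernel32.dll");
    if (hKernel32 == NULL) {
        return FALSE;
    }
    pLoadLibraryA = (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryA");
    if (pLoadLibraryA == NULL) {
        return FALSE;
    }

    /* The original never checked this handle and passed NULL on to
     * VirtualAllocEx. */
    hProcess = OpenProcess(access, FALSE, dwRemoteProcessId);
    if (hProcess == NULL) {
        return FALSE;
    }

    /* Reserve space for the path in the target and copy it over. */
    pszdll = VirtualAllocEx(hProcess, NULL, pathLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pszdll == NULL) {
        goto cleanup;
    }
    if (!WriteProcessMemory(hProcess, pszdll, DllFullPath, pathLen, &written) ||
        written != pathLen) {
        goto cleanup;
    }

    /* LoadLibraryA(LPCSTR) has the same shape as a thread start routine (one
     * pointer argument, WINAPI), so the remote path pointer becomes its arg. */
    hThread = CreateRemoteThread(hProcess, NULL, 0, pLoadLibraryA, pszdll, 0, NULL);
    if (hThread == NULL) {
        goto cleanup;
    }

    /* Wait for LoadLibraryA to finish before freeing the buffer it reads;
     * the original returned immediately and never freed the remote memory. */
    if (WaitForSingleObject(hThread, INFINITE) != WAIT_OBJECT_0) {
        /* Thread state unknown: leak the buffer rather than free it under a
         * thread that may still be reading it. */
        pszdll = NULL;
        goto cleanup;
    }
    /* The exit code is the returned HMODULE truncated to 32 bits; 0 means
     * LoadLibraryA failed.  (On 64-bit a module whose base has all-zero low
     * 32 bits would read as failure; acceptable for a demo.) */
    if (GetExitCodeThread(hThread, &exitCode) && exitCode != 0) {
        ok = TRUE;
    }

cleanup:
    if (pszdll != NULL) {
        VirtualFreeEx(hProcess, pszdll, 0, MEM_RELEASE);
    }
    if (hThread != NULL) {
        CloseHandle(hThread);
    }
    CloseHandle(hProcess);
    return ok;
}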
以上我们的远程注入就算是成功了,但是要想进一步完善则需要运用到更多技术。例如,当宿主程序关闭时,DLL 模块随之被卸载(磁盘上的文件并不会被删除),无法在目标进程中长期驻留;要做到这一点就需要运用资源节方面的技术,或是修改注册表,把注入程序加入自启动项,每次开机都重新完成一次注入(这类自启动项也是 Autoruns、EDR 等工具最先检查的位置)。不过那只能等到下一次再一一介绍了。