萌新逆向学习笔记——远程线程注入DLL
本文为看雪论坛精华文章
看雪论坛作者ID:psycongroo
前言
准备工作
阅读并实现本文主题,需要以下工具及知识:
原理
代码中加载DLL
// Author's shorthand for the two real prototypes: LoadLibraryA(LPCSTR) and LoadLibraryW(LPCWSTR).
// Returns the module handle, or NULL on failure (GetLastError() gives the reason).
HMODULE LoadLibraryA/W(
LPCWSTR lpLibFileName // path of the DLL file; LPCWSTR is the W form, the A form takes LPCSTR
);
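#include <windows.h>   // umbrella header; libloaderapi.h is not meant to be included on its own
/* Local-process demo: load the DLL into *this* process so its DllMain runs.
 * Calls LoadLibraryW explicitly because the literal is a wide string, so the
 * build no longer depends on the project's UNICODE setting. Returns 0 when the
 * load succeeded, 1 otherwise (GetLastError() holds the reason). The module is
 * intentionally never released; FreeLibrary would be the matching call. */
int main(void)
{
    HMODULE hDll = LoadLibraryW(L"F://Project//MyDll.dll");
    if (hDll == NULL) {
        return 1;
    }
    return 0;
}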
以下为创建的DLL文件:
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved )
{
    /* Demo DLL entry point. On DLL_PROCESS_ATTACH it shows a message box, which is
     * how the article proves the DLL ran inside the host process; the thread
     * attach/detach and process detach reasons do nothing. Always reports success
     * to the loader. hModule and lpReserved are unused.
     * Caveat: MessageBox runs here under the loader lock; Microsoft's DllMain
     * guidance advises against creating windows or calling into user32 from DllMain
     * because it can deadlock. Fine for a demo, not a pattern to copy. */
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        MessageBox(NULL, L"内容", L"标题", MB_OK);
    }
    return TRUE;
}
远程线程使别人加载自己的DLL
// Creates a thread that executes inside another process. Returns the thread handle, or NULL on failure.
// Defender note: a CreateRemoteThread whose target is a different process is a high-signal event
// (Sysmon Event ID 8 records it with source and target image); legitimate cross-process use is rare
// outside debuggers and a few instrumentation tools.
HANDLE CreateRemoteThread(
HANDLE hProcess, // handle to the target process (the article opens it with PROCESS_ALL_ACCESS)
LPSECURITY_ATTRIBUTES lpThreadAttributes,
SIZE_T dwStackSize,
LPTHREAD_START_ROUTINE lpStartAddress, // address where the new thread starts, as seen from the target process
LPVOID lpParameter, // the single argument passed to that routine; must point into the target's address space
DWORD dwCreationFlags,
LPDWORD lpThreadId
);
虽然参数过多,但我们只需要关注三个参数即可:
传递被调用的函数
// Shape of a thread start routine: one pointer argument, one integer return, WINAPI convention.
// LoadLibraryW(LPCWSTR) has the same one-pointer-in shape, which is why the article hands its
// address to CreateRemoteThread directly instead of writing a custom routine.
DWORD WINAPI ThreadProc(
_In_ LPVOID lpParameter
);
// Repeated for reference: LoadLibraryA takes LPCSTR, LoadLibraryW takes LPCWSTR.
// Returns the module handle, or NULL on failure.
HMODULE LoadLibraryA/W(
LPCWSTR lpLibFileName // path of the DLL file; LPCWSTR is the W form, the A form takes LPCSTR
);
实践
EXE中代码:
// Injector-side fragment (mProcess and mRemoteThread are declared elsewhere in the author's project).
// The chain OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread against a
// foreign process is the canonical remote-thread DLL-injection pattern and is exactly what
// endpoint telemetry keys on: Sysmon Event ID 8 logs the cross-process thread creation, and
// EDRs commonly alert on PROCESS_ALL_ACCESS handles to other processes. In production telemetry,
// an unexpected instance of this chain means an attacker-chosen DLL was loaded into the target.
// Argument 1: a handle to the target EXE's process. The process ID can be read in procexp and typed in by hand.
mProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 进程ID); // NULL on failure; not checked here
// Argument 2: resolve the address of LoadLibraryW and cast it to the thread-routine type.
// NOTE(review): passing a local address to a thread in another process assumes kernel32.dll is
// mapped at the same base there; nothing in this fragment verifies that.
HMODULE hMod = GetModuleHandle(L"kernel32.dll");
LPTHREAD_START_ROUTINE fun = (LPTHREAD_START_ROUTINE)GetProcAddress(hMod, "LoadLibraryW"); // hMod/fun NULL not checked
// Argument 3: the thread parameter must live in the target's address space, so it is allocated and written there.
// Reserve the buffer with VirtualAllocEx. Note the DLL path here ("F:\\Projec\\MyDLL.dll") does not match
// the one used earlier in the article ("F://Project//MyDll.dll"); one of them is a typo.
CString path = "F:\\Projec\\MyDLL.dll";
SIZE_T pathSize = (path.GetLength()+1) * sizeof(TCHAR); // byte count including the terminator
LPVOID mBuffer = VirtualAllocEx(mProcess, NULL, pathSize, MEM_COMMIT, PAGE_READWRITE); // NULL on failure; not checked
// Copy the path into the remote buffer with WriteProcessMemory.
WriteProcessMemory(mProcess, mBuffer, path, pathSize, NULL)
// NOTE(review): the statement above is missing its trailing ';' as printed; return value is also unchecked.
// Start a thread in the target whose entry point is LoadLibraryW and whose argument is the remote
// path buffer, so the target process loads the DLL and runs its DllMain.
mRemoteThread = CreateRemoteThread(mProcess, NULL, 0, fun, mBuffer, 0, NULL);
// Neither mProcess nor mRemoteThread is closed, and the remote buffer is never released, in this fragment.
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved )
{
    /* Entry point of the DLL that gets loaded into the target. The only action is
     * a message box on DLL_PROCESS_ATTACH, which visibly confirms the DLL now runs
     * inside the target; every other reason code is a no-op. Always returns TRUE.
     * hModule and lpReserved are unused.
     * Caveat: MessageBox here executes under the loader lock; Microsoft's DllMain
     * guidance advises against creating windows or calling into user32 from DllMain
     * because it can deadlock. Acceptable for a demo, not for real code. */
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        MessageBox(NULL, L"内容", L"标题", MB_OK);
    }
    return TRUE;
}
总结
看雪ID:psycongroo
https://bbs.pediy.com/user-899080.htm
*本文由看雪论坛 psycongroo 原创,转载请注明来自看雪社区。