
通过CreateProcess插入DLL的方法 (DLL篇)

2005-03-13 08:25 453 查看
#include <stdio.h>
#include <stddef.h>
#include <windows.h>
#pragma comment(lib, "ImageHlp.lib")
#pragma pack (push ,1) // structures below are byte-packed: no padding between fields
/*
 * Byte image of the stub that sits at the target's entry point. The field
 * names mirror the instruction each slot is meant to hold (pushad; push imm32;
 * mov eax, imm32; call eax; mov eax, imm32; jmp eax) followed by the DLL path.
 * Only the layout is defined here; the side that fills and writes these bytes
 * is not on this page.
 */
typedef struct
{
BYTE int_PUSHAD;
BYTE int_PUSH;
DWORD push_Value;
BYTE int_MOVEAX;
DWORD eax_Value;
WORD call_eax;
BYTE jmp_MOVEAX;   // InitApiSpy() and DoJmpEntryPoint() address this slot by offsetof()
DWORD jmp_Value;
WORD jmp_eax;
char szDLL[MAX_PATH];
}INJECT_LOADLIBRARY_CODE, *LPINJECT_CODE, INJECT_CODE;
#pragma pack (pop , 1)
/*
 * Record shared with this DLL through the named file mapping opened in
 * InitApiSpy(). The writer of this record is not on this page.
 */
typedef struct
{
LPBYTE lpEntryPoint; // entry-point address of the target process
BYTE oldcode[sizeof(INJECT_CODE)];// original bytes of the target that the stub replaced
}SPY_MEM_SHARE, * LPSPY_MEM_SHARE;
/*
 * State handed from InitApiSpy() to DoJmpEntryPoint(). Addresses are kept as
 * DWORD, so this layout is 32-bit only.
 */
typedef struct
{
DWORD lpEntryPoint; // original entry point, jumped to at the end of DoJmpEntryPoint()
DWORD OldAddr;      // address of the jmp_MOVEAX slot inside the stub
DWORD OldCode[4];   // original bytes at OldAddr; only [0] and [1] are ever used
}JMP_CODE, *LPJMP_CODE;
// File-scope global; a leading underscore at file scope is in the implementation's
// reserved namespace (C11 7.1.3), kept as-is here.
static JMP_CODE _lpCode;

/*
 * Tail of the stub: puts the original bytes back at the slot that
 * InitApiSpy() patched, then resumes the target at its real entry point.
 * Declared naked, so no prologue/epilogue is emitted; the function never
 * returns -- its last statement is a jmp.
 * NOTE(review): stack locals are declared without a frame being set up;
 * whether that is sound depends on the compiler's naked-function rules --
 * confirm against the toolchain in use. VirtualProtect return values are
 * not checked.
 */
void __declspec(naked)DoJmpEntryPoint()
{
DWORD *_glpMovEax;
WORD *_GlpJmp;   // unused
DWORD _gfNew;
DWORD _gfOld;
// Restore the code that follows the LoadLibrary call site in the stub
_gfNew = PAGE_READWRITE;
_glpMovEax = (DWORD*)_lpCode.OldAddr;   // jmp_MOVEAX slot, recorded by InitApiSpy()
VirtualProtect(_glpMovEax, 2*sizeof(DWORD), _gfNew, &_gfOld);
// 8 bytes = jmp_MOVEAX(1) + jmp_Value(4) + jmp_eax(2) + first byte of szDLL;
// OldCode was captured over the same 8-byte span, so the extra byte is restored too
*_glpMovEax = _lpCode.OldCode[0];
*(_glpMovEax + 1) = _lpCode.OldCode[1];
VirtualProtect(_glpMovEax, 2*sizeof(DWORD), _gfOld, &_gfNew);
// popad balances the stub's leading pushad (int_PUSHAD), then jump to the target's entry
_asm popad
_asm jmp _lpCode.lpEntryPoint
}

/*
 * Called from DllMain on process attach. Reads the shared SPY_MEM_SHARE
 * record from the named mapping, restores the target's original entry
 * bytes, and rewrites the slot after the LoadLibrary call site so that
 * control passes through DoJmpEntryPoint() on return.
 *
 * Observable behaviour in the host (useful for detection): a named section
 * "MyDllMapView" opened from within DllMain, followed by VirtualProtect and
 * WriteProcessMemory on the host's own entry-point code page.
 *
 * NOTE(review): lpByte is only assigned inside the success path; when the
 * mapping cannot be opened or mapped, the writes after the if-block go
 * through an uninitialized pointer. rc and dwSize are assigned but never
 * checked, and the VirtualProtect results are ignored.
 *
 * Returns TRUE unconditionally.
 */
BOOL WINAPI InitApiSpy()
{
HANDLE hMap;
LPSPY_MEM_SHARE lpMem;
DWORD dwSize;
BOOL rc;
BYTE *lpByte;
// Open the file mapping created by the injecting side (fixed global name)
hMap = OpenFileMapping(FILE_MAP_ALL_ACCESS, 0, "MyDllMapView");
if(hMap)
{
lpMem = (LPSPY_MEM_SHARE)MapViewOfFile(hMap, FILE_MAP_ALL_ACCESS, 0, 0, 0);
if(lpMem)
{
// Address of the "mov eax, value" slot after the LoadLibrary call in the stub
_lpCode.OldAddr = (DWORD)((BYTE*)lpMem->lpEntryPoint + offsetof(INJECT_CODE, jmp_MOVEAX));
_lpCode.lpEntryPoint = (DWORD)lpMem->lpEntryPoint;
// Keep the original 8 bytes at that offset; DoJmpEntryPoint() writes them back
memcpy(&_lpCode.OldCode, (BYTE*)lpMem->oldcode + offsetof(INJECT_CODE, jmp_MOVEAX), 2*sizeof(DWORD));
// Restore the whole original entry-point region (result not checked)
rc = WriteProcessMemory(GetCurrentProcess(), lpMem->lpEntryPoint, lpMem->oldcode, sizeof(INJECT_CODE), &dwSize);
lpByte = (BYTE*)lpMem->lpEntryPoint + offsetof(INJECT_CODE, jmp_MOVEAX);
UnmapViewOfFile(lpMem);
}
CloseHandle(hMap);
}

BYTE *lpMovEax;
DWORD *lpMovEaxValu;
WORD *lpJmp;
DWORD fNew;
DWORD fOld;
fNew = PAGE_READWRITE;
lpMovEax = lpByte;   // uninitialized if the mapping was not available above
VirtualProtect(lpMovEax, 2*sizeof(DWORD), fNew, &fOld);
// Re-patch the 7-byte slot: mov eax, DoJmpEntryPoint ; jmp eax
*lpMovEax = 0xB8;
lpMovEaxValu = (DWORD*)(lpMovEax + 1);
*lpMovEaxValu = (DWORD)&DoJmpEntryPoint;
lpJmp = (WORD*)(lpMovEax + 5);
*lpJmp = 0xE0FF; // (FF E0)
VirtualProtect(lpMovEax, 2*sizeof(DWORD), fOld, &fNew);

// Hook for user code; left disabled in the original
//MyFunc();

return TRUE;
}
/*
 * DLL entry point. The patching logic in InitApiSpy() runs once, on process
 * attach; every other notification is acknowledged with TRUE and ignored.
 * hInstance and lpReserved are not used.
 */
BOOL APIENTRY DllMain( HANDLE hInstance,
DWORD ul_reason_for_call,
LPVOID lpReserved)
{
    BOOL result = TRUE;
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        result = InitApiSpy();
        break;
    default:
        break;
    }
    return result;
}