
封装好的DLL远程注入函数

2007-10-17 10:52 399 查看
函数名称: CreateRemoteDll()

返回类型:BOOL(成功返回 TRUE,任一步失败返回 FALSE)

接受参数: DLL 完整路径(该路径由目标进程中的 LoadLibraryA 解析,应使用绝对路径),目标进程 ID

其完整代码如下(错误提示通过 MFC 的 AfxMessageBox 弹出,需在 MFC 工程中使用):


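/*
 * CreateRemoteDll - load a DLL into another process via CreateRemoteThread.
 *
 * Writes DllFullPath into the target's address space, then starts a remote
 * thread whose entry point is kernel32!LoadLibraryA with that buffer as its
 * single argument. The local address of LoadLibraryA is used as the remote
 * start address, which only works when kernel32 is mapped at the same base
 * in both processes, i.e. both are the same bitness; injecting from a 32-bit
 * process into a 64-bit one (or vice versa) is not supported.
 *
 * DllFullPath       : NUL-terminated ANSI path of the DLL. It is resolved by
 *                     the target process, so pass an absolute path.
 * dwRemoteProcessId : PID of the target process.
 *
 * Returns TRUE only after the remote LoadLibraryA call completed and returned
 * a non-NULL module handle; FALSE on any failure (an AfxMessageBox is shown,
 * as in the original). Every exit path closes the handles it opened and
 * releases the remote buffer.
 *
 * Security notes: this is a classic process-injection primitive. Enabling
 * SeDebugPrivilege is attempted so that processes of other users can be
 * opened, but it is not required for same-user targets, so a failure there
 * is deliberately ignored and OpenProcess reports the real access result.
 */
BOOL CreateRemoteDll(const char *DllFullPath, const DWORD dwRemoteProcessId)
{
    BOOL bResult = FALSE;
    HANDLE hToken = NULL;
    HANDLE hRemoteProcess = NULL;
    HANDLE hRemoteThread = NULL;
    char *pszLibFileRemote = NULL;
    PTHREAD_START_ROUTINE pfnStartAddr = NULL;
    DWORD dwExitCode = 0;
    SIZE_T cbPath = 0;

    /* Reject NULL/empty paths up front instead of handing them to the target. */
    if (DllFullPath == NULL || DllFullPath[0] == '\0') {
        AfxMessageBox("Invalid DLL path");
        return FALSE;
    }
    /* lstrlenA, not lstrlen: the argument is char*, so a UNICODE build of the
     * original would not compile. Count the terminating NUL as well. */
    cbPath = (SIZE_T)lstrlenA(DllFullPath) + 1;

    /* Best-effort: enable SeDebugPrivilege on our own token. */
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
        TOKEN_PRIVILEGES tkp;
        if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid)) {
            tkp.PrivilegeCount = 1;
            tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            /* Note: AdjustTokenPrivileges returns TRUE even when the privilege
             * is not held (GetLastError() == ERROR_NOT_ALL_ASSIGNED). That case
             * is intentionally not treated as fatal here. */
            AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL);
        }
        CloseHandle(hToken); /* the original never closed this handle */
        hToken = NULL;
    }

    /* Open the target with exactly the rights the calls below need.
     * PROCESS_QUERY_INFORMATION and PROCESS_VM_READ are required by
     * CreateRemoteThread on Windows Vista and later. */
    hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD |     /* CreateRemoteThread            */
                                 PROCESS_QUERY_INFORMATION | /* CreateRemoteThread (Vista+)   */
                                 PROCESS_VM_OPERATION |      /* VirtualAllocEx / VirtualFreeEx */
                                 PROCESS_VM_WRITE |          /* WriteProcessMemory            */
                                 PROCESS_VM_READ,            /* CreateRemoteThread (Vista+)   */
                                 FALSE, dwRemoteProcessId);
    if (hRemoteProcess == NULL) {
        AfxMessageBox("OpenProcess Error!");
        goto cleanup;
    }

    /* Reserve a buffer for the path inside the target's address space. */
    pszLibFileRemote = (char *)VirtualAllocEx(hRemoteProcess, NULL, cbPath,
                                              MEM_COMMIT, PAGE_READWRITE);
    if (pszLibFileRemote == NULL) {
        AfxMessageBox("VirtualAllocEx error! ");
        goto cleanup;
    }

    /* Copy the path (including NUL) into that buffer. */
    if (!WriteProcessMemory(hRemoteProcess, pszLibFileRemote,
                            DllFullPath, cbPath, NULL)) {
        AfxMessageBox("WriteProcessMemory Error");
        goto cleanup;
    }

    /* LoadLibraryA's address in kernel32; see the bitness caveat above. */
    pfnStartAddr = (PTHREAD_START_ROUTINE)
        GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
    if (pfnStartAddr == NULL) {
        AfxMessageBox("GetProcAddress Error");
        goto cleanup;
    }

    /* Start LoadLibraryA(pszLibFileRemote) in the target. */
    hRemoteThread = CreateRemoteThread(hRemoteProcess, NULL, 0, pfnStartAddr,
                                       pszLibFileRemote, 0, NULL);
    if (hRemoteThread == NULL) {
        AfxMessageBox("CreateRemoteThread Error");
        goto cleanup;
    }

    /* Wait for LoadLibraryA to finish: the remote buffer must stay mapped
     * until then (the original returned and leaked it immediately), and the
     * thread's exit code is LoadLibraryA's return value - 0 means the DLL was
     * not loaded. On 64-bit the HMODULE is truncated to a DWORD, but a failed
     * load still yields exactly 0. An INFINITE wait will hang if the DLL's
     * DllMain deadlocks; use a bounded timeout if that is a concern. */
    if (WaitForSingleObject(hRemoteThread, INFINITE) != WAIT_OBJECT_0 ||
        !GetExitCodeThread(hRemoteThread, &dwExitCode) ||
        dwExitCode == 0) {
        AfxMessageBox("Remote LoadLibraryA failed");
        goto cleanup;
    }

    bResult = TRUE;

cleanup:
    if (hRemoteThread != NULL)
        CloseHandle(hRemoteThread);
    if (pszLibFileRemote != NULL)
        VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
    if (hRemoteProcess != NULL)
        CloseHandle(hRemoteProcess);
    return bResult;
}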