
CreateRemoteThread远程注入 使用例子



CreateRemoteThread远程注入 使用例子



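// CreateRemoteThread usage: close a handle that is open in another process.
//   processID  process ID of the target process
//   handle     the handle value *as it exists inside the target process*
//              (handle values are per-process; a handle from this process is
//              not meaningful there — caller must supply the remote value)
// Returns 0 on success, otherwise the Win32 error code that caused the failure.
// The remote start address is GetProcAddress(kernel32, "CloseHandle") resolved in
// this process; NOTE(review): that only works when the target maps kernel32 at the
// same base (same bitness) — confirm for the deployment.  The function-pointer
// cast and DWORD-sized argument assume a 32-bit build, as in the original.
// The original declaration had no return type; DWORD matches every return path.
DWORD CloseRemoteHandle( DWORD processID, HANDLE handle )
{
    HANDLE ht = NULL;
    DWORD rc = 0;
    DWORD threadId = 0;   // CreateRemoteThread's lpThreadId output; kept apart from rc

    // open the process with the rights CreateRemoteThread needs
    HANDLE hProcess = OpenProcess( PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE|PROCESS_VM_READ, FALSE, processID );
    if ( hProcess == NULL )
    {
        rc = GetLastError();
        MessageBox( _T("OpenProcess() failed ") );
        return rc;
    }

    // load kernel32.dll (the original did not check this; a NULL module would
    // have made GetProcAddress fail and CreateRemoteThread be called with a NULL
    // start address)
    HMODULE hKernel32 = LoadLibrary( _T("kernel32.dll") );
    if ( hKernel32 == NULL )
    {
        rc = GetLastError();
        MessageBox( _T("LoadLibrary() failed ") );
        CloseHandle( hProcess );
        return rc;
    }

    // CreateRemoteThread(): run CloseHandle(handle) on a new thread in the target
    ht = CreateRemoteThread(
        hProcess,
        0,
        0,
        (DWORD(__stdcall *)(void*))GetProcAddress(hKernel32,"CloseHandle"),
        handle,
        0,
        &threadId );
    if ( ht == NULL )
    {
        // Something is wrong with the privileges, or the process doesn't like us
        rc = GetLastError();
        MessageBox( _T("CreateRemoteThread() failed ") );
        // Free up the kernel32.dll
        FreeLibrary( hKernel32 );
        CloseHandle( hProcess );
        // The original fell through here: it then waited on and closed a NULL
        // thread handle and released hKernel32 / hProcess a second time.
        return rc;
    }

    switch ( WaitForSingleObject( ht, 2000 ) )
    {
    case WAIT_OBJECT_0:
        // Well done: the remote thread finished within the timeout
        rc = 0;
        MessageBox( _T("Ok "));
        break;

    case WAIT_TIMEOUT:
        // The remote thread is still running.  GetLastError() is not set on a
        // timeout (the original read it anyway and could report 0 == success).
        rc = ERROR_TIMEOUT;
        MessageBox( _T("WaitForSingleObject() failed ") );
        break;

    default:
        // WAIT_FAILED: the wait itself failed; shouldn't be here
        rc = GetLastError();
        MessageBox( _T("WaitForSingleObject() failed ") );
        break;
    }

    // Closes the remote thread handle
    CloseHandle( ht );

    // Free up the kernel32.dll
    FreeLibrary( hKernel32 );

    // Close the process handle
    CloseHandle( hProcess );

    return rc;
}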






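// CreateRemoteThread usage: unload a DLL from another process.
//   processID  process ID of the process that has the DLL loaded
//   lpDllPath  DLL name/path, in the form GetModuleHandle accepts
// Returns 0 on success, otherwise a Win32 error code.
// Two remote threads are created: GetModuleHandle(name) to learn the target's own
// HMODULE for the DLL, then FreeLibrary(HMODULE).  Both start addresses are
// resolved from kernel32 in this process; NOTE(review): that assumes the target
// maps kernel32 at the same base (same bitness) — confirm for the deployment.
// The HMODULE is read back through the thread exit code (a DWORD), so, like the
// original, this only holds the full value for a 32-bit target.
// The original declaration had no return type; DWORD matches every return path.
DWORD CloseRemoteDll( DWORD processID, LPCTSTR lpDllPath )
{
    HANDLE ht = NULL;          // thread running FreeLibrary in the target
    HANDLE hThread = NULL;     // thread running GetModuleHandle in the target
    DWORD rc = 0;
    DWORD dwHandle = 0;        // target's HMODULE, from the first thread's exit code
    DWORD threadId = 0;        // CreateRemoteThread's lpThreadId output; kept apart from rc
    DWORD dwSize = 0, dwWritten = 0;
    HMODULE hKernel32 = NULL;
    LPVOID lpBuf = NULL;       // copy of the DLL name inside the target
    // The export must match the encoding of the string we write into the target.
    // The original always called GetModuleHandleA and sized the buffer in
    // characters, which is only correct in an ANSI/MBCS build.
#ifdef UNICODE
    LPCSTR getModuleHandleName = "GetModuleHandleW";
#else
    LPCSTR getModuleHandleName = "GetModuleHandleA";
#endif

    HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | // allow remote thread creation
                                  PROCESS_VM_OPERATION | // allow remote VM operations
                                  PROCESS_VM_WRITE,      // allow remote VM writes
                                  FALSE, processID );
    if ( hProcess == NULL )
    {
        rc = GetLastError();
        //MessageBox( _T("OpenProcess() failed ") );
        return rc;
    }

    // _T() keeps this consistent with CloseRemoteHandle() and with UNICODE builds
    hKernel32 = LoadLibrary( _T("kernel32.dll") );
    if ( hKernel32 == NULL )
    {
        rc = GetLastError();
        goto cleanup;
    }

    // Write the DLL name into the target's address space.
    // Byte count = (characters + terminator) * sizeof(TCHAR); lstrlen replaces the
    // CString round-trip of the original and tolerates a NULL lpDllPath.
    dwSize = (DWORD)(lstrlen(lpDllPath) + 1) * sizeof(TCHAR);
    lpBuf = VirtualAllocEx(hProcess,NULL,dwSize, MEM_COMMIT, PAGE_READWRITE );
    if ( lpBuf == NULL )
    {
        // the original passed a NULL buffer straight into WriteProcessMemory
        rc = GetLastError();
        goto cleanup;
    }
    if(!WriteProcessMemory(hProcess,lpBuf,(LPVOID)lpDllPath, dwSize,&dwWritten))
    {
        rc=GetLastError();
        goto cleanup;
    }

    // Ask the target for its HMODULE of the DLL
    hThread = CreateRemoteThread(hProcess, NULL, 0,
        (DWORD(__stdcall *)(void*))GetProcAddress(hKernel32,getModuleHandleName),
        lpBuf ,0, NULL);
    if(hThread == NULL)
    {
        // the original leaked lpBuf and hKernel32 on this path
        rc=GetLastError();
        goto cleanup;
    }

    // Wait for GetModuleHandle to finish.  INFINITE is kept from the original;
    // NOTE(review): a bounded wait would avoid hanging if the target never schedules
    // the thread — confirm whether callers can tolerate blocking here.
    WaitForSingleObject(hThread, INFINITE);

    // Read GetModuleHandle's return value back as the thread exit code
    if ( !GetExitCodeThread(hThread,&dwHandle) )
    {
        rc = GetLastError();
        goto cleanup;
    }
    if ( dwHandle == 0 )
    {
        // The target does not have this DLL loaded; the original would have gone
        // on to run FreeLibrary(NULL) in the target and report "Ok".
        rc = ERROR_MOD_NOT_FOUND;
        goto cleanup;
    }

    // CreateRemoteThread(): run FreeLibrary(HMODULE) in the target
    ht = CreateRemoteThread(
        hProcess,
        0,
        0,
        (DWORD(__stdcall *)(void*))GetProcAddress(hKernel32,"FreeLibrary"),
        (LPVOID)dwHandle,
        0,
        &threadId );
    if ( ht == NULL )
    {
        rc = GetLastError();
        MessageBox( _T("CreateRemoteThread() failed ") );
        goto cleanup;
    }

    switch ( WaitForSingleObject( ht, 2000 ) )
    {
    case WAIT_OBJECT_0:
        rc = 0;
        MessageBox( _T("Ok "));
        break;

    case WAIT_TIMEOUT:
        // GetLastError() is not set on a timeout (the original read it anyway and
        // could report 0 == success)
        rc = ERROR_TIMEOUT;
        MessageBox( _T("WaitForSingleObject() failed ") );
        break;

    default:
        // WAIT_FAILED: the wait itself failed
        rc = GetLastError();
        MessageBox( _T("WaitForSingleObject() failed ") );
        break;
    }

cleanup:
    // Single exit: every resource acquired above is released exactly once, on
    // success and on each failure path.
    if ( ht != NULL )
        CloseHandle( ht );          // the remote FreeLibrary thread handle
    if ( hThread != NULL )
        CloseHandle( hThread );     // the remote GetModuleHandle thread handle
    if ( lpBuf != NULL )
        // Release the allocation made in the target.  The original used
        // MEM_DECOMMIT with dwSize, which leaves the region reserved; releasing
        // requires MEM_RELEASE with a size of 0.
        VirtualFreeEx( hProcess, lpBuf, 0, MEM_RELEASE );
    if ( hKernel32 != NULL )
        FreeLibrary( hKernel32 );   // Free up the kernel32.dll
    CloseHandle( hProcess );        // Close the process handle
    return rc;
}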

