远程线程注入
通过实例对远程线程注入进行详细的讲解:
远程线程注入的核心函数是
CreateRemoteThread(
_In_ HANDLE hProcess,
_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_ SIZE_T dwStackSize,
_In_ LPTHREAD_START_ROUTINE lpStartAddress,
_In_opt_ LPVOID lpParameter,
_In_ DWORD dwCreationFlags,
_Out_opt_ LPDWORD lpThreadId
);
被注入的目标进程程序:
实验结果:
当dll注入成功,目标进程会弹出提示框
远程线程注入的核心函数是
CreateRemoteThread(
_In_ HANDLE hProcess,
_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_ SIZE_T dwStackSize,
_In_ LPTHREAD_START_ROUTINE lpStartAddress,
_In_opt_ LPVOID lpParameter,
_In_ DWORD dwCreationFlags,
_Out_opt_ LPDWORD lpThreadId
);
被注入的目标进程程序:
int _tmain(int argc, _TCHAR* argv[])
{
    // Demo target process for the injection experiment: prints a greeting,
    // then blocks twice (cmd.exe `pause`, then a keypress) so the process
    // stays alive long enough to be injected into. argc/argv are unused.
    // Returns 0.
    fputs("hello world!", stdout);   // same bytes as the original printf, no newline
    system("pause");                 // waits for a key in the console window
    getchar();                       // second wait, so the window does not close on the first key
    return 0;
}
注入程序:
// Loads the DLL at szDllPath into the process identified by processID: it
// allocates a buffer in that process, copies the path into it, and starts a
// remote thread whose entry point is LoadLibrary with that buffer as argument.
//   processID - ID of the process to inject into
//   szDllPath - wide-char path of the DLL (must be non-NULL; exactly MAX_PATH
//               bytes are copied from it, see step 3)
// Returns TRUE when every step reported success, FALSE otherwise.
// NOTE(review): this exact call sequence (OpenProcess with PROCESS_ALL_ACCESS,
// VirtualAllocEx, WriteProcessMemory, CreateRemoteThread into LoadLibrary) is
// the textbook remote-thread injection pattern; it is what cross-process
// handle auditing and remote-thread-creation telemetry (EDR/ETW) are built to
// surface, and the target's module list gains an entry it never asked for.
BOOL InjectionDll( DWORD processID ,WCHAR szDllPath[]) // arg 1: PID of the target process; arg 2: DLL path
{
    if( NULL == szDllPath) return FALSE;
    //1. Open the target process.
    // NOTE(review): the returned handle is not checked for NULL, and none of
    // the early `return FALSE` paths below close it (handle leak on failure).
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,processID);
    //2. Reserve and commit a 4096-byte page in the target process.
    LPVOID pszDllName = VirtualAllocEx(hProcess,NULL,4096,MEM_COMMIT,PAGE_READONLY);
    if(NULL == pszDllName ) return FALSE;
    // Make the page writable so the path can be copied in.
    DWORD dwOld = 0;
    VirtualProtectEx(hProcess,pszDllName,4096,PAGE_READWRITE,&dwOld);
    //3. Copy the DLL path into the target process.
    // NOTE(review): MAX_PATH is a byte count here, not a WCHAR count, so only
    // MAX_PATH/2 wide characters are transferred, and a caller buffer shorter
    // than MAX_PATH bytes is over-read — presumably the caller always passes a
    // MAX_PATH-WCHAR buffer; confirm.
    if(!WriteProcessMemory(hProcess,pszDllName,szDllPath,MAX_PATH,NULL)) return false;
    // Restore the page's previous protection.
    // NOTE(review): lpflOldProtect is a required output pointer; passing NULL
    // is expected to make this call fail, and its result is not checked.
    VirtualProtectEx(hProcess,pszDllName,4096,dwOld,NULL);
    //4. Start a thread in the target whose start routine is LoadLibrary and
    // whose single argument is the remote buffer holding the path.
    // Assumes a UNICODE build, where the LoadLibrary macro resolves to the
    // W variant that matches the WCHAR buffer — TODO confirm project settings.
    // NOTE(review): the returned thread handle is never checked for NULL and
    // never closed.
    HANDLE hInjecthread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibrary, pszDllName, NULL, NULL );
    //5. Block until the remote thread finishes (-1 converts to INFINITE). dw is unused.
    DWORD dw = WaitForSingleObject(hInjecthread,-1);
    //6. The thread's exit code is LoadLibrary's return value, i.e. the module base.
    // NOTE(review): the exit code is a DWORD, so on a 64-bit target the
    // HMODULE is truncated; hMod is not used afterwards anyway.
    DWORD dwExitCode;
    GetExitCodeThread(hInjecthread,&dwExitCode);
    HMODULE hMod = (HMODULE)dwExitCode;
    //7. Free the remote buffer.
    // NOTE(review): MEM_COMMIT is not a documented dwFreeType value
    // (MEM_DECOMMIT / MEM_RELEASE are), so this call is expected to fail, in
    // which case the function returns FALSE even though the DLL has already
    // been loaded — and hProcess is leaked on that path too.
    if(!VirtualFreeEx(hProcess,pszDllName,4096,MEM_COMMIT)) return FALSE;
    CloseHandle(hProcess);
    return TRUE;
}
向目标程序中注入的dll程序(使用vs创建win32控制台类型的dll):
// Entry point of the DLL that gets injected. The only work happens on
// process attach: an empty MessageBox is shown so that a successful
// injection is visible in the target. Thread attach/detach and process
// detach are ignored. hModule and lpReserved are unused. Always returns TRUE.
// NOTE(review): MessageBox is called while the loader lock is held, which
// the DllMain documentation advises against — presumably acceptable for this
// demonstration only.
BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
{
    if (DLL_PROCESS_ATTACH == ul_reason_for_call) {
        MessageBox(NULL,NULL,NULL,NULL); // visible proof that the DLL was loaded into the target
    }
    // DLL_THREAD_ATTACH, DLL_THREAD_DETACH, DLL_PROCESS_DETACH: nothing to do.
    return TRUE;
}
实验结果:
当dll注入成功,目标进程会弹出提示框