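// Closes a handle that belongs to ANOTHER process by running CloseHandle()
// on a thread created inside that process with CreateRemoteThread().
//
// processID  PID of the target process.
// handle     The handle value as seen from inside the target process. It is
//            passed verbatim as the remote thread's parameter, so it must
//            already be valid in the target; it is NOT a handle of this process.
//
// Returns 0 on success, otherwise a Win32 error code from the failing step
// (WAIT_TIMEOUT if the remote CloseHandle did not finish within 2 s).
//
// Things a caller should know:
// - The remote thread starts at the address of CloseHandle in THIS process's
//   kernel32.dll. That address is only meaningful in the target if kernel32.dll
//   is mapped at the same base there, i.e. the two processes have the same
//   bitness; do not use this across a 32/64-bit boundary.
// - This is the classic CreateRemoteThread injection primitive (a remote thread
//   whose start routine is a kernel32 export). Security products commonly flag
//   it, and it needs PROCESS_CREATE_THREAD/PROCESS_VM_* access on the target,
//   which for processes of other users or integrity levels means SeDebugPrivilege.
// - Closing a handle another thread in the target is still using can crash
//   or corrupt the target; this routine has no way to check for that.
DWORD CloseRemoteHandle( DWORD processID, HANDLE handle )
{
    DWORD rc = 0;

    // Open the target with exactly the rights the remote thread needs.
    HANDLE hProcess = OpenProcess( PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE|PROCESS_VM_READ, FALSE, processID );
    if ( hProcess == NULL )
    {
        rc = GetLastError();
        MessageBox( _T("OpenProcess() failed ") );
        return rc;
    }

    // kernel32.dll is already mapped in every Win32 process; LoadLibrary here only
    // adds a reference so GetProcAddress can resolve CloseHandle in our own image.
    HMODULE hKernel32 = LoadLibrary( _T("kernel32.dll") );
    LPTHREAD_START_ROUTINE pfnCloseHandle = NULL;
    if ( hKernel32 != NULL )
        pfnCloseHandle = (LPTHREAD_START_ROUTINE)GetProcAddress( hKernel32, "CloseHandle" );
    if ( pfnCloseHandle == NULL )
    {
        // The original handed a NULL start address to CreateRemoteThread in this case.
        rc = GetLastError();
        MessageBox( _T("GetProcAddress() failed ") );
        if ( hKernel32 != NULL )
            FreeLibrary( hKernel32 );
        CloseHandle( hProcess );
        return rc;
    }

    // Separate out-param for the thread id: the original reused `rc`, so the
    // thread id overwrote the error-code variable.
    DWORD threadId = 0;
    HANDLE ht = CreateRemoteThread( hProcess, 0, 0, pfnCloseHandle, handle, 0, &threadId );
    if ( ht == NULL )
    {
        // Insufficient privileges, or the target refused the thread.
        rc = GetLastError();
        MessageBox( _T("CreateRemoteThread() failed ") );
        FreeLibrary( hKernel32 );
        CloseHandle( hProcess );
        // The original had no return here: it fell through, waited on and closed a
        // NULL thread handle, then freed kernel32 and closed hProcess a second time.
        return rc;
    }

    switch ( WaitForSingleObject( ht, 2000 ) )
    {
    case WAIT_OBJECT_0:
    {
        // The remote CloseHandle()'s BOOL result comes back as the thread exit
        // code. The original reported "Ok" without looking at it, so a bad
        // handle value silently counted as success. The remote thread's own
        // last-error is not retrievable from here, so the most likely cause
        // (invalid handle) is what gets reported.
        DWORD exitCode = 0;
        if ( !GetExitCodeThread( ht, &exitCode ) )
        {
            rc = GetLastError();
            MessageBox( _T("GetExitCodeThread() failed ") );
        }
        else if ( exitCode == 0 )
        {
            rc = ERROR_INVALID_HANDLE;
            MessageBox( _T("CloseHandle() failed in target ") );
        }
        else
        {
            rc = 0;
            MessageBox( _T("Ok "));
        }
        break;
    }
    case WAIT_TIMEOUT:
        // GetLastError() is not set on a timeout; report the wait status itself.
        rc = WAIT_TIMEOUT;
        MessageBox( _T("WaitForSingleObject() failed ") );
        break;
    default:
        // WAIT_FAILED (or an unexpected status): the last error is meaningful here.
        rc = GetLastError();
        MessageBox( _T("WaitForSingleObject() failed ") );
        break;
    }

    CloseHandle( ht );
    FreeLibrary( hKernel32 );
    CloseHandle( hProcess );
    return rc;
}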
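// Unloads a DLL from ANOTHER process. Two remote threads are created in the
// target via CreateRemoteThread(): the first runs GetModuleHandle() on the
// given module name to find the DLL's base in the target, the second runs
// FreeLibrary() on that base to drop one reference to it.
//
// processID  PID of the process that has the DLL loaded.
// lpDllPath  Module name or path exactly as GetModuleHandle() in the target
//            would accept it. The string is copied into the target verbatim;
//            nothing is loaded into the target by this routine.
//
// Returns 0 on success, otherwise a Win32 error code (ERROR_MOD_NOT_FOUND if
// the target does not have the module loaded; WAIT_TIMEOUT if the remote
// FreeLibrary did not finish within 2 s).
//
// Limitations a caller should know before using this:
// - Both remote threads start at addresses resolved from THIS process's
//   kernel32.dll, so caller and target must have the same bitness (kernel32
//   is mapped at the same base only across same-bitness processes).
// - The module base travels back through the thread exit code, which is a
//   32-bit DWORD; a 64-bit HMODULE would be truncated. Treat this as 32-bit only.
// - FreeLibrary only decrements the load count. A DLL loaded more than once,
//   or referenced by another module's import table, stays mapped.
// - Unloading a DLL while threads in the target are executing its code will
//   crash the target; there is no check for that here.
// - The first wait is INFINITE: if the remote GetModuleHandle thread never
//   finishes (e.g. the target is suspended), this call blocks forever.
// - This is the CreateRemoteThread injection primitive security products
//   detect; expect it to be flagged, and it needs PROCESS_CREATE_THREAD and
//   PROCESS_VM_* access (SeDebugPrivilege for processes you do not own).
DWORD CloseRemoteDll( DWORD processID, LPCTSTR lpDllPath )
{
    DWORD rc = 0;

    HANDLE hProcess = OpenProcess( PROCESS_CREATE_THREAD | // remote CreateRemoteThread
                                   PROCESS_VM_OPERATION | // VirtualAllocEx / VirtualFreeEx
                                   PROCESS_VM_WRITE,      // WriteProcessMemory
                                   FALSE, processID );
    if ( hProcess == NULL )
    {
        rc = GetLastError();
        //MessageBox( _T("OpenProcess() failed ") );
        return rc;
    }

    // _T() so this also compiles in a UNICODE build (the original passed a
    // narrow literal). kernel32 is already mapped; this only adds a reference.
    HMODULE hKernel32 = LoadLibrary( _T("kernel32.dll") );
    LPTHREAD_START_ROUTINE pfnGetModuleHandle = NULL;
    LPTHREAD_START_ROUTINE pfnFreeLibrary = NULL;
    if ( hKernel32 != NULL )
    {
        // Use the GetModuleHandle flavour that matches the character width of
        // the string we copy into the target. The original always resolved the
        // ANSI export, which misreads a wide LPCTSTR in a UNICODE build.
#ifdef UNICODE
        pfnGetModuleHandle = (LPTHREAD_START_ROUTINE)GetProcAddress( hKernel32, "GetModuleHandleW" );
#else
        pfnGetModuleHandle = (LPTHREAD_START_ROUTINE)GetProcAddress( hKernel32, "GetModuleHandleA" );
#endif
        pfnFreeLibrary = (LPTHREAD_START_ROUTINE)GetProcAddress( hKernel32, "FreeLibrary" );
    }
    if ( pfnGetModuleHandle == NULL || pfnFreeLibrary == NULL )
    {
        // The original would have created remote threads with a NULL start address.
        rc = GetLastError();
        if ( hKernel32 != NULL )
            FreeLibrary( hKernel32 );
        CloseHandle( hProcess );
        return rc;
    }

    // Copy the module name into the target's address space. Size is in BYTES,
    // terminator included; the original used the character count, which
    // under-allocates for wide strings.
    SIZE_T cbName = ( (SIZE_T)lstrlen( lpDllPath ) + 1 ) * sizeof(TCHAR);
    LPVOID lpRemoteName = VirtualAllocEx( hProcess, NULL, cbName, MEM_COMMIT, PAGE_READWRITE );
    if ( lpRemoteName == NULL )
    {
        // The original passed an unchecked (possibly NULL) buffer to WriteProcessMemory.
        rc = GetLastError();
        FreeLibrary( hKernel32 );
        CloseHandle( hProcess );
        return rc;
    }
    SIZE_T cbWritten = 0;
    if ( !WriteProcessMemory( hProcess, lpRemoteName, (LPVOID)lpDllPath, cbName, &cbWritten ) )
    {
        rc = GetLastError();
        // MEM_RELEASE with size 0 returns the whole allocation; the original's
        // MEM_DECOMMIT left the address range reserved in the target.
        VirtualFreeEx( hProcess, lpRemoteName, 0, MEM_RELEASE );
        FreeLibrary( hKernel32 );
        CloseHandle( hProcess );
        return rc;
    }

    // Step 1: remote GetModuleHandle(lpRemoteName). Its return value (the
    // module base) is read back as the thread's exit code.
    HANDLE hThread = CreateRemoteThread( hProcess, NULL, 0, pfnGetModuleHandle, lpRemoteName, 0, NULL );
    if ( hThread == NULL )
    {
        rc = GetLastError();
        // The original leaked the remote buffer and the kernel32 reference here.
        VirtualFreeEx( hProcess, lpRemoteName, 0, MEM_RELEASE );
        FreeLibrary( hKernel32 );
        CloseHandle( hProcess );
        return rc;
    }
    WaitForSingleObject( hThread, INFINITE );
    DWORD dwModule = 0;
    BOOL haveExitCode = GetExitCodeThread( hThread, &dwModule );
    DWORD exitCodeError = haveExitCode ? 0 : GetLastError();
    CloseHandle( hThread );
    VirtualFreeEx( hProcess, lpRemoteName, 0, MEM_RELEASE );
    if ( !haveExitCode )
    {
        rc = exitCodeError;
        FreeLibrary( hKernel32 );
        CloseHandle( hProcess );
        return rc;
    }
    if ( dwModule == 0 )
    {
        // Module is not loaded in the target. The original went on to run
        // FreeLibrary(NULL) remotely and still reported "Ok".
        rc = ERROR_MOD_NOT_FOUND;
        MessageBox( _T("GetModuleHandle() failed in target ") );
        FreeLibrary( hKernel32 );
        CloseHandle( hProcess );
        return rc;
    }

    // Step 2: remote FreeLibrary(module base). Separate out-param for the thread
    // id; the original reused `rc`, so the thread id overwrote the error code.
    DWORD threadId = 0;
    HANDLE ht = CreateRemoteThread( hProcess, 0, 0, pfnFreeLibrary, (LPVOID)(ULONG_PTR)dwModule, 0, &threadId );
    if ( ht == NULL )
    {
        rc = GetLastError();
        MessageBox( _T("CreateRemoteThread() failed ") );
        FreeLibrary( hKernel32 );
        CloseHandle( hProcess );
        return rc;
    }

    switch ( WaitForSingleObject( ht, 2000 ) )
    {
    case WAIT_OBJECT_0:
    {
        // The remote FreeLibrary()'s BOOL result is the thread exit code; the
        // original reported "Ok" without checking it. The remote thread's own
        // last-error is not retrievable from here.
        DWORD exitCode = 0;
        if ( !GetExitCodeThread( ht, &exitCode ) )
        {
            rc = GetLastError();
            MessageBox( _T("GetExitCodeThread() failed ") );
        }
        else if ( exitCode == 0 )
        {
            rc = ERROR_MOD_NOT_FOUND;
            MessageBox( _T("FreeLibrary() failed in target ") );
        }
        else
        {
            rc = 0;
            MessageBox( _T("Ok "));
        }
        break;
    }
    case WAIT_TIMEOUT:
        // GetLastError() is not set on a timeout; report the wait status itself.
        rc = WAIT_TIMEOUT;
        MessageBox( _T("WaitForSingleObject() failed ") );
        break;
    default:
        rc = GetLastError();
        MessageBox( _T("WaitForSingleObject() failed ") );
        break;
    }

    CloseHandle( ht );
    FreeLibrary( hKernel32 );
    CloseHandle( hProcess );
    return rc;
}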
CreateRemoteThread远程注入 使用例子