32位:远程线程注入


远程线程注入是最常用的一种注入技术,该技术利用的核心API是 `CreateRemoteThread()` 这个API可以运行远程线程,其次通过创建的线程调用 `LoadLibraryA()` 这个函数动态载入指定的DLL即可实现运行DLL,

而`LoadLibrary()`函数在任何一个可执行文件中都可以被调用到,这就给我们注入提供了有效的条件.

#include <windows.h>
#include <stdio.h>

void InjectDLL(DWORD PID,char *Path)
{
DWORD dwSize;
HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,false,PID);
dwSize=strlen(Path)+1;

LPVOID lpParamAddress=VirtualAllocEx(hProcess,0,dwSize,PARITY_SPACE,PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess,lpParamAddress,(PVOID)Path,dwSize,NULL);

HMODULE hModule=GetModuleHandleA("kernel32.dll");
LPTHREAD_START_ROUTINE lpStartAddress=(LPTHREAD_START_ROUTINE)GetProcAddress(hModule,"LoadLibraryA");
HANDLE hThread=CreateRemoteThread(hProcess,NULL,0,lpStartAddress,lpParamAddress,0,NULL);
WaitForSingleObject(hThread,1000);
CloseHandle(hThread);
}

int main()
{
InjectDLL(1258,"C:\hook.dll");
return 0;
}


64位:远程线程注入

#include <stdio.h>
#include <windows.h>

BOOL WINAPI InjectProxyW(DWORD dwPID, PCWSTR pwszProxyFile)
{
BOOL ret = FALSE;
HANDLE hToken = NULL;
HANDLE hProcess = NULL;
HANDLE hThread = NULL;
FARPROC pfnThreadRtn = NULL;
PWSTR pwszPara = NULL;
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
pfnThreadRtn = GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
size_t iProxyFileLen = wcslen(pwszProxyFile)*sizeof(WCHAR); //May be in your case iProxyFileLen containes invalid value.
pwszPara = (PWSTR)VirtualAllocEx(hProcess, NULL, iProxyFileLen, MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hProcess, pwszPara, (PVOID)pwszProxyFile, iProxyFileLen, NULL);
hThread = CreateRemoteThread(hProcess, NULL, 1024, (LPTHREAD_START_ROUTINE)pfnThreadRtn, pwszPara, 0, NULL);
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
VirtualFreeEx(hProcess, pwszPara, 0, MEM_RELEASE);
CloseHandle(hProcess);
return(TRUE);
}

int main()
{
WCHAR dllname[MAX_PATH];
DWORD dwPID = 0;
printf("input pid: "); scanf("%ld", &dwPID);
//printf("input dll full path: "); scanf("%ws", dllname);
InjectProxyW(dwPID,L"C:\\hook.dll");
//InjectProxyW(dwPID, dllname);
return 0;
}


### 消息钩子注入(过保护)


消息钩子注入原理是利用Windows系统中`SetWindowsHookEx()`这个API函数,它可以拦截目标进程的消息到指定的DLL中导出的函数,利用这个特性,我们可以将DLL注入到指定进程中,

该函数的注入属于全局注入,部分游戏保护是无法识别这种注入方式的,我们在注入后需要在代码中判断一下进程是不是我们需要注入的,不然会对全局生效。

1.首先我们需要创建一个Dll工程 hook.cpp 然后将SetHook方法导出,在DllMain中进行了判断,如果窗口句柄为valve001则弹出一个消息框,其他进程直接跳过,即可实现指定进程注入。

#include <windows.h>
HHOOK global_hook;

LRESULT CALLBACK MyProc(int nCode, WPARAM wParam, LPARAM lParam)
{
return CallNextHookEx(global_hook, nCode, wParam, lParam);
}
extern "C" __declspec(dllexport) void SetHook()
{
global_hook = SetWindowsHookEx(WH_CBT, MyProc, GetModuleHandle(TEXT("hook.dll")), 0);
}
bool APIENTRY DllMain(HANDLE handle, DWORD dword, LPVOID lpvoid)
{
HWND hwnd = FindWindowW(L"valve001",NULL);
DWORD pid;
GetWindowThreadProcessId(hwnd, &pid);
if (GetCurrentProcessId() == pid)
{
MessageBox(hwnd, TEXT("inject"), 0, 0);
}
return true;
}


2.调用代码如下,注意必须将上方编译好的hook.dll与下方工程放到同一个目录下,通过LoadLibrary函数获取到模块句柄,然后通过GetProcAddress获取到导出函数地址,并通过函数指针调用。


#include <windows.h>
int main()
{
HMODULE hMod = LoadLibrary(TEXT("hook.dll"));
typedef void(*pSetHook)(void);
pSetHook SetHook = (pSetHook)GetProcAddress(hMod, "SetHook");
SetHook();
while (1)
{
Sleep(1000);
}
return 0;
}



版权声明:本博客文章与代码均为学习时整理的笔记,文章 [均为原创] 作品,转载请 [添加出处] ,您添加出处是我创作的动力!