远程进程的Dll注入[黑防]

转载

ali莫川 2022-10-20 10:32:40 博主文章分类：C++

文章标签 dll null token include thread 文章分类 后端开发

#include "stdafx.h"
 #include <stdio.h>
 #include <windows.h>
 #include <tlhelp32.h>
 /*
 一、OpenProcessToken函数
 打开进程令牌环
 二、LookupPrivilegeValue函数
 获得进程本地唯一ID
 三、AdjustTokenPrivileges函数
 提升进程的权限
 */
 int EnableDebugPriv(const char* name)
 {
  HANDLE hToken;
  if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken))
  {
   printf("打开指定令牌环失败!\n");
   return -1;
  } LUID luid;
 if( !LookupPrivilegeValue(NULL, name, &luid) )
  {
   printf("查询LUID失败!\n");
   return -1;
  } TOKEN_PRIVILEGES tp;
  tp.PrivilegeCount = 1;
  tp.Privileges[0].Luid = luid;
  tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
  if( !AdjustTokenPrivileges(hToken, FALSE, &tp, NULL, NULL, NULL) )
  {
   printf("提升进程权限失败!\n");
   return -1;
  } printf("提升权限成功!\n");
  return 0;
 }
 /*
 一、打开远程进程
 OpenProcess函数
 二、在远程进程的内存中分配空间
 VirtualAllocEx函数
 三、远程进程的内存的写入
 WriteProcessMemory函数
 四、找到LoadLibrary函数在Kernel32中的地址
 GetProcAddress函数
 五、在远程进程中线程（远程线程）
 CreateRemoteThread函数
 */
 BOOL InjectDll(const char* DllFullPath, const DWORD dwRemoteProcessId)
 {
  HANDLE hRemoteProcess;
  hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,
   FALSE, dwRemoteProcessId);
  if( hRemoteProcess == NULL )
  {
   printf("打开远程进程失败!\n");
   return FALSE;
  } char *pszLibFileRemote ;
 pszLibFileRemote = (char*)VirtualAllocEx(hRemoteProcess, NULL, lstrlen(DllFullPath)+1, MEM_COMMIT, PAGE_READWRITE);
  if( pszLibFileRemote == NULL )
  {
   printf("分配内存失败!\n");
   return FALSE;
  } if( !WriteProcessMemory(hRemoteProcess, pszLibFileRemote, (LPVOID)DllFullPath, lstrlen(DllFullPath)+1, NULL) )
  {
   printf("写入内存失败!\n");
   return FALSE;
  } PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
  if( pfnStartAddr == NULL )
  {
   printf("获取LoadLibrary函数地址失败!\n");
   return FALSE;
  } if( CreateRemoteThread(hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote, 0, NULL) == NULL)
  {
   printf("创建远程线程失败!\n");
   return FALSE;
  } return TRUE;
 }
 /*
 一、系统进程快照
 CreateToolhelp32Snapshot函数
 二、在快照中搜索指定进程
 Process32First函数
 Processe32Next函数
 */
 unsigned long getprocid(char *pn)
 {
  HANDLE hnd;
  hnd = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if( hnd == NULL )
  {
   printf("获取系统快照失败!");
   return 0;
  } PROCESSENTRY32 pe;
  pe.dwSize = sizeof(PROCESSENTRY32);
  BOOL b;
  b = Process32First(hnd, &pe);
  while(b)
  {
   if( strcmp(pe.szExeFile, pn) == 0 )
    return pe.th32ProcessID;
   b = Process32Next(hnd, &pe);
  }
  return 0;
 }int main(int argc, char* argv[])
 { EnableDebugPriv(SE_DEBUG_NAME);//提升本进程的权限至DEBUG模式
  InjectDll("My.dll", getprocid("NOTEPAD.EXE"));//注入My.dll到NOTEPAD.EXE程序
  return 0;
 }