DLL注入(CreateRemoteThread方式)

原创

DT陶喆 2022-12-29 15:35:20 博主文章分类：C++ ©著作权

文章标签 内存空间 github 进程注入 文章分类 OpenStack 云计算

©著作权归作者所有：来自51CTO博客作者DT陶喆的原创作品，请联系作者获取转载授权，否则将追究法律责任

CreateRemoteThread即在当前已有进程中创建新的线程。

从32位进程注入dll到32位进程的步骤如下：

1.OpenProcess 打开已有进程

2.VirtualAllocEx分配空间给它

3.获取LoadLibraryW的地址

4.WriteProcessMemory 写进内存空间

5.CreateRemoteThread实现注入

代码如下：

//32位程序注入到32位程序
//@param:dwPid:需要注入程序的进程pid
//@param:dllpath:注入的dll的路径
//return:True:注入成功,False:注入失败
bool injectDll32To32(DWORD dwPid,LPCTSTR dllpath)
{
  //Step 1: oepn destination process
  HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,false,dwPid);
  
  //get dllpath length
  DWORD dwBufSize = (DWORD)(_tcslen(dllpath)+1)*sizeof(TCHAR);

  //Step2:VirtualAlloc space for the process
  LPVOID targetAddress = VirtualAllocEx(hProcess,0,dwBufSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);

  //Step3:Get LoadLibraryW Address
  LPTHREAD_START_ROUTINE pfnThreadRtn = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("Kernel32")), "LoadLibraryW");

  //Step4:ChangePageProtection
  DWORD oldProtect  = 0;  
  VirtualProtectEx(hProcess,targetAddress,dwBufSize,PAGE_EXECUTE_READWRITE,&oldProtect);

  //Step5:WriteProcessMemory
  DWORD bytesRet= 0;
  if (!WriteProcessMemory(hProcess,targetAddress,(LPVOID)dllpath,dwBufSize,&bytesRet))
  {
    return false;
  }

  //Restore Oral 
  VirtualProtectEx(hProcess,targetAddress,dwBufSize,oldProtect,&oldProtect);

  //Step6:CreateRemoteThread
  HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,pfnThreadRtn,targetAddress,0,NULL );
  if (!hThread)
  {
    return false;
  }

  WaitForSingleObject(hThread,INFINITE);
  return true;
}