[C&C++ 转载] 普通的Dll注入 没啥技术含量 分享给不会注入的初学者 没保护的进程还是没问题的

古月不傲 发表于 2019-11-19 05:25
本帖最后由 古月不傲 于 2019-11-28 03:38 编辑

#include <Windows.h>
#include <stdlib.h>

/* Absolute path of the DLL to load into the target; hard-coded for this demo. */
#define DLL TEXT("C:\\Users\\25335\\Desktop\\11111111111111.dll")
/* Caption of the target's top-level window, used by FindWindow() to locate it. */
#define EXE_TITLE TEXT("TraceMe 动态分析技术")
/* Gates the NULL checks below: with DEBUG 0 a failed FindWindow/OpenProcess/
 * CreateRemoteThread is not caught and the bad handle is used anyway. */
#define DEBUG 1

/* Module handle of the injected DLL, taken from the remote thread's exit code.
 * NOTE(review): the exit code is a DWORD while HMODULE is pointer-sized, so on a
 * 64-bit target the stored value is the truncated low half of the real handle. */
HMODULE g_hModule = NULL;

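/*
 * Locate the target process by its top-level window caption and open it.
 *
 * Returns an open process handle carrying only the rights injection needs
 * (create a thread, allocate/read/write memory, query state), or NULL when
 * no window titled EXE_TITLE exists, no process id can be resolved for it,
 * or OpenProcess() fails. The caller owns the handle and must CloseHandle() it.
 *
 * The failure checks are no longer gated on DEBUG: with DEBUG 0 the original
 * passed a NULL window to GetWindowThreadProcessId() and then opened process
 * id 0, so the checks are part of the logic, not debugging aids.
 */
HANDLE GetProcessHANDLE(void)
{
	HWND hWnd = FindWindow(NULL, EXE_TITLE);
	if (hWnd == NULL)
	{
		return NULL;
	}

	/* GetWindowThreadProcessId returns the owning thread id; zero means failure. */
	DWORD dwProcessId = 0;
	if (GetWindowThreadProcessId(hWnd, &dwProcessId) == 0 || dwProcessId == 0)
	{
		return NULL;
	}

	/* Least privilege: this is the documented right set for CreateRemoteThread
	 * plus VirtualAllocEx/WriteProcessMemory; PROCESS_ALL_ACCESS is not needed. */
	const DWORD dwAccess = PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION
	                     | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;

	/* OpenProcess() already yields NULL on failure, which is our error value. */
	return OpenProcess(dwAccess, FALSE, dwProcessId);
}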

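/*
 * Load DLL into the target process found by GetProcessHANDLE().
 *
 * Allocates a page in the target, copies the DLL path string into it and runs
 * LoadLibrary on that string through CreateRemoteThread. The module handle the
 * remote thread returns is stored in g_hModule for FreeDll(); g_hModule stays
 * NULL if any step fails. The remote page, the thread handle and the process
 * handle are released on every path (the original leaked all three when
 * CreateRemoteThread failed, and left the page reserved on success because it
 * used MEM_DECOMMIT instead of MEM_RELEASE).
 *
 * Defects fixed relative to the original:
 *  - it wrote MAX_PATH bytes taken from the DLL string literal, which reads
 *    past the end of that literal; sizeof(DLL) copies exactly the string and
 *    its terminator;
 *  - the byte count was a ULONG but WriteProcessMemory takes a SIZE_T*, which
 *    overwrites the stack on 64-bit builds;
 *  - the page was PAGE_EXECUTE_READWRITE although it only holds a string.
 *
 * Caveats the demo still carries:
 *  - LoadLibrary's address is resolved in the injector and reused in the
 *    target, which relies on kernel32 sharing a base in both (same bitness);
 *  - GetExitCodeThread yields a DWORD, so on 64-bit targets the HMODULE is
 *    truncated; a robust tool looks the module up by name afterwards instead;
 *  - protected processes reject OpenProcess/CreateRemoteThread, as the post
 *    title says.
 */
VOID InjectDll(void)
{
	HANDLE hProcess = NULL;
	LPVOID lpRemotePath = NULL;
	HANDLE hThread = NULL;
	SIZE_T cbWritten = 0;
	DWORD dwExitCode = 0;

	g_hModule = NULL;

	hProcess = GetProcessHANDLE();
	if (hProcess == NULL)
	{
		return;
	}

	/* The page only ever holds the path string: read/write, no execute. */
	lpRemotePath = VirtualAllocEx(hProcess, NULL, sizeof(DLL), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
	if (lpRemotePath == NULL)
	{
		goto cleanup;
	}

	if (!WriteProcessMemory(hProcess, lpRemotePath, DLL, sizeof(DLL), &cbWritten) || cbWritten != sizeof(DLL))
	{
		goto cleanup;
	}

	hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibrary, lpRemotePath, 0, NULL);
	if (hThread == NULL)
	{
		goto cleanup;
	}

	/* The remote LoadLibrary reads the path from lpRemotePath, so wait for it
	 * to finish before reading its result and before freeing that page. */
	WaitForSingleObject(hThread, INFINITE);
	if (GetExitCodeThread(hThread, &dwExitCode) && dwExitCode != STILL_ACTIVE)
	{
		/* Widen through ULONG_PTR to avoid the int-to-pointer cast warning on x64. */
		g_hModule = (HMODULE)(ULONG_PTR)dwExitCode;
	}

cleanup:
	if (hThread != NULL)
	{
		CloseHandle(hThread);
	}
	if (lpRemotePath != NULL)
	{
		/* MEM_RELEASE with size 0 returns the whole reservation to the target. */
		VirtualFreeEx(hProcess, lpRemotePath, 0, MEM_RELEASE);
	}
	CloseHandle(hProcess);
}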

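/*
 * Unload the DLL that InjectDll() loaded from the target process.
 *
 * Runs FreeLibrary(g_hModule) in the target through CreateRemoteThread and
 * clears g_hModule when the remote call reports success, so a second FreeDll()
 * cannot drop the reference count of a module the target itself uses. Does
 * nothing when g_hModule is NULL (injection failed or never ran).
 *
 * The original also allocated a remote page and wrote the DLL path into it
 * here, but FreeLibrary takes the module handle, not the path, so that page
 * was never read by anything; it is no longer allocated. The thread and
 * process handles are closed on every path.
 *
 * Same caveats as InjectDll(): FreeLibrary's address is taken from the
 * injector, and g_hModule came back through a 32-bit exit code, so on a
 * 64-bit target this may pass a truncated handle.
 */
VOID FreeDll(void)
{
	if (g_hModule == NULL)
	{
		return;
	}

	HANDLE hProcess = GetProcessHANDLE();
	if (hProcess == NULL)
	{
		return;
	}

	HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)FreeLibrary, (LPVOID)g_hModule, 0, NULL);
	if (hThread != NULL)
	{
		DWORD dwExitCode = 0;

		WaitForSingleObject(hThread, INFINITE);
		/* FreeLibrary returns nonzero on success; only then forget the handle. */
		if (GetExitCodeThread(hThread, &dwExitCode) && dwExitCode != 0)
		{
			g_hModule = NULL;
		}
		CloseHandle(hThread);
	}
	CloseHandle(hProcess);
}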

int main(void)
{
	InjectDll();
	FreeDll();

	system("pause");
	return 0;
}


Tonyヾ 发表于 2019-11-20 02:13
意思就是当系统缺少DLL时打开这个会自动检测然后自动下载补齐对吗?
 楼主| 古月不傲 发表于 2019-11-20 07:55
Tonyヾ 发表于 2019-11-20 02:13
意思就是当系统缺少DLL时打开这个会自动检测然后自动下载补齐对吗?

就是被注入的这个进程会直接 LoadLibrary 你写进去的这个 DLL
lpBaseAddress就是你写进去的Dll名字
Tonyヾ 发表于 2019-11-20 20:06
古月不傲 发表于 2019-11-20 07:55
就是被注入的这个进程会直接 LoadLibrary 你写进去的这个 DLL
lpBaseAddress就是你写进去的Dll名字

原来如此,谢谢大神