WIN32 远程注入 CreateRemoteThread
Posted ganxiang
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了WIN32 远程注入 CreateRemoteThread相关的知识,希望对你有一定的参考价值。
// remote06.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include "windows.h"
BOOL func(DWORD ProcessID,char* DllPathName)
{
DWORD ThreadID = NULL;
//1.获取进程句柄
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,ProcessID);
if (hProcess == NULL)
{
OutputDebugString("OpenProcess失败!");
CloseHandle(hProcess);
return FALSE;
}
//2.计算DLL路径长度,并且加上0结尾长度strlen
DWORD LenOfDllPathName = strlen(DllPathName)+1;
//3.在目标进程分配内存VirtualAllocEx
LPVOID lpAllocAddr = VirtualAllocEx(hProcess,NULL,LenOfDllPathName,MEM_COMMIT,PAGE_READWRITE);
if (lpAllocAddr == NULL)
{
OutputDebugString("VirtualAllocEx失败!");
CloseHandle(hProcess);
return FALSE;
}
//4.拷贝DLL路径到目标进程新分配的内存WriteProcessMemory
DWORD bRet = WriteProcessMemory(hProcess,lpAllocAddr,DllPathName,LenOfDllPathName,NULL);
if (!bRet)
{
OutputDebugString("WriteProcessMemory失败!");
CloseHandle(hProcess);
return FALSE;
}
//5.获得模块地址GetModuleHandle
HMODULE hml = GetModuleHandle("Kernel32.dll");
if (hml == NULL)
{
OutputDebugString("GetModuleHandle失败!");
CloseHandle(hProcess);
return FALSE;
}
//6.获得LoadLibraryA函数地址GetProcAddress
DWORD lpLoadAddr = (DWORD)GetProcAddress(hml,"LoadLibraryA");
if (!lpLoadAddr)
{
OutputDebugString("GetProcAddress失败!");
CloseHandle(hProcess);
CloseHandle(hml);
return FALSE;
}
//7.创建远程线程,加载DLL
HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)lpLoadAddr,lpAllocAddr,0,NULL);
if (hThread == NULL)
{
OutputDebugString("CreateRemoteThread失败!");
CloseHandle(hThread);
CloseHandle(hml);
CloseHandle(hProcess);
return FALSE;
}
//关闭资源
CloseHandle(hThread);
CloseHandle(hml);
CloseHandle(hProcess);
return TRUE;
}
int main(int argc, char* argv[])
{
func(进程ID,DLL路径);
return 0;
}
以上是关于WIN32 远程注入 CreateRemoteThread的主要内容,如果未能解决你的问题,请参考以下文章
远程线程注入 CreateRemoteThread 返回NULL