您的位置:首页 > 其它

远程线程嵌入方式 实现DLL的隐藏

2007-08-04 09:09 351 查看
#include "stdafx.h"
#include<windows.h>
#include<stdlib.h>
#include<stdio.h>
#include "psapi.h"
//#include "PSAPI.H"
//#pragma comment( lib, "PSAPI.LIB" )

DWORD ProcessToPID( char *);            //将进程名转换为PID的函数
void  CheckError  ( int, int, char *);        //出错处理函数
void  usage       ( char *);            //使用说明函数

PDWORD pdwThreadId;
HANDLE hRemoteThread, hRemoteProcess;
DWORD  fdwCreate, dwStackSize, dwRemoteProcessId;
PWSTR  pszLibFileRemote=NULL;

void main(int argc,char **argv)
{
    int iReturnCode;
    char lpDllFullPathName[MAX_PATH];
    WCHAR pszLibFileName[MAX_PATH]={0};

    //处理命令行参数
  

 /*
 argv[0]="F://TestTempProgramming//RmtDLL//Debug//RmtDLL.exe";
 argv[1]="explorer.exe";
 argv[2]="F://TestTempProgramming//TestDLL//Debug//TestDLL.dll";
     */

  if (argc!=3) usage("Parametes number incorrect!");
    else{ 
        //如果输入的是进程名,则转化为PID
        if(isdigit(*argv[1])) dwRemoteProcessId = atoi(argv[1]);
        else dwRemoteProcessId = ProcessToPID(argv[1]);
        //判断输入的DLL文件名是否是绝对路径
       if(strstr(argv[2],"://")!=NULL)
         strncpy(lpDllFullPathName,argv[2] , MAX_PATH);
  
        else
        {    //取得当前目录,将相对路径转换成绝对路径
            iReturnCode = GetCurrentDirectory(MAX_PATH, lpDllFullPathName);
            CheckError(iReturnCode, 0, "GetCurrentDirectory");
            strcat(lpDllFullPathName, "//");
            strcat(lpDllFullPathName, argv[2]);
            printf("Convert DLL filename to FullPathName:/n/t%s/n/n",
    lpDllFullPathName);
        }
        //判断DLL文件是否存在
        iReturnCode=(int)_lopen(lpDllFullPathName, OF_READ);
  //iReturnCode =0;
        CheckError(iReturnCode, HFILE_ERROR, "DLL File not Exist");
        //将DLL文件全路径的ANSI码转换成UNICODE码
        iReturnCode = MultiByteToWideChar(CP_ACP, MB_ERR_INVALID_CHARS,
   lpDllFullPathName, strlen(lpDllFullPathName),pszLibFileName, MAX_PATH);
        CheckError(iReturnCode, 0, "MultByteToWideChar");
        //输出最后的操作参数
        wprintf(L"Will inject %s", pszLibFileName);
        printf(" into process:%s PID=%d/n", argv[1], dwRemoteProcessId);  
 
    }

    //打开远程进程
    hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | //允许创建线程
  PROCESS_VM_OPERATION | //允许VM操作
  PROCESS_VM_WRITE,       //允许VM写
  FALSE, dwRemoteProcessId );   
    CheckError( (int) hRemoteProcess, NULL,
  "Remote Process not Exist or Access Denied!");
    //计算DLL路径名需要的内存空间
    int cb = (1 + lstrlenW(pszLibFileName)) * sizeof(WCHAR);
    pszLibFileRemote = (PWSTR) VirtualAllocEx( hRemoteProcess, NULL, cb,
  MEM_COMMIT, PAGE_READWRITE);
    CheckError((int)pszLibFileRemote, NULL, "VirtualAllocEx");
    //将DLL的路径名复制到远程进程的内存空间
    iReturnCode = WriteProcessMemory(hRemoteProcess,
        pszLibFileRemote, (PVOID) pszLibFileName, cb, NULL);
    CheckError(iReturnCode, false, "WriteProcessMemory");
    //计算LoadLibraryW的入口地址
    PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
        GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
    CheckError((int)pfnStartAddr, NULL, "GetProcAddress");
    //启动远程线程,通过远程线程调用用户的DLL文件   
    hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0,  pfnStartAddr, pszLibFileRemote, 0, NULL);
    CheckError((int)hRemoteThread, NULL, "Create Remote Thread");
    //等待远程线程退出
    WaitForSingleObject(hRemoteThread, INFINITE);
    //清场处理
    if (pszLibFileRemote != NULL)
        VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
    if (hRemoteThread != NULL) CloseHandle(hRemoteThread );
    if (hRemoteProcess!= NULL) CloseHandle(hRemoteProcess);

}

//将进程名转换为PID的函数
DWORD ProcessToPID(char *InputProcessName)
{
    DWORD aProcesses[1024], cbNeeded, cProcesses;
    unsigned int i;
    HANDLE hProcess;
    HMODULE hMod;
    char szProcessName[MAX_PATH] = "UnknownProcess";

 

    // 计算目前有多少进程, aProcesses[]用来存放有效的进程PIDs
    if ( !EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) )  return 0;
    cProcesses = cbNeeded / sizeof(DWORD);
    // 按有效的PID遍历所有的进程
    for ( i = 0; i < cProcesses; i++ )
    {
        // 打开特定PID的进程
        hProcess = OpenProcess( PROCESS_QUERY_INFORMATION |
PROCESS_VM_READ,
                 FALSE, aProcesses[i]);
        // 取得特定PID的进程名
        if ( hProcess )
        {
            if ( EnumProcessModules( hProcess, &hMod, sizeof(hMod), &cbNeeded) )
            {
                GetModuleBaseName( hProcess, hMod,
szProcessName, sizeof(szProcessName) );
                //将取得的进程名与输入的进程名比较,如相同则返回进程PID
                if(!_stricmp(szProcessName, InputProcessName)){
                    CloseHandle( hProcess );
                    return aProcesses[i];
                }
            }
        }//end of if ( hProcess )
    }//end of for
    //没有找到相应的进程名,返回0
    CloseHandle( hProcess );
    return 0;
}//end of ProcessToPID

//错误处理函数CheckError()
//如果iReturnCode等于iErrorCode,则输出pErrorMsg并退出
void CheckError(int iReturnCode, int iErrorCode, char *pErrorMsg)
{
    if(iReturnCode==iErrorCode) {
        printf("%s Error:%d/n/n", pErrorMsg, GetLastError());
        //清场处理
        if (pszLibFileRemote != NULL)
            VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
        if (hRemoteThread != NULL) CloseHandle(hRemoteThread );
        if (hRemoteProcess!= NULL) CloseHandle(hRemoteProcess);
        exit(0);
    }
}//end of CheckError()

 

//使用方法说明函数usage()
void usage(char * pErrorMsg)
{
    printf("%s/n/n",pErrorMsg);
    printf("/t/tRemote Process DLL by Shotgun/n");
    printf("/tThis program can inject a DLL into remote process/n");
    printf("Email:/n");
    printf("/tShotgun@Xici.Net/n");
    printf("HomePage:/n");
    printf("/thttp://It.Xici.Net/n");
    printf("/thttp://www.Patching.Net/n");
    printf("USAGE:/n");
    printf("/tRmtDLL.exe PID[|ProcessName] DLLFullPathName/n");
    printf("Example:/n");
    printf("/tRmtDLL.exe 1024 C://WINNT//System32//MyDLL.dll/n");
    printf("/tRmtDLL.exe Explorer.exe C://MyDLL.dll/n");
    exit(0);
}//end of usage()

/////////////附带“获得当前进程ID代码 ------> TestDLL.dll“和“启动进程代码”

// TestDLL.cpp : Defines the entry point for the DLL application.
//

#include "stdafx.h"
#include<windows.h>
#include<stdlib.h>
#include<stdio.h>

BOOL APIENTRY DllMain( HANDLE hModule, DWORD reason, LPVOID lpReserved)
{
 char szProcessId[64];
 switch (reason)
 {
 case (DLL_PROCESS_ATTACH):
  {   
   PROCESS_INFORMATION pi;
   STARTUPINFO si;
   memset(&si,0,sizeof(si));
   si.cb=sizeof(si);
   si.wShowWindow=SW_SHOW;
   si.dwFlags=STARTF_USESHOWWINDOW;
   
   
   bool fRet=CreateProcess("E://downLoad//vcfans//thread//thread//Release//ThreadDemo1.exe",
    NULL,NULL,FALSE,NULL,NULL,NULL,NULL,&si,&pi);

   if(fRet)
   {
    MessageBox(NULL,"启动进程成功!","^_^",MB_OK);
   }
   else
   {
    MessageBox(NULL,"进程启动失败!","T_T",MB_OK);
   }
   //获得当前进程ID
   _itoa(GetCurrentProcessId(),szProcessId,10);
   MessageBox(NULL,szProcessId,"RemoteDLL",MB_OK);
  }
 default:
  return TRUE;
 }
}

 
 
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 点击这里给我发消息
标签:  dll null path thread include access
相关文章推荐
新的分享
章节导航