远程线程挂接DLL的实现模型
#include <windows.h>
#include <Tlhelp32.h>
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void usage(char *);
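/* Return the file-name part of a path: everything after the last '\\' or '/'.
 * Toolhelp reports modules by file name (szModule), not by the path that was
 * passed to LoadLibraryA, so this is what we must compare against. */
static const char *path_basename(const char *path)
{
    const char *base = path;
    for (const char *p = path; *p != '\0'; p++) {
        if (*p == '\\' || *p == '/') {
            base = p + 1;
        }
    }
    return base;
}

/* Case-insensitive equality of two NUL-terminated strings (Windows file
 * names are case-insensitive, and the loader may report a different case). */
static int equals_nocase(const char *a, const char *b)
{
    while (*a != '\0' && *b != '\0') {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) {
            return 0;
        }
        a++;
        b++;
    }
    return *a == *b;
}

/* Walk the module list of `snap` and return the base address of the module
 * whose file name equals `name` (case-insensitive), or NULL if no such module
 * is loaded. The original compared szModule with an undeclared pointer and
 * then used modBaseAddr even when the walk ended without a match. */
static BYTE *find_module_base(HANDLE snap, const char *name)
{
    MODULEENTRY32 me;
    me.dwSize = sizeof me;
    if (!Module32First(snap, &me)) {
        return NULL;
    }
    do {
        if (equals_nocase(me.szModule, name)) {
            return me.modBaseAddr;
        }
    } while (Module32Next(snap, &me));
    return NULL;
}

/*
 * Demo: inject a DLL into a running process with CreateRemoteThread +
 * LoadLibraryA, let it run for a few seconds, then unload it again with a
 * second remote thread calling FreeLibrary.
 *
 * Usage: <tool> PID DLL
 *   PID  decimal process id of the target
 *   DLL  path of the DLL to load. Pass a full path: LoadLibraryA runs inside
 *        the target and resolves relative names against the target's search
 *        order, not ours.
 *
 * Returns 0 when the DLL was loaded and unloaded, 1 on any failure (a message
 * is printed to stdout). The original returned 0 on every path.
 *
 * Security notes for anyone reusing this:
 *   - The injected DLL runs with the target's identity and privileges, and
 *     the tool needs PROCESS_* rights on the target; for another user's
 *     process that means elevation / SeDebugPrivilege.
 *   - The LoadLibraryA/FreeLibrary addresses are resolved in *this* process
 *     and assumed to be identical in the target. That only holds when both
 *     have the same bitness (a 32-bit injector against a 64-bit target, or
 *     the reverse, will crash the target) and share the same kernel32 base.
 *   - FreeLibrary is only issued if the module actually shows up in the
 *     target's module list, so a failed load can no longer turn into a
 *     remote FreeLibrary on a garbage address.
 */
int main(int argc, char* argv[])
{
    enum { UNLOAD_DELAY_MS = 5000 };   /* how long the DLL stays loaded */

    int rc = 1;
    HANDLE hProcess = NULL;
    HANDLE hLoadThread = NULL;
    HANDLE hFreeThread = NULL;
    HANDLE hSnapShot = NULL;
    LPVOID pszRemoteMemory = NULL;

    /* Check argc before reading argv[1]/argv[2]; the original dereferenced
     * them first, which is undefined behaviour when fewer args are given. */
    if (argc != 3) {
        usage(argv[0]);
        return 1;
    }

    /* Strict decimal parse of the PID; atoi() silently turned "abc" into 0. */
    char *end = NULL;
    errno = 0;
    unsigned long pidValue = strtoul(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE) {
        printf("invalid PID: %s\n", argv[1]);
        return 1;
    }
    DWORD pid = (DWORD)pidValue;

    /* Copy exactly the path plus its terminator. The original wrote a fixed
     * 30 bytes: an over-read of argv for short paths, and an unterminated
     * string in the target for paths of 30 characters or more. */
    const char *Dll = argv[2];
    size_t dllPathLen = strlen(Dll) + 1;

    /* CreateRemoteThread is documented to need QUERY_INFORMATION and VM_READ
     * in addition to the three rights the original requested. */
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                           FALSE, pid);
    if (hProcess == NULL) {
        printf("failed to open process (error %lu).\n", GetLastError());
        goto cleanup;
    }

    /* Resolve both entry points before touching the target, so a lookup
     * failure cannot leave the DLL loaded with no way to unload it. */
    HMODULE hKernel32 = GetModuleHandle("Kernel32");
    if (hKernel32 == NULL) {
        printf("failed to get kernel32 module handle.\n");
        goto cleanup;
    }
    PTHREAD_START_ROUTINE pAddrOfLoad =
        (PTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryA");
    if (pAddrOfLoad == NULL) {
        printf("failed to get loadlibrary proc addr.\n");
        goto cleanup;
    }
    PTHREAD_START_ROUTINE pAddrOfFree =
        (PTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "FreeLibrary");
    if (pAddrOfFree == NULL) {
        printf("failed to get freelibrary proc addr.\n");
        goto cleanup;
    }

    pszRemoteMemory = VirtualAllocEx(hProcess, NULL, dllPathLen, MEM_COMMIT, PAGE_READWRITE);
    if (pszRemoteMemory == NULL) {
        printf("failed to malloc memory in the remote process.\n");
        goto cleanup;
    }
    if (!WriteProcessMemory(hProcess, pszRemoteMemory, Dll, dllPathLen, NULL)) {
        printf("failed to write remote memory.\n");
        goto cleanup;
    }

    /* LoadLibraryA(LPCSTR) has the same calling shape as a thread start
     * routine, so the remote path buffer is passed as the thread parameter. */
    hLoadThread = CreateRemoteThread(hProcess, NULL, 0, pAddrOfLoad, pszRemoteMemory, 0, NULL);
    if (hLoadThread == NULL) {
        printf("failed to create remote thread.\n");
        goto cleanup;
    }
    WaitForSingleObject(hLoadThread, INFINITE);

    /* Give the DLL some time to run before unloading it again. */
    Sleep(UNLOAD_DELAY_MS);

    /* CreateToolhelp32Snapshot fails with INVALID_HANDLE_VALUE, not NULL;
     * the original tested for NULL and would have walked a bad handle. */
    hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
    if (hSnapShot == INVALID_HANDLE_VALUE) {
        hSnapShot = NULL;
        printf("failed to get modules.\n");
        goto cleanup;
    }

    BYTE *modBase = find_module_base(hSnapShot, path_basename(Dll));
    if (modBase == NULL) {
        printf("injected module not found in target; not calling FreeLibrary.\n");
        goto cleanup;
    }

    hFreeThread = CreateRemoteThread(hProcess, NULL, 0, pAddrOfFree, modBase, 0, NULL);
    if (hFreeThread == NULL) {
        printf("failed to free dll.\n");
        goto cleanup;
    }
    WaitForSingleObject(hFreeThread, INFINITE);
    rc = 0;

cleanup:
    /* Release the remote buffer while hProcess is still open; the original
     * closed the process handle first and then passed it to VirtualFreeEx. */
    if (pszRemoteMemory != NULL) {
        VirtualFreeEx(hProcess, pszRemoteMemory, 0, MEM_RELEASE);
    }
    if (hFreeThread != NULL) {
        CloseHandle(hFreeThread);
    }
    if (hLoadThread != NULL) {
        CloseHandle(hLoadThread);
    }
    if (hSnapShot != NULL) {
        CloseHandle(hSnapShot);
    }
    if (hProcess != NULL) {
        CloseHandle(hProcess);
    }
    return rc;
}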
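/*
 * Print the command-line synopsis to stdout.
 *
 * tool  argv[0] of the running program, echoed into the usage line.
 *
 * Fix: the original wrote "/n" (forward slash) where a newline was meant, so
 * all three messages ran together on one line; the escapes are now "\n".
 */
void usage(char *tool)
{
    printf("\n using remote thread to inject dlls demoing ");
    printf("\n %s usage:%s PID DLL", tool, tool);
    printf("\n by Rhett 2005.05.13\n");
}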
#include <stdio.h>
#include <Tlhelp32.h>
void usage(char *);
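/* Return the file-name part of a path: everything after the last '\\' or '/'.
 * Toolhelp reports modules by file name (szModule), not by the path that was
 * passed to LoadLibraryA, so this is what we must compare against. */
static const char *path_basename(const char *path)
{
    const char *base = path;
    for (const char *p = path; *p != '\0'; p++) {
        if (*p == '\\' || *p == '/') {
            base = p + 1;
        }
    }
    return base;
}

/* Case-insensitive equality of two NUL-terminated strings (Windows file
 * names are case-insensitive, and the loader may report a different case). */
static int equals_nocase(const char *a, const char *b)
{
    while (*a != '\0' && *b != '\0') {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) {
            return 0;
        }
        a++;
        b++;
    }
    return *a == *b;
}

/* Walk the module list of `snap` and return the base address of the module
 * whose file name equals `name` (case-insensitive), or NULL if no such module
 * is loaded. The original compared szModule with an undeclared pointer and
 * then used modBaseAddr even when the walk ended without a match. */
static BYTE *find_module_base(HANDLE snap, const char *name)
{
    MODULEENTRY32 me;
    me.dwSize = sizeof me;
    if (!Module32First(snap, &me)) {
        return NULL;
    }
    do {
        if (equals_nocase(me.szModule, name)) {
            return me.modBaseAddr;
        }
    } while (Module32Next(snap, &me));
    return NULL;
}

/*
 * Demo: inject a DLL into a running process with CreateRemoteThread +
 * LoadLibraryA, let it run for a few seconds, then unload it again with a
 * second remote thread calling FreeLibrary.
 *
 * Usage: <tool> PID DLL
 *   PID  decimal process id of the target
 *   DLL  path of the DLL to load. Pass a full path: LoadLibraryA runs inside
 *        the target and resolves relative names against the target's search
 *        order, not ours.
 *
 * Returns 0 when the DLL was loaded and unloaded, 1 on any failure (a message
 * is printed to stdout). The original returned 0 on every path.
 *
 * Security notes for anyone reusing this:
 *   - The injected DLL runs with the target's identity and privileges, and
 *     the tool needs PROCESS_* rights on the target; for another user's
 *     process that means elevation / SeDebugPrivilege.
 *   - The LoadLibraryA/FreeLibrary addresses are resolved in *this* process
 *     and assumed to be identical in the target. That only holds when both
 *     have the same bitness (a 32-bit injector against a 64-bit target, or
 *     the reverse, will crash the target) and share the same kernel32 base.
 *   - FreeLibrary is only issued if the module actually shows up in the
 *     target's module list, so a failed load can no longer turn into a
 *     remote FreeLibrary on a garbage address.
 */
int main(int argc, char* argv[])
{
    enum { UNLOAD_DELAY_MS = 5000 };   /* how long the DLL stays loaded */

    int rc = 1;
    HANDLE hProcess = NULL;
    HANDLE hLoadThread = NULL;
    HANDLE hFreeThread = NULL;
    HANDLE hSnapShot = NULL;
    LPVOID pszRemoteMemory = NULL;

    /* Check argc before reading argv[1]/argv[2]; the original dereferenced
     * them first, which is undefined behaviour when fewer args are given. */
    if (argc != 3) {
        usage(argv[0]);
        return 1;
    }

    /* Strict decimal parse of the PID; atoi() silently turned "abc" into 0. */
    char *end = NULL;
    errno = 0;
    unsigned long pidValue = strtoul(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE) {
        printf("invalid PID: %s\n", argv[1]);
        return 1;
    }
    DWORD pid = (DWORD)pidValue;

    /* Copy exactly the path plus its terminator. The original wrote a fixed
     * 30 bytes: an over-read of argv for short paths, and an unterminated
     * string in the target for paths of 30 characters or more. */
    const char *Dll = argv[2];
    size_t dllPathLen = strlen(Dll) + 1;

    /* CreateRemoteThread is documented to need QUERY_INFORMATION and VM_READ
     * in addition to the three rights the original requested. */
    hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                           FALSE, pid);
    if (hProcess == NULL) {
        printf("failed to open process (error %lu).\n", GetLastError());
        goto cleanup;
    }

    /* Resolve both entry points before touching the target, so a lookup
     * failure cannot leave the DLL loaded with no way to unload it. */
    HMODULE hKernel32 = GetModuleHandle("Kernel32");
    if (hKernel32 == NULL) {
        printf("failed to get kernel32 module handle.\n");
        goto cleanup;
    }
    PTHREAD_START_ROUTINE pAddrOfLoad =
        (PTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryA");
    if (pAddrOfLoad == NULL) {
        printf("failed to get loadlibrary proc addr.\n");
        goto cleanup;
    }
    PTHREAD_START_ROUTINE pAddrOfFree =
        (PTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "FreeLibrary");
    if (pAddrOfFree == NULL) {
        printf("failed to get freelibrary proc addr.\n");
        goto cleanup;
    }

    pszRemoteMemory = VirtualAllocEx(hProcess, NULL, dllPathLen, MEM_COMMIT, PAGE_READWRITE);
    if (pszRemoteMemory == NULL) {
        printf("failed to malloc memory in the remote process.\n");
        goto cleanup;
    }
    if (!WriteProcessMemory(hProcess, pszRemoteMemory, Dll, dllPathLen, NULL)) {
        printf("failed to write remote memory.\n");
        goto cleanup;
    }

    /* LoadLibraryA(LPCSTR) has the same calling shape as a thread start
     * routine, so the remote path buffer is passed as the thread parameter. */
    hLoadThread = CreateRemoteThread(hProcess, NULL, 0, pAddrOfLoad, pszRemoteMemory, 0, NULL);
    if (hLoadThread == NULL) {
        printf("failed to create remote thread.\n");
        goto cleanup;
    }
    WaitForSingleObject(hLoadThread, INFINITE);

    /* Give the DLL some time to run before unloading it again. */
    Sleep(UNLOAD_DELAY_MS);

    /* CreateToolhelp32Snapshot fails with INVALID_HANDLE_VALUE, not NULL;
     * the original tested for NULL and would have walked a bad handle. */
    hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
    if (hSnapShot == INVALID_HANDLE_VALUE) {
        hSnapShot = NULL;
        printf("failed to get modules.\n");
        goto cleanup;
    }

    BYTE *modBase = find_module_base(hSnapShot, path_basename(Dll));
    if (modBase == NULL) {
        printf("injected module not found in target; not calling FreeLibrary.\n");
        goto cleanup;
    }

    hFreeThread = CreateRemoteThread(hProcess, NULL, 0, pAddrOfFree, modBase, 0, NULL);
    if (hFreeThread == NULL) {
        printf("failed to free dll.\n");
        goto cleanup;
    }
    WaitForSingleObject(hFreeThread, INFINITE);
    rc = 0;

cleanup:
    /* Release the remote buffer while hProcess is still open; the original
     * closed the process handle first and then passed it to VirtualFreeEx. */
    if (pszRemoteMemory != NULL) {
        VirtualFreeEx(hProcess, pszRemoteMemory, 0, MEM_RELEASE);
    }
    if (hFreeThread != NULL) {
        CloseHandle(hFreeThread);
    }
    if (hLoadThread != NULL) {
        CloseHandle(hLoadThread);
    }
    if (hSnapShot != NULL) {
        CloseHandle(hSnapShot);
    }
    if (hProcess != NULL) {
        CloseHandle(hProcess);
    }
    return rc;
}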
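/*
 * Print the command-line synopsis to stdout.
 *
 * tool  argv[0] of the running program, echoed into the usage line.
 *
 * Fix: the original wrote "/n" (forward slash) where a newline was meant, so
 * all three messages ran together on one line; the escapes are now "\n".
 */
void usage(char *tool)
{
    printf("\n using remote thread to inject dlls demoing ");
    printf("\n %s usage:%s PID DLL", tool, tool);
    printf("\n by Rhett 2005.05.13\n");
}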