在Windows2000XP下向进程插入自己的线程的演示


    在Windows2000/XP下向进程插入自己的线程的演示 

    /*
     * ImageWalk.Dll: when it is loaded, it walks the address space of the
     * loading process with VirtualQuery and collects the DLLs mapped there.
     * Built with VC6 as a "Win32 Dynamic-Link Library" project; DllMain is
     * as follows.
     *
     * NOTE(review): the listing was collapsed by page extraction and has no
     * original line breaks; the layout below is reconstructed, tokens are as
     * on the page. Backslashes in string literals appear to have been turned
     * into forward slashes ("/t", "/r/n", "D:/") by the same extraction —
     * left as-is here, confirm against the original source.
     */
    BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
    {
        switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH:
        {
            MEMORY_BASIC_INFORMATION mbi;
            PBYTE ptr = NULL;                       // walk cursor, starts at address 0
            DWORD dwBytesReturn = sizeof(MEMORY_BASIC_INFORMATION);
            char szBuffer[256*100] = "";            // accumulated module list (never written out in this listing)
            char szModuFile[240] = "";
            char szThis[256] = "";                  // path of this DLL, excluded from the list
            char szProcess[256] = "";               // path of the host exe, excluded from the list
            char szTmpBuffer[256] = "";
            GetModuleFileName((HINSTANCE)hModule, szThis, 256);
            GetModuleFileName(GetModuleHandle(NULL), szProcess,256);
            // Loop ends when VirtualQuery returns fewer bytes than the struct size
            // (i.e. the query fails past the end of the user address space).
            while( dwBytesReturn == sizeof(MEMORY_BASIC_INFORMATION) ) {
                dwBytesReturn = VirtualQuery( ptr,&mbi,sizeof(MEMORY_BASIC_INFORMATION) );
                // AllocationBase is not meaningful for free regions; the code
                // substitutes BaseAddress so the comparison below is well-defined.
                if( mbi.Type == MEM_FREE ) {
                    mbi.AllocationBase = mbi.BaseAddress;
                }
                // Return values of GetModuleFileName are not checked; for a region
                // that is not a module szModuFile keeps its previous contents.
                GetModuleFileName( (HINSTANCE)mbi.AllocationBase, szModuFile,240 );
                sprintf(szTmpBuffer,"/t[ Module: 0x%x - %s ] /r/n",mbi.AllocationBase,szModuFile);
                // Only the first region of each allocation is recorded; this DLL and
                // the host exe are skipped. strcat is unbounded against szBuffer.
                if(mbi.AllocationBase == mbi.BaseAddress && mbi.AllocationBase != NULL && strcmp(szThis,szModuFile) !=0 && strcmp(szProcess,szModuFile) != 0 )strcat(szBuffer , szTmpBuffer);
                ptr += mbi.RegionSize;
            }
            // NOTE(review): szBuffer is built but nothing in this listing writes it
            // anywhere, while InjectDll below polls "d:/image.txt" — the step that
            // writes the file is missing from the page as shown.
        }
        break;
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
        }
        return TRUE;
    }

    /*
     * Compile to produce ImageWalk.dll.
     *
     * EnumProcess: lists the processes on the system via a Toolhelp snapshot
     * (simplified: the result is a single string copied into szBuffer).
     */
    void EnumProcess(char * szBuffer)// caller-supplied string buffer; simplified here by assuming it is large enough
    {
        char szCurrentProcessInfo[512] = "" ;
        char szExeName[256] = "" ;
        char szAllProcessInfo[512*256] = "" ;   // 128 KiB on the stack; presumably fine on the 1 MiB default stack — confirm
        HANDLE hCurrentProcess = NULL ;
        HMODULE hCurrentModule = NULL ;         // stays NULL; see the GetModuleFileName call below
        HANDLE hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPALL , 0 );
        PROCESSENTRY32 ppe;
        ppe.dwSize = sizeof(ppe);
        // Return values of CreateToolhelp32Snapshot / Process32First / OpenProcess
        // are not checked in this listing.
        Process32First(hSnapshot,&ppe);
        hCurrentProcess = OpenProcess( PROCESS_QUERY_INFORMATION|PROCESS_VM_READ|PROCESS_VM_READ|PROCESS_VM_OPERATION , FALSE, ppe.th32ProcessID);
        // hCurrentModule is NULL here, so this returns the calling exe's own path;
        // szExeName is never used in the output line anyway (ppe.szExeFile is).
        GetModuleFileName( hCurrentModule , szExeName , 256 );
        sprintf(szCurrentProcessInfo,"[ExeFileName:%s; Process ID:0x%x(%d); Thread Count:%d; Usage:%d]/r/n",
        ppe.szExeFile, ppe.th32ProcessID ,ppe.th32ProcessID , ppe.cntThreads, ppe.cntUsage);
        strcat(szAllProcessInfo,szCurrentProcessInfo);
        while( Process32Next(hSnapshot , &ppe) ) {
            // Each opened process handle is overwritten on the next iteration and
            // never closed — a handle leak per enumerated process.
            hCurrentProcess = OpenProcess( PROCESS_QUERY_INFORMATION|PROCESS_VM_READ|PROCESS_VM_READ|PROCESS_VM_OPERATION, FALSE, ppe.th32ProcessID);
            // NOTE(review): a process handle is cast to HINSTANCE here; the result
            // is not used, but this is not a module handle.
            GetModuleFileName( (HINSTANCE)hCurrentProcess , szExeName , 256 );
            sprintf(szCurrentProcessInfo,"[ExeFileName:%s; Process ID:0x%x(%d); Thread Count:%d; Usage:%d]/r/n", ppe.szExeFile , ppe.th32ProcessID ,ppe.th32ProcessID, ppe.cntThreads, ppe.cntUsage );
            strcat(szAllProcessInfo,szCurrentProcessInfo);
        }
        CloseHandle(hSnapshot);
        hSnapshot = NULL;
        strcpy(szBuffer,szAllProcessInfo);      // unbounded copy into the caller's buffer
    }

    // InjectDll: loads ImageWalk.dll into the specified process (the original text
    // says "thread"); simplified by assuming ImageWalk.dll lives at d:/.
    //
    // From a defender's view this is the textbook remote-thread DLL-load sequence —
    // OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE),
    // VirtualAllocEx, WriteProcessMemory, CreateRemoteThread with LoadLibraryA as
    // the start routine — which is exactly the API chain that endpoint telemetry
    // (cross-process thread creation, remote writes into another process) keys on.
    void InjectDll(DWORD m_ProcessID, char * szBuffer)// the Process ID can be obtained from EnumProcess above
    {// szBuffer receives the DLL list of the target (ImageWalk.dll itself is excluded); simplified by assuming it is large enough
        char szTmp[256] = "";
        size_t bytesread = 0;
        HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,FALSE,m_ProcessID);// open the process and get its handle
        // The argument for the remote thread must live in the remote address space,
        // so 64 bytes are allocated there with VirtualAllocEx. Neither hProcess nor
        // pszLibName is checked before the write below.
        PSTR pszLibName = (PSTR)VirtualAllocEx(hProcess,NULL,64,MEM_COMMIT,PAGE_READWRITE);
        // Write the argument into the space just allocated (17 bytes = the string plus its NUL).
        WriteProcessMemory(hProcess,pszLibName,(PVOID)"D:/ImageWalk.dll",17,NULL);
        // Address of LoadLibraryA in memory ("内村" in the original is a typo for 内存, memory).
        PTHREAD_START_ROUTINE pfnLoadLib = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
        if(pfnLoadLib && hProcess) {
            // Create a thread so the remote process executes LoadLibraryA("D:/ImageWalk.dll").
            // Note: pfnLoadLib cannot be replaced by LoadLibraryA directly.
            HANDLE hThread = CreateRemoteThread(hProcess,NULL,0,pfnLoadLib,pszLibName,0,NULL);
            WaitForSingleObject(hThread,INFINITE);  // wait for the thread to finish
            HANDLE hDll;
            // The thread exit code is the HMODULE returned by LoadLibraryA. NOTE(review):
            // the exit code is a DWORD; storing it through a HANDLE* only works
            // where HANDLE is 32 bits wide (the Win2000/XP 32-bit target of this article).
            GetExitCodeThread(hThread, (DWORD*)&hDll);
            CloseHandle(hThread);
            pfnLoadLib = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32.dll"),"FreeLibrary");
            FILE * fp;
            // Wait for ImageWalk.dll to write its result into the exchange file.
            // NOTE(review): this loop has no timeout and no exit other than success —
            // if the DLL never writes the file, InjectDll spins forever.
            while( (fp = fopen("d:/image.txt","rt") ) == NULL) {
                Sleep(50);
            }
            while( !feof(fp) ) {
                bytesread=fread(szTmp,1,255,fp);
                // NOTE(review): '' is an empty character constant and does not compile;
                // presumably the original was '\0' and was mangled by the page extraction.
                szTmp[bytesread] = '';
                strcat(szBuffer,szTmp);         // unbounded append into the caller's buffer
            }
            fclose(fp);
            if(pfnLoadLib) {// unload ImageWalk via FreeLibrary in the remote process
                hThread = CreateRemoteThread(hProcess,NULL,0,pfnLoadLib,hDll,0,NULL);
                WaitForSingleObject(hThread,INFINITE);
                CloseHandle(hThread);
            }
        }
        VirtualFreeEx(hProcess,pszLibName,0,MEM_RELEASE);// free the remote memory allocated above
        CloseHandle(hProcess);
    }

