大家好,又见面了,我是你们的朋友全栈君。
DLL注入可用于编写外挂和病毒不易发现。
void CInjectDllToolDlg::StartInject(char *path, int pid)
{
int pathLen = strlen(path)+sizeof(char);//获取dll目录大小
HANDLE hPro = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if (!hPro)
{
MessageBox("打开进程失败", "警告", 0);
return;
}
//在该进程申请内存,用来存放path数据
LPVOID dllAddr = VirtualAllocEx(hPro, NULL, pathLen, MEM_COMMIT, PAGE_READWRITE);
if (!dllAddr)
{
MessageBox("获取地址失败", "警告", 0);
CloseHandle(hPro);
return;
}
//在申请的内存中写入path
DWORD wNum = 0;
if (!WriteProcessMemory(hPro, dllAddr, path, pathLen, &wNum))
{
MessageBox("写入失败", "警告", 0);
VirtualFreeEx(hPro, dllAddr, pathLen, MEM_DECOMMIT);
CloseHandle(hPro);
return;
}
//获取loadlibrary函数地址
FARPROC pFun = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
if (!pFun)
{
MessageBox("获取函数失败", "警告", 0);
VirtualFreeEx(hPro, dllAddr, pathLen, MEM_DECOMMIT);
CloseHandle(hPro);
return;
}
DWORD dwPid;
HANDLE hThread = CreateRemoteThread(hPro, NULL, 0, (LPTHREAD_START_ROUTINE)pFun, dllAddr, 0, &dwPid);
if (!hThread)
{
MessageBox("注入失败", "警告", 0);
VirtualFreeEx(hPro, dllAddr, pathLen, MEM_DECOMMIT);
CloseHandle(hPro);
return;
}
DWORD errorNum = GetLastError();
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
CloseHandle(hPro);
}
这个只适用于xp系统,win7系统不可以随便CreateRemoteThread了,返回值一直为NULL
具体方法引用看雪:Vista&Win7下CreateRemoteThread应用的若干问题和解决方案
Dll卸载与注入流程大体相同,先创建 进程快照找到相应的线程模块,获取FreeLibrary地址,再创建远程线程卸载
void UnInjectDll(char *szDllName, DWORD dwPid)
{
if(dwPid==0 || strlen(szDllName)==0)
{
AfxMessageBox("输入信息不全");
return;
}
//创建进程快照
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,dwPid);
MODULEENTRY32 ME32 = {0};
ME32.dwSize = sizeof(MODULEENTRY32);
BOOL isNext = Module32First(hSnap,&ME32);
BOOL flag = FALSE;
while(isNext)
{
if(strcmp(ME32.szModule,szDllName)==0)
{
flag = TRUE;
break;
}
isNext = Module32Next(hSnap,&ME32);
}
if(flag == FALSE)
{
AfxMessageBox("找不到目标模块");
return;
}
CloseHandle(hSnap);
HANDLE hPro = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwPid);
FARPROC pFun = GetProcAddress(GetModuleHandle("kernel32.dll"),"FreeLibrary");
HANDLE hThread = CreateRemoteThread(hPro,NULL,0,(LPTHREAD_START_ROUTINE)pFun,ME32.szModule,0,NULL);
if(!hThread)
{
AfxMessageBox("创建远程线程失败");
return ;
}
AfxMessageBox("卸载成功");
WaitForSingleObject(hThread,INFINITE);
CloseHandle(hThread);
CloseHandle(hPro);
}版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请联系我们举报,一经查实,本站将立刻删除。
发布者:全栈程序员-站长,转载请注明出处:https://javaforall.net/145594.html原文链接:https://javaforall.net
