通过CreateRemoteThread注入DLL
DLL injection via CreateRemoteThread?
让我们假设远程线程过程如下所示:
DWORD __stdcall ThreadProc (void *pData) {
ThreadData *p = (ThreadData*)pData; // Contains function references and strings
p->MessageBoxW(NULL, p->Message, p->Title, MB_OK);
}
然后一切正常,p->MessageBoxW(...)按预期显示一个消息框。但我不想为我在远程线程中使用的每个函数调用GetProcAddress,所以我想我可以在我的模块中创建一个函数导出(EXE文件创建远程线程),这样远程线程只需调用LoadLibraryW将我的EXE文件作为模块加载到目标进程的地址空间,并调用GetProcAddress获取导出函数的地址来调用它。
typedef void (__stdcall *_Test) ();
extern "C" void __stdcall Test () {
return;
}
DWORD __stdcall ThreadProc (void *pData) {
ThreadData *p = (ThreadData*)pData; // Contains function references and strings
HMODULE hLib = p->LoadLibraryW(p->LibPath);
_Test pTest = (_Test)p->GetProcAddress(hLib, p->ProcName);
pTest();
p->FreeLibrary(hLib);
return NULL;
}
这仍然很好用。但一旦我将导出的功能更改为
extern "C" void __stdcall Test () {
MessageBoxW(NULL, L"Message", L"Title", MB_OK);
return;
}
目标进程突然崩溃LoadLibrary不解析联运引用吗?是否可以将我的模块加载到目标进程的地址空间中,以便在不将所有函数地址传递给它的情况下对导出的函数进行编码
附加信息:对于所有复制代码的人,我必须禁用增量链接,构建为版本并添加模块定义文件以确保Test导出为Test而不是_Test@SoMeJuNk。由于某种原因,仅仅准备__declspec(dllexport)是不起作用的。模块定义文件看起来像这个
EXPORTS
Test@0
ThreadData结构看起来像这个
typedef struct tagThreadData {
typedef BOOL (__stdcall *_FreeLibrary) (HMODULE);
typedef FARPROC (__stdcall *_GetProcAddress) (HMODULE, PSTR);
typedef HMODULE (__stdcall *_LoadLibraryW) (LPWSTR);
typedef DWORD (__stdcall *_MessageBoxW) (HWND, LPWSTR, LPWSTR, DWORD);
_FreeLibrary FreeLibrary;
_GetProcAddress GetProcAddress;
_LoadLibraryW LoadLibraryW;
_MessageBoxW MessageBoxW;
WCHAR LibPath[100];
WCHAR Message[30];
CHAR ProcName[10];
WCHAR Title[30];
} ThreadData, *PThreadData;
我想出了一个临时解决方案:将所有远程代码放入一个实际的DLL中。但把代码放入DLL并不是我的目标,所以如果有人想出一个聪明的解决方案,EXE文件是注入程序和被注入的模块,我会把新的答案标记为正确的。
尽管有很多关于如何将实际DLL注入另一个进程的地址空间的教程,但我仍然给出了我的解决方案。我只为UNICODE和64位编写了我的原始解决方案,但我尽了最大努力使其同时适用于ASCII和UNICODE以及32位和64位。但让我们开始吧。。。
首先,解释的基本步骤
-
获得至少具有以下访问权限的目标进程的句柄
PROCESS_CREATE_THREAD PROCESS_QUERY_INFORMATION PROCESS_VM_OPERATION PROCESS_VM_WRITE PROCESS_VM_READ -
为远程线程过程以及加载目标dll及其"入口点"所需的数据和函数指针分配内存(我不是指实际的入口点DllMain,而是一个设计为从远程线程内调用的函数)
PVOID pThread = VirtualAllocEx(hProc, NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); -
将远程线程过程和重要数据复制到目标进程
WriteProcessMemory(hProc, pThread, ThreadProc, ThreadProcLen, NULL); WriteProcessMemory(hProc, pParam, &data, sizeof(ThreadData), NULL); -
创建远程线程。该线程将把目标dll加载到目标进程的地址空间中,并调用其"入口点"
HANDLE hThread = CreateRemoteThread(hProc, NULL, 0, (PTHREAD_START_ROUTINE)pThread, pParam, NULL, NULL); -
可选:等待线程返回
WaitForSingleObject(hThread, INFINITE); DWORD threadExitCode; GetExitCodeThread(hThread, &threadExitCode); -
关闭线程句柄,释放内存,关闭进程句柄
CloseHandle(hThread); VirtualFreeEx(hProc, pThread, 4096, MEM_RELEASE); CloseHandle(hProc);
这是我的ThreadProc和ThreadData结构。ThreadProc是由CreateRemoteThread调用的远程线程过程,LoadLibrary应该是目标dll,因此它可以调用目标dll的"入口点"。ThreadData结构包含LoadLibrary、GetProcAddress和FreeLibrary的地址、目标dll的路径TargetDll和"入口点"DllEntry的名称。
typedef struct {
typedef BOOL (__stdcall *_FreeLibrary) (HMODULE);
typedef FARPROC (__stdcall *_GetProcAddress) (HMODULE, LPCH);
typedef HMODULE (__stdcall *_LoadLibrary) (LPTSTR);
typedef void (__stdcall *_DllEntry) ();
_LoadLibrary LoadLibrary;
TCHAR TargetDll[MAX_PATH];
_GetProcAddress GetProcAddress;
CHAR DllEntry[50]; // Some entrypoint designed to be
// called from the remote thread
_FreeLibrary FreeLibrary;
} ThreadData, *PThreadData;
// ThreadProcLen should be smaller than 3400, because ThreadData can
// take up to 644 bytes unless you change the length of TargetDll or
// DllEntry
#define ThreadProcLen (ULONG_PTR)2048
#define SPY_ERROR_OK (DWORD)0
#define SPY_ERROR_LOAD_LIB (DWORD)1
#define SPY_ERROR_GET_PROC (DWORD)2
DWORD ThreadProc (PVOID pParam) {
DWORD err = SPY_ERROR_OK;
PThreadData p = (PThreadData)pParam;
// Load dll to be injected
HMODULE hLib = p->LoadLibrary(p->TargetDll);
if (hLib == NULL)
return SPY_ERROR_LOAD_LIB;
// Obtain "entrypoint" of dll (not DllMain)
ThreadData::_DllEntry pDllEntry = (ThreadData::_DllEntry)p->GetProcAddress(hLib, p->DllEntry);
if (pDllEntry != NULL)
// Call dll's "entrypoint"
pDllEntry();
else
err = SPY_ERROR_GET_PROC;
// Free dll
p->FreeLibrary(hLib);
return err;
}
然后是将远程线程过程注入目标进程的地址空间的实际代码
int main(int argc, char* argv[]) {
// DWORD pid = atoi(argv[1]);
// Open process
HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if (hProc != NULL) {
// Allocate memory in the target process's address space
PVOID pThread = VirtualAllocEx(hProc, NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (pThread != NULL) {
PVOID pParam = (PVOID)((ULONG_PTR)pThread + ThreadProcLen);
// Initialize data to be passed to the remote thread
ThreadData data;
HMODULE hLib = LoadLibrary(TEXT("KERNEL32.DLL"));
data.LoadLibrary = (ThreadData::_LoadLibrary)GetProcAddress(hLib, "LoadLibrary");
data.GetProcAddress = (ThreadData::_GetProcAddress)GetProcAddress(hLib, "GetProcAddress");
data.FreeLibrary = (ThreadData::_FreeLibrary)GetProcAddress(hLib, "FreeLibrary");
FreeLibrary(hLib);
_tcscpy_s(data.TargetDll, TEXT("...")); // Insert path of target dll
strcpy_s(data.DllEntry, "NameOfTheDllEntry"); // Insert name of dll's "entrypoint"
// Write procedure and data into the target process's address space
WriteProcessMemory(hProc, pThread, ThreadProc, ThreadProcLen, NULL);
WriteProcessMemory(hProc, pParam, &data, sizeof(ThreadData), NULL);
// Create remote thread (ThreadProc)
HANDLE hThread = CreateRemoteThread(hProc, NULL, 0, (PTHREAD_START_ROUTINE)pThread, pParam, NULL, NULL);
if (hThread != NULL) {
// Wait until remote thread has finished
if (WaitForSingleObject(hThread, INFINITE) == WAIT_OBJECT_0) {
DWORD threadExitCode;
// Evaluate exit code
if (GetExitCodeThread(hThread, &threadExitCode) != FALSE) {
// Evaluate exit code
} else {
// The thread's exit code couldn't be obtained
}
} else {
// Thread didn't finish for some unknown reason
}
// Close thread handle
CloseHandle(hThread);
}
// Deallocate memory
VirtualFreeEx(hProc, pThread, 4096, MEM_RELEASE);
} else {
// Couldn't allocate memory in the target process's address space
}
// Close process handle
CloseHandle(hProc);
}
return 0;
}
当LoadLibrary将目标dll加载到目标进程的地址空间时,被注入的dll有一个被调用的实际入口点DllMain,以及由远程线程过程调用的另一个"入口点"NameOfTheDllEntry(如果它可以位于第一位置)
// Module.def:
// LIBRARY NameOfDllWithoutExtension
// EXPORTS
// NameOfTheDllEntry
__declspec(dllexport) void __stdcall NameOfTheDllEntry () {
// Because the library is actually loaded in the target process's address
// space, there's no need for obtaining pointers to every function.
// I didn't try libraries other than kernel32.dll and user32.dll, but they
// should be working as well as long as the dll itself references them
// Do stuff
return;
}
BOOL APIENTRY DllMain (HMODULE hLib, DWORD reason, PVOID) {
if (reason == DLL_PROCESS_ATTACH)
DisableThreadLibraryCalls(hLib); // Optional
return TRUE;
}
相关文章:
- 读取进程内存多级指针(DLL 注入)
- DLL 注入不断失败,出现不一致的错误
- DLL 注入记事本
- 当我将 DLL 注入现有进程时,DLLMain 不执行任何操作
- 如何获取 dll 注入到的进程的名称
- Dll 注入 - LoadLibraryA 失败
- 通过 dll 注入在主线程中执行代码
- 手动 DLL 注入
- DLL注入,C ++,DLL没有SVChost权限的原因
- DLL 注入编译 "unresolved external symbol" Visual Studio C++
- C++ - DLL 注入器中未解析的外部
- C++Dll注入——Hello world Dll只有在注入到注入它的相同.exe中时才能工作
- DLL注入仅在没有从视觉工作室开始时起作用
- C++ - DLL 注入和调用函数
- 如何将DLL注入Delphi程序
- DLL 注入:DrawText 和 TextOut 不会返回所有文本
- Dll 注入 - 在另一个进程中编写本机代码
- GetFullPathNameA的Dll注入不起作用
- 如何使用Blackllist/通过唯一标识dll来阻止dll注入
- 如何将dll注入另一个进程
