//-----------------------------------------------
// InjectDll
// Notice: Loads a DLL into the remote process identified by hProcess
// (via CreateRemoteThread & LoadLibrary), pauses on stdin, and then
// unloads it again (via CreateRemoteThread & FreeLibrary). The original
// header named the DLL "LibSpy.dll"; the code below actually derives the
// path from this executable's own full path by replacing the
// "hookexe4.exe" suffix with "hookdll.dll".
//
// Parameters:
//   hProcess - handle to the target process. The access rights it was
//              opened with are not visible here; VirtualAllocEx,
//              WriteProcessMemory and CreateRemoteThread all need to
//              succeed on it.
//
// Return value: the original header said 1 - success / 0 - failure, but
// the code returns `false` (0) on the failure paths and, on the success
// path, the DWORD exit code of the remote FreeLibrary call (nonzero on
// success) - not a fixed 1.
//
// NOTE(review): this routine closes the caller's hProcess on two failure
// paths but not on the others, leaks hThread on two paths, and can call
// the remote FreeLibrary with a NULL module; see the inline notes. The
// VirtualAllocEx + WriteProcessMemory + CreateRemoteThread(LoadLibraryA)
// sequence is the textbook remote-thread injection pattern that endpoint
// monitoring commonly alerts on, so expect it to be flagged in any
// monitored environment.
//
int InjectDll( HANDLE hProcess )
{
    HANDLE hThread;
    char szLibPath [_MAX_PATH];
    void* pLibRemote = 0;   // the address (in the remote process) where
                            // szLibPath will be copied to;
    DWORD hLibModule = 0;   // base address of loaded module (==HMODULE);
                            // NOTE(review): DWORD is 32 bits, so this only
                            // holds a full HMODULE on a 32-bit target.
    HMODULE hKernel32 = ::GetModuleHandle("Kernel32");
    DWORD dwWritten = 0;
    // Get the full path of this executable; it is rewritten into the DLL path below.
    if( !GetModuleFileName(NULL, szLibPath, _MAX_PATH) )
        return false;
    // Full path of the .dll file: overwrite the "hookexe4.exe" suffix in place.
    // NOTE(review): strstr() returns NULL when this executable is not named
    // "hookexe4.exe", and strcpy() would then write through a null pointer;
    // a NULL check (or building the path with the directory part only) is needed.
    strcpy( strstr(szLibPath,"hookexe4.exe"),"hookdll.dll" );
    printf("DLL Library name: %s\n", szLibPath);
    // 1. Allocate memory in the remote process for szLibPath
    // 2. Write szLibPath to the allocated memory
    pLibRemote = ::VirtualAllocEx(hProcess, NULL, sizeof(szLibPath), MEM_COMMIT, PAGE_READWRITE );
    if( pLibRemote == NULL ) {
        MessageBox(NULL,
            "Failed to allocate memory in the remote process !",
            "Notice", MB_ICONINFORMATION | MB_OK);
        return false;
    }
    printf("Success to allocate memory in the remote process !\n");
    printf("remote process address: %p !\n", pLibRemote);
    if (::WriteProcessMemory(hProcess, pLibRemote, (void*)szLibPath, sizeof(szLibPath), &dwWritten)) {
        if ( dwWritten != sizeof(szLibPath) ) {
            // NOTE(review): decommits the remote block (MEM_DECOMMIT keeps the
            // reservation) and then closes the CALLER's process handle, which
            // no other failure path in this function does.
            VirtualFreeEx( hProcess, pLibRemote, sizeof(szLibPath), MEM_DECOMMIT );
            CloseHandle( hProcess );
            MessageBox(NULL, TEXT("写入失败,写入字节大小不符"),TEXT("插入模块"),MB_OK|MB_ICONERROR);
            return false;
        }
    } else {
        // NOTE(review): the order is inverted relative to the branch above -
        // hProcess is closed first, so the VirtualFreeEx that follows runs
        // against an already-closed handle and cannot succeed.
        CloseHandle( hProcess );
        VirtualFreeEx( hProcess, pLibRemote, sizeof(szLibPath), MEM_DECOMMIT );
        MessageBox(NULL, TEXT("写入失败"),TEXT("插入模块"),MB_OK|MB_ICONERROR);
        return false;
    }
    printf("remote process address: %p !\n", pLibRemote);
    // Debug trace. GetLastError() is only meaningful immediately after a
    // failed call, so this and the "errorN" traces below are noise on the
    // success path.
    printf("error: %d !\n", GetLastError());
    // Load the DLL into the remote process
    // (via CreateRemoteThread & LoadLibrary)
    // pLibRemote holds the DLL's full path; it is passed as the thread
    // parameter and so becomes LoadLibraryA's argument.
    // Relies on kernel32 being mapped at the same base in both processes so
    // that the locally resolved LoadLibraryA address is valid remotely - the
    // usual assumption for this pattern, but not checked here.
    hThread = ::CreateRemoteThread( hProcess, NULL, 0,
        (LPTHREAD_START_ROUTINE) ::GetProcAddress(hKernel32,"LoadLibraryA"),
        pLibRemote, 0, NULL );
    if( hThread == NULL ) {
        MessageBox(NULL,
            "Failed to create remote thread !",
            "Notice", MB_ICONINFORMATION | MB_OK);
        // NOTE(review): skips the wait/exit-code section with hLibModule still 0,
        // so the unload section below ends up passing NULL to the remote FreeLibrary.
        goto JUMP;
    }
    printf("error1: %d !\n", GetLastError());
    ::WaitForSingleObject( hThread, INFINITE );
    // Get handle of loaded module (the remote thread's exit code is
    // LoadLibraryA's return value).
    ::GetExitCodeThread( hThread, &hLibModule );
    if( hLibModule == NULL ) {
        MessageBox(NULL,
            "Failed to get handle of loaded module !",
            "Notice", MB_ICONINFORMATION | MB_OK);
        // NOTE(review): returns without CloseHandle(hThread) and without freeing
        // pLibRemote - both leak on this path.
        return false;
    }
    printf("error2: %d !\n", GetLastError());
    ::CloseHandle( hThread );
    printf("error21: %d !\n", GetLastError());
JUMP:
    // Block until the operator types a token on stdin; the value is never used.
    // NOTE(review): "%s" without a width limit can overflow the 128-byte
    // buffer on long input; "%127s" would bound the read.
    char szExeName[128];
    scanf("%s",szExeName);
    printf("remote process address: %p !\n", pLibRemote);
    // NOTE(review): the documented VirtualFreeEx contract for MEM_RELEASE is
    // dwSize == 0; passing sizeof(szLibPath) is rejected, which is presumably
    // what the "flag"/"error3" traces were added to observe. The stray
    // fragment at the end of this page passes 0 instead.
    BOOL flag = ::VirtualFreeEx( hProcess, pLibRemote, sizeof(szLibPath), MEM_RELEASE );
    printf("flag: %d !\n", flag);
    printf("error3: %d !\n", GetLastError());
    printf("remote process address: %p !\n", pLibRemote);
    // Unload the DLL from the remote process
    // (via CreateRemoteThread & FreeLibrary); hLibModule is passed as the
    // thread parameter and becomes FreeLibrary's argument.
    hThread = ::CreateRemoteThread( hProcess,
        NULL, 0,
        (LPTHREAD_START_ROUTINE) ::GetProcAddress(hKernel32,"FreeLibrary"),
        (void*)hLibModule,
        0, NULL );
    if( hThread == NULL ) { // failed to unload
        MessageBox(NULL,
            "Failed to unload !",
            "Notice", MB_ICONINFORMATION | MB_OK);
        return false;
    }
    printf("error4: %d !\n", GetLastError());
    ::WaitForSingleObject( hThread, INFINITE );
    // hLibModule is reused here for FreeLibrary's BOOL result, not a module handle.
    ::GetExitCodeThread( hThread, &hLibModule );
    if( hLibModule == NULL ) {
        // NOTE(review): the message text is copied from the load path; here a
        // zero exit code means the remote FreeLibrary failed. hThread is leaked
        // on this path as well.
        MessageBox(NULL,
            "Failed to get handle of loaded module !",
            "Notice", MB_ICONINFORMATION | MB_OK);
        return false;
    }
    printf("error5: %d !\n", GetLastError());
    ::CloseHandle( hThread );
    // return value of remote FreeLibrary (=nonzero on success)
    return hLibModule;
}
// NOTE(review): stray fragment - this repeats the JUMP: section of InjectDll
// above but sits outside any function, so the file does not compile as
// pasted. Its one difference from the copy inside InjectDll is that
// VirtualFreeEx is called with dwSize 0, which is the documented
// requirement for MEM_RELEASE; it reads like a corrected version that was
// never merged back into the function.
JUMP:
char szExeName[128];
scanf("%s",szExeName);
printf("remote process address: %p !\n", pLibRemote);
BOOL flag = ::VirtualFreeEx( hProcess, pLibRemote, 0, MEM_RELEASE );
printf("flag: %d !\n", flag);
printf("error3: %d !\n", GetLastError());
printf("remote process address: %p !\n", pLibRemote);