Win7系统下DLL远程注入
我找到了原因,是因为DLL注入的问题,在XP下可以正常注入,但是win7不行,注入的代码是这样的
/*
 * InjectLib — first revision shown in the post.
 *
 * Loads the DLL named by lib_name into the process process_id: the path string
 * is copied into the target's address space and a remote thread is started at
 * kernel32!LoadLibraryA with that string as its argument.
 *
 * Returns 0 on success, -1 on any failure. Failures after OpenProcess close the
 * process handle; failures after VirtualAllocEx also release the remote block.
 *
 * Depends on g_pfnRemote and WriteLog(), which are defined elsewhere in the file.
 *
 * NOTE(review): the sequence OpenProcess(PROCESS_ALL_ACCESS) -> cross-process
 * VirtualAllocEx/WriteProcessMemory -> CreateRemoteThread at LoadLibraryA is a
 * textbook pattern that endpoint monitoring and kernel callbacks key on; expect
 * it to be logged or denied on a hardened host, and treat it as a detection
 * signature when reviewing telemetry.
 */
int WINAPI InjectLib(DWORD process_id, char *lib_name)
{
    // LoadLibraryA is resolved in *this* process and the same address is used
    // as the thread start in the target. Nothing here verifies that kernel32
    // is mapped at the same base in the target (same bitness); the code simply
    // assumes it.
    PTHREAD_START_ROUTINE pfnRemote =(PTHREAD_START_ROUTINE)
    GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA");
    if(pfnRemote ==NULL)
    {
        // Lookup failed: fall back to the address cached by an earlier call,
        // or give up if there is none.
        if(g_pfnRemote==NULL)
            return -1;
        else
            pfnRemote=g_pfnRemote;
    }
    else
    {
        // Cache the resolved address for later calls.
        g_pfnRemote=pfnRemote;
    }
    // NOTE(review): PROCESS_ALL_ACCESS is broader than what this function uses
    // (allocate/write memory, create a thread, wait on it); least privilege
    // would ask only for those rights.
    HANDLE hProcess =OpenProcess(PROCESS_ALL_ACCESS, FALSE, process_id);
    if(hProcess ==NULL)
    {
        // NOTE(review): process_id is a DWORD; "%d" should be "%lu".
        WriteLog("InjectLib:OpenProcess %d failed!", process_id);
        return -1;
    }
    // Bytes needed for the path including its terminator (size_t narrowed to int).
    int mem_size =strlen(lib_name)+1;
    void *premote_mem =VirtualAllocEx(hProcess, NULL, mem_size, MEM_COMMIT, PAGE_READWRITE);
    if(premote_mem ==NULL)
    {
        CloseHandle(hProcess);
        return -1;
    }
    //if(hThread) SuspendThread(hThread);
    // NOTE(review): WriteProcessMemory returns BOOL (zero/non-zero). Comparing it
    // with STATUS_ACCESS_VIOLATION (an NTSTATUS) can never match; only the
    // `ret == false` half of the test does anything. Use GetLastError() if the
    // failure reason matters.
    int ret =WriteProcessMemory(hProcess, premote_mem, lib_name, mem_size,NULL);
    if(ret ==STATUS_ACCESS_VIOLATION || ret ==false)
    {
        //if(hThread) ResumeThread(hThread);
        VirtualFreeEx(hProcess, premote_mem, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return -1;
    }
    //if(hThread) ResumeThread(hThread);
    // Start LoadLibraryA in the target with the remote copy of the path.
    HANDLE hThread =CreateRemoteThread(hProcess, NULL, 0,
    pfnRemote, premote_mem, 0, NULL);
    if(hThread ==NULL)
    {
        VirtualFreeEx(hProcess, premote_mem, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return -1;
    }
    //WriteLog2("c:\\hookapi_debug.log", "CreateRemoteThread ok");
    // Block until the remote thread (i.e. LoadLibraryA) has finished. The wait
    // result is ignored; a WAIT_FAILED here would still fall through to the
    // cleanup below.
    WaitForSingleObject(hThread, INFINITE);
    // Safe to release the remote string only now, after the thread has
    // consumed it.
    VirtualFreeEx(hProcess, premote_mem, 0, MEM_RELEASE);
    CloseHandle(hProcess);
    CloseHandle(hThread);
    return 0;
}
然后就会弹出好多窗口,例如资源管理器已停止操作等。
我又试了如下代码:这样就直接蓝屏啦,
/*
 * Creates a thread in hProcess at pThreadProc with argument pRemoteBuf and
 * waits for it to finish.
 *
 * On Vista and later (IsVistaOrLater(), defined elsewhere) the thread is made
 * through ntdll!NtCreateThreadEx resolved at run time; on older systems through
 * CreateRemoteThread. PFNTCREATETHREADEX is a project typedef not shown here.
 *
 * Returns TRUE when the thread was created and the wait completed, FALSE
 * otherwise. The caller must keep pRemoteBuf valid until this returns.
 *
 * NOTE(review): hThread is never passed to CloseHandle on any path, so every
 * successful call leaks a thread handle.
 * NOTE(review): the format strings below end in "/n" (a literal slash and n,
 * not a newline) and print a DWORD with "%d"; "\n" and "%lu" were intended.
 */
BOOL MyCreateRemoteThread(HANDLE hProcess, LPTHREAD_START_ROUTINE pThreadProc, LPVOID pRemoteBuf)
{
    HANDLE hThread = NULL;
    FARPROC pFunc = NULL;
    if( IsVistaOrLater() ) // Vista, 7, Server2008
    {
        // NtCreateThreadEx is not exported through a public header, hence the
        // dynamic lookup.
        pFunc = GetProcAddress(GetModuleHandle("ntdll.dll"), "NtCreateThreadEx");
        if( pFunc == NULL )
        {
            //printf("MyCreateRemoteThread() : GetProcAddress(/"NtCreateThreadEx/") call failed! error code: [%d]/n",
            //GetLastError());
            return FALSE;
        }
        // NOTE(review): the NTSTATUS returned by NtCreateThreadEx is discarded;
        // only hThread is inspected afterwards, and GetLastError() is not set
        // by a native call, so the error code printed on failure is unreliable.
        // 0x1FFFFF is a raw access-mask literal passed without a named constant.
        ((PFNTCREATETHREADEX)pFunc)(&hThread,
        0x1FFFFF,
        NULL,
        hProcess,
        pThreadProc,
        pRemoteBuf,
        FALSE,
        NULL,
        NULL,
        NULL,
        NULL);
        if( hThread == NULL )
        {
            printf("MyCreateRemoteThread() : NtCreateThreadEx() 调用失败!错误代码: [%d]/n", GetLastError());
            return FALSE;
        }
    }
    else // 2000, XP, Server2003
    {
        hThread = CreateRemoteThread(hProcess,
        NULL,
        0,
        pThreadProc,
        pRemoteBuf,
        0,
        NULL);
        if( hThread == NULL )
        {
            printf("MyCreateRemoteThread() : CreateRemoteThread() 调用失败!错误代码: [%d]/n", GetLastError());
            return FALSE;
        }
    }
    // Wait for the remote thread to run to completion before returning, so the
    // caller may release pRemoteBuf afterwards. hThread leaks on this error
    // path as well.
    if( WAIT_FAILED == WaitForSingleObject(hThread, INFINITE) )
    {
        printf("MyCreateRemoteThread() : WaitForSingleObject() 调用失败!错误代码: [%d]/n", GetLastError());
        return FALSE;
    }
    return TRUE;
}
/*
 * InjectLib — second revision shown in the post; identical to the first except
 * that thread creation is delegated to MyCreateRemoteThread(), which also does
 * the wait. (Two definitions of the same name cannot coexist in one file; the
 * post shows them as alternatives.)
 *
 * Returns 0 on success, -1 on any failure. Failures after OpenProcess close the
 * process handle; failures after VirtualAllocEx also release the remote block.
 *
 * Depends on g_pfnRemote, WriteLog() and MyCreateRemoteThread(), defined
 * elsewhere in the file.
 *
 * NOTE(review): the thread handle created inside MyCreateRemoteThread() is not
 * returned to this function, so the CloseHandle(hThread) of the first revision
 * has no counterpart here and the handle is leaked by the callee.
 * NOTE(review): as with the first revision, this call pattern is a classic
 * remote-thread injection signature for endpoint monitoring.
 */
int WINAPI InjectLib(DWORD process_id, char *lib_name)
{
    // Resolve LoadLibraryA locally and reuse the address in the target; nothing
    // verifies that kernel32 is mapped at the same base there.
    PTHREAD_START_ROUTINE pfnRemote =(PTHREAD_START_ROUTINE)
    GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA");
    if(pfnRemote ==NULL)
    {
        // Fall back to the cached address from an earlier call, if any.
        if(g_pfnRemote==NULL)
            return -1;
        else
            pfnRemote=g_pfnRemote;
    }
    else
    {
        g_pfnRemote=pfnRemote;
    }
    // NOTE(review): PROCESS_ALL_ACCESS exceeds the rights this function uses.
    HANDLE hProcess =OpenProcess(PROCESS_ALL_ACCESS, FALSE, process_id);
    if(hProcess ==NULL)
    {
        // NOTE(review): process_id is a DWORD; "%d" should be "%lu".
        WriteLog("InjectLib:OpenProcess %d failed!", process_id);
        return -1;
    }
    // Path length including terminator (size_t narrowed to int).
    int mem_size =strlen(lib_name)+1;
    void *premote_mem =VirtualAllocEx(hProcess, NULL, mem_size, MEM_COMMIT, PAGE_READWRITE);
    if(premote_mem ==NULL)
    {
        CloseHandle(hProcess);
        return -1;
    }
    //if(hThread) SuspendThread(hThread);
    // NOTE(review): WriteProcessMemory returns BOOL; the comparison against
    // STATUS_ACCESS_VIOLATION (an NTSTATUS) can never be true.
    int ret =WriteProcessMemory(hProcess, premote_mem, lib_name, mem_size,NULL);
    if(ret ==STATUS_ACCESS_VIOLATION || ret ==false)
    {
        //if(hThread) ResumeThread(hThread);
        VirtualFreeEx(hProcess, premote_mem, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return -1;
    }
    //if(hThread) ResumeThread(hThread);
    // MyCreateRemoteThread creates the thread and waits for it, so the remote
    // string may be released as soon as it returns.
    if(!MyCreateRemoteThread(hProcess, (LPTHREAD_START_ROUTINE)pfnRemote, premote_mem))
    {
        VirtualFreeEx(hProcess, premote_mem, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return -1;
    }
    //WriteLog2("c:\\hookapi_debug.log", "CreateRemoteThread ok");
    //WaitForSingleObject(hThread, INFINITE);
    VirtualFreeEx(hProcess, premote_mem, 0, MEM_RELEASE);
    CloseHandle(hProcess);
    //CloseHandle(hThread);
    return 0;
}
这样就直接蓝屏啦,
我都提权啦,提权代码如下:
/*
 * Enables SeDebugPrivilege on the current process token.
 *
 * Two AdjustTokenPrivileges calls are made: the first (Attributes = 0) is used
 * mainly to fetch the privilege's previous state into PreviousTokenPrivileges;
 * the second re-submits that state with SE_PRIVILEGE_ENABLED or'ed in.
 *
 * Returns true when both adjustments were accepted, false otherwise; each
 * failure point writes a distinct "debug 00N" marker through WriteLog()
 * (defined elsewhere).
 *
 * NOTE(review): hToken is opened but never passed to CloseHandle on any path
 * (handle leak).
 * NOTE(review): AdjustTokenPrivileges returning non-zero does not mean the
 * privilege was granted — when the token lacks it the call still succeeds and
 * GetLastError() reports ERROR_NOT_ALL_ASSIGNED. This function never checks
 * that, so it can report true on a token that has no SeDebugPrivilege at all
 * (e.g. a non-elevated account).
 */
BOOL ObtainSeDebugPrivilege()
{
    TOKEN_PRIVILEGES TokenPrivileges;
    TOKEN_PRIVILEGES PreviousTokenPrivileges;
    LUID luid;
    HANDLE hToken;
    // In/out size for the previous-state buffer; overwritten by the first call.
    DWORD dwPreviousTokenPrivilegesSize = sizeof(TOKEN_PRIVILEGES);
    if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        WriteLog("debug 001");
        return false;
    }
    if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
    {
        WriteLog("debug 002");
        return false;
    }
    // Single privilege, attributes cleared: this request captures the previous
    // state rather than enabling anything.
    TokenPrivileges.PrivilegeCount = 1;
    TokenPrivileges.Privileges[0].Luid = luid;
    TokenPrivileges.Privileges[0].Attributes = 0;
    if(!AdjustTokenPrivileges(hToken, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES),
    &PreviousTokenPrivileges, &dwPreviousTokenPrivilegesSize))
    {
        WriteLog("debug 003");
        return false;
    }
    // Re-apply the previous state with the privilege enabled. PrivilegeCount and
    // Luid are reset explicitly in case the first call left them different;
    // only Attributes is taken from the returned state.
    PreviousTokenPrivileges.PrivilegeCount = 1;
    PreviousTokenPrivileges.Privileges[0].Luid = luid;
    PreviousTokenPrivileges.Privileges[0].Attributes |= SE_PRIVILEGE_ENABLED;
    if(!AdjustTokenPrivileges(hToken, FALSE, &PreviousTokenPrivileges,
    dwPreviousTokenPrivilegesSize, NULL, NULL))
    {
        WriteLog("debug 004");
        return false;
    }
    //WriteLog("debug ok");
    return true;
}
也对进程进行了遍历代码:
/*
 * Fills m_dwProcessIDs with the IDs of all running processes, using a Toolhelp
 * process snapshot, and records how many were stored in m_dwProcessCount.
 *
 * pCreateToolhelp32Snapshot / pProcess32First / pProcess32Next look like
 * run-time resolved function pointers held by the class (not shown here).
 * MAX_PROCESS_COUNT bounds the array and is defined elsewhere.
 *
 * Returns the number of IDs stored on success, or 0 (`false`) when the snapshot
 * cannot be created or yields no first entry. Because the success path always
 * stores at least one entry, 0 is unambiguous, but mixing `false` with an int
 * count is worth tidying.
 *
 * The commented-out #ifdef WINNT block below is a retired EnumProcesses-based
 * variant; it is kept as-is.
 */
int CProcessModule::EnumProcess()
{
    m_dwProcessCount =0;
    /*#ifdef WINNT
    DWORD dwBytesNeeded;
    if(!m_pEnumProcesses(&m_dwProcessIDs[0], sizeof(m_dwProcessIDs), &dwBytesNeeded))
    return -1;
    m_dwProcessCount = dwBytesNeeded / sizeof(DWORD);
    #else*/
    HANDLE hSnapShot;
    PROCESSENTRY32 ProcessEntry32;
    //MODULEENTRY32 ModuleEntry32;
    BOOL Result;
    //char *pszExtension;
    hSnapShot = pCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    // (HANDLE)-1 is the snapshot API's failure value (INVALID_HANDLE_VALUE).
    if (hSnapShot == (HANDLE)-1)
        return false;
    // dwSize must be set before Process32First or the call fails.
    ProcessEntry32.dwSize = sizeof(PROCESSENTRY32);
    Result = pProcess32First(hSnapShot, &ProcessEntry32);
    if (Result != TRUE)
    {
        CloseHandle(hSnapShot);
        return false;
    }
    // Store the first entry unconditionally, then keep pulling entries while
    // there are more and the array still has room; the bound is checked before
    // each subsequent write, so the array is never overrun (given
    // MAX_PROCESS_COUNT >= 1).
    do
    {
        //HMODULE hMod =GetModuleHandle(ProcessEntry32.szExeFile);
        //WriteLog("process:%s, id:%x, module id:%x",
        // ProcessEntry32.szExeFile, ProcessEntry32.th32ProcessID,
        // ProcessEntry32.th32ModuleID);
        m_dwProcessIDs[m_dwProcessCount] = ProcessEntry32.th32ProcessID;
        m_dwProcessCount ++;
    } while (pProcess32Next(hSnapShot, &ProcessEntry32) && m_dwProcessCount < MAX_PROCESS_COUNT);
    CloseHandle(hSnapShot);
    //#endif
    return m_dwProcessCount;
}
还有什么办法能在win7下注入DLL,请各位大神帮帮忙,十一能不能放假就指它啦!