关于用CreateRemoteThread进行Dll注入的问题
刚测试了使用CreateRemoteThread将Dll注入到其他进程中的方法,在测试中发现一个有意思的问题,以我的知识无法回答,请哪位高手解释一下:
注入程序如下
#include "stdafx.h"
// Absolute path of the DLL that the target process is asked to load.
// NOTE(review): points at a string literal, so it should be `const char *`.
// The literal is 15 bytes including the terminating NUL.
char *pstrDll = "G:\\Service.dll";
// Test program: asks a running Notepad process to load pstrDll by starting a
// remote thread whose entry point is LoadLibraryA and whose argument is a
// copy of the path written into Notepad's address space.
//
// Always returns 0; none of the Win32 calls below has its result checked.
//
// Defender's view: OpenProcess with thread-create/VM-write rights, then
// VirtualAllocEx + WriteProcessMemory + CreateRemoteThread on a foreign
// process, is the textbook DLL-injection sequence (MITRE ATT&CK T1055.001).
// Sysmon records it as Event ID 10 (ProcessAccess), Event ID 8
// (CreateRemoteThread) and Event ID 7 (ImageLoad, if enabled) in the target.
int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPSTR lpCmdLine,
int nCmdShow)
{
// TODO: Place code here.
// Left uninitialized; only GetWindowThreadProcessId() below writes to it.
DWORD dwProcessID;
// Loads the DLL into THIS process as well; hDll is never used or freed.
// NOTE(review): this runs DllMain(DLL_PROCESS_ATTACH) here, and
// DLL_PROCESS_DETACH when this program exits. That very likely accounts for
// the "second" attach and the early detach seen during the test: they come
// from the injector process, not from Notepad.
HMODULE hDll= LoadLibrary( pstrDll );
// Address of LoadLibraryA as mapped in this process; it is passed below as
// the start routine of the remote thread.
// NOTE(review): assumes the same address is valid in the target - not checked.
FARPROC fpLoadLibrary = GetProcAddress(GetModuleHandle("Kernel32.dll"), "LoadLibraryA");
// Locate a top-level window of class "Notepad" and take its owning process ID.
// NOTE(review): if no such window exists FindWindow returns NULL, and
// dwProcessID is then used without ever having been set.
HWND hwNotePad = FindWindow("Notepad", NULL);
GetWindowThreadProcessId(hwNotePad, &dwProcessID);
// Request only the rights used below: create a thread, allocate and write
// memory in the target. A NULL result (access denied, bad PID) is not checked.
HANDLE hProcess = OpenProcess(
PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,
FALSE,
dwProcessID);
// Reserve MAX_PATH bytes of read/write memory inside the target for the path.
LPVOID lpDllName = VirtualAllocEx(hProcess, NULL, MAX_PATH, MEM_COMMIT, PAGE_READWRITE);
// NOTE(review): copies MAX_PATH bytes from a 15-byte literal, so this reads
// past the end of pstrDll in the local process; the length should be
// strlen(pstrDll) + 1. The return value is ignored as well.
WriteProcessMemory(hProcess, lpDllName, pstrDll, MAX_PATH,NULL);
// The new thread in the target executes LoadLibraryA(lpDllName).
// In the target, DLL_PROCESS_ATTACH is delivered on this remote thread, and
// DLL_THREAD_DETACH follows when the thread returns from LoadLibraryA.
HANDLE hT = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)fpLoadLibrary, lpDllName, 0, NULL);
// NOTE(review): hT and hProcess may be NULL here if an earlier call failed.
// The buffer at lpDllName is never released (no VirtualFreeEx) and the
// remote thread is not waited for.
CloseHandle(hT);
CloseHandle(hProcess);
// ExitProcess(NULL);
return 0;
}
Dll如下:
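// Build "<reason>: <thread id>" and show it in a modal message box.
//
// pszReason is always one of the short literals passed by DllMain below, so
// the formatted text (at most about 30 characters) fits in strShow.
//
// NOTE(review): this runs inside DllMain, i.e. while the loader lock is held.
// Microsoft's DllMain guidance advises against calling User32 functions such
// as MessageBox there, and a modal box also blocks the notifying thread until
// it is dismissed. Tolerable for a one-off experiment; for anything else use
// OutputDebugString or defer the work until after DllMain has returned.
static void ReportReason(const char *pszReason)
{
    char strShow[128];

    // GetCurrentThreadId() returns a DWORD (unsigned long); the original
    // "%d" did not match the argument type.
    sprintf(strShow, "%s: %lu", pszReason, (unsigned long)GetCurrentThreadId());
    MessageBox(NULL, strShow, "Test", MB_OK);
}

// DLL entry point used to observe loader notifications.
//
// Shows one message box per notification, naming the reason code and the ID
// of the thread that delivered it. Always returns TRUE, so a
// DLL_PROCESS_ATTACH never makes the load fail.
//
// Reading the output: the thread ID alone does not identify the process.
// Every process that loads this DLL, including a test harness that calls
// LoadLibrary on it itself, gets its own DLL_PROCESS_ATTACH and
// DLL_PROCESS_DETACH. Adding GetCurrentProcessId() to the text would make the
// origin of each box unambiguous.
// DLL_THREAD_ATTACH is only sent for threads created after the DLL was
// loaded; threads that already exist at load time produce no attach
// notification but still produce DLL_THREAD_DETACH when they exit.
BOOL APIENTRY DllMain(HANDLE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    // Neither the module handle nor the reserved pointer is needed here.
    (void)hModule;
    (void)lpReserved;

    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        ReportReason("DLL_PROCESS_ATTACH");
        break;
    case DLL_THREAD_ATTACH:
        ReportReason("DLL_THREAD_ATTACH");
        break;
    case DLL_THREAD_DETACH:
        ReportReason("DLL_THREAD_DETACH");
        break;
    case DLL_PROCESS_DETACH:
        ReportReason("DLL_PROCESS_DETACH");
        break;
    default:
        // Unknown reason code: nothing to report.
        break;
    }
    return TRUE;
}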
在注入后,我监测到了两个DLL_PROCESS_ATTACH消息、一个DLL_PROCESS_DETACH消息、
一个DLL_THREAD_DETACH消息和一个DLL_THREAD_ATTACH消息;
在关闭被注入的进程Notepad后,又收到一个DLL_PROCESS_DETACH消息。
哪位能解释一下这个过程?