Hooking MessageBox in other processes (2): the DLL injection tool

2025-02-24 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--

Remote thread injection

The core API functions the injector uses:

OpenProcess - open the target process and obtain a handle that carries the access rights the other calls need.

VirtualAllocEx / VirtualFreeEx - allocate / free memory inside the target process.

WriteProcessMemory - write the path of the DLL to be loaded into that memory.

CreateRemoteThread - the key function: it starts a thread inside the target process, which is how we make the target call an API function of our choosing.

The thread routine handed to CreateRemoteThread is LoadLibrary itself. Its address does not have to be passed into the target, because kernel32.dll, which exports it, is mapped at the same base address in every process on the same machine (with ASLR the base changes on each boot, but all processes of the same bitness on that boot share it), so the address resolved in the injector is also valid in the target. LoadLibrary also takes exactly one pointer-sized parameter and returns a pointer-sized value, which matches the shape a thread start routine must have, so it can be used as the thread entry point without any stub.

LoadLibrary - the target process loads our DLL by calling this function on the path we wrote.

That is the plan; now the details of the implementation.

void CMyDllInjectDlg::OnInject()   // dialog button: inject a local DLL into the selected process
{
    if (!bMouseDown)   // bMouseDown records whether a process has been selected (described earlier)
    {
        MessageBox("No process is currently selected, nothing to inject!", "Injection tool", MB_OK);
        return;
    }

    EnableDebugPriv();   // enable SeDebugPrivilege (this function is shown later); with it OpenProcess succeeds on any process

    // Pop up an Open dialog with MFC's CFileDialog; the filter shows only .dll files
    CString filter("DLL files (*.dll)|*.dll|All files (*.*)|*.*||");
    CFileDialog FindDll(TRUE, NULL, NULL, OFN_HIDEREADONLY, filter);   // TRUE = Open dialog; hide the read-only check box
    if (FindDll.DoModal() != IDOK)
        return;
    CString PathDll = FindDll.GetPathName();   // full path name of the chosen DLL
    const char* Path = (LPCSTR)PathDll;        // CString -> const char* (ANSI build); the buffer is only read, so no GetBuffer/ReleaseBuffer pair is needed
    DWORD cbPath = (DWORD)strlen(Path) + 1;    // +1 so the terminating NUL is copied too, otherwise LoadLibraryA reads past the string

    // Open the target process with exactly the rights the three cross-process calls below need
    HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, iID);
    if (hProcess == NULL)
    {
        MessageBox("OpenProcess failed", "Injection tool", MB_OK);
        return;
    }

    // Reserve space for the DLL path inside the target. The IAT hook earlier only changed page
    // protection (VirtualQuery / VirtualProtect); here new memory is needed, so VirtualAllocEx.
    LPVOID pDllAddr = VirtualAllocEx(hProcess, NULL, cbPath, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    // Write the DLL path into that buffer
    WriteProcessMemory(hProcess, pDllAddr, Path, cbPath, NULL);

    // Resolve LoadLibraryA in our own process. The address is valid in the target because
    // kernel32.dll is mapped at the same base in every process of the same bitness on this boot.
    FARPROC pLoadAddr = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");

    // Start LoadLibraryA as a thread of the target; its one argument is our path buffer,
    // so the target ends up loading our DLL file.
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pLoadAddr, pDllAddr, 0, NULL);

    // Wait until LoadLibraryA, i.e. the remote thread, has finished
    WaitForSingleObject(hThread, INFINITE);

    // Free the buffer in the target first (the process handle must still be open for that), then close the handles
    VirtualFreeEx(hProcess, pDllAddr, 0, MEM_RELEASE);
    CloseHandle(hThread);
    CloseHandle(hProcess);
}

Notes on the calls above.

OpenProcess has the prototype

HANDLE OpenProcess(
    DWORD dwDesiredAccess,   // access flags
    BOOL  bInheritHandle,    // handle inheritance option
    DWORD dwProcessId        // process identifier
);

The first parameter asks for three rights. On 32-bit Windows every process has its own 4 GB virtual address space and processes are isolated from each other, so a process that wants to do work across that boundary must hold the matching access rights on the target process:

PROCESS_CREATE_THREAD - permission to create a new thread in the process through the returned handle, i.e. to call CreateRemoteThread.

PROCESS_VM_OPERATION - permission to allocate / free memory in the process, i.e. to call VirtualAllocEx / VirtualFreeEx.

PROCESS_VM_WRITE - permission to write into the address space of the process, i.e. to call WriteProcessMemory.

The original listing passed 1 as bInheritHandle; FALSE is what is meant, since nothing here creates child processes that should inherit the handle.

On LoadLibraryA's address: if kernel32.dll were not mapped at the same base in both processes, the function address would have to be located inside the target as well, not just the DLL path. With ASLR the base changes on every boot, but all processes of the same bitness on that boot share it, which is why the local GetProcAddress result can be reused. This only holds when injector and target are both 32-bit or both 64-bit, and on 64-bit the pointer must not be truncated to a DWORD as in the original listing; FARPROC keeps the full value. Because LoadLibraryA takes one pointer-sized argument and returns a pointer-sized value, it fits the shape of a thread start routine, and the remote thread's exit code (readable with GetExitCodeThread) is LoadLibraryA's return value: zero means the DLL did not load.

WaitForSingleObject(hThread, INFINITE) returns WAIT_OBJECT_0 (0) once the thread object is signaled, i.e. when the remote thread has exited. Its second parameter, dwMilliseconds, has two special values: 0 makes the call return immediately, and INFINITE suspends the caller until the object named by hHandle becomes signaled.

Cleanup: the original listing closed the process handle and then called VirtualFreeEx with the thread handle; the buffer must be freed through the process handle, before that handle is closed, with MEM_RELEASE and a size of 0 (a byte count is only given together with MEM_DECOMMIT). CString::GetBuffer, which the original used for the string conversion, returns a writable pointer to the CString's internal character buffer and must be paired with ReleaseBuffer; since the path is only read here, a plain cast is enough.

// At this point a test program can be written casually, as long as it calls MessageBox:

#include <stdio.h>
#include <windows.h>

int main()
{
    printf("Press Enter to call MessageBox for the test\n");
    getchar();   // while this waits, open the injection tool and inject the DLL
    MessageBoxA(NULL, "HOOK failed", "MessageBox of source program", MB_OK);   // if the injected hook works, this text is not what appears
    return 0;
}
