我在天极网看到一篇关于注入的文章：http://dev.yesky.com/55/2165555_1.shtml
有几个问题要问下
1、自己编写（用于注入的）dll 时是否需要注意地址偏移等问题？如果需要，应该怎么编写？能给个例子更好。
2、文章中说到注入"d:\\troydll.dll"，但是没有说明注入之后先运行 dll 中的哪个函数。
有几个问题要问下
1、自己编写（用于注入的）dll 时是否需要注意地址偏移等问题？如果需要，应该怎么编写？能给个例子更好。
2、文章中说到注入"d:\\troydll.dll"，但是没有说明注入之后先运行 dll 中的哪个函数。
2：不需要显式调用什么函数，DLL 被加载时会执行其中的 DllMain 函数。
在 DllMain 中创建线程，然后在线程中创建 socket 给我发送数据，不知道是否可以？
但是我运行调用程序之后，我的 dll 确实被加载运行了（因为 dll 工程已经无法再编译，dll 文件已被占用）。
我的DLL
#include "stdafx.h"
#include "dlltest.h"
#include <stdlib.h>
/// Worker started from DllMain once this DLL has been loaded into the host
/// process. Every second it creates c:\aaa<N>.txt (N = 1, 2, 3, ...), writes
/// a fixed 14-byte string into it and closes the handle; because the file is
/// opened with FILE_FLAG_DELETE_ON_CLOSE, closing the handle deletes it
/// again, so each file exists only for an instant.
///
/// @param lpParam unused (the CreateThread calls below always pass NULL).
/// @return never returns: nothing breaks out of the while(true) loop, so the
///         thread lives until the host process exits.
///
/// NOTE(review): from a monitoring point of view this is a steady stream of
/// file create/write/delete events in the root of C: coming from a process
/// that never loaded this DLL itself -- exactly the kind of activity a file
/// activity monitor or EDR would attribute to the injected module.
DWORD WINAPI ThreadProc( LPVOID lpParam )
{ int num=0;                      // iteration counter; also becomes the file-name suffix
char buffer[20]={0};              // decimal text of num (_itoa output)
char tmp[200]="c:\\aaa";          // path being built: "c:\aaa" + num + ".txt"
char suffix[]=".txt";
char Buffer[]="abcdefghijklm";    // payload written to each file; sizeof(Buffer) == 14, NUL included
unsigned long xx=5;               // receives WriteFile's byte count; the initial 5 is never read
while(true)
{ Sleep(1000);
num++;
_itoa(num, buffer,10);
strcat(tmp,buffer);
strcat(tmp,suffix);
// OPEN_ALWAYS creates the file if it is missing; FILE_FLAG_DELETE_ON_CLOSE removes it at CloseHandle.
HANDLE handle=::CreateFile(tmp,GENERIC_READ|GENERIC_WRITE,0,NULL,OPEN_ALWAYS,FILE_FLAG_DELETE_ON_CLOSE,NULL);
if(INVALID_HANDLE_VALUE!= handle )
{
::WriteFile(handle,Buffer,sizeof(Buffer),&xx,NULL);   // return value ignored: a failed write is silently dropped
::CloseHandle(handle);                                 // this is also the moment the file is deleted
}
// Reset the scratch buffers so the next iteration rebuilds the path from "c:\aaa".
memset(buffer,0,20);
strcpy(tmp,"c:\\aaa");
}
// return x + y;   (leftover from the project wizard's sample code; unreachable)
}

/// DLL entry point, called by the loader on process/thread attach and detach.
/// This is the answer to question 2 above: the injector calls nothing in the
/// DLL explicitly; LoadLibraryW runs DllMain with DLL_PROCESS_ATTACH, and
/// everything the DLL does is started from here.
///
/// @param hModule            this DLL's module handle (unused here).
/// @param ul_reason_for_call DLL_PROCESS_ATTACH / DLL_THREAD_ATTACH /
///                           DLL_THREAD_DETACH / DLL_PROCESS_DETACH.
/// @param lpReserved         unused.
/// @return TRUE in every case, so the load never fails from here.
///
/// NOTE(review): two defects in the switch below.
///  1. DLL_PROCESS_ATTACH has no `break`, so it falls through into the
///     DLL_THREAD_ATTACH case and starts ThreadProc twice at load time.
///  2. Starting a thread on every DLL_THREAD_ATTACH is self-amplifying:
///     every new thread in the process -- including the ones created right
///     here -- re-enters DllMain with DLL_THREAD_ATTACH, which creates yet
///     another thread, so thread creation never stops and will likely make
///     the host process unusable.
/// Also, the HANDLE returned by each CreateThread is discarded and never
/// closed, and Microsoft's DllMain guidance advises against creating threads
/// while the loader lock is held.
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
CreateThread(NULL,0,ThreadProc,NULL,0,NULL);
// no break: falls through into DLL_THREAD_ATTACH (see note above)
case DLL_THREAD_ATTACH:
CreateThread(NULL,0,ThreadProc,NULL,0,NULL);
// no break: falls through to the detach cases, which only break
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
/// Exported data symbol left in by the DLL project template; it only
/// demonstrates the DLLTEST_API export macro. Nothing on this page reads it.
DLLTEST_API int nDlltest = 0;

/// Exported function from the project template.
/// @return the constant 42, unconditionally.
DLLTEST_API int fnDlltest(void)
{
    const int answer = 42;
    return answer;
}

/// Default constructor of the template's exported class. It touches no
/// members; the class itself is declared in the project's header
/// (presumably dlltest.h, included above but not shown here).
CDlltest::CDlltest()
{
}
调用函数
/// Injector: loads C:\dlltest\Debug\dlltest.dll into process 2716 by placing
/// the path string inside the target and starting a remote thread whose entry
/// point is kernel32's LoadLibraryW.
///
/// Sequence: OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
/// CreateRemoteThread -> WaitForSingleObject -> VirtualFreeEx/CloseHandle.
///
/// NOTE(review): dwRemoteProcessId, hRemoteProcess, pszLibFileRemote,
/// hRemoteThread and CheckError are used without being declared here, so they
/// must be globals/helpers defined elsewhere in the article's code. CheckError
/// presumably compares its first two arguments and aborts with the message on
/// mismatch -- not shown, so confirm. Its second argument is written as 0,
/// NULL or false on different lines for the same purpose.
///
/// NOTE(detection): this exact API chain -- a process open with
/// PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, then a
/// remote allocation, a cross-process write and a remote thread starting at
/// LoadLibraryW -- is the textbook remote-thread injection pattern that
/// Sysmon (Event ID 10 ProcessAccess, Event ID 8 CreateRemoteThread) and most
/// EDR products alert on; nothing here attempts to avoid that telemetry.
///
/// @param argc, argv unused; the target PID and DLL path are hard-coded.
/// Also: `void main` is non-standard (should be `int main`), and the `(int)`
/// casts of HANDLE/pointer values passed to CheckError truncate on 64-bit
/// builds.
void main(int argc,char **argv)
{
int iReturnCode;
char lpDllFullPathName[MAX_PATH];
WCHAR pszLibFileName[MAX_PATH]={0};   // zero-filled, so the terminator survives the length-limited conversion below
dwRemoteProcessId = 2716;             // hard-coded target PID
strcpy(lpDllFullPathName, "C:\\dlltest\\Debug\\dlltest.dll");
// Convert the DLL's full path from ANSI to UNICODE (LoadLibraryW takes a wide string).
// strlen() excludes the NUL, so the conversion writes none; the zeroed buffer above supplies it.
iReturnCode = MultiByteToWideChar(CP_ACP, MB_ERR_INVALID_CHARS,
lpDllFullPathName, strlen(lpDllFullPathName),
pszLibFileName, MAX_PATH);
CheckError(iReturnCode, 0, "MultByteToWideChar");
// Open the target (to-be-injected) process with the rights the steps below need.
hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | // allow creating a thread in it
PROCESS_VM_OPERATION | // allow VirtualAllocEx / VirtualFreeEx
PROCESS_VM_WRITE, // allow WriteProcessMemory
FALSE, dwRemoteProcessId );
CheckError( (int) hRemoteProcess, NULL,"Remote Process not Exist or Access Denied!");
// Bytes needed for the DLL path inside the target, terminator included.
int cb = (1 + lstrlenW(pszLibFileName)) * sizeof(WCHAR);
pszLibFileRemote = (PWSTR) VirtualAllocEx( hRemoteProcess, NULL, cb, // commit a buffer inside the target; pszLibFileRemote is its address in that process
MEM_COMMIT, PAGE_READWRITE);
CheckError((int)pszLibFileRemote, NULL, "VirtualAllocEx");
// Copy the DLL path into the buffer just allocated in the target process.
iReturnCode = WriteProcessMemory(hRemoteProcess,
pszLibFileRemote, (PVOID) pszLibFileName, cb, NULL);   // bytes-written out-param ignored
CheckError(iReturnCode, false, "WriteProcessMemory");
// Resolve LoadLibraryW in this process's own kernel32 and reuse that address
// for the target. Answer to question 1 above: no offset is computed; this
// simply assumes the same address is valid in the target process, which
// holds only when both processes map kernel32 at the same base.
PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
CheckError((int)pfnStartAddr, NULL, "GetProcAddress");
// Start a remote thread that runs LoadLibraryW(pszLibFileRemote) inside the target;
// that loads the DLL there and runs its DllMain(DLL_PROCESS_ATTACH).
hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0,
pfnStartAddr, pszLibFileRemote, 0, NULL);
CheckError((int)hRemoteThread, NULL, "Create Remote Thread");
// Block until the remote LoadLibraryW returns, i.e. until the DLL's DllMain has returned.
WaitForSingleObject(hRemoteThread, INFINITE);
// Cleanup: release the path buffer in the target and close both handles.
// The DLL itself stays loaded in the target; nothing here unloads it.
if (pszLibFileRemote != NULL)
{
VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
}
if (hRemoteThread != NULL)
{
CloseHandle(hRemoteThread );
}
if (hRemoteProcess!= NULL)
{
CloseHandle(hRemoteProcess);
}
}