前段时间在网上下了个C#调用API实现进程注入的代码,但运行后却很奇怪
程序里调用的进程插入功能的API,如CreateRemoteThread和WriteProcessMemory执行后结果都不为0,即成功执行.而且安全工具也提示该程序试图插入目标进程,但查看目标进程的模块时却没有发现要插入的DLL或EXE文件,请问哪位有过C#进程插入方面经验的帮忙解答一下或给个代码教程之类!
程序里调用的进程插入功能的API,如CreateRemoteThread和WriteProcessMemory执行后结果都不为0,即成功执行.而且安全工具也提示该程序试图插入目标进程,但查看目标进程的模块时却没有发现要插入的DLL或EXE文件,请问哪位有过C#进程插入方面经验的帮忙解答一下或给个代码教程之类!
{
/// <summary>
/// Summary description for Class1.
/// </summary>
// NOTE(review): this listing was pasted with many line breaks collapsed. Line breaks are restored
// below only where a line comment or a #region name had swallowed the code that followed it; no
// token has been changed. The signature of the injection method after #endregion is missing from
// the paste altogether and could not be recovered.
//
// What the class does, as written: getHandle locates a running Notepad window and its process id;
// the unnamed method then opens that process, allocates a buffer in it, copies a DLL path into the
// buffer and starts a remote thread at kernel32!LoadLibraryW with that buffer as its argument.
// The OpenProcess(VM_OPERATION|VM_WRITE|CREATE_THREAD) -> VirtualAllocEx -> WriteProcessMemory ->
// CreateRemoteThread sequence is exactly what endpoint security products watch for, which matches
// the alert the original poster reports from their security tool.
public class DllInsert
{
    // Not referenced anywhere in the live code of this listing.
    const int PROCESS_HEAP_ENTRY_BUSY = 0x4;
    // Access rights OR-ed together for the OpenProcess call in the injection method.
    private const int PROCESS_CREATE_THREAD = 0x2;
    private const int PROCESS_VM_OPERATION = 0x8;
    private const int PROCESS_VM_WRITE = 0x20;
    // Page protection and allocation type passed to VirtualAllocEx.
    private const int PAGE_READWRITE = 0x4;
    private const int MEM_COMMIT = 4096;
    // Snapshot flag for the Toolhelp32 enumeration in getHandle (that code is unreachable, see below).
    private const int TH32CS_SNAPPROCESS = 0x2;
    private const int PROCESS_QUERY_INFORMATION = (0x400);

    // Declared but never used by any call in this listing.
    [StructLayout(LayoutKind.Sequential)]
    public struct SECURITY_ATTRIBUTES
    {
        public int nLength;
        public int lpSecurityDescriptor;
        public int bInheritHandle;
    }

    // Toolhelp32 process entry filled by Process32First / Process32Next in getHandle.
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESSENTRY32
    {
        public int dwSize;
        public int cntUseage;
        public int th32ProcessID;
        public int th32DefaultHeapID;
        public int th32ModuleID;
        public int cntThreads;
        public int th32ParentProcessID;
        public int pcPriClassBase;
        public int swFlags;
        public string szExeFile;
    }

    // Only referenced from the commented-out block inside getHandle; the injection method declares
    // a local `int pszLibFileRemote` that shadows this field.
    string pszLibFileRemote;
    private int TargetProcessHandle;  // only referenced from the commented-out block in getHandle
    private int TargetWindowHandle;   // window handle found by FindWindow in getHandle
    private int TargetProcessID;      // process id filled in by GetWindowThreadProcessId in getHandle
    private int pfnStartAddr;         // only referenced from the commented-out block in getHandle
    private int TargetBufferSize;     // only referenced from the commented-out block in getHandle
    private int TargetBuffer;         // only referenced from the commented-out block in getHandle

    #region 导入API
    [DllImport("kernel32", EntryPoint = "GetProcAddress")]
    private static extern int GetProcAddress(
        int hModule,
        string lpProcName
    );
    [DllImport("kernel32", EntryPoint = "WriteProcessMemory")]
    private static extern int WriteProcessMemory(
        int hProcess,
        int lpBaseAddress,
        ref string lpBuffer,
        int nSize,
        ref int lpNumberOfBytesWritten
    );
    [DllImport("kernel32", EntryPoint = "GetModuleHandle")]
    private static extern int GetModuleHandle(
        string lpModuleName
    );
    [DllImport("kernel32", EntryPoint = "VirtualAllocEx")]
    private static extern int VirtualAllocEx(
        int hProcess,
        int lpAddress,
        int dwSize,
        int flAllocationType,
        int flProtect
    );
    [DllImport("user32", EntryPoint = "FindWindow")]
    private static extern int FindWindow(
        string lpClassName,
        string lpWindowName
    );
    [DllImport("user32", EntryPoint = "GetWindowThreadProcessId")]
    private static extern int GetWindowThreadProcessId(
        int hwnd,
        ref int lpdwProcessId
    );
    [DllImport("kernel32", EntryPoint = "OpenProcess")]
    private static extern int OpenProcess(
        int dwDesiredAccess,
        bool bInheritHandle,
        int dwProcessId
    );
    [DllImport("kernel32", EntryPoint = "CreateRemoteThread")]
    private static extern int CreateRemoteThread(
        int hProcess,
        int lpThreadAttributes,
        int dwStackSize,
        int lpStartAddress,
        int lpParameter,
        int dwCreationFlags,
        ref int lpThreadId
    );
    [DllImport("kernel32", EntryPoint = "CreateToolhelp32Snapshot")]
    private static extern int CreateToolhelp32Snapshot(
        int dwFlags,
        int th32ProcessID
    );
    [DllImport("kernel32", EntryPoint = "Process32First")]
    private static extern int Process32First(
        int hSnapshot,
        ref PROCESSENTRY32 lppe
    );
    [DllImport("kernel32", EntryPoint = "Process32Next")]
    private static extern int Process32Next(
        int hSapshot,
        ref PROCESSENTRY32 lppe
    );
    [DllImport("kernel32", EntryPoint = "CloseHandle")]
    private static extern int CloseHandle(
        int hObject
    );
    [DllImport("kernel32", EntryPoint="GetLastError")]
    private static extern int GetLastError ();
    #endregion

    // NOTE(review): the signature of this method is missing from the paste. From the body it
    // returns void (bare `return;`) and takes a Form1 `owner`, which it hands to getHandle and
    // whose label1 it writes to.
    // Loads NoProcessDll.dll (from the directory of the running executable) into the Notepad
    // process found by getHandle. Each failed Win32 call is reported through a MessageBox with
    // GetLastError() and aborts the method.
    {
        int pid;
        getHandle(owner, out pid);
        // NOTE(review): getHandle does not report failure to its caller; if the window was not
        // found pid is 0 here and OpenProcess is still attempted with it.
        ////////////////////////////////////////////////////////////
        // Inject the dll into the notepad.exe process //
        ////////////////////////////////////////////////////////////
        int pszLibFileRemote; // address of the buffer allocated in the target; shadows the string field
        int hRemoteProcess, hRemoteThread;
        int tmp = 0; // receives the bytes-written count, then the remote thread id
        //pid = TargetProcessID;
        hRemoteProcess = OpenProcess(
            PROCESS_QUERY_INFORMATION | // Required by Alpha
            PROCESS_CREATE_THREAD | // For CreateRemoteThread
            PROCESS_VM_OPERATION | // For VirtualAllocEx/VirtualFreeEx
            PROCESS_VM_WRITE, // For WriteProcessMemory
            false, pid);
        if (hRemoteProcess == 0)
        {
            System.Windows.Forms.MessageBox.Show("hRemoteProcess null" + GetLastError());
            return;
        }
        // DLL path to hand to LoadLibraryW; len includes one extra element for a terminator.
        string CurPath = Application.StartupPath + @"\NoProcessDll.dll";
        int len = CurPath.Length + 1;
        //MessageBox.Show(len.ToString());
        pszLibFileRemote = VirtualAllocEx(hRemoteProcess,0, len, MEM_COMMIT, PAGE_READWRITE);
        owner.label1.Text += pszLibFileRemote.ToString();
        if (pszLibFileRemote == 0)
        {
            System.Windows.Forms.MessageBox.Show("VirtualAllocEx null" + GetLastError());
            return;
        }
        if(
            WriteProcessMemory(hRemoteProcess, pszLibFileRemote,ref CurPath, len, ref tmp)==0
        )
        {
            System.Windows.Forms.MessageBox.Show("WriteProcessMemory fail"+GetLastError());
            return;
        }
        // Resolve LoadLibraryW in this process's kernel32; that address is used as the start
        // routine of the remote thread below.
        int pfnThreadRtn = GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryW");
        if (pfnThreadRtn == 0)
        {
            // NOTE(review): message text was copied from the VirtualAllocEx branch; this branch is
            // GetProcAddress failing, so the dialog is misleading.
            System.Windows.Forms.MessageBox.Show("VirtualAllocEx null" + GetLastError());
            return;
        }
        MessageBox.Show(pfnThreadRtn.ToString());
        hRemoteThread = CreateRemoteThread(hRemoteProcess, 0, 0, pfnThreadRtn, pszLibFileRemote, 0, ref tmp);
        // NOTE(review): hRemoteThread is never checked against 0, and neither it nor hRemoteProcess
        // is ever passed to CloseHandle, so both handles leak; the buffer allocated with
        // VirtualAllocEx is never freed either (no VirtualFreeEx is declared in this class).
        MessageBox.Show(tmp.ToString());
        //owner.Close();
    }

    // Finds the Notepad window by its Chinese-locale title ("Untitled - Notepad") and returns the
    // owning process id through `pid`. Neither failure branch returns early: on failure a message
    // is written to owner.label1 and pid is still assigned from TargetProcessID (0 in that case).
    // Everything after the first `return;` is unreachable.
    unsafe private void getHandle(Form1 owner, out int pid)
    {
        //int NullPointer = 0;
        TargetWindowHandle = FindWindow(null, "无标题 - 记事本");
        if (TargetWindowHandle == 0)
        {
            owner.label1.Text = "Cant't Find the Window \n";
        }
        GetWindowThreadProcessId(TargetWindowHandle, ref TargetProcessID);
        if (TargetProcessID == 0)
        {
            owner.label1.Text = "Cant't Find the thread \n";
        }
        pid = TargetProcessID;
        return;
        /*
        TargetProcessHandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, false, TargetProcessID);
        pszLibFileRemote = @"c:\spaw.dll";
        TargetBufferSize = 4096;//(1 + len(pszLibFileRemote)) * 2;
        TargetBuffer = VirtualAllocEx(TargetProcessHandle, ref NullPointer, TargetBufferSize, MEM_COMMIT, PAGE_READWRITE);
        WriteProcessMemory(TargetProcessHandle, TargetBuffer, ref pszLibFileRemote, TargetBufferSize, ref NullPointer);
        pfnStartAddr = GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA");
        CreateRemoteThread(TargetProcessHandle, ref NullPointer, 0, ref pfnStartAddr, ref TargetBuffer, 0, ref NullPointer);
        */
        ////////////////////////////////////////////////////////////
        // Find the pid of notepad.exe // port of the code below to C# --- unfinished
        ////////////////////////////////////////////////////////////
        // NOTE(review): unreachable — the `return;` above leaves the method before this
        // Toolhelp32 enumeration can run.
        pid = 0;
        int hSnapshot, Exist = 0;
        hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        //tmp2.bInheritHandle = 0;
        //tmp2.lpSecurityDescriptor = 0;
        //tmp2.nLength = 0;
        PROCESSENTRY32 pe;
        pe.cntThreads = 0;
        pe.cntUseage = 0;
        pe.dwSize = 0;
        pe.pcPriClassBase = 0;
        pe.swFlags = 0;
        pe.szExeFile = "";
        pe.th32DefaultHeapID = 0;
        pe.th32ModuleID = 0;
        pe.th32ParentProcessID = 0;
        pe.th32ProcessID = 0;
        // dwSize must hold the structure size before the first Process32First call.
        pe.dwSize = System.Runtime.InteropServices.Marshal.SizeOf(pe);
        if (Process32First(hSnapshot, ref pe) == 0)
        {
            //owner.label1.Text = "Cant't process.\n" + pe.szExeFile;
        }
        do
        {
            // Case-sensitive ordinal comparison of the image name.
            if (pe.szExeFile.Equals("notepad.exe"))
            {
                pid = pe.th32ProcessID;
                Exist = 1;
                break;
            }
        }
        while (Process32Next(hSnapshot, ref pe) != 0);
        if (Exist != 1)
        {
            //owner.label1.Text += "Cant't Find notepad.exe.\n"+pe.szExeFile ;
        }
        //char[] tmp = "";
        //_itoa(pid, tmp, 10);
        //MessageBox(null,tmp,"查找Notepad.exe",null);
        // The snapshot handle is the only handle this class ever closes.
        CloseHandle(hSnapshot);
    }

    public DllInsert()
    {
        //Initializing Code
    }
}
}
1、使用Windows Hook机制,让非.net程序加载你的目标DLL。
2、利用CreateRemoteThread,而这个Thread的执行函数为LoadLibrary,LoadLibrary需要装载的DLL就是你要注入的DLL。然后在DLL的主函数中进行其他处理。我不认为C#的DLL中的主函数能够做什么事情。这个主函数的执行也不是C#程序所能控制的。所以我认为使用C#注入不一定能够有什么结果,即便是注入了也不能做什么事情。