先上代码
项目定义了 UNICODE
HANDLE hRemoteProcess;
DWORD exitcode;
DWORD dwRemoteProcessId=processid;//远程进程ID
EnableDebugPriv(SE_DEBUG_NAME); //提权,与远程注入一样的代码
//打开远程线程
hRemoteProcess = OpenProcess( PROCESS_ALL_ACCESS | //允许远程创建线程PROCESS_VM_OPERATION | //允许远程VM操作
PROCESS_VM_WRITE,//允许远程VM写
FALSE, dwRemoteProcessId ); WCHAR *pszLibFileRemote;
//使用VirtualAllocEx函数在远程进程的内存地址空间分配DLL文件名空间
pszLibFileRemote = (WCHAR *) VirtualAllocEx( hRemoteProcess, NULL, (lstrlen((LPWSTR)(LPCWSTR)driverpath)+1)*sizeof(WCHAR),
MEM_COMMIT, PAGE_READWRITE); //driverpath 为远程DLL的全路进 //使用WriteProcessMemory函数将DLL的路径名写入到远程进程的内存空间
WriteProcessMemory(hRemoteProcess,
pszLibFileRemote, (LPVOID)(LPWSTR)(LPCWSTR)driverpath, (lstrlen((LPWSTR)(LPCWSTR)driverpath)+1)*sizeof(WCHAR), NULL);
//计算GetModuleHandleW的入口地址
PTHREAD_START_ROUTINE pfnrGetModuleHandle = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(_T("Kernel32")), "GetModuleHandleW");
//启动远程线程GetModuleHandleW,通过远程线程调用创建新的线程
HANDLE hRemoteThread; if( (hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0, pfnrGetModuleHandle, pszLibFileRemote, 0, NULL) ) == NULL)
{
AfxMessageBox(CUtil::ErrorMessageFormatW(GetLastError()));
TRACE("CreateRemoteThread error!\r\n");
return ;
} WaitForSingleObject(hRemoteThread, INFINITE);
GetExitCodeThread(hRemoteThread, &exitcode);
//以上代码返回值 exitcode 与远程注入的时候 返回的值一样,说明以上代码执行正确吧.....?? VirtualFreeEx( hRemoteProcess, pszLibFileRemote, (lstrlen(pszLibFileRemote)+1)*sizeof(WCHAR), MEM_DECOMMIT ); CloseHandle(hRemoteThread);
TRACE("CreateRemoteThread Success!\r\n");
以下用 ANSI 编写（用 UNICODE 编写效果一样），都不能卸载 DLL。
//计算FreeLibrary的入口地址
PTHREAD_START_ROUTINE pfnrFreeLibrary = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(_T("Kernel32")), "FreeLibrary"); char buffer[MAX_PATH];
LPCSTR buf=buffer;
sprintf(buffer,"%d",exitcode);//exitcode 为要卸载 dll的hmodule //使用VirtualAllocEx函数在远程进程的内存地址空间分配 FreeLibrary 参数空间
char *pszLibFileRemoteA= (char *) VirtualAllocEx( hRemoteProcess, NULL, lstrlenA(buf)+1,
MEM_COMMIT, PAGE_READWRITE);
exitcode=lstrlenA(buf)+1;
//使用WriteProcessMemory函数将FreeLibrary 参数 写入到远程进程的内存空间
WriteProcessMemory(hRemoteProcess,
pszLibFileRemoteA, (LPVOID)buf, lstrlenA(buf)+1, &exitcode);
// 这里也用readprocessmemory 读写进去的值,也是正确的 exitcode的就是 buf的长度+1
//创建远程线程 FreeLibraryAndExitThread
hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0, pfnrFreeLibrary,pszLibFileRemoteA, 0, NULL );
// 等待FreeLibrary卸载完毕
WaitForSingleObject(hRemoteThread, INFINITE );
GetExitCodeThread(hRemoteThread, &exitcode);//这里exitcode 为0 VirtualFreeEx( hRemoteProcess, pszLibFileRemoteA, lstrlenA(pszLibFileRemoteA)+1, MEM_DECOMMIT ); //delete pszLibFileRemote;
CloseHandle(hRemoteThread);
CloseHandle(hRemoteProcess);
以上代码卸载不了其它进程的 DLL；当然，那个 DLL 是我自己注入到记事本程序里的。
项目定义了 UNICODE
HANDLE hRemoteProcess;
DWORD exitcode;
DWORD dwRemoteProcessId=processid;//远程进程ID
EnableDebugPriv(SE_DEBUG_NAME); //提权,与远程注入一样的代码
//打开远程线程
hRemoteProcess = OpenProcess( PROCESS_ALL_ACCESS | //允许远程创建线程PROCESS_VM_OPERATION | //允许远程VM操作
PROCESS_VM_WRITE,//允许远程VM写
FALSE, dwRemoteProcessId ); WCHAR *pszLibFileRemote;
//使用VirtualAllocEx函数在远程进程的内存地址空间分配DLL文件名空间
pszLibFileRemote = (WCHAR *) VirtualAllocEx( hRemoteProcess, NULL, (lstrlen((LPWSTR)(LPCWSTR)driverpath)+1)*sizeof(WCHAR),
MEM_COMMIT, PAGE_READWRITE); //driverpath 为远程DLL的全路进 //使用WriteProcessMemory函数将DLL的路径名写入到远程进程的内存空间
WriteProcessMemory(hRemoteProcess,
pszLibFileRemote, (LPVOID)(LPWSTR)(LPCWSTR)driverpath, (lstrlen((LPWSTR)(LPCWSTR)driverpath)+1)*sizeof(WCHAR), NULL);
//计算GetModuleHandleW的入口地址
PTHREAD_START_ROUTINE pfnrGetModuleHandle = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(_T("Kernel32")), "GetModuleHandleW");
//启动远程线程GetModuleHandleW,通过远程线程调用创建新的线程
HANDLE hRemoteThread; if( (hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0, pfnrGetModuleHandle, pszLibFileRemote, 0, NULL) ) == NULL)
{
AfxMessageBox(CUtil::ErrorMessageFormatW(GetLastError()));
TRACE("CreateRemoteThread error!\r\n");
return ;
} WaitForSingleObject(hRemoteThread, INFINITE);
GetExitCodeThread(hRemoteThread, &exitcode);
//以上代码返回值 exitcode 与远程注入的时候 返回的值一样,说明以上代码执行正确吧.....?? VirtualFreeEx( hRemoteProcess, pszLibFileRemote, (lstrlen(pszLibFileRemote)+1)*sizeof(WCHAR), MEM_DECOMMIT ); CloseHandle(hRemoteThread);
TRACE("CreateRemoteThread Success!\r\n");
以下用 ANSI 编写（用 UNICODE 编写效果一样），都不能卸载 DLL。
//计算FreeLibrary的入口地址
PTHREAD_START_ROUTINE pfnrFreeLibrary = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(_T("Kernel32")), "FreeLibrary"); char buffer[MAX_PATH];
LPCSTR buf=buffer;
sprintf(buffer,"%d",exitcode);//exitcode 为要卸载 dll的hmodule //使用VirtualAllocEx函数在远程进程的内存地址空间分配 FreeLibrary 参数空间
char *pszLibFileRemoteA= (char *) VirtualAllocEx( hRemoteProcess, NULL, lstrlenA(buf)+1,
MEM_COMMIT, PAGE_READWRITE);
exitcode=lstrlenA(buf)+1;
//使用WriteProcessMemory函数将FreeLibrary 参数 写入到远程进程的内存空间
WriteProcessMemory(hRemoteProcess,
pszLibFileRemoteA, (LPVOID)buf, lstrlenA(buf)+1, &exitcode);
// 这里也用readprocessmemory 读写进去的值,也是正确的 exitcode的就是 buf的长度+1
//创建远程线程 FreeLibraryAndExitThread
hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0, pfnrFreeLibrary,pszLibFileRemoteA, 0, NULL );
// 等待FreeLibrary卸载完毕
WaitForSingleObject(hRemoteThread, INFINITE );
GetExitCodeThread(hRemoteThread, &exitcode);//这里exitcode 为0 VirtualFreeEx( hRemoteProcess, pszLibFileRemoteA, lstrlenA(pszLibFileRemoteA)+1, MEM_DECOMMIT ); //delete pszLibFileRemote;
CloseHandle(hRemoteThread);
CloseHandle(hRemoteProcess);
以上代码卸载不了其它进程的 DLL；当然，那个 DLL 是我自己注入到记事本程序里的。
我注入 DLL 时用的也是 EnableDebugPriv(SE_DEBUG_NAME); //提权，与远程注入一样的代码
//卸载
// "Unload" button handler.
//
// Looks up, in the process selected in the combo box, the module whose
// szExePath equals the path typed into the edit control (case-insensitive
// compare over a TH32CS_SNAPMODULE snapshot), then creates a remote thread in
// that process whose start routine is Kernel32!FreeLibrary and whose single
// thread parameter is that module handle, and waits for it to finish.
//
// Note the contrast with the snippets earlier on this page: there the
// FreeLibrary thread parameter was a pointer to a buffer holding the decimal
// text of the HMODULE; here the HMODULE value itself is the parameter, which is
// what a FreeLibrary start routine receives as its argument.
//
// Review notes:
//  - pFreeLibrary is resolved with GetProcAddress on THIS process's Kernel32
//    and then used as the start routine in the TARGET process; the code assumes
//    the export has the same address in both. Nothing on this page confirms
//    that for the target — verify before relying on it.
//  - Handle hygiene: hModuleSnap and hRemoteThread are never closed (only
//    hRemoteProcess is, in __finally), so both leak on every click.
//  - Missing checks: CreateToolhelp32Snapshot may return INVALID_HANDLE_VALUE,
//    GetProcAddress may return NULL, and hFindModule stays NULL when no module
//    path matched — in all three cases the code proceeds to CreateRemoteThread
//    regardless. The loop does not break on a match, so the LAST matching
//    module wins (presumably paths are unique per process; confirm).
//  - wcsicmp is the legacy name; MSVC's conforming spelling is _wcsicmp.
//  - Creating a thread in another process whose entry point is a loader export
//    is exactly the kind of cross-process activity endpoint monitoring tends to
//    record, so expect this action to show up in process/thread telemetry.
void CInjectDlg::OnButtonUnload()
{
int nPid=0;
HANDLE hModuleSnap=NULL;
MODULEENTRY32 stModuleEntry={0};
BOOL bFlag=TRUE;
WCHAR szDllPath[MAX_PATH]={0};
// dwSize must be set before Module32FirstW, otherwise the call fails.
HMODULE hFindModule=NULL; stModuleEntry.dwSize=sizeof(stModuleEntry);
m_CtrEditPath.GetDllInfo(szDllPath); // DLL path from the edit control
nPid=m_CtrCboProcess.GetUserChoosePid(); // PID of the process picked in the combo box
// Snapshot of the target's loaded modules; hModuleSnap is never closed (leak).
hModuleSnap=CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,nPid);
bFlag=Module32FirstW(hModuleSnap,&stModuleEntry);
// Walk every module; no break, so a later match overwrites an earlier one.
for(;bFlag;)
{
if (0==wcsicmp(szDllPath,stModuleEntry.szExePath))
{
hFindModule=stModuleEntry.hModule;
}
bFlag=Module32NextW(hModuleSnap,&stModuleEntry);
}
// Preparation done; now the actual work.
//////////////////////////////////////////////////////////////////////////
HANDLE hRemoteProcess=NULL;
HANDLE hRemoteThread=NULL;
LPTHREAD_START_ROUTINE pFreeLibrary=NULL;
// Address of FreeLibrary in the local Kernel32; reused as-is for the remote
// thread's start routine (see the review note on that assumption above).
pFreeLibrary=(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"Kernel32"),"FreeLibrary");
__try
{
hRemoteProcess=OpenProcess(PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE,\
FALSE,nPid);
if (NULL==hRemoteProcess)
{
ShowErrorInfo(L"OpenProcess Error!");
__leave;
}
// The exciting moment: the thread parameter hFindModule becomes FreeLibrary's
// HMODULE argument in the target. hFindModule may still be NULL here.
hRemoteThread=CreateRemoteThread(hRemoteProcess,NULL,0,pFreeLibrary,hFindModule,0,NULL);
if (NULL==hRemoteThread)
{
ShowErrorInfo(L"CreateRemoteThread error!");
__leave;
}
// Block until the remote FreeLibrary call returns; hRemoteThread is never closed.
WaitForSingleObject(hRemoteThread,INFINITE);
}
__finally
{
// Only the process handle is released here; the thread and snapshot handles are not.
if (NULL!=hRemoteProcess)
{
CloseHandle(hRemoteProcess);
hRemoteProcess=NULL;
}
}
}